Your ultimate guide to pentesting with Kali Linux
Kali is a popular and powerful Linux distribution used by cybersecurity professionals around the world. Penetration testers must master Kali’s varied library of tools to be effective at their work. The Kali Linux Penetration Testing Bible is a hands-on methodology guide for pentesting with Kali.
You’ll learn the tools and techniques attackers use to gain access to systems like yours so you can build reliable defenses for your assets. Whether you’re new to the field or an established pentester, you’ll find what you need in this comprehensive guide.
- Build a modern dockerized environment
- Discover the fundamentals of the bash language in Linux
- Use a variety of effective techniques to find vulnerabilities (OSINT, network scanning, and more)
- Analyze your findings, identify false positives, and explore advanced subjects such as buffer overflows, lateral movement, and privilege escalation
- Apply practical and efficient pentesting workflows
- Learn about modern web application security and the secure SDLC
- Automate your penetration testing with Python
Table of Contents
Introduction xx
Chapter 1 Mastering the Terminal Window 1
Kali Linux File System 2
Terminal Window Basic Commands 3
Tmux Terminal Window 6
Starting Tmux 6
Tmux Key Bindings 7
Tmux Session Management 7
Navigating Inside Tmux 9
Tmux Commands Reference 9
Managing Users and Groups in Kali 10
Users Commands 10
Groups Commands 14
Managing Passwords in Kali 14
Files and Folders Management in Kali Linux 15
Displaying Files and Folders 15
Permissions 16
Manipulating Files in Kali 19
Searching for Files 20
File Compression 21
Manipulating Directories in Kali 23
Mounting a Directory 23
Managing Text Files in Kali Linux 24
Vim vs. Nano 26
Searching and Filtering Text 27
Remote Connections in Kali 29
Remote Desktop Protocol 29
Secure Shell 30
SSH with Credentials 30
Passwordless SSH 32
Kali Linux System Management 34
Linux Host Information 36
Linux OS Information 36
Linux Hardware Information 36
Managing Running Services 38
Package Management 39
Process Management 41
Networking in Kali Linux 42
Network Interface 42
IPv4 Private Address Ranges 42
Static IP Addressing 43
DNS 45
Established Connections 46
File Transfers 47
Summary 48
Chapter 2 Bash Scripting 49
Basic Bash Scripting 50
Printing to the Screen in Bash 50
Variables 52
Commands Variable 54
Script Parameters 54
User Input 56
Functions 56
Conditions and Loops 57
Conditions 58
Loops 60
File Iteration 61
Summary 63
Chapter 3 Network Hosts Scanning 65
Basics of Networking 65
Networking Protocols 66
TCP 66
UDP 67
Other Networking Protocols 67
IP Addressing 69
IPv4 69
Subnets and CIDR 69
IPv6 70
Port Numbers 71
Network Scanning 72
Identifying Live Hosts 72
Ping 73
ARP 73
Nmap 73
Port Scanning and Services Enumeration 74
TCP Port SYN Scan 75
UDP 75
Basics of Using Nmap Scans 76
Services Enumeration 77
Operating System Fingerprinting 79
Nmap Scripting Engine 80
NSE Category Scan 82
NSE Arguments 84
DNS Enumeration 84
DNS Brute-Force 85
DNS Zone Transfer 86
DNS Subdomains Tools 87
Fierce 87
Summary 88
Chapter 4 Internet Information Gathering 89
Passive Footprinting and Reconnaissance 90
Internet Search Engines 90
Shodan 91
Google Queries 92
Information Gathering Using Kali Linux 94
Whois Database 95
TheHarvester 97
DMitry 99
Maltego 99
Summary 103
Chapter 5 Social Engineering Attacks 105
Spear Phishing Attacks 105
Sending an E-mail 106
The Social Engineer Toolkit 106
Sending an E-mail Using Python 108
Stealing Credentials 109
Payloads and Listeners 110
Bind Shell vs. Reverse Shell 111
Bind Shell 111
Reverse Shell 112
Reverse Shell Using SET 113
Social Engineering with the USB Rubber Ducky 115
A Practical Reverse Shell Using USB Rubber Ducky and PowerShell 117
Generating a PowerShell Script 118
Starting a Listener 118
Hosting the PowerShell Script 119
Running PowerShell 120
Download and Execute the PS Script 120
Reverse Shell 121
Replicating the Attack Using the USB Rubber Ducky 122
Summary 122
Chapter 6 Advanced Enumeration Phase 125
Transfer Protocols 126
FTP (Port 21) 126
Exploitation Scenarios for an FTP Server 126
Enumeration Workflow 127
Service Scan 127
Advanced Scripting Scan with Nmap 128
More Brute-Forcing Techniques 129
SSH (Port 22) 130
Exploitation Scenarios for an SSH Server 130
Advanced Scripting Scan with Nmap 131
Brute-Forcing SSH with Hydra 132
Advanced Brute-Forcing Techniques 133
Telnet (Port 23) 134
Exploitation Scenarios for Telnet Server 135
Enumeration Workflow 135
Service Scan 135
Advanced Scripting Scan 136
Brute-Forcing with Hydra 136
E-mail Protocols 136
SMTP (Port 25) 137
Nmap Basic Enumeration 137
Nmap Advanced Enumeration 137
Enumerating Users 138
POP3 (Port 110) and IMAP4 (Port 143) 141
Brute-Forcing POP3 E-mail Accounts 141
Database Protocols 142
Microsoft SQL Server (Port 1433) 142
Oracle Database Server (Port 1521) 143
MySQL (Port 3306) 143
CI/CD Protocols 143
Docker (Port 2375) 144
Jenkins (Port 8080/50000) 145
Brute-Forcing a Web Portal Using Hydra 147
Step 1: Enable a Proxy 148
Step 2: Intercept the Form Request 149
Step 3: Extracting Form Data and Brute-Forcing with Hydra 150
Web Protocols 80/443 151
Graphical Remoting Protocols 152
RDP (Port 3389) 152
RDP Brute-Force 152
VNC (Port 5900) 153
File Sharing Protocols 154
SMB (Port 445) 154
Brute-Forcing SMB 156
SNMP (Port UDP 161) 157
SNMP Enumeration 157
Summary 159
Chapter 7 Exploitation Phase 161
Vulnerabilities Assessment 162
Vulnerability Assessment Workflow 162
Vulnerability Scanning with OpenVAS 164
Installing OpenVAS 164
Scanning with OpenVAS 165
Exploits Research 169
SearchSploit 171
Services Exploitation 173
Exploiting FTP Service 173
FTP Login 173
Remote Code Execution 174
Spawning a Shell 177
Exploiting SSH Service 178
SSH Login 178
Telnet Service Exploitation 179
Telnet Login 179
Sniffing for Cleartext Information 180
E-mail Server Exploitation 183
Docker Exploitation 185
Testing the Docker Connection 185
Creating a New Remote Kali Container 186
Getting a Shell into the Kali Container 187
Docker Host Exploitation 188
Exploiting Jenkins 190
Reverse Shells 193
Using Shells with Metasploit 194
Exploiting the SMB Protocol 196
Connecting to SMB Shares 196
SMB EternalBlue Exploit 197
Summary 198
Chapter 8 Web Application Vulnerabilities 199
Web Application Vulnerabilities 200
Mutillidae Installation 200
Apache Web Server Installation 200
Firewall Setup 201
Installing PHP 201
Database Installation and Setup 201
Mutillidae Installation 202
Cross-Site Scripting 203
Reflected XSS 203
Stored XSS 204
Exploiting XSS Using the Header 205
Bypassing JavaScript Validation 207
SQL Injection 208
Querying the Database 208
Bypassing the Login Page 211
Execute Database Commands Using SQLi 211
SQL Injection Automation with SQLMap 215
Testing for SQL Injection 216
Command Injection 217
File Inclusion 217
Local File Inclusion 218
Remote File Inclusion 219
Cross-Site Request Forgery 220
The Attacker Scenario 221
The Victim Scenario 222
File Upload 223
Simple File Upload 223
Bypassing Validation 225
Encoding 227
OWASP Top 10 228
Summary 229
Chapter 9 Web Penetration Testing and Secure Software Development Lifecycle 231
Web Enumeration and Exploitation 231
Burp Suite Pro 232
Web Pentest Using Burp Suite 232
More Enumeration 245
Nmap 246
Crawling 246
Vulnerability Assessment 247
Manual Web Penetration Testing Checklist 247
Common Checklist 248
Special Pages Checklist 248
Secure Software Development Lifecycle 250
Analysis/Architecture Phase 251
Application Threat Modeling 251
Assets 251
Entry Points 252
Third Parties 252
Trust Levels 252
Data Flow Diagram 252
Development Phase 252
Testing Phase 255
Production Environment (Final Deployment) 255
Summary 255
Chapter 10 Linux Privilege Escalation 257
Introduction to Kernel Exploits and Missing Configurations 258
Kernel Exploits 258
Kernel Exploit: Dirty Cow 258
SUID Exploitation 261
Overriding the Passwd Users File 263
CRON Jobs Privilege Escalation 264
CRON Basics 265
Crontab 265
Anacrontab 266
Enumerating and Exploiting CRON 266
sudoers 268
sudo Privilege Escalation 268
Exploiting the Find Command 268
Editing the sudoers File 269
Exploiting Running Services 270
Automated Scripts 270
Summary 271
Chapter 11 Windows Privilege Escalation 273
Windows System Enumeration 273
System Information 274
Windows Architecture 275
Listing the Disk Drives 276
Installed Patches 276
Who Am I? 276
List Users and Groups 277
Networking Information 279
Showing Weak Permissions 282
Listing Installed Programs 283
Listing Tasks and Processes 283
File Transfers 284
Windows Host Destination 284
Linux Host Destination 285
Windows System Exploitation 286
Windows Kernel Exploits 287
Getting the OS Version 287
Find a Matching Exploit 288
Executing the Payload and Getting a Root Shell 289
The Metasploit PrivEsc Magic 289
Exploiting Windows Applications 293
Running As in Windows 295
PSExec Tool 296
Exploiting Services in Windows 297
Interacting with Windows Services 297
Misconfigured Service Permissions 297
Overriding the Service Executable 299
Unquoted Service Path 299
Weak Registry Permissions 301
Exploiting the Scheduled Tasks 302
Windows PrivEsc Automated Tools 302
PowerUp 302
WinPEAS 303
Summary 304
Chapter 12 Pivoting and Lateral Movement 305
Dumping Windows Hashes 306
Windows NTLM Hashes 306
SAM File and Hash Dump 307
Using the Hash 308
Mimikatz 308
Dumping Active Directory Hashes 310
Reusing Passwords and Hashes 310
Pass the Hash 311
Pivoting with Port Redirection 312
Port Forwarding Concepts 312
SSH Tunneling and Local Port Forwarding 314
Remote Port Forwarding Using SSH 315
Dynamic Port Forwarding 316
Dynamic Port Forwarding Using SSH 316
Summary 317
Chapter 13 Cryptography and Hash Cracking 319
Basics of Cryptography 319
Hashing Basics 320
One-Way Hash Function 320
Hashing Scenarios 321
Hashing Algorithms 321
Message Digest 5 321
Secure Hash Algorithm 323
Hashing Passwords 323
Securing Passwords with Hash 324
Hash-Based Message Authentication Code 325
Encryption Basics 326
Symmetric Encryption 326
Advanced Encryption Standard 326
Asymmetric Encryption 328
Rivest Shamir Adleman 329
Cracking Secrets with Hashcat 331
Benchmark Testing 332
Cracking Hashes in Action 334
Attack Modes 336
Straight Mode 336
Combinator 337
Mask and Brute-Force Attacks 339
Brute-Force Attack 342
Hybrid Attacks 342
Cracking Workflow 343
Summary 344
Chapter 14 Reporting 345
Overview of Reports in Penetration Testing 345
Scoring Severities 346
Common Vulnerability Scoring System Version 3.1 346
Report Presentation 349
Cover Page 350
History Logs 350
Report Summary 350
Vulnerabilities Section 350
Summary 351
Chapter 15 Assembly Language and Reverse Engineering 353
CPU Registers 353
General CPU Registers 354
Index Registers 355
Pointer Registers 355
Segment Registers 355
Flag Registers 357
Assembly Instructions 358
Little Endian 360
Data Types 360
Memory Segments 361
Addressing Modes 361
Reverse Engineering Example 361
Visual Studio Code for C/C++ 362
Immunity Debugger for Reverse Engineering 363
Summary 368
Chapter 16 Buffer/Stack Overflow 369
Basics of Stack Overflow 369
Stack Overview 370
PUSH Instruction 370
POP Instruction 371
C Program Example 371
Buffer Analysis with Immunity Debugger 372
Stack Overflow 376
Stack Overflow Mechanism 377
Stack Overflow Exploitation 378
Lab Overview 379
Vulnerable Application 379
Phase 1: Testing 379
Testing the Happy Path 379
Testing the Crash 381
Phase 2: Buffer Size 382
Pattern Creation 382
Offset Location 382
Phase 3: Controlling EIP 383
Adding the JMP Instruction 384
Phase 4: Injecting the Payload and Getting a Remote Shell 386
Payload Generation 386
Bad Characters 386
Shellcode Python Script 387
Summary 388
Chapter 17 Programming with Python 389
Basics of Python 389
Running Python Scripts 390
Debugging Python Scripts 391
Installing VS Code on Kali 391
Practicing Python 392
Python Basic Syntax 393
Python Shebang 393
Comments in Python 393
Line Indentation and Importing Modules 394
Input and Output 394
Printing CLI Arguments 395
Variables 395
Numbers 395
Arithmetic Operators 397
Strings 397
String Formatting 397
String Functions 398
Lists 399
Reading Values in a List 399
Updating List Items 399
Removing a List Item 400
Tuples 400
Dictionary 400
More Techniques in Python 400
Functions 400
Returning Values 401
Optional Arguments 401
Global Variables 402
Changing Global Variables 402
Conditions 403
if/else Statement 403
Comparison Operators 403
Loop Iterations 404
while Loop 404
for Loop 405
Managing Files 406
Exception Handling 407
Text Escape Characters 407
Custom Objects in Python 408
Summary 409
Chapter 18 Pentest Automation with Python 411
Penetration Test Robot 411
Application Workflow 412
Python Packages 414
Application Start 414
Input Validation 415
Code Refactoring 417
Scanning for Live Hosts 418
Ports and Services Scanning 420
Attacking Credentials and Saving the Results 423
Summary 426
Appendix A Kali Linux Desktop at a Glance 427
Downloading and Running a VM of Kali Linux 428
Virtual Machine First Boot 428
Kali Xfce Desktop 429
Kali Xfce Menu 430
Search Bar 430
Favorites Menu Item 430
Usual Applications 432
Other Menu Items 433
Kali Xfce Settings Manager 433
Advanced Network Configuration 435
Appearance 436
Desktop 439
Display 441
File Manager 442
Keyboard 445
MIME Type Editor 447
Mouse and Touchpad 448
Panel 449
Workspaces 450
Window Manager 451
Practical Example of Desktop Customization 454
Edit the Top Panel 454
Adding a New Bottom Panel 454
Changing the Desktop Look 457
Installing Kali Linux from Scratch 458
Summary 466
Appendix B Building a Lab Environment Using Docker 467
Docker Technology 468
Docker Basics 468
Docker Installation 468
Images and Registries 469
Containers 470
Dockerfile 472
Volumes 472
Networking 473
Mutillidae Docker Container 474
Summary 475
Index 477