Penetration testing can help you improve both the security and quality of your product. It’s a complex yet creative process where you must understand what you’re doing and why you’re doing it.
At Apriorit, we have a team of experienced penetration testing professionals who can help you find the weak spots in your software product. When working on our clients’ projects, we often offer to conduct penetration testing, which we consider a necessary part of security testing. In this article, we focus on Kali Linux, a Linux distribution that’s helpful in handling different penetration testing tasks, from gathering information about a product to testing its performance with a stress test.
Apriorit expert shares his experience in penetration testing with Kali Linux. We talk about using Kali Linux for improving product security and provide a brief overview of the most popular tools preinstalled in this operating system. Keep in mind that the final choice of penetration testing tools and approaches will fully depend on the specifics of your project, including the architecture of the product under test.
Note: Many of the tools mentioned in this article should only be used for penetration testing for research purposes.
A few words about Kali Linux
Kali Linux is a Debian-derived distribution of the popular Linux operating system. With the help of Kali, penetration testing becomes much easier. Advanced users can use Kali for running information security tests to detect and fix possible vulnerabilities in their programs.
One of the main distinctives of Kali Linux is that this system has been ported to the ARM architecture. As a result, Kali can be installed not only on desktops and laptops but also on Android-based smartphones.
During penetration testing, you should pay special attention to various problems and possible attack vectors. In this article, we take a closer look at the four stages of testing a product’s information security (see Figure 1):
- Gathering information
- Analyzing vulnerabilities
- Sniffing and spoofing traffic
- Stress testing
We’ll list the most useful tools for each of these stages and provide a brief overview of each tool. You can find a full list of Kali Linux tools on the official website.
Let’s begin with the first task and see what Kali Linux tools are most helpful for collecting data about the product or system under test.
When starting penetration testing of a product, the first thing you need to do is gather as much information about the system as you can. This stage allows you to see if the system under test can be investigated from the outside and if potential attackers could extract any critical data.
For instance, information about technologies, ports, protocols, software versions, entry points, and product architecture may significantly increase the chance of an attack’s success. Your goal is to protect this information, or at the very least to make it extremely difficult for a potential attacker to extract such information from your product.
Judging from our experience, up to 20 percent of critical vulnerabilities can be detected at the information gathering stage, when the impact on the system under test isn’t as significant as at other stages of penetration testing.
Let’s take a closer look at the tools that will be most helpful for investigating your product’s information security and collecting valuable data about the tested product.
To see a list of applications running on a specified port, consider using the Amap scanner. This tool can also be used for identifying non-ASCII based applications.
Amap establishes a connection with specified ports and sends them trigger packets. Usually, trigger packets are application protocol handshakes. After sending the packets, Amap looks for matches in the response strings.
Amap supports several types of protocols: TCP, UDP, binary, regular, and SSL-enabled ASCII protocols.
The Amap package includes two tools:
- amapcrap – a tool for sending random data to silent UDP, TCP, and SSL ports in order to trigger an unexpected response
- amap – an application mapper for identifying applications running on a specific port
Amap is a nice scanner and has lots of options that can be used during penetration testing. However, there’s another tool called Nmap that works better for finding a host and scanning open ports, and it’s easier to use. We describe Nmap below.
Testers often use DNSMap to check infrastructure security and gather information about domain names, IP netblocks, subdomains, and so on. This utility can also be used for subdomain brute-forcing at the enumeration stage. This method is especially helpful when other domain brute-forcing methods, such as zone transfer, don’t bring the desired results.
3. Network Mapper (Nmap)
Network Mapper (Nmap) is a popular open-source utility for penetration testing and security testing. It can also be used for inventorying a network, monitoring host and service uptimes, and managing service upgrade schedules.
Nmap uses raw IP packets to get detailed information on the hosts available on a network: services they offer, operating systems they run, packet filters and firewalls they implement, and more. In addition to the classic command-line Nmap there are several additional tools such as a results viewer (Zenmap) and a tool for comparing scan results (Ndiff).
Nmap is compatible with all popular operating systems and has official binary packages for Windows, Linux, and macOS.
Nmap is one of the most popular tools for host and network scanning. Its main benefits are its speed, universality, and efficiency. So if you’re not sure where to start, go with Nmap.
If you want to see what kind of information an attacker can get on your organization, try using theHarvester. With the help of this tool, you can gather data including:
- SHODAN computer databases
- employee names
- email addresses
- open ports
theHarvester is easy to use and, at the same time, quite effective at the early stages of penetration testing. It can also be used for checking what kind of information about your company can be found on the internet.
5. Load Balancing Detector (lbd)
To see if your website is prone to DDoS attacks, consider using the Load Balancing Detector (lbd). Load balancing refers to the distribution of intensive loads across multiple servers. With the help of lbd, you can check if a domain under test uses DNS and HTTP load balancing. This tool also provides you with detailed information on found servers.
To scan your network traffic, you can use arp-scan, a tool that scans networks with layer-2, MAC, and Ethernet ARP packets. Using arp-scan, you can send ARP packets to specified hosts on your local network and see the responses.
With the help of Arp-scan, you can:
- Send ARP packets to any number of hosts, using a configurable packet rate and output bandwidth. This is helpful for system discovery, especially when you need to scan large address spaces.
- Construct the outgoing ARP packets in a flexible manner. Using arp-scan, you can control all fields in both the ARP packet and the Ethernet frame header.
- Decode and display the received ARP packets.
Plus, with the help of the arp-fingerprint tool, you can fingerprint a specified target host.
SMBMap is a tool for enumerating shared samba drives across a domain. It can list shared drives and show their content and current drive permissions. SMBMap also has upload/download functionality, can automatically download files whose names match a specified format, and can even execute commands remotely.
The main goal of SMBMap is to simplify the discovery of sensitive and potentially vulnerable data across large networks.
SSLsplit is a popular tool for penetration testing and network forensics. It can conduct man-in-the-middle (MITM) attacks against network connections encrypted with SSL/TLS. SSLsplit can transparently intercept and redirect connections. After terminating the original SSL/TLS connection, SSLsplit initiates a new connection to the original destination address and logs all data transmitted.
SSLsplit supports plain TCP and SSL as well as HTTP/HTTPS connections via IPv4 and IPv6. For SSL and HTTPS connections, it can generate and sign forged X509v3 certificates on-the-fly.
By default, SSLsplit depends on OpenSSL, libpcap, libevent 2.x, libnet 1.1.x, and other libraries. As an experimental feature, SSLsplit generically supports the STARTTLS mechanism.
Now, let’s talk about some of the most popular and useful Kali Linux tools for vulnerability analysis.
Vulnerability assessment is one of the most important stages of penetration testing. Analyzing vulnerabilities is quite similar to gathering information, but this time we have a very specific goal — to find the weaknesses that can be successfully exploited by an attacker. This stage plays a crucial part in penetration testing because, in most cases, vulnerabilities are what make your system or product prone to cyberattacks.
Mastering one or two effective vulnerability assessment tools will bring you more benefit than trying to use dozens of tools simultaneously. To make the choice a bit easier, we list eight of the most widely used Kali Linux tools for detecting vulnerabilities in systems under test.
APT2 is a popular tool set for automated penetration testing. It performs NMap scanning and can import the scanning results from other tools including Nexpose, Nessus, and NMap. APT2 uses the processed results to launch exploit and enumeration modules according to the enumerated service information and configurable Safe Level.
APT2 stores all received module results on a local host and adds them to the general knowledge base. Users can access APT2’s knowledge base from within the application and use it to see the results received from an exploit module.
One of the main advantages of APT2 is that it’s highly flexible and, thanks to the configurability of the Safe Level, enables granular control over its behavior. This tool is easy to use and has detailed documentation, although updates aren’t frequent.
BruteXSS is a powerful and fast cross-site scripting brute-forcer. It’s used for brute forcing parameters. BruteXSS can inject multiple payloads from a specified wordlist to specified parameters and scan these parameters to see if any are prone to the XSS vulnerability.
The main features of BruteXSS are:
- XSS brute forcing
- XSS scanning
- Custom wordlists
- Support for GET/POST requests
BruteXSS has a user-friendly UI and supports GET/POST requests, which makes it compatible with most web applications. But the main advantage of BruteXSS is its high level of accuracy.
3. Cisco Torch
Cisco Torch is a useful tool for mass scanning, fingerprinting, and exploitation. Its main advantage is its ability to launch multiple scanning processes in the background without compromising system performance. Cisco Torch extensively uses forking and can use several application layer fingerprinting methods at the same time.
It can be used for discovering remote Cisco hosts with running Telnet, Web, NTP, SSH, and SNMP services as well as for launching dictionary attacks against those discovered services.
Cisco Torch is a helpful command-line tool that even less experienced testers can use effectively. However, it was designed mostly for testing Cisco products, so it isn’t as popular as other tools on our list.
CrackMapExec is an all-in-one tool for testing Windows/Active Directory environments. It uses multiple popular technologies including the PowerSploit repository, which CrackMapExec uses as one of its submodules.
This tool can enumerate logged users and index shared SMB folders, perform psexec attacks and NTDS.dit dumping, automatically inject Mimikatz/Shellcode/DLL into the memory using PowerShell, etc.
Advantages of CrackMapExec include:
- Clear Python scripts that don’t require the use of outside tools
- Fully parallel multithreading
- Uses only native WinAPI calls for detecting sessions, users, SAM hash dumping, etc.
- CrackMapExec is mostly undetectable by security scanners (when dumping clear-text credentials, injecting shellcode, etc., binary files aren’t loaded)
CrackMapExec uses plain Python scripts, so it works stably and doesn’t depend on any external or additional libraries and programs. Plus, it uses only native WinAPI calls, thus reducing the risk of errors and false positives during testing.
On the downside, CrackMapExec is rather complex, and you’ll probably need more time to master it than other programs we talk about in this post. But this tool is worth the effort, since most of its analogs aren’t as accurate and functional.
5. jSQL Injection
To search for information in databases on distant servers, you can use jSQL Injection. It’s a lightweight (about 2.5 MB) Java tool that can automatically make injections into SQL databases.
jSQL Injection is a free, open-source, cross-platform tool that supports Windows, Linux, and Solaris.
- Supports GET, POST, header, and cookie methods
- Uses regular, error-based, blind, and time-based injection algorithms
- Picks the most suitable algorithm automatically
- Has four options for multi-thread control: Start, Pause, Resume, Stop
- Supports five authentication types: Basic, Digest, Negotiate, NTLM, Kerberos
- Creates and visualizes Web shell and SQL shell
- Reads and writes files on a host using injection
- Reads files remotely
- Supports brute-force hashes like MD5 and MySQL
- Supports simple evasion
- Displays URL calls
- Backs up utility configurations
- Checks for updates automatically
- Finds admin pages
- Encodes and decodes strings
- Allows selection of a database type
jSQL Injection is an easy-to-use tool with a built-in brute-forcer for decrypting passwords and other encoded data. You can use it to simultaneously scan multiple websites for SQL injection vulnerabilities. And, in contrast to similar tools, jSQL Injection works well on Windows machines.
At the same time, even though jSQL Injection is more comfortable to work with than, say, SQLMap, it supports fewer SQL injection types than the latter. Plus, jSQL Injection doesn’t allow you to make any changes to databases and has limited automatization capabilities, since it can’t be used in scripts.
It’s also noteworthy that the version of jSQL Injection preinstalled in Kali Linux is outdated: there are newer releases of the tool.
NoSQLMap is an open-source tool written in Python that was created to audit and automate injection attacks. It can also be used for exploiting default configuration weaknesses in NoSQL web applications and databases. The project’s goal is to create a penetration testing tool that can simplify attacks on MongoDB servers and web applications and create concepts for such attacks to debunk the myth that NoSQL is fully immune to SQL injection.
- Performs automatic listing and cloning attacks against MongoDB and CouchDB databases.
- Extracts database names, users, and password hashes from MongoDB through web applications.
- Scans subnets and IP lists to find MongoDB and CouchDB databases with default access and version enumeration.
- Carries out dictionary and brute-force attacks to hack passwords of detected MongoDB and CouchDB hashes.
- Performs injection attacks on PHP application parameters to return all database entries.
One of the main problems is that currently, this tool’s exploits are focused on MongoDB and CouchDB databases. The developers of NoSQLMap promise to add support for Redis and Cassandra in future releases. However, since the homepage for the project isn’t working, we aren’t sure if NoSQLMap is still supported by its creators.
SQLmap is an open-source tool that can help you automate the detection and exploitation of SQL injection flaws and the taking over of database servers. SQLmap has a powerful detection engine and can be launched on Windows.
SQLmap offers support for:
- Popular database management systems including MySQL, Oracle, and IBM DB2
- Six SQL injection techniques: error-based, time-based blind, boolean-based blind, UNION query, stacked queries, and out-of-band
- Direct connections to the database without passing via SQL injection by providing DBMS credentials, IP address, port, and database name
- User enumeration, privileges, roles, password hashes, databases, tables, and columns
- Automatic recognition of password hash formats and support for password cracking with a dictionary-based attack
- Dumping of database tables according to a user’s choice: fully or only for a range of specified entries or columns. The user can also specify a range of characters from a column’s entry to be dumped
- Searching for specific database names, specific tables, or specific columns in database tables
- Downloading and uploading any files from the database server file system for databases using MySQL, PostgreSQL, or Microsoft SQL Server software
- Executing arbitrary commands and retrieving their standard output on the database server operating system (for databases using MySQL, PostgreSQL, or Microsoft SQL Server software)
- Establishing an out-of-band stateful TCP connection between the database server operating system and the attacker’s machine
- Escalating user privileges for database processes via Metasploit’s Meterpreter getsystem command
SQLmap has one of the richest sets of configurations and capabilities among similar testing tools, so you’ll definitely need some time to learn how to use it to the fullest. However, the man page is outdated.
8. Open Vulnerability Assessment System (OpenVAS)
Open Vulnerability Assessment System (OpenVAS), previously named GNessUs, is a framework that consists of several services and tools for detecting and managing network vulnerabilities. This framework can be used to actively monitor network hosts in order to find security issues, determine their severity, and control the way they’re dealt with. Essentially, it’s a tool for detecting hosts that are vulnerable due to the use of old software or misconfiguration.
OpenVAS can scan open ports of a monitored host, send specially formed packets to imitate an attack, authorize on a specific host, get access to the admin panel, run certain commands, and so on.
The framework uses a collection of Network Vulnerability Tests (NVT), which include around 50,000 security tests for vulnerability detection. The description of known problems is then checked against two popular vulnerability management databases: CVE and OpenSCAP. The latter supports several specifications, including OVAL, XCCDF, ARF, CVSS, CCE, and CVE. Just remember that after installing OpenVAS, you’ll need some time to update the current version of the NVT database.
One of the main advantages of OpenVAS is that, in contrast to other scanners, it’s completely free. It’s compatible with the VirtualBox, ESXi, and Hyper-V virtualization systems.
While trying to get ahold of valuable data from the outside is helpful during penetration testing, eavesdropping and intercepting sensitive data from the inside may be even more informative. In the next section, we talk about tools you can use for intercepting and analyzing network traffic.
Sniffing and spoofing traffic
After vulnerability assessment, we can move to a stage that’s just as interesting and important: traffic sniffing and traffic spoofing. As a penetration tester, you can use traffic sniffing and spoofing for many reasons. One of the main uses is for detecting network vulnerabilities and weak spots that can be targeted by attackers. You can check the paths that packets pass within your network and see to where and to whom packets are moving, what information they contain, whether they’re encrypted, etc.
The possibility of a packet being intercepted and any potentially useful information it contains being accessed by an attacker poses a significant threat to your network’s security. Moreover, if an attacker intercepts a packet, they can switch the original packet with a malicious one, which can have devastating consequences.Therefore, your goal is to make it as difficult as possible to sniff and spoof packets sent across your network with the help of encryption, tunneling, and other similar techniques.
Below, we briefly describe six of the most popular Kali Linux tools for sniffing and spoofing network traffic.
Arpspoof is a popular tool for intercepting packets on a local network with commutation. It redirects packets sent within the local network by substituting ARP responses.
Arpspoof is effective for sniffing traffic on a commutator. IP forwarding by the kernel (or by a similarly acting user mode program such as fragrouter) must be enabled beforehand.
2. Burp Suite
Burp Suite is an integrated platform for running web application security tests. This platform includes a set of tools that can be effectively used at each phase of the testing process, starting with website map creation and analysis of the web application attack surface and moving on to search and exploitation of security vulnerabilities.
Burp Suite provides you with full control over the testing process and allows you to combine advanced manual techniques with high-level automation, making testing faster and more effective.
Burp Suite includes:
- A sniffing proxy for inspecting and modifying traffic sent between your browser and the target web application
- An advanced web application scanner that can help you automatically detect several vulnerability types
- An application spider for crawling both content and functionality
- Intruder, Repeater, and Sequencer tools
Burp Suite is able to save your work and resume the workflow later. Plus, the platform is extensible, so you can easily write your own plugins to perform complex and highly customizable tasks. But like any other security testing tool, Burp Suite can significantly harm a web application. Therefore, make sure to make backup copies of the tested application before using Burp Suite and never use it against systems that you don’t have permission to test.
Also, note that in contrast to many tools listed in this article, Burp Suite is a paid product and not an open-source tool. However, it’s easy to use and has an intuitive interface, so it can be used even by newbie testers. At the same time, the platform can be configured according to your needs and has a number of powerful features that will be helpful to advanced testers.
DNSChef is a highly configurable DNS proxy that can be used by both penetration testers and malware analysts. This cross-platform application can forge responses based on lists of both included and excluded domains. DNSChef supports multiple types of DNS records, can match domains with wildcards, can proxy true responses for non-matching domains, and can define external configuration files.
A DNS proxy is a tool used for analyzing application network traffic. For example, a DNS proxy can be used to fake requests for badguy.com into pointing not to the real host somewhere on the internet but to a local machine that will terminate or intercept the request.
Most DNS proxies simply point to a single IP address for all DNS queries or implement only elementary filtering. DNSChef was created as part of a penetration test in which a more flexible system was needed.
DNS proxy will be helpful when there’s no other way to make an application use any other proxy server. For instance, some mobile applications can ignore the operating system settings for an HTTP proxy. In this case, a DNS proxy server such as DNSChef will help you trick the application and redirect its connections to the chosen target.
4. OWASP Zed Attack Proxy
OWASP Zed Attack Proxy (ZAP) is one of the most popular and widely used security tools. The main advantages of OWASP ZAP are that it’s free, open-source, and cross-platform. Plus, it’s actively supported by volunteers all over the globe and is fully internationalized.
ZAP includes a number of helpful features such as automated and passive scanners, proxy server interception, a fuzzer, and traditional and AJAX web crawlers.
You can use OWASP ZAP for automatically detecting security weaknesses in your web applications during development and testing. It’s also a great tool for experienced penetration testers to use when running manual security testing.
The MITMf creators wanted to make an all-in-one tool for both network attacks and MITM attacks while constantly updating and improving existing attacks and techniques. Initially, the MITMf was created to fix critical drawbacks of other tools such as Mallory and Ettercap. But later, it was completely rewritten to ensure a high level of framework scalability so that every user can use MITMf for performing their own MITM attacks.
Main features of the MITMf framework:
- Built-in SMB, HTTP, and DNS servers that can be managed and used by many plugins
- A modified SSLStrip proxy with enabled HTTP modification and partial HSTS bypass
- Active filtering and manipulation of packets in the latest versions (starting from version 0.9.8)
- On-the-fly editing of the configuration file, even if MITMf is running
- Ability to capture multiple types of network data, including FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1 /v2 (all supported protocols like HTTP, SMB, LDAP, etc.) and Kerberos protocol credentials with Net-Creds, which starts simultaneously with MITMf
- Integration with the responder tool allows NBT-NS, LLMNR, and MDNS poisoning
- Support for the Web Proxy Auto-Discovery Protocol (WPAD) fraud server
Wireshark is a popular network protocol analyzer. With this tool, you can see everything that’s happening on your network at the micro level.
In many industries, Wireshark has become the gold standard for network traffic analysis.
Wireshark is essentially the successor to a project created back in 1998. Since then, many network experts from around the world have supported the development of Wireshark.
Currently, this project has one of the richest feature sets:
- Deep inspection of hundreds of protocols
- Full support for multiple platforms including Windows, Linux, Solaris, macOS, NetBSD, and FreeBSD
- Live capture of network data and analysis in offline mode
- Several options for browsing captured network data, including a GUI and the TTY-mode TShark utility
- Powerful display filters
- Rich VoIP analysis
- Rich options for reading live data
- Custom coloring rules for packet analysis
- Output can be exported to several popular formats
- Decryption support for multiple protocols
- Read/write many different captured file formats
Even though Wireshark isn’t that easy to use and requires additional time for studying its features and functionality, it’s probably the most effective tool for intercepting network traffic, encrypting packets, and researching network paths.
Next, we switch our focus to tools that can help you improve the results of one more important part of penetration testing: stress testing.
The main goal of any stress testing tool is to put the tested system or application under circumstances where it can act in a way that may compromise its security and create an opportunity for a successful attack. For instance, we can simulate a situation in which the software is so overloaded that there appears a time window at launch, creating an opportunity for an attack to be performed or malware to be injected.
Below, we provide a brief overview of four useful tools for stress testing.
DHCPig is an improved script for initiating a DHCP exhaustion attack. This script is written in Python with the use of the scapy network library.
DHCPig consumes all IP addresses on the local network, thus banning new users from obtaining IP addresses. To execute DHCPig, you’ll need admin privileges and the scapy network 2.1 or newer. The script doesn’t require any additional configurations; all you need to do is pass the interface as a parameter.
Make sure to use this tool wisely to avoid accidentally blocking hosts and obtaining IP addresses.
It’s noteworthy that while DHCPig is effective and quite popular, it hasn’t received any significant updates since 2017.
FunkLoad is popular web tester for testing functions and load on web applications. The utility is written in Python and lets you perform tasks such as functional web project testing, performance and load testing, and stress testing. It can be used for finding weak spots in a tested web application, detecting bugs that weren’t exposed during cursory testing, and checking an application’s recoverability.
FunkLoad can be used to write web agents with the help of scripts for repetitive tasks, which saves testers lots of time. It can also be used for regression testing. When all tests are over, FunkLoad will provide you with a detailed report about the performance of the tested application.
As for its downsides, FunkLoad doesn’t always work properly with cookies and sometimes may even ignore them.
MDK3 is a proof-of-concept tool that you can use for exploiting vulnerabilities of the IEEE 802.11 protocol.
Note: This tool can only be legally used with the network owner’s consent. It’s your responsibility to make sure that you have permission of the network owner to run MDK against their network.
MDK3 is a new Musket mod (mod-musket-r1) that can send directed probe requests with invalid SSIDs to a targeted access point. After a certain number of sent probe requests are received, the access point is supposed to lock up and reboot.
This tool can be used for Wi-Fi jamming, deauthenticating clients, confusing wireless network monitors, and running an attack aimed at downgrading the encryption algorithm from WPA to a less protected protocol or skipping the encryption process altogether.
MDK3 has several modes:
- Beacon flood
- Authentication DoS
- Basic probing and ESSID bruteforce
- Deauthentication/ Amok disassociation
- WIDS/WIPS confusion
- MAC filter bruteforce
- And more
With the help of MDK3, you can detect both critical and minor performance issues and weak spots of the tested Wi-Fi network.
SlowHTTPTest is a tool for simulating a low-bandwidth Application Layer DoS attack. This tool has a rich set of configurations and is compatible with many Linux platforms.
SlowHTTPTest exploits different vulnerabilities of the HTTP protocol by sending partial HTTP requests to occupy limited server resources or extending the time for reading responses to legitimate requests, thus creating a denial of service.
SlowHTTPTest allows you to configure the level of detail for data output, from simple status information automatically generated every five seconds (Level 1) to a full dump of the traffic (Level 4). It can be easily installed via apt-get and is highly configurable.
Using SlowHTTPTest, you can implement such attacks as slowloris, Slow Read, and Apache Range Header. Just remember that sometimes the server might respond slower not because of a DoS attack but because of SlowHTTPTest itself, as it can occupy all of the available computing resources. This tool sometimes slows down virtual machines and machines with low capacity.
t50, previously named F22 Raptor, is a popular multi-protocol tool for packet injection designed specifically for *nix systems. It supports 15 popular protocols including TCP, UDP, and ESP, and can send them all sequentially. The developers of t50 claim it’s the only tool capable of encapsulating all supported protocols within the Generic Routing Encapsulation (GRE).
You can use t50 for simulating DoS and DDoS attacks and checking how the tested network behaves under stress, overload, and attack. This tool can hit up to one million packets per second in gigabit networks and has generally high performance.
t50 is a great tool that can inject packets fast. Plus, it offers a rich set of options and additional features, so take your time mastering it. Just make sure to use a version newer than 5.8, as this version contains a lot of serious errors that were fixed in newer releases.
Pentesting of web applications
Finally, let’s talk about tools that will be helpful for testing and interacting with different web applications, interfaces, and admin panels. A modern web application is a system with a complex architecture that may contain multiple vulnerabilities with different levels of severity. Furthermore, many applications are connected with international payment systems, ordering services, CRMs, etc.
For this section, we’ve selected five helpful Kali Linux tools and prepared a brief overview for each of them.
ATSCAN is a useful tool for advanced search, massive dork exploitation, and automatic detection of websites with vulnerabilities. It supports popular search engines including Google, Bing, Yandex, Ask.com, and Sogou.
Available for all popular platforms, ATSCAN can perform massive dork search, run multiple scans simultaneously, execute external commands, search for admin pages, automatically detect errors, and more. It includes XSS scanner, LFI/AFD scanner, and other scanners.
DIRB is a popular web content scanner that searches for existing (and possibly hidden) web objects. It uses dictionary-based attacks to form requests for a webserver and analyzes the received responses.
DIRB is provided with a set of preconfigured dictionaries for attacks, although you can use your own as well. In some cases, you can use DIRB as a regular CGI scanner, but don’t forget that it’s a content scanner and not a vulnerability scanner.
The main goal of DIRB is to help testers run a quality web application audit, especially a security audit. It covers some of the gaps left by classic vulnerability scanners. DIRB looks for specific web objects that other CGI scanners usually aren’t searching for. At the same time, it doesn’t look for specific vulnerabilities of potentially vulnerable web content.
Fimap is a useful tool written in Python that can detect both local and remote file inclusion bugs in web applications. It can audit, exploit, and even look up information on these bugs in search engines.
In essence, Fimap is supposed to be something like SQLmap but for LFI/DFI bugs instead of SQL injection. Currently, Fimap is under heavy development, but its main features are quite usable.
- Fully automated auditing of separated URLs, URL lists, and Google search results
- Detects and exploits file inclusion bugs
- Tests and exploits multiple errors
- Injects deleted files
- Has a blind mode that can be used when a server has disabled error reporting
- Has an interactive exploit mode for spawning shell and reverse shell on vulnerable systems
- Allows adding custom requests and paths to XML files and writing custom plugins
- Scans and exploits GET, POST, and cookies
- Allows proxies
- Is compatible with Windows and can attack Windows servers
IronWASP is a free open-source tool for scanning web application security. While it was initially created for Windows, it’s also compatible with Linux. IronWASP mainly supports Python and Ruby but can also use plugins and modules written in C# and VB.NET.
IronWASP has a simple graphical interface that’s easy to use and is provided with a powerful scanning engine and support for entry sequence recording. It scans web applications for over 25 types of well-known vulnerabilities and weaknesses. Reports can be composed in HTML and RTF formats.
IronWASP includes a large variety of built-in modules and provides a number of specific tools:
- WiHawk — A Wi-Fi router vulnerability scanner
- XmlChor — An automatic exploitation tool for XPATH injection
- IronSAP — An SAP security scanner
- SSL Security Checker — A scanner for detecting SSL installation vulnerabilities
- OWASP Skanda — An automatic SSRF operation tool
- CSRF PoC Generator — A tool for generating exploits for CSRF vulnerabilities
- HAWAS — A tool for automatically detecting and decoding encoded strings and hashes on websites
Nikto is an open-source tool for scanning web servers. It searches for default and potentially dangerous files, configurations, and programs on web servers of any type.
Nikto examines the web server under test to detect possible problems and security vulnerabilities, including:
- Incorrect settings for the web server or in software
- Insecure files and programs
- Default files and programs
- Outdated services and programs
Nikto is made on LibWhisker2 (by RFP) and can work on any platform with the Perl environment. The utility supports SSL, host authentication, proxy, payload encoding, and more.
Kali Linux is a powerful and extremely useful tool that every penetration tester must be familiar with. While it offers an impressively rich set of tools for every phase of the penetration testing process, the final choice of tools to use will always depend on the tasks and goals of your current project. Under different circumstances, the same tools can show completely different levels of accuracy and efficiency.
In this article, we talked about ways you can use Kali Linux for penetration testing. We listed some of the most popular and commonly used Kali Linux tools for information gathering, vulnerability analysis, sniffing and spoofing network traffic, stress testing, and interacting with web applications and administrative panels. We’d like to point out once more that many of these tools should only be used for research and security audit purposes, and in some cases strictly in closed networks.
At Apriorit, we have a team of security experts who are passionate about searching for hidden vulnerabilities, mitigating them, and hardening the protection of tested products. Feel free to contact us if you have a question about penetration testing or have a challenging cybersecurity project in mind!