Mastering Kali Linux for Advanced Penetration Testing - Third Edition

5 (4 reviews total)
By Vijay Kumar Velu , Robert Beggs
    Advance your knowledge in tech with a Packt subscription

  • Instant online access to over 7,500+ books and videos
  • Constantly updated with 100+ new titles each month
  • Breadth and depth in over 1,000+ technologies
  1. Goal-Based Penetration Testing

About this book

This book takes you, as a tester or security practitioner, through the reconnaissance, vulnerability assessment, exploitation, privilege escalation, and post-exploitation activities used by pentesters.

To start with, you'll use a laboratory environment to validate tools and techniques, along with an application that supports a collaborative approach for pentesting. You'll then progress to passive reconnaissance with open source intelligence and active reconnaissance of the external and internal infrastructure. You'll also focus on how to select, use, customize, and interpret the results from different vulnerability scanners, followed by examining specific routes to the target, which include bypassing physical security and the exfiltration of data using a variety of techniques. You'll discover concepts such as social engineering, attacking wireless networks, web services, and embedded devices.

Once you are confident with these topics, you'll learn the practical aspects of attacking user client systems by backdooring with fileless techniques, followed by focusing on the most vulnerable part of the network – directly attacking the end user. By the end of this book, you'll have explored approaches for carrying out advanced pentesting in tightly secured environments, understood pentesting and hacking techniques employed on embedded peripheral devices.

Publication date:
January 2019


Chapter 1. Goal-Based Penetration Testing

Everything starts with a goal. In this chapter, we will discuss the importance of goal-based penetration testing with a set of objectives and discuss misconceptions and how a typical vulnerability scan, penetration testing, and red teaming exercise can fail without the importance of a goal. This chapter also provides an overview of security testing and setting up a verification lab and focuses on customizing Kali to support some advanced aspects of penetration testing. By the end of this chapter, you'll have learned the following:

  • An overview of security testing
  • Misconceptions of vulnerability scanning, penetration testing, and red teaming exercises
  • History and purpose of Kali Linux
  • Updating and organizing Kali
  • Setting up defined targets
  • Building a verification lab

Conceptual overview of security testing

Every household, individual and public and private business in the world has something to worry about in cyber space, such as privacy, data loss, malware, cyber terrorism, and identity theft. Everything starts with a concept of protection; if you ask the question "What is security testing?" to 100 different security consultants, it is very likely that you'll hear different responses. In the simplest form, security testing is a process to determine that any information asset or system is protected and its functionality is maintained as intended.


Misconceptions of vulnerability scanning, penetration testing, and red team exercises

In this section, we will discuss some misconceptions and limitations on traditional/classical vulnerability scanning, penetration testing, and red teaming exercises. Let's now understand the actual meaning of all of these three in simple terms and their limitations:

  • Vulnerability scanning (Vscan): It is a process of identifying vulnerabilities or security loopholes in a system or network. One of the misconceptions about Vscan is that it will let you know all of the known vulnerabilities; well, it's not true. Limitations with Vscan are only potential vulnerabilities and it purely depends on the type of scanner that one utilizes; it might also include lots of false positives and, to the business owner, there is no clear vision on whether they are relevant risks or not and which one will be utilized by the attackers first to gain access.
  • Penetration testing (Pentest): It is a process of safely exploiting vulnerabilities without much impact to the existing network or business. There is a lower number of false positives since the testers will try and simulate the exploit. Limitations with the pentest are only currently known, publicly available exploits and mostly these are project-focused testing. We often hear from pentesters during an assessment, "Yay! Got Root"—but we never question: What's next? This could be due to various reasons, such as the project limits you to report the high-risk issues immediately to the client or the client is interested in only one segment of the network and wants you to test that.


One of the misconceptions about the pentest is that it provides the full attacker view of the network and you are safe once you've done a penetration testing. Well, it isn't the case if attackers found a vulnerability in the business process of your secure app.

  • Red Team Exercise (RTE): It is a process of evaluating the effectiveness of an organization to defend against cyber threats and improve its security by any possible means; during an RTE, we can notice multiple ways of achieving project objectives and goals, such as complete coverage of activities with the defined project goal, including phishing, wireless, disk drops (USB, CD, and SSD), and physical penetration testing. The limitations with RTEs are time-bound, pre-defined scenarios and an assumed rather than real environment. Often, the RTE is run with a fully monitored mode for every technique and tactics are executed according to the procedure, but this isn't the case when a real attacker wants to achieve an objective.

Often, all three different testing methodologies refer to the term hack or compromise. We will hack your network and show you where your weaknesses are; but wait, does the client or business owner understand the term hack or compromise? How do we measure it? What are the criteria? And when do we know that the hack or compromise is complete? All the questions point to only one thing: what's the primary goal?


Objective-based penetration testing

The primary goal of a pentest/RTE is to determine the real risk, differentiating the risk rating from the scanner and giving a business risk value for each asset, along with the brand image of the organization. It's not about whether how much risk they have; rather, it's about how much they are exposed. A threat that has been found does not really constitute a risk and need not be demonstrated. For example, a Cross-Site Scripting (XSS) on a brochure website may not have significant impact on the business; however, a client might accept the risk to put in a mitigation plan using a Web Application Firewall (WAF) to prevent the XSS attacks.

While objective-based penetration testing is time-based, depending on the specific problem that an organization faces, an example of an objective is: We are most worried about the online portal and fraud transactions. So, the objective now is to compromise the portal or administrators through phishing or take over the approval chains through a system flaw. Every objective comes with its own tactics, techniques, and procedures that will support the primary goal of the penetration test activity. We will be exploring all of the different ways throughout this book using Kali Linux.


The testing methodology

Methodologies rarely consider why a penetration test is being undertaken or which data is critical to the business and needs to be protected. In the absence of this vital first step, penetration tests lose focus.

Many penetration testers are reluctant to follow a defined methodology, fearing that it'll hinder their creativity in exploiting a network. Penetration testing fails to reflect the actual activities of a malicious attacker. Frequently, the client wants to see whether you can gain administrative access to a particular system (Can you root the box?). However, the attacker may be focused on copying critical data in a manner that does not require root access or cause a denial of service.

To address the limitations inherent in formal testing methodologies, they must be integrated in a framework that views the network from the perspective of an attacker, the kill chain.

In 2009, Mike Cloppert of Lockheed Martin CERT introduced the concept that is now known as the attacker kill chain. This includes the steps taken by an adversary when they are attacking a network. It does not always proceed in a linear flow as some steps may occur in parallel. Multiple attacks may be launched over time at the same target, and overlapping stages may occur at the same time.

In this book, we've modified Cloppert's kill chain to more accurately reflect how attackers apply these steps when exploiting networks, application, and data services.

The following diagram shows a typical kill chain of an attacker:

A typical kill chain of an attacker can be described as follows:

  • Explore or reconnaissance phase: The adage, reconnaissance time is never wasted time, adopted by most military organizations, acknowledges that it is better to learn as much as possible about an enemy before engaging them. For the same reason, attackers will conduct extensive reconnaissance of a target before attacking. In fact, it is estimated that at least 70 percent of the work effort of a penetration test or an attack is spent conducting reconnaissance! Generally, they will employ two types of reconnaissance:
    • Passive: This does not directly interact with the target in a hostile manner. For example, the attacker will review the publicly available website(s), assess online media (especially social media sites), and attempt to determine the attack surface of the target. One particular task will be to generate a list of past and current employee names. These names will form the basis of attempts to brute force or guess passwords. They will also be used in social engineering attacks. This type of reconnaissance is difficult, if not impossible, to distinguish from the behavior of regular users.
    • Active: This can be detected by the target but it can be difficult to distinguish most online organizations' faces from the regular backgrounds. Activities occurring during active reconnaissance include physical visits to target premises, port scanning, and remote vulnerability scanning.
  • Delivery phase: Delivery is the selection and development of the weapon that will be used to complete the exploit during the attack. The exact weapon chosen will depend on the attacker's intent as well as the route of delivery (for example, across the network, via wireless, or through a web-based service). The impact of the delivery phase will be examined in the second half of this book.
  • Exploit or compromise phase: This is the point when a particular exploit is successfully applied, allowing attackers to reach their objective. The compromise may have occurred in a single phase (for example, a known operating system vulnerability was exploited using a buffer overflow), or it may have been a multiphase compromise (for example, an attacker physically accessed premises to steal a corporate phone book. The names were used to create lists for brute force attacks against a portal logon. In addition, emails were sent to all employees to click on an embedded link to download a crafted PDF file that compromised their computers). Multiphase attacks are the norm when a malicious attacker targets a specific enterprise.
  • Achieve phase – Action on the Objective: This is frequently, and incorrectly, referred to as the exfiltration phase because there is a focus on perceiving attacks solely as a route to steal sensitive data (such as login information, personal information, and financial information); it is common for an attacker to have a different objective. For example, a business may wish to cause a denial of service in their competitor's network to drive customers to their own website. Therefore, this phase must focus on the many possible actions of an attacker. One of the most common exploit activity occurs when the attackers attempt to improve their access privileges to the highest possible level (vertical escalation) and to compromise as many accounts as possible (horizontal escalation).
  • Achieve phase – Persistence: If there is value in compromising a network or system, then that value can likely be increased if there is persistent access. This allows attackers to maintain communications with a compromised system. From a defender's point of view, this is the part of the kill chain that is usually the easiest to detect.

Kill chains are metamodels of an attacker's behavior when they attempt to compromise a network or a particular data system. As a metamodel, it can incorporate any proprietary or commercial penetration testing methodology. Unlike the methodologies, however, it ensures a strategic-level focus on how an attacker approaches the network. This focus on the attacker's activities will guide the layout and content of this book.


Introduction to Kali Linux – features

Kali Linux (Kali) is the successor to the BackTrack penetration testing platform that is generally regarded as the de facto standard package of tools used to facilitate penetration testing to secure data and voice networks. It was developed by Mati Aharoni and Devon Kearns of Offensive Security. 

In 2018, Kali had four major releases—as of December 2018. The Kali 2018.1 release was on Feb 6 2018 with kernel 4.14.13 and Gnome 3.26.2. The Kali 2018.2 rolling release was on April 30 2018 with Kernel 4.15 that beats the Spectre and meltdown vulnerabilities on x64 and x86 machines, and Kali 2018.3 on August 21 2018 just after the Hacker summer camp. This brings the kernel version to 4.17.0 with minimal addition to the kernel and the final release Kali 2018.4 for the year was on Oct 29 2018 with an experimental Raspberry Pi 3 image that supports 64 bit mode and updated packages of other tools.

Some features of the latest Kali include the following:

  • Over 500 advanced penetration testing, data forensics, and defensive tools are included. The majority of the tools are eliminated and replaced by similar tools. They provide extensive wireless support with multiple hardware and kernel patches to permit the packet injection required by some wireless attacks.
  • Support for multiple desktop environments such as KDE, GNOME3, Xfce, MATE, e17, lxde, and i3wm.
  • By default, Kali Linux has Debian-compliant tools that are synchronized with the Debian repositories at least four times daily, making it easier to update packages and apply security fixes.
  • There are secure Development Environment and GPG signed packages and repositories.
  • There's support for ISO customization, allowing users to build their own versions of customized Kali with a limited set of tools, to make it lightweight. The bootstrap function also performs enterprise-wide network installs that can be automated using pre-seed files.
  • Since ARM-based systems have become more prevalent and less expensive, the support for ARMEL and ARMHF in Kali to be installed on devices such as rk3306 mk/ss808, Raspberry Pi, ODROID U2/X2, Samsung Chromebook, EfikaMX, Beaglebone Black, CuBox, and Galaxy Note 10.1 was introduced.
  • Kali always remains an open source project that is free. Most importantly, it is well supported by an active online community.

Role of Kali in red team tactics

While pentesters can prefer any type of operating system to perform their desired activity, usage of Kali Linux saves significant time and prevents the need to search for packages that aren't typically available for other operating systems. Some of the advantages that are not noticed with Kali during a red team are the following:

  • One single source to attack various platforms
  • Quick to add sources and install packages and supporting libraries (especially those that are not available for Windows)
  • Possible to install even the RPM packages with the usage of alien

The purpose of Kali Linux is to secure things and bundle all of the tools to provide a single platform for penetration testers.


Installing and updating Kali Linux

In the last edition, we focused on the installation of Kali Linux to VMware player, VirtualBox, and Amazon AWS and using the Docker appliance. In this section, we will touch base on installing on the same platforms along with Raspberry Pi 3.

Using as a portable device

It is fairly simple to install Kali Linux onto a portable device. In some situations, clients do not permit the use of an external laptop inside a secure facility. In those cases, typically a testing laptop is provided by the client to the pentester to perform the scan. Running Kali Linux from a portable device has more advantages during a pentest or RTE:

  • It's in the pocket, in case of a USB or mobile device
  • It can be run live without making any changes to the host operating system
  • You can customize the build of Kali Linux and you can even make the storage persistent

There are a simple three steps to make a USB into a portable Kali from a Windows PC:

  1. Download the official Kali Linux image from:
  2. Download Win32 Disk Imager from: We will be using Win32 Disk Imager 1.0.
  3. Open the Win32 Disk Imager as administrator. Plug the USB drive into the PC's available USB port. Browse to the location where you've downloaded your image. You should be able to see what's shown in the following screenshot. Select the right drive name and then click Write:

Once complete, exit the Win32 Disk Imager and safely remove the USB. The Kali Linux is now ready as a portable device to be plugged into any laptop to boot it up live. It is also possible to generate a hash value using the Win32 Disk Imager. If your host operating system is Linux this can be achieved by two standard commands:

sudo fdisk -l

This will display all of the disks mounted on the drive:

dd if=kali linux.iso of=/dev/nameofthedrive bs=512k

That's it. The dd command-line utility does the convert and copy, if is used for input file , of is for output file, and bs is for the block size.

Installing Kali to Raspberry Pi 3

Raspberry Pis are single board devices that are compact in nature and can run just like a fully loaded computer with minimal functionalities. These devices are extremely useful during RTE and penetration testing activities. The base of the operating system is loaded from a SD card just like a hard disk drive for normal computers/laptops.

The same steps as those outlined in the previous section, Using as a portable device, can be performed on a high speed SD card that can be plugged into a Raspberry Pi. We are ready to use the system without any issues. If the installation is successful, the following screen must be present when Kali Linux is booted from a Raspberry Pi. We've used Raspberry Pi 3 for this demonstration and accessed the Pi Operating system using VNC viewer:

Installing Kali onto a VM

In this section, we will take a quick tour of how to install Kali onto VMware Workstation Player and Oracle VirtualBox.

VMware Workstation Player

VMware Workstation Player, formerly known as VMware Player, is free for personal use and a commercial product for business use from VMware as a desktop application that allows us to run a VM inside your host operating system. This application can be downloaded from:

We will be using version 12.5.9 VMware Workstation Player. Once the installer is downloaded, go ahead and install the VMware Player accordingly, based on your host operating system. If the installation is complete, you should have the following screen:

The next step to install the Kali-Linux to VMware is to click on Create a New Virtual machine and select Installer disc image file (iso). Browse your ISO file that was downloaded and then click Next. You can now enter the name of your choice (for example, HackBox) and select the Custom Location where you would like to store your VMware image. Click Next and then you'll specify the disk capacity. It is recommended that a minimum of 10 GB is needed to run Kali. Click Next until you finish.

Another way is to directly download the VMware image and open the .vmx file and select I copied it. That should boot up the fully loaded Kali Linux in VMware.

You can either choose to install the Kali-Linux to the host operating system or run it as a live image. Once all of the installation steps are complete, you are ready to launch Kali Linux from VMware without any problem, as shown in the following screenshot:


Similar to VMware workstation player, VirtualBox is the hypervisor that is completely open source and a free desktop application from which you can run any VM from the host operating system. This application can be downloaded from:

We will now go ahead and install Kali to VirtualBox. Similar to VMware, we will just execute the downloaded executable until we have a successful installation of Oracle VirtualBox, as shown in the following screenshot:

During installation, it is recommended that the RAM be set to at least 1 or 2 GB, and that you create the virtual hard drive with a minimum of 10 GB to have no performance issues. After the final step, you should be able to load Kali Linux in VirtualBox, as shown in the following screenshot:

Installing to a Docker Appliance

Docker is an open source project that is designed to automate the deployment of software containers and applications instantly. Docker also provides the additional abstraction and automation layer of operating system-level virtualization on Linux.

Docker is available for Windows, Mac, Linux, AWS (Amazon Web Services), and Azure. For Windows, Docker can be downloaded from:

After the Docker installation, it should be fairly simple to run Kali Linux by running the docker pull kalilinux/kali-linux-docker and docker run -t -i kalilinux/kali-linux-docker /bin/bashcommands to confirm installation.

We should be able to run Kali Linux directly from Docker as shown in the following screenshot. Also, note that Docker utilizes the VirtualBox environment in the background. So, technically, it is a VM running on VirtualBox through the Docker appliance:

Once the Docker download is complete, you can run the Docker image by running docker run -t -i kalilinux/kali-linux-docker /bin/bash. You should be able to see what's shown in the following screenshot:

Ensure that VT-X is enabled on your system BIOS and Hyper-V is enabled on Windows. Do note that enabling Hyper-V will disable VirtualBox, as shown in the following screenshot:

Kali on AWS Cloud

Amazon Web Services(AWS) provide Kali Linux as part of Amazon Machine Interface (AMI) and Software as a Service (SaaS). A penetration tester or hacker can utilize AWS to conduct penetration testing and more efficient phishing attacks. In this section, we will go through the steps to bring up the Kali Linux on AWS.

First, you'll need to have a valid AWS account. You can sign up by visiting the following URL:

When we log in to the AWS account, we should be able to see all of the AWS services. Search for Kali Linux. You'll see the following as per the screenshot,

AWS services- Kali Linux

The open source community has made it very simple to directly launch with pre-configured Kali Linux 2018.1 in the Amazon marketplace. The following URL will take us to a direct launch of Kali-Linux within a few minutes, Follow the instructions and then you should be able to launch the instance by selecting Continue to Subscribe. This should take you to the following option to select as shown in the following screenshot. Finally, just click Launch:

Before you launch Kali Linux 2018.3 from AWS, it is recommended that you create a new key pair as shown in the following screenshot:

As usual, to use any AWS VM, you must create your own key pair in order to ensure the security of the environment. Then, you should be able to log in by entering the following command from your command shell. In order to use the private key to log in without the password, Amazon enforces the file permission to be tunneled. We will use the following commands to connect to the Kali Linux instance:

chmod 600 privatekey.pem
ssh -i privatekey.pem [email protected]

The following screenshot depicts the successful usage of Kali on AWS:


All of the terms and conditions must be met in order to utilize AWS to perform penetration testing. Legal terms and conditions must be met before launching any attacks from the cloud host.


Organizing Kali Linux

Installation is just the beginning of the setup, as organizing Kali Linux is very important. In this section, we will deep dive into different ways of organizing the HackBox through customization.

Configuring and customizing Kali Linux

Kali is a framework that is used to complete a penetration test. However, the tester should never feel tied to the tools that have been installed by default or by the look and feel of the Kali desktop. By customizing Kali, a tester can increase the security of client data that is being collected and make it easier to do a penetration test.

Common customization made to Kali include the following:

  • Resetting the root password
  • Adding a non-root user
  • Configuring network services and secure communications
  • Adjusting network proxy settings
  • Accessing the secure shell
  • Speeding up Kali operations
  • Sharing folders with MS Windows
  • Creating encrypted folders

Resetting the root password

To change a user password, use the following command:

passwd root

You'll then be prompted to enter a new password, as shown in the following screenshot:

Adding a non-root user

Many of the applications provided in Kali must run with root-level privileges in order to function. Root-level privileges do possess a certain amount of risk; for example, mistyping a command or using the wrong command can cause applications to fail or even damage the system being tested. In some cases, it is preferable to test with user-level privileges. In fact, some applications force the use of lower-privilege accounts.

To create a non-root user, you can simply use the addusercommand from the Terminal and follow the instructions that appear, as shown in the following screenshot:

Configuring network services and secure communications

The first step to ensure that we are able to access the network is to make sure that it has connectivity to either a wired or wireless network to support updates and communications.

You may need to obtain an IP address through DHCP (Dynamic Host Configuration Protocol) by appending network configuration and adding the Ethernet adapter:

# nano /etc/network/interfaces
iface eth0 inet dhcp

Once the network configuration file is appended, you should be able to bring up the ifup script to automatically assign the IP address as shown in the following screenshot:

In the case of a static IP, you can append the same network configuration file with the following lines and quickly set up a static IP to your Kali Linux:

# nano /etc/network/interfaces
iface eth0 inet static
address <your address>
netmask <subnet mask>
broadcast <broadcast mask>
gateway <default gateway>

# nano /etc/resolv.conf
nameserver <your DNS ip> or <Google DNS (>

By default, Kali does not start with the DHCP service enabled. Doing so announces the new IP address to the network, and this may alert administrators about the presence of the tester. For some test cases, this may not be an issue, and it may be advantageous to have certain services start automatically during boot up. This can be achieved by entering the following commands:

update-rc.d networking defaults
/etc/init.d/networking restart

Kali installs with network services that can be started or stopped as required, including DHCP, HTTP, SSH, TFTP, and the VNC server. These services are usually invoked from the command line, however, some are accessible from the Kali menu.

Adjusting network proxy settings

Users located behind an authenticated or unauthenticated proxy connection must modify bash.bashrc and apt.conf. Both files are located in the /etc/ directory.

Edit the bash.bashrc file, as shown in the following screenshot, using a text editor to add the following lines to the bottom of the bash.bashrc file:

export ftp_proxy="ftp://username:[email protected]:port"
export http_proxy="http://username:[email protected]:port"
export https_proxy="https://username:[email protected]:port"
export socks_proxy="https://username:[email protected]:port"

Replace proxyIP and port with your proxy IP address and port number respectively, and replace user and password with your authentication username and password. If there's no need to authenticate, write only the part following the @ symbol. Save and close the file.

Accessing the secure shell

To minimize detection by a target network during testing, Kali does not enable any externally listening network services. Some services, such as Secure Shell (SSH), are already installed. However, they must be enabled prior to use.

Kali comes preconfigured with default SSH keys. Before starting the SSH service, it's a good idea to disable the default keys and generate a unique keyset for use.

Move the default SSH keys to a backup folder, and then generate a new SSH keyset using the following command:

dpkg-reconfigure openssh-server

To confirm the SSH service is running, you can verify using the following command (service ssh status) as shown in the following screenshot:

Note that, with the default configuration of SSH, root login will be disabled. If you require access with the root account, you may have to edit /etc/ssh/sshd_config and set PermitRootLogin to yes, save, and then exit. Finally, from any system on the same network, you should be able to access the SSH service and utilize Kali Linux. In this example, we would use PuTTY, which is a free and portable SSH client for windows. Now you should be able to access the Kali Linux from another machine, accept the SSH certificate, and enter your credentials, as shown in the following screenshot:

Speeding up Kali operations

Several tools can be used to optimize and speed up Kali operations:

  • When using a VM, install the VM's software drive package: Guest Additions (VirtualBox) or VMware Tools (VMware).


We have to ensure that we run apt-get update before the installation.

  • When creating a VM, select a fixed disk size instead of one that is dynamically allocated. It is faster to add files to a fixed disk, and there is less file fragmentation.
  • By default, Kali does not show all applications that are present in the start up menu. Each application that is installed during the boot up process slows the system data and may impact memory use and system performance. Install Boot Up Manager (BUM) to disable unnecessary services and applications that are enabled during the boot up (apt-get install bum), as shown in the following screenshot:

Sharing folders with the host operating system

The Kali toolset has the flexibility to share results with applications residing on different operating systems, especially Microsoft Windows. The most effective way to share data is to create a folder that is accessible from the host operating system as well as the Kali Linux VM guest.

When data is placed in a shared folder from either the host or the VM, it is immediately available via the shared folder to all systems that access that shared folder.

To create a shared folder, perform the following steps:

  1. Create a folder on the host operating system. In this example, it will be called kali_Share.
  2. Right-click on the folder and select the Sharing tab. From this menu, select Share.
  3. Ensure that the file is shared with Everyone, and that Permission Level for this share is set to Read / Write.
  4. If you haven't already done so, install the appropriate tools onto Kali Linux. For example, when using VMware, install the VMware tools.
  1. When the installation is complete, go to the VMware player menu and select Manage and click Virtual Machine Settings. Find the menu that enables Shared Folders and select Always Enabled. Create a path to the shared folder that is present on the host operating system, as shown in the following screenshot:
  1. In the case of Oracle VirtualBox, select the VM and go to the Settings and select Shared Folders, as shown in the following screenshot:


Older versions of VMware player use a different menu.

  1. Run the file from the Kali Linux desktop from your VirtualBox. Now the shared folder will be visible in mnt, as shown in the following screenshot:
  1. Everything placed in the folder will be accessible in the folder of the same name on the host operating system and vice versa.

The shared folder, which will contain sensitive data from a penetration test, must be encrypted to protect the client's network and reduce the tester's liability should the data ever be lost or stolen.

Using Bash scripts to customize Kali

Typically, to maintain system and software development, command-line interfaces were developed as multiple shells in Linux, namely sh, bash, csh, tcsh, and ksh.

We can utilize the following Bash scripts to customize the Kali Linux depending upon the goal of our penetration testing:


Building a verification lab

As a penetration tester, it is recommended to set up your own verification lab to test any kind of vulnerabilities and have the right proof of concept before emulating the same on a live environment.

Installing defined targets

In order to practice the art of exploitation, it is always recommended to make use of the well-known vulnerable software. In this section, we will be installing Metasploitable3, which is a Windows platform, and Mutillidae, which is a PHP framework web application.


Metasploitable3 is an indubitable vulnerable VM that's intended to be tested for multiple exploits using Metasploit. It is under BSD-style license. Two VMs can be built for practice, which can be downloaded from: You can download the ZIP file and unzip it in your favorite Windows location (typically, we segregate in the D:\HackTools\ folder) or you cangit clone using Bash command. Install all of the relevant supporting software such as Packer (, Vagrant (, VirtualBox, and the Vagrant reload plugin. The following commands should install all of the relevant vulnerable services and software:

  • On Windows 10 as the host operating system, you can run the following commands:
./build.ps1 windows2008
./build.ps1 ubuntu1404
  • On Linux or macOS, you can run the following commands:
./ windows2008
./ ubuntu1404

After the VirtualBox file download, you'll just have to run vagrant up win2k8 and vagrant up ub1404 in the same PowerShell. This should bring up your new VM in your VirtualBox without any problem as shown in the following screenshot:


Mutillidae is an open source insecure web application, which is designed for penetration testers to practice all of the web-app specific vulnerability exploitation. XAMPP is another free and open source cross-platform web server solution stack package developed by Apache Friends. The XAMPP can be downloaded from:

We will now be installing the Mutillidae to our newly installed Microsoft windows 2008 R2 server to host it:

  1. Once XAMPP is downloaded, let's go ahead and install the executable by following the wizard. Once the installation is complete and the XAMPP launched, you should be able to see the following screen. We will be using XAMPP version 5.6.36 / PHP 5.6.36:
  1. Mutillidae can be downloaded from:
  2. Unzip the file and copy the folder to C:\yourxampplocation\htdocs\<mutillidae>.
  3. You have to ensure XAMPP is running Apache and MySQL/MariaDB and finally access the .htacess file inside the mutillidae folder and ensure that and the IP range are allowed. We should be able to see the web application installed successfully as shown in the following screenshot and it can be accessed by visiting http://localhost/mutillidae/:


In case of error messages saying that the database is offline or something similar, you may have to reset or set up the DB for Mutillidae.

Setting up an Active Directory and Domain Controller

In the previous edition of Mastering Kali Linux for Advanced Penetration Testing, we learned how to set up an Active Directory in Windows 2008 R2. In this section, we will install Active Directory on Windows 2008 R2. Once you've downloaded the ISO from Microsoft and installed the operating system on VMware workstation player or VirtualBox, you should be able to do the following steps:

  1. Open the Server Manager from the taskbar.
  2. From the Server Manager, click on Add roles and features.
  3. Select Role-based or Features-based installation from the Installation Type screen and click Next.
  4. By default, the same server will be selected.
  5. From the Server Roles page place a checkmark in the checkbox next to Active Directory Domain Services. Additional roles, services, or features are also required to install Domain Services: click Add Features.
  6. Select optional features to install during the AD DS installation by placing a check in the box next to any desired features, and then click Next, operating system compatibility checks, then select Create a new domain in a new format and click Next.
  7. Enter the FQDN (Fully Qualified Domain Name). In the example, we will create a new FQDN as mastering.kali.thirdedition; that should take us to forest functional level. We can select Windows 2008 R2 and click Next; that will enable us to install the DNS (Domain Name System). During this installation, it is recommended to set a static IP to this machine so that the domain controller features can be enabled; in our case, we set the static IP of this server to 192.168.x.x. Finally, you'll need to set the Directory Services Restore mode administrator password; a summary of the configuration will be present.
  8. On the Confirm installation selections screen, review the installation and then click Install.
  9. Once everything is complete, you should be able to see the following screenshot:

Adding users to the Active Directory

To demonstrate the privilege escalation in later chapters, we will create a normal user with domain user privilege and a domain administrator user with full privileges.

To create a normal user on domain, run the following command in the command line on our Domain Controller:

net user normaluser Passw0rd12 /add /domain

To create a domain administrator account, the following commands will create a user as admin and add this user to the domain admins group:

net user admin Passw0rd123 /add /domain
net group "domain admins" admin /add /domain

To validate these users are created, you can use the domain controller by simply running net user from the command line and you should be able to see the users, as shown in the following screenshot:

Adding Metasploitable3 Windows to the new domain

Now we will go back to the Metasaploitable3 Windows that we installed and add it to our newly created domain by following the steps:

  1.  Add the IP address of the domain controller to the DNS setting by editing the Ethernet adapter properties. This is to resolve the FQDN; Metasploitable3 will need to query the domain controller for the domain name resolution.

  2. Click Start button and right click on My Computer and select Properties; under Computer name, Domain and Workgroup settings click on Change settings, that should pop up a system properties windows. On the window click, onChange.

  3. Select the radio button from Workgroup to Domain and enter the domain name as shown in the following screenshot; in our case, the domain name is mastering.kali.thirdedition:
  1. That should prompt you to enter the username and password, and we can login as either normaluser or admin that we created. Once authenticated, the system is connected the domain and any domain user will be able to log in to Metapsloitable3.

This should provide us with a wide range of exposure to multiple vulnerabilities on the network:

  • A vulnerable Windows 2008 R2 (Metasploitable3 server) that is connected to a domain (mastering.kali.thirdedition).
  • A vulnerable web application hosted on a vulnerable Windows 2008 R2 Server (Metasploitable3)
  • A vulnerable services Linux machine (Metasploitable3) running Ubuntu 14.04
  • A domain controller with one domain admin and one normal user

Managing collaborative penetration testing using Faraday

One of the most difficult aspects of penetration testing is remembering to test all of the relevant parts of the network or system target or trying to remember whether the target was actually tested after the testing has been completed. In some cases, a single client may have multiple penetration testers performing scanning activities from multiple locations and management would like to have a single view. Faraday can provide a single view, assuming all of the penetration testers are able to ping each other on the same network or on the internet for external assessment.

Faraday is a multiuser penetration test IDE (Integrated Development Environment). It is designed for testers to distribute, index, and analyze all of the data that is generated during the process of a penetration testing or technical security audit to provide different views such as Management, Executive Summary, and Overall Issues lists.

This IDE platform is developed in Python by InfoByte and version 2.7.2 is installed by default in the latest version of Kali Linux. You can navigate from the menu Applications, click on 12-Reporting tools, and then click on Faraday IDE. That should open up the new workspace to be created by the testers, as shown in the following screenshot:

Launching Faraday should be able to open up the Faraday shell console to us, as shown in the following screenshot:

One of the features of the application is that following any scanning that you or any other penetration testers in your team do, you'll be able to visualize the information by clicking on Faraday Web and you'll be able to see the following:

Faraday Web


There is a limitation on the free version of Faraday for Community that can be utilized to visualize the whole list of issues in a single place.



In this chapter, we took a journey into different methodologies and goal-based penetration testing that help organizations to test themselves against real-time attacks. We learned how penetration testers can use Kali Linux in multiple different platforms to assess the security of data systems and networks. We've taken a quick look into installing Kali on different virtualized platforms and how we can run a Linux operating system on a Windows platform using Docker.

We've built our own verification lab, set up Active Directory Domain Services, and set up two different VMs on the same network, one of which is part of the Active Directory. Most importantly, we learned how to customize Kali to increase the security of our tools and the data that they collect. We're working to achieve the goal of making tools support our process, instead of the other way around!

In the next chapter (Chapter 2, Open Source Intelligence and Passive Reconnaissance), we will learn how effectively we can master Open Source Intelligence (OSINT) to identify the vulnerable attack surfaces of our target and create customized username and password lists to facilitate more focused attacks, extract these details from the dark web, and use other exploits.

About the Authors

  • Vijay Kumar Velu

    Vijay Kumar Velu is a Passionate Information Security Practitioner, Author, Speaker, Investor and Blogger. He has more than 12 years of IT industry experience, is a Licensed Penetration Tester, and has specialized in providing technical solutions to a variety of cyber problems, ranging from simple security configuration reviews to cyber threat intelligence. Vijay holds multiple security qualifications including CEH, ECSA and CHFI. He has Authored couple of books on Penetration Testing "Mastering Kali Linux for Advanced Penetration Testing - Second Edition" and "Mobile Application Penetration Testing". For community Vijay servers as Chair member in NCDRC, India. Out of work, He enjoys playing music and doing charity.

    Browse publications by this author
  • Robert Beggs

    Robert Beggs is the founder and CEO of DigitalDefence, a Canadian-focused company that specializes in preventing and responding to information security incidents. Robert is a security practitioner with more than 15 years of experience. He has been responsible for the technical leadership and project management of more than 300 consulting engagements, including policy development and review, standards compliance, penetration testing of wired and wireless networks, third party security assessments, incident response and data forensics, and other consulting projects. Previously, he provided security services for a major Canadian financial institution and Netigy, a global network and security infrastructure firm based in San Jose.

    Browse publications by this author

Latest Reviews

(4 reviews total)
The book so far has been a good read and is allowing me to expand on my skillset
This was the technical book I was looking for. Well written!
Prima service.

Recommended For You

Mastering Kali Linux for Advanced Penetration Testing - Third Edition
Unlock this book and the full library for FREE
Start free trial