Tools - OrestisPrg/bsc_project GitHub Wiki

(1) Nmap (Zenmap: Nmap Security Scanner GUI)

Command-line tool used for network discovery & security auditing. Nmap can:

  • Discover and identify open and closed ports on a network or a host.
  • Provide information about the services behind open ports, the operating system in use and DNS lookups (network enumeration).
  • Send crafted packets to networks and hosts.
  • Determine and test whether or not a service or host is vulnerable to exploitation.

Usage:

  • General syntax: nmap <ip_address or URL>
  • Port type scan: nmap [option] <ip_address or URL>
    • -sS: TCP SYN scan; identifies open ports without completing the TCP handshake, so no full connection is established (default)
    • -sT: scan TCP ports.
    • -sU: scan UDP ports.
  • Specific port scan: nmap [option] <ip_address or URL>
    • -p <port_number>: scan a single port (default).
    • -p <port_range>: scan a range of ports, e.g. 1-10.
    • -p-: scan all 65535 ports.

Other options:

  • -v: Verbose: controls the amount of information printed during execution.
  • -O: OS detection: enables operating system fingerprinting.
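Scan output is only useful if someone checks it against what is supposed to be exposed. The script below, added here as an example (not part of Nmap), parses the XML that nmap -oX writes and flags open ports missing from a constructed expected-services baseline; the sample XML and the baseline are made up for the example.

```python
"""Parse Nmap XML output (nmap -oX file.xml) and flag open ports missing from an
expected-services baseline.  Added example for this wiki; not part of Nmap."""
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan), trimmed to the elements
# this script reads: host address, port protocol/number, state and service name.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -p 1-1000 -oX scan.xml 192.0.2.10">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="udp" portid="53"><state state="open|filtered"/><service name="domain"/></port>
    </ports>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return (host, protocol, port, state, service) tuples for every scanned port."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            svc = port.find("service")
            results.append((addr, port.get("protocol"), int(port.get("portid")),
                            port.find("state").get("state"),
                            svc.get("name") if svc is not None else ""))
    return results

def unexpected_open_ports(results, baseline):
    """baseline maps host -> {(proto, port), ...} that are meant to be exposed.
    Only ports reported as definitely 'open' are flagged; UDP 'open|filtered'
    is ambiguous and is left for manual follow-up."""
    return [r for r in results
            if r[3] == "open" and (r[1], r[2]) not in baseline.get(r[0], set())]

BASELINE = {"192.0.2.10": {("tcp", 22), ("tcp", 80)}}   # constructed expected services

if __name__ == "__main__":
    for host, proto, port, state, name in unexpected_open_ports(parse_nmap_xml(SAMPLE_XML), BASELINE):
        print(f"unexpected open port on {host}: {port}/{proto} ({name})")
```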

(1.1) Nmap Scripts

The Nmap Scripting Engine (NSE) allows users to run custom and community-generated scripts. This lets users automate a range of tasks, including more sophisticated network discovery and OS detection, as well as vulnerability detection and exploitation. Scripts are identified by the .nse extension.

Usage:

  • Run Default Script: nmap -sV -sC <ip_address or URL>
  • Run Specific Script: nmap -sV --script [script_name] <ip_address or URL>
  • Run Script with Arguments: nmap -sV --script [script_name] --script-args [arguments] <ip_address or URL>

The --script-help option prints the documentation for a script, including the arguments it accepts.

(2) Packet Analysers

A packet analyser (also known as a packet sniffer) is a computer program or piece of computer hardware that can intercept and log traffic that passes over a digital network or part of a network. Packet analysers use pcap files to record and display captured packets.

(2.1) Wireshark

Packet analyser used for network troubleshooting, analysis, software and communications protocol development. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

BPF Syntax

During network analysis, specific packets can be selected from a capture using the BPF syntax. An expression is used to filter the packets; expressions are built from 'commands', 'arguments' and 'options'.

ip.src == <ip_address> && tcp.port == 80
The example above selects packets from a particular source IP address on TCP port 80.

A more detailed list of the available filter commands can be found here: Wireshark Display Filter Commands

(2.2) tcpdump

Command-line packet analyser very similar to Wireshark. It also supports the BPF syntax for filtering packets. tcpdump can read pcap files and display them in the command-line interface.

Usage:

  • Read & display a pcap file: tcpdump -r [pcap_file]
  • Filter packets to/from a host: tcpdump -r [pcap_file] host [ip_address]

Other options:

  • -w [file_name]: outputs results into a file.
  • -nn: disables name resolution for both hosts (no DNS lookups) and ports/protocols, so addresses and port numbers are shown numerically.
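To show what a tool like tcpdump or Wireshark does when it reads a pcap file and applies a filter such as the source-host/TCP-port expression above, here is a minimal pcap reader added as an example (not code from either tool). It constructs its own three-frame capture in memory, so the IPs, ports and timestamps are made up.

```python
"""Minimal pcap reader with a 'src host X and tcp port N' style filter.
Added example for this wiki (not part of tcpdump or Wireshark); decodes
Ethernet/IPv4/TCP only and handles the classic 0xA1B2C3D4 pcap magic."""
import socket
import struct

LINKTYPE_ETHERNET = 1

def make_frame(src_ip, dst_ip, sport, dport):
    """Constructed Ethernet+IPv4+TCP frame (zeroed MACs/checksums, no payload)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def make_pcap(frames):
    """Constructed pcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield (timestamp, src_ip, dst_ip, sport, dport) for each IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # magic value reveals the writer's byte order
    off = 24
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:   # skip non-IPv4 / non-TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield ts, src, dst, sport, dport

def filter_packets(data, src_host=None, tcp_port=None):
    """Equivalent of the capture filter 'src host <ip> and tcp port <n>'."""
    return [p for p in read_pcap(data)
            if (src_host is None or p[1] == src_host)
            and (tcp_port is None or tcp_port in (p[3], p[4]))]

# Constructed three-frame capture: a request to port 80, its reply, and a request to 443.
SAMPLE_PCAP = make_pcap([make_frame("192.0.2.10", "198.51.100.5", 51000, 80),
                         make_frame("198.51.100.5", "192.0.2.10", 80, 51000),
                         make_frame("192.0.2.10", "198.51.100.5", 51001, 443)])
```

Calling filter_packets(SAMPLE_PCAP, "192.0.2.10", 80) returns only the first frame, the same selection tcpdump -r would make with the matching host and port filter.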

(3) Burp Suite

Identifies vulnerabilities and attack vectors within web apps. Its proxy allows HTTP traffic to be intercepted as it passes between the client and the server. Its Intercept tool can view and modify HTTP traffic before forwarding it (MITM attack potential).

Features:

  • Interception proxy: gives control over requests sent to a server
  • Repeater: automation of custom attacks/payloads
  • Spider & Discover Content: crawls links

Setup:

  • Configure browser to use its proxy and forward all HTTP traffic through it
  • Set it to listen on a specific port & interface

HTTPS Setup: Burp has to break the SSL/TLS connection between the browser and the server.
Add Burp's CA certificate to the browser to remove its warnings (the certificate is served at http://burp while the browser is proxied through Burp).

Other Tools

John the Ripper

Pre-installed on Kali. Wordlists reduce time needed to crack a password

Hydra

Used for brute-forcing and dictionary attacks

CyberChef

Encoding, encryption and decryption operations (e.g. reversing ciphers).

testssl.sh (cipher suite enumeration)

See enabled ciphers and which are weak

SIFT Machine for Digital Forensics and Incident Response (DFIR)

nslookup

Command-line tool that queries a DNS nameserver to look up IP address information for hosts on the internet. It converts a host or domain name into an IP address.

SimpleHTTPServer

After you have gained user access to a machine, the next most common stage is to gain root access so you can reach the information needed for the pentest. However, there are often no useful tools or programs on the machine that allow you to exploit any vulnerabilities. This is where the SimpleHTTPServer Python module comes into play: it turns any directory on your system into a web server's document root.

The first step would be to create/customise a necessary exploit on a Kali machine using tools such as Metasploit. You would then create a temporary directory and place the exploit in this directory, before running SimpleHTTPServer in this directory on a specific port. This would enable the pentester to access this directory from another host on the network and easily download the exploit by visiting the directory in the browser.

reaver

Reaver implements a brute-force attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases.

aircrack-ng

Suite of tools to assess WiFi network security, focusing on different areas of WiFi security:

  • Monitoring: Packet capture and export of data to text files for further processing by third party tools
  • Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
  • Testing: Checking WiFi cards and driver capabilities (capture and injection)
  • Cracking: WEP and WPA PSK (WPA 1 and 2)

Usage:

  • airmon-ng check [network_card_name]
    • Finds any processes that may interfere with the task. (Kill them in the following order: Network Manager -> dhclient -> the rest.)