How to do offensive Penetration Testing with Kali?


We will start with the preparation. You will need some basic skills. Beyond being able to do research, manage your time and learn new technical skills, there are less obvious basic skills that will still be very useful for taking PWK and passing the OSCP exam, says an information security professional.

One tip is to take notes. This may seem obvious, but to get the most out of PWK you need to take notes effectively. You must know how to structure your notes, how to keep the data associated with each machine together, how to keep screenshots with your notes, and so on.


There is no single right way to do it, but you could separate the notes into two categories:

  • Thematic notes that describe particular vulnerabilities, tools or techniques: for example, associating particular kernel exploits with the kernel versions they apply to, or notes on techniques for pivoting through machines.
  • Notes per machine, detailing the operating system and applications, the applicable vulnerabilities and the technique used. For most machines a Python or Metasploit resource (rc) script can also be written to re-exploit the machine quickly, since machines in the lab can be reverted at any time by other students.

Having Linux on your workstation. It is surprising to see people enrolling in a class called “Penetration Testing with Kali Linux” who have never used Linux before, but there are many reports of this. Information security experts recommend that you learn to use some form of Linux before paying hundreds of dollars a month for lab access. At least you should be familiar with:

  • The layout of the file system
  • Network configuration
  • Shell familiarity
  • How to use SSH

You do not have to use Kali, but since it is based on Debian Testing, any Debian derivative is a reasonable choice: Debian, Ubuntu and Mint are all good options.

A good way to start is to download a distribution, install it in a virtual machine and use it for a while. Then try to do some “daily driver” tasks in it and familiarize yourself with the interface. Configure and run an SSH server, and test connecting to it with SSH.

Experts also recommend OverTheWire Bandit, a free “war game” that teaches basic Linux concepts. It is free and a good place to start. If you can get through it, you will be well on your way to the basic Linux knowledge needed to continue with PWK.

Experts say you must learn what you do not know. Finding the gaps in your knowledge so that you know what to study, and then filling those gaps, can be quite a challenge. Check the syllabus for the PWK course. If you find yourself confused by it, research further and spend more time becoming familiar with the concepts and terminology.

The class will teach you a lot of the material, but if you are lost even about what the section titles mean, it will be almost impossible to follow and you will certainly not spend as much time working in the labs.

IP and Ethernet networks

Almost all modern networks use IP at the network layer (L3), so you must be familiar with IP networking. Most relevant is the division into IP subnets and the difference between routed and switched networks. Know what RFC1918 is and why those address ranges are special. It is also useful to be able to translate between representations of subnets, such as /24 and /

Information security professionals say that you should understand what “No route to host” means and how to correct or work around it. You should also understand how a dual-homed host (one with interfaces in two networks) works and how that differs from a host that acts as a router between two networks. Note the differences between broadcast and unicast traffic.

  • IP Protocol
  • Ethernet
  • IP subnet calculator
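The subnet arithmetic described above, as an added example that is not part of the original article: it converts between prefix and dotted-mask notation, checks RFC1918 membership explicitly (Python's `is_private` is broader), decides whether two addresses can talk at L2 or need a router, and finds dual-homed hosts that could serve as pivots. The host names and addresses in `HOSTS` are constructed for illustration and are not real lab hosts.

```python
# Added example for this article (not from the original page): subnet
# arithmetic with Python's standard-library ipaddress module. The host names
# and addresses below are constructed for illustration; they are not real
# lab hosts.
import ipaddress

# The three RFC1918 private ranges. ipaddress's is_private is broader (it also
# covers loopback, link-local and others), so the check is spelled out here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls in one of the RFC1918 private ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def prefix_to_mask(prefixlen):
    """24 -> '255.255.255.0'"""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask)


def mask_to_prefix(mask):
    """'255.255.255.0' -> 24 (ipaddress accepts a dotted mask after the slash)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def describe(cidr):
    """The numbers worth copying into per-subnet notes."""
    net = ipaddress.ip_network(cidr, strict=False)
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
        "rfc1918": is_rfc1918(str(net.network_address)),
    }


def same_subnet(a, b, prefixlen):
    """Switched (direct, ARP-resolved) delivery is possible only when both
    addresses sit in the same subnet; otherwise a router has to carry it."""
    return (ipaddress.ip_interface(f"{a}/{prefixlen}").network
            == ipaddress.ip_interface(f"{b}/{prefixlen}").network)


def networks_of(interfaces):
    """Set of subnets a host has an interface in ('10.11.0.4/24' -> 10.11.0.0/24)."""
    return {ipaddress.ip_interface(i).network for i in interfaces}


def pivot_candidates(hosts):
    """Dual-homed hosts: interfaces in more than one subnet. Such a host is not
    a router unless forwarding is enabled, but once compromised it can be used
    to pivot into its second subnet."""
    return {name: sorted(str(n) for n in networks_of(ifaces))
            for name, ifaces in hosts.items() if len(networks_of(ifaces)) > 1}


def reachability(hosts, src):
    """For each other host: 'direct' (shares a subnet with src), 'via <host>'
    (reachable only through a dual-homed host) or 'no route' (what the attack
    box reports as 'No route to host' until a pivot is set up)."""
    src_nets = networks_of(hosts[src])
    result = {}
    for name, ifaces in hosts.items():
        if name == src:
            continue
        dst_nets = networks_of(ifaces)
        if src_nets & dst_nets:
            result[name] = "direct"
            continue
        pivots = [p for p, pifaces in hosts.items()
                  if p not in (src, name)
                  and networks_of(pifaces) & src_nets
                  and networks_of(pifaces) & dst_nets]
        result[name] = f"via {pivots[0]}" if pivots else "no route"
    return result


# Constructed lab layout: kali and web01 share one subnet; web01 also sits on
# the internal subnet where db01 lives; ext is somewhere else entirely.
HOSTS = {
    "kali":  ["10.11.0.4/24"],
    "web01": ["10.11.0.10/24", "10.1.1.10/24"],
    "db01":  ["10.1.1.20/24"],
    "ext":   ["203.0.113.7/24"],
}

if __name__ == "__main__":
    print(describe("10.11.0.0/24"))
    print(pivot_candidates(HOSTS))
    print(reachability(HOSTS, "kali"))
```

Running it stand-alone prints the subnet summary, `web01` as the only pivot candidate, and `db01` as reachable only via `web01`; that is exactly the relationship between machines that the reconnaissance advice later in this article tells you to record.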

TCP and UDP. It is important to know the differences between TCP and UDP, including how connections are established and maintained (or not), and the differences in reliability between the two protocols. Knowing the well-known port numbers of common services will also be useful, say information security researchers.

  • TCP
  • UDP
  • List of TCP and UDP port numbers
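The difference between the two protocols shows up directly in how a port probe behaves, so here is an added example (not code from the original article) that probes a TCP port by completing the three-way handshake and a UDP port by sending a datagram and waiting, and looks up the well-known service name for each port from the system services table. The only targets are listeners the script starts on loopback; the states it returns (`open`, `closed`, `filtered`, `open|filtered`) follow the usual scanner vocabulary and are this example's own naming.

```python
# Added example for this article (not from the original page): a TCP
# "connect" probe and a UDP probe, showing why the two protocols give
# different answers, plus the well-known service name for each port.
# The targets are local listeners started by this script; nothing else is
# scanned.
import socket
import threading


def service_name(port, proto):
    """Well-known name from the system services table (/etc/services), or '?'."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "?"


def tcp_state(host, port, timeout=1.0):
    """Complete the three-way handshake.
    open: handshake finished; closed: the peer answered with RST;
    filtered: nothing came back before the timeout (a dropping firewall)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:          # includes socket.timeout
            return "filtered"


def udp_state(host, port, payload=b"\x00", timeout=1.0):
    """UDP has no handshake, so silence is ambiguous.
    open: the application replied; closed: the kernel relayed an ICMP
    port-unreachable (ECONNREFUSED on a connected UDP socket);
    open|filtered: no reply, which is what a silent service and a dropping
    firewall both look like."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # only records the peer; sends nothing
        s.send(payload)
        try:
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def scan(host, tcp_ports=(), udp_ports=()):
    """Return (proto, port, service, state) rows, the shape a notes table wants."""
    rows = [("tcp", p, service_name(p, "tcp"), tcp_state(host, p)) for p in tcp_ports]
    rows += [("udp", p, service_name(p, "udp"), udp_state(host, p)) for p in udp_ports]
    return rows


def start_local_services():
    """Start a TCP listener and a UDP echo responder on loopback (ephemeral
    ports) so the probes have something real to talk to. Returns
    (tcp_port, udp_port)."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(5)

    def accept_loop():
        while True:
            conn, _ = tcp.accept()   # handshake already done by the kernel
            conn.close()

    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))

    def echo_loop():
        while True:
            data, peer = udp.recvfrom(1024)
            udp.sendto(data, peer)

    threading.Thread(target=accept_loop, daemon=True).start()
    threading.Thread(target=echo_loop, daemon=True).start()
    return tcp.getsockname()[1], udp.getsockname()[1]


def unused_port():
    """Pick a loopback port with nothing listening, to show the 'closed' answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    tcp_port, udp_port = start_local_services()
    for row in scan("127.0.0.1", (tcp_port, unused_port(), 22), (udp_port, 53)):
        print("%-3s %5d %-10s %s" % row)
```

Note the asymmetry: a closed TCP port is unambiguous (the RST comes back immediately), while a UDP port that does not answer cannot be told apart from one behind a firewall, which is why UDP scans are slow and why a service-specific payload rather than a zero byte is usually needed to get a reply.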

Network protocols

Learn about some of the common protocols used on networks. Even if you do not learn the details or read the RFCs, at least read the Wikipedia article on each of the most common protocols.

  • DNS
  • Telnet
  • SSH
  • HTTP
  • SMB / CIFS
  • TLS

Now we turn to operating systems and applications. Professionals comment that knowing how operating systems work at a basic level will be a great help: the differences between operating systems, how processes work, how file systems work, and how authentication and authorization work on each operating system.

We begin with Linux. It is very important to understand the different authentication and authorization mechanisms on Linux systems, as well as the operating system interfaces and common services.

  • The root user
  • Setuid Binaries
  • POSIX users and groups
  • POSIX file system permissions
  • SELinux and AppArmor
  • File locations (/etc/passwd, /etc/shadow, etc.)
  • How services are started (SysV init, Upstart, systemd)
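Several of the items above (the root user, setuid binaries, POSIX permissions, the passwd and shadow files) are exactly what a first privilege-escalation pass on a Linux box looks at. As an added example that is not part of the original article, the script below does those checks with the standard library only: it parses passwd(5) lines, flags extra uid 0 accounts, accounts with a usable shell and hashes stored in passwd instead of shadow, tests whether /etc/shadow is readable, and walks the usual binary directories for setuid files. `PASSWD_SAMPLE` is a constructed file with a made-up hash string, not data from any real host; `find_setuid` walks whatever real directories it is given.

```python
# Added example for this article (not from the original page): the first
# checks of a Linux privilege-escalation pass, standard library only.
# PASSWD_SAMPLE is a constructed /etc/passwd (the hash on the 'legacy' line
# is a made-up string); find_setuid walks the real directories it is given.
import os
import stat

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
legacy:$1$abc$xyz:1001:1001::/home/legacy:/bin/bash
student:x:1000:1000::/home/student:/bin/bash
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
NOLOGIN = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        e = dict(zip(FIELDS, parts))
        e["uid"], e["gid"] = int(e["uid"]), int(e["gid"])
        entries.append(e)
    return entries


def uid0_accounts(entries):
    """Any account with uid 0 is root, whatever it is called."""
    return [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"]


def interactive_accounts(entries):
    """Accounts whose shell allows a login; the ones worth brute-forcing or
    reusing credentials against."""
    return [e["name"] for e in entries if e["shell"] not in NOLOGIN]


def hashes_in_passwd(entries):
    """'x' means the hash lives in /etc/shadow; '*', '!' or '!!' means locked.
    Anything else is a hash sitting in the world-readable passwd file."""
    return [e["name"] for e in entries
            if e["password"] not in ("x", "*", "!", "!!", "")]


def is_setuid(mode):
    """True if the setuid bit is set in a st_mode value (e.g. 0o4755)."""
    return bool(mode & stat.S_ISUID)


def mode_string(mode):
    """ls-style rendering of a st_mode value, e.g. '-rwsr-xr-x'."""
    return stat.filemode(mode)


def find_setuid(roots=("/usr/bin", "/usr/sbin", "/bin", "/sbin")):
    """Regular files with the setuid bit, as (path, owner uid, mode string);
    the Python equivalent of `find / -perm -4000 -type f`."""
    found = []
    for root in roots:
        for dirpath, _, files in os.walk(root, onerror=lambda e: None):
            for f in files:
                path = os.path.join(dirpath, f)
                try:
                    st = os.lstat(path)       # lstat: do not follow symlinks
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and is_setuid(st.st_mode):
                    found.append((path, st.st_uid, mode_string(st.st_mode)))
    return sorted(found)


def shadow_readable(path="/etc/shadow"):
    """Should be False for an unprivileged user; True is a finding by itself."""
    return os.access(path, os.R_OK)


if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        entries = parse_passwd(fh.read())
    print("extra uid 0 accounts:", uid0_accounts(entries))
    print("hashes in passwd:", hashes_in_passwd(entries))
    print("interactive accounts:", interactive_accounts(entries))
    print("/etc/shadow readable:", shadow_readable())
    for path, uid, mode in find_setuid():
        print(mode, uid, path)
```

Each setuid binary that is not part of the stock distribution set, each uid 0 account besides root, and a readable shadow file are the kind of per-machine facts that belong in the notes described at the start of this article.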

Now Windows. Windows behaves very differently from Linux and POSIX systems. Most PWK students are probably familiar with Windows on the desktop, but not in a multi-user setting or in a Windows domain.

  • Users and groups
  • File system permissions
  • Windows Services
  • Domain authentication
  • SMB / CIFS shares

We continue with applications. Some of this is independent of the operating system or differs between operating systems, but it is important to know. Database servers (MySQL / MSSQL / PostgreSQL) and application servers are a large part of the attack surface. For example, know the different web servers (Apache, nginx, IIS) and the mechanisms used to host web applications (mod_php, CGI scripts, php-fpm, Python WSGI and so on). Not all of these are critical, but being familiar with them will be useful.

In a business environment there will be dozens of web applications, most of them backed by database servers or other application servers.

Security basics. PWK is mainly about learning security skills, but there is some knowledge a student should bring to the table, say information security experts. Understanding the basics of security will serve the student well during the course.

  • The CIA triad (confidentiality, integrity and availability)
  • Authentication vs Authorization
  • Memory corruption vulnerabilities
  • Web vulnerabilities (maybe OWASP Top 10)

Scripting. Researchers say it will be useful to become comfortable reading scripts written in Python or Ruby. Many of the exploits on Exploit-DB are in one of these two languages. In addition, Metasploit is written in Ruby, so being able to read its source when necessary will be very useful.

It is even better if you can write in one of these languages or another scripting language. This will help you with re-exploitation scripts and is a very useful skill in its own right.

Getting the most out of PWK. This is based on experience; your learning style and experience may vary.

Note-taking was called out above as one of the most important skills, and it is now one of the activities you should focus on during the course. Taking notes will help you retain what you learn more effectively and, since the exam is open book, can help you in the exam. If you choose to submit a report for the lab and the exam, you can use this documentation to generate the lab report.

The documentation can take many forms during the course:

  • Notes, whether written by hand or typed
  • Network diagrams
  • Shell logs / command line logs
  • Screenshots

If in doubt, keep additional documentation. A couple of minutes here or there can pay off in the long term. I treated the lab as a “real” penetration test, where I documented for each compromised machine:

  • Enumeration / Recon information
  • Vulnerability and exploit used to compromise
  • Hashes / dumped account credentials
  • Screenshot of access to the machine
  • Privilege escalation information
  • Any useful artifact (documentation, files, network shares, etc.)

Reconnaissance. The value of the reconnaissance and enumeration phase cannot be emphasized enough. Exhaustive information gathering will help you identify vulnerabilities and understand how the network fits together. The lab environment really is a network of interconnected components, and treating it as such during reconnaissance will make you much more successful. Information security researchers note that understanding the relationships between machines will help you pivot between hosts and network segments, and understanding a machine's role helps you determine how compromising it could benefit you.

Now, time management. There are several aspects to managing your time throughout the course. Experts recommend dividing your time deliberately between the course material and the labs.

It is recommended to skim the lab guide first to get a general sense of how the course progresses, then go back and work through the guide, videos and exercises together. To get the most out of the course, information security professionals suggest trying to complete all the course material in about the first half of your lab time, because the course material does not cover all the machines in the lab. The other half can be used to work independently on the lab machines.

If you are doing a 60- or 90-day lab period and are worried about not passing the OSCP exam on the first attempt, professionals recommend scheduling an exam attempt about 15 days before the end of your lab time. If you fail, you will then have the chance to return to the lab and review your weak areas before another attempt.