Staying abreast of the latest tools is crucial for ethical hackers, security researchers, and penetration testers. Security professionals rely on both cutting-edge tools and fundamental security controls to strengthen enterprise cybersecurity.
Kali Linux, maintained by OffSec (formerly Offensive Security), is a pivotal asset in any penetration tester's toolkit. Renowned for its comprehensive suite of security utilities, Kali Linux follows a rolling release model, so its packages track upstream releases closely. In 2024, Kali Linux published three releases, 2024.1, 2024.2, and 2024.3, each adding tools that further deepen its arsenal for security testing.
In this article we look at the most interesting and useful tools added to the Kali Linux native package repository in 2024. Some of these tools are not new, but their inclusion in the Kali repository still matters: previously, users had to find and install them by hand, a process often fraught with compatibility and dependency issues. Now they are a single apt install away and benefit from ongoing maintenance by the Kali package maintainers.
Let's review the most useful tools added to the Kali Linux repository in 2024, grouped by use case.
Mxcheck (source code): Scans mail servers. It evaluates a domain's DNS records (A, MX, PTR, SPF, MTA-STS, DKIM, and DMARC), verifies STARTTLS support and certificate validity, scans the SMTP ports (25, 465, 587), tests for open relay, checks whether the server is listed on blocklists, and detects information leaks via the server banner and the VRFY command. With recent spoofing attacks abusing missing or permissive DMARC policies (for example p=none), an MX and mail-authentication check is a must-do on every external assessment.
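The SPF and DMARC portion of such a scan, as an added example that is not mxcheck's own code: it takes the TXT records as strings (so it runs offline; a live check would fetch them from DNS at the domain and at _dmarc.<domain>) and flags the permissive settings the paragraph above warns about. The sample records at the bottom are constructed.

```python
"""Added example (not mxcheck's code): audit SPF and DMARC TXT records for
permissive settings. Records are passed in as strings so this runs offline."""
import re
from typing import List, Optional

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(?:include|a|mx|ptr|exists|redirect)(?:[:=/]|$)")

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag -> value map."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record: Optional[str]) -> List[str]:
    """Return findings for a DMARC record; an empty list means nothing permissive."""
    if record is None:
        return ["no DMARC record: spoofed mail is neither rejected nor reported"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["malformed record: missing v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"missing or invalid p= tag ({policy!r}): receivers ignore the record")
    elif policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains can be spoofed although the apex is protected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

def audit_spf(record: Optional[str]) -> List[str]:
    """Return findings for an SPF record: weak 'all' qualifier, lookup limit, ptr."""
    if record is None:
        return ["no SPF record"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["malformed record: must start with v=spf1"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all: any host may send as this domain")
    elif last == "?all":
        findings.append("?all: neutral result, no protection")
    elif last == "~all":
        findings.append("~all: softfail, relies on DMARC to act on the result")
    elif last != "-all":
        findings.append("no terminal 'all' mechanism: unmatched senders get a neutral result")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms: over the 10-lookup limit, evaluates to permerror")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in terms):
        findings.append("ptr mechanism: deprecated and unreliable")
    return findings

if __name__ == "__main__":
    # Constructed records for demonstration.
    for label, rec in [("spf", "v=spf1 include:_spf.example.com +all"),
                       ("dmarc", "v=DMARC1; p=none; rua=mailto:dmarc@example.com")]:
        fn = audit_spf if label == "spf" else audit_dmarc
        for finding in fn(rec):
            print(f"[{label}] {finding}")
```

The lookup counter matters in practice: a domain that includes too many third-party senders silently exceeds the 10-lookup limit and its SPF evaluates to permerror, which most receivers treat as no SPF at all.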
Netexec (source code): Released in 2023 as the community continuation of CrackMapExec after that project was archived, NetExec (nxc) automates the assessment of large Windows networks. Given a username and password, an NTLM hash, or a Kerberos ticket, it authenticates to SMB, LDAP, WinRM, RDP, MSSQL, SSH, and FTP across whole ranges of hosts to enumerate shares, users, and sessions, check for common misconfigurations, and execute commands.
Netscanner (source code): This command line tool lets the user choose which network interface to scan or capture on. It can scan WiFi networks, measure signal strength, and dump IPv4 and IPv6 packets for protocols such as TCP, UDP, and ARP. Netscanner also scans for open TCP ports, filters captured packets, and exports scanned IP addresses, ports, and packet data to CSV files.
Autorecon (source code): Inspired by Reconnoitre, ReconScan, and bscan, this multi-threaded network reconnaissance tool enumerates the services on a target and then runs follow-up enumeration for each service it finds. It is designed to be efficient rather than covert, so expect it to be noisy to detection products.
Coercer (source code): Tests Windows hosts for Remote Procedure Call (RPC) methods, exposed over SMB named pipes, that can be abused to coerce the machine into authenticating to an attacker-chosen host. Because the coerced authentication comes from the machine account, whose password is long and random, the captured NTLM exchange is normally relayed to another service rather than cracked. Coercer has three modes: Scan Mode, which finds open SMB pipes and reports which coercion methods the target responds to, with results exported in several formats; Fuzz Mode, which tries the known RPC calls with variant paths and configurable delays; and Coerce Mode, which triggers a chosen method to force the server to authenticate to an arbitrary machine.
Horst (source code): The Highly Optimized Radio Scanning Tool (horst) is a compact, text-based IEEE 802.11 WLAN analyzer designed for a quick overview rather than deep packet inspection. Horst can also monitor ad-hoc (IBSS) and mesh networks. It provides details such as signal levels per station, channel utilization, and a spectrum analyzer view of signal levels and usage across channels.
Pspy (source code): Designed to snoop on Linux processes in search of privilege escalation opportunities. Pspy lets a non-root user watch commands run by other users, cron jobs, and so on as they execute, by polling procfs and using inotify file-system events as a trigger to scan immediately. Procfs, short for "process file system," is a pseudo-filesystem used in Unix-like operating systems that is mounted under /proc. By reading /proc, users and programs obtain detailed information about running processes (identified by their PIDs) and system resources; by default, entries such as /proc/<pid>/cmdline are readable by every user, which is what pspy relies on (mounting /proc with hidepid=2 removes that visibility).
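The polling half of that technique, as an added example that is not pspy's code: each pass reads the real UID and command line of every numeric entry under the proc root and reports PIDs that were not there last time. The proc root is a parameter so the same scanner runs against a constructed fake tree (make_fake_proc, with constructed data) for offline testing, or against the real /proc on a Linux host.

```python
"""Added example (not pspy's code): watch procfs for processes started by other
users, as an unprivileged user. proc_root is a parameter so the scanner can be
exercised against a constructed fake tree."""
import os
import tempfile
import time
from typing import Dict, List, NamedTuple, Optional, Tuple

class Proc(NamedTuple):
    pid: int
    uid: int
    cmdline: str

def read_proc(proc_root: str, pid: int) -> Optional[Proc]:
    """Read real UID and command line of one PID; None if it vanished meanwhile."""
    base = os.path.join(proc_root, str(pid))
    try:
        uid = -1
        with open(os.path.join(base, "status"), "rb") as f:
            for line in f:
                if line.startswith(b"Uid:"):
                    uid = int(line.split()[1])   # fields: real, effective, saved, fs
                    break
        with open(os.path.join(base, "cmdline"), "rb") as f:
            raw = f.read()
    except (FileNotFoundError, PermissionError, ProcessLookupError, NotADirectoryError):
        return None
    # argv is NUL-separated; kernel threads have an empty cmdline
    return Proc(pid, uid, raw.replace(b"\x00", b" ").strip().decode(errors="replace"))

def snapshot(proc_root: str = "/proc") -> Dict[int, Proc]:
    """One pass over every numeric entry in proc_root."""
    procs: Dict[int, Proc] = {}
    for name in os.listdir(proc_root):
        if name.isdigit():
            p = read_proc(proc_root, int(name))
            if p is not None:
                procs[p.pid] = p
    return procs

def new_processes(before: Dict[int, Proc], after: Dict[int, Proc]) -> List[Proc]:
    """PIDs present in `after` but not in `before`, in PID order."""
    return [after[pid] for pid in sorted(after.keys() - before.keys())]

def watch(proc_root: str = "/proc", interval: float = 0.05, rounds: Optional[int] = None) -> None:
    """Poll and print each newly seen process. A short interval catches brief
    cron children; pspy adds inotify triggers so it also scans on file events."""
    seen = snapshot(proc_root)
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        now = snapshot(proc_root)
        for p in new_processes(seen, now):
            print(f"UID={p.uid:<6} PID={p.pid:<7} | {p.cmdline}")
        seen, done = now, done + 1

def make_fake_proc(entries: Dict[int, Tuple[int, str]], root: Optional[str] = None) -> str:
    """Build a minimal /proc look-alike (constructed data) for offline testing."""
    root = root or tempfile.mkdtemp(prefix="fakeproc-")
    os.makedirs(os.path.join(root, "sys"), exist_ok=True)   # non-PID entry, must be skipped
    for pid, (uid, cmd) in entries.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "status"), "w") as f:
            f.write(f"Name:\t{os.path.basename(cmd.split()[0])}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(cmd.encode().replace(b" ", b"\x00") + b"\x00")
    return root

if __name__ == "__main__":
    watch(rounds=40)   # on a Linux host: about two seconds of live process activity
```

Run it on a real host and start a cron job or a sudo command in another terminal: the command line, including any password or token passed as an argument, shows up for the unprivileged watcher. That is the privilege escalation lead pspy is looking for.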
Ligolo-ng (source code): A tunneling and pivoting tool written in Go. Instead of a SOCKS proxy or TCP/UDP forwarder wrapped with Proxychains, it creates a TUN interface on the operator's machine (the proxy side), so the pivoted network is reached through ordinary routing and any tool works unmodified. The agent on the compromised host needs no administrative privileges, and the proxy can obtain Let's Encrypt certificates automatically.
Vopono (source code): Runs specific applications through a VPN tunnel by placing them in a temporary network namespace, leaving the rest of the system on its normal connection. It supports WireGuard and OpenVPN, with built-in kill switches for both, and directly supports several VPN providers such as ProtonVPN, NordVPN, AirVPN, HMA (HideMyAss), and Cloudflare Warp. It also accepts custom configurations and supports OpenConnect and OpenFortiVPN.
Gsocket (source code): The Global Socket library enables encrypted connections over the internet between systems without either side knowing the other's IP address or service port. Both ends connect out to the Global Socket Relay Network (GSRN) and find each other by a shared secret; the traffic is encrypted end to end using TLS with SRP keyed from that secret, so the relay cannot read it. The primary use is communication between two endpoints that are both behind NATs or firewalls that cannot be altered, so two machines on different networks can talk despite these traditional networking obstacles. The same property makes it attractive as a persistence channel for intruders, so outbound connections to the GSRN are worth alerting on.
Sprayhound (source code): Password spraying, trying one or a few common passwords against many accounts, is a staple of attackers seeking unauthorized initial access, using common wordlists or credentials stolen in data breaches. Sprayhound conducts password spraying against Windows Active Directory (AD): it reads the domain lockout threshold and each user's badPwdCount over LDAP so that it can skip accounts that would otherwise be locked out, and it integrates with BloodHound (source code), a tool for analyzing AD environments and identifying security flaws, by marking compromised users as owned.
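The lockout arithmetic is the part that keeps a spray from becoming a denial of service, so here it is as an added example that is not sprayhound's code: one spraying round against a constructed in-memory domain (FakeDomain is a stand-in for a domain controller; a real tool reads lockoutThreshold and badPwdCount over LDAP). Accounts that cannot absorb another failure while staying a margin below the threshold are skipped for that round.

```python
"""Added example (not sprayhound's code): one lockout-aware spraying round
against a constructed in-memory domain."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Account:
    password: str
    bad_pwd_count: int = 0
    locked: bool = False

@dataclass
class FakeDomain:
    """Stand-in for a DC (constructed). lockout_threshold=0 means lockout is disabled."""
    lockout_threshold: int
    accounts: Dict[str, Account] = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> bool:
        acct = self.accounts[user]
        if acct.locked:
            return False
        if acct.password == password:
            acct.bad_pwd_count = 0          # a successful logon resets the counter
            return True
        acct.bad_pwd_count += 1
        if self.lockout_threshold and acct.bad_pwd_count >= self.lockout_threshold:
            acct.locked = True
        return False

def safe_targets(bad_counts: Dict[str, int], lockout_threshold: int, margin: int = 1) -> List[str]:
    """Users that can take one more failure and still stay `margin` below the threshold."""
    if lockout_threshold == 0:
        return sorted(bad_counts)
    return sorted(u for u, n in bad_counts.items() if n + 1 <= lockout_threshold - margin)

def spray_round(domain: FakeDomain, password: str, margin: int = 1) -> Tuple[List[str], List[str]]:
    """Try one password against every safe user. Returns (hits, skipped)."""
    counts = {u: a.bad_pwd_count for u, a in domain.accounts.items() if not a.locked}
    targets = safe_targets(counts, domain.lockout_threshold, margin)
    skipped = sorted(set(counts) - set(targets))
    hits = [u for u in targets if domain.authenticate(u, password)]
    return hits, skipped

if __name__ == "__main__":
    # Constructed accounts: carol is already one failure from lockout.
    domain = FakeDomain(lockout_threshold=5, accounts={
        "alice": Account("Winter2024!"),
        "bob": Account("Summer2024!", bad_pwd_count=3),
        "carol": Account("Winter2024!", bad_pwd_count=4),
    })
    for candidate in ("Winter2024!", "Summer2024!"):
        hits, skipped = spray_round(domain, candidate)
        print(f"{candidate}: hits={hits} skipped={skipped}")
```

Note that badPwdCount is per domain controller and resets after the observation window, so a careful spray re-reads it before every round rather than tracking attempts locally.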
Sqlmc (source code): SQL Injection Massive Checker (sqlmc) builds on sqlmap by automating SQL injection testing against every URL found on a domain. Sqlmc spiders the specified domain to a configurable depth and evaluates each link for potential SQL injection in all GET parameters. It does not yet discover forms, send POST requests, or carry cookies for authenticated sessions, so anything behind a login or a form still has to be tested with sqlmap directly.
Graudit (source code): Uses GNU grep with signature databases to find potential security flaws in source code. Graudit stands out among static analysis tools for its minimal requirements and high flexibility: users can extend it by adding signatures to the existing databases or creating new ones tailored to specific needs. It supports over 25 programming languages, including C, Java, Python, JavaScript, and PHP. Because matching is purely pattern-based, expect false positives (hits in comments and dead code) and review each result by hand.
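What a grep-style signature scan does, and why it is noisy, as an added example that is not graudit's code and uses a constructed signature set rather than graudit's databases: each signature is a regular expression applied line by line, and the only context awareness added here is skipping comment lines, which plain grep cannot do. The PHP and Python snippets in the test are constructed.

```python
"""Added example (not graudit's signatures or code): a minimal grep-style
signature scan over source text, with optional comment skipping."""
import re
from typing import Dict, List, NamedTuple, Pattern, Tuple

class Finding(NamedTuple):
    line: int
    rule: str
    text: str

# Constructed signature database: language -> list of (rule name, regex).
SIGNATURES: Dict[str, List[Tuple[str, Pattern]]] = {
    "php": [
        ("eval-of-input", re.compile(r"\beval\s*\(.*\$_(GET|POST|REQUEST|COOKIE)")),
        ("shell-exec", re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(")),
        ("sqli-concat", re.compile(r"(mysqli?_query|->query)\s*\(.*\$_(GET|POST|REQUEST)")),
    ],
    "python": [
        ("shell-true", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")),
        ("pickle-load", re.compile(r"\bpickle\.loads?\(")),
        ("yaml-unsafe", re.compile(r"\byaml\.load\((?!.*Loader=yaml\.SafeLoader)")),
    ],
}

# Line-comment prefixes per language; lines starting with one are skipped.
_COMMENT_PREFIX = {"php": ("//", "#"), "python": ("#",)}

def scan(source: str, language: str, skip_comments: bool = True) -> List[Finding]:
    """Run every signature for `language` over each line of `source`."""
    prefixes = _COMMENT_PREFIX.get(language, ())
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if skip_comments and prefixes and stripped.startswith(prefixes):
            continue
        for name, rx in SIGNATURES.get(language, []):
            if rx.search(line):
                findings.append(Finding(lineno, name, stripped))
    return findings

if __name__ == "__main__":
    # Constructed PHP sample: a commented-out eval, an injectable query, a shell call.
    sample = """<?php
// eval($_GET['x']);
$id = $_GET['id'];
$r = mysqli_query($db, "SELECT * FROM t WHERE id=" . $_GET['id']);
system("ls " . $dir);
"""
    for f in scan(sample, "php"):
        print(f"line {f.line}: {f.rule}: {f.text}")
```

Every hit still needs a human: the sqli-concat rule above fires on any query line that mentions a request variable, whether or not it is escaped or parameterised a few lines earlier.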
Sharpshooter (source code): A payload creation framework that generates payloads in formats such as HTA, JS, VBS, and WSF. SharpShooter stages payloads over HTTP or DNS and can support DNS-based command and control (C2). For basic anti-virus evasion it offers RC4 encryption of the payload, sandbox detection, and environment keying, so the payload only runs on the intended target.
Sickle (source code): A payload development framework originally created to ease shellcode development and understanding. Its modules remain focused on assembly, but the tool is not limited to shellcode. Sickle offers shellcode generation, execution, and extraction, along with disassembly, diffing, and bad character identification, making it a comprehensive aid for researchers working with executable code.
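Bad character identification is the step that most often goes wrong in shellcode work, so here it is as an added example that is not sickle's code: generate the classic probe of every byte value, send it through the vulnerable input path, and compare what was sent with what landed in memory. The target here is simulated_target, a constructed filter that stops at NUL, drops line feeds, and rewrites carriage returns; in a real engagement the received bytes are read back from a debugger.

```python
"""Added example (not sickle's code): generate a bad-character probe and compare
it with the bytes the target actually kept. The target is a constructed filter."""
from typing import List, Optional, Tuple

def badchar_probe(exclude: bytes = b"\x00") -> bytes:
    """Every byte value except the ones already known to be bad (0x00 by default)."""
    return bytes(b for b in range(256) if b not in exclude)

def find_bad_chars(sent: bytes, received: bytes) -> Tuple[List[int], Optional[int]]:
    """Walk both buffers in step. On a mismatch the sent byte is bad; if the next
    sent byte already sits at the current received position the byte was dropped,
    otherwise it was rewritten in place. Returns (bad_bytes, truncating_byte):
    truncating_byte is the sent byte at which the received data ended early,
    meaning nothing after it could be checked."""
    bad: List[int] = []
    i = j = 0
    while i < len(sent):
        if j >= len(received):
            return bad, sent[i]
        if sent[i] == received[j]:
            i, j = i + 1, j + 1
            continue
        bad.append(sent[i])
        if i + 1 < len(sent) and received[j] == sent[i + 1]:
            i += 1                  # byte was dropped by the target
        else:
            i, j = i + 1, j + 1     # byte was substituted in place
    return bad, None

def simulated_target(data: bytes) -> bytes:
    """Constructed stand-in for a vulnerable input path: strcpy-style copy that
    stops at NUL, drops line feeds (0x0a) and rewrites carriage returns (0x0d)."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            break
        if b == 0x0a:
            continue
        out.append(0x20 if b == 0x0d else b)
    return bytes(out)

def hexlist(values: List[int]) -> str:
    """Render bytes the way they are quoted to an encoder, e.g. '\\x0a \\x0d'."""
    return " ".join(f"\\x{v:02x}" for v in values)

if __name__ == "__main__":
    probe = badchar_probe()
    bad, cut = find_bad_chars(probe, simulated_target(probe))
    print("bad chars:", hexlist(bad))                       # \x0a \x0d
    print("truncated at:", None if cut is None else f"\\x{cut:02x}")
```

Iterate: after each pass, regenerate the probe with the newly found bytes excluded and send it again. A substitution that happens to produce the next probe byte looks like a drop in a single pass, and a truncating byte hides everything behind it, so one comparison is never the final answer.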
SET toolkit (source code): The Social-Engineer Toolkit (SET) simulates social engineering attacks. It includes attack vectors for email phishing, website cloning and credential harvesting, rogue wireless access points, SMS spoofing ("smishing"), and malicious QR codes ("quishing").
In 2024, Kali Linux added tools that cover most phases of a penetration test: reconnaissance utilities such as Mxcheck, NetExec, and AutoRecon; tunneling and pivoting tools such as Ligolo-ng and Gsocket; attack tools such as Coercer, Sprayhound, and Sqlmc; payload and shellcode development aids such as SharpShooter and Sickle; and Graudit for finding flaws in source code.
Packaged in Kali, these tools are easier to install and keep current, and they sharpen a tester's ability to find and demonstrate vulnerabilities so that they can be fixed, reflecting Kali Linux's continued commitment to providing current resources for the security community.
© 2024 Packetlabs. All rights reserved.