Kali Linux is a Debian-based Linux distribution originally designed for offensive information security. It contains tools for penetration testing, network security, bug hunting, cybersecurity research, digital forensics, and reverse engineering.

At its 10th anniversary, Kali released Kali Purple 2023.1, a variation of the original build. It includes additional tools focused on defensive information security plus a new defensive menu structure:

Identify Protect Detect Respond Recover

Note: Most of these tools were already part of Kali; they are simply organised in a way that makes sense for a blue/purple team rather than a purely red team approach.


FEATURED DEFENSIVE TOOLS

  • Arkime
    • Full packet capture and analysis tool designed to provide greater visibility, but not as a replacement for an IDS [Link]. Source code available at [Link].
  • CyberChef
    • Intuitive web app for data manipulation and conversion [Link]. Open source, with code available at [Link].
  • Elastic Security
    • Security information and event management tool that combines SIEM, EDR, and cloud security capabilities [Link].
  • Greenbone Vulnerability Manager
    • Also known as OpenVAS [Link], it offers more than just a vulnerability scanner [Link].
  • TheHive
    • Incident response platform that can sync with one or more MISP [Link] instances to start investigations from MISP events [Link].
  • Malcolm
    • A network traffic analysis tool suite [Link]. Source code available at [Link].
  • Suricata
    • A network IDS appliance. As included in the Kali Purple build, it is NOT meant to be used as a router but in campaigns [Link].
  • Zeek
    • An open source IDS formerly known as Bro [Link]. Source code available at [Link].
  • Kali Autopilot
    • An attack script builder framework for automated attacks. It can share scripts for blue teams to run against, as well as practice packet captures for network analysis training [Link].

CHEAT SHEET

Identify

  • amass
    • OWASP Amass is an open source tool written in Go for network mapping, attack surface discovery, and asset discovery using both active and passive techniques [Link].
    • amass intel for intelligence gathering.
      • -active enables active methods.
      • -d, -addr, -asn, and -cidr define a list or range of in-scope targets.
      • -df and -de provide file lists of domains to include and exclude from scope.
      • -whois and -org search directories for reverse whois and organisation names respectively.
      • amass intel -list
        amass intel -whois -d domain.com
        amass intel -org CompanyName
    • amass enum for enumeration.
      • -active and -passive enable active methods or define a purely passive scan.
      • -df, -ef, and -blf specify files for domains to include, exclude, root names, and blacklisted domains respectively.
      • -dns-qps, -max-dns-queries, and -min-for-recursive set limits.
      • -iface specifies the interface to send traffic from (a VPN such as tun0 is recommended).
      • amass enum -list
        amass enum -min-for-recursive 5 -ip -brute -v -src -d domain.com
    • amass viz creates a visualisation graph to add structure to collected information.
      • -o and -oA use an existing output file as source and set the prefix for the output file name respectively.
      • -graphistry, -maltego, and -dot define the graph output format.
      • amass viz -graphistry -d domain.com
        amass viz -maltego -d domain.com
    • amass track analyses a target over time across logged enumerations.
      • amass track -d domain.com
    • amass db views collected data stored in the database or output directory.
      • amass db -d domain.com
    • In all cases, additional flags are available for help (-h), extra verbosity (-v), or quiet output (-silent). See the documentation for more [Link].
  • assetfinder
    • Passively finds related domains and subdomains for in-scope targets [Link].
    • sudo apt install assetfinder -y
      assetfinder -h
      assetfinder domain.com
  • cisco-auditing-tool
    • Scans Cisco devices and appliances for common vulnerabilities.
      • -h and -f for a single host or a list of hosts.
      • -p specifies the port number.
      • -w and -a use word and password lists.
      • sudo apt install cisco-auditing-tool -y
        CAT --help
        CAT 192.168.1.1
  • defectdojo
    • A vulnerability management platform for DevSecOps teams [Link], with triage support and integrations for Jira and Slack.
    • sudo apt install defectdojo -y
      defectdojo start
      defectdojo stop
    • Navigate to http://127.0.0.1:42003 and use the following command to create an admin user:
    • cd /usr/lib/defectdojo && sudo -u _defectdojo -- python3 manage.py createsuperuser
  • hb-honeypot
    • A honeypot [Link] for the Heartbleed vulnerability (CVE-2014-0160), a high-severity OpenSSL flaw [Link].
    • sudo apt install hb-honeypot -y
  • maltego
    • Maltego graphically illustrates and analyses output from intelligence and forensics tools [Link], making it easy to spot patterns that might otherwise go unnoticed.
    • sudo apt install maltego -y
  • maryam
    • OWASP Maryam is an OSINT-based framework for data acquisition and aggregation [Link].
    • sudo apt install maryam -y
      maryam -e show modules
      maryam -e crt -q "domain.com"
      maryam -e github -q "userName"
  • nipper
    • Audits the configuration of Cisco routers, firewalls, switches, and other network devices for security issues [Link]. Note: this tool appears to be unmaintained.
    • sudo apt install nipper-ng -y
      nipper --ios-switch --input=/PATH/switch.config --xml --output=audit.xml
  • osrframework
    • A set of libraries for OSINT collection tasks [Link].
    • usufy identifies social media sites containing a given username.
    • mailfy searches for a given email address or username.
    • phonepy looks for a phone number in popular directories.
    • domainfy finds domains matching a query that resolve to an IP.
    • searchfy searches all sources for a given string or name.
    • checkfy finds potential email addresses based on known aliases and patterns.
    • sudo apt install osrframework -y
      usufy -n userName
      mailfy -n userName
      phonefy -n phoneNumber
      domainfy -n domainPrefix
      searchfy -q 'Full Name'
      
  • searchsploit
    • A CLI tool to query the Exploit Database [Link]. It searches for exploits by query string or filter against a local copy of the database.
    • This database is maintained by the Kali team, but other relevant databases should also be considered during a thorough campaign (not all are equally trustworthy):
    • sudo apt install exploitdb -y
      searchsploit sftp windows
      searchsploit sftp windows --json
      searchsploit -p 40828
      searchsploit sftp --exclude="(PoC)|/dos/"
      searchsploit --cve 2021-44228
  • tiger
    • A collection of tools for internal security auditing and intrusion detection on UNIX-based systems [Link].
    • Run sudo tiger for a full audit.
      • -l specifies the output directory.
      • -G generates MD5 signatures for binary files to detect tampering.
      • -e and -E provide explanations for findings.
      • -q limits output to security issues only.
      • sudo apt install tiger -y
        sudo tiger
        tiger -l /PATH/
        tiger -G
    • Kali’s documentation also mentions the alternatives checksecurity, lsat, and yasat.
  • wapiti
    • A web application dynamic tester [Link] that fuzzes and injects well-known exploits for SQL, XSS, Shell, XXE, CRLF, CSRF, and more.
    • sudo apt install wapiti -y
      wapiti -u http://domain.com/app
  • witnessme
    • This tool is not listed on the Kali tools page and has no man file. It appears to take screenshots of remote hosts, possibly via VNC.
  • zap
    • OWASP ZAP is a proxy tool similar to Burp Suite, used for web application pentesting [Link].
    • It may not be my favourite tool, but it gets the job done without feature throttling (unlike Burp Community Edition for non-paying users).

Protect

  • clamav
    • ClamAV is probably the most widely used open source antivirus for Linux [Link].
    • This signature-based AV engine is the default in many open source projects for scanning email, traffic, and files.
    • sudo apt install clamav clamav-daemon -y
      sudo clamscan --infected --remove --recursive /PATH
      
      
  • cryptsetup
    • A disk encryption setup tool [Link].
    • It uses LUKS (Linux Unified Key Setup) and kernel modules to provide low-overhead encryption for read/write operations on encrypted partitions.
    • See the full walk-through in this post [Link].
  • fwbuilder
    • Firewall Builder is a GUI for creating, editing, and auditing firewall policies across various vendors and platforms [Link].
    • It displays rules and policies as objects in a directory structure.
    • sudo apt install fwbuilder -y

Detect

  • grokevt
    • GrokEVT uses multiple scripts to parse legacy Microsoft Windows event logs [Link]. It appears to be unmaintained.
    • sudo apt install grokevt -y
      grokevt-parselog -l /var/db/grokevt/mysystem
      grokevt-parselog /var/db/grokevt/mysystem System
      grokevt-findlogs dumpDisk.img
  • sentrypeer
    • A decentralised project for protecting SIP/VoIP servers without relying on centralised infrastructure [Link].
    • It uses a peer-to-peer method to share suspicious IPs and phone numbers between servers to detect fraud and trigger notifications.
    • sudo apt install sentrypeer -y
      sentrypeer -w -j -f /PATH/sentrypeer.db -l /PATH/json.log

Respond

  • dc3dd
    • A forensics tool similar to dd but with additional features such as automatic bad sector skipping, hash generation over the copied data stream, compression, and encryption [Link].
    • sudo apt install dc3dd -y
      dc3dd -i
      dc3dd if=/dev/sda of=image.dd hash=sha512
  • ewf-tools
    • A set of forensics tools and libraries with support for EWF (Expert Witness Format) image files [Link].
      • ewfacquire writes device storage to EWF files.
      • ewfacquirestream writes data from standard input to EWF files.
      • ewfexport exports storage media data from EWF files to RAW or a specific EWF version.
      • ewfinfo displays EWF metadata.
      • ewfmount mounts EWF files.
      • ewfrecover creates a new set of EWF files from a corrupt set.
      • ewfverify verifies EWF integrity and authenticity.
      • sudo apt install ewf-tools -y
        ewfinfo image.E01
        ewfverify image.E01
        ewfmount image.E01 /PATH
        ewfrecover image.E01 /PATH
        sudo ewfacquire /dev/sda image.E01
        sudo ewfacquirestream /dev/sda - | ssh [email protected] "cat > /PATH/image.E01"
        ewfacquirestream image.raw | ssh [email protected] remote.example.com "cat > /PATH/image.E01"
        ewfexport image.E01 -f raw -t image.dd
  • foremost
    • A file recovery tool that reads from image files or directly from a storage device [Link].
    • sudo apt install foremost -y
      foremost -t jpg,png -i /dev/sdb1 -o /PATH/RECOVERED/
      foremost -c custom.conf -i image.dd -o /PATH/RECOVERED/
      foremost -t pdf -i /dev/sdc1 -o /PATH/RECOVERED/ -s /usr/share/foremost/pdf.confidential
  • galleta
    • A tool to extract cookies from the defunct Microsoft Internet Explorer.
    • sudo apt install galleta -y
      galleta -d";" output.txt
      galleta example.cookie > output.txt
  • ghidra
    • Ghidra is an open source GUI tool for software reverse engineering, developed by the NSA [Link]. It supports disassembly, decompilation, and debugging, among other features for analysing binary files and software including malware, firmware, and compiled programs.
  • guymager
    • A graphical forensic imaging tool for media acquisition that supports multiple image formats (dd, ewf, and aff, plus disk cloning) and a multi-threaded engine for fast parallel compression [Link].
  • hashrat
    • Hashrat generates hashes using md5, sha1, sha256, sha512, whirlpool, jh-244, jh256, jh-384, jh-512, and other algorithms, useful for password generation, file integrity checking, and duplicate detection [Link].
    • sudo apt install hashrat -y
      cat fileName | hashrat -md5
    • Note: the example above is equivalent to md5sum fileName, but Hashrat offers much more functionality.
  • sleuthkit
    • TSK (The Sleuth Kit) is a digital forensics library and collection of command line tools for analysing disk volumes and file systems [Link].
    • sudo apt install libtsk-dev libtsk19 sleuthkit -y
      • blkcalc
      • blkcat
      • blkls
      • blkstat
      • fcat
      • ffind
      • fiwalk
      • fls
      • fsstat
      • hfind
      • icat
      • ifind
      • ils
      • img_cat
      • img_stat
      • istat
      • jcat
      • jls
      • jpeg_extract
      • mactime
      • mmcat
      • mmls
      • mmstat
      • pstat
      • sigfind
      • sorter
      • srch_strings
      • tsk_comparedir
      • tsk_gettimes
      • tsk_imageinfo
      • tsk_loaddb
      • tsk_recover
      • usnjls
  • mac-robber
    • A sibling project of TSK and Autopsy. Mac-Robber is a digital investigation and incident response tool that collects metadata from allocated files and directories in a mounted file system [Link].
    • sudo apt install mac-robber -y
      mac-robber /PATH/
      mac-robber /PATH/ | mactime -z EST
  • impacket-scripts
    • Impacket is a Python library with tools for interacting with network services such as SMB, MSSQL, and LDAP. It is commonly used for password cracking, network sniffing, packet manipulation, password spraying, and privilege escalation by security researchers [Link]. Impacket-Scripts can be used for both offensive (pentesting) and defensive (network monitoring, detection, and incident response) purposes.
    • sudo apt install impacket-scripts -y
        • impacket-addcomputer
        • impacket-atexec
        • impacket-dcomexec
        • impacket-dpapi
        • impacket-esentutl
        • impacket-exchanger
        • impacket-findDelegation
        • impacket-GetADUsers
        • impacket-getArch
        • impacket-Get-GPPPassword
        • impacket-GetNPUsers
        • impacket-getPac
        • impacket-getST
        • impacket-getTGT
        • impacket-GetUserSPNs
        • impacket-goldenPac
        • impacket-karmaSMB
        • impacket-keylistattack
        • impacket-kintercept
        • impacket-lookupsid
        • impacket-machine_role
        • impacket-mimikatz
        • impacket-mqtt_check
        • impacket-mssqlclient
        • impacket-mssqlinstance
        • impacket-netview
        • impacket-nmapAnswerMachine
        • impacket-ntfs-read
        • impacket-ntlmrelayx
        • impacket-ping
        • impacket-ping6
        • impacket-psexec
        • impacket-raiseChild
        • impacket-rbcd
        • impacket-rdp_check
        • impacket-reg
        • impacket-registry-read
        • impacket-rpcdump
        • impacket-rpcmap
        • impacket-sambaPipe
        • impacket-samrdump
        • impacket-secretsdump
        • impacket-services
        • impacket-smbclient
        • impacket-smbexec
        • impacket-smbpasswd
        • impacket-smbrelayx
        • impacket-smbserver
        • impacket-sniff
        • impacket-sniffer
        • impacket-split
        • impacket-ticketConverter
        • impacket-ticketer
        • impacket-wmiexec
        • impacket-wmipersist
        • impacket-wmiquery
  • netsniff-ng
    • Netsniff-ng is a free Linux networking toolkit for network development, analysis, debugging, auditing, and reconnaissance [Link]. Source code available at [Link].
    • sudo apt install netsniff-ng
      • netsniff-ng a zero-copy analyser and pcap capture/replay tool compatible with tcpdump and wireshark.
      • trafgen a multi-threaded, low-level, zero-copy network packet generator (including raw 802.11 frames).
      • mausezahn a high-level packet generator for network appliances with a Cisco-style CLI, useful for stress testing, malformed packets, and malicious packet tests.
      • bpfc a BPF (Berkeley Packet Filter) compiler and disassembler with support for undocumented Linux filter extensions.
      • ifpps a top-like kernel networking statistics tool.
        • -d or --dev specifies the device.
        • -n or --num-cpus specifies the number of CPUs/cores to display in ncurses mode (default: 10).
        • -t or --interval sets the refresh interval (default: 1000ms).
        • -c or --csv outputs data in CSV format.
        • -o or --omit-header omits headers when used with -c.
        • -l or --loop continuously outputs data to the terminal after each refresh interval. Requires -c.
        • -m or --median shows median values across all CPUs/cores for load and interrupts.
        • -p or --promisc enables promiscuous mode on the NIC. May also require hypervisor-level changes in virtualised environments.
        • -P or --percentage shows values relative to the line rate.
        • -W or --no-warn suppresses warnings.
        • ifpps eth0
          sudo ifpps -pd eth0
          sudo ifpps -lpcd eth0 > eth0raw.data
          sudo ifpps -lpcd wlan0 > wlan0raw.data
      • flowtop a top-like netfilter connection tracking tool.
        • -4 or --ipv4 for IPv4 only.
        • -6 or --ipv6 for IPv6 only.
        • -T or --tcp for TCP traffic only.
        • -U or --udp for UDP traffic only.
        • -I or --icmp for ICMP traffic only.
        • -D or --dccp for DCCP traffic only.
        • -S or --sctp for SCTP traffic only.
        • -n or --no-dns disables reverse DNS lookups.
        • -s or --show-src shows the source IP.
        • -b or --bits shows speed in bits/s instead of bytes/s.
        • -G or --no-geoip disables the GeoIP database (recommended; known to be buggy).
        • -u or --update updates the local GeoIP database.
        • -t or --interval sets the refresh interval in seconds (default: 1). All flags can be combined.
          • sudo flowtop -4UTIGs
        • For the GeoIP database:
          • sudo mkdir /usr/share/netsniff-ng
            sudo flowtop --update
          • You may encounter a missing GeoIP.dat.gz file that can no longer be retrieved from mirrors. As a workaround, download and place the file in the specified directory manually, or disable GeoIP with -G.
      • curvetun a lightweight Curve25519-based IP tunnel using TUN/TAP to transfer IPv4/IPv6 TCP/UDP traffic over IPv4/IPv6.
      • astraceroute an autonomous system (AS) traceroute utility that provides additional AS and GeoIP information compared to traceroute and tcptraceroute.
  • ollydbg
    • OllyDbg is a 32-bit assembler-level debugger and decompiler for Microsoft Windows binaries [Link]. It requires wine to run on Linux and is useful for malware analysis. Note: it is not open source.
    • sudo dpkg --add-architecture i386 && sudo apt update && sudo apt -y install wine32
      ollydbg
      • It may fail if wine cannot load kernel32.dll.
  • rkhunter
    • Rootkit Hunter is an open source Unix-based tool that scans for rootkits, backdoors, and local exploits [Link].
    • It compares hashes of important local files against known-good values in online databases.
    • It also searches for rootkits, incorrect permissions, hidden files, suspicious strings in kernel modules, and performs specific tests for Linux and FreeBSD.
    • sudo apt install rkhunter -y
      sudo rkhunter --update
      sudo rkhunter --propupd
      sudo rkhunter -c --enable all --disable none --rwo
      sudo rkhunter --check
      sudo tail -f /var/log/rkhunter.log
      • Note: There is limited value in running it directly on Kali unless it has a secondary drive mounted (cloned from a production server) and you use chroot to scan that system instead. It is most useful when run periodically on production environments as a cronjob with email notifications enabled (e.g. 0 3 * * * root /usr/bin/rkhunter --cronjob --update --quiet).
  • unhide
    • Unhide is a forensics tool that detects processes and open ports hidden by rootkits, LKMs (loadable kernel modules), or other techniques [Link].
    • sudo apt install unhide -y
    • unhide reveals processes hidden from the process list.
      • brute an aggressive method that checks areas not covered by default.
      • proc checks a specific process ID.
      • procall uses all available methods including brute.
      • procfs relies on /proc to obtain the process list.
      • quick a faster, less intrusive check.
      • reverse runs checks in reverse order, starting from brute.
      • sys relies on syscall to obtain the process list.
      • sudo unhide proc
        sudo unhide procall
        sudo unhide -v brute
    • unhide-linux looks for processes hidden via Linux kernel modules.
      • sudo unhide-linux reverse
    • unhide-posix checks for hidden TCP/UDP ports (backdoors).
      • sudo unhide-posix sys
        sudo unhide-posix proc
    • unhide-tcp also checks for hidden TCP/UDP ports (backdoors).
      • sudo unhide-tcp -v
    • unhide_rb checks for hidden processes using C functions commonly found in rootkits, written in Ruby.
      • sudo unhide_rb
    • Note: unhide-gui is not included in Kali and does not appear to be functional.
  • wireshark
    • Wireshark is a network protocol analyser that captures traffic in real time, commonly used for troubleshooting, monitoring, and identifying security vulnerabilities [Link].
  • xplico
    • Xplico is a network forensics tool that extracts content from PCAP files [Link]. For example, it can reconstruct web pages, transferred files, and VoIP calls. It also offers a web interface at http://127.0.0.1:9876 (default credentials: admin:xplico).
      • sudo xplico-webui
    • Command-line usage:
      • xplico -m pcap -f file.pcap
        sudo xplico -m rltm -i eth0
  • yara
    • YARA rules identify patterns in malware binaries to aid in signature-based classification [Link].
    • sudo apt install yara libyara9 libyara-dev -y

Recover

  • ddrescue
    • A widely used tool for recovering data from drives with damaged sectors or blocks [Link]. Other options include SpinRite (not open source, but widely regarded as the most powerful) [Link], MyRescue, Testdisk, Photorec, Foremost, and Scalpel.
    • sudo ddrescue -f --no-split /dev/sdb1 /dev/sdc1 output.log
  • ext3grep
    • A forensics tool for recovering deleted files [Link]. Note: unmaintained, as ext3 is considered obsolete.
    • sudo apt install ext3grep -y
      ext3grep --dump-names /dev/sdb1 | grep 'fileName'
      ext3grep --ls --group 1000 /dev/sdb1
      ext3grep --restore-all /dev/sdb1
  • ext4magic
    • ext4magic was inspired by ext3grep and extundelete and can restore deleted files from ext3/ext4 file systems using the journal [Link].
    • sudo apt install ext4magic -y
      sudo ext4magic /dev/sdb1 -M -d /PATH/Recovered/
  • extundelete
    • ExtUndelete attempts to recover deleted files using clues found in the partition journal [Link].
    • sudo apt install extundelete -y
      sudo extundelete /dev/sdb1 --restore-all
  • myrescue
    • MyRescue is an alternative to ddrescue that makes a best effort to recover data from defective drives [Link].
    • sudo apt install myrescue -y
  • recoverdm
    • RecoverDM recovers data from bad sectors by reading in raw mode while ignoring errors. It is a defunct, discontinued application with no official website.
    • sudo apt install recoverdm -y
  • recoverjpeg
    • RecoverJPEG attempts to recover deleted JPEG and MOV files (using recovermov) from a partition [Link].
    • sudo apt install recoverjpeg -y
  • scrounge-ntfs
    • Scrounge NTFS reads each block of a disk and attempts to rebuild the original file system structure into an output directory [Link].
    • sudo apt install scrounge-ntfs -y
      sudo scrounge-ntfs -l /dev/sdb
      scrounge-ntfs -m  -c    -o /PATH/Recovered/ /dev/sdb
  • undbx
    • UnDBX recovers deleted emails from MS Outlook .dbx files [Link] and can also recover emails or fragments from corrupted files.
    • sudo apt install undbx -y