Vulnerability and Penetration Testing Tools
If you search around for vulnerability scanning tools – and particularly free ones – you will stumble across a lot of sites with best products lists and short reviews. You will see stuff that’s free – but with some pretty serious limitations.
After going through many of these sites, a few things start to bubble up – OpenVAS for vulnerability assessment, Metasploit for penetration testing…
… and then, if you’re really lucky, you stumble on to Kali Linux.
Kali is not a single tool like all the others. It’s a curated set of the best open source tools.
Kali evolved from BackTrack Linux. It’s a full Linux distribution that includes best-of-breed free/open source security tools. It’s all there, configured, updated, and like any good Linux distribution, it has all the pointers and tools to keep all the products up to date. It includes the quality tools we mentioned earlier (Metasploit, OpenVAS) and many more.
If you want a good overview of all the tools Kali offers, check out this article.
Best of all, there’s a growing number of quality tutorials and videos to train you on getting the product up and running and running tests.
Along the way, you will find a lot of references to another product – Metasploitable. This is a virtual machine that has been pre-configured with a ton of vulnerabilities to test against!
Finally, as you keep reading, you will find that you can install Kali and Metasploitable as virtual machines under VirtualBox to run one against the other. Even a laptop with enough CPU power, memory and disk can run both!
Start with introductions to the topic
- Good overview of the types of tools and work required, and then follows up with an overview of paid and free vulnerability scanner tools that you can ignore. You’ve already found Kali.
- Kali.org’s Introduction to Kali Revealed is really just an intro to Kali installation and Linux administration for it. If you have some proficiency with Linux, you may be better off skipping it – except for Section 11 – Intro to Security Assessments.
With these two quick intros, you’ll have an idea of the scope of what you’re about to take on.
Installing the software
The faster you go hands-on, the better.
We found it a lot easier to load Kali as a VM under VirtualBox.
Tutorial Point has this excellent tutorial called Kali Linux Installation and Configuration in Virtual Box – and it goes right to installation of Metasploitable in another VM for testing!
Warning: if you want to take it easier on yourself, make sure you are connecting the VMs through Ethernet and not wireless. Getting wireless going in the Kali system appears to be challenging. Due to time constraints (we were lazy and in a hurry), we went the Ethernet route.
If you have a bunch of spare hardware available and potentially some patience and Linux skills, follow the instructions in the Intro to Kali Revealed above to install Kali directly on hardware. But beware. We tried to install it on some older laptops, and it was extremely fussy about Ethernet adapters. Unlike every other Linux distribution we’ve used, it wasn’t finding the adapter included on our hardware. It wanted us to find and load the driver, with no info on how to do it. This is a laptop that was already running Ubuntu 18. The Linux underlying Kali appears to have been stripped down a bit too much.
The Tutorial Point then goes on to give you a quick intro to each of the tools. Phenomenal.
If you want to warm up with some videos first
Free Video Courses and Tutorials
- Udemy: Starting Kali Linux, Ethical Hacking and Penetration Testing – Over 4 hours of on-demand video (enrolment required)
- YouTube: A well-reviewed 1 hour 40 minute video – “An introduction to Penetration Testing using Kali Linux”