Book Review: CTF Blueprints

This is a short review of the book Kali Linux CTF Blueprints by Cameron Buchanan, which was published by Packt Publishing in July 2014.

The book’s goal is to provide blueprints for building a CTF environment. In my opinion, this is not quite true, as the blueprints are mere pointers in the right direction. While this might be misleading, it’s actually a good thing, as real blueprints would result in a series of similar or even identical CTFs. Before you buy the book, please note that the author expects a certain level of pentesting knowledge and skill to be already present. Basic concepts such as XSS, privilege escalation or information gathering are not explained.

The target group is definitely the experienced pentester who wants to set up a challenge or training ground for colleagues, and not the inexperienced one who wants to do it to test their own skills. That being said, someone new to the game could still learn a few things by reading this, although there are books out there that are better suited for this task.

In the first and second chapters, the author explains how to set up a vulnerability on Windows or Linux hosts respectively. The chapters are split into three main parts, namely securing the base OS that is used to run the challenge, installing the vulnerable software and finally explaining how the vulnerability could be exploited.

The first part is important, as a challenge should not have any security holes except the intended ones, therefore forcing the challengers into solving the right problems instead of finding a way around them. The second part is pretty obvious, as this book is all about creating vulnerable machines, and the third part just gives some insight into how the challenge could be solved.

There are also some tips on how to plant flags without them being too easy or too hard to find. For example, a C:\flag.txt file would be too easy to find and would also make any post exploitation unnecessary. Hiding the flag inside a config file in a temporary, randomly generated subfolder of the Firefox addons folder would be too hard, unless the objective is clearly stated and includes some hints that would point a player to this location.

I can’t say much about the other four chapters, “Wireless and Mobile”, “Social Engineering”, “Cryptography” and “Red Teaming”, as I didn’t find the time to read them. However, they do look interesting and I’ll post an update as soon as I get to them.

Overall, this is the first PacktPub book that wasn’t completely disappointing. The one thing I missed was some suggestions for vulnerabilities that make good targets in a CTF, preferably in the form of CVEs or a short list of sites where to find things like that. Someone who is new to creating CTFs might have a hard time finding vulnerabilities that are suitable for challenges.

I’m not quite sure if it is worth the price of €16.32 ($22.44) for the ebook edition, as it’s only a quick intro to the topics and lacks depth, but at least you get something in return for your money, unlike many of the other books I reviewed.

However, if I had looked for a short CTF guide that points me in the right direction on how to make my own challenges, I wouldn’t have regretted the purchase.

If you have any specific questions about the book, drop me a line and I’ll see if I can answer them for you.

#Security in time

HashtagSecurity.com has come a long way since it started over two years ago.

In the depths of my hard drive I found screenshots of older hashtagsecurity.com versions, so I decided to share them with you!

Back when I started, it was a blog about pretty much everything that crossed my mind. Having its roots in my first, now buried blog mohrphium.com, which I started during my apprenticeship, it wasn’t solely focused on security. However, after I got my hands on the domain hashtagsecurity.com, I decided to leave the administration area and get more into infosec.

The first “logo” I created was done during a train ride on my tablet. I was playing with different brush settings in a new painting app and created a “#” that I thought would make a great logo for my new blog.

Original logo on my old wordpress blog:

I’m no designer, that’s for sure – but still, I should have known better. After some time, even I noticed that the resolution was crappy, so I imported the jpg file into Inkscape, created an svg from it and imported that into Blender. Yes, I created my v.1.1 logo in a 3D modelling application. That should give you a pretty good picture of how 1337 my design skills are.

Over time I rendered different logos, but the last one was this:

The logo was of course not the only thing that changed. In the beginning I often found my blog showing really old posts. It’s the typical beginners blogging problem.

  1. Post – “There is not much here yet, but I’m gonna start writing soon”
  2. Post – “Sorry for not writing in such a long time, but it’s gonna change real soon, promise”

Even though I didn’t actually write it that way, the publishing dates speak for themselves.

I still have to force myself from time to time to publish posts, but all in all I got kind of a thing going now.

Like every beginning blogger, I wondered if anyone was reading my blog at all. And I still do, actually. That’s why I added Google Analytics at one point. That was pretty much at the beginning, back when it was still running on WordPress. After Ghost came out, I switched to the Node.js-powered new blogging platform and had so many new problems that tracking and analytics weren’t really on my mind anymore.

I tried a few themes but ended up writing my first crappy theme in HTML, CSS, JS and Ghost handles.

This was version 1.0, and it even came with a “mobile version” which only worked correctly in a few browsers, as you can see here.

For a first try I thought it acceptable, when in fact it sucked quite a lot. So I rewrote the whole thing twice, and what you see today is actually v3.1.

Version 2.0 was my first complete rewrite, and though I stuck to the overall design, there was quite a huge change in the codebase.

The big rewrite not only improved my theme, but also my rudimentary CSS, HTML and JS skills, allowing me to finally solve many problems with my mobile theme.

![](/content/images/2014/Aug/v2-0_mobileA.jpg) ![](/content/images/2014/Aug/v2-0_mobileB.jpg)

I thought about releasing the code, but I don’t want anyone having to deal with it – seriously! If you really want the code, just write me and I’ll gladly hand it out. But you have been warned!

Between writing version 2.0 and 3.0 I again found myself wondering if anyone actually read my blog and started to think about my objective. Why was I writing this stuff? And why was I publishing it for everyone to see? The short answer is, because I like to help people. I love finding the solution to a problem in minutes on somebody’s blog and I always wanted to contribute to the open knowledge and open source community. Realizing that, I noticed that it doesn’t matter how many people read my blog. If it helped even just one person, the post was worth writing.

I installed Kibana at one point to get a rough overview of visitors from my web server’s access logs, but that’s about it. I have no need for cookies, tracking or advertisement. The cookies that are created are because of the Twitter panel on the right, and I’m not even sure if I’m going to keep that.

I enjoy a clean blog, and that means no ads, no tracking and no click marathons to get the information you want.

After all that, it seems that I found time to look at my logo again. And it’s fair to say that I did not like it anymore. So I set out on the task of designing a new one. As I’ve mentioned before, I’m no designer, so it took me longer than I want to admit. Here are two of the ideas I had that I scribbled on a pink post-it.

Not much? That’s because no matter how many hashtag designs I looked at, I couldn’t come up with something I liked.

Finally I fired up blender again and due to a lighting accident I came up with this.

This was actually the first logo I kind of liked. I showed it to a few of my colleagues and they said “Show it to the guys from the graphics department, they can surely give you some good feedback”. Oh boy!

I showed it to Nick. He just shook his head and sent me some examples a few minutes later. I mashed them all together to get a better overview, but they were all in high resolution.

After a few mails back and forth, he came up with these two for twitter and one with “Security” instead of just “SEC” for the blog header.

I really liked the red version as well, but since the blog had a blue theme going, I stuck with it in the end. It was a tough decision though!

The new logo inspired me to write version 3.1 and change a few things on the theme. This is how the blog looked a few days ago, still with the old structure and logo. It’s the first minor version update, as it only contains minor feature changes and overall design tweaks. The change from 2.0 to 3.0 brought much bigger changes, such as “mobile first” and a complete rewrite of the CSS stylesheet.

For comparison, this is what the previous theme, so to say version 3.0, looked like.

It might not look that different from 2.0, but again there is quite a lot of code I ripped out and completely rewrote.

Of course it’s not done yet and I’m always going to be changing it. But I hope at least now it’s presentable.
If you want to give me some feedback, I would appreciate it. Just put it in the comment section or tweet me @HashtagSecurity.

DEFCON 22

Defcon is over and the dust has settled – or at least I have rested. Since this was my first Defcon, here is a short write up of my experience.

First off, this post is about DC22 and that alone. If you want to read about my trip to BlackHat, go read my BlackHat review. But honestly, why would you? This is Defcon we’re talking about!

Since I attended BlackHat, I had only three out of four days of Defcon. I arrived around 9:00 AM with my badge in hand at the Rio Hotel, trying to figure out where to go. Ah, just follow the stream of people through the casino. Since I had already picked up my badge at BH the day before, I skipped standing in line for three+ hours and walked around the conference site. It was surprisingly quiet and only small groups of people were walking around, which surprised me to say the least. Where were the masses of hackers, geeks and strange people I had mentally prepared myself for? There wasn’t that much to see, so I headed for Penn & Teller at track 5 where I wanted to attend my first talk. A direct but friendly and loud-voiced goon (Defcon volunteer personnel) was shouting at the attendees, including me, as we slowly made our way up the escalators to the upper seats.

“If you just take a few steps and take a seat, this would go much quicker. It’s not that hard, you’ve done it before. You’ve already taken a few steps to get up here, now take a few more steps and sit down. Move it guys, you’re too slow, the escalator is faster than you! THE ESCALATOR IS FASTER THAN YOU!”

He then explained how we should go about choosing our seat. “Move it, go to the end of the row and sit down. There is a second row, start filling it – now! If the seats next to you are empty, you’ve done it wrong!” He put his hands on the shoulders of one guy, who was sitting all by himself in one of the top rows. “IF THE SEATS NEXT TO YOU ARE EMPTY – YOU’VE – DONE IT – WRONG!”

The talk was a mix of how the badges were made and a general introduction to the mess that is DEFCON. I won’t go into detail, but if you haven’t seen a DEFCON badge before, this is what the DC22 badge and the rest of the attendee kit looked like.

I’m not a hardware guy so I don’t know all the details, but essentially the badge itself is part of the “be active” mentality of Defcon that invites you to do something while you’re there. It included a challenge which took the winning team of about 8 people around 39 hours to solve. Parts of the challenge were hidden on the badge, others on vendor, goon or speaker badges and the rest placed all over Defcon. If you want to know more about the badge challenge, I suggest you read the write-up of the winning team [spoiler alert].

After the talk everyone left the room at the same time, once again overloading the escalators, and a few minutes later I found myself in the main hall surrounded by tons and tons of people. This is what I had expected when I arrived in the morning!

From there on out it’s all a bit blurry. Not because I didn’t do anything, but because I had no feeling for time for the rest of Defcon. The three days felt like only half as much and the days were over so fast that it’s hard to recall what exactly happened. But what I do remember is that I’ve never talked to so many people at any other conference before. The chillout lounge was a perfect spot to just relax, sit down with some people and chat. And chat we did, about pretty much everything that crossed our minds. The best part however is how total strangers can sit down at a table, and only five minutes later they are joking (at each other’s expense of course), drinking, laughing, having a good time and solving problems. And that’s what impressed me the most. On Saturday morning I sat down with a small group of people, and they were still hung over from the night before. That however did not stop them one bit from discussing all sorts of matters. If I had to describe Defcon in one sentence it would be “thousands of people partying and solving the world’s problems at the same time”.

Defcon is of course much more than chatting with people and listening to talks. There are so many challenges to solve, villages to participate in and learn new things, vendors to buy gadgets, books, tools, swag, etc., and every time I went through the different areas I found something I had overlooked the first couple of times. And that’s exactly why I’m going to stop here. I can’t possibly describe how amazing every single part of Defcon was and I would surely miss some awesome things. Just go to DC23 and see for yourself. I’m definitely going to be there and I’m looking forward to spending even more time there and finding even more stuff to explore. If you don’t have anyone to go with, don’t worry – you’ll make new friends in the first five minutes, or maybe even before that if you spend some time at forum.defcon.org or the IRC channel #dc-forums.

For those who want to see more, I posted all the pictures I took on my Twitter account – @HashtagSecurity. Hopefully I will find the time to write about all the challenges, villages and other fun stuff that happens at Defcon next year.

Thanks to everyone who attended Defcon this year, I had a great time and met loads of great people. Special thanks of course to all goons and organizers and everyone who helped make Defcon what it is.

See you next year!

Python Cheat Sheet

I like to solve my problems in python, so here is a small cheat sheet on python tricks that make my life easier.

There’s not much yet, but more to come!

End for loop on return-key hit

If you need a certain task done over and over again, you can use watch -n [seconds] 'task', but I sometimes need all the information at once, without the screen being cleared after every execution. That’s where Python comes in handy.

#!/usr/bin/python
# Python 2: repeat a task until a line (the return key) is waiting on stdin
import sys, select

print "Hit <Return> to exit"
while True:
    print "I'm doing stuff :)"
    # select() with a zero timeout polls stdin without blocking the loop
    if sys.stdin in select.select([sys.stdin], [], [], 0)[0]:
        print "Exiting..."
        break

This little snippet will do what you want until the end of (up)time – or until you hit the return button.

HTTP requests made easy

Normally Python uses urllib to make HTTP requests, but that’s kind of a PITA and not very pythonic. “requests” is a library that aims to make it easier – and it does!

Everything you need to know to get started can be found here

It’s easy to install

git clone git://github.com/kennethreitz/requests.git
cd requests
sudo python setup.py install

and easy to use

>>> import requests
>>> r = requests.get('https://api.github.com/user', auth=('user', 'pass'))
>>> r.status_code
200
>>> r.headers['content-type']
'application/json; charset=utf8'
>>> r.encoding
'utf-8'
>>> r.text
u'{"type":"User"...'
>>> r.json()
{u'private_gists': 419, u'total_private_repos': 77, ...}

Manipulating strings

There is one thing that baffled me when it comes to strings in Python.
Namely, I wanted to print the two middle characters of a string. This is what I tried first:

    # My string (I want to print "CD")
    >>> string = "ABCDEF"
    # get half the length of the string (len(string) == 6, half == 3)
    >>> pos = len(string)/2
    # print the middle chars.
    >>> print string[pos:pos+1]
    C

Note: pos == 3, pos+1 == 4
To my understanding, pos and pos+1 should print characters 3 and 4, meaning CD. Python however treats slice indices as positions between characters, and the end index is exclusive: pos+1 points to the beginning of the 4th character, so the 4th character D is not printed. To get both, you need to specify the start of the 5th character, as this is also the end of the 4th.

The correct syntax to print CD would be

>>> print string[pos:pos+2]
CD

For more string manipulation, look here.

Random Notes

This is a post for random notes, since I never know where to put them, and always have trouble finding them later…

Also, I’m sick of running a personal wiki. So everything worth its own blog post or cheat sheet will become one if I find the time. Everything else will end up here.

There is no structure here yet, so it’s more of a “I found out how it works and dumped it here” kinda thing until I have the motivation to clean it up.

[Ctrl]+[F] is your friend!

Topics: (In progress)

  1. Linux Shell

Linux GUI

VNC Viewer – Arrow keys resize windows

**Problem:** When I use the terminal inside my VNC session (full screen mode), the up arrow key doesn’t browse the command history as usual, but resizes the terminal window.

Source:
Gnome appears to be interpreting Up and Down as Super-Up and Super-Down. I tested both servers, and from both the vinagre and xvnc4viewer clients.

Workaround:
As a workaround, you can go to the keyboard control panel and change the keybindings to remove Super+Up and Super+Down from the Windows section.

Spotify Multimedia Keys in Kubuntu

Using the right-click feature sucks – especially when we have multimedia keys on our keyboard.

Run [Ctrl]+[F2] and type “Custom Shortcuts”.

Then right click in the free space on the left side under the folder tree and click “New Group”. Right click on your new Spotify group and go to “New -> Global Shortcut -> Command / URL” and name that shortcut “Play / Pause”.

In the Command/URL field under the Action tab, you enter the following command:

dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.PlayPause

That’s pretty much it. Now do the same for all your keys. The commands are:

dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Previous
dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Next
dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Stop

Last but not least, you need to assign keys to your shortcuts. You can do this under the Trigger tab.

Don’t forget to enable your new shortcuts and the Spotify group.

Really random

VMware ESX zlib.dll missing

Hi,

I thought it would be good to keep this info archived in the group for further reference on ESXi, see below.

Kudos to Eric for figuring this out.


Regards,
Daniel

-------- Original Message --------

This seems to be a common issue with importing OVA files onto ESXi from a Windows 7 computer VMware console with the following setup:

ESXi v5.0
Windows 7 Pro x64
OVA on local C: drive
vSphere Client installed from VMware-viclient-all-5.0.0-455964.exe

The error in question is simply the VMware console trying to uncompress the OVA file using a library file that is simply not in the correct directory. Moving this file to a location that is in the system’s PATH will resolve this issue.

Copy C:\Program Files (x86)\Common Files\VMware\USB\zlib1.dll
to
C:\Windows (Win 7 Pro).

This resolved the issue for me and the OVA file was easily imported into ESXi.

Ghost
Image size

Scale post images to 1400 px width and < 256KB JPGs to upload them.
(GIMP: scale to 1400, export as jpg with quality setting 50 for Sony Xperia Z images)

Links, Tools, Resources

Tools

Resources

Other stuff

Sort:

Convert Apache cert to IIS

openssl pkcs12 -export -out certificate.pfx -inkey mycert.key -in mycert.crt -certfile CA.crt
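An added example, not the original post’s command, that wraps the same conversion in a small script: it checks that the private key and certificate actually belong together before exporting, supplies the export password non-interactively via -passout instead of being prompted, and locks down permissions on the resulting .pfx, which now carries the private key. The function names and file names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): PEM key/cert pair (Apache style)
# to a password-protected PKCS#12 bundle (.pfx) for IIS, with sanity checks.

# Return 0 if the private key and the certificate carry the same public key.
# Both are normalised to DER-encoded SubjectPublicKeyInfo and hashed.
key_matches_cert() {
    key="$1"; crt="$2"
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# to_pfx KEY CERT CA_CHAIN OUT PASSWORD
# Refuses to export a mismatched pair, sets the export password without a
# prompt, and restricts the bundle to the owner because it contains the key.
to_pfx() {
    key="$1"; crt="$2"; ca="$3"; out="$4"; pw="$5"
    if ! key_matches_cert "$key" "$crt"; then
        echo "refusing to export: $key does not match $crt" >&2
        return 1
    fi
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
        -certfile "$ca" -passout "pass:$pw" || return 1
    chmod 600 "$out"
}

# Count the certificates inside a .pfx (leaf plus chain) to verify the export.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
```

The password passed via -passout shows up in the process list and shell history, so on a shared host read it from a file (-passout file:...) instead.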

BSidesLondon 2014

Here is my review of BSidesLondon ’14, with a heavy focus on the rookie track, since I spent almost all of my time there.

As promised in my talk “CSP Analysis – Attacking XSS Mitigation”, I published the source code of all my examples (and more), along with some explanation of what I did, on GitHub.

My Rookie Talk

First of all, here is the video 🙂

I had a lot of fun talking at BSidesLND and I’m really looking forward to seeing all the great people I met again.

BSidesLondon 2014 – Rookie Talks:

First talk was by Sasha Zijinovic and was called “Run-time tools to aid application security assessments”. It was an interesting topic, although I found it hard to follow because Sasha often looked at the floor or his slides. It was still a good talk though and I hope to see Sasha talk at other cons in the future.

Right after that, Kristo Helasvuo held his “Copenhagen and Becks for Cybersecurity” talk, and I’m sorry but I really can’t tell you what it’s all about. I had problems understanding him, but it could also be because I missed the first five minutes of his 15 minute talk. In retrospect, it’s probably the latter.

The next talk, “Reputational Damage”, was canceled and replaced with “A look at modern warfare” by Kaitlyn Garratley (@kaitlyn4495), which was very well presented. We got a good look at the costs of normal warfare (building tanks, training troops, etc.) and modern warfare (e.g. developing and distributing Stuxnet-like weapons).

“When a noob comes aware” was an excellent talk by Herbie Zimmerman, and let’s just say he nailed it. The talk was about awareness programs and how they are often approached from the wrong perspective. Herbie said he will probably publish the video of his talk. If I get it, I’ll add the link.

After Herbie, Scott MacKenzie presented his “Infosec is board Responsibility” talk, which I really enjoyed. @Scott, I might have to get back to you with some questions once I’m back home.

Just before lunch, Grant Willcox presented his Recon-NG module in “Crawling Metadata with Recon-ng” which was really interesting. Now I have to play with it – thanks Grant… so much to do, so little time.

After lunch, I came back to the rookie track a little bit too late, so I missed half of Joseph Greenwood’s talk on “Game-Based CTFs – Engaging University Students in InfoSec”. The key point for me was that the reasons for doing CTFs, aside from them being really interesting and a lot of fun, are rarely explained. Joseph took an approach to show students the possible results of an actual breach in an end-of-world scenario. He and his team recoded the nuclear-apocalypse game DefCon in Python and hooked it up to vulnerable servers. Once a team hacked a server, it could launch enemy nuclear missiles in DefCon at enemy cities.

I did a quick sweep through the BSides halls and, after talking to some of the sponsors, I watched the talks “Why information security should be important to all of us” by Beverley A MacKenzie and “Zero-Day Surprises via your Supply Chain” by Vivian Nwoji. Both of them got me thinking, which is probably why I didn’t pay too much attention to Vinayak Ram’s talk “SIEM – making the white elephant dance”. Sorry about that, but if I remember correctly it was something along the lines of people putting in the wrong data and expecting marvelous results, while ending up being disappointed by their SIEM.

The “Best Rookie Talk” prize-winning presentation was “Is privacy still a thing” by Georgi Boiko, and I think there is no need for me to say anything about it. He earned it, go watch it! (if you find it..)

“A multidisciplinary Perspective on Cybersecurity” is definitely not your average infosec talk. It was a completely different approach by Emil Tan, which I’m not able to explain from memory, however if it is uploaded (I’m looking at you Emil!) I will definitely watch it again, maybe I’ll be able to explain it then. Good talk!

Between Emil’s talk and the next one, there was a short break, giving me just enough time to realize that I had to give my own presentation soon. Joseph Gwynne-Jones gave his talk completely in sign language, with a translator speaking to us. This was definitely a new experience and kudos to Joseph for pulling this one off!

RFID hacking is something I haven’t had much contact with yet, but I probably will try my luck at it after watching “RFID Hacking – an introduction” by @d3sre. I’m amazed that she did most of it on an Arduino, writing all of the protocol stuff herself.

Time for Fraser Scott’s talk on “Privacy Through Choice: Something for the Masses”. I’m sorry Scott, but I don’t remember anything of your talk. Probably because I was nervous being up next. I’ll watch it once it’s on YouTube though 😉

My own talk was “Content Security Policy Analysis – Attacking XSS Mitigation”. I will probably add more info once I get home, but for now, please check out the git repo with the examples and explanations on GitHub.

I think my talk went well, but I won’t know for sure until I see the video (which I will post regardless of the outcome!). Big thanks go out to my mentor Dave Hartley from MWR Labs for helping me, as well as to Scott Finlay, a colleague of mine who helped out with the JavaScript examples during research, and my brother Moritz Jäger (the one from nerd-supreme.de) for his honest feedback.

Also of course to everyone who made BSidesLondon 2014 possible, to Robin and Finnux for running the Rookie Track, and to everyone who attended for an awesome event.

PS:

I’m sorry that I didn’t watch all of the rookie talks, especially “Teaching Kids programming and Cyber Security” by Dalian Terry and Sam Sanoop. I was really looking forward to this one, but after my talk I went out, and just like that the keynote was up. Don’t know what happened there…

Getting Started with Kali Linux

After reviewing the book Instant Kali Linux, I thought, why not give it a try and actually do better the things I nagged about? Well, for one thing it’s a lot of work, and I try not to start projects that are way too demanding and end up never finishing them.

But maybe it’s time for just such a project and who knows, maybe I’ll even finish it. In any case, you can read along while the book develops and hopefully give some feedback.

Disclaimer: All the information provided in this document is for educational purposes only. The site and its author are in no way responsible for any misuse of the information.

I will continue writing this book whenever I find time to. This book comes free of charge but without any warranty or promises :).

Topics:

  1. Introduction to Kali Linux

It is hard for me to decide how far I should go into detail on a single tool. I try to explain everything that I think starters should know and add links to further resources as the book evolves. If you miss any information or want to share a link you think might be of value to the readers, please contact me at admin@mohrphium.com.

Introduction to Kali Linux

For those of you that don’t know what Linux is, this book might be the wrong source to get started. I’m not saying that you shouldn’t read this book, but there are better guides on getting started with Linux. Since I hate it when a book suggests that I should read another book before I can get started reading about what interests me, I will give a quick introduction to Linux as well.

If you already know how Linux works and spent your fair share of time on a console, you can skip to chapter 5. If you just saw a picture of your favourite gaming console flash before your inner eye, you might want to keep reading.

A Linux distribution, such as Debian, is based on the Linux kernel. A distribution is basically a collection of tools that form an OS. Many distros are built for a specific purpose: there are the ones trying to give users the best out-of-the-box experience, the ones that let you do everything manually, the ones that are focused on providing stable packages, or the ones providing the most cutting-edge, up-to-date packages, and of course the ones that serve a very specific purpose, such as distros that are used as firewalls, intrusion detection systems and so on.

Kali is a Linux distribution, but instead of being made from scratch, it is based on the Debian distribution. This allows its maintainers (the guys over at offsec.com) to focus on the huge collection of already installed tools that are useful for penetration testers, exploit developers and almost anyone who’s into IT security. Even if you’re working as a system administrator, many of these tools can come in handy.

If you need information on Kali Linux and you don’t find it here, you should try the official documentation.

Installation Guide

So how do you get Kali Linux? First off, you need to download the .iso image from kali.org. Do yourself a favor and download the image via torrent, it’s much faster than the regular download.

In this book, I will be working in a Kali Linux VM running in VirtualBox, because it’s free, cross-platform and has everything we need. If you prefer VMware Workstation or any other virtualisation, or even want to install it directly on your hardware, go ahead. The latter has of course the benefit of having direct access to GPU and CPU, which comes in handy if you want to crack passwords.

Installing Kali in Virtualbox

I will not go through the process of installing VirtualBox itself, and I won’t show a picture for every step.

If you have a second HDD available (not a partition; an internal physical hard drive or eSATA/USB3), you can put your VM’s virtual disk on this disk, which improves the overall performance. To do that, go to

Start VirtualBox and click on “New” to create a new virtual machine. Enter a name for your VM and choose Linux as type and “Debian (64 bit)” as version. I personally like to set my VM’s RAM to 2048MB, but you can work with 1024MB if you don’t have enough memory.

Create a new virtual disk and choose the VDI format. I normally use Dynamically allocated, which takes only the space on your disk the VM really needs. If you have enough space you might want to choose Fixed size, which takes longer to create since it allocates the whole disk size, but it also boosts the VM’s performance.
The disk should have at least 12GB of space, but I like to create 50GB disks. That way I usually don’t run out of space – there is nothing more annoying than running out of disk space while working on something.

When you’re done, start the VM. VirtualBox will ask you for a DVD drive or .iso file to boot from, since the hdd is still empty. Click on the small folder icon to browse through your file system and select the Kali Linux image you downloaded earlier. You should be presented with a boot menu. Select the Graphical Install entry. If you want to leave the window, press the right [CTRL] key on your keyboard.

The graphical installation should be self-explanatory. If you speak English (which you probably do since you’re reading this) choose English and en_US.UTF-8 for language and locales. It makes your life a lot easier in my experience.

Wait for the setup to load everything, then choose a hostname for your VM, enter your domain name (if you have one) and set a root password.
Choose the entry “Guided – use entire disk”, select the previously created virtual hdd and install “All files in one partition”. After that, you’ll be shown a summary of your disk partitioning, which you can accept by clicking continue. At “Write changes to disk?” select Yes and move on.

Answer the following questions like I did.
“Use a network mirror?” Yes.
“HTTP proxy information” leave blank.
“Install the GRUB bootloader to the master boot record?” Yes.

Wait for Kali to reboot after installation and boot your new OS. Virtualbox will automatically boot from your hdd instead of the .iso.


Notes on VMware Workstation

If you want to use the preinstalled image (which isn’t available from kali.org anymore) of Kali in VMware Workstation 8 or lower, you need to edit the .vmx file and change the following line

virtualHW.version = "9"

to your version of Workstation.

Also, if you use the preinstalled image, make sure you change the default login credentials (root/toor) – they are public, so anyone who can reach the vm on the network knows them. For those new to Linux: you won’t get any visual feedback while typing the new password. That is normal, type it anyway and don’t leave it blank!

root@kali:~# passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully


Install Virtualbox GuestAdditions

The VBox GuestAdditions make your life much easier and therefore should be installed. To do so, log in to Kali and open up a terminal by clicking on the black box with the > sign in it on the top bar.

A terminal window should open, which shows you the following prompt.

root@kali:~# 

This prompt tells you everything you need to know about your user in the terminal. root is the user you are executing programs as, @kali indicates the host you are currently on. This changes if you connect to other hosts, for example using ssh. After the : comes the path of your current location, where ~ stands for your home folder. The root user has its home in /root/, other users normally have their home folders in /home/username/. Lastly, # indicates that you are the root user; otherwise there would be a $ instead.

Now that you know what the prompt means, enter the following commands to install the Virtualbox GuestAdditions.

root@kali:~# apt-get install virtualbox-guest-additions virtualbox-guest-dkms -y
root@kali:~# reboot

From now on, whenever you see a prompt like this you are expected to run a command on the terminal in the context of the specified user.


Configuring and updating the system

A lot of tools in Kali need root permissions. root is the system administrator account and is allowed to do everything on your Linux machine, which is exactly why you shouldn’t run everything as root: a bug or an exploit in a program you run as root compromises the whole system, not just your account. I always create a normal user in Kali, in this case called hashtagsecurity. This allows me to run programs like firefox or chrome as a normal user.

root@kali:~# adduser hashtagsecurity

You don’t have to fill out the information, but make sure to set a password.
Now logout (click root in the upper right corner) and login as your newly created user.
To run commands as root, you can either open a terminal and enter

su

which will ask you for your root password (use su - if you want root’s own login environment and PATH instead of your user’s), or open the root terminal at “Applications -> Accessories -> Root Terminal (Red Logo)”.

Last but not least, you need to update Kali. This is something you should do regularly, so you get security fixes for the system as well as new features for the tools.

root@kali:~# apt-get update
root@kali:~# apt-get upgrade

apt-get is the package manager used to install, search for, remove and upgrade packages. apt-get update refreshes the package lists from the configured repositories (it doesn’t install anything), and apt-get upgrade installs the newer versions it found.

Getting started with the GUI

By default, the graphical user interface should look like this.

If you have installed the GuestAdditions you can jump into fullscreen mode by pressing the right [CTRL]+[F] keys.

Unlike Windows, Kali Linux has two system bars. The one at the bottom contains the open programs and, in the right corner, the switcher applet to change between multiple virtual desktops. In the top bar you can see, from left to right, the Applications and Places menus, as well as a few shortcuts to iceweasel (firefox) and the command line, a calendar widget, sound options, remote connections (RDP) and user settings.

If you want to change system settings, take a look at Places; otherwise we will focus on the Applications menu, specifically the Kali Linux submenu, which provides most of the on-board security tools sorted into categories.

Among a few others, the categories listed in this menu entry will also be the topics of the coming chapters.

Menu overview and standard tools
Here is a quick introduction to most of the tools you can find in the menu outside the “Kali Linux” submenu.

One important thing about Kali is that you can open any program with [ALT]+[F2] if you know its name. So if you already know which program to run, don’t bother clicking through the menu.

Chat:

Applications -> Internet -> Empathy

Empathy is a chat program that supports the following protocols
Jabber, Facebook, Google, AIM, gadugadu, GroupWise, ICQ, IRC, MSN, mxit, myspace, sametime, Yahoo, zephyr

Browser:

Applications -> Internet -> Iceweasel

Iceweasel, the Debian build of Firefox, is installed by default. If you need Chromium (the open-source browser that Google Chrome is built on), you can install it with

root@kali:~# apt-get install chromium-browser

and start it from Applications -> Internet -> Chromium. (If apt-get can’t find that package name, the Debian package is simply called chromium.)

Note that Chromium refuses to run as root. The common workarounds, patching some bytes in the executable or passing --no-sandbox, disable its process sandbox, so you lose the one protection that makes a browser tolerable on a pentesting box. It’s easier to use a normal user for everyday tasks and a root shell only for the things that need administrative privileges.

Documentation:

Applications -> Accessories -> Zim Desktop Wiki

There are different ways to keep notes and document your process while working in Kali. My personal favourite is Zim Desktop Wiki, with which I do all my documentation. It is, as the name suggests, a typical wiki with markup functionality, only that it runs as a desktop application instead of on a web server.
I won’t go into detail about Zim, because it’s pretty self-explanatory.

Other tools on board are the notebook KeepNote, as well as typical text editors like LeafPad and GVim. A side note on the latter – GVim is the graphical version of Vim, the command-line (cli) editor. If you don’t know Vim, you should absolutely try it!

Applications -> Office -> KeepNote

Applications -> Accessories -> LeafPad

Applications -> Accessories -> GVim

Vim works very differently from your normal editor, but it’s a very powerful cli editor. What you should know is that Vim operates in modes. You can leave any mode with the [ESC] key and enter them with their shortcuts. In [v]isual mode you can select text, which can then be used in Vim commands. The most important mode is [i]nsert, which lets you insert and edit text. The commands below that start with : are typed in command-line mode, which you enter by pressing : in normal mode.

Here is a list of the most important Vim commands (leave any mode first with [ESC])

To save the file enter
:w
To quit enter
:q
To quit without saving
:q!
To quit with saving
:wq
To save and force overwrite
:w!
Search in file
/searchterm
Search and replace all
:%s/search/replace/g

Vim has a lot of features (just search for Vim cheat sheets), but this should help you get started. It is important to know how to work with a command-line editor if you don’t want to be stuck at some point. Many servers don’t have a graphical interface installed, which leaves you only with command-line tools.

If you need a plain PDF reader, Evince is already installed.
Applications -> Office -> Document Viewer

Programming:

There are a few tools for programmers already installed. If you want to quickly write a script or small program in python, this will probably help you.

Under Applications -> Programming, you can see the tools PyCrust, XRCED, GRC and the ArduinoIDE.

PyCrust is an interactive python shell, not an IDE. It is good for trying out python snippets, but if you want to program in python you should try PyAlaMode, which you can start from the command line or via [ALT]+[F2] by running pyalamode. If you want to create a GUI for your python program, you can use XRCed, which is a GUI editor for wxPython GUI design. XRCed uses XRC, an XML-based interface markup language used by wxWidgets.

The ArduinoIDE is the integrated development environment (IDE) for the Arduino hardware board.

GRC is the GNU Radio Companion, and a graphical user interface to develop GNU Radio applications. GNU Radio is a software library that you can use to develop complete applications for radio engineering and signal processing.

Next up

That ends our quick tour through the main menu and the standard tools you might use. Let’s get familiar with the command line, which in this case is the Bourne Again Shell (bash). Once you know your way around bash, we will get started on the different tools Kali has to offer.

But first, since you will be needing terminals a lot, it’s best to keep a shortcut to both the normal and the root terminal in the upper system bar. A shortcut to the default terminal should already be in the bar. To get the root terminal there as well, browse to Applications -> Accessories and drag/drop the entry “Root Terminal” with the red terminal icon to the bar.

To delete or edit a shortcut icon, you have to press [Super]+[ALT]+[RMB]. This brings up the context menu from which you can choose “edit” or “delete”. This combination also works on the top and bottom panels. (If you have problems, try [ALT]+[RMB] instead.)

To make things clear, in Linux the “Super” Key is the one with the Windows logo. And just in case you don’t know, RMB = Right Mouse Button.

Working with a terminal

There are many shells you can choose from and as for so many things in Linux, the choice is completely yours. The Bourne Again Shell, or bash for short is the default shell in Debian and Kali Linux. I won’t go into the history but will go directly into how to work with it. If you want to read up on it, take a look at the wikipedia article.

During the installation guide, we already used the terminal and thus bash. The bash binary is located at /bin/bash, which is a path in the filesystem (you can check this with the command which bash). If you come from Windows, some of this stuff may be new to you, so here’s a short introduction.

Filesystems work differently in Linux
Windows uses file paths like C:\Programs\Company\AwesomeTool\awesometool.exe, while Linux uses
/bin/bash.

In Windows, executable files are usually marked by the .exe extension. In Linux you can execute any file if it has the executable bit set, so you don’t necessarily need a file extension. You could rename the bash executable to bash.linux or even bash.windows and you would still be able to start it – though it would mess up your system, since scripts and login sessions expect to find bash under its usual name.

The biggest differences for newcomers are that Linux uses / instead of \ in file paths and that there are no drive letters like C:\ or D:\.
Drives are mounted to file paths, which means that you open drives just like you open any folder. The C:\ drive is roughly equal to /, which is also known as the root directory. The root directory is, as the name suggests, the root of all paths and the highest object in the file path hierarchy. Don’t get confused by /root/, which is the home folder for the user “root”.

The root user is the most powerful administrative user Linux has to offer, so executing commands as root should always go hand in hand with the “think before you fire” rule.

A nice example for this is the ever so famous rm -rf /* command, which deletes every file on your hard drive and leaves you with a system that defines the word “destroyed”.
rm, the remove command, is used to delete files; the -rf switches stand for recursive and force, which tell rm to delete folders together with everything inside them and not to ask questions. The last part, /*, is expanded by the shell to every (*) file and folder in the root directory. This is also why the safeguard in modern GNU rm doesn’t help here: rm -rf / is refused by default (--preserve-root), but with /* the shell hands rm /bin, /etc, /home and so on, never / itself. As you can see, a command run as root can be the last command you ever execute on this system. That is why you have to make sure you understand every command you enter (especially when it comes to copy/pasting commands someone posted on the web).

Removable drives and further partitions are usually mounted below the /media/ folder (or wherever /etc/fstab says). The drives themselves appear as /dev/sdXY, where /dev/ is the path containing all devices, sd stands for the SCSI disk driver (which also handles SATA and USB drives), X is the drive letter (a-z) and Y the partition number. So your system partition is usually /dev/sda1, sda being the disk and sda1 the first partition on it. These names are assigned in the order the kernel detects the disks, though, and can change between boots or when you plug in a USB drive. The stable identifier (if you ever have problems) is the filesystem UUID, which you can map to the current device name by entering the following command:
ls -lah /dev/disk/by-uuid/

This command lists (ls -lah) the symlinks from each filesystem UUID (Universally Unique Identifier) to its current /dev/sdXY device.
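As an added example (not part of the original page), here is a small bash script that does the by-uuid lookup programmatically: it takes the output of ls -l /dev/disk/by-uuid/ plus an /etc/fstab and prints which /dev/sdXY currently backs each mount point, which is handy when device names have shifted after plugging in a drive or booting from a different disk. Both inputs below are constructed samples that mimic the real formats; the UUIDs and device names are made up, and the functions fstab_devices and uuid_to_dev are mine, not Kali tools.

```bash
#!/bin/bash
# Constructed sample of `ls -l /dev/disk/by-uuid/` output (assumption: the real
# listing has the same "UUID -> ../../sdXY" symlink form). UUIDs are made up.
SAMPLE_BYUUID='total 0
lrwxrwxrwx 1 root root 10 Jan  1 12:00 3f1a2b4c-1111-2222-3333-444455556666 -> ../../sda1
lrwxrwxrwx 1 root root 10 Jan  1 12:00 9e8d7c6b-aaaa-bbbb-cccc-ddddeeeeffff -> ../../sda5
lrwxrwxrwx 1 root root 10 Jan  1 12:00 0A1B2C3D4E5F6071 -> ../../sdb1'

# Constructed sample /etc/fstab referencing the same UUIDs, plus one entry
# for a disk that is currently not attached.
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
UUID=3f1a2b4c-1111-2222-3333-444455556666 /           ext4    errors=remount-ro 0 1
UUID=9e8d7c6b-aaaa-bbbb-cccc-ddddeeeeffff none        swap    sw                0 0
UUID=0A1B2C3D4E5F6071                     /media/data ntfs-3g defaults          0 0
UUID=deadbeef-0000-0000-0000-000000000000 /mnt/old    ext3    noauto            0 0'

# uuid_to_dev UUID  (by-uuid listing on stdin)
# Prints the sdXY name the kernel currently gave the filesystem with that
# UUID, or nothing if no attached disk carries it. The UUID is the third
# field from the end ("UUID -> ../../sdXY"); the "total 0" line is skipped.
uuid_to_dev() {
    awk -v u="$1" 'NF >= 3 && $(NF-2) == u { sub("^.*/", "", $NF); print $NF; exit }'
}

# fstab_devices FSTAB_TEXT BYUUID_TEXT
# For every UUID= entry in the fstab text, print "mountpoint device", with
# "missing" for a UUID that is not present in the by-uuid listing.
fstab_devices() {
    local fstab=$1 byuuid=$2 fs mnt rest uuid dev
    printf '%s\n' "$fstab" | grep '^UUID=' | while read -r fs mnt rest; do
        uuid=${fs#UUID=}
        dev=$(printf '%s\n' "$byuuid" | uuid_to_dev "$uuid")
        printf '%s %s\n' "$mnt" "${dev:-missing}"
    done
}

# Demo on the constructed samples. On a real box you would run:
#   fstab_devices "$(cat /etc/fstab)" "$(ls -l /dev/disk/by-uuid/)"
fstab_devices "$SAMPLE_FSTAB" "$SAMPLE_BYUUID"
```

The same idea works for /dev/disk/by-label/ and by-id/, which hold the same kind of symlinks; only the lookup key changes.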

If you need more information about your harddrive, try
fdisk -l or fdisk -l /dev/sdX

This gives you more information about all drives or the specified one. -l stands for list, so you can’t break anything with this command (it still needs root though), but be careful with fdisk without -l: it is used to create and delete partitions (among other functions) and writes the new partition table as soon as you tell it to.

If you look at the output of fdisk -l, you might notice that your system partition is not NTFS but of type “Linux”, which will most likely be an ext filesystem (ext4 on current Debian-based installs, ext3 on older ones; df -T shows the exact type). Ext is a Linux filesystem (yes a, not the – there are many). Once again, you have the choice of which filesystem you want to use, but this is way out of the scope of this book. The only thing you need to know right now is that FAT16/FAT32 (used by USB thumb drives) and NTFS (used by Windows) are supported by Linux, but ext filesystems are not supported by Windows out of the box. So when using Linux you can move files between your Windows and Linux partitions, but not when you’re running Windows.

What is FHS and how does it help me?

Now that you know a bit more about the Linux filesystem and how drives are handled, there is one more thing you might want to know. Before Kali was released, the distribution was known under the name BackTrack. It included all the great tools hackers and security experts needed to do their thing, but there was the problem of keeping these tools sorted.
If a new tool was added, there was the question of which folder it should go in, and the different categories were located in the /pentest/ folder.

With Kali Linux, the guys at Offsec decided to switch to the FHS, the Filesystem Hierarchy Standard, which defines where programs, libraries and configuration files belong on a Linux system (executables in /usr/bin, for example). For people who were used to the /pentest/ folder this was a bit uncomfortable, since you can’t just browse through one folder anymore to find cool new tools.

The benefit of working with the FHS, however, is that the tools are installed in directories that are on your PATH, so you can call any tool from any location in the terminal. Before, you had to be in the folder of e.g. the web scanner Nikto to be able to start it. Now you can fire it up no matter where you currently are, and which nikto tells you where it actually lives.

If you need a way to browse through all the tools offered by Kali (the menu only shows a small percentage of the tools that are available), try this.

dpkg -l |grep -v "firmware\|ii  lib\|ii  gir1\|ii  gnome-\|ii  python\|ii  xserver-xorg-\|ii  x11\|ii  xserver\|ii  ruby"|grep "^ii"

Tweaking the bash with .bashrc
If you don’t want to type all that every time you need a list, either add > myprogramlist to the end to save the output in the file myprogramlist, or add the following line to the alias section of the file ~/.bashrc. (It’s one line!)

alias listapps='dpkg -l |grep -v "firmware\|ii  lib\|ii  gir1\|ii  gnome-\|ii  python\|ii  xserver-xorg-\|ii  x11\|ii  xserver\|ii  ruby"|grep "^ii"'

Speaking of ~/.bashrc, there are two things in this file path we haven’t discussed yet. The ~ stands for your home directory, so /home/hashtagsecurity/ in my case, or /root/ if you work as the root user (it’s best to edit both files, by the way), and the dot in front of .bashrc marks the file as hidden, so you won’t see it if you type ls (list) in your terminal. Fortunately ls has a few options, like
ls -1, which lists every item on a new line (good for scripts),

ls -lh, where the additional l gives you more information and the h makes sure the output is human readable (so file sizes in KB or MB instead of bytes), and of course (among many more)
ls -a, which shows you all files, hidden ones included, as long as you have sufficient permissions to see them. These options can be combined to your liking, for example

ls -lhatr gives you all files (a) with additional information (l) in a human readable form (h), sorted by timestamp (t) but reversed (r), so that the newest file is listed at the bottom.

As with the listapps alias, you can define your own aliases to make your life easier, e.g.
alias la='ls -lhatr'.
Then you only have to type la instead of ls -lhatr to get all of the above. There is always a shortcut in Linux.

To load changes made to ~/.bashrc either close and reopen your terminal, or simply enter source ~/.bashrc to reload it.
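The listapps pipeline from above, turned into a reusable function, as an added example that is not from the original page: it filters a dpkg -l listing (a constructed sample is embedded, so it runs without dpkg) down to installed packages that aren’t library, desktop or interpreter noise, and adds a helper that appends an alias line to a .bashrc-style file only if that alias isn’t defined there yet, so re-running it doesn’t pile up duplicates. The package names in the sample are made up for illustration, and listapps, listapps_names and add_bash_alias are my names, not Kali commands.

```bash
#!/bin/bash
# Constructed sample of `dpkg -l` output (assumption: same column layout as the
# real command: status, name, version, architecture, description).
SAMPLE_DPKG='Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name            Version      Architecture Description
+++-===============-============-============-==================================
ii  nikto           1:2.1.5-1    all          web server security scanner
ii  libc6:amd64     2.13-38      amd64        Embedded GNU C Library
ii  firmware-linux  0.36         all          Binary firmware for various drivers
rc  gnome-terminal  3.4.1.1-2    amd64        GNOME terminal emulator application
ii  python-scapy    2.2.0-1      all          Packet generator/sniffer
ii  nmap            6.40-1       amd64        The Network Mapper
ii  xserver-xorg    1:7.7+3      amd64        X.Org X server
ii  ruby1.9.1       1.9.3.194-8  amd64        Interpreter of object-oriented scripting language Ruby'

# listapps: reads dpkg -l output on stdin and keeps only fully installed
# packages (status "ii") whose names do not start with one of the noise
# prefixes; firmware packages are dropped wherever the word appears.
listapps() {
    grep '^ii' | grep -v -E '^ii  (lib|gir1|gnome-|python|xserver|x11|ruby)|firmware'
}

# listapps_names: same filter, but print just the package names (column 2).
listapps_names() {
    listapps | awk '{ print $2 }'
}

# add_bash_alias NAME COMMAND [RCFILE]
# Appends "alias NAME='COMMAND'" to RCFILE (default ~/.bashrc) unless an alias
# of that name is already defined there. COMMAND must not contain single
# quotes, because it is wrapped in them verbatim.
add_bash_alias() {
    local name=$1 cmd=$2 rc=${3:-"$HOME/.bashrc"}
    if grep -q "^alias ${name}=" "$rc" 2>/dev/null; then
        return 0
    fi
    printf "alias %s='%s'\n" "$name" "$cmd" >> "$rc"
}

# Demo on the constructed sample; on a real system pipe `dpkg -l` in instead:
#   dpkg -l | listapps_names
printf '%s\n' "$SAMPLE_DPKG" | listapps_names
```

After add_bash_alias has written to ~/.bashrc, the new alias is only available in shells started afterwards, or after source ~/.bashrc in the current one.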

Introducing: manpages and --help

Now that you have seen how commands work in general (command -switch), we should take a look at the help switch and manpages. The help switch is mostly --help, -h or sometimes -?. If that doesn’t work, try them without the dashes. It usually gives you a quick overview of what the program does and what its main switches are. If you need more information, you should use the man command, which stands for manual. A good example is the mount command.
Take a look at the different output between
mount -h
and man mount.
The latter opens the manual in a command-line text viewer. Normally it uses less, which you can try yourself by typing less followed by a text file of your choice.
To exit less or the manpages just enter q; to search in them enter /searchterm.

Using apt-get to manage software packages

Last but not least, we’ll quickly go over the package manager apt-get. There are two package manager front ends already on board (besides dpkg itself), one is apt-get and the other is aptitude. In this book we will use apt-get since it is the one used in most tutorials.
Linux doesn’t work with .exe files, since those are built for Windows. If you have a Linux binary you want to run, you have to make it executable first.

You can do this by adding the executable bit (as the file’s owner, or as root) with chmod +x file.bin
After that you can start it with ./file.bin. Note the . in front of the /, which stands for the folder you are currently in; the current directory is not on your PATH, so plain file.bin would not be found. Alternatively you could specify the whole path, e.g. /full/path/to/your/file.bin

This however only works if all the resources the binary depends on are either already installed or included in the file. If you want to install a new program, it’s always better to check the repositories first: packages from there are signed and verified by apt, a random binary from the web is not.

First, you have to refresh the package lists. This fetches the current information about all available packages from the repositories.
apt-get update

Then you can upgrade the whole system (all packages) with
apt-get upgrade

To upgrade (or install) a single program, use apt-get install programname – older versions of apt-get don’t accept package names after upgrade.

If you don’t know the exact name of the program’s package, you can search for it with
apt-cache search programname

or display information about a package, for example the VLC media player, with
apt-cache showpkg vlc

which prints its versions and dependencies; apt-cache show vlc gives you the package description instead.

This wraps up the introduction to Linux and Kali basics. In the next chapters, we will take a look at the tools Kali has to offer and their different features.

The following chapters are divided into the same categories as the tools in Kali’s menu. However, I will not use the same order as the menu does, nor will I go into detail on every single tool of the categories. I will try to explain tools along the flow of a possible workflow, meaning I won’t start with something like maintaining access, but rather information gathering and documentation. This way, readers without experience should be able to work through the book without having to jump between chapters.

Information Gathering

Before you can start attacking, you need to gather information, and before that you need a target. Your target can be a host, a website, a person or a company, and much more.

The most important thing is that you have written permission from the target’s owner. Never attack or scan a host, website or any other resource without permission to do so. If you do otherwise, you are breaking the law.

Also note that some countries have special rules about attacking and scanning hosts with or without permission; in some it’s even illegal to download or possess tools that are intended for these purposes (e.g. most of Kali’s tools). This book is no legal guide, so make sure to read up on the laws of your country or the country you are in when performing these actions.

You also need to make sure that you are allowed to scan or attack your own servers. Some hosting providers don’t allow scanning from, or of, servers in their network, and you may be violating your agreement.

Once you have your target, you can apply different techniques of information gathering. If it’s a person, you can try to find out the following information.

  • Email addresses – most people have more than one. Try private and business mails.
  • Profiles in social networks like Facebook, Google Plus, Xing, LinkedIn, MySpace, YouTube, Discussion boards, Q&A sites, etc.
  • Real Name, Job, Company, Aliases or Chatprofiles
  • Try to find out who their colleagues, friends, family members, etc. are. Maybe you can use them to your advantage.
  • Anything that might be interesting

If you found an email address, search for it. It’s not uncommon for people to mix their personas on the web. You might find some accounts mapped to that mail address and if you search for these accounts you might find new mail addresses.

To do all that, you don’t need Kali. You just need a browser and an internet connection. But Kali can still help you and make things easier.

To keep track of all that information, you can use Maltego. Maltego is a tool to create maps of related information. If you search for a person, you create an entry for that person and link every piece of information you find to it. This way you create a network map of all the information you find, which helps you keep track of your progress and find new connections.

Maltego

To start Maltego, hit [ALT]+[F2], type maltego and click on Run. This is the Maltego Community Edition, which is intended for non-commercial use only. Head over to [www.paterva.com](http://www.paterva.com) for a full license and a lot of documentation.

Once you have started Maltego you will be greeted by a wizard and a login page. There is a register link where you can set up an account. Just click through the wizard and select the example page when you come to the end. This gives you an example of what a map could look like and also a nice set of entities you can use to create your own map. Hit [CTRL]+[T], or click on the sign in the upper left corner and then on New, to create a blank page.

Start dragging entities into your map and open them with a double click to fill in the information you’ve gathered. You can select them with a single click and then drag them around, or, when deselected, you can create links between entities.

To be continued…

Creative Commons License

“Getting Started with Kali Linux” is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
