When it comes to Kali I've always been using whatever it comes with, but I recently found Dewalt's amazing pimpmyi3 script and was blown away by how easy I can get i3 set up on Kali along with pimpmykali and lots of other bonus tools. It's all pretty awesome.

With a clean and fresh Kali vm ready to go you just need to cd into /opt and run the commands on the pimpmyi3 github Readme. I would either do sudo su - to become root during installation or use sudo for each command that needs it. When I run pimpmy-i3.sh I pick the first option for setting it up with the root account.

cd /opt
rm -rf pimpmyi3/
git clone https://github.com/Dewalt-arch/pimpmyi3
cd pimpmyi3
sudo ./pimpmy-i3.sh

It will take a little while to finish just like pimpmykali. When it's done you'll need to reboot. When I rebooted I noticed that i3 still wasn't installed but you can do that with apt.

When I set up a new Kali VM I'll create some lists of all the packages and tools that were installed on the previous VM just in case there is something I forgot about that I might want to use again or I want to know what version of a tool I was using because I may want to keep using the same version. It can be hard to remember how a tool was installed, like with dpkg, apt, pip3 or even pip so I'll create a list for each of them.

First I usually make a directory to hold the files.

mkdir installed_packages
cd installed_packages

dpkg piped into a couple other commands will give you a clean list.

dpkg --get-selections | grep -v deinstall | cut -f 1 > dpkg_installed.txt

apt list will give you the same list of packages as dpkg. This will also show all the versions.

Heading 1

# heading 1

Heading 2

## heading 2

Heading 3

### heading 3

Heading 4

#### heading 4

Line Break - like the one you see above.

---

Sometimes you want to get a more recent version of BloodhoundAD than what apt gives you.

Navigate to opt:

~$ cd /opt

Remove older version if it exists:

/opt$ rm -rf Bloodhound

Clone Bloodhound with git:

/opt$ git clone https://github.com/BloodHoundAD/BloodHound.git
/opt$ cd Bloodhound

I wanted to find a way to save the winPeas output to a text file with all the colors intact so I could view the file offline with cat in Kali and see the same colored output. I looked at tmux first since that is what I use. I found a way to do this with the Advanced-Use piping-pane-changes in tmux. With pipe-pane you can pipe the output to a command. The command that I'm doing this with is one that can read and write output. It's called is tee. The option I'm using is -a.

$ tee --help
Usage: tee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

  -a, --append              append to the given FILEs, do not overwrite

There are some vulnerabilities in Juiceshop that won't work if you use install it with docker and some other methods. XXE Data Access is one that doesn't work with the docker installation. I install Juiceshop form sources with nodejs so every vulnerability is supported. I also use fish shell and there is a little extra setup for fish.

Instead of installing nodejs with apt, it's better to use nvm. With nvm you can install multiple versions of node and switch back and forth between versions.
github.com/nvm-sh/nvm

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.2/install.sh | bash

After it's installed you need to make sure it adds these lines to .zshrc or .bashrc, whichever one you are using.

"Running either of the above commands downloads a script and runs it. The script clones the nvm repository to ~/.nvm, and attempts to add the source lines from the snippet below to the correct profile file (~/.bash_profile, ~/.zshrc, ~/.profile, or ~/.bashrc)."

export NVM_DIR="$([ -z "${XDG_CONFIG_HOME-}" ] && printf %s "${HOME}/.nvm" || printf %s "${XDG_CONFIG_HOME}/nvm")"
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" # This loads nvm

If you are using fish (github.com/fish-shell/fish-shell), you'll need to install a few more things and create a config file.

Here is how I setup tmux in Kali. This is the file I start with or just use as it is: tmux.conf

Put the .tmux.conf file in the home directory, wherever your home may be: /home/USERNAME/.tmux.conf or /root/.tmux.conf

I usually use Kali as root. The easiest way to get started with root in Kali is with with the incredibly handy pimpmykali.

Create a tmux plugins directory inside the home directory:

cd /root/
mkdir /root/.tmux/plugins

Use git to clone tpm:

...

Run nmap to see what's open. The name of the machine should make what we're looking for obvious.

$ nmap -vvv -sC -sV -oA nmap/active.nmap 10.10.10.100 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-07 20:16 EDT
...
Discovered open port 53/tcp on 10.10.10.100
Discovered open port 445/tcp on 10.10.10.100
Discovered open port 139/tcp on 10.10.10.100
Discovered open port 135/tcp on 10.10.10.100
Discovered open port 49158/tcp on 10.10.10.100
Discovered open port 49155/tcp on 10.10.10.100
Discovered open port 3269/tcp on 10.10.10.100
Discovered open port 49157/tcp on 10.10.10.100
Discovered open port 49165/tcp on 10.10.10.100
Discovered open port 3268/tcp on 10.10.10.100
Discovered open port 49154/tcp on 10.10.10.100
Discovered open port 464/tcp on 10.10.10.100
Discovered open port 593/tcp on 10.10.10.100
Discovered open port 389/tcp on 10.10.10.100
Discovered open port 49153/tcp on 10.10.10.100
Discovered open port 88/tcp on 10.10.10.100
Discovered open port 636/tcp on 10.10.10.100
Discovered open port 49152/tcp on 10.10.10.100
...

TEXT

Run nmap:

$ nmap -vvv -Pn -sCV -p0-65535 --reason -oN kenobi.nmap 10.10.119.248
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-12 17:32 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:32
Completed NSE at 17:32, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:32
Completed NSE at 17:32, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:32
Completed NSE at 17:32, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 17:32
Completed Parallel DNS resolution of 1 host. at 17:32, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:32
Scanning 10.10.119.248 [65536 ports]
Discovered open port 445/tcp on 10.10.119.248
Discovered open port 111/tcp on 10.10.119.248
Discovered open port 139/tcp on 10.10.119.248
Discovered open port 80/tcp on 10.10.119.248
Discovered open port 22/tcp on 10.10.119.248
Discovered open port 21/tcp on 10.10.119.248
Discovered open port 35627/tcp on 10.10.119.248
Discovered open port 39223/tcp on 10.10.119.248

...

TEXT

Kioptrix Level 2 is a little more complicated than Level 1, as you might have guessed.

$ netdiscover -i eth1
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.0.2.1        0a:00:27:00:00:00      1     60  Unknown vendor        
 10.0.2.2        08:00:27:35:b3:5d      1     60  PCS Systemtechnik GmbH   
 10.0.2.3        0a:00:27:00:00:00      1     60  Unknown vendor           
 10.0.2.7        08:00:27:54:d2:b2      1     60  PCS Systemtechnik GmbH

Run nmap as usual, but on port 80 there is a login form that loaded into Firefox so it might be worth it to check on that first. Use Burpsuite and Firefox with the Foxyproxy extension set up for Burp.

With Foxyproxy ready and Intercept on in Burp, go to Firefox, type something like “admin” for the username and “test” for the password, hit Enter. In Burp we will see this:

...