Kali Linux#

Kali is a Debian derivative for offensive security work. This page catalogs the filesystem additions that distinguish a Kali install from a base Debian install: the distribution-specific files (APT repo, kali-* helpers, theming, kali user) and the data files shipped by Kali’s bundled security tools (wordlists, nmap data, Metasploit, Exploit-DB, password crackers, web / network / recon / forensics toolchains).

Bundled security tools live at upstream conventional paths, the same locations they would occupy on any Debian system that has the package installed. The operationally interesting fact about Kali is that this data is pre-staged at first boot, so “go look it up” becomes “open the file.”

Authorization notice. Kali ships dual-use tooling. Use it only against systems you own, lab targets, CTF ranges, or scoped engagements with written authorization.

Kali Linux Files#

Kali Linux is a Debian-derived distribution. It inherits the FHS layout above, then adds files that only ship with the Kali distribution itself: the APT repo, the signing key, the kali user and skel, the Kali theming, and the small set of kali-* helper binaries. Bundled security tools live at conventional upstream paths (apt also installs them on Debian) and are intentionally not listed here.

  • /etc/apt/sources.list.d/kali.list, Kali APT repository definition

  • /etc/apt/trusted.gpg.d/kali-archive-keyring.gpg, Kali archive signing key

  • /etc/sudoers.d/kali-grant-root, Passwordless sudo rule for the kali user

  • /etc/skel/.zshrc, Default Kali Zsh init copied to new accounts

  • /etc/skel/.bashrc, Kali-flavored Bash init for new accounts

  • /etc/issue, Kali pre-login banner (shipped by kali-defaults)

  • /etc/motd, Kali post-login message of the day

  • /etc/os-release, ID=kali and VERSION_CODENAME=kali-rolling

  • /etc/debian_version, kali-rolling (vs. a numeric Debian release)

  • /etc/calamares/, Kali graphical installer config

  • /usr/bin/kali-tweaks, Kali post-install configuration TUI

  • /usr/bin/kali-undercover, Toggle Windows-look “undercover” desktop theme

  • /usr/bin/kali-grant-root, Grant the calling user passwordless sudo

  • /usr/bin/kali-finish-install, Post-image first-boot finalization

  • /usr/share/kali-defaults/, Distribution defaults (banner, prompt, settings)

  • /usr/share/kali-menu/, Categorized Kali application menu definitions

  • /usr/share/kali-themes/, Kali GTK / Qt theme files

  • /usr/share/kali-grub-themes/, Kali boot-loader theme assets

  • /usr/share/kali-tools/, Kali tool metadata used by the menu

  • /usr/share/kali-undercover/, Resources for kali-undercover mode

  • /usr/share/desktop-base/kali-theme/, Desktop-base hooks for Kali branding

  • /usr/share/wallpapers/kali/, Default Kali wallpaper set

  • /usr/share/icons/Flat-Remix-Blue-Dark/, Default Kali icon theme

  • /usr/share/backgrounds/kali/, Login / lock-screen backgrounds

  • /usr/share/applications/kali-*.desktop, .desktop entries unique to the Kali menu

  • /usr/share/doc/kali-*/, Kali-specific package documentation

  • /var/lib/dpkg/info/kali-*.list, dpkg manifests for kali-* packages

  • /home/kali/, Default unprivileged user on modern Kali images

Example:

$ grep '^ID' /etc/os-release
$ cat /etc/debian_version
$ ls /etc/apt/sources.list.d/
$ kali-tweaks
$ kali-undercover

References:

Kali Linux Data Files#

The data shipped by Kali’s bundled security tools. The package paths below are upstream conventions (you’d see the same locations on any Debian system that has the tool installed), but on Kali the data is pre-staged at first boot, which is the operationally interesting fact: knowing where rockyou.txt lives, or what file backs nmap’s port-to-service mapping, turns “go look it up” into “open the file.”

Wordlists#

Pre-staged dictionaries for password attacks, content discovery, and fuzzing. The wordlists package wires up symlinks under /usr/share/wordlists/ pointing at the sources below.

  • /usr/share/wordlists/rockyou.txt.gz, Classic 14M-line breach corpus (gunzip -k before use)

  • /usr/share/wordlists/fasttrack.txt, Symlink → /usr/share/set/src/fasttrack/wordlist.txt

  • /usr/share/wordlists/nmap.lst, Symlink → /usr/share/nmap/nselib/data/passwords.lst

  • /usr/share/wordlists/john.lst, Symlink → /usr/share/john/password.lst

  • /usr/share/wordlists/sqlmap/, Symlink → /usr/share/sqlmap/data/txt/ (dir of sqlmap data files)

  • /usr/share/wordlists/dirb/, Symlink → /usr/share/dirb/wordlists/

  • /usr/share/wordlists/dirbuster/, Symlink → /usr/share/dirbuster/wordlists/

  • /usr/share/wordlists/dnsmap.txt, Symlink → /usr/share/dnsmap/wordlist_TLAs.txt

  • /usr/share/wordlists/metasploit/, Symlink → /usr/share/metasploit-framework/data/wordlists/

  • /usr/share/wordlists/wfuzz/, Symlink → /usr/share/wfuzz/wordlist/

  • /usr/share/wordlists/legion/, Symlink → /usr/share/legion/wordlists/

  • /usr/share/wordlists/fern-wifi/, Symlink → /usr/share/fern-wifi-cracker/extras/wordlists/

  • /usr/share/seclists/, SecLists (when installed via apt install seclists)

  • /usr/share/seclists/Passwords/, Password-attack lists

  • /usr/share/seclists/Discovery/Web-Content/, Directory and file fuzzing lists

  • /usr/share/seclists/Usernames/, Username brute-force lists

  • /usr/share/seclists/Fuzzing/, Generic fuzz corpora

  • /usr/share/dirb/wordlists/common.txt, dirb’s default

  • /usr/share/dirb/wordlists/big.txt, dirb’s larger list

  • /usr/share/dirb/wordlists/vulns/, dirb vulnerability-focused lists

  • /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt, Most-used DirBuster list

  • /usr/share/wfuzz/wordlist/, wfuzz wordlists by category

Example:

$ sudo gunzip -k /usr/share/wordlists/rockyou.txt.gz
$ wc -l /usr/share/wordlists/rockyou.txt
$ ls -l /usr/share/wordlists/

References:

Nmap Data#

The data files that drive nmap’s port lookup, OS fingerprinting, service detection, and NSE script library.

  • /usr/share/nmap/nmap-services, TCP/UDP port → service-name mapping (used for -sV ordering)

  • /usr/share/nmap/nmap-protocols, IP-protocol-number → name

  • /usr/share/nmap/nmap-rpc, RPC service name → number

  • /usr/share/nmap/nmap-os-db, OS fingerprint database (-O)

  • /usr/share/nmap/nmap-mac-prefixes, MAC address OUI → vendor

  • /usr/share/nmap/nmap-payloads, UDP payloads keyed by port

  • /usr/share/nmap/nmap-service-probes, Service-version detection probes (-sV)

  • /usr/share/nmap/scripts/, NSE scripts (--script=...)

  • /usr/share/nmap/scripts/script.db, Index of installed NSE scripts

  • /usr/share/nmap/nselib/, Lua libraries used by NSE scripts

  • /usr/share/nmap/nselib/data/, Per-script data (passwords.lst, http-fingerprints.lua, …)

  • /usr/share/nmap/nse_main.lua, NSE engine entry point

Example:

$ grep -E '^http\b' /usr/share/nmap/nmap-services | head
$ ls /usr/share/nmap/scripts | grep '^smb-'
$ nmap --script-help http-title
$ wc -l /usr/share/nmap/nmap-os-db

References:

Exploit-DB / SearchSploit#

Local mirror of Exploit-DB; the searchsploit CLI queries the CSV indexes and points at the source files under this tree.

  • /usr/share/exploitdb/, Mirror root

  • /usr/share/exploitdb/files_exploits.csv, Exploit metadata index

  • /usr/share/exploitdb/files_shellcodes.csv, Shellcode metadata index

  • /usr/share/exploitdb/exploits/, Exploits organized by platform / category

  • /usr/share/exploitdb/exploits/linux/local/, Linux local-priv-esc exploits

  • /usr/share/exploitdb/exploits/windows/remote/, Windows remote exploits

  • /usr/share/exploitdb/exploits/multiple/webapps/, Web-app exploits

  • /usr/share/exploitdb/shellcodes/, Shellcodes by architecture

  • /usr/share/exploitdb/papers/, Published security papers

Example:

$ searchsploit apache 2.4.49
$ searchsploit -p 50406
$ sed -n '1,20p' /usr/share/exploitdb/exploits/linux/local/40847.cpp

References:

Metasploit Framework#

Module library, embedded data, and per-user state for the Metasploit Framework.

  • /usr/share/metasploit-framework/, MSF root

  • /usr/share/metasploit-framework/modules/, All MSF modules

  • /usr/share/metasploit-framework/modules/exploits/, Exploit modules by platform

  • /usr/share/metasploit-framework/modules/auxiliary/, Scanners, fuzzers, DoS, gather

  • /usr/share/metasploit-framework/modules/post/, Post-exploitation modules

  • /usr/share/metasploit-framework/modules/payloads/, Payloads (singles, stagers, stages)

  • /usr/share/metasploit-framework/modules/encoders/, Payload encoders

  • /usr/share/metasploit-framework/modules/nops/, NOP-sled generators

  • /usr/share/metasploit-framework/data/, Embedded data: wordlists, exploit binaries, templates

  • /usr/share/metasploit-framework/data/wordlists/, MSF-shipped wordlists

  • /usr/share/metasploit-framework/data/exploits/, Pre-built exploit payloads

  • /usr/share/metasploit-framework/data/templates/, PE / ELF / Mach-O payload templates

  • ~/.msf4/, Per-user state: history, loot, local modules

  • ~/.msf4/loot/, Captured creds and files from sessions

  • ~/.msf4/logs/, MSF console logs

  • ~/.msf4/modules/, User-supplied custom modules

  • /var/lib/postgresql/, DB used by msfdb for workspaces and hosts

Example:

$ sudo msfdb init
$ ls /usr/share/metasploit-framework/modules/exploits/linux | head
$ msfvenom -l payloads | wc -l

References:

Password Crackers (John, Hashcat)#

Rule sets, charsets, and reference wordlists used by the offline password-cracking tooling.

  • /usr/share/john/password.lst, John’s default wordlist

  • /usr/share/john/john.conf, Default rules, mode definitions, formats

  • /usr/share/john/dynamic.conf, Dynamic-format definitions

  • /usr/share/john/regex_alphabets.conf, Mask-attack alphabets

  • /usr/share/john/dumb16.conf, Markov mode parameters

  • /usr/share/hashcat/rules/, Hashcat rule files (best64.rule, rockyou-30000.rule)

  • /usr/share/hashcat/charsets/, Charset files for mask attacks (?d, ?l, etc.)

  • /usr/share/hashcat/masks/, Pre-built mask-attack files

  • /usr/share/hashcat/OpenCL/, OpenCL kernel sources

  • /usr/share/hashcat/hashcat.hctune, Per-device tuning database

  • /usr/share/hashcat/hashcat.hcstat2, Markov stats used by -a 6

Example:

$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
$ hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt \
        -r /usr/share/hashcat/rules/best64.rule

References:

Web Application Testing#

Data files for the bundled web-app testing tools (sqlmap, nikto, WPScan, gobuster, ffuf, wfuzz, dirb, dirbuster, ZAP, Burp).

  • /usr/share/sqlmap/, sqlmap installation root

  • /usr/share/sqlmap/data/txt/wordlist.tx_, sqlmap default password / payload list

  • /usr/share/sqlmap/data/xml/queries.xml, Per-DBMS injection payload definitions

  • /usr/share/sqlmap/data/xml/payloads/, Boolean / time / error / union payloads

  • /usr/share/nikto/databases/, CGI, server, and vulnerability databases

  • /usr/share/nikto/plugins/, Nikto plugins

  • /usr/share/nikto/nikto.conf, Nikto runtime config

  • /usr/share/wpscan/, WPScan installation root

  • /usr/share/dirb/wordlists/, dirb wordlists

  • /usr/share/dirbuster/wordlists/, DirBuster wordlists

  • /usr/share/wfuzz/wordlist/, wfuzz wordlists

  • /usr/share/wfuzz/wordlist/Injections/, SQL/XSS/SSI injection payloads

  • /usr/share/wfuzz/wordlist/general/, General-purpose fuzz corpora

  • /usr/share/burpsuite/, Burp Suite Community installation

  • /usr/share/zaproxy/, OWASP ZAP installation

  • /usr/share/zaproxy/db/, ZAP session DB templates

  • /usr/share/whatweb/plugins/, WhatWeb fingerprint plugins

  • /usr/share/wapiti/, Wapiti modules and payloads

Example:

$ sqlmap --wizard
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt \
     -u 'https://target/FUZZ'
$ nikto -h target -Plugins @@DEFAULT
$ wpscan --url https://target --wordlist /usr/share/wordlists/rockyou.txt

References:

Network and Auth Attacks#

Data backing the network-layer brute-forcers and MITM tooling (hydra, ncrack, medusa, responder, aircrack-ng, ettercap, mitmproxy).

  • /usr/share/hydra/, Hydra modules and protocol data

  • /usr/share/ncrack/, Ncrack runtime data

  • /usr/share/medusa/, Medusa data

  • /usr/share/responder/, Responder defaults and certs

  • /etc/responder/Responder.conf, Responder runtime config

  • /usr/share/responder/certs/, SSL certs used by Responder’s rogue services

  • /usr/share/responder/logs/, Per-run capture logs

  • /usr/share/responder/tools/, Helper scripts (MultiRelay.py)

  • /etc/aircrack-ng/airodump-ng-oui.txt, IEEE OUI database used by airodump-ng

  • /etc/ettercap/etter.conf, Ettercap MITM framework config

  • /etc/ettercap/etter.dns, Ettercap DNS-spoof zone file

  • /etc/ettercap/etter.filter.kill, Sample Ettercap filter

  • /usr/share/ettercap/, Ettercap plugin data

  • /usr/share/wifite/, Wifite payloads and tools

  • ~/.mitmproxy/, mitmproxy CA cert and config

Example:

$ hydra -L /usr/share/wordlists/usernames.txt \
      -P /usr/share/wordlists/rockyou.txt \
      ssh://target
$ sudo responder -I eth0 -wv
$ sudo airodump-ng wlan0mon

References:

Recon and OSINT#

Data shipped by the reconnaissance and intelligence-gathering tools.

  • /usr/share/theharvester/, theHarvester sources and API config

  • /usr/share/recon-ng/, Recon-ng modules and DB schema

  • /usr/share/dnsenum/dns.txt, dnsenum’s subdomain brute list

  • /usr/share/dnsrecon/, dnsrecon namelists

  • /usr/share/dnsmap/, dnsmap subdomain wordlists

  • /usr/share/spiderfoot/, SpiderFoot modules and DB

  • /usr/share/maltego/, Maltego CE installation

  • /usr/share/sublist3r/, Sublist3r data

  • /usr/share/photon/, Photon recon tool data

  • /usr/share/recon-ng/data/, Per-module data files

Example:

$ theHarvester -d example.com -b all
$ recon-ng -w workspace
$ dnsenum --enum -f /usr/share/dnsenum/dns.txt example.com

References:

Forensics and Reverse Engineering#

Data backing the forensics suite (volatility, binwalk, foremost, yara, radare2, ghidra).

  • /usr/share/volatility3/, Volatility 3 plugins and symbol stubs

  • /usr/share/binwalk/magic/, Magic-number signatures used by binwalk

  • /etc/foremost.conf, File-carving signatures used by foremost

  • /usr/share/yara/, Bundled YARA rule sets (where present)

  • /usr/share/radare2/, r2 magic, syscall tables, plugins

  • /usr/share/ghidra/, Ghidra installation root (when apt install ghidra)

  • /usr/share/clamav/, ClamAV signature databases

Example:

$ binwalk -e firmware.bin
$ foremost -t all -i image.dd
$ yara -r /usr/share/yara/rules.yar suspect/

References: