Kali Linux#
Kali is a Debian derivative for offensive security work. This page
catalogs the filesystem additions that distinguish a Kali install from
a base Debian install: the distribution-specific files (APT repo,
kali-* helpers, theming, kali user) and the data files shipped
by Kali’s bundled security tools (wordlists, nmap data, Metasploit,
Exploit-DB, password crackers, web / network / recon / forensics
toolchains).
Bundled security tools live at upstream conventional paths, the same locations they would occupy on any Debian system that has the package installed. The operationally interesting fact about Kali is that this data is pre-staged at first boot, so “go look it up” becomes “open the file.”
Authorization notice. Kali ships dual-use tooling. Use it only against systems you own, lab targets, CTF ranges, or scoped engagements with written authorization.
Kali Linux Files#
Kali Linux is a Debian-derived distribution. It inherits the FHS layout
above, then adds files that only ship with the Kali distribution
itself: the APT repo, the signing key, the kali user and skel,
the Kali theming, and the small set of kali-* helper binaries.
Bundled security tools live at conventional upstream paths (apt
also installs them on Debian) and are intentionally not listed here.
/etc/apt/sources.list.d/kali.list, Kali APT repository definition/etc/apt/trusted.gpg.d/kali-archive-keyring.gpg, Kali archive signing key/etc/sudoers.d/kali-grant-root, Passwordlesssudorule for thekaliuser/etc/skel/.zshrc, Default Kali Zsh init copied to new accounts/etc/skel/.bashrc, Kali-flavored Bash init for new accounts/etc/issue, Kali pre-login banner (shipped bykali-defaults)/etc/motd, Kali post-login message of the day/etc/os-release,ID=kaliandVERSION_CODENAME=kali-rolling/etc/debian_version,kali-rolling(vs. a numeric Debian release)/etc/calamares/, Kali graphical installer config/usr/bin/kali-tweaks, Kali post-install configuration TUI/usr/bin/kali-undercover, Toggle Windows-look “undercover” desktop theme/usr/bin/kali-grant-root, Grant the calling user passwordlesssudo/usr/bin/kali-finish-install, Post-image first-boot finalization/usr/share/kali-defaults/, Distribution defaults (banner, prompt, settings)/usr/share/kali-menu/, Categorized Kali application menu definitions/usr/share/kali-themes/, Kali GTK / Qt theme files/usr/share/kali-grub-themes/, Kali boot-loader theme assets/usr/share/kali-tools/, Kali tool metadata used by the menu/usr/share/kali-undercover/, Resources forkali-undercovermode/usr/share/desktop-base/kali-theme/, Desktop-base hooks for Kali branding/usr/share/wallpapers/kali/, Default Kali wallpaper set/usr/share/icons/Flat-Remix-Blue-Dark/, Default Kali icon theme/usr/share/backgrounds/kali/, Login / lock-screen backgrounds/usr/share/applications/kali-*.desktop,.desktopentries unique to the Kali menu/usr/share/doc/kali-*/, Kali-specific package documentation/var/lib/dpkg/info/kali-*.list, dpkg manifests forkali-*packages/home/kali/, Default unprivileged user on modern Kali images
Example:
$ grep '^ID' /etc/os-release
$ cat /etc/debian_version
$ ls /etc/apt/sources.list.d/
$ kali-tweaks
$ kali-undercover
References:
Operations, Ranger phases applied to red-team work
Authorization notice: Kali ships with dual-use tooling. Use it only against systems you own, lab targets, CTF ranges, or scoped engagements with written authorization.
Kali Linux Data Files#
The data shipped by Kali’s bundled security tools. The package paths
below are upstream conventions (you’d see the same locations on any
Debian system that has the tool installed), but on Kali the data is
pre-staged at first boot, which is the operationally interesting
fact: knowing where rockyou.txt lives, or what file backs
nmap’s port-to-service mapping, turns “go look it up” into “open
the file.”
Wordlists#
Pre-staged dictionaries for password attacks, content discovery, and
fuzzing. The wordlists package wires up symlinks under
/usr/share/wordlists/ pointing at the sources below.
/usr/share/wordlists/rockyou.txt.gz, Classic 14M-line breach corpus (gunzip -kbefore use)/usr/share/wordlists/fasttrack.txt, Symlink →/usr/share/set/src/fasttrack/wordlist.txt/usr/share/wordlists/nmap.lst, Symlink →/usr/share/nmap/nselib/data/passwords.lst/usr/share/wordlists/john.lst, Symlink →/usr/share/john/password.lst/usr/share/wordlists/sqlmap/, Symlink →/usr/share/sqlmap/data/txt/(dir of sqlmap data files)/usr/share/wordlists/dirb/, Symlink →/usr/share/dirb/wordlists//usr/share/wordlists/dirbuster/, Symlink →/usr/share/dirbuster/wordlists//usr/share/wordlists/dnsmap.txt, Symlink →/usr/share/dnsmap/wordlist_TLAs.txt/usr/share/wordlists/metasploit/, Symlink →/usr/share/metasploit-framework/data/wordlists//usr/share/wordlists/wfuzz/, Symlink →/usr/share/wfuzz/wordlist//usr/share/wordlists/legion/, Symlink →/usr/share/legion/wordlists//usr/share/wordlists/fern-wifi/, Symlink →/usr/share/fern-wifi-cracker/extras/wordlists//usr/share/seclists/, SecLists (when installed viaapt install seclists)/usr/share/seclists/Passwords/, Password-attack lists/usr/share/seclists/Discovery/Web-Content/, Directory and file fuzzing lists/usr/share/seclists/Usernames/, Username brute-force lists/usr/share/seclists/Fuzzing/, Generic fuzz corpora/usr/share/dirb/wordlists/common.txt, dirb’s default/usr/share/dirb/wordlists/big.txt, dirb’s larger list/usr/share/dirb/wordlists/vulns/, dirb vulnerability-focused lists/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt, Most-used DirBuster list/usr/share/wfuzz/wordlist/, wfuzz wordlists by category
Example:
$ sudo gunzip -k /usr/share/wordlists/rockyou.txt.gz
$ wc -l /usr/share/wordlists/rockyou.txt
$ ls -l /usr/share/wordlists/
References:
Nmap Data#
The data files that drive nmap’s port lookup, OS fingerprinting,
service detection, and NSE script library.
/usr/share/nmap/nmap-services, TCP/UDP port → service-name mapping (used for-sVordering)/usr/share/nmap/nmap-protocols, IP-protocol-number → name/usr/share/nmap/nmap-rpc, RPC service name → number/usr/share/nmap/nmap-os-db, OS fingerprint database (-O)/usr/share/nmap/nmap-mac-prefixes, MAC address OUI → vendor/usr/share/nmap/nmap-payloads, UDP payloads keyed by port/usr/share/nmap/nmap-service-probes, Service-version detection probes (-sV)/usr/share/nmap/scripts/, NSE scripts (--script=...)/usr/share/nmap/scripts/script.db, Index of installed NSE scripts/usr/share/nmap/nselib/, Lua libraries used by NSE scripts/usr/share/nmap/nselib/data/, Per-script data (passwords.lst,http-fingerprints.lua, …)/usr/share/nmap/nse_main.lua, NSE engine entry point
Example:
$ grep -E '^http\b' /usr/share/nmap/nmap-services | head
$ ls /usr/share/nmap/scripts | grep '^smb-'
$ nmap --script-help http-title
$ wc -l /usr/share/nmap/nmap-os-db
References:
Ports, common ports cross-reference
Exploit-DB / SearchSploit#
Local mirror of Exploit-DB; the
searchsploit CLI queries the CSV indexes and points at the source
files under this tree.
/usr/share/exploitdb/, Mirror root/usr/share/exploitdb/files_exploits.csv, Exploit metadata index/usr/share/exploitdb/files_shellcodes.csv, Shellcode metadata index/usr/share/exploitdb/exploits/, Exploits organized by platform / category/usr/share/exploitdb/exploits/linux/local/, Linux local-priv-esc exploits/usr/share/exploitdb/exploits/windows/remote/, Windows remote exploits/usr/share/exploitdb/exploits/multiple/webapps/, Web-app exploits/usr/share/exploitdb/shellcodes/, Shellcodes by architecture/usr/share/exploitdb/papers/, Published security papers
Example:
$ searchsploit apache 2.4.49
$ searchsploit -p 50406
$ sed -n '1,20p' /usr/share/exploitdb/exploits/linux/local/40847.cpp
References:
Metasploit Framework#
Module library, embedded data, and per-user state for the Metasploit Framework.
/usr/share/metasploit-framework/, MSF root/usr/share/metasploit-framework/modules/, All MSF modules/usr/share/metasploit-framework/modules/exploits/, Exploit modules by platform/usr/share/metasploit-framework/modules/auxiliary/, Scanners, fuzzers, DoS, gather/usr/share/metasploit-framework/modules/post/, Post-exploitation modules/usr/share/metasploit-framework/modules/payloads/, Payloads (singles, stagers, stages)/usr/share/metasploit-framework/modules/encoders/, Payload encoders/usr/share/metasploit-framework/modules/nops/, NOP-sled generators/usr/share/metasploit-framework/data/, Embedded data: wordlists, exploit binaries, templates/usr/share/metasploit-framework/data/wordlists/, MSF-shipped wordlists/usr/share/metasploit-framework/data/exploits/, Pre-built exploit payloads/usr/share/metasploit-framework/data/templates/, PE / ELF / Mach-O payload templates~/.msf4/, Per-user state: history, loot, local modules~/.msf4/loot/, Captured creds and files from sessions~/.msf4/logs/, MSF console logs~/.msf4/modules/, User-supplied custom modules/var/lib/postgresql/, DB used bymsfdbfor workspaces and hosts
Example:
$ sudo msfdb init
$ ls /usr/share/metasploit-framework/modules/exploits/linux | head
$ msfvenom -l payloads | wc -l
References:
Password Crackers (John, Hashcat)#
Rule sets, charsets, and reference wordlists used by the offline password-cracking tooling.
/usr/share/john/password.lst, John’s default wordlist/usr/share/john/john.conf, Default rules, mode definitions, formats/usr/share/john/dynamic.conf, Dynamic-format definitions/usr/share/john/regex_alphabets.conf, Mask-attack alphabets/usr/share/john/dumb16.conf, Markov mode parameters/usr/share/hashcat/rules/, Hashcat rule files (best64.rule,rockyou-30000.rule)/usr/share/hashcat/charsets/, Charset files for mask attacks (?d,?l, etc.)/usr/share/hashcat/masks/, Pre-built mask-attack files/usr/share/hashcat/OpenCL/, OpenCL kernel sources/usr/share/hashcat/hashcat.hctune, Per-device tuning database/usr/share/hashcat/hashcat.hcstat2, Markov stats used by-a 6
Example:
$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
$ hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt \
-r /usr/share/hashcat/rules/best64.rule
References:
Web Application Testing#
Data files for the bundled web-app testing tools (sqlmap, nikto, WPScan, gobuster, ffuf, wfuzz, dirb, dirbuster, ZAP, Burp).
/usr/share/sqlmap/, sqlmap installation root/usr/share/sqlmap/data/txt/wordlist.tx_, sqlmap default password / payload list/usr/share/sqlmap/data/xml/queries.xml, Per-DBMS injection payload definitions/usr/share/sqlmap/data/xml/payloads/, Boolean / time / error / union payloads/usr/share/nikto/databases/, CGI, server, and vulnerability databases/usr/share/nikto/plugins/, Nikto plugins/usr/share/nikto/nikto.conf, Nikto runtime config/usr/share/wpscan/, WPScan installation root/usr/share/dirb/wordlists/, dirb wordlists/usr/share/dirbuster/wordlists/, DirBuster wordlists/usr/share/wfuzz/wordlist/, wfuzz wordlists/usr/share/wfuzz/wordlist/Injections/, SQL/XSS/SSI injection payloads/usr/share/wfuzz/wordlist/general/, General-purpose fuzz corpora/usr/share/burpsuite/, Burp Suite Community installation/usr/share/zaproxy/, OWASP ZAP installation/usr/share/zaproxy/db/, ZAP session DB templates/usr/share/whatweb/plugins/, WhatWeb fingerprint plugins/usr/share/wapiti/, Wapiti modules and payloads
Example:
$ sqlmap --wizard
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt \
-u 'https://target/FUZZ'
$ nikto -h target -Plugins @@DEFAULT
$ wpscan --url https://target --wordlist /usr/share/wordlists/rockyou.txt
References:
Network and Auth Attacks#
Data backing the network-layer brute-forcers and MITM tooling
(hydra, ncrack, medusa, responder, aircrack-ng,
ettercap, mitmproxy).
/usr/share/hydra/, Hydra modules and protocol data/usr/share/ncrack/, Ncrack runtime data/usr/share/medusa/, Medusa data/usr/share/responder/, Responder defaults and certs/etc/responder/Responder.conf, Responder runtime config/usr/share/responder/certs/, SSL certs used by Responder’s rogue services/usr/share/responder/logs/, Per-run capture logs/usr/share/responder/tools/, Helper scripts (MultiRelay.py)/etc/aircrack-ng/airodump-ng-oui.txt, IEEE OUI database used byairodump-ng/etc/ettercap/etter.conf, Ettercap MITM framework config/etc/ettercap/etter.dns, Ettercap DNS-spoof zone file/etc/ettercap/etter.filter.kill, Sample Ettercap filter/usr/share/ettercap/, Ettercap plugin data/usr/share/wifite/, Wifite payloads and tools~/.mitmproxy/, mitmproxy CA cert and config
Example:
$ hydra -L /usr/share/wordlists/usernames.txt \
-P /usr/share/wordlists/rockyou.txt \
ssh://target
$ sudo responder -I eth0 -wv
$ sudo airodump-ng wlan0mon
References:
Recon and OSINT#
Data shipped by the reconnaissance and intelligence-gathering tools.
/usr/share/theharvester/, theHarvester sources and API config/usr/share/recon-ng/, Recon-ng modules and DB schema/usr/share/dnsenum/dns.txt, dnsenum’s subdomain brute list/usr/share/dnsrecon/, dnsrecon namelists/usr/share/dnsmap/, dnsmap subdomain wordlists/usr/share/spiderfoot/, SpiderFoot modules and DB/usr/share/maltego/, Maltego CE installation/usr/share/sublist3r/, Sublist3r data/usr/share/photon/, Photon recon tool data/usr/share/recon-ng/data/, Per-module data files
Example:
$ theHarvester -d example.com -b all
$ recon-ng -w workspace
$ dnsenum --enum -f /usr/share/dnsenum/dns.txt example.com
References:
Forensics and Reverse Engineering#
Data backing the forensics suite (volatility, binwalk,
foremost, yara, radare2, ghidra).
/usr/share/volatility3/, Volatility 3 plugins and symbol stubs/usr/share/binwalk/magic/, Magic-number signatures used bybinwalk/etc/foremost.conf, File-carving signatures used byforemost/usr/share/yara/, Bundled YARA rule sets (where present)/usr/share/radare2/, r2 magic, syscall tables, plugins/usr/share/ghidra/, Ghidra installation root (whenapt install ghidra)/usr/share/clamav/, ClamAV signature databases
Example:
$ binwalk -e firmware.bin
$ foremost -t all -i image.dd
$ yara -r /usr/share/yara/rules.yar suspect/
References: