Kali Intelligence Suite (KIS) is an intelligence gathering and data mining tool for penetration testers. It shall aid in the fast, autonomous, central, and comprehensive collection of intelligence by automatically:
After the execution of each Kali Linux tool or querying APIs, KIS analyses the collected information and extracts as well as reports interesting information like newly identified user credentials, hosts/domains, TCP/UDP services, HTTP directories, etc. The extracted information is then internally stored in different PostgreSql database tables, which enables the continuous, structured enhancement and re-use of the collected intelligence by subsequently executed Kali Linux tools.
Additional features are:
The latest version of KIS is available at Docker.com. Follow the installation instructions there.
Information about manual installations can be obtained at INSTALL.
KIS’ Data and Collection Model
The following figure illustrates KIS’ data and collection model. Thereby, each node represents a table in the rational database and each solid line between the nodes documents the corresponding relationship. The dashed directed graphs document based on which already collected intelligence (source node) KIS is able to collect further information (destination node). The labels of the directed graphs document the techniques used by KIS to perform the collection.
Scoping the Engagement
Scoping is an essential feature of KIS, which specifies on which IP networks, IP addresses, host names, etc.,
KIS is allowed to collect data (e.g., via OSINT or active scans) from. Before diving into scoping, it is important to understand the following collection types, which are supported by KIS:
Scopes can be set on the following items by using the script kismanage
:
all
: Sets the given IP network (e.g., 192.168.1.0/24) together with all IP addresses (e.g., 192.168.1.1) that are within this network range in scope. As a result, KIS automatically executes any active and active* collectors on such IP networks and IP address. This scope type is useful during penetration tests where the scope is limited to certain IP networks and all their IP address. The following listing provides an example on how this scope type is set during the initial intel collection setup:#create a new workspace example
docker exec -it kaliintelsuite kismanage workspace -a example
#add the network 192.168.1.0/24 to workspace example and set the scope to all (default)
docker exec -it kaliintelsuite kismanage network -w example -a 192.168.1.0/24
#add new IP address 192.168.1.1 to workspace example. IP address is automatically in scope due to the network’s scope all
docker exec -it kaliintelsuite kismanage host -w example -a 192.168.1.1
#verify the initial setup
docker exec -it kaliintelsuite bash
kis_shell> kisreport host -w example –csv | csvcut -c “Network (NW)”,”Scope (NW)”,”IP Address (IP)”,”In Scope (IP)” | csvlook
Network (NW) Scope (NW) IP Address (IP) “In Scope (IP)”
192.168.1.0/24 all 192.168.1.1 True
kis_shell> exit
exclude
: Sets the given IP network (e.g., 192.168.1.0/24) together with all IP addresses (e.g., 192.168.1.1) that are within this network range out of scope. As a result, KIS does not execute any active and active* collectors on this IP network and its IP address.This scope type is the default type for all IP networks and IP addresses that are automatically identified by KIS (e.g., via whois, DNS resolution, etc.). Nevertheless, this scope type can be used to manually exclude networks from scope at a later time.create a new workspace example
docker exec -it kaliintelsuite kismanage workspace -a example
add the second-level domain megacorpone.com to workspace example and set the scope to all (default)
docker exec -it kaliintelsuite kismanage domain -w example -a megacorpone.com
add new host names to workspace example. The host names are automatically in scope due to the second-level
domain’s scope all
docker exec -it kaliintelsuite kismanage hostname -w example -a www.megacorpone.com ftp.megacorpone.com
verify the initial setup
docker exec -it kaliintelsuite bash
kis_shell> kisreport domain -w example –csv | csvcut -c “Second-Level Domain (SLD)”,”Scope (SLD)”,”Host Name (HN)”,”In Scope (HN)” | csvlook
Second-Level Domain (SLD) | Scope (SLD) | Host Name (HN) | In Scope (HN) |
| megacorpone.com | all | megacorpone.com | True |
| megacorpone.com | all | www.megacorpone.com | True |
| megacorpone.com | all | ftp.megacorpone.com | True |
kis_shell> exit
strict
: Sets the given second-level domains (e.g., megacorpone.com) in scope. In contrast to type all
, any sub-level domains (e.g., www.megacorpone.com) are not automatically in scope, unless they are explicitly added. As a result, KIS automatically executes any active or active* collectors on such in-scope second-level domains and additionally on those sub-level domains that are explicitly added to the scope.
This type is useful during penetration tests where the scope is limited to certain sub-level domains.
The following listing provides an example on how this scope type is set during the initial intel collection setup:
create a new workspace example
docker exec -it kaliintelsuite kismanage workspace -a example
add the second-level domain megacorpone.com to workspace example and set the scope to strict
docker exec -it kaliintelsuite kismanage domain -w example -a megacorpone.com -s strict
add new host names to workspace example. They are automatically in scope due to kismanage’s default value.
docker exec -it kaliintelsuite kismanage hostname -w example -a www.megacorpone.com ftp.megacorpone.com
verify the initial setup
docker exec -it kaliintelsuite bash
kis_shell> kisreport domain -w example –csv | csvcut -c “Second-Level Domain (SLD)”,”Scope (SLD)”,”Host Name (HN)”,”In Scope (HN)” | csvlook
Second-Level Domain (SLD) | Scope (SLD) | Host Name (HN) | In Scope (HN) |
| megacorpone.com | strict | megacorpone.com | False |
| megacorpone.com | strict | www.megacorpone.com | True |
| megacorpone.com | strict | ftp.megacorpone.com | True |
kis_shell> exit
Note that KIS treats the second-level domain also as a host name. As it has not been explicitly put in scope, it
is still out of scope.
exclude
: Sets the given second-level domains (e.g., megacorpone.com) together with all sub-level domains out of scope. As a result, KIS does not execute any active and active* collectors on these second-level domains. This scope type is the default type for all second-level domains and their sub-level domains that are automatically identified by KIS (e.g., via extraction from certificates, etc.). Thus, it is not necessary to explicitly set this scope type. Nevertheless, this scope type can be used to manually exclude second-level domains at a later time.create a new workspace example
docker exec -it kaliintelsuite kismanage workspace -a example
add the second-level domain google.com to workspace example and set the scope to all (default)
docker exec -it kaliintelsuite kismanage domain -w example -a google.com
In this case, KIS is able to, among other things, enumerate any sub-level domains as well as resolve their corresponding IP addresses. In addition, to ensure that KIS scans any host with an IP address within the IP network range 172.217.0.0/16, this network range must be added to KIS with scope type all
as well:
add the network 172.217.0.0/16 to workspace example and set the scope to all (default)
docker exec -it kaliintelsuite kismanage network -w example -a 172.217.0.0/16
Example 2: Let’s assume the second-level domain google.com together with all sub-level domains that resolve to any network range are in scope. In this case, the top-level domain google.com is added to the KIS database with scope type all
as documented below:
create a new workspace example
docker exec -it kaliintelsuite kismanage workspace -a example
add the second-level domain google.com to workspace example and set the scope to all (default)
docker exec -it kaliintelsuite kismanage domain -w example -a google.com
In this case, KIS is able to, among other things, enumerate any sub-level domains as well as resolve their corresponding IP addresses. In addition, to ensure that KIS scans any host, the network range 0.0.0.0/0 must be added to KIS with scope type all
as well:
add network 0.0.0.0/0 to workspace example and set the scope to all (default)
docker exec -it kaliintelsuite kismanage network -w example -a 0.0.0.0/0
List of KIS Collectors
The following table shows the list of existing collectors that are supported by KIS. These collectors are executed by the script kiscollect
to create and execute actual OS commands.
The Priority column provides information about the order of execution; the lower the number, the earlier the respective OS commands are created and executed and subsequent collectors can profit from the already collected information. Collectors with a priority of -
are not automatically executed as they either require user interaction or additional information (e.g., domain credentials) for execution.
The Name column contains the name of the collector. These names can be added as command line arguments to kiscollect
(e.g. --httpnikto
). The name also indicates, which underlying OS command is executed.
Column Level specifies whether the collector is operating on:
Column Type specifies whether the collector actively approaches the target (active
) or obtains the information from third-party sources (passive
and active*
).
The IP Support column specifies the IP versions, which are supported by the underlying Kali tool (e.g., gobuster). Kali uses this information to decide which operating systems commands can be created and successfully executed. This column is only relevant for host, network, service, and vhost collectors (see column Level).
Column Timeout specifies the number of seconds after which the collector is automatically terminated.
The column User specifies the user with which the respective operating system commands are executed.
Priority | Name | Level | Type | IP Support | Timeout | User |
---|---|---|---|---|---|---|
– | ftpdotdotpwn | service | Active | IPv4, IPv6 | – | nobody |
– | httpdotdotpwn | service | Active | IPv4, IPv6 | – | nobody |
– | tftpdotdotpwn | service | Active | IPv4, IPv6 | – | nobody |
– | httphydra | service | Active | IPv4, IPv6 | – | nobody |
– | rdphydra | service | Active | IPv4, IPv6 | – | nobody |
– | smbhydra | service | Active | IPv4, IPv6 | – | nobody |
– | smbmedusa | service | Active | IPv4 | – | nobody |
– | smbmsflogin | service | Active | IPv4, IPv6 | – | root |
– | sshhydra | service | Active | IPv4, IPv6 | – | nobody |
125 | builtwith | domain | Active* | – | – | nobody |
127 | hostio | domain | Active* | – | – | nobody |
130 | censysdomain | domain | Active* | – | – | kali |
131 | securitytrails | domain | Active* | – | – | nobody |
132 | dnsdumpster | domain | Active* | – | – | nobody |
133 | certspotter | domain | Active* | – | – | nobody |
134 | crtshdomain | domain | Active* | – | – | nobody |
135 | virustotal | domain | Active* | – | – | nobody |
140 | dnssublist3r | domain | Active | – | – | nobody |
141 | dnsamasspassive | domain | Active* | – | – | nobody |
142 | dnsamassactive | domain | Active | – | – | nobody |
143 | dnscrobatdomain | domain | Active* | – | – | nobody |
144 | dnscrobattld | domain | Active* | – | – | nobody |
150 | theharvester | domain | Passive | – | – | kali |
155 | awsslurp | domain | Active | – | – | nobody |
160 | dnsenum | domain | Active | – | – | nobody |
170 | dnsgobuster | domain | Active | – | – | nobody |
180 | dnsrecon | domain | Active | – | – | nobody |
210 | whoisdomain | domain | Active | – | 30 | nobody |
215 | dnsspf | domain | Active | – | – | nobody |
220 | dnsdmarc | domain | Active | – | – | nobody |
235 | dnsdkim | domain | Active | – | – | nobody |
240 | dnstakeover | domain | Active | – | – | nobody |
310 | dnshost | domain | Active | – | – | nobody |
312 | dnshostpublic | domain | Passive | – | – | nobody |
320 | dnsreverselookup | host | Active | IPv4, IPv6 | – | nobody |
360 | dnscrobatreversehost | host | Active* | IPv4, IPv6 | – | nobody |
410 | hunter | domain | Active* | – | – | nobody |
420 | haveibeenbreach | Active* | – | – | nobody | |
430 | haveibeenpaste | Active* | – | – | nobody | |
510 | whoishost | host | Passive | IPv4, IPv6 | 30 | nobody |
512 | whoisnetwork | network | Passive | IPv4, IPv6 | 30 | nobody |
515 | reversewhois | company | Active* | – | – | nobody |
520 | shodanhost | host | Active* | IPv4, IPv6 | – | nobody |
521 | shodannetwork | network | Active* | IPv4, IPv6 | – | nobody |
530 | censyshost | host | Active* | IPv4 | – | kali |
540 | crtshcompany | company | Active* | – | – | nobody |
550 | dnscrobatreversenetwork | network | Active* | IPv4, IPv6 | – | nobody |
1100 | tcpnmapnetwork | network | Active | IPv4, IPv6 | – | root |
1150 | tcpnmapdomain | domain | Active | IPv4, IPv6 | – | root |
1200 | udpnmapnetwork | network | Active | IPv4, IPv6 | – | root |
1250 | udpnmapdomain | domain | Active | IPv4, IPv6 | – | root |
1270 | icmpnmapnetwork | network | Active | IPv4, IPv6 | – | root |
1300 | tcpmasscannetwork | network | Active | IPv4 | – | root |
1305 | dnsaxfrdomain | domain | Active | – | – | nobody |
1306 | dnsaxfrservice | service | Active* | Ipv4, Ipv6 | – | nobody |
1320 | vhostgobuster | service | Active | IPv4, IPv6 | – | nobody |
1350 | anyservicenmap | service | Active | IPv4, IPv6 | – | root |
1820 | tcptraceroute | host | Active | IPv4, IPv6 | – | nobody |
1900 | httpmsfrobotstxt | service, vhost | Active | IPv4, IPv6 | – | root |
2000 | dnsnmap | service | Active | IPv4, IPv6 | – | root |
2020 | telnetnmap | service | Active | IPv4, IPv6 | – | root |
2040 | vncnmap | service | Active | IPv4, IPv6 | – | root |
2100 | mssqlnmap | service | Active | IPv4, IPv6 | – | root |
2150 | mysqlnmap | service | Active | IPv4, IPv6 | – | root |
2200 | smbnmap | service | Active | IPv4, IPv6 | – | root |
2250 | ftpnmap | service | Active | IPv4, IPv6 | – | root |
2300 | smtpnmap | service | Active | IPv4, IPv6 | – | root |
2400 | rpcnmap | service | Active | IPv4, IPv6 | – | root |
2500 | rdpnmap | service | Active | IPv4, IPv6 | – | root |
2700 | pop3nmap | service | Active | IPv4, IPv6 | – | root |
2750 | msrpcenum | service | Active | IPv4, IPv6 | – | root |
2800 | imapnmap | service | Active | IPv4, IPv6 | – | root |
2850 | x11nmap | service | Active | IPv4, IPv6 | – | root |
2900 | tftpnmap | service | Active | IPv4, IPv6 | – | root |
2950 | nfsnmap | service | Active | IPv4, IPv6 | – | root |
3100 | finger | service | Active | IPv4 | – | nobody |
3200 | ntpdate | service | Active | IPv4, IPv6 | – | nobody |
3300 | ntpq | service | Active | IPv4, IPv6 | – | nobody |
4000 | h323version | service | Active | IPv4, IPv6 | – | root |
4100 | sipnmap | service | Active | IPv4, IPv6 | – | root |
4120 | sipmsf | service | Active | IPv4, IPv6 | – | root |
4200 | stunnmap | service | Active | IPv4, IPv6 | – | root |
11000 | vncmsfnoneauth | service | Active | IPv4, IPv6 | – | root |
11010 | vncmsflogin | service | Active | IPv4, IPv6 | – | root |
11100 | ftphydra | service | Active | IPv4, IPv6 | – | nobody |
11200 | mssqlhydra | service | Active | IPv4, IPv6 | – | nobody |
11400 | pgsqlhydra | service | Active | IPv4, IPv6 | – | nobody |
11500 | snmphydra | service | Active | IPv4, IPv6 | – | nobody |
11600 | sshchangeme | service | Active | IPv4, IPv6 | – | kali |
11610 | httpchangeme | service, vhost | Active | IPv4, IPv6 | – | kali |
11700 | ipmi | service | Active | IPv4, IPv6 | – | root |
11750 | rmiregistrymsfgather | service | Active | IPv4, IPv6 | – | root |
11760 | rmiregistrynmap | service | Active | IPv4, IPv6 | – | root |
12100 | ftpfilelist | service | Active | IPv4, IPv6 | – | nobody |
13000 | showmount | service | Active | IPv4, IPv6 | 300 | nobody |
13090 | smbcme | service | Active | Ipv4, Ipv6 | – | kali |
13100 | smbclient | service | Active | IPv4, IPv6 | – | nobody |
13200 | smbfilelist | service | Active | IPv4, IPv6 | – | nobody |
13210 | smbmap | service | Active | IPv4 | – | nobody |
21500 | nbtscan | service | Active | IPv4 | – | nobody |
21600 | ldapsearch | service | Active | IPv4, IPv6 | – | nobody |
21610 | ldapnmap | service | Active | IPv4, IPv6 | – | root |
31100 | snmpcheck | service | Active | IPv4 | 300 | nobody |
31110 | snmpnmap | service | Active | IPv4, IPv6 | – | root |
31200 | onesixtyone | service | Active | IPv4 | 60 | nobody |
31300 | snmpwalk | service | Active | IPv4 | – | nobody |
31400 | oraclesidguess | service | Active | IPv4 | – | nobody |
41200 | sshnmap | service | Active | IPv4, IPv6 | – | root |
41300 | certnmap | service, vhost | Active | IPv4, IPv6 | – | root |
41310 | tlsnmap | service, vhost | Active | IPv4, IPv6 | – | root |
41315 | sslyze | service, vhost | Active | IPv4 | – | nobody |
41320 | sslscan | service, vhost | Active | IPv4, IPv6 | – | nobody |
41330 | certopenssl | service, vhost | Active | IPv4, IPv6 | 120 | nobody |
51100 | httpgobuster | service, vhost | Active | IPv4, IPv6 | – | nobody |
51110 | httpgobustersmart | service, vhost | Active | IPv4, IPv6 | – | nobody |
51150 | httpkiterunner | service, vhost | Active | Ipv4 | – | kali |
51200 | httpnmap | service, vhost | Active | IPv4, IPv6 | – | root |
51205 | httpntlmnmap | service, vhost | Active | IPv4, IPv6 | – | root |
61400 | rpcclient | service | Active | IPv4, IPv6 | – | nobody |
61500 | rpcinfo | service | Active | IPv4, IPv6 | – | nobody |
71100 | ikescan | service | Active | IPv4 | – | root |
91050 | httpwpscan | service | Active | IPv4, IPv6 | – | kali |
91100 | enum4linux | service | Active | IPv4 | – | nobody |
91200 | httpnikto | service, vhost | Active | IPv4 | – | nobody |
91225 | httpburpsuitepro | domain, host | Active | IPv4, IPv6 | – | nobody |
91250 | httpdavtest | service, vhost | Active | IPv4, IPv6 | – | nobody |
91260 | httpwhatweb | service | Active | IPv4, IPv6 | – | nobody |
91300 | httpsqlmap | service, vhost | Active | IPv4, IPv6 | – | nobody |
91400 | smtpuserenum | service | Active | IPv4 | – | nobody |
91600 | mysqlhydra | service | Active | IPv4, IPv6 | – | nobody |
92200 | httpwapiti | service, vhost | Active | IPv4, IPv6 | – | nobody |
100000 | vncviewer | service | Active | IPv4 | – | nobody |
100100 | httpeyewitness | service, vhost | Active | IPv4, IPv6 | 3600 | kali |
After the setup, the following KIS commands are available.
This script allows:
Run the following command to obtain more information and examples:
docker exec -it kaliintelsuite kismanage -h
kiscollect
This script implements a commandline interface to collect the intelligence.
Run the following command to obtain more information and examples:
docker exec -it kaliintelsuite kiscollect -h
kisreport
This script allows the analysis of the collected data via various filtering options. Supported report formats are:
Run the following command to obtain more information and examples:
docker exec -it kaliintelsuite kisreport -h
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…