Kali Linux may be the No. 1 Linux distribution for penetration testing, but running Kali isn’t enough to make you an expert pen tester.
It takes effort and commitment to learn to use Kali Linux pen testing tools for actual pen testing engagements, according to Kali Linux project lead Jim O’Gorman.
O’Gorman, who is also lead trainer for pen testing with Kali Linux and chief content and strategy officer at Offensive Security, a New York-based pen testing training and certification company, discussed how ethical hackers can use Kali Linux pen testing tools for a wide variety of cybersecurity assessments and how Kali can be customized for almost any kind of digital forensics.
Editor’s note: This interview was edited for clarity and length.
Why should Kali Linux be in every pen tester’s toolkit?
Jim O’Gorman: Number one, regardless of what you’re doing, you’re going to want to have access to Unix and Linux-based tools. Otherwise, it’s like trying to do an assessment with one arm tied behind your back and your eyes closed — it’s going to be extremely difficult.
If you take it as a given that you need access to these Unix, open source-based tools as part of your assessment, then the question is: What platform are you going to use? Kali is the de facto standard platform for assessment services, especially when you’re running Linux.
With the heritage that we have, there’s been kind of an evolution of what was originally in a lot of these pen testing platforms, when we were focused on just a collection of tools. That was the whole point: Here, you have your tools and away you go. We’ve evolved long past that now. That’s a given: The tools are there, they’re updated and they’re there. That’s kind of like the price of entry.
Now, a lot of what we’re focused on and a lot of the real strong advantages of Kali come down to customization. Organizations don’t have to use stock Kali. We make it very easy to roll your own version, make modifications, change what tools are on there, change the default settings.
If you were doing an assessment and you have to work through a proxy server, you can build that into the operating system and then roll that out to the rest of your team — very easy. The tool set to do that is all part of Kali; it’s all documented, and a lot of organizations will do it.
We have many organizations that will take the tool, and they’ll have some private tools they’ll put in there that they want to make sure that all of their team has access to.
Jim O’GormanKali Linux
That sort of modification and customization is a core aspect of using Kali — not just as a hobbyist, not just as a single, stand-alone professional out there in the space, but from an enterprise standpoint, from a professional organizational standpoint, to see the tool set that we provide in order to leverage this open source platform in this way.
A key part of Kali — and one of my pet aspects of the project — is that we treat ARM as a first-class citizen. That means Kali doesn’t just scale up on 64-bit x86, but scales down to small devices, like the Raspberry Pi, a very popular platform that people leverage Kali on. If you go into an organization and you want to hide a piece of hardware somewhere with a nice strong tool set, there you go. Since Kali has ARM support, you can do that.
Then, we have Windows Subsystem for Linux support, Docker — we have versions of Kali for all of these major different items. The idea being, regardless of where you are, you should have access to the tool set. If you get into a developer system and you want to load up a tool set on there, they’re probably already using Docker somewhere, so just load up Kali Docker. Now, you have your Kali tool set there, and it really just opens up accessibility for a lot of users.
What would you say are the top few ways in which Kali Linux differs from other Linux distributions?
O’Gorman: At the end of the day, we are a Debian derivative, so we go off of Debian testing. And then, we do the things that make us unique as a distro based off of that Debian testing.
We focus on penetration testing, red teaming attack simulation; however you want to word it, that’s our space. That’s our niche. That’s what we [do quality assurance (QA)] against. That right there is what makes it unique. We’re not competing against Ubuntu or Linux Mint or anything like that; they obviously have a much different base. They’re not going to run QA to ensure that the latest pen testing tools are working properly on their operating systems.
Conversely, we’re not testing that the latest desktop software is going to run properly on Kali. Do people run Kali as their day-to-day operating system? If you can run Debian testing as your day to day, then there’s really no reason you can’t run Kali because we’re just a derivative of that. But we’re not going to QA it; that’s not what we’re putting our effort into.
Kali is better focused on the pen testing space. A lot of that is really just coming down to ease of customization, the multiplatform support and the long-term legacy of trustworthiness.
For somebody who’s coming fresh to Kali Linux as a new penetration tester, what would be the top pieces of advice on how to use it?
O’Gorman: The biggest thing is going to be read the documentation. We actually have a site called Kali.training where we have free training material, a free online course about Kali. It doesn’t go into the security aspect; it’s not a pen testing course or introduction to security course or anything like that. It’s all about Kali as a Linux operating system. How do you manage it? How do you leverage it? How do you make it do the fancy cool things that Kali can do?
It’s all there documented on Kali.training. I would highly recommend that people start there. Even if you’re familiar with Linux, it never hurts to have a refresher and remind you of the things that you already knew but may have forgotten. But also you can dive deep into the areas that are unique and special about Kali. One hundred percent, that’s the No. 1 place to start.
Then, the No. 2 piece of advice would then be to not be scared about making mistakes. The point of Kali is assessment; it’s coloring outside the lines to a certain extent. If you approach the operating system too strictly and you’re scared to do something with it, you’re just not going to take advantage of the full potential.
Install it in a VM initially, someplace where it’s nondestructive and you can make use of it and just go to town. Start having fun. Run things, and see what happens. Look at the doc; make sure you don’t paint yourself into a corner where you say, ‘This is my routine, I do these four things and this is all I’ll ever do,’ because then you’re just not getting the full experience.
What are the top most common errors or missteps that people who are new to Kali make when they first start?
O’Gorman: There are a few things that people do that are kind of silly. One common mistake is people try to just take our repos [repositories] and then put them in their sources on other non-Kali operating systems. Since we’re a Debian derivative, obviously, everything is handled through [Advanced Package Tool].
Sometimes, people will want to use Kali, but they already have a new Ubuntu install that they like. And they’ll just put our repos in the Ubuntu install. That’s just rough; you’re going to break things that way.
Conversely, people will take other repos and drop them into their Kali install — maybe there’s some music player that they want, that we don’t have a package for that part of the Debian tree, but it is in Ubuntu. They’ll go and drop in an Ubuntu package, and obviously, that’s not going to work because you’re just going to break the system that way. I would be careful with the sources; that’s kind of a silly thing, but it happens quite a bit.
The other thing kind of goes back to the previous question: People just don’t read the docs. They come across a problem, and then they just throw their hands up in the air and say, ‘I don’t know what I’m doing.’ It’s not an operating system for beginners, it’s not a Linux Mint and it’s not an Ubuntu. It’s a very powerful tool. And, in any powerful tool, whether it’s an operating system or a woodworking power tool you’re using, it really behooves you to read the documentation, understand what’s there first. And, if you don’t take the time to do some self-study, do some research when something goes wrong.
Hacking is a sexy topic, and there are a lot of people that want to jump into it. It’s just not something that happens overnight. You cannot just install an operating system and become a hacker. You have to put out some work; there is just no way around putting in the blood, sweat and tears that comes along with that.
What are the top Kali Linux pen testing utilities that users will spend most of their time with?
O’Gorman: Tool set-wise, there are obviously some tools that are evergreen that everyone loves. Nmap is one of them. For information gathering, it’s always been the industry go-to.
The Metasploit framework is obviously extremely popular for a lot of different reasons, so that’s in there. Intercepting proxy [traffic] when you’re doing web assessment work is always critical, and the Burp Proxy is a great example of one of those tools.
There are a lot of tools like that, but there are also the ones that you don’t necessarily think about but that you rely on, day in and day out. For example, what you use to take notes in. When you’re doing an assessment, you need to be able to write a report afterwards, so there are a number of different tools that we’ve placed in Kali like text editors or hierarchical note-taking applications like Cherrytree. They are there to help people take notes. It isn’t sexy, but it’s essential.
Then, there’s your basic shell. As a pen tester, you’re always writing little one-liners, short scripts to automate things, and having that there, it becomes invisible, and you expect it to always be there. But, realistically, that’s a major tool that a lot of pen testers use.
Are there specific ways to use Kali Linux pen testing utilities?
O’Gorman: Everybody has their own workflow that is good for them. I have a co-worker, and when we’re doing an assessment together, I watch him in awe of what he does because I can’t work that way — but I appreciate what he’s doing.
He runs everything through Screen, and he has Screen write out to a spool file. Everything that goes through his terminal is written out to this text file that he can open up with a text editor later and search through to take items out and put together what he was doing at the time.
He doesn’t really even take notes; everything he does gets spooled to this output file. He does it with Screen, our terminal that we have in Kali, where you can change the preferences to write everything out to a spool file. It doesn’t work for me, but that doesn’t mean it’s bad. Obviously, it works wonderfully for my co-worker. I’m amazed that he doesn’t have to spend time taking notes because it’s all automated.
For me, I just use a plain old text editor. I use Vi all the time, nothing sexy about it — it’s just what works for me. We give people the options to find what workflow works best for them; there’s not one or the other that you can really advocate as being the right way to do it because it’s so personal.
What if someone wanted to use a different editor, like Emacs?
O’Gorman: Emacs is not included by default, but it’s in the tree, and you can install it. We’ve been optimizing Kali recently and taking a critical look at what packages are included by default to try to reduce the file size.
We have a number of different flavors of Kali, and we have all these different metapackages, which goes into what I said about doing your own custom version of Kali. If you want to roll your own ISO that is completely headless, there’s a special meta package to use. There’s a meta package to use if you’re focused on web assessment with all the web assessment tools.
When a new tool comes out, it’s hot, it’s cool, everybody uses it. Then, a few years go by and it’s no longer maintained, and then it just kind of sits there. Every once in a while, we have to do spring cleaning.
I’ve always been a Vi person. If you need an editor that is easier to use, there’s Nano. But Emacs? Yes, that’s as far away as doing an advanced install, but it’s not far from the default.