Penetration Testing: Why Kali is a Great First Toolset

You don’t have to visit many “how-to” resources on penetration testing before you read something about Kali Linux, often just called Kali. It is one of the most common and accessible suites of pen testing tools available today. In fact, Kali has pretty much become synonymous with pen testing and hacking.

Kali Linux is one of the many Linux distributions that are based on Debian. It is developed and managed by Offensive Security as the successor of the wildly popular Backtrack Linux distribution. In short, Kali is a pen testing toolbox.

Kali includes over 600 software tools and utilities that pen testers commonly use. The vast majority of these are free and open source. The Kali Tools page lists the tools included in the current distribution.

But Kali isn’t just a static collection of tools. The Kali Git development source tree is open source as well. That means that anyone can see what goes into any Kali release and can customize any Kali packages. The list of authorized users who can modify the Kali source is very short and well-protected, but that provides a layer of control over the distribution.

Although Kali is derived from Debian, it does not include all the packages many general-purpose Linux distributions include. That’s because Kali isn’t for general-purpose users. It is built specifically for pen testers, and pen testers use it on a variety of hardware. You can download Kali to install on Intel PCs, a variety of ARM devices, as VMware, VirtualBox, or Hyper-V images, or simply as an ISO file to create bootable DVDs or USB devices. You can install Kali or just run it from the live boot device.

Why Is Kali So Popular?

Try conducting an internet search for the phrase “pen testing tools.” You’ll find that many of the resources include Kali in their “best of” lists. Kali is immensely popular with both pen testers and hackers. The reason for the cross-cultural appeal is that the tools included in Kali can be used for beneficial or malicious purposes.

So, what is it that makes Kali the de facto toolset for so many pen testers and hackers when they’re just starting out?

Here is a short list of the main reasons Kali has gained such a prominent position in the share of pen testing tools:

• Kali is free: The price is right
• Kali is largely comprehensive: Over 600 bundled tools means there is a good chance you’ll find a way to do what you want
• Installing Kali and accessing tools is easy: Download the image you want and either run the simple install procedure or create bootable media
• Kali runs on lots of computing devices: Kali runs on Intel PCs, many ARM devices, or as a virtual machine in VMWare, VirtualBox, or Hyper-V.
• Kali has a rich community of users: Many Kali users interact in various forums across the world
  Kali is used on “Mr. Robot”

That last point needs a little more explanation. The USA Network produces and broadcasts a television series called “Mr. Robot.” The show is about a cyber security engineer, Elliot, who moonlights as a hacker. Several episodes highlight the fact that Elliot uses Kali Linux in many of his hacking exploits. The show is quite accurate, at least as far as its depiction of hacking techniques and tools. Many wannabe hackers saw “Mr. Robot” and immediately downloaded Kali Linux to become a hacker.

This media awareness of Kali, and hackers in general, has created a growing group of entry-level hackers and pen testers. They generally want free tools that are bundled all in one place to get started. Kali provides exactly that product.

How to Get Started with Kali

While becoming a legitimate pen tester takes time and effort, getting started with Kali is easy. There are only a few steps to get up and running. However, just booting Kali will not make you a pen tester. It won’t make you a hacker, either—Kali is a tool. Education and skill acquisition are mandatory paths to becoming good at either pen testing or hacking. But for now, here’s how to get started with Kali:

• Decide which Kali download file format you need. This will be based on the type of device on which you plan to run Kali.
  • Install image: This format allows you to burn DVDs or bootable USB sticks. You can boot and run Kali directly or boot and then install Kali.
  • Device-specific ARM image: This download type allows you to install Kali on a variety of ARM devices.
  • ARM build scripts: These are the scripts used to build the ARM images. You can build your own images for custom devices.
  • Virtual machine images: Kali is available in prebuilt images for VMware, VirtualBox and Hyper-V.
• Download the file type you need for how you’ll use Kali.
  • If you don’t know what to select, just get the Kali Linux 64-bit or 32-bit image.
  • Burn the ISO file to a DVD or USB storage device to create bootable media.
  • Boot Kali from your newly burned boot media and install it, or just run it from the boot media. Running Kali from the boot media is a great way to get started with Kali without having to install it in a hard drive.
• Log in and explore Kali.
  • If you install Kali, you will use the root password you provided during the installation process.
  • If you run Kali from the boot media, the root password is “toor.”

Receive Popular Monthly Testing & QA Articles

Join 34,000 subscribers and receive carefully researched and popular article on software testing and QA. Top resources on becoming a better tester, learning new tools and building a team.

Subscribe

We will never share your email. 1-click unsubscribes.

Next Steps

As you explore Kali, you’ll notice that the default user interface has the tools organized into categories. Take some time to peruse the menus to see what tools Kali includes.

Once you are a little familiar with Kali, the next step is to really start learning what the tools do and when to use them. There are many Kali and pen testing tutorials freely available online. Find one that you like and work through it.

The best way to learn Kali is to use it. Actually employing the tools in different ways gives you a good feel for how they work. If you take the time to learn about pen testing, you’ll gain a good understanding of how Kali fits into the process.

Although Kali is a great collection of tools, it isn’t the only pen testing tool suite. There are many more freely available tools and collections, and fully featured commercial options, as well. As you gain experience as a pen tester, you’ll find that you need more tools that provide specific capabilities.

But Kali is a very good starting point. It is free, and there is lots of information about it out there. That’s why Kali is one of the first tool collections that is mentioned when talking about pen testing. (And, of course, it’s on TV.)

Article by Michael Solomon. Michael Solomon PhD CISSP PMP CISM is Professor of Information Systems Security and Information Technology at University of the Cumberlands and Director of the Ph.D. Information Technology Program.