3. About Kali Linux
Kali Linux is an enterprise-ready security auditing Linux distribution based on Debian GNU/Linux. Kali is aimed at security professionals and IT administrators, enabling them to conduct advanced penetration testing, forensic analysis, and security auditing.
What is a Linux distribution?
Linux and the Kernel:
Linux refers to the kernel, a software layer managing hardware and applications.
It is commonly (but incorrectly) used to describe the entire operating system.
Linux Distribution (Distro):
A complete operating system built on the Linux kernel.
Includes installation programs and various applications, either pre-installed or packaged for easy installation.
Debian GNU/Linux:
A leading generic Linux distribution.
Known for its quality, stability, and free software principles.
Offers multiple versions, e.g., Debian Stable and Debian Testing.
Kali Linux:
Based on Debian and incorporates over 400 specialized packages.
Focused on information security and penetration testing.
Has its own distribution versions, such as Kali Rolling.
3.1. A Bit of History
The Kali Linux project began in 2012 as a replacement for the manually maintained BackTrack Linux, with the goal of creating a true Debian derivative. Debian was chosen for its stability, quality, and extensive software library. The first version, Kali 1.0, was released in March 2013 based on Debian 7 "Wheezy." Over the first year, hundreds of penetration-testing tools were curated, avoiding redundant or outdated applications.
In 2015, Kali Linux 2.0 was released, rebased on Debian 8 "Jessie," and introduced enhancements to the GNOME Shell. Xfce became the default lightweight desktop environment, suitable for live ISOs, with additional environments like GNOME, KDE, and others available during or after installation.
Kali Linux shifted to Kali Rolling in 2016 to align with the faster update cycle of Debian Testing, ensuring the latest versions of penetration-testing tools. The rolling release model provides daily updates but introduces challenges, such as managing continuous changes and potential backward incompatibilities. This approach aims to equip users with up-to-date tools while maintaining flexibility and adaptability in system management.
3.2. Relationship with Debian
The Kali Linux distribution is based on Debian Testing.
3.2.1. The Flow of Packages
Debian Package Development Process:
Contributors update and upload packages to Debian Unstable (sid) daily.
Packages migrate from Debian Unstable to Debian Testing once major bugs are resolved.
The migration ensures no broken dependencies, keeping Debian Testing in a usable or even releasable state.
Alignment with Kali Linux:
Debian Testing aligns with Kali Linux's goals, making it the preferred base.
Two-Step Process for Kali-Specific Packages:
Creating the kali-dev Repository:
Start with Debian Testing and inject Kali-specific packages (from kali-dev-only repository).
The kali-dev repository is prone to breakage and is not intended for end-users.
Issues in kali-dev may arise from:
Kali packages needing recompilation against newer libraries.
Forked packages requiring updates to restore compatibility or fix dependencies.
Building kali-rolling:
kali-rolling is the stable distribution for end-users.
Built from kali-dev in a manner similar to how Debian Testing is built from Debian Unstable.
Migration occurs only when all dependencies in the target distribution are satisfied.
3.2.2. Managing the Difference with Debian
Minimizing Forked Packages:
Kali aims to minimize the number of forked packages to reduce divergence from Debian.
Changes are made only when necessary to implement unique Kali features.
Upstream Contributions:
Efforts are made to send changes upstream by:
Directly integrating features into upstream packages.
Adding hooks to enable Kali-specific features without further modifications.
Kali Package Tracker:
Tracks divergence from Debian, listing forked packages and their sync status with Debian.
Forked packages are maintained in Git repositories with two branches:
Debian branch: Tracks the original package.
Kali branch: Contains Kali-specific modifications.
Updating a forked package involves updating the Debian branch and merging changes into the Kali branch.
Additional Packages in Kali Linux:
As of January 2021, Kali included nearly 500 additional packages, most of which comply with the Debian Free Software Guidelines (DFSG).
The goal is to integrate these packages into Debian whenever possible.
Adherence to Debian Policy and good packaging practices is a priority.
However, some exceptions exist where proper packaging is challenging due to time constraints or complexity, limiting the number of packages pushed to Debian.
3.3. Purpose and Use Cases
Focus and Purpose:
Primary focus: Penetration testing and security auditing.
Built as a versatile platform, integrating tools for a variety of use cases.
Use Cases Across Devices:
Laptops: For penetration testers conducting security assessments.
Servers: For system administrators to monitor networks.
Workstations: For forensic analysts conducting investigations.
Embedded Devices: Small, stealthy devices (often with ARM CPUs) used for:
Wireless network attacks.
Physical access to target systems (e.g., via USB).
Portable attacks due to small size and low power requirements.
Cloud Deployment: Enables quick setup of password-cracking farms.
Mobile Devices: True portability for penetration testing on phones and tablets.
Servers for Penetration Testing Activities:
Collaboration software for pen-testing teams.
Web servers for phishing campaigns.
Vulnerability scanning and other support tools.
User Interface Organization:
The Kali Linux main menu is organized by themes, grouping tools and tasks relevant to penetration testers and information security professionals.
These tasks and activities include:
Information Gathering: Tools for collecting data on network structure, systems, services, and sensitive information, including directory listings.
Vulnerability Analysis: Scanners identify known vulnerabilities or misconfigurations using signature databases.
Web Application Analysis: Identifies weaknesses and misconfigurations in publicly exposed web applications.
Database Assessment: Focuses on testing for SQL injection, credential attacks, and data extraction vulnerabilities.
Password Attacks: Includes tools for both online and offline password attacks on authentication systems.
Wireless Attacks: Tools for targeting vulnerabilities in various wireless networks.
Reverse Engineering: Analyzing malware or software to identify vulnerabilities or understand attack capabilities.
Exploitation Tools: Helps exploit vulnerabilities to gain control over systems and escalate privileges.
Sniffing & Spoofing: Tools for capturing and analyzing network data or impersonating legitimate users.
Post Exploitation: Maintains access or expands control by moving laterally within a network.
Forensics: Tools for triaging, imaging, and analyzing data in forensic investigations.
Reporting Tools: Assists in compiling and presenting penetration testing findings.
Social Engineering Tools: Exploits human behavior through phishing, backdoors, and other tactics.
3.4. Main Kali Linux Features
Kali Linux is a Linux distribution that contains its own collection of hundreds of software tools specifically tailored for their target users—penetration testers and other security professionals. It also comes with an installation program to completely set up Kali Linux as the main operating system on any computer.
3.4.1. A Live System
Alongside the main installer ISO images, Kali Linux offers a separate live ISO image to download. This allows you to use Kali Linux as a bootable live system. In other words, you can use Kali Linux without installing it, just by booting the ISO image (usually after having copied the image onto a USB key).
3.4.2. Forensics Mode
In general, when doing forensic work on a system, you want to avoid any activity that would alter the data on the analyzed system in any way. Unfortunately, modern desktop environments tend to interfere with this objective by trying to auto-mount any disk(s) they detect. To avoid this behavior, Kali Linux has a forensics mode that can be enabled from the boot menu: it will disable all such features.
3.4.3. A Custom Linux Kernel
Kali Linux always provides a customized recent Linux kernel, based on the version in Debian Unstable. This ensures solid hardware support, especially for a wide range of wireless devices. The kernel is patched for wireless injection support since many wireless security assessment tools rely on this feature.
Since many hardware devices require up-to-date firmware files (found in /lib/firmware/), Kali installs them all by default—including the firmware available in Debian's non-free section. Those are not installed by default in Debian, because they are closed-source and thus not part of Debian proper.
3.4.4. Completely Customizable
Kali Linux is built by penetration testers for penetration testers, but we understand that not everyone will agree with our design decisions or choice of tools to include by default. With this in mind, we always ensure that Kali Linux is easy to customize based on your own needs and preferences. To this end, we publish the live-build configuration used to build the official Kali images so you can customize it to your liking. It is very easy to start from this published configuration and implement various changes based on your needs thanks to the versatility of live-build.
3.4.5. A Trustable Operating System
Users of a security distribution rightfully want to know that it can be trusted and that it has been developed in plain sight, allowing anyone to inspect the source code. Kali Linux is developed by a small team of knowledgeable developers working transparently and following the best security practices: they upload signed source packages, which are then built on dedicated build daemons. The packages are then checksummed and distributed as part of a signed repository.
The work done on the packages can be fully reviewed through the packaging Git repositories (which contain signed tags) that are used to build the Kali source packages. The evolution of each package can also be followed through the Kali package tracker.
3.4.6. Usable on a Wide Range of ARM Devices
Kali Linux provides binary packages for the armel, armhf, and arm64 ARM architectures. Thanks to the easily installable images provided by OffSec, Kali Linux can be deployed on many interesting devices, from smartphones and tablets to Wi-Fi routers and computers of various shapes and sizes.
3.5. Kali Linux Policies
While Kali Linux strives to follow the Debian policy whenever possible, there are some areas where we made significantly different design choices due to the particular needs of security professionals.
3.5.1. Network Services Disabled by Default
Kali Linux disables network services (like HTTP and SSH) that would listen on a public interface by default, unlike Debian. This decision minimizes exposure during penetration tests, as it reduces the risk of detection from unexpected network interactions. Users can manually enable any service using the command sudo systemctl enable service, with more details covered later in the course under "Configuring Kali Linux."
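To check that the "nothing listens on a public interface" policy actually holds on a given machine, here is an added example (not from the course notes) that reads the output of ss -Hltn, or a captured copy of it passed as a file, and reports TCP listeners bound to anything other than loopback:

```shell
#!/bin/sh
# Added example: audit which TCP services are reachable from the network.
# Input format is that of `ss -Hltn` (no header, listening sockets, TCP,
# numeric), whose 4th column is "Local Address:Port", e.g. 0.0.0.0:22 or [::1]:631.

# Print the Local Address:Port of every listener that is NOT bound to loopback.
# With no argument the live table is taken from `ss`; with one argument the
# table is read from that file (useful for checking a captured snapshot).
exposed_tcp_listeners() {
    if [ $# -ge 1 ]; then
        cat "$1"
    else
        ss -Hltn
    fi | awk '
        { addr = $4; sub(/:[0-9]+$/, "", addr) }   # strip the trailing :port
        addr ~ /^127\./ || addr == "[::1]" { next }   # IPv4/IPv6 loopback: fine
        { print $4 }'
}

# Return 0 when nothing listens outside loopback (the expected state of a
# fresh Kali install), 1 when at least one service is exposed.
no_exposed_tcp_listeners() {
    [ -z "$(exposed_tcp_listeners "$@")" ]
}
```

A listener reported here corresponds to a unit that was enabled, so `systemctl disable --now <service>` (the inverse of the enable command above) is the way to return to the default posture.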
3.5.2. A Curated Collection of Applications
Unlike Debian, which packages a wide range of software, Kali Linux focuses on providing a curated collection of high-quality, freely-licensed tools relevant to penetration testing. The selection is driven by the expertise of penetration testers, and tools are chosen based on factors such as:
Usefulness in penetration testing.
Unique functionality of the tool.
License of the application.
Resource requirements of the tool.
Maintaining this repository is a challenging task, and the community is encouraged to suggest new tools through the Kali Bug Tracker, ensuring submissions are well-explained and justify the tool's usefulness.
Questions & Answers
What versions of Debian are Kali 1.0, 2.0 and rolling based on?
Kali 1.0 was based on Debian Wheezy. Kali 2.0 is based on Jessie. Kali rolling is based on Debian Testing.
What are the main differences between a Live boot instance of Kali, and an installed instance?
Live mode boots to RAM, and an installed instance of Kali boots to a storage device.
What's the difference between live and forensics mode?
Live mode boots to RAM, but may auto-mount disks. Forensics mode does not auto-mount drives.
How can we verify that forensics mode is working?
Use the mount command to verify that no disks are mounted. You can also MD5 the system's swap and disk devices, reboot into forensic mode and MD5 again. The MD5 hashes should match if forensics mode succeeded. Try this in a system you don't care about "tainting"!
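The two checks in that answer, scripted as an added example (not from the course notes): one function scans a mounts table (/proc/mounts by default) for mounted block devices, and two more take and compare hash snapshots of the devices before and after the reboot. It uses sha256sum rather than the MD5 mentioned above; the purpose is the same. Device paths and the snapshot files are assumptions for illustration.

```shell
#!/bin/sh
# Added example: verify that forensics mode left the evidence disks untouched.

# List block devices that appear as mounted in a mounts table.
# Returns 0 if none are mounted (what forensics mode should give you), 1 otherwise.
mounted_block_devices() {
    table="${1:-/proc/mounts}"
    # /proc/mounts fields: device mountpoint fstype options dump pass
    found=$(awk '$1 ~ /^\/dev\/(sd|nvme|mmcblk|vd|hd)/ { print $1 " on " $2 }' "$table")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Write "hash  device" lines for every device (or file) given into $1.
# Run once before and once after rebooting into forensics mode; reading raw
# devices needs root. Returns 1 if any device could not be read.
snapshot_hashes() {
    out="$1"; shift
    : > "$out"
    for dev in "$@"; do
        sha256sum "$dev" >> "$out" || return 1
    done
}

# Return 0 when two snapshots are identical, i.e. nothing on disk changed.
snapshots_match() {
    cmp -s "$1" "$2"
}

# Typical use (assumed device names):
#   snapshot_hashes /tmp/before.txt /dev/sda /dev/sdb1   # before reboot
#   snapshot_hashes /tmp/after.txt  /dev/sda /dev/sdb1   # after forensics boot
#   mounted_block_devices && snapshots_match /tmp/before.txt /tmp/after.txt
```

Note that the "before" snapshot must itself be taken from a boot that does not write to the disks, or the comparison proves nothing; that is the point of the "tainting" warning above.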
What's the best way to get a tool included in Kali?
The best way to request a tool addition is to open a "New Tool Requests" ticket in the Kali Bug Tracker.
Name some of the cool features in Kali!
A live system, forensics mode, a custom Linux kernel, completely customizable, a trusted operating system with network services disabled by default, ARM support, preloaded security tools, a penetration testing platform! To name a few.
Hacker's Mantra:
Security is a process, not a product. -- Bruce Schneier