Features Kali Linux Lead image: Photo by Charles on Unsplash

Discover system vulnerabilities and exploits

Anti-Theft Device

The Kali Linux pentesting and compliance distribution is an antidote to attacks and other online danger. By Martin Loschwitz

If you pay attention to security from the outset, you can avoid trouble farther down the road. No company can afford to ignore security, because successful attacks can trigger legal aftershocks in the form of lawsuits (e.g., for gross negligence) and fines, as well as lost revenue.

Attacks can also destroy a company's reputation. What customer would want to hand over their data to a company if the server doors are left open? Clearly, security is important, and you are well advised to consider security an implicit factor in your business plans from the outset.

Kali Linux, one of the oldest tools for systematic penetration testing (pentesting), examines systems and applications for common and known errors. The distribution comes with various pentesting tools, which, unfortunately, also bestows the rather dubious reputation of being a bona fide hacker tool. (See the "Under the Hood" box.)

Under the Hood

Kali Linux hasn't been around that long: The first official version was released in 2013. However, it had a predecessor and a role model: BackTrack Linux served a similar purpose, although maintaining a complete system became too much for developers Mati Aharoni and Devon Kearns. The question arose as to whether this structure was necessary at all, because the most important factor of BackTrack was not the operating system – it was – as is the case with Kali Linux today – the tools that came with and were perfectly integrated into the system.

Without further ado, the makers decided to retire BackTrack, and Raphael Hertzog, a long-time Debian developer and expert, was brought into the team. From then on, a new distribution based on the Debian testing branch was developed and dubbed Kali Linux. Most of the Kali Linux on-board packages still come from the testing branch of the distribution (Figure 1).

Figure 1: The Kali Linux installer will look familiar to adherents of Debian, whose testing branch is the basis of the distribution.

Operational Model

In the context of compliance, a setup is not necessarily secure just because its provider has a certificate hanging on the wall. Certificates merely confirm that companies have implemented processes that reduce the likelihood of serious problems.

Tools that describe the ideal state of systems and let you check that the state is maintained are helpful, although they do not detect vulnerabilities in applications, such as coding errors. Precisely these errors can offer a vector for attackers through targeted exploitation. For decades, developers of basic tools such as the GCC compiler have been working to detect serious errors in source code and then prevent the compilation process.

Such protection is not perfect, and you might only discover problems when it is too late (e.g., when a zero-day exploit is already circulating in the wild). Oftentimes you don't know about dangers because government agencies, for example, do not pass on such information, so they can exploit the vulnerabilities themselves.

In the following pages, I talk about how Kali Linux works and which tools are available for testing your own systems. Of course, I assume you will only target your infrastructure and not that of others.

Many Options

With an image size of about 3.5GB, Kali Linux is not a lightweight, but you can get a lightweight version that lacks a graphical interface and weighs in at 900MB, which can be quite useful in everyday Kali life. Accordingly, the developers give their users a choice of Kali images with LXDE, KDE, or other desktops [1] (Figure 2).

Figure 2: No wasted time: The Kali Linux menu comes straight to the point and shows all the tools in clearly arranged categories.

How you install Kali Linux is essentially up to your own imagination. Strictly speaking, an installation is not even necessary, because the images come with a Live option that boots into a Kali Linux version with all the features. However, if you regularly use Kali Linux to hunt down vulnerabilities, installation is highly recommended.

Of course, you also can run Kali on a virtual machine (VM), because many admins likely do not want to use the system for everyday tasks. If the main task of Kali in the local setup is to find problems in WiFi networks, then an old laptop is probably better suited than a VM, because it avoids the virtualization layer between Kali and the network.

Three Applications

Once Kali is running, the tools can be divided roughly into three categories: information acquisition, to help detect or locate vulnerabilities; preparation for and execution of attacks, including all kinds of password crackers and tools that can break WiFi encryption, as well as a variety of tools that exploit individual, specific vulnerabilities in systems; and forensics, which are especially useful when the goal is to analyze a system that has already been compromised.

Each of the three main categories can be broken down into further subcategories. I will not try to describe in detail all the tools that come with Kali; rather, I will discuss a few highlights in the following sections.

What's Going On?

The first program category in Kali deals with the tools that let you examine and analyze a setup. The list contains various tools that you might be familiar with outside of the Kali context, such as Nmap (Figure 3) and Wireshark (Figure 4).

Figure 3: Kali Linux includes the port-scanning veteran Nmap.

Figure 4: Wireshark analyzes network traffic and is an essential Kali Linux tool.

Kali also contains tools for specific protocols: Miranda maps local UPnP domains and identifies corresponding devices. If you have ever dealt with UPnP camera security, for example, in conjunction with the default UPnP settings of typical routers for home use, you understand why Kali Linux doesn't just belong in the data center. The story of network cameras that are published on the network via UPnP, and are thus accessible to everyone, is legendary.

Once you have carefully checked your own network with Kali, you might discover that some services are exposed to the outside world that should not be. Do you really want to invite the whole world in for breakfast?

Blurring Borders

The boundaries between the analysis tools and the tools for exploiting problems with Kali Linux are occasionally blurred. The analysis tools category includes various mechanisms that detect existing errors and draw attention to them. The Metasploit framework, for example, is correctly listed by the Kali developers as an exploit tool, whereas Recon-ng belongs in the analysis category, even though it is quite similar to Metasploit. Recon-ng systematically scans hosts against a database of vulnerabilities and provides information if it finds one.

Significant numbers of similar tools are part of the Kali Linux bundle. Below the Vulnerability Analysis banner, the program lists Yersinia, which specializes in detecting Layer 2 vulnerabilities. (It was not named after the bacterial strain to which the plague pathogen belongs, by the way.) Anyone who frequently has contact with Microsoft SQL databases will appreciate sqlninja, a tool that specializes in identifying and exploiting SQL injection vectors in the Microsoft database.

Ready to Attack

The analysis tools play an important role in Kali Linux in general, but they are not the focus. The main objective of the distribution is to build an exploitation toolkit with which you can check your infrastructure. Kali Linux comes with various tools for all potential attack scenarios.

The Wireless Attacks category, for example, has more than 30 tools that supply a more than capable toolbox for attacking and hardening WiFi networks. Although many of the tools focus on the legacy WEP encryption standard, some tools are also capable of breaking the more modern WPA2. In an ideal world, WEP would not be used, but where it is used, Kali has several tools that can break the encryption quickly and efficiently (e.g., the well-known Kismet).

Kali Linux also comes with honeypot features to catch attackers: On a running Kali Linux instance, you can start a genuine WiFi access point (AP) that allows client connections but undermines encryption. As is almost always the case when you use Kali Linux, you need to be careful, because simply sniffing the traffic is strictly prohibited.

If you want Kali to prevent attacks against your own infrastructure by closing security vulnerabilities from the outset, you need to define precisely the scope of your project and ensure that you don't accidentally target innocent bystanders. The developers of Kali Linux point out that various tools can be used for illegal activities and that it is your responsibility not to use them in such a way.

If you have wondered whether the WiFi password on your own router is really as secure as you thought, Aircrack-ng will probably help you find out. It can detect and crack the legacy WEP encryption and comes with material for dictionary attacks against WPA.

If Aircrack-ng discovers your wireless network keys, you'll have to change your password. The Kali Linux tools can even simulate attacks against WPA that have become known in recent months so that insecure devices can be identified reliably and removed from the setup.

Windows in the House

Some Linux admins might know the insecure feeling of having Windows systems in their setups. Some even set up a separate WiFi network for these systems and then isolate it from other systems. Kali Linux turns out to be useful in this case, too, because the distribution includes several tools that scan Windows computers for vulnerabilities. In this way, you at least have an overview of what is going on in your network.

The Windows Subsystem for Linux lets you run Kali Linux on Windows. Accordingly, the distribution can be found in the Windows Store, ready for one-click installation.

Targeted Attacks on Services

In addition to the general-purpose tools for everything related to WiFi, Kali Linux is also equipped with a variety of tools for attacking specific software or hardware components. Cisco routers can be checked with cisco-auditing-tool. BeEF (browser exploitation framework) inspects the browsers present on a system, and the Linux Exploit Suggester digs through a system to find vulnerable standard components with known vulnerabilities.

Another subcategory of attack tools deals with website vulnerabilities. The cross-site scripter (XSSer) tool is classic, but Kali also has tools that detect remote installations of WordPress, Joomla, and various other content management systems (CMSs) and point to possible vulnerabilities.

Kali even identifies individual modules as problematic that are not officially part of a CMS, because it has many tools that also examine plugins and modules from third-party vendors. This category of tools is basically one of Kali Linux's most important weapons.

Quite a few users fail to maintain their WordPress environments, even though fixes are published regularly for extremely dangerous bugs. An attacker could convert a WordPress installation to a Bitcoin miner, for example, which would have a negative effect on customers of the site and quickly become an acute threat to the reputation of the respective provider.

Thanks to Kali Linux, you can regularly check sites you host with WPScan and ask a customer to install an update – before an attacker has time to exploit a vulnerability (Figure 5).

Figure 5: Check WordPress installations with WPScan for unpatched security issues and notify customers when needed. Kali can even investigate third-party modules.

Stress Tests

Security problems manifest themselves not only as obvious programming errors. Sometimes a great deal of load exposure is required to reveal a weak spot. Not infrequently, the goal of attacks on a network is not to compromise another server, but to make it unusable for the network community (i.e., denial of service, DoS).

Kali Linux comes with tools that let you run load tests against your own infrastructure by generating hundreds of thousands of HTTP requests against active web servers. This method is an effective way to check the capacity of databases or load balancers.

FunkLoad is a good example: You can run load tests against web applications on a recurring basis and according to a fixed set of parameters. As a result, FunkLoad also supports regression testing, because if an application reacts significantly more slowly after an update than it did before the update, you are obviously experiencing some serious performance hits.

Forensics: When It's Too Late

The last main group of tools in Kali Linux deals with systems on which all your precautions have been in vain – that is, forensic tools that you need to trace an attack.

Unfortunately, many admins rank forensics at the bottom of the list after an attack, because the main effort is to put the affected services back online as quickly as possible to keep financial losses as small as possible. Time is often not available to deal systematically with the nature and content of a break-in.

However, forensics are essential to discovering successful attack vectors, which drives the actions that need to be taken to avoid similar scenarios in the future. Take compliance, for example: If someone breaks into a system through an outdated installation of WordPress, the tools that are supposed to check and ensure that WordPress installations are up to date have obviously failed. However, if someone hacks a system with stolen credentials or a guessable password, it's time to take a look at your password policy.

How exactly an attack took place can only be determined on the affected system itself, and to do this, the system in question must be taken offline immediately – and ideally switched off. Attackers often try to cover their tracks, making analysis even more difficult.

When handling a system that you want to examine, simply switching on the server is the wrong approach, because pertinent files in /tmp would be lost if it were cleared at system startup. As the first step, it therefore makes more sense to remove the data carrier from the respective system and connect it to a system with Kali Linux.

Alternatively, Kali Linux can also be started in Live mode on such a system, which has no effect on the hard drives. Local analysis is then possible.

The Kali Linux forensics toolbox is rich with important tools: binwalk supports the analysis of binary files. If you are dealing with a Windows system, RegRipper searches the registry for suspicious entries and typical signs of attack tools. Different tools are included for different filesystems for recovering deleted files, but the chances of success can vary from case to case.

All in all, Kali Linux impresses as a comprehensive toolbox for forensic investigations on systems after a break-in. The compilation of tools and wealth of choice make Kali Linux valuable.

For Raspberry Pi 4

As mentioned earlier, several variants of Kali are available. The developers specifically point to support for the still quite new Raspberry Pi 4 (RPi4) single-board computer. The ARM image for the RPi4 was available on the Kali Linux website the first day it went on sale.

The ARM port of the distribution is nothing new. You could install and run Kali even on older Rasp Pis, but it's far more fun with the RPi4 – at least if you use a model with a generous helping of RAM. The almost 4GB disk space required by Kali Linux is easily provided by a microSD card. A portable Kali Linux, however, is a powerful tool: The focus is obviously not on testing server applications; it is on the very powerful tools for testing things like WiFi networks.

An RPi4 can be used with a large power bank (about 20,000mAh) for quite a while without problem, and if you are a mobile worker, your vehicle's 12V socket can be your power supply. Therefore, if you need to check the WiFi network of a client, a friend, or even your parents, Kali on an RPi4 is a good solution.

Conclusions

Kali Linux is a powerful distribution with many tools that can be used (and misused) for exploits, although its strongest focus is not exploitation. Instead, gathering information is the typical use case for the distribution. For example, what does the infrastructure look like? What makes it special, and where are potential security holes through which the bad guys can break in? The main focus is therefore more on the thorough analysis of a network.

Additionally, Kali Linux performs classic security tasks. If you want to make sure your users don't just use password to complement their username, you will also find brute forcing tools in Kali Linux.

However, if you simply download Kali Linux and expect a complete hands-free, no-worries package, you are mistaken. Kali Linux unfolds its full potential when used in a targeted way to search for vulnerabilities. Kali does not aimlessly volley against all possible attack vectors, despite, or maybe precisely because of, its many individual tools.

For this reason, it is important from your point of view to define the attack scenario for a certain situation as precisely as possible. Armed with such a definition, you can then determine where the threat of attacks is greatest.

If your career path is firmly rooted in the security context, it makes sense to take a very close look at Kali Linux. I highly recommend including it in your toolbox.