Brief: In this review of Kali Linux, we try to answer regular questions like what is Kali Linux, what is the use of Kali Linux and whether beginners should use Kali Linux or not?
Kali Linux has gained a lot of popularity recently. And there is a reason for that. Hacking is back as the cool-thing-to-do in popular culture and this can be attributed significantly to the TV series Mr. Robot.
Kali is one of the few hacking-focused Linux distributions and quite obviously, Mr. Robot’s popularity helped Kali Linux in getting new users. The graph below validates this claim.
And with that, people with hardly any knowledge of Linux or anything related to computer security are now trying to use Kali as their main Linux distribution.
But Kali Linux was certainly not designed for that purpose.
Of course, I could easily write an article explaining why it’s wrong to use Kali as a first Linux distribution. In fact, you could find great arguments here and here to dissuade you from using Kali unless you really have specific needs.
But I wanted to do something different. So I set up a virtual machine and tried to put myself in the shoes of a ‘new user’ trying some basic tasks on his brand-new Linux system. So, will I encounter some issues or will it be straightforward? Stay with me until the end of this article to read my conclusions.
What is Kali Linux?
To quote the official web page title, Kali Linux is a “Penetration Testing and Ethical Hacking Linux Distribution”. Simply said, it’s a Linux distribution packed with security-related tools and targeted toward network and computer security experts.
A Linux distribution is nothing more than a bundle containing the Linux kernel, a set of core utilities and applications, and some default settings. So Kali Linux does not offer something unique in that sense: most of the provided tools could be installed on any Linux distribution.
The difference is Kali is pre-packaged with those tools and the default settings were chosen according to the intended use cases of that distribution, rather than, say, to fit the needs of the typical desktop user.
In other words, whatever your goal is, you don’t have to use Kali. It is just a special distribution that makes the tasks it is specifically designed for easier, while possibly making other tasks more difficult.
Downloading Kali Linux— and checking the image integrity
To download Kali Linux, I went to the official download page and followed the first download link on that page.
Luckily enough, my computer is equipped with a 64-bit Intel CPU, so the amd64 image was the right one for my architecture.
In addition, on the download page, there was a bunch of hexadecimal numbers. Doesn’t that already feel “hackish”?
No, seriously, those are not here for fun. Kali Linux is intended to be used for security-related tasks. The last thing you want is the tools you will use to be somehow compromised.
So, after having downloaded the Kali image, you should check the SHA-256 fingerprint of the file and compare it with the one provided on the download site. You can read this tutorial on how to verify a checksum in Linux.
Now, I am confident in installing Kali Linux on my VM from that ISO image.
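The fingerprint comparison described above can be scripted. This is an added example, not part of the original article: the function name verify_sha256 is an assumption, and the three-byte demo file is a constructed stand-in for the ISO image.

```shell
#!/bin/sh
# Added example: compare a downloaded file's SHA-256 with the published value.
# Usage: verify_sha256 FILE PUBLISHED_HEX
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be checked.
verify_sha256() {
    file=$1
    # Normalise the pasted value: drop whitespace, fold to lower case.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex digits; a truncated or mangled
    # paste must not be treated as a simple mismatch.
    case $expected in
        *[!0-9a-f]*) echo "published value is not hexadecimal" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "published value is not 64 hex digits" >&2; return 2; }
    # Hash from stdin so the file name never appears in the output.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file" >&2
        echo "  published: $expected" >&2
        echo "  computed:  $actual" >&2
        return 1
    fi
}

# Constructed demo: a three-byte file stands in for the ISO image.
demo=$(mktemp)
printf 'abc' > "$demo"
verify_sha256 "$demo" "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
rm -f "$demo"
```

For the real image, pass the path of the downloaded ISO and the value copied from the download page.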
Kali Linux installation and first experience
Kali Linux being based on Debian, the installation process is rather straightforward. And it is well documented on the Kali website.
For this test, I stuck as much as possible with the default options.
And only a few minutes later, I was able to boot for the first time in Kali Linux, ending up with that screen:
A user accustomed to Unix-like systems might be surprised to learn “root” is the only user available after a default installation. But that’s because many pen-testing tools require super-user permissions.
Once again, this is a Kali-specific choice given its intended use case. But this is not the best choice for your everyday use of a computer (browsing the internet, using office applications, and so on). And it is possibly the worst choice if you have to share your computer with someone else (more on that later).
Speaking of applications, the only ones installed on a default Kali Linux system are clearly oriented toward security. In addition to that, there are a bunch of command line tools not visible from the menu, and a few core utilities like a calculator, an image viewer or a couple of text editors. But you will not find heavyweight office applications or productivity tools.
To give a concrete example, there is no email reader as part of the standard installation. Of course, Kali Linux is based on Debian, and a lot of packages were ported. So you can install a lot of extra software yourself and it should work:
apt-get update && apt-get install thunderbird
And indeed, it will. But once again, is it really wise to check your mail as root on a machine you will use for security auditing?
What’s so “wrong” about working as root?
In a typical Unix-like system, users work as unprivileged users having access to their own files, but not able to tamper with the system or other users’ files. For computer maintenance or administrative tasks, some users may temporarily assume the privileged identity “root”, which gives them super-powers on the host.
By contrast, on a default Kali Linux system, the only installed user is root and you have to work under that identity all the time. You have to understand that being root means there are basically no permission checks on your machine. You can do everything you want. And even things you don’t want.
For example, by exploring your system you might inadvertently edit some critical file like /etc/passwd or some file in the directory /etc/grub.d/ in such a way that your system becomes unusable. In some cases, you may alter your system without noticing any obvious change until the next reboot or the next update, when it will suddenly break. And there are potentially hundreds of such critical files on a typical Linux system. The file permissions are set in such a way that an “ordinary” user can’t endanger the system as a whole. But being root for your daily work on Kali (just like on any Linux system, by the way) will remove that safety net.
Of course, nothing prevents you from creating new unprivileged accounts on your system. But this is extra work you have to do on Kali that you wouldn’t have to do on another distribution. Simply because you’re trying to use Kali for something it was not designed for.
Know what you do!
Somewhat in the same spirit, Kali Linux is packed with penetration testing tools. Some of them are GUI tools; others are CLI tools. In both cases, it might be tempting to “toy” with them more or less at random.
But some commands may be potentially harmful to your home network. In addition, by not understanding the implications of what you are doing, you may put yourself in a difficult situation by using those tools at your work, school or on public networks. And in that case, ignorance will not be an excuse.
Here again, this is not a Kali-specific issue: if you install penetration testing tools on Fedora or Linux Mint, and try random things with them, you may end up in the same trouble. Kali just makes that easier.
Kali is quiet— and it should stay like that
The first thing you can see on the Kali login screen is that motto: “The quieter you become, the more you are able to hear”. What does that mean?
If I listen on the network interface of my Debian system, I can see it being relatively noisy by sending network packets at more or less regular intervals. Some of them are sent by user applications. Others by background services. And if I run nmap to perform a port scan on my regular desktop, I can see several open ports. Including a never-used VNC port and a long-forgotten HTTP server!
All of that because I have various services and user software installed. Some of them are part of my Debian default settings. Some others are here because “one day” I installed a package and just didn’t remove it when I no longer needed it. This is the case, for example, of the HTTP server currently running on my laptop, which I haven’t needed for weeks now.
On the other hand, Kali is designed to be as quiet as possible. This is required both to hide its presence on the network— and to harden itself against potential attacks. To achieve that goal, the default settings of Kali Linux disable many services that would be enabled on a genuine Debian system.
Still, because Kali Linux is based on Debian, you should be able to install the services you want, provided you install the required packages. For example, if you want to practice web development, you might be tempted to install a web server on your Kali host:
apt-get install apache2
If you look closely at the command output, you may notice that, although the installation succeeds, insserv prints messages expressing some concerns about the “runlevels of script apache2”.
curl localhost
curl: (7) Failed to connect to localhost port 80: Connection refused
Once installed, the web server is not started. You have to do it manually.
systemctl start apache2
And you will have to do it after each reboot: “Kali Linux, as a standard policy, will disallow network services from persisting across reboots by default.” (http://docs.kali.org/policy/kali-linux-network-service-policies)
Another option would be to change the policy in the /usr/sbin/update-rc.d file to whitelist apache2 as a startup service. But in that case, just like in the case of my laptop, chances are you will leave that door open even when you no longer need it. What could be a concern on my desktop system would be much more serious the day you plug your Kali system into a compromised network.
Don’t forget, one thing that makes Kali “special” is it was specifically designed to work even when used in a very hostile environment. In that context, running a web server at startup on your Kali host defeats that purpose. In short, you broke Kali. Maybe not visibly. But in spirit at least.
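One way to catch the forgotten listeners described above (the unused VNC port, the HTTP server left running) is to compare the host's listening sockets with the short list of ports you actually intend to expose. This is an added example, not part of the original article: the function names are assumptions, and the ss output is a constructed sample.

```shell
#!/bin/sh
# Added example: list TCP listeners that are not on an allowlist of ports.
# Input on stdin: output of `ss -H -ltn` (State Recv-Q Send-Q Local Peer).
# $1: space-separated ports you intend to expose, e.g. "22".
# Output: "port scope address", one line per unexpected listener.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)                   # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            # Loopback-only sockets are not reachable from the network.
            scope = (addr ~ /^(127\.|\[::1\])/) ? "loopback" : "network"
            if (!(port in ok)) print port, scope, addr
        }' | sort -k1,1n
}

# Constructed sample of `ss -H -ltn` output, modelled on the desktop described
# above: SSH, a forgotten HTTP server, an unused VNC port, a local-only service.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511                *:80              *:*
LISTEN 0      5            0.0.0.0:5900      0.0.0.0:*
LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
EOF
}

sample_ss_output | unexpected_listeners "22"
# On a live host: ss -H -ltn | unexpected_listeners "22"
```

Running systemctl is-enabled apache2 alongside it shows whether a service you started by hand will also come back after a reboot.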
I need the software $prog but it’s not in the Kali repository!
There is no guarantee for all Debian packages to be available on Kali. And there is no guarantee for all possible software to be available on Debian anyway.
So it could be tempting to add extra source repositories to your system to download more software than provided by the official distribution. Or to add a repository providing the latest cutting edge version of your favorite software. Here and there, you may even see “advice” suggesting to modify the /etc/apt/sources.list file for that purpose.
Let’s be clear. If you consider doing that, a PPA-compatible distribution like Ubuntu would probably suit your needs better.
Not that I say you can’t add more source repositories to Kali Linux. But you shouldn’t: Debian warns us against what they call FrankenDebian as it can threaten the stability of your system.
And for Kali Linux it is even worse. Not only could it break your system, but adding packages from an untrusted source to a security system is just nonsense. Even in the case you trust the source, keep in mind Kali packages are hardened (you remember when I installed apache2 above?) which is not the case for most of the packages out in the wild.
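To see whether a system has already drifted that way, you can audit its APT sources. This is an added example, not part of the original article: the function names and sample entries are constructed, and http.kali.org as the official mirror host is an assumption you can override with the first argument.

```shell
#!/bin/sh
# Added example: flag APT sources that do not point at the distribution's own
# mirror, or that switch off signature checks. Reads sources.list text on stdin.
# Assumption: http.kali.org is the official host; pass another as $1 if not.
# Only the one-line "deb ..." format is handled; comments and blank lines are
# skipped because their first field is neither "deb" nor "deb-src".
audit_sources() {
    awk -v host="${1:-http.kali.org}" '
        $1 != "deb" && $1 != "deb-src" { next }
        {
            i = 2; opts = ""
            if ($i ~ /^\[/) {                      # optional [key=value ...]
                while (i <= NF) {
                    opts = opts " " $i
                    if ($i ~ /\]$/) break
                    i++
                }
                i++
            }
            uri = $i; suite = $(i + 1)
            h = uri
            sub(/^[a-z+]+:\/\//, "", h)            # drop the scheme
            sub(/[\/:].*$/, "", h)                 # drop path and port
            if (h != host) print "FOREIGN", uri, suite
            # trusted=yes tells APT to skip signature verification.
            if (opts ~ /trusted=yes/) print "UNVERIFIED", uri, suite
        }'
}

# Constructed sample, not taken from a real system.
sample_sources() {
    cat <<'EOF'
# official entry
deb http://http.kali.org/kali kali-rolling main contrib non-free
deb http://deb.debian.org/debian unstable main
deb [arch=amd64 trusted=yes] https://repo.example.net/apt stable main
#deb http://old.example.org/debian stable main
EOF
}

sample_sources | audit_sources
# On a real host:
#   cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null | audit_sources
```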
Conclusion: Should you use Kali Linux?
And now, it’s time for my conclusion. But I didn’t want to end that long article with a simplistic and Manichean opinion. Especially as I don’t know you.
So here are three possible outcomes. Just pick the one that best matches your case:
1. If you jumped straight to that conclusion without reading the rest of the article, either you already have a strong opinion and I don’t have any chance to make you change that or Kali is not yet for you. In that case, you should first consider a more mainstream distribution like a plain Debian system or Ubuntu. There will still be time later to install the tools you may need on a more case-by-case basis.
2. If you read the article but skipped the parts containing too much technical jargon, Kali is not for you. Kali Linux could be an amazing teaching tool. But if you go that way, you have to be prepared for a steep learning curve. If you’re a very new Linux user starting from zero or if you just want to use your computer without a headache, there are plenty of general-purpose, user-friendly distributions to start with. Why not try Linux Mint or Zorin-OS? Or maybe another Ubuntu-derivative?
3. If you read the article, tried the commands I used, followed the links and searched the terms you didn’t understand, well, congratulations. You’re not just another “script kiddie”. On the contrary, you apparently are ready to spend countless hours and effort to make your system work, to understand the fundamentals of computer science and to discover the networking internals. That makes you one of the few new Linux users that could benefit from using Kali. But instead of using it directly on your computer, I would suggest first installing some other Debian-based distribution and running Kali Linux in a virtual machine. That way you could practice your skills without sacrificing your other activities.
As the last word, maybe you disagree with me or didn’t recognize yourself in the three categories above— so don’t hesitate to use the comment section to give your opinion!