Why Kali Linux is the go-to distribution for penetration testing
Discover why penetration testers prefer to use the Kali Linux distribution for offensive security, from collecting useful tools together to being usable from multiple devices.
The Kali Linux distribution enables penetration testers to explore how potential attackers may enter a system. The suite features hundreds of tools to effectively test all aspects of an IT system, from applications to networks.
Author and pen tester Vijay Kumar Velu wrote Mastering Kali Linux for Advanced Penetration Testing to provide readers with a holistic understanding of ethical hacking, from start to finish, using tools such as Wireshark, Burp Suite and Nmap.
In an interview with SearchSecurity, Velu discussed what readers at all experience levels can learn from his book, why Kali Linux is such a solid distribution and more.
Check out an excerpt from Chapter 1 of Mastering Kali Linux to learn how to configure and customize the pen testing distribution.
Editor's note: The following interview has been edited for clarity and conciseness.
What does Mastering Kali Linux cover? Who should read it?
Vijay Kumar Velu: The book covers the entire pen testing lifecycle, including how to prepare yourself for it, how to set up your own in-house lab and how to practice without doing anything illegal.
The book is for three different audiences. One is those who aspire to become a pen tester. The book covers where to begin, what pen testing looks like, where to focus and what the differences are between pen testing and red teaming. The basics are covered in the first four chapters; then, the pen testing begins.
From that point on, intermediate pen testers can use the information provided. Maybe they're currently only doing just a portion of pen testing and want to enhance their skills and become better pen testers. Intermediates can upskill and perform better or even switch their career to a complete tester role.
The book is also useful for experts already doing pen testing, whether for web applications or external infrastructure. With this book, they'll learn every step of the pen testing lifecycle, including social engineering, phishing emails exercises, vishing and more. From there, they can use the book to jump into specific exercises.
Why is Kali Linux the go-to distribution for pen testing?
Velu: Kali Linux is a one-stop shop for pen testers. It's like a giant retail store where you can find many different brands of the same items. It has something for everyone, whether they're a pen tester, forensic expert or just want to reverse what hackers can do. It's also heavily supported by the open source community and the vendor Offensive Security, which means it isn't going away tomorrow.
Are there any applications missing from the current Kali Linux distribution?
Velu: The distribution is serving current purposes but could stand to feature more future ones. In the final chapter of my book, I look at embedded devices and radio frequency scanning. These topics deserve their own book; I believe the future will focus around IoT devices, which are already defining our day-to-day life. Kali Linux could use more libraries and tools for IoT-specific pen testing exercises. Another would be for the CI/CD [continuous integration/continuous delivery] pipeline.
Is Kali Linux good for those starting out in pen testing and red teaming?
Velu: Learning how to use Linux is always my suggested first move for those starting out in pen testing -- understand Linux, the fundamentals and how networking works. And then you can begin to work on breaking it. Kali Linux is a good start because it is easy to install on pretty much any device. Learn how to install Linux on a multitude of locations, such as Docker and Android smartphones. The latter is especially useful because you can more easily travel to client locations with Kali Linux. For example, if a client asks me to assess a Wi-Fi network, Kali Linux enables me to do wireless scanning with my phone, and I don't even need my laptop.
What's the most difficult aspect of pen testing for beginners?
Velu: The most difficult thing I've seen from those just starting out is that, if something doesn't work, they stop and move on to something else. They're so excited to jump into hacking right away, but that's not the best way to go about pen testing.
First, learn basics such as how DNS works, how it resolves and what is involved when using a web browser. Understand how everything works, from firewalls to proxies to load balancers, before attempting to break something. Some people just lose interest and ask why they should understand these aspects -- but it's critical.
From there, learn how to do social engineering, and get information just by talking with someone over the phone and building rapport. The book covers all this, teaching those new to pen testing the basics before moving on to the more 'fun' aspects of pen testing. You'll learn how to set up systems and then how to break them.
In the book, you mentioned the misconception that pen testing is enough to ensure a system is secure. Rather, you said further testing should be considered to get a complete picture of a system's vulnerabilities and weaknesses. Could you elaborate?
Velu: The misconception is that, if I do my vulnerability scan, I'm secure. For example, say I'm at a medium-sized company and we perform a scan and see there aren't any big issues. We figure that's enough -- but it really isn't.
Next, pen testing comes in -- as dynamic analysis, where we showcase that we are able to break something and get inside the system. But this is where pen testing often stops since you proved you can get inside.
Red teaming exercises, on the other hand, don't stop there. They see to what extent they can go in a system. Teams may, for example, see if they sit on a mailbox for five days and select an invoice, change the account number and banking information, and send an email to accounts payable asking them to process a fraudulent invoice. If accounting processes the invoice, this read team exercise gives you a full, realistic picture of what a cyber adversary can do.
Every offensive security method has its limitations. Vulnerability scanning is just a scan that results in a report providing an idea of the problems your system has. Pen testing provides a look at how an attacker can break something and get inside but generally stops there. Only red teaming provides a full lifecycle of what an attacker could potentially do.
To close out, everything comes with a cost. Maybe the vulnerability assessment is $250 a day versus a potential pen test costing $1,000. That may be deemed too much; too often, the focus is on 'don't fix something until its broken.' The reality is that, if something is broken in this area, you will end up spending double -- or more -- just to fix or mitigate the resulting fallout instead of just paying a smaller amount the first time around.