12. Conclusion: The Road Ahead
305
12.1 Keeping Up with Changes
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
306
12.2 Showing Off Your Newly Gained Knowledge
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
306
12.3 Going Further
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
307
12.3.1 Towards System Administration
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
307
12.3.2 Towards Penetration Testing
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
307
Index
308
IX
Table of Contents
Preface
You have no idea how good you have it.
In 1998, I was an up-and-coming hacker, co-founding one of the earliest professional white hat
hacking teams. We were kids, really, with dream jobs, paid to break into some of the most secure
computer systems, networks, and buildings on the planet.
It sounds pretty sexy, but in reality, we spent most of our time hovering over a keyboard, armed
with the digital tools of our trade. We wielded a sordid collection of programs, designed to map
networks and locate targets; then scan, exploit, and pivot through them. In some cases, one of
us (often Jim Chapple) would write custom tools to do wicked things like scan a Class A network
(something no other tool could do, at the time), but most often we would use or modify tools
written by the hacker community. In those pre-Google days, we frequented BugTraq, AstaLaVista,
Packet Storm, w00w00, SecurityFocus, X-Force, and other resources to conduct research and build
our arsenal.
Since we had limited time on each gig, we had to move quickly. That meant we couldn’t spend a
lot of time fiddling with tools. It meant we had to learn the core tools inside and out, and keep the
ancillary ones on tap, just in case. It meant we had to have our tools well-organized, documented,
and tested so there would be few surprises in the field. After all, if we didn’t get in, we lost face
with our clients and they would take our recommendations far less seriously.
Because of this, I spent a lot of time cataloging tools. When a tool was released or updated, I’d go
through a routine. I had to figure out if it would run on the attack platform (some didn’t), and
whether it was worthwhile (some weren’t); I had to update any scripts that relied on it, document
it, and test it, including carrying over any changes made to the previous version.
Then, I would shake out all the tools and put them in directories based on their purpose during an
assessment. I’d write wrapper scripts for certain tools, chain some tools together, and correlate
all that into a separate CD that we could take into sensitive areas, when customers wouldn’t let us
take in attack machines or remove media from their labs.
This process was painful, but it was necessary. We knew that we had the ability to break into any
network—if we applied our skills and expertise properly, stayed organized, and worked efficiently.
Although remaining undefeated was a motivator, it was about providing a service to clients who
needed us to break into networks, so they could plug gaps and move money toward critical-but-
neglected information security programs.
We spent years sharpening our skills and expertise but we wouldn’t have been successful without
organization and efficiency. We would have failed if we couldn’t put our hands on the proper tool
when needed.
That’s why I spent so much time researching, documenting, testing, and cataloging tools, and at
the turn of the 21st Century, it was quickly becoming an overwhelming, full-time job. Thanks to
the Internet, the worldwide attack surface exploded and the variety and number of attack tools
increased exponentially, as did the workload required to maintain them.
Starting in 2004, the Internet exploded not only as a foundation for business but also as a social
platform. Computers were affordable, more consumer-friendly and ubiquitous. Storage technol-
ogy expanded from megabytes to gigabytes. Ethernet jumped from hundreds of kilobits to tens
of megabits per second, and Internet connections were faster and cheaper than ever before. E-
commerce was on the rise, social media sites like Facebook (2004) and Twitter (2006) came online
and Google (1998) had matured to the point that anyone (including criminals) could find just about
anything online.
Research became critical for teams like ours because we had to keep up with new attacks and
toolsets. We responded to more computer crimes, and forensic work demanded that we tread
lightly as we mucked through potential evidence. The concept of a live CD meant that we could
perform live forensics on a compromised machine without compromising evidence.
Now our little team had to manage attack tools, forensic tools, and a sensitive area tool distribu-
tion; we had to keep up with all the latest attack and exploit methodologies; and we had to, you
know, actually do what we were paid for—penetration tests, which were in high demand. Things
were spinning out of control, and before long, we were spending less time in battle and much more
time researching, sharpening our tools, and planning.
We were not alone in this struggle. In 2004, Mati “Muts” Aharoni, a hacker and security profes-
sional released “WHoppiX” (White Hat Knoppix), a live Linux CD that he billed as “the ultimate
pen testing live CD,” It included “all the exploits from SecurityFocus, Packet Storm and k-otik,
Metasploit Framework 2.2, and much, much more.”
I remember downloading WHoppiX and thinking it was a great thing to have around. I downloaded
other live CDs, thinking that if I were ever in a real pinch, live CDs could save my bacon in the field.
But I wasn’t about to rely on WHoppiX or any other CD for real work. I didn’t trust any of them
to fulfill the majority of my needs; none of them felt right for my workflow; they were not full,
installable distributions; and the moment I downloaded them they were out of date. An aged
toolset is the kiss of death in our industry.
I simply added these CD images, despite their relatively massive size, to our arsenal and kept up
the painful process of maintaining our “real” toolkit.
But despite my personal opinions at the time, and perhaps despite Muts’ expectations, WHoppiX
and its descendants had a seismic impact on his life, our industry, and our community.
XII
Kali Linux Revealed
In 2005, WHoppiX evolved into WHAX, with an expanded and updated toolset, based on “the more
modular SLAX (Slackware) live CD.” Muts and a growing team of volunteers from the hacker com-
munity seemed to realize that no matter how insightful they were, they could never anticipate all
the growth and fluctuation of our industry and that users of their CD would have varied needs in
the field. It was obvious that Muts and his team were actually using WHAX in the field, and they
seemed dedicated to making it work. This was encouraging to me.
In 2006, Muts, Max Moser, and their teams consolidated Auditor Security Linux and WHAX into
a single distribution called BackTrack. Still based on SLAX, BackTrack continued to grow, adding
more tools, more frameworks, extended language support, extensive wireless support, a menu
structure catering to both novice and pro users, and a heavily modified kernel. BackTrack became
the leading security distribution, but many like me still used it as a backup for their ”real tools.”
By early 2009, Muts and his team had extended BackTrack significantly to BackTrack 4. Now a full-
time job for Muts, BackTrack was no longer a live CD but a full-blown Ubuntu-based distribution
leveraging the Ubuntu software repositories. The shift marked a serious evolution: BackTrack 4
had an update mechanism. In Muts’ own words: “When syncing with our BackTrack repositories,
you will regularly get security tool updates soon after they are released.”
This was a turning point. The BackTrack team had tuned into the struggles facing pen testers,
forensic analysts and others working in our industry. Their efforts would save us countless hours
and provide a firm foundation, allowing us to get back into the fight and spend more time doing
the important (and fun) stuff. As a result, the community responded by flocking to the forums
and wiki; and by pitching in on the dev team. BackTrack was truly a community effort, with Muts
still leading the charge.
BackTrack 4 had finally become an industrial-strength platform and I, and others like me, breathed
a sigh of relief. We knew firsthand the “pain and sufferance” Muts and his team were bearing,
because we had been there. As a result, many of us began using BackTrack as a primary foundation
for our work. Yes, we still fiddled with tools, wrote our own code, and developed our own exploits
and techniques; and we researched and experimented; but we did not spend all our time collecting,
updating, validating, and organizing tools.
BackTrack 4 R1 and R2 were further revisions in 2010, leading to the ground-up rebuild of Back-
Track 5 in 2011. Still based on Ubuntu, and picking up steam with every release, BackTrack was
now a massive project that required a heroic volunteer and community effort but also funding.
Muts launched Offensive Security (in 2006) not only to provide world-class training and penetra-
tion testing services but also to provide a vehicle to keep BackTrack development rolling, and
ensure that BackTrack remained open-source and free to use.
BackTrack continued to grow and improve through 2012 (with R1, R2, and R3), maintaining an
Ubuntu core and adding hundreds of new tools, including physical and hardware exploitation
tools, VMware support, countless wireless and hardware drivers, and a multitude of stability im-
provements and bug fixes. However, after the release of R3, BackTrack development went rela-
tively, and somewhat mysteriously, quiet.
XIII
Preface
There was some speculation in the industry. Some thought that BackTrack was getting “bought
out”, selling its soul to a faceless evil corporate overlord for a massive payout. Offensive Secu-
rity was growing into one of the most respected training companies and a thought leader in our
industry, and some speculated that its success had gobbled up and sidelined the key BackTrack
developers. However, nothing could be farther from the truth.
In 2013, Kali Linux 1.0 was released. From the release notes: “After a year of silent development,
Offensive Security is proud to announce the release and public availability of Kali Linux, the most
advanced, robust, and stable penetration-testing distribution to date. Kali is a more mature, se-
cure, and enterprise-ready version of BackTrack.”
Kali Linux was not a mere rebranding of BackTrack. Sporting more than 600 completely repack-
aged tools, it was clearly an amazing toolset, but there was still more to it than that. Kali had been
built, from the ground up, on a Debian core. To the uninformed, this might not seem like a big
deal. But the ripple effects were staggering. Thanks to a massive repackaging effort, Kali users
could download the source for every single tool; they could modify and rebuild a tool as needed,
with only a few keystrokes. Unlike other mainstream operating systems of the day, Kali Linux
synchronized with the Debian repositories four times a day, which meant Kali users could get
wickedly current package updates and security fixes. Kali developers threw themselves into the
fray, packaging and maintaining upstream versions of many tools so that users were constantly
kept on the bleeding edge. Thanks to its Debian roots, Kali’s users could bootstrap an installation
or ISO directly from the repositories, which opened the door for completely customized Kali in-
stallations or massive enterprise deployments, which could be further automated and customized
with preseed files. To complete the customization trifecta, Kali Users could modify the desktop
environment, alter menus, change icons, and even replace windowing environments. A massive
ARM development push opened the door for installation of Kali Linux on a wide range of hardware
platforms including access points, single-board computers (Raspberry Pi, ODROID, BeagleBone,
and CubieBoard, for example), and ARM-based Chromebook computers. And last but certainly
not least, Kali Linux sported seamless minor and major upgrades, which meant devotees would
never have to re-install customized Kali Linux setups.
The community took notice. In the first five days, 90,000 of us downloaded Kali 1.0.
This was just the beginning. In 2015, Kali 2.0 was released, followed by the 2016 rolling releases.
In summary, “If Kali 1.0 was focused on building a solid infrastructure, then Kali 2.0 is focused on
overhauling the user experience and maintaining updated packages and tool repositories.”
The current version of Kali Linux is a rolling distribution, which marks the end of discrete ver-
sions. Now, users are up to date continuously and receive updates and patches as they are created.
Core tools are updated more frequently thanks to an upstream version tagging system, ground-
breaking accessibility improvements for the visually impaired have been implemented, and the
Linux kernels are updated and patched to continue wireless 802.11 injection support. Software De-
fined Radio (SDR) and Near-Field Communication (NFC) tools add support for new fields of security
testing. Full Linux encrypted disk installation and emergency self-destruct options are available,
XIV
Kali Linux Revealed
thanks to LVM and LUKS respectively, USB persistence options have been added, allowing USB-
based Kali installs to maintain changes between reboots, whether the USB drive is encrypted or
not. Finally, the latest revisions of Kali opened the door for NetHunter, an open-source world-class
operating system running on mobile devices based on Kali Linux and Android.
Kali Linux has evolved not only into the information security professional’s platform of choice,
but truly into an industrial-grade, world-class, mature, secure, and enterprise-ready operating
system distribution.
Through the decade-long development process, Muts and his team, along with the tireless dedi-
cation of countless volunteers from the hacker community, have taken on the burden of stream-
lining and organizing our work environment, freeing us from much of the drudgery of our work
and providing a secure and reliable foundation, allowing us to concentrate on driving the industry
forward to the end goal of securing our digital world.
And interestingly, but not surprisingly, an amazing community has built up around Kali Linux.
Each and every month, three to four hundred thousand of us download a version of Kali. We come
together on the Kali forums, some forty-thousand strong, and three to four hundred of us at a time
can be found on the Kali IRC channel. We gather at conferences and attend Kali Dojos to learn how
to best leverage Kali from the developers themselves.
Kali Linux has changed the world of information security for the better, and Muts and his team
have saved each of us countless hours of toil and frustration, allowing us to spend more time and
energy driving the industry forward, together.
But despite its amazing acceptance, support, and popularity, Kali has never released an official
manual. Well, now that has changed. I’m thrilled to have come alongside the Kali development
team and specifically Mati Aharoni, Raphaël Hertzog, Devon Kearns, and Jim O’Gorman to offer
this, the first in perhaps a series of official publications focused on Kali Linux. In this book, we
will focus on the Kali Linux platform itself, and help you understand and maximize the usage of
Kali from the ground up. We won’t yet delve into the arsenal of tools contained in Kali Linux, but
whether you’re a veteran or an absolute n00b, this is the best place to start, if you’re ready to dig
in and get serious with Kali Linux. Regardless of how long you’ve been at the game, your decision
to read this book connects you to the growing Kali Linux community, one of the oldest, largest,
most active, and most vibrant in our industry.
On behalf of Muts and the rest of the amazing Kali team, congratulations on taking the first step
to mastering Kali Linux!
Johnny Long
February 2017
XV
Preface
Foreword
The sixteen high-end laptops ordered for your pentesting team just arrived, and you have been
tasked to set them up—for tomorrow’s offsite engagement. You install Kali and boot up one of the
laptops only to find that it is barely usable. Despite Kali’s cutting-edge kernel, the network cards
and mouse aren’t working, and the hefty NVIDIA graphics card and GPU are staring at you blankly,
because they lack properly installed drivers. You sigh.
In Kali Live mode, you quickly type
lspci
into a console, then squint. You scroll through the
hardware listing: “PCI bridge, USB controller, SATA controller. Aha! Ethernet and Network con-
trollers.” A quick Google search for their respective model numbers, cross referenced with the
Kali kernel version, reveals that these cutting-edge drivers haven’t reached the mainline kernel
yet.
But all is not lost. A plan is slowly formulating in your head, and you thank the heavens for the
|