Kali Linux is the Debian-based, "attacker-optimised" Linux distribution maintained by Offensive Security (now OffSec). It ships with 600+ security tools pre-installed and pre-configured, and is the de facto standard for penetration testing, red team exercises, CTF, and the OSCP exam environment. This article starts with the basic question "why not just install nmap on Ubuntu?", then covers the problem Kali solves, the pentest workflow, how Kali differs from an ordinary Linux, deployment patterns, and the legal and ethical line.
Why do we need a separate distribution at all #
"nmap, Metasploit, Burp are all apt-get-installable on Ubuntu" — so why bother with Kali? The question is legitimate. What Kali is actually solving is not "having the tools"; it's everything around them.
- Coherent dependency stack — packaging that lets 600 tools coexist without conflict (Aircrack-ng / Metasploit / OpenVAS / Burp all running on the same Python / Ruby / Java)
- Wireless drivers and kernel — wireless NIC drivers with monitor mode / packet injection support are pre-patched into the kernel. On plain Ubuntu, you'd have to build them separately
- Tested version combinations — not the latest of each tool individually, but versions tested as a set (it's a rolling release, but there is a quality gate)
- Live boot + persistence — fully functional booted from USB, with encrypted USB persistence to carry evidence and working state
- Role-based metapackages — kali-tools-web / kali-tools-wireless / kali-tools-forensics give you bundles by use case
- Offline updates — even offline you can keep a local mirror of the repository
In short, Kali is an operational package that ships "what you need on a security engagement, ready to run." Building your own with the tools you want on the distro you like is a perfectly valid alternative, and experienced pentesters often deliberately roll their own setup on Arch / Ubuntu / NixOS.
Lineage — Auditor → BackTrack → Kali #
Kali didn't appear out of nowhere; it's the modern continuation of an "offensive Linux live CD" lineage stretching back to the early 2000s.
| Year | Name | Maintained by |
|---|---|---|
| 2003 | Auditor Security Collection | Max Moser |
| 2004 | WHAX (derived from Whoppix) | Mati Aharoni |
| 2006 | BackTrack 1 (Auditor + WHAX merged) | Offensive Security |
| 2012 | BackTrack 5 (final release) | Offensive Security |
| 2013 | Kali Linux 1.0 (full rebuild on Debian) | Offensive Security |
| 2019 | Kali Linux 2019.4 — major shift to non-root by default | Offensive Security |
| 2020+ | Kali Linux (rolling) | OffSec (after the rename) |
The 2013 move from BackTrack to Kali was not a rename but a full rebuild: it moved from an Ubuntu/Slackware base to a Debian base and brought everything into FHS (Filesystem Hierarchy Standard) compliance. Kali is tightly coupled to OSCP (Offensive Security Certified Professional), the industry credential, whose exam environment is Kali-based.
The 6 pentest phases mapped to Kali tools #
"Kali has 600 tools" doesn't tell you when to use which. The mental model that works is: split a pentest into 6 phases and assign representative tools to each phase.
- Scope agreement (RoE: Rules of Engagement) — which hosts, and which techniques, are in scope
- Isolated environment — the path to the target, no bypassing of detection, and confirmation of the impact on the business
- Exit management — leave no malware or C2 behind
- Logging — keep all command history and tcpdump output (for evidence / client disclosure)
In practice the phases rarely run linearly; you bounce back and forth all the time. After post-exploitation you go back to recon on the internal hosts you just found; a failed exploit sends you back to vulnerability analysis for more digging. Kali is built to minimise the friction of those round trips.
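The "Logging" item above is easy to state and easy to forget under time pressure. As an added example (not from the original article), the helpers below wrap the three pieces a tester needs for client disclosure: a full shell transcript via `script`, rotating pcaps via `tcpdump`, and a SHA-256 manifest that lets the client verify the evidence set was not altered afterwards. The per-engagement directory layout and the hourly pcap rotation are assumptions.

```shell
#!/usr/bin/env bash
# Added example: evidence hygiene for a pentest engagement.
# Assumption: one directory per engagement holding transcripts and pcaps.

# engagement_shell DIR: replace this shell with one whose every command and
# output is recorded by `script` (util-linux, present on Kali); history
# entries get timestamps so they can be lined up with the client's SIEM.
engagement_shell() {
  mkdir -p "$1"
  export HISTTIMEFORMAT='%F %T '
  exec script -q -f "$1/shell-$(date -u +%Y%m%dT%H%M%SZ).log"
}

# capture_traffic DIR IFACE: write a new pcap every hour (assumed rotation);
# needs root and a real interface, so it is not exercised by the test below.
capture_traffic() {
  mkdir -p "$1"
  tcpdump -i "$2" -nn -G 3600 -w "$1/capture-%Y%m%dT%H%M%S.pcap"
}

# seal_evidence DIR: write a sorted SHA-256 manifest of every file in DIR and
# print the manifest's own hash, which goes into the report for the client.
seal_evidence() {
  ( cd "$1" && find . -type f ! -name MANIFEST.sha256 -print0 \
      | LC_ALL=C sort -z | xargs -0 -r sha256sum ) > "$1/MANIFEST.sha256"
  sha256sum "$1/MANIFEST.sha256" | cut -d' ' -f1
}

# verify_evidence DIR: succeed only if every listed file still matches.
verify_evidence() {
  ( cd "$1" && sha256sum --quiet -c MANIFEST.sha256 ) > /dev/null 2>&1
}
```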
An overview of Kali's 13 tool categories #
Kali's application menu is organised into 13 categories. From the perspective of "one tool a beginner should actually start with," the representatives are:
| # | Category | Representative tools |
|---|---|---|
| 01 | Information Gathering | nmap / masscan / theHarvester / recon-ng / amass / dnsrecon / Maltego / enum4linux / smbmap |
| 02 | Vulnerability Analysis | nikto / OpenVAS (GVM) / searchsploit / sqlmap / wpscan / sslscan / lynis |
| 03 | Web Application Analysis | Burp Suite / OWASP ZAP / sqlmap / dirb / gobuster / whatweb / wapiti / commix |
| 04 | Database Assessment | sqlmap / SQLNinja (MS-SQL) / jSQL / tnscmd10g (Oracle) |
| 05 | Password Attacks | john (offline) / hashcat (GPU) / hydra / medusa (online) / crunch (wordlists) |
| 06 | Wireless Attacks | aircrack-ng / airodump-ng / wifite / hcxdumptool (PMKID) / reaver / bully (WPS) |
| 07 | Reverse Engineering | Ghidra (NSA) / radare2 / iaito / apktool / dex2jar / edb-debugger / gdb-peda |
| 08 | Exploitation Tools | Metasploit Framework / SET (Social Engineering) / BeEF / msfvenom |
| 09 | Sniffing & Spoofing | Wireshark / tcpdump / ettercap / bettercap (the modern MitM) / Responder |
| 10 | Post Exploitation | mimikatz / BloodHound (AD graphing) / CrackMapExec (NetExec) / PowerSploit / Empire |
| 11 | Forensics | Autopsy / Sleuth Kit / Volatility / binwalk / foremost |
| 12 | Reporting | Faraday IPE / Dradis / CherryTree / PwnDoc |
| 13 | Social Engineering Tools | SET / Maltego / King Phisher |
At the start, narrow it to 5–10 tools — nmap (recon) / dirb, gobuster (web enumeration) / Burp Suite Community (web proxy) / Metasploit Framework (exploit) / john, hashcat (hash cracking) / Wireshark (packet analysis) / LinPEAS (Linux privesc). With this set you can clear 80% of the easy-to-medium machines on HackTheBox and TryHackMe.
Bulk install via metapackages: kali-tools-web / kali-tools-wireless / kali-tools-forensics bring in everything you need per use case.
Ways Kali is unlike "an ordinary Linux" #
There are several reasons you shouldn't make Kali your daily-driver OS. The design is tuned for attackers and doesn't suit desktop or server use.
| Aspect | Kali's design | Ordinary Linux |
|---|---|---|
| Default user | Non-root since 2020 (kali:kali). Before that, default-root drew a lot of criticism | Regular user + sudo |
| Security hardening | Deliberately minimal — firewall off, AppArmor off (so attack NICs can be used) | Hardened per distro |
| Networking | No services auto-started by default (postgresql, ssh are manual) — to keep its own presence hidden | sshd, cron, rpcbind etc. running |
| Pre-installed tools | 600+ — multi-GB base image | ~100 (server) / a few thousand (desktop-full) |
| Kernel | Patched kernel with wireless monitor mode + injection support | Mainline kernel |
| Update policy | Rolling release (no stable line) | LTS (Ubuntu / RHEL) or rolling (Arch) |
| Target | Ephemeral attack environments (USB / VM / container) | A persistent OS |
The premise of how Kali is meant to be used is that you can reset to a clean state after a test (Live USB / VM snapshot / Docker / cloud snapshot). Exposed as a production OS, it gets owned easily because of the missing hardening.
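Because Kali ships with no firewall and nothing auto-started, "is anything listening?" is the one check worth running before a box leaves the lab, and it should work even in a minimal kali-rolling container that has no `ss` or `netstat`. The added example below (not from the original article) reads `/proc/net/tcp` directly and decodes the kernel's hex address format; the snapshot it is tested against is constructed, and its uid and inode values are made up.

```shell
#!/usr/bin/env sh
# Added example: list LISTEN sockets from /proc/net/tcp with POSIX awk only.

# Constructed /proc/net/tcp snapshot: postgresql on 127.0.0.1:5432, sshd on
# 0.0.0.0:22, and one ESTABLISHED client connection. uid/inode are made up.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   117        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:1538 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1'

# listening_tcp: read /proc/net/tcp text on stdin, print "ip:port uid=N" for
# every row whose state column ($4) is 0A, the kernel's TCP_LISTEN value.
listening_tcp() {
  awk '
    # hex(s): hex string to integer without gawk-only strtonum()
    function hex(s,   i, v) {
      v = 0
      for (i = 1; i <= length(s); i++)
        v = v * 16 + index("0123456789ABCDEF", toupper(substr(s, i, 1))) - 1
      return v
    }
    # ipv4(h): the kernel writes the address in host byte order, so on
    # little-endian machines the four octets appear reversed (0100007F = 127.0.0.1)
    function ipv4(h) {
      return hex(substr(h, 7, 2)) "." hex(substr(h, 5, 2)) "." \
             hex(substr(h, 3, 2)) "." hex(substr(h, 1, 2))
    }
    NR > 1 && $4 == "0A" {
      split($2, a, ":")              # a[1] = address hex, a[2] = port hex
      printf "%s:%d uid=%s\n", ipv4(a[1]), hex(a[2]), $8
    }'
}

# check_sample: run the parser over the constructed snapshot above
check_sample() { printf '%s\n' "$SAMPLE_PROC_NET_TCP" | listening_tcp; }

# check_live: the same check against the running kernel (Linux only)
check_live() { listening_tcp < /proc/net/tcp; }
```

A 0.0.0.0 or :: local address is the line to worry about: it means the daemon is reachable from whatever network the VM is attached to, not just from localhost.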
Deployment patterns — pick the form that fits #
Kali's strength is that it runs anywhere. Pick the form that matches the engagement, the budget, and the legal boundary.
| Form | Strengths | Weaknesses | Typical use case |
|---|---|---|---|
| Live USB (Persistence) | No trace on the host OS / portable / encrypted USB to carry evidence | NIC-driver-detection risk / slow boot | On-site physical pentests |
| VM (VMware / VirtualBox / UTM) | Snapshot-and-restore in seconds / isolated from host / official OVAs available | Wireless NIC requires USB passthrough | Learning, CTF, home lab (the standard) |
| Bare metal | Full performance / hashcat at full GPU throttle | Bad for daily use | Dedicated pentest laptop |
| WSL2 (Windows) | Use tools inside Windows / lightweight | GUI limits / no monitor mode | Windows-primary user with partial Kali use |
| Docker / kalilinux/kali-rolling | Instant spin-up / per-purpose isolation | Kernel features depend on host OS | When you just want to fire one specific tool |
| NetHunter (Android) | Kali on your phone / wireless monitoring / Bluetooth attacks | Limited to specific handsets (OnePlus / Pixel) | Mobile field tests / Wi-Fi audit |
| Cloud (AWS / Azure / GCP) | Public IP / fast links | Provider AUP usually requires prior notification | Large-scale scanning / distributed fuzzing |
| ARM (Raspberry Pi etc.) | Cheap, small, battery-powered / drop-box | Performance limits | A hidden foothold on a physical site |
```bash
# One line in Docker
$ docker run -it --rm kalilinux/kali-rolling bash

# Docker plus a metapackage (a typical web toolset)
$ docker run -it --rm kalilinux/kali-rolling bash
# then, at the root prompt inside the container:
# apt update && apt install -y kali-tools-web

# WSL2 (Windows PowerShell)
PS> wsl --install -d kali-linux
```
Law and ethics — the line between legal and illegal #
Kali is just a tool; what you point it at decides legal from illegal. In Japan the relevant law is the Unauthorized Computer Access Act, in the US the Computer Fraud and Abuse Act (CFAA), and in the EU the Cybercrime Convention — all of which criminalise attacking systems you do not have permission to attack.
Three settings in which Kali can be used legally:
- Systems you own or administer — your home lab, your VPS, VMs in your own cloud account
- Engagements with explicit written authorisation — Penetration Test contracts (with documented RoE), Bug Bounty (within HackerOne / Bugcrowd scope), or an internal audit done as part of your employment
- Practice platforms intentionally built to be attacked — HackTheBox / TryHackMe / VulnHub / PortSwigger Web Security Academy / OverTheWire
Attacking anything other than an intentionally set-up CTF site (for example, seeing a vulnerability report in the news and trying the same technique against that company's servers) is almost certainly illegal. "I was just messing around" can turn into the most expensive mistake of your life.
OSCP (Offensive Security Certified Professional) is a 24-hour, 5-machine practical exam done on Kali, and the most-recognised pentest certification in the industry. The PEN-200 lab — its practice environment — is also Kali-based. OffSec's next-tier certifications, OSWE (Web Expert), OSEP (Evasion Expert), OSED (Exploit Developer), and OSWP (Wireless), are built around the same toolchain.
Competitors and the defensive counterparts #
Kali isn't the only "offensive Linux." There is a mosaic of options, divided by goals and philosophy.
| Offensive | Characteristics |
|---|---|
| Kali Linux | Debian + 600 tools / OffSec / industry standard |
| Parrot Security OS | Debian + many tools + anonymisation focus (AnonSurf built in) + lightweight |
| BlackArch Linux | Arch-based / 2,800+ tools (more than Kali) / for advanced users |
| Pentoo | Gentoo-based / hardcore audience |
| Commando VM | A pentest environment on Windows (Mandiant) — AD-oriented assessments |
| REMnux | Ubuntu-based / dedicated to malware analysis |
| Defensive | Characteristics |
|---|---|
| SIFT Workstation (SANS) | Ubuntu-based / digital forensics and incident response |
| Security Onion | Ubuntu-based / NSM + IDS (Suricata / Zeek / Wazuh) |
| CAINE | Ubuntu-based / forensics / LiveCD |
Learn attacks with Kali, see the network-side view of those same attacks with Security Onion, dissect malware with REMnux, and learn the cleanup of an incident with SIFT. To actually get strong at real-world security, you have to experience both sides.
Summary — "all-included" doesn't mean "use everything" #
Kali Linux arrived in 2013 as the operational package "a Debian derivative that ships everything a pentest needs in a ready-to-run form," and OSCP-coupling plus OffSec's maintenance cemented it as the industry standard. What matters is not the fact that 600 tools are included, but the design philosophy underneath: "the tools you need across the 6 phases of security work coexist and work," "you can deploy it across wireless, live boot, mobile, container, and cloud," "you can run it as a resettable ephemeral environment."
What a beginner should first do is put Kali in a VM and solve 10 easy HackTheBox / TryHackMe machines. In doing that you will naturally pick up the 7-tool flow of nmap → gobuster → Burp → Metasploit → linpeas → john / hashcat. All-included does not mean use-everything — using 5–10 tools that fit your workflow deeply is far stronger than knowing 600 tools superficially.