
Kali Linux — The Pentest Distribution: Its Tools and How to Use Them

Reading time: approx. 19 min (2026-05-10)

Kali Linux is the Debian-based, "attacker-optimised" Linux distribution maintained by Offensive Security (now OffSec). It ships with 600+ security tools pre-installed and pre-configured, and is the de facto standard for penetration testing, red team exercises, CTF, and the OSCP exam environment. This article starts with the basic question "why not just install nmap on Ubuntu?", then covers the problem Kali solves, the pentest workflow, how Kali differs from an ordinary Linux, deployment patterns, and the legal and ethical line.

01. Why do we need a separate distribution at all

"nmap, Metasploit, Burp are all apt-get-installable on Ubuntu" — so why bother with Kali? The question is legitimate. What Kali is actually solving is not "having the tools"; it's everything around them.

  • Coherent dependency stack — packaging that lets 600 tools coexist without conflict (Aircrack-ng / Metasploit / OpenVAS / Burp all running on the same Python / Ruby / Java)
  • Wireless drivers and kernel — wireless NIC drivers with monitor mode / packet injection support are pre-patched into the kernel. On plain Ubuntu, you'd have to build them separately
  • Tested version combinations — not the latest of each tool individually, but versions tested as a set (it's a rolling release, but there is a quality gate)
  • Live boot + persistence — fully functional booted from USB, with encrypted USB persistence to carry evidence and working state
  • Role-based metapackages such as kali-tools-web / kali-tools-wireless / kali-tools-forensics give you bundles by use case
  • Offline updates — you can keep a local mirror of the repository and update from it without internet access

In short, Kali is an operational package that ships "what you need on a security engagement, ready to run." Building your own with the tools you want on the distro you like is a perfectly valid alternative, and experienced pentesters often deliberately roll their own setup on Arch / Ubuntu / NixOS.

02. Lineage — Auditor → BackTrack → Kali

Kali didn't appear out of nowhere; it's the modern continuation of an "offensive Linux live CD" lineage stretching back to the early 2000s.

| Year | Name | Maintained by |
|---|---|---|
| 2003 | Auditor Security Collection | Max Moser |
| 2004 | WHAX (derived from Whoppix) | Mati Aharoni |
| 2006 | BackTrack 1 (Auditor + WHAX merged) | Offensive Security |
| 2012 | BackTrack 5 (final release) | Offensive Security |
| 2013 | Kali Linux 1.0 (full rebuild on Debian) | Offensive Security |
| 2019 | Kali Linux 2019.4 — major shift to non-root by default | Offensive Security |
| 2020+ | Kali Linux (rolling) | OffSec (after the rename) |

▸ The BackTrack → Kali transition (2013)

Not a rename — a full rebuild that moved from an Ubuntu/Slackware base to a Debian base and brought everything into FHS (Filesystem Hierarchy Standard) compliance. It is tightly coupled to OSCP (Offensive Security Certified Professional), the industry credential, whose exam environment is Kali-based.

03. The 6 pentest phases mapped to Kali tools

"Kali has 600 tools" doesn't tell you when to use which. The mental model that works is: split a pentest into 6 phases and assign representative tools to each phase.

① Recon — information gathering (passive + active)
nmap / masscan / theHarvester / recon-ng / amass / whois / dig / dnsrecon / Maltego / Wireshark / enum4linux
② Vuln Analysis — finding vulnerabilities
nikto / OpenVAS (GVM) / Nessus / Burp Suite / OWASP ZAP / searchsploit / wpscan / sslscan / testssl / smbmap
③ Exploitation — executing the intrusion
Metasploit / sqlmap / hydra / john / hashcat / aircrack-ng / SET / BeEF / msfvenom / exploit-db
④ Post-Exploit — privilege escalation, lateral movement
Meterpreter / mimikatz / BloodHound / CrackMapExec (NetExec) / Empire / Sliver / Responder / LinPEAS / WinPEAS / Chisel / ligolo / PowerSploit
⑤ Reporting — recording and reporting
Faraday / Dradis / PwnDoc / CherryTree / Joplin / Obsidian / Greenshot / terminator + asciinema
⑥ Cleanup — wrapping up
Leave no malware / C2 connection behind; run the post-test cleanup checklist. Save all command history and tcpdump output as evidence.
▸ Pre-requisites that apply across every phase
  • Scope agreement (RoE: Rules of Engagement) — which hosts, and which techniques, are in scope
  • Environment isolation — the path to the target, whether detection is to be bypassed, and confirmation of the impact on the business
  • Exit management — leave no malware or C2 behind
  • Logging — keep all command history and tcpdump output (for evidence / client disclosure)

In practice phases rarely run linearly; you bounce back and forth all the time. After post-exploit you Recon internal hosts you just found; an Exploit failure sends you back to Vuln Analysis for more digging. Kali is built to minimise the friction of those round trips.
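The Logging and Cleanup items above say to keep command history and tcpdump output as evidence; that evidence is only defensible if you can show it was not altered after the test. The following is an added example, not code from the article or from any Kali tool: it builds a SHA-256 manifest over an evidence directory in the format `sha256sum -c` reads and re-verifies it. Every file name and file content in it is a constructed sample.

```python
"""Added example (not from the original article): build and verify a SHA-256
manifest over an engagement's evidence directory (shell history, tcpdump
captures) so nobody can quietly alter it after the test. All file names and
contents below are constructed samples."""
import hashlib
import tempfile
from pathlib import Path

MANIFEST = "SHA256SUMS"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(evidence_dir: Path) -> Path:
    # One "<hash>  <relative path>" line per file, the format `sha256sum -c` reads.
    lines = [f"{sha256_of(p)}  {p.relative_to(evidence_dir).as_posix()}"
             for p in sorted(evidence_dir.rglob("*"))
             if p.is_file() and p.name != MANIFEST]
    out = evidence_dir / MANIFEST
    out.write_text("\n".join(lines) + "\n")
    return out


def verify_manifest(evidence_dir: Path) -> list:
    # Relative paths whose hash no longer matches (or that vanished); [] means intact.
    bad = []
    for line in (evidence_dir / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        p = evidence_dir / rel
        if not p.is_file() or sha256_of(p) != digest:
            bad.append(rel)
    return bad


def demo() -> tuple:
    # Constructed evidence: sign it, verify it, then edit the history file and verify again.
    d = Path(tempfile.mkdtemp(prefix="evidence-"))
    (d / "history").mkdir()
    (d / "history" / "bash_history.txt").write_text("nmap -sV lab-target\n")
    (d / "capture.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)  # pcap magic + padding
    write_manifest(d)
    intact = verify_manifest(d)
    (d / "history" / "bash_history.txt").write_text("nmap -sV lab-target\nls\n")
    tampered = verify_manifest(d)
    return intact, tampered
```

Hand the client the manifest together with the evidence directory; `sha256sum -c SHA256SUMS` run inside that directory gives them the same check without any Python.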

04. An overview of Kali's 13 tool categories

Kali's application menu is organised into 13 categories. From the perspective of "one tool a beginner should actually start with," the representatives are:

| # | Category | Representative tools |
|---|---|---|
| 01 | Information Gathering | nmap / masscan / theHarvester / recon-ng / amass / dnsrecon / Maltego / enum4linux / smbmap |
| 02 | Vulnerability Analysis | nikto / OpenVAS (GVM) / searchsploit / sqlmap / wpscan / sslscan / lynis |
| 03 | Web Application Analysis | Burp Suite / OWASP ZAP / sqlmap / dirb / gobuster / whatweb / wapiti / commix |
| 04 | Database Assessment | sqlmap / SQLNinja (MS-SQL) / jSQL / tnscmd10g (Oracle) |
| 05 | Password Attacks | john (offline) / hashcat (GPU) / hydra / medusa (online) / crunch (wordlists) |
| 06 | Wireless Attacks | aircrack-ng / airodump-ng / wifite / hcxdumptool (PMKID) / reaver / bully (WPS) |
| 07 | Reverse Engineering | Ghidra (NSA) / radare2 / iaito / apktool / dex2jar / edb-debugger / gdb-peda |
| 08 | Exploitation Tools | Metasploit Framework / SET (Social Engineering) / BeEF / msfvenom |
| 09 | Sniffing & Spoofing | Wireshark / tcpdump / ettercap / bettercap (the modern MitM) / Responder |
| 10 | Post Exploitation | mimikatz / BloodHound (AD graphing) / CrackMapExec (NetExec) / PowerSploit / Empire |
| 11 | Forensics | Autopsy / Sleuth Kit / Volatility / binwalk / foremost |
| 12 | Reporting | Faraday IPE / Dradis / CherryTree / PwnDoc |
| 13 | Social Engineering Tools | SET / Maltego / King Phisher |

▸ "Because everything is included, beginners drown"

At the start, narrow it to 5–10 tools: nmap (recon) / dirb or gobuster (web enumeration) / Burp Suite Community (web proxy) / Metasploit Framework (exploit) / john or hashcat (hash cracking) / Wireshark (packet analysis) / LinPEAS (Linux privesc). With this set you can clear 80 % of the easy-to-medium machines on HackTheBox and TryHackMe.

Bulk install via metapackages: kali-tools-web / kali-tools-wireless / kali-tools-forensics bring in everything you need per use case.

05. Ways Kali is unlike "an ordinary Linux"

There are several reasons you shouldn't make Kali your daily-driver OS. The design is tuned for attackers and doesn't suit desktop or server use.

| Aspect | Kali's design | Ordinary Linux |
|---|---|---|
| Default user | Non-root since 2020 (kali:kali); before that, the default-root setup drew a lot of criticism | Regular user + sudo |
| Security hardening | Deliberately minimal — firewall off, AppArmor off (so attack NICs can be used) | Hardened per distro |
| Networking | No services auto-started by default (postgresql, ssh are manual) — to keep its own presence hidden | sshd, cron, rpcbind etc. running |
| Pre-installed tools | 600+ — multi-GB base image | ~100 (server) / a few thousand (desktop-full) |
| Kernel | Patched kernel with wireless monitor mode + injection support | Mainline kernel |
| Update policy | Rolling release (no stable line) | LTS (Ubuntu / RHEL) or rolling (Arch) |
| Target | Ephemeral attack environments (USB / VM / container) | A persistent OS |

▸ Don't run Kali as a web server or production VM

The premise of how Kali is meant to be used is that you can reset to a clean state after a test (Live USB / VM snapshot / Docker / cloud snapshot). Exposed as a production OS, it gets owned easily because of the missing hardening.

06. Deployment patterns — pick the form that fits

Kali's strength is that it runs anywhere. Pick the form that matches the engagement, the budget, and the legal boundary.

| Form | Strengths | Weaknesses | Typical use case |
|---|---|---|---|
| Live USB (persistence) | No trace on the host OS / portable / encrypted USB to carry evidence | NIC driver detection risk / slow boot | On-site physical pentests |
| VM (VMware / VirtualBox / UTM) | Snapshot-and-restore in seconds / isolated from host / official OVAs available | Wireless NIC requires USB passthrough | Learning, CTF, home lab (the standard) |
| Bare metal | Full performance / hashcat at full GPU throttle | Bad for daily use | Dedicated pentest laptop |
| WSL2 (Windows) | Use tools inside Windows / lightweight | GUI limits / no monitor mode | Windows-primary user with partial Kali use |
| Docker (kalilinux/kali-rolling) | Instant spin-up / per-purpose isolation | Kernel features depend on host OS | When you just want to fire one specific tool |
| NetHunter (Android) | Kali on your phone / wireless monitoring / Bluetooth attacks | Limited to specific handsets (OnePlus / Pixel) | Mobile field tests / Wi-Fi audit |
| Cloud (AWS / Azure / GCP) | Public IP / fast links | Provider AUP usually requires prior notification | Large-scale scanning / distributed fuzzing |
| ARM (Raspberry Pi etc.) | Cheap, small, battery-powered / drop-box | Performance limits | A hidden foothold on a physical site |

Bringing up Kali instantly via Docker / WSL2

```sh
# One line in Docker
$ docker run -it --rm kalilinux/kali-rolling bash

# Docker plus a metapackage (a typical web toolset);
# the apt line is typed at the root prompt ("#") inside the container
$ docker run -it --rm kalilinux/kali-rolling bash
# apt update && apt install -y kali-tools-web

# WSL2 (Windows PowerShell)
PS> wsl --install -d kali-linux
```

07. Law and ethics — the line between legal and illegal

Kali is just a tool; what you point it at decides legal from illegal. In Japan the relevant law is the Unauthorized Computer Access Act, in the US the Computer Fraud and Abuse Act (CFAA), and in the EU the Cybercrime Convention — all of which criminalise attacking systems you do not have permission to attack.

Three settings in which Kali can be used legally:

  1. Systems you own or administer — your home lab, your VPS, VMs in your own cloud account
  2. Engagements with explicit written authorisation — Penetration Test contracts (with documented RoE), Bug Bounty (within HackerOne / Bugcrowd scope), or an internal audit done as part of your employment
  3. Practice platforms intentionally built to be attacked: HackTheBox / TryHackMe / VulnHub / PortSwigger Web Security Academy / OverTheWire
▸ "It's public" or "it's vulnerable" is not authorisation

Attacking anything other than an intentionally set-up CTF site (for example, seeing a vulnerability report in the news and trying the same technique against that company's servers) is almost certainly illegal. "I was just messing around" can turn into the most expensive mistake of your life.
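The RoE prerequisite from section 03 and the three legal settings above reduce to one mechanical check: never launch a tool at a target that is not in the written scope. The scope guard below is an added example, not code from the article or from any Kali tool; the RoE file format (one CIDR, IP or hostname per line, a leading `!` marking an explicit exclusion) and every address in it are constructed samples.

```python
"""Added example (not from the original article): a scope guard that checks every
candidate target against the Rules of Engagement before any tool is launched.
The RoE format (one CIDR, IP or hostname per line; a leading `!` marks an
explicit exclusion) and every address below are constructed samples."""
import ipaddress

ROE_TEXT = """\
# Constructed sample RoE: one in-scope range, one excluded host, one named host
10.10.0.0/16
!10.10.5.1
lab.example.test
"""


def parse_roe(text: str) -> dict:
    scope = {"nets": [], "excluded": set(), "hosts": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        if line.startswith("!"):
            scope["excluded"].add(ipaddress.ip_address(line[1:]))
            continue
        try:
            scope["nets"].append(ipaddress.ip_network(line, strict=False))
        except ValueError:                      # not an IP/CIDR: treat as a hostname
            scope["hosts"].add(line.lower())
    return scope


def in_scope(target: str, scope: dict) -> bool:
    # Hostnames must be listed verbatim; addresses must sit inside a listed
    # network and not be excluded. Anything unparseable is out of scope.
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return target.lower() in scope["hosts"]
    return addr not in scope["excluded"] and any(addr in n for n in scope["nets"])


def filter_targets(targets: list, roe_text: str = ROE_TEXT) -> tuple:
    # Split into (allowed, rejected); only `allowed` should ever be handed to nmap and co.
    scope = parse_roe(roe_text)
    allowed = [t for t in targets if in_scope(t, scope)]
    rejected = [t for t in targets if t not in allowed]
    return allowed, rejected
```

Wire `filter_targets` in front of the target list you feed to nmap or sqlmap and abort the run if `rejected` is non-empty, so a typo in a range never becomes an unauthorised scan.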

OSCP (Offensive Security Certified Professional) is a 24-hour, 5-machine practical exam done on Kali, and the most-recognised pentest certification in the industry. The PEN-200 lab — its practice environment — is also Kali-based. OffSec's next-tier certifications, OSWE (Web Expert), OSEP (Evasion Expert), OSED (Exploit Developer), and OSWP (Wireless), are built around the same toolchain.

08. Competitors and the defensive counterparts

Kali isn't the only "offensive Linux." There is a mosaic of options, divided by goals and philosophy.

| Offensive | Characteristics |
|---|---|
| Kali Linux | Debian + 600 tools / OffSec / industry standard |
| Parrot Security OS | Debian + many tools + anonymisation focus (AnonSurf built in) + lightweight |
| BlackArch Linux | Arch-based / 2,800+ tools (more than Kali) / for advanced users |
| Pentoo | Gentoo-based / hardcore audience |
| Commando VM | A pentest environment on Windows (Mandiant) — AD-oriented assessments |
| REMnux | Ubuntu-based / dedicated to malware analysis |

| Defensive | Characteristics |
|---|---|
| SIFT Workstation (SANS) | Ubuntu-based / digital forensics and incident response |
| Security Onion | Ubuntu-based / NSM + IDS (Suricata / Zeek / Wazuh) |
| CAINE | Ubuntu-based / forensics / LiveCD |

▸ The fastest route is to live on both sides

Learn attack with Kali, the network-side view of those same attacks with Security Onion, dissect malware with REMnux, learn the cleanup of an incident with SIFT. To actually get strong at real-world security, you have to experience both sides.

09. Summary — "all-included" doesn't mean "use everything"

Kali Linux arrived in 2013 as the operational package "a Debian derivative that ships everything a pentest needs in a ready-to-run form," and OSCP-coupling plus OffSec's maintenance cemented it as the industry standard. What matters is not the fact that 600 tools are included, but the design philosophy underneath: "the tools you need across the 6 phases of security work coexist and work," "you can deploy it across wireless, live boot, mobile, container, and cloud," "you can run it as a resettable ephemeral environment."

What a beginner should first do is put Kali in a VM and solve 10 easy HackTheBox / TryHackMe machines. In doing that you will naturally pick up the 7-tool flow of nmap → gobuster → Burp → Metasploit → linpeas → john / hashcat. All-included does not mean use-everything — using 5–10 tools that fit your workflow deeply is far stronger than knowing 600 tools superficially.
