Contact Form

Name

Email *

Message *

Kali Linux -Hacking Holy Grail? Not really!

Quora users have always flooded me with answer requests related to questions on Kali Linux. 

Recently, though, such requests have become unprecedentedly clueless, annoying  and insistent.

Looks like more and more people (mostly kiddos) got fascinated by a bunch of unrealistic TV shows displaying alleged hacking stuff and started thinking: "heck, this is cool! I wanna be a hacker and stack a big loot, too!"

They got no clue what the real hacker culture is, what real hackers are and how frustrating, nerve-racking, time-consuming, swear-driven, slow and boring real hacking is.

There's a bunch of lazy people around making stupid mistakes, sure. If you use a weak password, that's no biggie to one like myself, though I don't know if I'm a hacker.

Sometimes I do feel like I am, sometimes I don't.

You can relate to that only if you're into this line of work.

Hitting real-world targets is a totally different animal. Not so easy, kiddo!

Nothing like your Hollywood fake shows, for sure.

These guys have totally misunderstood what Kali Linux is, what it can be used for and what real hacking is about.

Someone told them, or they've read somewhere, Kali Linux is the hackers' tool and, if they learn how to use it, they'll become hackers

Well, it's time for this myth to be debunked.

What Kali Linux is NOT

.
  1. The Hacking Holy Grail.
  2. A bunch of GUI tools easy to run that work in any situation, functioning and looking like Windows
  3. A skeleton key to banking accounts and user credentials all over the world
  4. The ethical hacker's tool (I utterly hate that term!)
  5. A hacking video game

What Kali Linux is (for good)
  1. A Linux distribution, based on Debian
  2. A collection of hacking and forensics tools, mostly COMMAND-LINE based (it's Linux, dude; if you don't know Linux, forget about it!)
  3. A series of bundled exploits, constantly updated, but not guaranteed to work every time
  4. A collection of demo hacks, not guaranteed to work in the real world every time

Kali is a collection of bundled tools. Lots of tools.

The image below shows an overview of all of them, arranged in several categories.

Each tool has its own options and sub-tools, and you need to know most of them for you to use Kali successfully.

I won't break them down here, as it would take too long and they change very often.

You need to become familiar with each individual tool and to have a solid Linux knowledge already, before demoing them.



No operating system makes you a hacker, nor it can.

Knowledge, skills and attitude can make you a hacker.

In most cases, hacking is an inborn type of mindset.

Kali has nothing special, in itself.

You could get the same result by grabbing any Linux distribution and manually installing each individual tool.

Maybe you'd learn even much more that way, because you'd need to go through the pain of installing, configuring dependencies, knowing what that specific packet does, etc.

Moreover, though Linux knowledge is a must for hacking, it's not all that it takes.

If you need to hack Windows, you need to know Windows much better than anyone else, and the same goes for any application, or OS you need to hack.

So why was Kali created?

Let's face it; if you're a professional pentester, having all the tools you need in one place is very handy and saves you a lot of time.

Manually installing tools in Linux it's not always easy and quick, especially if you can't do it from command line (through sudo apt install, or the equivalent command for other distributions not based on Ubuntu or Debian).

Sometimes, in fact, there are no repositories available for a specific tool (you get the message: "package x has no release candidate", for example).

If you're not able to manually add a repository, you'll have to download the software from an external source (often, in a .tar.gz, or .a .tar.bz2 compressed format) and compile it from source code.

Sadly, though, this can be very complicated, due to dependencies.

Dependencies imply that, when you go compile the software, that software sometimes depends on another package -say x -, which is not installed.

This issue causes its installation to fail, and it's not always easy to solve.

In fact, after you downloaded package x and tried to install it, you might find out it depends on package y, equally not installed yet, and so on, like a sort of Chinese boxes game.

Though there are options allowing to force installation and ignore dependencies, this isn't always possible and they don't always work, leaving you with a problem hard to solve.

With Kali, all the software you need has been already installed, and often configured for you, ahead of time.

Wrap-up

Kali is a Linux system containing a bunch of pre-installed forensic and hacking tools, which make it very useful to hackers, pentesters and forensic experts, who should always keep it in their bag of tricks.

Advantages: 
  1. A bunch of tools already bundled, up and running. You don't need to waste your time downloading, installing and configuring a set of tools.
  2. It's stripped-down and fast: In fact, Kali looks as designed to be run in Live Mode.
  3. It has a great community support and is constantly updated.
Disadvantages:
  1. Tools included in Kali don't always work. Sometimes they work for specific configurations only, other times they don't work at all. Updates might sometimes break them.
  2. Kali isn't configured to be an everyday desktop operating system. Drivers can sometimes be a problem, but you don't and shouldn't expect to play video games on Kali. 
  3. When run in a virtual machine, it doesn't recognize your internal wireless adapter. This problem can easily be solved, though, by buying a cheap USB adapter on Amazon.
  4. Kali induces to rely too much on automated tools: Lots of tools, included in Kali, especially those having a GUI, are set-and-forget. This can induce a pentester to rely too much on automated tools, producing an auto-generated report without a real understanding of what's under the hood and potentially overlooking important stuff. What if automated tools don't work in your specific scenario? How do you go about it? There's a great difference between a (low level) pentester and a hacker. A pentester runs tools designed by others, a hacker creates its own tools. Though there are pentesters able to create scripts and applications, I want to stress here that a hacker is a creative, whereas a (low-level) pentester is like a monkey pushing buttons. Running automated tools, like vulnerability scanners, doesn't make you a hacker and not even a good pentester, because it says nothing about the specific scenario you were asked to investigate. A hacker is able to gather information on a specific scenario and to design an attack, or an exploit, tailor-made for it.

Correct approach

Yes, Kali is free of charge but knowledge is only apparently free.

It costs you your life, your darn time sitting on a computer trying to get answers.

Notice I said get answers, not ask for answers. I try to find the answers myself first.

No one hands you over the answers, nor it's fair for anyone to do so.

The search path you go through is much more important than the answer itself.

A hacker values the search for answers as yet more important than the answer itself.

That's the way Kali must be approached.

You guys should first study Linux, programming languages and then try to approach Kali.

You don't build a house starting from its roof.

Comments

Related Posts Plugin for WordPress, Blogger...