Home Data Center Series: My Blog Security Assessment (Part 1): Test Tool Preparation, Kali Linux Installation and Initialization

1 Introduction

This article is the fulfillment of a goal I set for myself many years ago. The reason was that when I was testing the company's anti-DDoS product, I needed to write a user manual for a common traffic simulation tool (used to simulate various network attack traffic), so I thought: I might as well write one. As a result, I procrastinated and never wrote it in the end (I didn't have the initiative to write blog posts like I do now; I would procrastinate as much as possible and not write if I could avoid it~).

In addition, on the current Simplified Chinese Internet, such articles are hard to find. Even if you can still find some, the download methods, installation methods and even usage steps of many tools have changed, which makes it difficult for those who want to understand and learn to obtain complete information, and easy for them to be misled by outdated information. So I simply compiled an article to systematically record the installation, configuration and basic usage of these tools, hoping to help those in need and fill this gap. At the same time, it can also be regarded as keeping a promise to my past self.


Note: That sounds good, but actually, after upgrading to Cloudflare Pro, I wanted to see how effective the WAF's managed rules and its defense against "definitely automated" traffic are. I just wanted to do a simple security test, so I needed a machine with test tools. I had to install and configure one anyway, so I recorded the process and turned it into an article.


However, just as I was about to use Debian, the system I am most familiar with, for the deployment, I accidentally discovered Kali Linux, a security testing distribution that has many network attack simulation tools built in. Compared with manually installing various tools on Debian, Kali directly provides an out-of-the-box environment, saving a lot of installation, dependency management and configuration trouble.

So, what exactly is Kali Linux and what makes it unique?

2 Introduction to Kali Linux

Kali Linux is a Linux distribution designed specifically for penetration testing, network security research, and computer forensics. Its predecessor was BackTrack Linux.

The Origin of Kali Linux

2006: BackTrack Linux is born, developed by Offensive Security (the company behind the OSCP certification), with a focus on network security and penetration testing.

2013: BackTrack is no longer maintained. Kali Linux is officially released as the successor to BackTrack.

2020: Kali Linux releases a non-root default user mode to enhance security, and provides multiple desktop environments (GNOME, XFCE, KDE).

Why does Kali Linux have so many penetration tools built in?

  1. Designed for penetration testing

• Kali Linux is maintained by Offensive Security (the OSCP certification body); their goal is to provide security researchers, red teams and hackers with a security testing environment that works out of the box.

  2. Built-in 600+ network security tools

• Kali integrates a lot of well-known security tools by default, including:

Information Collection: Nmap, Maltego, theHarvester

Vulnerability Scanning: Nikto, SQLmap, OpenVAS

Password Cracking: John the Ripper, Hashcat, Hydra

Wireless Penetration: Aircrack-ng, Kismet, Wifite

Web Penetration: Burp Suite, ZAP, OWASP tools

Social Engineering: Social-Engineer Toolkit (SET)

Post-Exploitation: Metasploit, Empire, PowerShell attack tools

Anonymity Tools: Tor, ProxyChains, I2P

Most of these tools are open source and can be installed independently, but Kali integrates them directly, eliminating the trouble of configuring them separately.

  3. Customized kernel, suitable for security testing

• Kali uses a custom Linux kernel that allows enabling wireless network card monitor mode, packet injection and other advanced functions to facilitate wireless security testing.

  4. Suitable for offline/portable testing

• Kali can run from a Live USB, in virtual machines, in WSL, and on ARM devices (Raspberry Pi), so security testing can be done anytime, anywhere.

Kali NetHunter is a version of Kali for Android devices that supports wireless testing on mobile phones.

I took a rough look and found that in addition to the commonly used penetration tools, some of the tools I wanted to install were already pre-installed in Kali, such as hping3 and slowloris. Plus, I haven't played with Kali Linux yet, so I decided to change the taste this time and not use Debian, but try Kali.

3 Install Kali Linux

3.1 Selection of installation method

Kali Linux supports multiple installation methods:

image.png

Among them, the more commonly used ones should be the ones marked in red boxes in the figure above: Installer Images, Virtual Machines, Containers (divided into docker and lxc/lxd). The following is a comparison of these methods:

| Method | Install Images (ISO installation) | Virtual Machines (pre-installed VM images) | Docker (containers) | LXC/LXD (lightweight containers) |
|---|---|---|---|---|
| Core difference | Traditional complete installation | Pre-installed Kali, suited to a virtual machine environment | Lightweight application container running a single tool or a subset of tools | Lightweight system container, complete Kali experience |
| Applicable scenarios | Physical machine or VM that needs full Kali | Running in VM software (such as VirtualBox, VMware, PVE) | Only specific Kali tools are needed, for automated tasks | Full Kali is needed without using a VM |
| System completeness | Complete | Complete | Only some tools | Almost complete, but may have compatibility issues |
| Performance cost | Best performance on physical machines | Limited by VM resource allocation | Lightweight | Lightweight and more efficient than a VM |
| GUI | Supported by default | Pre-installed GUI | No GUI by default | GUI optional (not by default) |
| Suitable for penetration testing | Best suited | Suitable | Only suitable for CLI tools | Suitable, but may require additional configuration |
| Suitable for Proxmox VE | Works, but not efficient enough | Suitable | Requires additional configuration | Works, but no official PVE template |
| Installation | Install via ISO | Directly download the VM disk image (OVA/VMDK) | docker pull, then run the container | lxc-create or lxc launch |
| Suitable for long-term use | Suitable | Suitable | Mainly used for temporary testing | Suitable, but managed differently from traditional PVE LXC |
| Portability | Inconvenient to migrate (manual cloning or reinstallation required) | Easy to migrate | High, can be moved at any time | High, can be moved at any time |

Originally, according to my idea, when deploying Kali on PVE, if LXC method is available, LXC method will definitely be preferred. After all, LXC has the advantages of lighter resource usage, faster startup speed, and sharing the kernel with the host. However, Kali's LXC/LXD method is quite different from the common LXC template installation method on PVE. It is actually manually installed based on the Debian system (this installation method is also suitable for other Linux distributions), rather than providing ready-made PVE compatible templates that can be used directly. This means that running Kali on PVE with LXC requires manual configuration, which is not as convenient as the common LXC template method, so it feels a bit tasteless to me.

In contrast, the Virtual Machines (pre-installed VM images) method is simpler and more efficient. The official OVA/VMDK images can be directly imported into PVE without manual installation and configuration, eliminating the tedious steps of ISO installation (the initialization work has already been done officially). At the same time, it is closer to the complete Kali experience than the LXC method, supports a GUI, and does not cause some tools to fail to run properly because of the container environment. Therefore, I finally chose the Virtual Machines (pre-installed VM images) method to deploy Kali, taking into account ease of installation, system completeness, and long-term stability.

Note: If you want to run Kali on PVE but are not familiar with the Virtual Machines method (directly importing a virtual machine image), you can also choose Install Images. The specific method is: create a new virtual machine on PVE, download the Install Images ISO image and mount it as a CD-ROM drive, then boot from the CD and follow the prompts to install Kali step by step. This method is relatively simple and suitable for users who don't want to bother. However, compared with the Virtual Machines method, it has many more steps (after all, it is equivalent to installing the system from scratch). Therefore, if you use PVE to install Kali and want to save performance overhead, it is recommended to give priority to the Virtual Machines method.

3.2 Deploy Kali using Virtual Machines on PVE

Note: Because this method uses the qm disk import command to import the qcow2 image file into a specified virtual machine, you need to create the virtual machine first to obtain its VM ID.

Step 1: Create a virtual machine on PVE

Follow the picture tutorial below to create a virtual machine on pve:

[Screenshots: virtual machine creation steps in the PVE web interface]

Step 2: Download the image and import it into the virtual machine

image.png

The downloaded file is a compressed file with a ".7z" extension. After decompression, it is a virtual machine image file in qcow2 format (assuming the image file name is kali.qcow2). Upload the "kali.qcow2" image file to any path on PVE (for example /var/lib/vz/images/) using any method (sftp, ftp, smb), then use the qm disk import command to import it into the newly created virtual machine (in this case, the VM ID is 112 and the target storage is "local-lvm"):

qm disk import 112 /var/lib/vz/images/kali.qcow2 local-lvm

After the command is completed, the image file will be attached to VM 112 as an "unused disk":

[Screenshots: the imported image attached to VM 112 as an unused disk, and the subsequent steps in the PVE web interface]

Finally, you can start the virtual machine from the console:
image.png
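A command-line version of this step, as an added example that is not part of the original post: it checks the downloaded archive against the SHA-256 published on the download page, then attaches the disk that qm disk import leaves as "unused". The function names, the scsi0 bus and the sample qm config output are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Run on the PVE host.
# Assumptions: the disk is attached on the scsi0 bus; function names are
# illustrative.

# Succeed only if FILE's SHA-256 equals EXPECTED (hex, any case).
verify_sha256() (
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
)

# Read `qm config <vmid>` output on stdin and print the volume behind the
# first "unusedN:" entry, which is where `qm disk import` leaves the disk.
unused_volume() {
    awk -F': ' '/^unused[0-9]+: / { print $2; exit }'
}

# Attach the imported disk to the VM and make it the boot device.
attach_imported_disk() (
    vmid=$1
    vol=$(qm config "$vmid" | unused_volume)
    if [ -z "$vol" ]; then
        echo "VM $vmid has no unused disk to attach" >&2
        exit 1
    fi
    qm set "$vmid" --scsi0 "$vol" && qm set "$vmid" --boot order=scsi0
)

# Constructed sample of `qm config 112` output right after the import.
sample_qm_config() {
    cat <<'EOF'
boot: order=ide2;net0
cores: 2
memory: 4096
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0
unused0: local-lvm:vm-112-disk-0
EOF
}

# Order of operations with the values used in this article; the archive name
# and the checksum are placeholders for the file you downloaded:
#   verify_sha256 <archive>.7z <sha256-from-download-page> && 7z x <archive>.7z
#   qm disk import 112 /var/lib/vz/images/kali.qcow2 local-lvm
#   attach_imported_disk 112
```

Verifying the archive before extraction matters here because the image is a complete pre-built system that will run with full privileges inside the VM.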

4 Initialize Kali

4.1 Log in to Kali via PVE console

When starting for the first time, you need to log in to the kali system from the PVE console (the default username and password when logging in to the system are both "kali"):

image.png

Enter the system:
image.png

Note: The password for obtaining permissions for the sudo command is also "kali".

4.2 Configure SSH remote login

This is really just configuring SSH remote login on a Debian system. The openssh-server package is already installed by default, so you only need to change the relevant configuration files. Taking the kali account as an example, the following settings allow it to log in to the system remotely over SSH with a username and password:

  • Allow the kali account to log in to SSH using its username and password

By default, Kali's SSH only allows login using a public key. If you want to log in using a username and password, follow the steps below.

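Edit the sshd_config file (the SSH server configuration; /etc/ssh/ssh_config is the client configuration and does not control incoming logins):

sudo vim /etc/ssh/sshd_config

Remove the # to the left of PasswordAuthentication and save: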

image.png

Then restart the ssh service, and then log in through SSH using the kali account and password:

sudo systemctl restart ssh

To have the SSH service start automatically at boot:

sudo systemctl enable ssh

Note: Remember to use the sudo passwd kali command to change the default password of the kali account (sudo passwd without a user name changes the root password instead).

  • Allow root account to log in to SSH (not recommended from a security perspective)

Kali and other Debian systems have the same default settings. The root account is normally prohibited from logging in to SSH. If you want to allow the root account to log in through SSH, you can follow the steps below.

Edit the sshd_config file:

sudo vim /etc/ssh/sshd_config

Remove the # to the left of PermitRootLogin, change prohibit-password to yes, then save:

image.png

Then restart the ssh service, and then you can log in through SSH using the root account and password:

sudo systemctl restart ssh

Note: Remember to use the sudo passwd root command to change the default password of the root account.
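A way to check what the two edits in section 4.2 leave behind, as an added example that is not part of the original post: it reads an sshd_config the way sshd reads global options (first occurrence wins, comment lines ignored) and classifies the combination of PasswordAuthentication and PermitRootLogin. The function names and the three sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.

# Print the value FILE gives KEY, or "unset" if the file leaves it to sshd's
# built-in default. Modelled sshd rules: keywords are case-insensitive, lines
# starting with "#" are comments, the first occurrence wins, and global
# options end at the first Match block. Include files and the "key=value"
# spelling are not followed (assumption: one plain file).
sshd_option() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/              { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Classify the two settings this article changes.
audit_sshd() (
    pw=$(sshd_option "$1" PasswordAuthentication)
    root=$(sshd_option "$1" PermitRootLogin)
    if [ "$root" = "yes" ] && [ "$pw" != "no" ]; then
        echo "HIGH: root may log in with a password (PasswordAuthentication=$pw)"
    elif [ "$pw" = "yes" ]; then
        echo "MEDIUM: password login enabled; change the default kali password"
    elif [ "$pw" = "no" ]; then
        echo "OK: password login disabled, keys only (PermitRootLogin=$root)"
    else
        echo "CHECK: PasswordAuthentication not set here; confirm with sshd -T"
    fi
)

# Constructed sample files: untouched, after both edits in 4.2, and hardened.
write_samples() {
    cat > "$1/stock" <<'EOF'
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
EOF
    cat > "$1/article" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
# A later duplicate does not override the line above.
PasswordAuthentication no
EOF
    cat > "$1/hardened" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Audit a real file when one is given: sh audit.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then audit_sshd "$1"; fi
```

On a running system, sudo sshd -T prints the configuration sshd actually applies, including Include files and built-in defaults, and is the authoritative check.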

4.3 Log in to Kali's remote desktop via a VNC client

4.3.1 Nagging

Because I only need SSH, and Kali needs to support remote desktop access, whether it is VNC or XRDP, I have to mess around with it. I am too lazy to do it (the key is that it also affects the stability of the system), but for the completeness of the article, I will still write it briefly.

4.3.2 Install and configure tightvncserver

  1. Install the VNC server

sudo apt update
sudo apt install tightvncserver

  2. Initialize the VNC server and set the password

Execute the following command to start the VNC server:

vncserver

  3. Stop the VNC server

After initialization, you can stop the VNC server in order to configure it:

vncserver -kill :1

  4. Configure the VNC startup script

Create an xstartup file, usually located in the ~/.vnc directory, and edit it to configure the desktop environment you wish to start:

vim ~/.vnc/xstartup

Modify the file contents, making sure it contains your preferred desktop environment (e.g. xfce4), then save:

#!/bin/sh
xrdb $HOME/.Xresources
startxfce4 &

  5. Restart the VNC server

Start the VNC server:

vncserver :1

This will start a VNC server on :1 (port 5901), allowing remote desktop access via a VNC client.

Finally, you only need to use a VNC client (such as TigerVNC, RealVNC, or Vinagre etc.) to connect to Kali's VNC server at Kali_IP:1, where Kali_IP is the IP address of Kali Linux and :1 is the display number of the VNC session.

Note: If you do not use VNC, you can also use xrdp. There are many tutorials online, so I will not repeat them here.

5 Review of Kali's default integrated tools

The following are some common tools that are integrated by default in Kali Linux, organized by functional category:

1. Information Gathering

  • Nmap: Network scanning tool used to discover hosts, services, operating systems and other information on the network.
  • Netdiscover: Network discovery tool, mainly used to discover active hosts in a local area network.
  • Whois: Tool for querying domain name registration information.
  • Dnsrecon: DNS information collection tool.
  • theHarvester: Used to collect emails, domain names, and other information through search engines.
  • Shodan: A tool for searching for Internet connected devices.
  • Maltego: Graphical information collection and analysis tool suitable for social engineering, network analysis, etc.

2. Vulnerability Analysis

  • Nikto: Web server vulnerability scanner that can detect various vulnerabilities such as SQL injection, cross-site scripting, etc.
  • OpenVAS: Open source vulnerability scanning tool that provides comprehensive vulnerability scanning and management.
  • Nessus: A commercial vulnerability scanning tool that is not included in Kali by default, but can be installed.
  • Burp Suite: An integrated web application security testing platform that provides proxy, crawler, scanning, vulnerability analysis and other functions.
  • W3AF: Web application security scanning tool, focusing on finding web application vulnerabilities.

3. Wireless Attacks

  • Aircrack-ng: Wireless network cracking tool that supports attacks on wireless encryption protocols such as WEP, WPA, and WPA2.
  • Reaver: An attack tool targeting WPS (Wi-Fi Protected Setup).
  • Kismet: Wireless network sniffer tool that can capture Wi-Fi network traffic and signals.
  • Fern WiFi Cracker: A wireless network cracking tool provided in the form of a graphical interface.

4. Web Application Analysis

  • OWASP ZAP (Zed Attack Proxy): Web application security scanning tool provided by OWASP, suitable for automated and manual testing.
  • Dirbuster: Web directory blasting tool that detects hidden directories or files through brute force.
  • Burp Suite: Mainly used for Web application security testing, including man-in-the-middle proxy, automated scanning, etc.
  • Wfuzz: A highly flexible web directory and file blasting tool.
  • Sqlmap: SQL injection automated attack tool that can help users discover and exploit SQL injection vulnerabilities.

5. Password Attacks

  • Hydra: A fast password cracking tool that supports multiple protocols such as SSH, FTP, HTTP, Telnet, etc.
  • John the Ripper: Powerful password cracking tool that supports multiple algorithms and hash forms.
  • Medusa: A network login brute force tool similar to Hydra.
  • Hashcat: One of the fastest password cracking tools in the world, supporting multiple algorithms.
  • CeWL: A web crawler that can generate dictionaries for use in password cracking.

6. Post Exploitation

  • Metasploit Framework: A classic penetration testing framework that provides a wealth of vulnerability exploits and post-penetration attack tools.
  • Empire: PowerShell and Python post-exploitation attack framework with command and control support.
  • BeEF: A browser-focused penetration framework that allows attackers to exploit web browsers to perform attacks.
  • Mimikatz: A Windows system password extraction and authentication credential acquisition tool.
  • Netcat: Network tool, commonly used for reverse shell and port monitoring.
  • SET (Social-Engineer Toolkit): Focuses on social engineering attacks, allowing attacks to be spread through email, USB scripts, etc.

7. Exploitation Tools

  • Metasploit Framework: A comprehensive penetration testing framework that covers vulnerability exploitation, attack modules, payload generation and other functions.
  • Armitage: A graphical front-end tool for Metasploit that simplifies the penetration testing process.
  • Veil Framework: Generate valid payloads that can bypass antivirus software.
  • Cobalt Strike: Commercial penetration testing tool that provides comprehensive post-exploitation attack and command and control capabilities.

8. Social Engineering

  • SET (Social-Engineer Toolkit): Provides a range of tools for social engineering attacks, such as phishing emails, web attacks, etc.
  • Evilginx2: A man-in-the-middle proxy tool used in phishing attacks that can efficiently capture and forward login credentials.

9. Malware Analysis

  • Radare2: A powerful open source reverse engineering framework suitable for malware analysis.
  • Cutter: A graphical front-end for Radare2.
  • PEStudio: Tools for analyzing Windows executable files.
  • Volatility: Memory forensics tool, widely used in malware analysis and digital forensics.

10. Forensics

  • Autopsy: Digital forensic analysis tool for analyzing hard drives and file systems.
  • Sleuth Kit: Contains several digital forensics tools suitable for analyzing file systems.
  • Plaso: Used to extract and construct event timelines from event logs.

11. Sniffing and Spoofing

  • Wireshark: Network protocol analyzer tool used to capture and analyze network traffic.
  • Ettercap: Network sniffing and man-in-the-middle attack tool, suitable for traffic interception and modification in LAN.
  • Bettercap: An efficient network sniffing tool that supports ARP spoofing and man-in-the-middle attacks.
  • Dnsmasq: Tools for network traffic analysis and domain name resolution.

12. Privacy and Cryptography

  • Tor: Anonymous communication tool that encrypts and hides the user's network traffic.
  • OpenSSL: Open source encryption tool that supports multiple encryption algorithms.
  • GPG (GNU Privacy Guard): Tools for encrypting and signing emails or documents.
  • TrueCrypt/VeraCrypt: Hard disk encryption tool to protect data privacy.

You can choose different tools according to your needs.

6 Afterword

Although this article is only the first part, it can also be regarded as an article specifically about Kali Linux deployment. However, for network attack testing, there are still a few classic tools missing, which will be discussed in the second part. However, I can't write the second part for a while, because I moved the "Cloud Disaster Recovery Center" from Tencent Cloud Lightweight Server to Racknerd's VPS. There are many things to record, so I can only make up the second part when I have time later.
