Chapter 1 — What is Kali Linux?

Kali Linux is a Debian-based Linux distribution maintained by Offensive Security. It is specifically designed for penetration testing, digital forensics, and security research. It ships pre-loaded with over 600 security tools — everything from Nmap and Metasploit to Burp Suite and Wireshark.

Kali is not a general-purpose desktop OS. It is built for security professionals who need an environment ready for offensive work. Running it as your daily driver is possible but discouraged — use it in a VM or dual-boot for lab work.

Key Characteristics

  • Based on Debian Testing — rolling release with latest packages
  • Default user is kali (no longer root since 2020)
  • XFCE desktop by default (lightweight, fast)
  • 600+ pre-installed security tools
  • ARM builds available for Raspberry Pi and other devices
  • Maintained and regularly updated by Offensive Security

Offensive Security also created the PWK (Penetration Testing with Kali) course and the OSCP certification — the gold standard in offensive security credentials.

Chapter 2 — Installation Options

Option A — VirtualBox / VMware (Recommended for Beginners)

Running Kali in a VM is the safest and most flexible option. You can snapshot, revert, and isolate it from your main OS.

# Download the official Kali VM image from:
https://www.kali.org/get-kali/#kali-virtual-machines

# Import into VirtualBox:
File → Import Appliance → select .ova file
Default credentials: kali / kali (change the password with passwd after first login)

Option B — Bare Metal Install

Best performance. Download the ISO from kali.org, write to USB with dd or Balena Etcher, boot and install.

# Write ISO to USB (replace sdX with your USB device; confirm it with lsblk first, dd overwrites the target without asking)
sudo dd if=kali-linux-2024.4-installer-amd64.iso of=/dev/sdX bs=4M status=progress
sync
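
Before writing the image, check that the ISO matches its published checksum. The function below is an added example, not part of the original workbook; it assumes a SHA256SUMS file in the standard sha256sum layout downloaded next to the ISO, and the function name is hypothetical.

```bash
#!/bin/bash
# Added example: verify a downloaded ISO against a SHA256SUMS file before dd.
# Assumes each SHA256SUMS line is "<hash>  <filename>" and the ISO name has no spaces.

verify_iso() {
    local iso="$1" sums="$2" name expected actual
    [ -f "$iso" ]  || { echo "missing ISO: $iso" >&2; return 2; }
    [ -f "$sums" ] || { echo "missing checksum file: $sums" >&2; return 2; }

    name=$(basename -- "$iso")
    # Match the filename exactly (field 2; a leading '*' marks binary mode)
    expected=$(awk -v f="$name" \
        '{n=$2; sub(/^\*/,"",n)} n==f {print tolower($1); exit}' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 3
    fi

    actual=$(sha256sum -- "$iso" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage: verify_iso kali-linux-2024.4-installer-amd64.iso SHA256SUMS && sudo dd ...
```

A matching hash only ties the ISO to the SHA256SUMS file, so check that file's signature (SHA256SUMS.gpg, with gpg --verify) against the Kali archive key as well.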

Option C — Windows Subsystem for Linux (WSL2)

# In PowerShell (Admin):
wsl --install -d kali-linux

# Inside the Kali shell: install the Win-KeX desktop (optional)
sudo apt update
sudo apt install kali-win-kex
kex --win -s

Chapter 3 — File System Layout

The Linux file system follows the FHS (Filesystem Hierarchy Standard). Understanding it is essential for navigating quickly.

Directory     Purpose
/             Root of the entire filesystem
/bin          Essential user binaries (ls, cp, mv, cat)
/sbin         System binaries (for root: fdisk, ifconfig)
/etc          System configuration files (passwd, shadow, hosts)
/home         User home directories (/home/kali)
/root         Root user's home directory
/tmp          Temporary files (world-writable, cleared on reboot)
/var          Variable data: logs (/var/log), web files (/var/www)
/opt          Optional third-party software
/usr          User programs and libraries
/usr/share    Shared data — wordlists live here!
/proc         Virtual filesystem — running processes info
/dev          Device files (disks, network interfaces)
/mnt          Mount point for temporary mounts

Key Security Files

# User accounts
cat /etc/passwd     # username:x:UID:GID:comment:home:shell

# Password hashes (root-only)
sudo cat /etc/shadow

# Network hosts
cat /etc/hosts

# Wordlists location
ls /usr/share/wordlists/

# Nmap scripts
ls /usr/share/nmap/scripts/

Chapter 4 — Users, Groups & Permissions

# Current user and groups
whoami
id
groups

# Switch to root
sudo su -
sudo -i

# Create a user
sudo useradd -m -s /bin/bash newuser
sudo passwd newuser

# File permissions: rwxrwxrwx = owner|group|others
ls -la /etc/passwd
# Output: -rw-r--r-- 1 root root 1872   -> owner=rw, group=r, others=r

# chmod numeric (4=r, 2=w, 1=x)
chmod 755 script.sh   # rwxr-xr-x
chmod 600 id_rsa      # rw------- (SSH key must be this)
chmod +x script.sh    # add execute permission

# SUID bit — runs as file owner regardless of who executes
find / -perm -u=s -type f 2>/dev/null   # find SUID files (privesc!)
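
The same search works as a defensive check: record the SUID/SGID files on a known-good system and report anything that appears later. This is an added example, not part of the original workbook; the function names and the baseline file are assumptions, and it relies on GNU find and stat as shipped with Kali.

```bash
#!/bin/bash
# Added example: compare current SUID/SGID files against a saved baseline.

# Print "mode owner path" for every SUID or SGID regular file under a root.
# -xdev keeps the walk on one filesystem (skips /proc, network mounts, ...).
list_setid() {
    local root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %n' {} + 2>/dev/null | LC_ALL=C sort
}

# Print entries that exist now but are absent from the baseline.
# Returns 0 when nothing is new, 1 when new or changed entries were found.
new_setid() {
    local root="$1" baseline="$2" tmp rc=0
    tmp=$(mktemp -d) || return 2
    LC_ALL=C sort "$baseline" > "$tmp/base"
    list_setid "$root" > "$tmp/now"
    # comm -13: lines only in the second (current) file
    LC_ALL=C comm -13 "$tmp/base" "$tmp/now" > "$tmp/new"
    if [ -s "$tmp/new" ]; then
        cat "$tmp/new"
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage:
#   list_setid / > setid.baseline        # on a clean install
#   new_setid / setid.baseline           # later; prints anything new
```

Because mode and owner are part of each line, a binary whose permissions or owner changed also shows up as new.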

Chapter 5 — Package Management

# Update package lists
sudo apt update

# Upgrade all installed packages
sudo apt upgrade -y
sudo apt full-upgrade -y   # includes kernel upgrades

# Install a package
sudo apt install nmap gobuster seclists -y

# Search for a package
apt search burpsuite
apt-cache search metasploit

# Remove a package
sudo apt remove package-name
sudo apt autoremove   # remove unused dependencies

# Install from .deb file
sudo dpkg -i package.deb

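# Install Python tools via pip, inside a virtual environment
# (recent Kali releases refuse system-wide pip installs)
python3 -m venv ~/.venvs/tools
~/.venvs/tools/bin/pip install impacket crackmapexec

# Clone and install from GitHub (placeholder URL; review the code before running it)
git clone https://github.com/tool/repo.git
cd repo && python3 -m venv .venv && .venv/bin/pip install -r requirements.txt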

Chapter 6 — Networking from the CLI

# Show network interfaces and IPs
ip a
ip addr show eth0
ifconfig   # older command

# Show routing table
ip route
route -n

# Test connectivity
ping -c 4 8.8.8.8
traceroute 8.8.8.8

# DNS lookup
nslookup kalirange.com
dig kalirange.com
dig +short kalirange.com MX

# Active connections
ss -tulnp      # listening ports
netstat -tulnp  # older equivalent

# Change IP address temporarily
sudo ip addr add 192.168.1.100/24 dev eth0

# Restart network interface
sudo ip link set eth0 down
sudo ip link set eth0 up

Chapter 7 — Essential Tools Overview

Category        Tool                  Purpose
Recon           nmap, masscan         Network & port scanning
Recon           gobuster, ffuf, dirb  Web directory enumeration
Recon           nikto, whatweb        Web vulnerability & tech detection
Exploitation    metasploit            Exploit framework
Exploitation    sqlmap                SQL injection automation
Exploitation    burpsuite             Web proxy & scanner
Post-Exploit    linpeas, winpeas      Privilege escalation enum
Password        john, hashcat         Offline hash cracking
Password        hydra, medusa         Online brute forcing
Network         wireshark, tcpdump    Packet analysis
Network         netcat, socat         TCP/UDP Swiss army knife
Wireless        aircrack-ng suite     WiFi auditing
Forensics       autopsy, binwalk      Disk & file forensics

Chapter 8 — Bash Scripting for Pentesters

#!/bin/bash
# Simple recon script

TARGET=$1

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target-ip>"
    exit 1
fi

# Quote every expansion so the argument is never word-split or globbed
OUTDIR="recon/$TARGET"

echo "[*] Starting recon on $TARGET"
mkdir -p "$OUTDIR"

# Port scan
echo "[*] Running Nmap..."
nmap -sC -sV -oA "$OUTDIR/nmap" "$TARGET"

# Check for web ports (anchored so 8080/tcp does not count as 80/tcp)
if grep -Eq '^(80|443)/tcp +open' "$OUTDIR/nmap.nmap"; then
    echo "[*] Web server found — running Gobuster..."
    gobuster dir -u "http://$TARGET" \
        -w /usr/share/wordlists/dirb/common.txt \
        -o "$OUTDIR/gobuster.txt" 2>/dev/null
fi

echo "[+] Recon complete. Results in $OUTDIR/"

# Useful one-liners

# Ping sweep a subnet
for i in {1..254}; do ping -c 1 -W 1 192.168.1.$i &>/dev/null && echo "UP: 192.168.1.$i"; done

# Port check without nmap
for port in 22 80 443 8080 3389; do
  (echo >/dev/tcp/target/$port) 2>/dev/null && echo "OPEN: $port"
done

# Extract IPs from a file
grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' file.txt | sort -u
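
The recon script places its argument into a directory path and onto a command line, and the IP-extraction regex also matches strings such as 999.999.999.999. The added example below (not part of the original workbook; function names are hypothetical) validates a dotted-quad address strictly and reuses that check to filter extracted IPs.

```bash
#!/bin/bash
# Added example: strict IPv4 validation for script arguments and extracted data.

# Succeeds only for four dot-separated decimal octets, each 0-255, no leading zeros.
is_ipv4() {
    local ip="$1" octet
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # rejects '/', '-', ';', spaces, etc.
    esac
    local IFS=.
    set -- $ip                                  # safe: only digits and dots remain
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0?*|????*) return 1 ;;              # leading zero (octal ambiguity) or too long
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Extract candidate IPs from a file, keep only valid ones, de-duplicated.
extract_ipv4() {
    grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' "$1" | sort -u | while read -r ip; do
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# In the recon script, right after the usage check:
#   is_ipv4 "$TARGET" || { echo "Invalid IPv4 address: $TARGET" >&2; exit 1; }
```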

Chapter 9 — Service Management

# Start / stop / restart services
sudo systemctl start apache2
sudo systemctl stop apache2
sudo systemctl restart apache2

# Enable on boot
sudo systemctl enable ssh
sudo systemctl disable apache2

# Check status
sudo systemctl status postgresql

# Common services to start for pentesting
sudo systemctl start postgresql   # needed for Metasploit
sudo systemctl start ssh          # remote access
sudo systemctl start apache2      # serve files to target

# Start a simple HTTP server (serve current directory)
python3 -m http.server 8080
# Useful for transferring files to a compromised machine
# It listens on all interfaces by default; --bind <address> and --directory <path> restrict it

Chapter 10 — Terminal Productivity

# tmux — terminal multiplexer (essential for long engagements)
tmux new -s pentest        # new named session
tmux ls                    # list sessions
tmux attach -t pentest     # re-attach
# Ctrl+B then: c=new window, n=next, p=prev, %=split-v, "=split-h

# Useful aliases to add to ~/.bashrc
alias ll='ls -alh'
alias nse='ls /usr/share/nmap/scripts | grep'
alias www='python3 -m http.server 8080'
alias msf='sudo msfconsole -q'

# History tricks
history | grep nmap          # search command history
Ctrl+R                       # reverse search history
!!                           # repeat last command
!nmap                        # repeat last nmap command

# Background processes
nmap -p- target &             # run in background
jobs                          # list background jobs
fg 1                          # bring job 1 to foreground

Chapter 11 — VPN & Lab Setup

# Connect to OpenVPN (HTB, THM, etc.)
sudo openvpn --config lab.ovpn

# Check your VPN IP (tun0 interface)
ip addr show tun0
ifconfig tun0

# Recommended lab platforms
# HackTheBox (hackthebox.com) — machines and challenges
# TryHackMe (tryhackme.com) — guided paths for beginners
# VulnHub (vulnhub.com) — free downloadable VMs
# PentesterLab (pentesterlab.com) — web app focus

# Build a local lab with Metasploitable2
# Download from SourceForge, run in VirtualBox
# Intentionally vulnerable — perfect practice target (keep it on a host-only or internal network)

Chapter 12 — Building Your Workflow

Professional pentesters follow a structured methodology. Consistency matters more than speed. Here's a recommended workflow for CTFs and labs:

1. Enumerate First, Exploit Second
   Never skip enumeration. The more you know about the target, the more precise your attack will be.

2. Take Notes as You Go
   Use a tool like Obsidian, CherryTree, or plain Markdown. You will forget things. Screenshots + commands + output = gold.

3. Organise by Target
   Create a directory per target: mkdir -p targets/10.10.10.1/{nmap,web,exploits,loot}

4. Save All Output
   Always use -oA for Nmap, -o for Gobuster/Nikto. Pipe long outputs to tee file.txt.

5. Use tmux for Everything
   Split your terminal: one pane for active work, one for notes, one for listening (nc or msfconsole).

Workbook Complete! You now have a solid Kali Linux foundation. Head to the labs to put it all into practice, or read the Cybersecurity Essentials workbook next.