Discover system vulnerabilities and exploits

Anti-Theft Device

What's Going On?

The first program category in Kali deals with the tools that let you examine and analyze a setup. The list contains various tools that you might be familiar with outside of the Kali context, such as Nmap (Figure 3) and Wireshark (Figure 4).

Figure 3: Kali Linux includes the port-scanning veteran Nmap.
Figure 4: Wireshark analyzes network traffic and is an essential Kali Linux tool.

Kali also contains tools for specific protocols: Miranda maps local UPnP domains and identifies corresponding devices. If you have ever dealt with UPnP camera security, for example, in conjunction with the default UPnP settings of typical routers for home use, you understand why Kali Linux doesn't just belong in the data center. The story of network cameras that are published on the network via UPnP, and are thus accessible to everyone, is legendary.

Once you have carefully checked your own network with Kali, you might discover that some services are exposed to the outside world that should not be. Do you really want to invite the whole world in for breakfast?
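The check described above, turned into a script, as an added example that is not part of the original article and not a Kali tool: it parses the XML that Nmap writes with `-oX`, collects every open port per host, and compares the result against a per-host list of services that are supposed to be reachable. Everything that is open but not on the list is reported. The scan data, the addresses (from the 192.0.2.0/24 documentation range) and the expectation table are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (as written by `nmap -oX`); not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sU -sT -oX - 192.0.2.0/29" start="0" version="7.94">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="554"><state state="open"/><service name="rtsp"/></port>
      <port protocol="udp" portid="1900"><state state="open|filtered"/><service name="upnp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed expectation table: per host, the (protocol, port) pairs that are
# allowed to be reachable. A host missing from the table is allowed nothing.
EXPECTED = {
    "192.0.2.10": {("tcp", 22), ("tcp", 443)},
    "192.0.2.20": {("tcp", 80)},
}


def parse_open_ports(xml_text):
    """Return {ipv4_address: {(protocol, port): service_name}} for open ports.

    UDP ports that Nmap reports as 'open|filtered' are treated as open, because
    a silent UDP service still counts as exposure until proven otherwise.
    """
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        services = {}
        for port in host.findall("ports/port"):
            state = port.find("state").get("state", "")
            if not state.startswith("open"):
                continue
            key = (port.get("protocol"), int(port.get("portid")))
            svc = port.find("service")
            services[key] = svc.get("name", "?") if svc is not None else "?"
        hosts[addr_el.get("addr")] = services
    return hosts


def find_unexpected(open_ports, expected):
    """List (address, protocol, port, service) for every open port not on the allowlist."""
    findings = []
    for addr in sorted(open_ports):
        allowed = expected.get(addr, set())
        services = open_ports[addr]
        for proto, portid in sorted(services.keys() - allowed):
            findings.append((addr, proto, portid, services[(proto, portid)]))
    return findings


if __name__ == "__main__":
    for addr, proto, portid, name in find_unexpected(parse_open_ports(SAMPLE_NMAP_XML), EXPECTED):
        print(f"{addr}: {proto}/{portid} ({name}) is open but not expected")
```

On the sample data the script flags the MySQL port on the first host and both the RTSP stream and the UPnP/SSDP port on the second, which is exactly the kind of camera exposure the paragraph above warns about. Run against real output, point `ET.parse()` at the file Nmap produced instead of the embedded string and keep the expectation table under version control so a diff of the findings shows what changed between audits.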

Blurring Borders

The boundaries between the analysis tools and the tools for exploiting problems with Kali Linux are occasionally blurred. The analysis tools category includes various mechanisms that detect existing errors and draw attention to them. The Metasploit framework, for example, is correctly listed by the Kali developers as an exploit tool, whereas Recon-ng belongs in the analysis category, even though it is quite similar to Metasploit. Recon-ng systematically scans hosts against a database of vulnerabilities and provides information if it finds one.

Significant numbers of similar tools are part of the Kali Linux bundle. Under the Vulnerability Analysis heading, the menu lists Yersinia, which specializes in detecting Layer 2 vulnerabilities. (It was not named after the bacterial strain to which the plague pathogen belongs, by the way.) Anyone who frequently has contact with Microsoft SQL databases will appreciate sqlninja, a tool that specializes in identifying and exploiting SQL injection vectors in the Microsoft database.

Ready to Attack

The analysis tools play an important role in Kali Linux in general, but they are not the focus. The main objective of the distribution is to build an exploitation toolkit with which you can check your infrastructure. Kali Linux comes with various tools for all potential attack scenarios.

The Wireless Attacks category, for example, has more than 30 tools that supply a more than capable toolbox for attacking and hardening WiFi networks. Although many of the tools focus on the legacy WEP encryption standard, some tools are also capable of breaking the more modern WPA2. In an ideal world, WEP would not be used, but where it is used, Kali has several tools that can break the encryption quickly and efficiently (e.g., the well-known Kismet).

Kali Linux also comes with honeypot features to catch attackers: On a running Kali Linux instance, you can start a genuine WiFi access point (AP) that allows client connections but undermines encryption. As is almost always the case when you use Kali Linux, you need to be careful, because simply sniffing the traffic is strictly prohibited.

If you want to use Kali to prevent attacks on your own infrastructure by closing security vulnerabilities before anyone else finds them, you need to define the scope of your project precisely and make sure you don't accidentally target innocent bystanders. The developers of Kali Linux point out that various tools can be used for illegal activities and that it is your responsibility not to use them in such a way.

If you have wondered whether the WiFi password on your own router is really as secure as you thought, Aircrack-ng will probably help you find out. It can detect and crack the legacy WEP encryption and comes with material for dictionary attacks against WPA.

If Aircrack-ng discovers your wireless network keys, you'll have to change your password. The Kali Linux tools can even simulate attacks against WPA that have become known in recent months so that insecure devices can be identified reliably and removed from the setup.
