If you’re familiar with the concept of ethical hacking or have even just watched the TV series Mr Robot, you’ve likely encountered Kali Linux. This open source Debian-based distro has become so widely adopted in the world of cybersecurity that it’s almost always mentioned in connection with every activity relating to pen testing.
The OS was released in March 2013 by developers Mati Aharoni and Devon Kearns of Offensive Security (OffSec), as a complete rewrite of its predecessor BackTrack Linux. It contains around 600 tools relating to security testing tasks, such as wireless network penetration, password cracking, vulnerability scanning, digital forensics and ‘red team’ testing.
Since 2016, Kali has followed a rolling release model, ensuring users can install the latest security tools and updates. The OS supports a huge variety of platforms, from ARM-based systems like the Raspberry Pi to Android devices via Kali NetHunter.
The Kali Linux project is maintained and funded by Offensive Security. Chief content and strategy officer Jim ‘Elwood’ O’Gorman leads the Kali team. In his bio, he admits he “does a lot of meetings”, which is why we were so grateful he took the time to have one with us to discuss all that is great about Kali.
Jim was joined in the interview by Ben ‘g0tmi1k’ Wilson. Besides being a Kali senior developer, Ben is an OffSec live instructor. He also maintains the Exploit Database and is the founder of VulnHub, a platform for hands-on cybersecurity course training.
If you do decide to take the OS for a test spin, we recommend reading the installation guide at www.kali.org/docs/installation/hard-disk-install/. For a graphical install, the developers recommend a device with at least 2GB of RAM and 20GB free disk space.
Kali Linux’s tagline is: “The quieter you become, the more you are able to hear.” So, we cleaned out our ears ready to listen to what Ben and Jim had to say…
Linux Format: You’re stuck in the lift with a cynical guy who says he doesn’t need Kali, as he can apt install any security software he needs. You have 30 seconds to explain what Kali is and why he should use it.
Jim ‘Elwood’ O’Gorman: Kali Linux is a specialized Linux distribution for information security, catering to users from enthusiasts to professionals. It’s built to be as useful as possible out of the box for everyone in that user base.
The legend goes that Mati [Aharoni] created Kali when he was working at an organization where he couldn’t bring any electronics but he could bring in a CD. He put together a Linux distribution with tools on it and then compiled other tools as needed. By the end of the engagement, he had a working distribution that he shared with friends. It kinda grew from there.
In that era, compiling tools was an extreme pain in the rear end. Just having an InfoSec-focused distribution like BackTrack/Kali was enough. It’s what everyone was searching for.
Over time, that’s changed. Tool compilation became easier. What we really wanted to do with Kali was to have unique features that you won’t find in other Linux distributions, like Boot Nuke.
You talk about people pooh-poohing, saying they can just run tools in Debian, and that’s completely legitimate. You can run Metasploit [framework] and most of the time they now compile out of the box. However, with Kali we do something above and beyond. For example, we have multi-platform support as first-tier, so ARM is updated right alongside x64.
LXF: Could you tell our readers a bit more about your role with Kali, as well as a little about your background?
Ben ‘g0tmi1k’ Wilson: I got involved with Kali through the Cisco CCNA class in high school. I found it mind-numbingly boring. The only practical thing I did was learn how to crimp an Ethernet cable. I discovered BackTrack through a classmate. I downloaded it, joined the forum, and learned by teaching others. I became active on IRC, making connections and a lot of good friends. One day, out of the blue, Mati said, “Oh I see you’re quite active – want a job?” At the time I was single with no commitments, so I said to myself, “What’s the worst that could happen?” OffSec was much smaller back then, so I worked in various departments before focusing on Kali.
Jim: I was involved in the information security world as a pen tester. I met Mati and we became friends. He had a talent for making people want to help him – that was his superpower. My background was in forensics, so I contributed to BackTrack 5 by adding the forensic boot mode. My involvement grew from there.
LXF: Given the development process, it makes perfect sense why you’d start fresh with a new name and codebase for Kali. Why did you settle on Kali?
Jim: I could give you a highbrow answer or tell you the truth! We were in Vegas at Black Hat [cybersecurity conference] just talking about what would work.
We were making so many changes, so hit the reset button with a new name that sounded cool and had IP protections. We also wanted something meaningful, that didn’t have many confusing Google hits.
Ever since I got married, my wife and I have had cats. We’d always name them after different gods, like right now mine are called Ares, Apollo and Jupiter. So I kind of defaulted going that way
Kali is a goddess associated with destruction and rebirth, which made sense as we were destroying BackTrack and building something new. What is pen testing but breaking something to make it stronger?
We later found out that ‘kali’ is also a Filipino martial art focused on offence. Weirdly enough, our organization does a lot of work in the Philippines. It also means ‘fierce’ in Swahili. So there’s a lot of ways of interpreting the name depending on what’s meaningful to you.
Ben: For a full history of the origins of Kali Linux, including the choice of name, you can visit www.kali.org/blog/10-years/.
LXF: What led you to choose a Debian base rather than Ubuntu? Was this just for stability reasons?
Ben: We moved to Ubuntu-based for BackTrack 5 to have an update mechanism, but we encountered problems with multi-platform support and customization. We decided to switch to Debian as the base for Kali, which allowed for better customization and multi-platform support, including ARM systems.
Jim: One time we were teaching at Black Hat. We were walking around and realizing that people had installed BackTrack on their desktop machines. At the time there was an exploit that affected all Linux OSes and BackTrack was vulnerable to it. At the time we had no updated mechanism, so we moved to an Ubuntu system to have a way for doing updates. Ubuntu had a lot of stuff it were doing that made it hard to customize and update. We realized we’d made a mistake and wanted to go a different route.
LXF: Looking over the release notes of the latest version of Kali (24.4), there are some major changes, including dropping i386 support. Is there any aspect of the latest version you’re particularly excited about?
Ben: We’re preparing to release Kali 2025.1 at the moment. Kali is a rolling distro, so we ship updates as soon as they’re ready. Point releases are catalogued, then we issue them four times a year just to let people know. We’re most excited about what we’ve just been working on, as it’s immediately available to users, then we can get on to the next project!
Jim: I’m particularly excited about the relaunched forums. Real-time chat has taken over in this industry lately but it’s not always the right platform. When it’s used for support, the conversation is transitory, so any help a user receives disappears into the ether. We’ve tried previously to direct people to our bug tracker but that’s a little formal for some users.
I’m hoping we can redirect a lot of that activity over to the forums. That way you have nice indexable, searchable items. You help someone and you can guarantee there’ll be more people with that same problem down the road. Kali is in a unique position in that way, as many users are InfoSec professionals but for others it’s their first experience of Linux after watching a TV show like Mr Robot! We don’t want to turn those people away. The forums are a nice on-ramp for those who want to learn.
LXF: Kali strikes us as a mammoth undertaking! What would you say have been the main challenges in building and maintaining Kali (if any)?
Jim: That’s a good question and there are a couple of ways of processing it. There are technical challenges, community challenges in getting people involved and contributing.
There are also organizational challenges in justifying OffSec’s funding of the project. We’re very grateful that OffSec has been so supportive of Kali over the years. The biggest challenge for me has always been the direction: what do you do to stand apart from the crowd and provide unique features that are core aspects of Kali?
There are a lot of features we build that are core aspects of Kali but don’t get much attention. For example, one of the challenges of InfoSec is that you may need to run older programs that are no longer supported. We have a mechanism in Kali to containerize legacy software.
Managing the balance between these and more flashy features like Kali Undercover [see boxout, page 79] can be challenging. So many people in this industry depend on Kali to do their job, so we can’t afford to screw things up.
Ben: From a technical perspective, Kali is based on Debian testing. When a package becomes available, we pull it into Kali. We don’t really have a stable release, plus we have to spend a lot of time transitioning to what Debian does, like the transition to t64 [representing time using 64-bit instead of 32-bit integers].
We have to operate on their timelines. Another example is Python. With Debian 13 coming out this summer, we have to get all our packages updated once they pull the trigger.
Certain InfoSec tools like Nmap have been around forever. But sometimes someone will create a tool for Kali to address a certain vulnerability. They’ll push it out and it’ll be great – but say two years later that vulnerability will be patched and the tool author feels it’s not relevant any more. So we’ve then got the whole process of trying to backport all work upstream as much as possible, such as by trying to put in patch requests or finding an alternative tool.
LXF: What do you think are the main reasons that Kali is arguably the most popular choice?
Jim: There are a lot of good competitors and that makes Kali better. Many have come and gone over time. Sometimes they have their own codebase and do something fresh. At other times they’re just reskinned versions of Kali.
I think Kali sustains for a few reasons. Number one is being first to market – Kali’s just a continuation of BackTrack. We’ve been around forever and have been able to demonstrate strong consistency. We listen to feedback, engage with users and take our position seriously.
I started out using BSD in the ’90s and there’s a lot of prickly personalities there, as well as in the Linux space. Our community management has been strong, and we treat everyone with respect, even noobs.
We also have a distributed distribution system – we can’t even tell you who is using Kali or how many downloads there are because there are so many different ways to get it. It puts the user first and OffSec has never got in the way of that.
LXF: Can you tell us a little more about future 2025/26 roadmap for Kali?
Jim: We maintain a year-long roadmap, but it becomes vague further out due to the dynamic nature of the industry. It changes super-quick. We operate on a quarterly release cycle for QA and updates, but as a rolling release, we can update at any point.
We change direction quite a bit based on user contributions or industry developments, like when a new tool or attack comes out. We certainly don’t want to be slaves to a calendar. We learned not to make promises about release dates, because people would lose their minds if a version didn’t come out when expected.
Ben: A good recent example is the new WSL [Windows Subsystem for Linux] distribution architecture. This might be a dirty word for the Linux world but Microsoft’s WSL team told us about the new format. We want to get Kali as close to the people as possible, so we jumped on it. This meant we were the first Linux distribution to support the new WSL architecture.
LXF: Do you have any favorite stories about seeing Kali used in unexpected or amusing ways?
Jim: I’ve seen Kali installed in various places where you see Kali on a screen somewhere, some I can’t talk about. Recently, I found out that a division of the US military has incorporated the Kali logo into its unit patch. It’s also meaningful to see people get Kali tattoos. It shows their commitment to the project.
Ben: I’ve gone to a few conferences over the years. At one point there was the joke: “Can it run Doom?” I’ve seen similar challenges like: “Can you escape this kiosk?” And the USB stick they always seem to boot from is Kali. I’ve seen these big, big screens and rather than see them crash, they’re running Kali on them. I always think that’s the people’s choice, as it runs!
LXF: What advice would you give to people who want to get into penetration testing?
Jim: We have free courses, such as Kali Linux Revealed and OffSec’s Metasploit Unleashed. InfoSec is a wonderful, empowering field. Many people can build a strong career. There are many free and paid resources they can use. Kali provides a nice, stable foundation to build on that but you can’t buy your way in. You need to join the community and talk to people. Build a network you can work with and learn from. It’s not just about the tech, it’s the people.
Ben: I recommend attending BSides conferences [https://bsides.org]. Tickets are often free or low-cost. They’re great for connecting with the community and hearing from enthusiastic InfoSec professionals. Conferences are springing up all over the world.
I started learning in the forums where users would post videos of them breaking into a VM for others to follow. Kali also includes built-in vulnerable apps like OWASP Juice Shop for practice [see tutorial, page 76]. There are countless walkthroughs and guides out there to let you actually do things and have fun!
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
