Even if you’re just barely scratching the surface of ethical hacking, I’m sure you’ve figured out that the very first skill you need to acquire is using Linux. If you don’t already have some good practical knowledge of Linux, this should be your prime focus.
You’ve also likely read or heard about Kali Linux as the hacking community’s preferred Linux distribution. This is the one you should get acquainted with.
But how does Linux fit into your picture? I’ve tried several Linux setups using Kali and here are my thoughts.
Bare metal Kali
When I got started early in 2021, I wanted my hacking shenanigans to be totally separate from my everyday activities on my personal laptop. So I picked up a brand new laptop from my local store and decided this would be my hacking machine.
I then installed Kali as a dual boot with Windows and started learning (I hardly use Windows at all but wanted to be able to reset to factory defaults if I ever needed to resell the laptop).
This wasn’t the smoothest introduction to Linux (Kali is usually recommended for users already acquainted with Linux) and I did run into some issues, but nothing I couldn’t cope with even as a Linux newbie. I did spend a few late nights getting some glitches sorted out, but overall this was easier than some had predicted, and a great learning opportunity.
I used this setup for almost 10 months and still often use it today. Having a standalone laptop devoted to my hacking journey sitting side by side with my day-to-day laptop, which I can use for note-taking, is really comfortable.
However, this means putting down the cash for a new machine, which is a commitment not everyone is willing to make.
Kali in a VM
Another option is to use your everyday PC: install virtualization software such as VirtualBox and run Kali inside a virtual machine (VM). Note that VirtualBox is free to download and use. This could be considered the best of both worlds, as you can have the full benefit of a Linux system you can spin up whenever you need, without having to invest in a separate laptop.
There are some caveats, though. First, you need a PC with enough juice to run Linux smoothly in a VM, alongside your underlying operating system (Windows or macOS, in most cases). My experience is that your Linux VM can easily become sluggish on a lightweight machine if you start using anything more than a few terminal windows. Bottom line: you need a fast processor, at least 8 GB of RAM (I would recommend 16 GB to be on the safe side) and over 100 GB of available disk space if you want to use several VMs (more on this later).
Also, running Kali inside a VM means Linux will only show up when you have some hacking to do and you will not learn as fast as you would if you had Linux as your laptop’s main OS.
If you want to know more about VMs, NetworkChuck has a great YouTube tutorial.
Kali over Ubuntu
A variation of the above: free up some disk space on your PC and install a more beginner-friendly Linux distribution such as Ubuntu as a dual boot with your regular OS. Ubuntu is certainly a better choice if you want to comfortably move as much of your day-to-day stuff as you can to Linux.
The benefit of this is that you can get some good Linux practice fast (try to use the command line rather than the graphical environment for as many tasks as you can). You still have the comfort of switching back to your other OS if there’s anything that can’t be done in Linux.
For your hacking practice, you may install VirtualBox and run Kali inside a VM as explained above. There are several advantages to this approach.
The first advantage is that it allows you to sandbox your hacking. Everything you do in Kali stays contained in the VM with totally separate file system and network configurations. So it’s really a different machine, with no (or almost no) risk of anything crossing over.
Another advantage is that you can have several VMs side by side. This means you can save a copy or a snapshot of your VM as a backup. If something goes wrong with the Kali system you’re using (you will make mistakes at some point), you can just trash the VM and get a fresh copy from your backup.
In my case, this proved very useful. I actually ended up using Kali VMs inside VirtualBox on the bare metal Kali laptop mentioned above. Kali over Kali, so to speak. Sounds crazy I suppose, but that worked out just fine for me.
Once you really get up to speed using VMs, you can even set up one VM as an attacker machine and another one as a target system. By stacking VMs, you’ll end up with your own private virtual hacking lab.
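Here is what the sandboxing, snapshot and attacker/target ideas above look like when scripted against VirtualBox’s command line tool. This is an added example, not code from the original post: it assumes VirtualBox is installed with its default host-only interface vboxnet0 (create it once with `VBoxManage hostonlyif create` if it doesn’t exist yet) and that two VMs already exist, named here, hypothetically, kali-attacker and lab-target. The target gets a host-only adapter only, so it can neither reach the Internet nor be reached from it; the attacker keeps NAT for updates plus a second adapter on the lab network. With DRY_RUN=1 the script prints the VBoxManage commands instead of running them, so you can review the plan first.

```shell
#!/bin/sh
# Added example (not from the post): isolate a small VirtualBox lab and snapshot it.
# Assumptions (hypothetical): VMs "kali-attacker" and "lab-target" exist, vboxnet0 exists.
set -eu

DRY_RUN="${DRY_RUN:-0}"
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"

# Run a VBoxManage command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'VBoxManage %s\n' "$*"
  else
    VBoxManage "$@"
  fi
}

# Give the host-only interface its address; guests use static IPs in 192.168.56.0/24
# (VirtualBox's default host-only range), so nothing depends on a DHCP server.
lab_network() {
  run hostonlyif ipconfig "$HOSTONLY_IF" --ip 192.168.56.1 --netmask 255.255.255.0
}

# Target VM: host-only adapter only, no NAT, so it is unreachable from the Internet
# and a vulnerable service on it stays on the LAN only.
isolate_target() {
  run modifyvm "$1" --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF" --nic2 none
}

# Attacker VM: NAT on nic1 for package updates, host-only on nic2 to reach the target.
attach_attacker() {
  run modifyvm "$1" --nic1 nat --nic2 hostonly --hostonlyadapter2 "$HOSTONLY_IF"
}

# Snapshot a VM before a session; "restore" rolls it back (the VM must be powered off).
take_snapshot() {
  run snapshot "$1" take "$2" --description "clean state before $2"
}

rollback() {
  run snapshot "$1" restore "$2"
}

# Usage: sh lab.sh setup   (or DRY_RUN=1 sh lab.sh setup to preview)
if [ "${1:-}" = "setup" ]; then
  lab_network
  isolate_target lab-target
  attach_attacker kali-attacker
  take_snapshot lab-target clean
  take_snapshot kali-attacker clean
fi
```

Run the setup once, then start both VMs and confirm from the attacker that it can only reach the target over the 192.168.56.0/24 network; if you ever break the target, `rollback lab-target clean` brings it back to the snapshot instead of a full rebuild.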
Kali in the cloud
If your PC configuration isn’t strong enough to run VMs and you don’t want to get a dedicated hacking machine, you’re not out of options yet. Your solution is cloud computing. Sign up for a VPS with a hosting provider such as Linode, DigitalOcean, OVH or Contabo. For less than $10 a month, you get a small slice of computing power from one of the servers in the provider’s data center. It shows up as a standalone PC, or Virtual Private Server (VPS), that you can connect to remotely using an IP address the provider supplies.
On that system, you can install Kali Linux and have your own remote Kali machine that you can access whenever you need, either through SSH for pure command line work, or through a tool like Microsoft Remote Desktop if you need the graphical environment. As this machine will be Internet facing, you will need to set up an SSH server, an xrdp server and a properly configured firewall to make sure only you can access it. This will also give you a good introduction to the basics of cloud computing.
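The “only you can access it” part is where most beginners leave a hole, so here is the minimum I would apply on such a VPS. This is an added example, not from the original post or from any hosting provider: it assumes you connect from one fixed public address (ADMIN_IP, set to a documentation placeholder below), that your SSH public key is already in ~/.ssh/authorized_keys on the VPS, that ufw is installed (`apt install ufw`, it is not on Kali by default) and that sshd reads drop-ins from /etc/ssh/sshd_config.d/, which current Kali releases do. SSH and RDP (xrdp listens on 3389) are allowed only from your address, password logins are switched off, and the config is validated with `sshd -t` before the service restarts so a typo can’t lock you out.

```shell
#!/bin/sh
# Added example (not from the post): lock down SSH and RDP on an Internet-facing Kali VPS.
# Assumptions (hypothetical): fixed admin IP, SSH key already installed, ufw installed.

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # placeholder (RFC 5737 documentation range); set your own

# sshd drop-in: keys only, no root login, no keyboard-interactive fallback.
sshd_dropin() {
  cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
}

# Firewall plan as ufw commands: deny everything inbound except SSH (22) and
# xrdp (3389) from the admin address; outbound stays open for updates.
ufw_plan() {
  printf 'ufw default deny incoming\n'
  printf 'ufw default allow outgoing\n'
  printf 'ufw allow from %s to any port 22 proto tcp\n' "$1"
  printf 'ufw allow from %s to any port 3389 proto tcp\n' "$1"
  printf 'ufw --force enable\n'
}

# Sanity check on an sshd config file: 0 if password auth and root login are both off.
check_sshd() {
  grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1" &&
  grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no' "$1"
}

# Apply only when run explicitly as root on the VPS: sh harden.sh --apply
if [ "${1:-}" = "--apply" ]; then
  sshd_dropin > /etc/ssh/sshd_config.d/99-hardening.conf
  check_sshd /etc/ssh/sshd_config.d/99-hardening.conf
  sshd -t && systemctl restart ssh   # validate first so a bad config can't lock you out
  ufw_plan "$ADMIN_IP" | sh
fi
```

Keep your existing SSH session open while you run this and test a fresh login from a second terminal before closing it. The address restriction is the real protection against the constant background scanning an Internet-facing box receives, but it only works from a fixed IP; if your connection’s address changes, you will need console access from the provider’s panel to update the rule.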
If all this sounds unfamiliar, check out this great YouTube tutorial from Cloud Tech that will walk you through the process step by step.
Once your VPS is running, all you need to do is connect to it from your PC (or from any other PC for that matter) and you will have your Kali machine in a window or in full screen mode if you want to. This will be similar to having a VM, except that the computing power will come from the server, not from your local machine. This means you don’t need a beefed up PC or laptop. Most systems will do.
From a practical standpoint, I found that Microsoft Remote Desktop tends to slow down on my Mac after a while, so I sometimes need to quit and relaunch. Also, it seems to have a hard time managing keyboard layouts on the VPS. No big deal, but if you are using a non-QWERTY keyboard, you will have to issue a keyboard mapping command in the terminal every time you log in. So I ended up logging into my Kali VPS using SSH most of the time (this works fine, with no speed or keyboard issues) and using Microsoft Remote Desktop only when I need the graphical environment to run Burp Suite or even just a browser.
One final aspect you need to keep in mind is that since your VPS is Internet facing, you probably don’t want to use it to host a vulnerable target system such as DVWA to practice your attacks, as you would with a local machine only accessible over a LAN. But if you’re just starting, that’s probably still a long way off.
You now have all the options in hand to pick the setup that makes the most sense to you. Have fun!