twobee - Fotolia


How a cloud-based Kali Linux system helps with pen testing

Enterprises can use a Kali Linux system in the cloud for penetration testing. Expert Frank Siemons explains how it works and some alternative methods for testing.

Every organization should have a security policy designed to fit its needs based on risks, threats, regulations...

and the value of the information it wants to protect. Part of such a security policy should encompass vulnerability management and testing.

More substantial and more security minded businesses often also perform regular penetration tests to identify vulnerabilities in their systems that go beyond the reach of standard vulnerability scanners.

When it comes to penetration testing, Offensive Security's Kali Linux is one of the most widely used tool sets in the industry. It is a free, Debian-based Linux distribution that contains hundreds of specific penetration testing tools.

Kali Linux systems in the cloud

Having what is essentially a valuable hacker's toolkit inside an organization's network could be a risk. It is, of course, the ideal target for an intruder. Even if such a system is relatively isolated and well-hardened, some tests -- such as those covering ransomware and worms -- are probably better performed outside an organization's network, where there is no risk of an unintended outbreak.

Every organization should have a security policy designed to fit its needs based on risks, threats, regulations and the value of the information it wants to protect.

What better solution is there than placing a Kali Linux system and the potentially vulnerable target systems in a third-party cloud instance? Other than an internet-accessible SSH or graphical interface, there does not need to be any connection between the company's production network and the testing instance.

An external testing source is also a great way to test the company's perimeter defenses and footprint from an outsider's perspective. This could, for instance, identify specific gaps in firewall or web server policies.

Another excellent use case for a cloud-based Kali Linux system is as a safe and often free training environment for security professionals. This works for a single individual, but now, there are also many security training providers utilizing such an environment as a hacking sandpit for students.

Options and alternatives

There are many ways to get a Kali Linux system up and running on a cloud instance. Amazon offers the Amazon Web Services Free Tier service. This is a limited instance available to enable new users to learn to navigate and use their products.

The preconfigured Kali Linux Amazon Machine Image is also free and fits within the limitations of the Free Tier service. This means the server could be set up and operated for free for at least 12 months at 750 hours per month, though it is important to keep the usage limits in mind to avoid unexpected charges.

With this method, costs should not be a limiting factor for training and once-off testing. For a large enterprise, however, these low or no costs should not really play a decisive role. In that situation, the operational costs to maintain a few more midrange Linux virtual machines are easily justified by having a more secure environment.

Microsoft Azure also offers a Kali Linux machine, but other than a $200 one month trial credit, this will not be for free. Again, a business should not be too concerned; an interested individual will probably steer toward Amazon for their free offer instead. From a usage and technical perspective, there is not much difference between the two.

Other providers, such as OneHost Cloud, have a Kali Linux system available, as well, and some others simply allow a manual installation based on a standard Linux virtual machine, which, of course, could be Kali Linux -- but be sure to check if provider permission is required first.

The limitations of Kali Linux systems

Cloud providers are naturally hesitant to allow such a powerful tool set inside their environments. Although a Kali Linux system is quite often used for testing, it is also very often used maliciously. Not only could this be harmful to the infrastructure of the service provider itself, but it could also involve them in a technical or legal issue if an attack on an unsuspecting target is sourced from within the cloud network.

There are some guidelines with which virtual machine's must comply, as well. Amazon's Machine Image guidelines, for instance, prohibit the use of Kali Linux's root user default login, meaning Offensive Security had to fall back to username admin for their cloud image version.


The nature of the Kali Linux system is to run potentially malicious attacks against targets, which will set off some alarm bells at the cloud provider's security department. To avoid having accounts temporarily or even permanently disabled, always inform Amazon of any such activity via their online form or email. This will enable the Amazon team to whitelist the source and destination addresses for the duration of the test.

Some targets within the Amazon cloud environment are entirely off limits, as well. As an example, attacking m1.small or t1.micro instances is not allowed due to the performance impact on shared resources.


The possibility to almost completely segregate systems inside a cloud platform and within an organization's production network makes penetration and other security testing, such as malware analysis, perfect to run in a cloud instance. There are hardly any technical limitations to what is possible here, and the few that do exist are substantially outweighed by the new opportunities cloud platforms can provide in this space.

Next Steps

Learn what's new with data loss prevention systems and tactics

Check out four penetration testing tools to improve security

Find out what you need to know before pen testing cloud platforms

Dig Deeper on Cloud Security Services: Cloud-Based Vulnerability Scanning and Antivirus