Starting out with Kali Purple

With the 2023.1 release of Kali, the team introduced the concept of “Kali Purple”, a proof of concept that combines the Kali distribution with other tools to create a “SOC in a box”.

The Kali GitLab wiki has the most information on this topic. It looks like multiple VMs deployed with various tools such as a firewall, Elastic SIEM, and more.

What I’d like to see in this forum topic is how you are using Kali Purple. How far along did you get with the setup? What roadblocks did you run into, or where did you learn the most?

My personal experience started with the best intentions: to create a deployment on Proxmox, document the journey, and finally see if it could be automated via something like HashiCorp Terraform.

  • I repurposed my homelab server to run Proxmox
  • I was able to get a few VMs up and running, Kali and OPNsense

However, I quickly learned my networking and Proxmox knowledge was not up to par. I shut down the server and need to spend some time learning the basics of the related tools.

Hello.
To be honest, I am new to this forum, new to Kali Linux, and new to Linux in general. After having worked for Microsoft for a bit less than 20 years, I got really sick of the Windows OS and the latest bloated cloud-native operating systems. For tons of other reasons, I left Microsoft more than 2 years ago and now I am working for a company that has nothing to do with the manufacturing of operating systems but rather uses them to do its daily business. Still I do not like what I have: a macOS, which I absolutely hate, and a Windows 11 that I cannot tolerate.

So for my personal use at home, I started evaluating Linux as an alternative, and I am learning. I tried several Linux distros: Ubuntu, Linux Mint, Debian, Fedora, and Kali Linux. In the end I opted for Kali Linux for several reasons:

  1. I already have a Kali Linux running on a cheap computer I got from AliExpress, where I installed Pi-hole as a DNS sink so that I do not see ads anymore on any of my home devices
  2. I have always had a passion for security, trying to hack my own devices to see how good my security measures are
  3. Kali seems to be the best in terms of the security tools, penetration tests, auditing, all in one box

Do I like Kali?
Yes and no. Yes because it is FREE, it runs on old hardware smoothly, it has lots of potential and combines tons of security-related tools in one box, right out of the box. No, because Linux in general is not as user-friendly an OS as Windows. No offense intended to anyone, but at least in lousy Windows the commands are easy to remember and intuitive; on Linux, on the other hand, there are commands that have no meaning at all, like nano, vi, grep, touch, cat, tar, chmod and tons of other commands. For example chmod changes the permissions on a file/directory, so I get it that CH stands for CHANGE, but what the heck is MOD?

To be continued…

Hey Guys and Gals,

Came across your thread and had a read through. In some respects I couldn’t agree more, but I have experience in a number of products, both Linux, Microsoft, Unix and derivatives.

Yes, initially navigating the command line in all three can be difficult. I had to transition from the Linux command line to Microsoft once upon a time, and it was tough once I got my head around Linux, because the commands in Microsoft did make logical sense but I didn’t know any of them.

The issue I found is how rigid the closed source commands are, yet how flexible the open-sourced ones are in comparison. You can do a lot more with the Unix command set, and almost all of the applications are accessible with their own commands built around design and the Unix base architecture, extremely well distributed across the whole system and apps compared with Microsoft. I like all the archs for various reasons. Apple, for me the cost is the issue: over-glorified hardware and software at a pretentious price tag that I can get for 1/6th the price and better spec, and with more flexibility through alternative solutions. I do like their OS GUI though (not over and above Microsoft or Linux) and their hardware designs are sleek, but the price tag again, too excessive.

In any case, I wanted to refer you to the following resources: The O’Reilly Linux Pocket Guide (3rd ed is fine) and specifically OffSec PEN-103 KLCP, free for registered users here: PEN-103: Kali Linux Revealed | OffSec

Having started the KLCP amongst 2 current certifications, NCFE level 3 and C|CT through EC-Council, the PEN-103 KLCP is fairly liberal in time scale and can be pursued at your own pace, but from what I have been reading in the PEN-103 KLCP so far, they go through some very in-depth use and abuse cases right from the outset, including base commands and their usage. It is a really good course so far (on hold through necessity at the moment).

To summarise, O’Reilly Linux Pocket Guide command reference (cheap) and the KLCP (free) are extremely good resources to have available to you. Also, if you’re into purple teaming, Kali Purple is looking very promising for both offensive and defensive use-cases.

1 Like

Back to the thread title, I have a few questions surrounding the purple use cases and specifically centred around implementation of SIEM and SOAR.

I have some hardware knocking about and wanted to get a mini SOC implemented on a test server.

The idea being the Kali Purple repo would be deployed inside a Linux base server such as Ubuntu, as that’s Debian-based package management (deb, dpkg and apt), the same as Kali.

I wanted to know, in all your infinite wisdoms, if there are any caveats to adding the Kali repo to an Ubuntu base and then pulling in the required tools for deploying what is going to be essentially a central monitoring system?

The idea being the server would be a physical (rather than virtual) host for central management and monitoring of a test security operations centre. It would just sit there and actively monitor and alert me whilst I am tinkering.

Any responses or experiences welcome on the subject.

2 Likes

My interests are primarily some first-hand experience in anomaly detection training through log analysis and standard deviations of daily usage, as close to a real world use-case as possible.

This would help me to gain some backend knowledge of SIEM/SOAR, feeding endpoints to the implementations for log analysis and training and, of course, through daily use cases of my internal network devices (physical and virtual), begin to understand how to accumulate, store and analyse log data.

Additionally, I would learn how to use the log data to create rule-based filtering, alerts and also EDR and IPS feeds to these implementations. The ultimate end goal being to mimic a SOC and begin some junior level CSA tasks in a simulated environment.

Eventually, I’d like to dump the server in a DMZ segment and expose it to the public, and then perform some remote offensive configs / tests on attached nodes.

In keeping with the purpose of the thread, that’s my goal and general plan for kali-purple initially.

1 Like
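The daily-usage baseline described in the post above (count events per day from logs, then flag days that sit more than a few standard deviations from the mean) can be tried in a few dozen lines before any SIEM is involved. The following is an added example, not code from this thread or from Kali Purple; the syslog-style lines are constructed, the 2.0 z-score threshold is an assumed choice, and the leave-one-out baseline (each day is scored against the other days only) is a design choice made here so that an anomalous day does not inflate its own baseline.

```python
import math
import re
import statistics
from collections import Counter

# Syslog-style line: "YYYY-MM-DDTHH:MM:SS host process: message"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}\s+(\S+)\s+(\S+?):\s+(.*)$"
)


def make_sample_log():
    """Constructed sample data: a quiet week of SSH logins plus one noisy day.
    Not real captures; the per-day counts are chosen to illustrate the method."""
    per_day = {"2024-03-01": 2, "2024-03-02": 3, "2024-03-03": 2,
               "2024-03-04": 3, "2024-03-05": 2, "2024-03-06": 3,
               "2024-03-07": 20}
    lines = []
    for day, n in per_day.items():
        for i in range(n):
            lines.append(
                f"{day}T{8 + i % 12:02d}:{(i * 7) % 60:02d}:00 host1 sshd[1]: "
                f"Accepted publickey for user{i % 3}"
            )
    return lines


def parse_line(line):
    """Return {'day', 'host', 'proc', 'msg'} or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    day, host, proc, msg = m.groups()
    return {"day": day, "host": host, "proc": proc, "msg": msg}


def daily_counts(lines, predicate=lambda ev: True):
    """Aggregate matching events per calendar day; unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and predicate(ev):
            counts[ev["day"]] += 1
    return dict(sorted(counts.items()))


def score_days(counts, threshold=2.0):
    """Leave-one-out z-score per day.

    Each day's count is compared with the mean and sample standard deviation
    of all *other* days, so a single anomalous day cannot widen its own
    baseline. Returns {day: (count, z, flagged)}. With fewer than two other
    days there is no usable baseline and nothing is flagged; a zero-spread
    baseline flags any deviation at all (z becomes +/- infinity).
    """
    days = list(counts)
    result = {}
    for day in days:
        baseline = [counts[d] for d in days if d != day]
        if len(baseline) < 2:
            result[day] = (counts[day], 0.0, False)
            continue
        mean = statistics.mean(baseline)
        sd = statistics.stdev(baseline)
        diff = counts[day] - mean
        if sd == 0:
            z = 0.0 if diff == 0 else math.copysign(math.inf, diff)
        else:
            z = diff / sd
        result[day] = (counts[day], z, abs(z) > threshold)
    return result


def anomalous_days(lines, threshold=2.0):
    """Convenience wrapper: the days whose event volume is out of band."""
    scores = score_days(daily_counts(lines), threshold)
    return [day for day, (_, _, flagged) in scores.items() if flagged]


if __name__ == "__main__":
    log = make_sample_log()
    for day, (n, z, flagged) in score_days(daily_counts(log)).items():
        print(f"{day} events={n:3d} z={z:7.2f} {'ANOMALY' if flagged else ''}")
```

The `predicate` argument of `daily_counts` is where a real deployment would narrow the count to one signal (failed logins, a particular host, a particular process) instead of every line; the scoring stays the same. A seven-day window is the minimum that makes the statistics meaningful, and in practice the baseline should be long enough to include normal weekday/weekend variation.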

Hi
I still have nothing interesting to share, advise, or contribute. I am reading three interesting books right now, which I can recommend to every person approaching Linux and Security:

1. Linux Basics for Hackers - OccupyTheWeb
2. The Linux Command Line by William Shotts
3. Metasploit - The Penetration Tester's Guide

All of these are awesome books.

Having removed Windows from my life, and installed Kali as my everyday desktop OS, I first had difficulties installing and removing apps, configurations, drivers, how to install a downloaded application, etc. Since I had no choice but to search and learn and memorize, I can say that I am more confident in performing all the above actions autonomously without the use of the internet or external help!

Next step would be scripting, bash, and Python, which will take me quite a long time to master, but this is just my desired skill path; who knows what else would pop out instead!

Hercules,

Could I share some personal advice?

Regarding the software and scripting ambition: stick to it, but as a secondary interest. The main focus is effective use of the tools within the offensive and defensive toolsets.

There are so many resources to tutor you in effective use cases.

Whilst the programming element of cyber security is almost a fundamental requirement, it should be learned alongside what you are learning regarding the principles and practices of red, blue and purple teaming.

Best advice I can give: split your time according to the quantity of tests you have to ensure a smooth incline.

Sincerely

Xer0n3

2 Likes

[Moderator note] Please keep replies on topic within the initial post. In this case, that would be discussions around your experience with Kali Purple.

I have deleted some posts on this thread. Some of the off topic posts removed related to

  • comparison between Windows and Linux
  • comments on Linux CLI commands

Those removed posts would be better discussed in other topics.

Hi all, I’m a newbie to Linux. I started out a few years ago compiling and running various distros and flavours within a virtual environment and haven’t looked back. Having said that, for me a rigid, case-sensitive command line to install, compile and configure applications and system-wide processes blew me away. Daily driver. Numbat. OffSec, white hat testing. Polly, Kali and Snoopy. I have recently discovered Purple and I’m really liking the distro. It’s very involved, and Elastic, Malcolm and Hedgehog to name a few, which I know little about but fully understand the capabilities of, have opened a whole new perspective to me regarding pentesting and offsec. I’ll ask relevant questions once I know more.
Thanks

1 Like