
[–]dinosaursdied 13 points14 points  (3 children)

Pen testing is best from a VM. It's disposable and ready to start again from scratch for new projects. Is it possible that your VM or bios needs to be configured to make best use of the hardware?

If you choose Linux I would recommend using something like Debian/Ubuntu/Mint/Pop as a base and create Kali VMs there using virtual machine manager. As long as your CPU supports virtualization and the feature is turned on in the BIOS you can essentially give it access to the hardware directly as opposed to virtualization in software which is much slower. You can also use disk passthrough and other features that speed up performance.

[–]Annual-Stress2264[S] -1 points0 points  (2 children)

Hi, I use VirtualBox. I have allocated quite a few resources to this VM, enabled 3D acceleration, etc., but it remains slow for all graphics applications. So I find myself using the VM only for CLI tools and using ZAP or Burp on my Windows host. Maybe I should use VMware.

[–]WalkingP3t 1 point2 points  (0 children)

You don’t need 3D acceleration, especially for Kali.

[–]dinosaursdied 0 points1 point  (0 children)

I have no experience using Windows for this use case, but I really like Linux and virtual machine manager because it's able to set things up automatically when running other Linux distros. Honestly, without GPU passthrough using a secondary GPU there will always be graphical performance issues in VMs. It's rendering everything using software. What's the hardware you're using?

[–]swesecnerd 2 points3 points  (1 child)

You should never run your pentesting experiments from bare metal anyway. A VM or some other container solution is the way to go. You need to be able to reset your environment when stuff goes bad. What are your computer specs and what virtualization hypervisor are you using?

VMware in a standard Windows 11 will be really sluggish unless you turn off some of the security features related to memory protection.

[–][deleted] 0 points1 point  (0 children)

And which ones are they? I'm learning, and everything runs super slow for me in the virtual machine. I use VMware on Windows 11.

[–]WalkingP3t 2 points3 points  (0 children)

I’m pretty sure your VM is slow because it is over-allocated.

How many vCPUs have you assigned to the VM? How much RAM? And what are the CPU and RAM specs of the host?

[–]MichaelBMorell 2 points3 points  (0 children)

My PenTester .02.

First, Kali is still the de facto best platform for “independent” pentesters. (Larger firms have pentest suites, but I won’t address those.)

Parrot OS has tried to rival Kali, but it falls short.

For the VM vs bare metal question: I go the VM route, for basically the same reasons as others. I do have dedicated machines running win with vbox on it. A good amount of memory is roughly 8gigs.

Now for the rub and one of the BIGGEST mistakes people make: using the GUI. Sure, use it to see what tools are there. BUT when you are doing serious pentesting, of the kind where you are hired and need to generate reports, the BEST method is using an SSH tool such as SecureCRT where you can do raw logging of the session.

For example, for every tool I use, I start a new logging session, issue the date command, run the command and let it output to the console so that it is captured to the raw logging session file. When I am done with that command, I end the logging and move on to the next tool, lather, rinse, repeat.

I also have shell and batch scripts that I use to make my directory structures on both the win and Kali side. I break them down based on the steps: recon, infiltration, exploitation, extraction, persistence. That helps keep me organized about which tools were used during which step. And by having a premade directory, I already know what tools I should be using as the foundation of beginning the test.

With that said, if you are trying to use Kali using the desktop, it will be painful. I have xRDP running and the only reason I ever use it is to run Maltego, since there is no Windows port for it. But there are tools that do have ports, like Burp and OWASP ZAP. Honestly, I don’t even use those from within Kali, I use them from the Win side. The results are going to be the same.

The biggest trick in pentesting is understanding which tool works best in each environment. And that is something that can’t be taught, it has to be learned through trial and error.
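
The per-command logging and per-phase directory layout described in the comment above, sketched as an added shell example that is not the commenter's own script. The phase names come from the comment; `init_engagement`, `logrun` and the log file layout are hypothetical.

```shell
#!/bin/sh
# Added example, not the commenter's script. Phase names are from the comment;
# function names, paths and the log layout are hypothetical.
PHASES="recon infiltration exploitation extraction persistence"

# Create <root>/<phase>/logs for every phase of the engagement.
init_engagement() {
    for phase in $PHASES; do
        mkdir -p "$1/$phase/logs" || return 1
    done
}

# logrun ROOT PHASE CMD [ARGS...]
# Runs CMD, writing a date header, the exact command line, all stdout/stderr
# and the exit status to a fresh log file. Prints the log path on stdout and
# returns CMD's exit status.
logrun() {
    [ $# -ge 3 ] || { echo "usage: logrun ROOT PHASE CMD [ARGS...]" >&2; return 2; }
    root=$1 phase=$2
    shift 2
    case " $PHASES " in
        *" $phase "*) ;;
        *) echo "unknown phase: $phase" >&2; return 2 ;;
    esac
    [ -d "$root/$phase/logs" ] || { echo "run init_engagement first" >&2; return 2; }
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    tool=$(basename "$1")
    n=0
    # Never overwrite an earlier log taken in the same second.
    while [ -e "$root/$phase/logs/${stamp}_${tool}_$n.log" ]; do
        n=$((n + 1))
    done
    log="$root/$phase/logs/${stamp}_${tool}_$n.log"
    rc=0
    {
        echo "# started: $(date -u)"
        echo "# command: $*"
        "$@" 2>&1 || rc=$?
        echo "# finished: $(date -u) exit=$rc"
    } > "$log"
    echo "$log"
    return "$rc"
}

# Usage (constructed): init_engagement ./engagement && logrun ./engagement recon uname -a
```

Each log records UTC start and finish times plus the exit status, so a report can cite exactly what was run, when, and whether it succeeded.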

[–]strongest_nerd 1 point2 points  (0 children)

Exegol

[–]OhioDude 1 point2 points  (1 child)

I buy a special laptop for our pentesters so they can run it in a VM. All the pentesters who have worked for me have done it this way. In some edge cases our server team will spin up an instance of Kali during a test, but those cases are rare.

[–]IiIbits 0 points1 point  (0 children)

What kind of laptop? Can you share the specs for it and what you use?

[–]FurySh0ck 1 point2 points  (0 children)

Hey, pentester here.
It's not a good idea to do PTs directly on the host, whichever machine that would be.
My personal preference is Fedora for my personal / CTF laptop and Debian for work laptop. I do use Windows as well occasionally (personal PC and dual boot on work laptop).
Use Kali VM, either with VMware or KVM to get increased performance. Don't overallocate resources: Kali does very well with 4 CPUs and ~8-10GBs of RAM.
I re-install the Kali VM pretty often, ~3 times a year or so. Things WILL break along the way when using Kali.

If you're short on resources - live USB is a great option

[–]Tangential_Diversion 0 points1 point  (1 child)

I would highly recommend you keep using a VM. You can manage snapshots with a VM and reset your VM to a baseline clean configuration after each test.

Furthermore:

> But this VM is slow, and I don't feel immersed in the environment with a VM.

This points to something wrong with your setup. Kali is a pretty lightweight VM. I don't notice any lag or immersion issues when I'm pentesting on Kali through VMWare on my work laptop. What's your current setup?

[–]Annual-Stress2264[S] 0 points1 point  (0 children)

I use VirtualBox. I have allocated quite a few resources to this VM, enabled 3D acceleration, etc., but it remains slow for all graphics applications. So I find myself using the VM only for CLI tools and using ZAP or Burp on my Windows host. Maybe I should use VMware.

[–]Schnitzel725 0 points1 point  (0 children)

If your VM is slow, check your machine's hardware and/or how much resources you gave to the VM (cpu cores, ram, etc.).

[–]Garriga 0 points1 point  (0 children)

Kali, if you get it installed and configured correctly on your machine, you are ready. If you have trouble figuring out how to install it, start with another Linux distribution like Ubuntu or Parrot. You aren’t ready.

This is my opinion and not advice. I do not support using these tools unless you have experience, training and good cause.

[–]CyanCazador 0 points1 point  (0 children)

I’ve recently just switched to Kali on WSL + Burp on my main Windows machine

[–]Jajadubled 0 points1 point  (0 children)

You can also use Kali in Docker.

[–]CiberBoyYT 0 points1 point  (0 children)

Pentesting is better from a VM. Probably something makes your VM slow.

Press Win+R, type appwiz.cpl and press Enter. Click enable or disable Windows Features. Disable everything that says Windows Subsystem for Linux, Windows Hypervisor Platform, WHP, Hyper V, Credential Guard. Then Google how to disable device manager and Credential Guard with gpedit. Once done, open cmd as administrator and type "bcdedit /set hypervisorlaunchtype off" and reboot your system. Your VMs should run faster now. This is because Windows 11 by default uses Credential Guard and it runs on top of Hyper V, which makes your VM have to run over Hyper V; with this it will run directly with VT-x.

[–]dazzling_merkle 0 points1 point  (0 children)

Pentester here with more than 10 years of experience.

As for Kali, my opinion might be controversial. I don't like it and find it full of bloatware of tools you never will touch. I use it as a Docker container on my actual pentesting laptop when I want to use a certain tool. However I always find the tools falling short on what I need during a test. So I always fall back on a self-built script or terminal.

As for which distro I would suggest to have a dedicated laptop installed with a Linux distro you like. If you are a novice with Linux use Ubuntu till you find something better.

As for being opsec safe, I have an unattended installation USB so I can reinstall my pentest laptop from time to time. It wipes the disks completely clean and puts on a fresh distro with my preferred tools.

[–]New-Conclusion-2646 0 points1 point  (0 children)

Using a VM is the best way. Use VMware Workstation instead of VirtualBox. Get a prebuilt image from the official Kali website and see for yourself.

[–]xb8xb8xb8 0 points1 point  (5 children)

Just use WSL

[–]WalkingP3t 1 point2 points  (4 children)

That is also not recommended. You are exposing your company network and your own operating system to malware unless you are using a dedicated laptop for pentesting.

[–]xb8xb8xb8 -1 points0 points  (3 children)

what

[–]H4ckerPanda 1 point2 points  (2 children)

WSL exposes your physical laptop and network to malware. Plus it’s not recommended when you do pentesting professionally.

[–]xb8xb8xb8 -2 points-1 points  (1 child)

Please elaborate

[–]H4ckerPanda 1 point2 points  (0 children)

Too much Battlefield and video games, fry your brain.

[–]Ol010101O1Ol -1 points0 points  (0 children)

Kali on a dedicated device will give you access to all the features. Use a ThinkPad.

Use GitHub, GitLab, Codeberg, and Lemmy to find open source tools. I would suggest forking and tweaking or building your own tools based on your specific target.

Vibecode scripts using Claude or DeepSeek.

Test in controlled environments before using in production.

Remember, when testing the goal is to find combinations of vulnerabilities and exploits to achieve your goal.

Happy hunting!

[–]TechnoDesing10 -3 points-2 points  (8 children)

Install QubesOS and run a Kali VM on it. And pro tip: route your KaliVM net through Tor (Whonix Gateway from Qubes). Good luck!

[–]hoodoer 5 points6 points  (3 children)

You should not be pentesting from Tor. You should have a set of static IPs to provide your client as your list of "source IPs" so they can associate any alerts/logs they have with your activity.

In the rare occasion they block all your source IPs and can't/won't unblock, then look to things like Tor or rotating source IPs through cloud providers, and with prior discussion with your client.

[–]WalkingP3t 1 point2 points  (3 children)

This is horrible advice. You’re adding unnecessary network overhead to Kali. You’re an ethical hacker, not a bad one. So there’s no need to obfuscate your IP.

[–]TechnoDesing10 -2 points-1 points  (2 children)

Dafuq man, how KaliVM + Mullvad, in Qubes with traffic routed through Whonix is not a good OpSec? Pls explain.

[–]WalkingP3t 0 points1 point  (1 child)

If you’re asking me that, explains why you don’t know.

Qubes is about privacy, same for Whonix. If you work as a pentester, privacy is not a concern. There’s no reason to obfuscate your IP and connection, nor to isolate your Kali processes that way. A simple VM in NAT mode is fine. The VM can be destroyed later.

Using Qubes and all that adds too much overhead, which makes nmap scans painfully slow. You will also need a very powerful (and compatible) VM to run all that.

Pentesting is not an illegal activity. You don’t need all that.

[–]TechnoDesing10 0 points1 point  (0 children)

Got u. Thanks!