7.3. Securing Network Services
In general, it is a good idea to disable services that you do not use. Kali makes it easy to do this since most network services are disabled by default.
As long as services remain disabled, they do not pose any security threat. However, you must be careful when you enable them because:
- there is no firewall by default, so if they listen on all network interfaces, they are effectively publicly available.
- some services have no authentication credentials and let you set them on first use; others have default (and thus widely known) credentials preset. Make sure to (re)set any password to something that only you know.
- many services run as root with full administrator privileges, so the consequences of unauthorized access or a security breach are therefore usually severe.
Default Credentials
We won’t list here all tools that come with default credentials, instead you should check the README.Debian file of the respective packages, as well as docs.kali.org and tools.kali.org to see if the service needs some special care to be secured.
If you run in live mode, the password of the root account is “toor.” Thus you should not enable SSH before changing the password of the root account, or before having tweaked its configuration to disallow password-based logins.
Also note that the BeEF project (from the already-installed package beef-xss) is also known to have default credentials user “beef”, password “beef”) hardcoded in its default configuration file.
