dotfiles-Kali
The Kali node — Core + apt OS layer + a unique offensive role layer for authorized engagements.
Highlights
- engagement scaffolding
- scope-first workflow
- NetExec / BloodHound CE
- WSL2 mirrored net
How it fits
The Role layer — Operator role — offensive or defensive — stacked on top of an OS layer. It builds on Core, which is vendored
into its core/ directory. See the three-layer model for how the
layers compose.
Getting started
git clone https://github.com/dotgibson/dotfiles-Kali ~/dotfiles-Kali
cd ~/dotfiles-Kali
./bootstrap.sh # apt base + offensive tools + symlinks
wsl.exe --shutdown # from Windows, after dropping windows.wslconfig.exampleBuilt for Kali on WSL2. Flags: --no-offensive (skip the heavy tool install), --links-only.
What actually bites
- Three layers, not two — Kali adds an offensive stage to the zsh loader (… os offensive local), slotted after os so paths/clipboard resolve first and before local so a machine override still wins. It is Debian-family (apt) and its own lineage — not stamped from Fedora.
- Engagement data never lives in the repo — Everything goes under ~/engagements (outside any git tree); the paranoid .gitignore is only a backstop. mkengagement writes scope/scope.txt first — installing a tool is not permission to point it at anything.
- The naming changes that bite — CrackMapExec is gone — it is nxc (NetExec) now, the single highest-leverage tool in the kit. BloodHound is Community Edition; the bhce helper drives nxc’s --bloodhound module for a CE-ready collection.
- WSL2 is NAT’d — A listener / reverse shell / C2 in Kali is not LAN-reachable until you set networkingMode=mirrored in the Windows-side %UserProfile%\.wslconfig (Win11 22H2+) — not /etc/wsl.conf.