2.1. Downloading a Kali ISO Image
2.1.1. Where to Download
The only official source of Kali Linux ISO images is the “Downloads” section of the Kali website. Due to its popularity, numerous sites offer Kali images for download, but they should not be considered trustworthy and indeed may be infected with malware or otherwise cause irreparable damage to your system.
The website is available over HTTPS, making it difficult to impersonate. Being able to carry out a man-in-the-middle attack is not sufficient as the attacker would also need a www.kali.org
certificate signed by a Transport Layer Security (TLS) certificate authority that is trusted by the victim’s browser. Because certificate authorities exist precisely to prevent this type of problem, they deliver certificates only to people whose identities have been verified and who have provided evidence that they control the corresponding website.
2.1.2. What to Download
The official download page shows a short list of ISO images, as shown in Figure 2.1, “List of Images Offered for Download”.
Figure 2.1. List of Images Offered for Download
All disk images labeled 32- or 64-bit refer to images suitable for CPUs, found in most modern desktop and laptop computers. If you are downloading for use on a fairly modern machine, it most likely contains a 64-bit processor. If you are unsure, rest assured that all 64-bit processors can run 32-bit instructions. You can always download and run the 32-bit image. The reverse is not true, however. Refer to the sidebar for more detailed information.
If you are planning to install Kali on an embedded device, smartphone, Chromebook, access point, or any other device with an ARM processor, you must use the Linux armel or armhf images.
Now that you know whether you need a 32-bit or 64-bit image, there is only one step left: selecting the kind of image. The default Kali Linux image and the Kali Linux Light variant are both live ISOs that can be used to run the live system or to start the installation process. They differ only by the set of pre-installed applications. The default image comes with the GNOME desktop and a large collection of packages found to be appropriate for most penetration testers, while the light image comes with the XFCE desktop, (which is much less demanding on system resources), and a limited collection of packages, allowing you to choose only the apps you need. The remaining images use alternate desktop environments but come with the same large package collection as the main image.
Once you have decided on the image you need, you can download the image by clicking on “ISO” in the respective row. Alternatively, you can download the image from the BitTorrent peer-to-peer network by clicking on “Torrent,” provided that you have a BitTorrent client associated with the .torrent extension.
While your chosen ISO image is downloading, you should take note of the checksum written in the “sha256sum” column. Once you have downloaded your image, you will use this checksum to verify that the downloaded image matches the one the Kali development team put online (see next section).
2.1.3. Verifying Integrity and Authenticity
Security professionals must verify the integrity of their tools to not only protect their data and networks but also those of their clients. While the Kali download page is TLS-protected, the actual download link points to an unencrypted URL that offers no protection against potential man-in-the-middle attacks. The fact that Kali relies on a network of external mirrors to distribute the image means that you should not blindly trust what you download. The mirror you were directed to may have been compromised, or you might be the victim of an attack yourself.
To alleviate this, the Kali project always provides checksums of the images it distributes. But to make such a check effective, you must be sure that the checksum you grabbed is effectively the checksum published by the Kali Linux developers. You have different ways to ascertain this.
2.1.3.1. Relying on the TLS-Protected Website
When you retrieve the checksum from the TLS-protected download webpage, its origin is indirectly guaranteed by the X.509 certificate security model: the content you see comes from a web site that is effectively under the control of the person who requested the TLS certificate.
Now you should generate the checksum of your downloaded image and ensure that it matches what you recorded from the Kali website:
1 2 |
$ sha256sum kali-linux-2016.2-amd64.iso 1d90432e6d5c6f40dfe9589d9d0450a53b0add9a55f71371d601a5d454fa0431 kali-linux-2016.2-amd64.iso |
If your generated checksum matches the one on the Kali Linux download page, you have the correct file. If the checksums differ, there is a problem, although this does not indicate a compromise or an attack; downloads occasionally get corrupted as they traverse the Internet. Try your download again, from another official Kali mirror, if possible (see cdimage.kali.org for more information about available mirrors).
2.1.3.2. Relying on PGP’s Web of Trust
If you don’t trust HTTPS for authentication, you are a bit paranoid but rightfully so. There are many examples of badly managed certificate authorities that issued rogue certificates, which ended up being misused. You may also be the victim of a “friendly” man-in-the-middle attack implemented on many corporate networks, using a custom, browser-implanted trust store that presents fake certificates to all SSL-encrypted websites, allowing corporate auditors to monitor encrypted traffic.
For cases like this, we also provide a GnuPG key that we use to sign the checksums of the images we provide. The key’s identifiers and its fingerprints are shown here:
1 2 3 4 |
pub 4096R/7D8D0BF6 2012-03-05 [expires: 2018-02-02] Key fingerprint = 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6 uid Kali Linux Repository <devel@kali.org> sub 4096R/FC0D0DCB 2012-03-05 [expires: 2018-02-02] |
This key is part of a global web of trust because it has been signed at least by me (Raphaël Hertzog) and I am part of the web of trust due to my heavy GnuPG usage as a Debian developer.
The PGP/GPG security model is very unique. Anyone can generate any key with any identity, but you will only trust that key if it has been signed by another key that you already trust. When you sign a key, you certify that you met the holder of the key and that you know that the associated identity is correct. And you define the initial set of keys that you trust, which obviously includes your own key.
This model has its own limitations so you can opt to download Kali’s public key over HTTPS (or from a keyserver) and just decide that you trust it because its fingerprint matches what we announced in multiple places, including just above in this book:
1 2 3 4 5 6 7 8 9 10 11 |
$ wget -q -O - https://www.kali.org/archive-key.asc | gpg --import [ or ] $ gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6 gpg: key 7D8D0BF6: public key "Kali Linux Repository <devel@kali.org>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) [...] $ gpg --fingerprint 7D8D0BF6 [...] Key fingerprint = 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6 [...] |
Now that we have retrieved the key, we can use it to verify the checksums of the distributed images. Let’s download the file with the checksums (SHA256SUMS) and the associated signature file (SHA256SUMS.gpg) and verify the signature:
1 2 3 4 5 6 7 8 |
$ wget http://cdimage.kali.org/current/SHA256SUMS [...] $ wget http://cdimage.kali.org/current/SHA256SUMS.gpg [...] $ gpg --verify SHA256SUMS.gpg SHA256SUMS gpg: Signature made Thu 16 Mar 2017 08:55:45 AM MDT gpg: using RSA key ED444FF07D8D0BF6 gpg: Good signature from "Kali Linux Repository <devel@kali.org>" |
If you get that “Good signature” message, you can trust the content of the SHA256SUMS
file and use it to verify the files you downloaded. Otherwise, there is a problem. You should review whether you downloaded the files from a legitimate Kali Linux mirror.
Note that you can use the following command line to verify that the downloaded file has the same checksum that is listed in SHA256SUMS
, provided that the downloaded ISO file is in the same directory:
1 2 |
$ grep kali-linux-2016.2-amd64.iso SHA256SUMS | sha256sum -c kali-linux-2016.2-amd64.iso: OK |
If you don’t get OK
in response, then the file you have downloaded is different from the one released by the Kali team. It cannot be trusted and should not be used.
2.1.4. Copying the Image on a DVD-ROM or USB Key
Unless you want to run Kali Linux in a virtual machine, the ISO image is of limited use in and of itself. You must burn it on a DVD-ROM or copy it onto a USB key to be able to boot your machine into Kali Linux.
We won’t cover how to burn the ISO image onto a DVD-ROM, as the process varies widely by platform and environment, but in most cases, right clicking on the .iso
file will present a contextual menu item that executes a DVD-ROM burning application. Try it out!
2.1.4.1. Creating a Bootable Kali USB Drive on Windows
As a prerequisite, you should download and install Win32 Disk Imager:
Plug your USB key into your Windows PC and note the drive designator associated to it (for example, “E:”).
Launch Win32 Disk Imager and choose the Kali Linux ISO file that you want to copy on the USB key. Verify that the letter of the device selected corresponds with that assigned to the USB key. Once you are certain that you have selected the correct drive, click the Write button and confirm that you want to overwrite the contents of the USB key as shown in Figure 2.2, “Win32 Disk Imager in action”.
Figure 2.2. Win32 Disk Imager in action
Once the copy is completed, safely eject the USB drive from the Windows system. You can now use the USB device to boot Kali Linux.
2.1.4.2. Creating a Bootable Kali USB Drive on Linux
Creating a bootable Kali Linux USB key in a Linux environment is easy. The GNOME desktop environment, which is installed by default in many Linux distributions, comes with a Disks utility (in the gnome-disk-utility package, which is already installed in the stock Kali image). That program shows a list of disks, which refreshes dynamically when you plug or unplug a disk. When you select your USB key in the list of disks, detailed information will appear and will help you confirm that you selected the correct disk. Note that you can find its device name in the title bar as shown in Figure 2.3, “GNOME Disks”.
Figure 2.3. GNOME Disks
Click on the menu button and select
in the displayed pop-up menu. Select the ISO image that you formerly downloaded and click on as shown in Figure 2.4, “Restore Disk Image Dialog”.Figure 2.4. Restore Disk Image Dialog
Enjoy a cup of coffee while it finishes copying the image on the USB key (Figure 2.5, “Progression of the Image Restoration”).
Figure 2.5. Progression of the Image Restoration
2.1.4.3. Creating a Bootable Kali USB Drive on OS X/macOS
OS X/macOS is based on UNIX, so the process of creating a bootable Kali Linux USB drive is similar to the Linux procedure. Once you have downloaded and verified your chosen Kali ISO file, use dd
to copy it over to your USB stick.
To identify the device name of the USB key, run diskutil list
to list the disks available on your system. Next, insert your USB key and run the diskutil list
command again. The second output should list an additional disk. You can determine the device name of the USB key by comparing the output from both commands. Look for a new line identifying your USB disk and note the /dev/diskX
where X represents the disk ID.
You should make sure that the USB key is not mounted, which can be accomplished with an explicit unmount command (assuming /dev/disk6
is the device name of the USB key):
1 |
$ diskutil unmount /dev/disk6 |
Now proceed to execute the dd
command. This time, we add a supplementary parameter — bs
for block size. It defines the size of the block that is read from the input file and then written to the output file.
1 2 3 4 |
# dd if=kali-linux-light-2016.2-amd64.iso of=/dev/disk6 bs=1M 1011+0 records in 1011+0 records out 1060241408 bytes transferred in 327.061 secs (3242328 bytes/sec) |
That’s it. Your USB key is now ready and you can boot from it or use it to install Kali Linux.