2.1. Downloading a Kali ISO Image
2.1.1. Where to Download
The only official source of Kali Linux ISO images is the Downloads section of the Kali website. Due to its popularity, numerous sites offer Kali images for download, but they should not be considered trustworthy and indeed may be infected with malware or otherwise cause irreparable damage to your system.
The website is available over HTTPS, making it difficult to impersonate. Being able to carry out a man-in-the-middle attack is not sufficient as the attacker would also need a www.kali.org certificate signed by a Transport Layer Security (TLS) certificate authority that is trusted by the victim's browser. Because certificate authorities exist precisely to prevent this type of problem, they deliver certificates only to people whose identities have been verified and who have provided evidence that they control the corresponding website.
2.1.2. What to Download
The official download page shows a short list of ISO images, as shown in Figure 2.1, "List of Images Offered for Download".
Figure 2.1. List of Images Offered for Download
All disk images labeled 64-bit or 32-bit refer to images suitable for CPUs, found in most modern desktop and laptop computers. If you are downloading for use on a fairly modern machine, it most likely contains a 64-bit processor. If you are unsure, rest assured that all 64-bit processors can run 32-bit instructions. You can always download and run the 32-bit image. The reverse is not true, however. Refer to the sidebar for more detailed information.
If you are planning to install Kali on an ARM-based device, you must refer to Offensive Security's download page for the list of available devices.
Now that you know whether you need a 64-bit or 32-bit image, there is only one step left: selecting the kind of image. The available images differ in how they go about installation. The Installer and NetInstaller images, specialized for a straightforward install featuring selectable installation options, do not come with the ability to run the live system. The Live image, however, comes with the ability to run the live system or start the installation process, although it does lack the selectable options featured in the installation images. The selectable options include choices in desktop environments as well as which collection of packages to install. We will be using the live image throughout this book.
Once you have decided on the image you need, you can download the image by clicking on the title in the respective row. Alternatively, you can download the image from the BitTorrent peer-to-peer network by clicking on "Torrent," provided that you have a BitTorrent client associated with the .torrent extension.
While your chosen ISO image is downloading, you should take note of the checksum written in the sha256sum column. Once you have downloaded your image, use this checksum to verify that the downloaded image matches the one the Kali development team put online (see Section 2.1.3, “Verifying Integrity and Authenticity”).
2.1.3. Verifying Integrity and Authenticity
Security professionals must verify the integrity of their tools to not only protect their data and networks but also those of their clients. While the Kali download page and links are TLS-protected, Kali relies on a network of external mirrors to distribute the image means that you should not blindly trust what you download. The mirror you were directed to may have been compromised, or you might be the victim of an attack yourself.
To alleviate this, the Kali project always provides checksums of the images it distributes. But to make such a check effective, you must be sure that the checksum you grabbed is effectively the checksum published by the Kali Linux developers. You have different ways to ascertain this.
184.108.40.206. Relying on the TLS-Protected Website
When you retrieve the checksum from the TLS-protected download webpage, its origin is indirectly guaranteed by the X.509 certificate security model: the content you see comes from a web site that is effectively under the control of the person who requested the TLS certificate.
Now you should generate the checksum of your downloaded image and ensure that it matches what you recorded from the Kali website:
$ sha256sum kali-linux-2020.3-live-amd64.iso 1a0b2ea83f48861dd3f3babd5a2892a14b30a7234c8c9b5013a6507d1401874f kali-linux-2020.3-live-amd64.iso
If your generated checksum matches the one on the Kali Linux download page, you have the correct file. If the checksums differ, there is a problem, although this does not always indicate a compromise or an attack; downloads occasionally get corrupted as they traverse the Internet. Try your download again, from another official Kali mirror, if possible (see cdimage.kali.org for more information about available mirrors).
220.127.116.11. Relying on PGP's Web of Trust
If you don't trust HTTPS for authentication, you are a bit paranoid but rightfully so. There are many examples of badly managed certificate authorities that issued rogue certificates, which ended up being misused. You may also be the victim of a “friendly” man-in-the-middle attack implemented on many corporate networks, using a custom, browser-implanted trust store that presents fake certificates to encrypted websites, allowing corporate auditors to monitor encrypted traffic.
For cases like this, we also provide a GnuPG key that we use to sign the checksums of the images we provide. The key's identifiers and its fingerprints are shown here:
pub rsa4096 2012-03-05 [SC] [expires: 2023-01-16] 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6 uid Kali Linux Repository <email@example.com> sub rsa4096 2012-03-05 [E] [expires: 2023-01-16]
This key is part of a global web of trust because it has been signed at least by me (Raphaël Hertzog) and I am part of the web of trust due to my heavy GnuPG usage as a Debian developer.
The PGP/GPG security model is very unique. Anyone can generate any key with any identity, but you would only trust that key if it has been signed by another key that you already trust. When you sign a key, you certify that you met the holder of the key and that you know that the associated identity is correct. And you define the initial set of keys that you trust, which obviously includes your own key.
This model has its own limitations so you can opt to download Kali's public key over HTTPS (or from a keyserver) and just decide that you trust it because its fingerprint matches what we announced in multiple places, including just above in this book:
$ wget -q -O - https://archive.kali.org/archive-key.asc | gpg --import [ or ] $ gpg --keyserver hkp://keys.gnupg.net --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 gpg: key ED444FF07D8D0BF6: public key "Kali Linux Repository <firstname.lastname@example.org>" imported gpg: Total number processed: 1 gpg: imported: 1 [...] $ gpg --fingerprint 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 [...] 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6 [...]
After you have retrieved the key, you can use it to verify the checksums of the distributed images. Let's download the file with the checksums (SHA256SUMS) and the associated signature file (SHA256SUMS.gpg) and verify the signature:
$ wget http://cdimage.kali.org/current/SHA256SUMS [...] $ wget http://cdimage.kali.org/current/SHA256SUMS.gpg [...] $ gpg --verify SHA256SUMS.gpg SHA256SUMS gpg: Signature made Tue 18 Aug 2020 10:31:15 AM EDT gpg: using RSA key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 gpg: Good signature from "Kali Linux Repository <email@example.com>"
If you get that “Good signature” message, you can trust the content of the SHA256SUMS file and use it to verify the files you downloaded. Otherwise, there is a problem. You should review whether you downloaded the files from a legitimate Kali Linux mirror.
Note that you can use the following command line to verify that the downloaded file has the same checksum that is listed in SHA256SUMS, provided that the downloaded ISO file is in the same directory:
$ grep kali-linux-2020.3-live-amd64.iso SHA256SUMS | sha256sum -c kali-linux-2020.3-live-amd64.iso: OK
If you don't get OK in response, then the file you have downloaded is different from the one released by the Kali team. It cannot be trusted and should not be used.
2.1.4. Copying the Image on a DVD-ROM or USB Key
Unless you want to run Kali Linux in a virtual machine, the ISO image is of limited use in and of itself. You must burn it on a DVD-ROM or copy it onto a USB key to be able to boot your machine into Kali Linux. We have chosen the Kali live image as we wish to boot from a USB allowing us to either use a live environment or install Kali Linux's default configuration.
We won't cover how to burn the ISO image onto a DVD-ROM, as the process varies widely by platform and environment, but in most cases, right clicking on the .iso file will present a contextual menu item that executes a DVD-ROM burning application. Try it out!
18.104.22.168. Creating a Bootable Kali USB Drive on Windows
As a prerequisite, you should download and install Win32 Disk Imager:
Plug your USB key into your Microsoft Windows PC and note the drive designator associated to it (for example, “E:\”).
Launch Win32 Disk Imager and choose the Kali Linux ISO file that you want to copy on the USB key. Verify that the letter of the device selected corresponds with that assigned to the USB key. Once you are certain that you have selected the correct drive, click the Write button and confirm that you want to overwrite the contents of the USB key as shown in Figure 2.2, “Win32 Disk Imager in action”.
Figure 2.2. Win32 Disk Imager in action
Once the copy is completed, safely eject the USB drive from your Microsoft Windows system. You can now use the USB device to boot Kali Linux.
22.214.171.124. Creating a Bootable Kali USB Drive on Linux
Creating a bootable Kali Linux USB key in a Linux environment is easy. The GNOME desktop environment, which is installed by default in many Linux distributions, comes with a Disks utility (in the gnome-disk-utility package). That program shows a list of disks, which refreshes dynamically when you plug or unplug a disk. When you select your USB key in the list of disks, detailed information will appear and will help you confirm that you selected the correct disk. Note that you can find its device name in the title bar as shown in Figure 2.3, “GNOME Disks”.
Figure 2.3. GNOME Disks
Click on the menu button and select Restore Disk Image... in the displayed pop-up menu. Select the ISO image that you formerly downloaded and click on Start Restoring... as shown in Figure 2.4, “Restore Disk Image Dialog”.
Figure 2.4. Restore Disk Image Dialog
Enjoy a cup of coffee while it finishes copying the image on the USB key (Figure 2.5, “Progression of the Image Restoration”).
Figure 2.5. Progression of the Image Restoration
126.96.36.199. Creating a Bootable Kali USB Drive on OS X/macOS
OS X/macOS is based on UNIX, so the process of creating a bootable Kali Linux USB drive is similar to the Linux procedure. Once you have downloaded and verified your chosen Kali ISO file, use dd to copy it over to your USB stick.
To identify the device name of the USB key, run diskutil list to list the disks available on your system. Next, insert your USB key and run the diskutil list command again. The second output should list an additional disk. You can determine the device name of the USB key by comparing the output from both commands. Look for a new line identifying your USB disk and note the /dev/diskX where X represents the disk ID.
You should make sure that the USB key is not mounted, which can be accomplished with an explicit unmount command (assuming /dev/disk6 is the device name of the USB key):
$ diskutil unmount /dev/disk6
Now proceed to execute the dd command. This time, add a supplementary parameter — bs for block size. It defines the size of the block that is read from the input file and then written to the output file. We will also utilize the raw disk path (signified by the r before disk) which will allow faster write speeds.
# dd if=kali-linux-2020.3-live-amd64.iso of=/dev/rdisk2 bs=4m 748+1 records in 748+1 records out 3138400256 bytes transferred in 713.156461 secs (4400718 bytes/sec)
That's it. Your USB key is now ready and you can boot from it or use it to install Kali Linux.