Downloading Kali Linux

Comments are off

Topic Progress:

2.1. Downloading a Kali ISO Image

2.1.1. Where to Download

The only official source of Kali Linux ISO images is the Downloads section of the Kali website. Due to its popularity, numerous sites offer Kali images for download, but they should not be considered trustworthy and indeed may be infected with malware or otherwise cause irreparable damage to your system.

https://www.kali.org/downloads/

The website is available over HTTPS, making it difficult to impersonate. Being able to carry out a man-in-the-middle attack is not sufficient as the attacker would also need a www.kali.org certificate signed by a Transport Layer Security (TLS) certificate authority that is trusted by the victim's browser. Because certificate authorities exist precisely to prevent this type of problem, they deliver certificates only to people whose identities have been verified and who have provided evidence that they control the corresponding website.

cdimage.kali.org

The links found on the download page point to the cdimage.kali.org domain, which redirects to a mirror close to you, improving your transfer speed while reducing the burden on Kali's central servers.

A list of available mirrors can be found here:

http://cdimage.kali.org/README.mirrorlist

2.1.2. What to Download

The official download page shows a short list of ISO images, as shown in Figure 2.1, "List of Images Offered for Download".

List of Images Offered for Download

Figure 2.1. List of Images Offered for Download

All disk images labeled 64-bit or 32-bit refer to images suitable for CPUs, found in most modern desktop and laptop computers. If you are downloading for use on a fairly modern machine, it most likely contains a 64-bit processor. If you are unsure, rest assured that all 64-bit processors can run 32-bit instructions. You can always download and run the 32-bit image. The reverse is not true, however. Refer to the sidebar for more detailed information.

If you are planning to install Kali on an ARM-based device, you must refer to Offensive Security's download page for the list of available devices.

Is My CPU 32- or 64-bit?

Under Microsoft Windows, you can find this information by running the System Information application (found in the Accessories > System Tools folder). On the System Summary screen, you can inspect the System Type field: it will contain "x64-based PC" for a 64-bit CPU or “x86-based PC” for a 32-bit CPU.

Under OS X/macOS, there is no standard application showing this information but you can still infer it from the output of the uname -m command run on the terminal. It will return x86_64 on a system with a 64-bit kernel (which can only run on a 64-bit CPU), systems with a 32-bit kernel, it will return i386 or something similar (i486i586, or i686), and on systems with an arm64 kernel, it will return arm64. Any 32-bit kernel can run on a 64-bit CPU, but since Apple controls the hardware and the software, it is unlikely you will find this configuration.

Under Linux, you can inspect the flags field in the /proc/cpuinfo virtual file. If it contains the lm attribute, then your CPU is a 64-bit; otherwise, it is a 32-bit. The following command line will tell you what kind of CPU you have:

$ grep -qP '^flags\s*:.*\blm\b' /proc/cpuinfo && echo 64-bit || echo 32-bit
64-bit

Now that you know whether you need a 64-bit or 32-bit image, there is only one step left: selecting the kind of image. The available images differ in how they go about installation. The Installer and NetInstaller images, specialized for a straightforward install featuring selectable installation options, do not come with the ability to run the live system. The Live image, however, comes with the ability to run the live system or start the installation process, although it does lack the selectable options featured in the installation images. The selectable options include choices in desktop environments as well as which collection of packages to install. We will be using the live image throughout this book.

Once you have decided on the image you need, you can download the image by clicking on the title in the respective row. Alternatively, you can download the image from the BitTorrent peer-to-peer network by clicking on "Torrent," provided that you have a BitTorrent client associated with the .torrent extension.

While your chosen ISO image is downloading, you should take note of the checksum written in the sha256sum column. Once you have downloaded your image, use this checksum to verify that the downloaded image matches the one the Kali development team put online (see Section 2.1.3, “Verifying Integrity and Authenticity”).

2.1.3. Verifying Integrity and Authenticity

Security professionals must verify the integrity of their tools to not only protect their data and networks but also those of their clients. While the Kali download page and links are TLS-protected, Kali relies on a network of external mirrors to distribute the image means that you should not blindly trust what you download. The mirror you were directed to may have been compromised, or you might be the victim of an attack yourself.

To alleviate this, the Kali project always provides checksums of the images it distributes. But to make such a check effective, you must be sure that the checksum you grabbed is effectively the checksum published by the Kali Linux developers. You have different ways to ascertain this.

2.1.3.1. Relying on the TLS-Protected Website

When you retrieve the checksum from the TLS-protected download webpage, its origin is indirectly guaranteed by the X.509 certificate security model: the content you see comes from a web site that is effectively under the control of the person who requested the TLS certificate.

Now you should generate the checksum of your downloaded image and ensure that it matches what you recorded from the Kali website:

$ sha256sum kali-linux-2020.3-live-amd64.iso
1a0b2ea83f48861dd3f3babd5a2892a14b30a7234c8c9b5013a6507d1401874f  kali-linux-2020.3-live-amd64.iso

If your generated checksum matches the one on the Kali Linux download page, you have the correct file. If the checksums differ, there is a problem, although this does not always indicate a compromise or an attack; downloads occasionally get corrupted as they traverse the Internet. Try your download again, from another official Kali mirror, if possible (see cdimage.kali.org for more information about available mirrors).

2.1.3.2. Relying on PGP's Web of Trust

If you don't trust HTTPS for authentication, you are a bit paranoid but rightfully so. There are many examples of badly managed certificate authorities that issued rogue certificates, which ended up being misused. You may also be the victim of a “friendly” man-in-the-middle attack implemented on many corporate networks, using a custom, browser-implanted trust store that presents fake certificates to encrypted websites, allowing corporate auditors to monitor encrypted traffic.

For cases like this, we also provide a GnuPG key that we use to sign the checksums of the images we provide. The key's identifiers and its fingerprints are shown here:

pub   rsa4096 2012-03-05 [SC] [expires: 2023-01-16]
      44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6
uid                      Kali Linux Repository <devel@kali.org>
sub   rsa4096 2012-03-05 [E] [expires: 2023-01-16]

This key is part of a global web of trust because it has been signed at least by me (Raphaël Hertzog) and I am part of the web of trust due to my heavy GnuPG usage as a Debian developer.

The PGP/GPG security model is very unique. Anyone can generate any key with any identity, but you would only trust that key if it has been signed by another key that you already trust. When you sign a key, you certify that you met the holder of the key and that you know that the associated identity is correct. And you define the initial set of keys that you trust, which obviously includes your own key.

This model has its own limitations so you can opt to download Kali's public key over HTTPS (or from a keyserver) and just decide that you trust it because its fingerprint matches what we announced in multiple places, including just above in this book:

$ wget -q -O - https://archive.kali.org/archive-key.asc | gpg --import
[ or ]
$ gpg --keyserver hkp://keys.gnupg.net --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
gpg: key ED444FF07D8D0BF6: public key "Kali Linux Repository <devel@kali.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
[...]
$ gpg --fingerprint 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
[...]
      44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6
[...]

After you have retrieved the key, you can use it to verify the checksums of the distributed images. Let's download the file with the checksums (SHA256SUMS) and the associated signature file (SHA256SUMS.gpg) and verify the signature:

$ wget http://cdimage.kali.org/current/SHA256SUMS
[...]
$ wget http://cdimage.kali.org/current/SHA256SUMS.gpg
[...]
$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Tue 18 Aug 2020 10:31:15 AM EDT
gpg:                using RSA key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
gpg: Good signature from "Kali Linux Repository <devel@kali.org>"

If you get that “Good signature” message, you can trust the content of the SHA256SUMS file and use it to verify the files you downloaded. Otherwise, there is a problem. You should review whether you downloaded the files from a legitimate Kali Linux mirror.

Note that you can use the following command line to verify that the downloaded file has the same checksum that is listed in SHA256SUMS, provided that the downloaded ISO file is in the same directory:

$ grep kali-linux-2020.3-live-amd64.iso SHA256SUMS | sha256sum -c
kali-linux-2020.3-live-amd64.iso: OK

If you don't get OK in response, then the file you have downloaded is different from the one released by the Kali team. It cannot be trusted and should not be used.

2.1.4. Copying the Image on a DVD-ROM or USB Key

Unless you want to run Kali Linux in a virtual machine, the ISO image is of limited use in and of itself. You must burn it on a DVD-ROM or copy it onto a USB key to be able to boot your machine into Kali Linux. We have chosen the Kali live image as we wish to boot from a USB allowing us to either use a live environment or install Kali Linux's default configuration.

We won't cover how to burn the ISO image onto a DVD-ROM, as the process varies widely by platform and environment, but in most cases, right clicking on the .iso file will present a contextual menu item that executes a DVD-ROM burning application. Try it out!

Warning

In this section, you will learn how to overwrite an arbitrary disk with a Kali Linux ISO image. Always double-check the target disk before launching the operation as a single mistake would likely cause complete data loss and possibly damage your setup beyond repair.

2.1.4.1. Creating a Bootable Kali USB Drive on Windows

As a prerequisite, you should download and install Win32 Disk Imager:

https://sourceforge.net/projects/win32diskimager/

Plug your USB key into your Microsoft Windows PC and note the drive designator associated to it (for example, “E:\”).

Launch Win32 Disk Imager and choose the Kali Linux ISO file that you want to copy on the USB key. Verify that the letter of the device selected corresponds with that assigned to the USB key. Once you are certain that you have selected the correct drive, click the Write button and confirm that you want to overwrite the contents of the USB key as shown in Figure 2.2, “Win32 Disk Imager in action”.

20_win32-disk-imager

20_win32-disk-imager-confirm

20_win32-disk-imager-progress

Figure 2.2. Win32 Disk Imager in action

Once the copy is completed, safely eject the USB drive from your Microsoft Windows system. You can now use the USB device to boot Kali Linux.

2.1.4.2. Creating a Bootable Kali USB Drive on Linux

Creating a bootable Kali Linux USB key in a Linux environment is easy. The GNOME desktop environment, which is installed by default in many Linux distributions, comes with a Disks utility (in the gnome-disk-utility package). That program shows a list of disks, which refreshes dynamically when you plug or unplug a disk. When you select your USB key in the list of disks, detailed information will appear and will help you confirm that you selected the correct disk. Note that you can find its device name in the title bar as shown in Figure 2.3, “GNOME Disks”.

20_gnome-disks

Figure 2.3. GNOME Disks

Click on the menu button and select Restore Disk Image... in the displayed pop-up menu. Select the ISO image that you formerly downloaded and click on Start Restoring... as shown in Figure 2.4, “Restore Disk Image Dialog”.

20_gnome-disks-restore-image

Figure 2.4. Restore Disk Image Dialog

Enjoy a cup of coffee while it finishes copying the image on the USB key (Figure 2.5, “Progression of the Image Restoration”).

20_gnome-disks-progressbar

Figure 2.5. Progression of the Image Restoration

Create the Bootable USB Drive from the Command Line

Even though the graphical process is fairly straightforward, the operation is just as easy for command line users.

When you insert your USB key, the Linux kernel will detect it and assign it a name, which is printed in the kernel logs. You can find its name by inspecting the logs returned by dmesg.

$ dmesg
[...]
[ 2596.727036] usb 1-2.1: new high-speed USB device number 7 using uhci_hcd
[ 2597.023023] usb 1-2.1: New USB device found, idVendor=0781, idProduct=5575, bcdDevice= 1.26
[ 2597.023025] usb 1-2.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2597.023026] usb 1-2.1: Product: Cruzer Glide
[ 2597.023026] usb 1-2.1: Manufacturer: SanDisk
[ 2597.023026] usb 1-2.1: SerialNumber: 200533495211C0824E58
[ 2597.025989] usb-storage 1-2.1:1.0: USB Mass Storage device detected
[ 2597.026064] scsi host3: usb-storage 1-2.1:1.0
[ 2598.055632] scsi 3:0:0:0: Direct-Access     SanDisk  Cruzer Glide     1.26 PQ: 0 ANSI: 5
[ 2598.058596] sd 3:0:0:0: Attached scsi generic sg2 type 0
[ 2598.063036] sd 3:0:0:0: [sdb] 31266816 512-byte logical blocks: (16.0 GB/14.9 GiB)
[ 2598.067356] sd 3:0:0:0: [sdb] Write Protect is off
[ 2598.067361] sd 3:0:0:0: [sdb] Mode Sense: 43 00 00 00
[ 2598.074276] sd 3:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[ 2598.095976]  sdb: sdb1
[ 2598.108225] sd 3:0:0:0: [sdb] Attached SCSI removable disk

Now that you know that the USB key is available as /dev/sdb, you can proceed to copy the image with the dd command:

# dd if=kali-linux-2020.3-live-amd64.iso of=/dev/sdb
6129688+0 records in
6129688+0 records out
3138400256 bytes (3.1 GB, 2.9 GiB) copied, 678.758 s, 4.6 MB/s

Note that you need root permissions for this operation to succeed and you should also ensure that the USB key is unused. That is, you should make sure that none of its partitions are mounted. The command also assumes that it is run while in the directory hosting the ISO image, otherwise the full path will need to be provided.

For reference, if stands for "input file" and of for "output file." The dd command reads data from the input file and writes it back to the output file. It does not show any progress information so you must be patient while it is doing its work (It is not unusual for the command to take more than half an hour!). Look at the write activity LED on the USB key if you want to double check that the command is working. The statistics shown above are displayed only when the command has completed. On OS X/macOS, you can also press CTRL+T during the operation to get statistical information about the copy including how much data has been copied.

2.1.4.3. Creating a Bootable Kali USB Drive on OS X/macOS

OS X/macOS is based on UNIX, so the process of creating a bootable Kali Linux USB drive is similar to the Linux procedure. Once you have downloaded and verified your chosen Kali ISO file, use dd to copy it over to your USB stick.

To identify the device name of the USB key, run diskutil list to list the disks available on your system. Next, insert your USB key and run the diskutil list command again. The second output should list an additional disk. You can determine the device name of the USB key by comparing the output from both commands. Look for a new line identifying your USB disk and note the /dev/diskX where X represents the disk ID.

You should make sure that the USB key is not mounted, which can be accomplished with an explicit unmount command (assuming /dev/disk6 is the device name of the USB key):

$ diskutil unmount /dev/disk6

Now proceed to execute the dd command. This time, add a supplementary parameter — bs for block size. It defines the size of the block that is read from the input file and then written to the output file. We will also utilize the raw disk path (signified by the r before disk) which will allow faster write speeds.

# dd if=kali-linux-2020.3-live-amd64.iso of=/dev/rdisk2 bs=4m
748+1 records in
748+1 records out
3138400256 bytes transferred in 713.156461 secs (4400718 bytes/sec)

That's it. Your USB key is now ready and you can boot from it or use it to install Kali Linux.

Booting an Alternate Disk on OS X/macOS

To boot from an alternate drive on an OS X/macOS system, bring up the boot menu by pressing and holding the Option key immediately after powering on the device and selecting the drive you want to use.

For more information, see Apple's knowledge base.