Downloading Kali Linux

2.1. Downloading a Kali ISO Image

2.1.1. Where to Download

The only official source of Kali Linux ISO images is the “Downloads” section of the Kali website. Due to its popularity, numerous sites offer Kali images for download, but they should not be considered trustworthy and indeed may be infected with malware or otherwise cause irreparable damage to your system.

https://www.kali.org/downloads/

The website is available over HTTPS, making it difficult to impersonate. Being able to carry out a man-in-the-middle attack is not sufficient as the attacker would also need a www.kali.org certificate signed by a Transport Layer Security (TLS) certificate authority that is trusted by the victim’s browser. Because certificate authorities exist precisely to prevent this type of problem, they deliver certificates only to people whose identities have been verified and who have provided evidence that they control the corresponding website.

cdimage.kali.org

The links found on the download page point to the cdimage.kali.org domain, which redirects to a mirror close to you, improving your transfer speed while reducing the burden on Kali’s central servers.

A list of available mirrors can be found here:

http://cdimage.kali.org/README.mirrorlist

2.1.2. What to Download

The official download page shows a short list of ISO images, as shown in Figure 2.1, “List of Images Offered for Download”.

Figure 2.1. List of Images Offered for Download

All disk images labeled 32- or 64-bit refer to images suitable for CPUs, found in most modern desktop and laptop computers. If you are downloading for use on a fairly modern machine, it most likely contains a 64-bit processor. If you are unsure, rest assured that all 64-bit processors can run 32-bit instructions. You can always download and run the 32-bit image. The reverse is not true, however. Refer to the sidebar for more detailed information.

If you are planning to install Kali on an embedded device, smartphone, Chromebook, access point, or any other device with an ARM processor, you must use the Linux armel or armhf images.

Is My CPU 32- or 64-bit?

Under Windows, you can find this information by running the System Information application (found in the “Accessories” > “System Tools” folder). On the System Summary screen, you can inspect the “System Type” field: it will contain “x64-based PC” for a 64-bit CPU or “x86-based PC” for a 32-bit CPU.

Under OS X/macOS, there is no standard application showing this information but you can still infer it from the output of the uname -m command run on the terminal. It will return x86_64 on a system with a 64-bit kernel (which can only run on a 64-bit CPU) and on systems with a 32-bit kernel, it will return i386 or something similar (i486, i586, or i686). Any 32-bit kernel can run on a 64-bit CPU, but since Apple controls the hardware and the software, it is unlikely you will find this configuration.

Under Linux, you can inspect the flags field in the /proc/cpuinfo virtual file. If it contains the lm attribute, then your CPU is a 64-bit; otherwise, it is a 32-bit. The following command line will tell you what kind of CPU you have:

$ grep -qP '^flagss*:.*blmb' /proc/cpuinfo && echo 64-bit || echo 32-bit 
64-bit

1 2	$ grep -qP '^flagss:.blmb' /proc/cpuinfo && echo 64-bit \|\| echo 32-bit 64-bit

Now that you know whether you need a 32-bit or 64-bit image, there is only one step left: selecting the kind of image. The default Kali Linux image and the Kali Linux Light variant are both live ISOs that can be used to run the live system or to start the installation process. They differ only by the set of pre-installed applications. The default image comes with the GNOME desktop and a large collection of packages found to be appropriate for most penetration testers, while the light image comes with the XFCE desktop, (which is much less demanding on system resources), and a limited collection of packages, allowing you to choose only the apps you need. The remaining images use alternate desktop environments but come with the same large package collection as the main image.

Once you have decided on the image you need, you can download the image by clicking on “ISO” in the respective row. Alternatively, you can download the image from the BitTorrent peer-to-peer network by clicking on “Torrent,” provided that you have a BitTorrent client associated with the .torrent extension.

While your chosen ISO image is downloading, you should take note of the checksum written in the “sha256sum” column. Once you have downloaded your image, you will use this checksum to verify that the downloaded image matches the one the Kali development team put online (see next section).

2.1.3. Verifying Integrity and Authenticity

Security professionals must verify the integrity of their tools to not only protect their data and networks but also those of their clients. While the Kali download page is TLS-protected, the actual download link points to an unencrypted URL that offers no protection against potential man-in-the-middle attacks. The fact that Kali relies on a network of external mirrors to distribute the image means that you should not blindly trust what you download. The mirror you were directed to may have been compromised, or you might be the victim of an attack yourself.

To alleviate this, the Kali project always provides checksums of the images it distributes. But to make such a check effective, you must be sure that the checksum you grabbed is effectively the checksum published by the Kali Linux developers. You have different ways to ascertain this.

2.1.3.1. Relying on the TLS-Protected Website

When you retrieve the checksum from the TLS-protected download webpage, its origin is indirectly guaranteed by the X.509 certificate security model: the content you see comes from a web site that is effectively under the control of the person who requested the TLS certificate.

Now you should generate the checksum of your downloaded image and ensure that it matches what you recorded from the Kali website:

$ sha256sum kali-linux-2016.2-amd64.iso
1d90432e6d5c6f40dfe9589d9d0450a53b0add9a55f71371d601a5d454fa0431  kali-linux-2016.2-amd64.iso

1 2	$ sha256sum kali-linux-2016.2-amd64.iso 1d90432e6d5c6f40dfe9589d9d0450a53b0add9a55f71371d601a5d454fa0431 kali-linux-2016.2-amd64.iso

If your generated checksum matches the one on the Kali Linux download page, you have the correct file. If the checksums differ, there is a problem, although this does not indicate a compromise or an attack; downloads occasionally get corrupted as they traverse the Internet. Try your download again, from another official Kali mirror, if possible (see cdimage.kali.org for more information about available mirrors).

2.1.3.2. Relying on PGP’s Web of Trust

If you don’t trust HTTPS for authentication, you are a bit paranoid but rightfully so. There are many examples of badly managed certificate authorities that issued rogue certificates, which ended up being misused. You may also be the victim of a “friendly” man-in-the-middle attack implemented on many corporate networks, using a custom, browser-implanted trust store that presents fake certificates to all SSL-encrypted websites, allowing corporate auditors to monitor encrypted traffic.

For cases like this, we also provide a GnuPG key that we use to sign the checksums of the images we provide. The key’s identifiers and its fingerprints are shown here:

pub   4096R/7D8D0BF6 2012-03-05 [expires: 2018-02-02]
      Key fingerprint = 44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6
uid                  Kali Linux Repository <devel@kali.org>
sub   4096R/FC0D0DCB 2012-03-05 [expires: 2018-02-02]

pub 4096R/7D8D0BF6 2012-03-05 [expires: 2018-02-02]

Key fingerprint = 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6

uid Kali Linux Repository <devel@kali.org>

sub 4096R/FC0D0DCB 2012-03-05 [expires: 2018-02-02]

This key is part of a global web of trust because it has been signed at least by me (Raphaël Hertzog) and I am part of the web of trust due to my heavy GnuPG usage as a Debian developer.

The PGP/GPG security model is very unique. Anyone can generate any key with any identity, but you will only trust that key if it has been signed by another key that you already trust. When you sign a key, you certify that you met the holder of the key and that you know that the associated identity is correct. And you define the initial set of keys that you trust, which obviously includes your own key.

This model has its own limitations so you can opt to download Kali’s public key over HTTPS (or from a keyserver) and just decide that you trust it because its fingerprint matches what we announced in multiple places, including just above in this book:

$ wget -q -O - https://www.kali.org/archive-key.asc | gpg --import
[ or ]
$ gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6
gpg: key 7D8D0BF6: public key "Kali Linux Repository <devel@kali.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[...]
$ gpg --fingerprint 7D8D0BF6
[...]
      Key fingerprint = 44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6
[...]

$ wget -q -O - https://www.kali.org/archive-key.asc | gpg --import

[ or ]

$ gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6

gpg: key 7D8D0BF6: public key "Kali Linux Repository <devel@kali.org>" imported

gpg: Total number processed: 1

gpg: imported: 1 (RSA: 1)

[...]

$ gpg --fingerprint 7D8D0BF6

[...]

Key fingerprint = 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6

[...]

Now that we have retrieved the key, we can use it to verify the checksums of the distributed images. Let’s download the file with the checksums (SHA256SUMS) and the associated signature file (SHA256SUMS.gpg) and verify the signature:

$ wget http://cdimage.kali.org/current/SHA256SUMS
[...]
$ wget http://cdimage.kali.org/current/SHA256SUMS.gpg
[...]
$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 16 Mar 2017 08:55:45 AM MDT
gpg:                using RSA key ED444FF07D8D0BF6
gpg: Good signature from "Kali Linux Repository <devel@kali.org>"

$ wget http://cdimage.kali.org/current/SHA256SUMS

[...]

$ wget http://cdimage.kali.org/current/SHA256SUMS.gpg

[...]

$ gpg --verify SHA256SUMS.gpg SHA256SUMS

gpg: Signature made Thu 16 Mar 2017 08:55:45 AM MDT

gpg: using RSA key ED444FF07D8D0BF6

gpg: Good signature from "Kali Linux Repository <devel@kali.org>"

If you get that “Good signature” message, you can trust the content of the SHA256SUMS file and use it to verify the files you downloaded. Otherwise, there is a problem. You should review whether you downloaded the files from a legitimate Kali Linux mirror.

Note that you can use the following command line to verify that the downloaded file has the same checksum that is listed in SHA256SUMS, provided that the downloaded ISO file is in the same directory:

$ grep kali-linux-2016.2-amd64.iso SHA256SUMS | sha256sum -c
kali-linux-2016.2-amd64.iso: OK

1 2	$ grep kali-linux-2016.2-amd64.iso SHA256SUMS \| sha256sum -c kali-linux-2016.2-amd64.iso: OK

If you don’t get OK in response, then the file you have downloaded is different from the one released by the Kali team. It cannot be trusted and should not be used.

2.1.4. Copying the Image on a DVD-ROM or USB Key

Unless you want to run Kali Linux in a virtual machine, the ISO image is of limited use in and of itself. You must burn it on a DVD-ROM or copy it onto a USB key to be able to boot your machine into Kali Linux.

We won’t cover how to burn the ISO image onto a DVD-ROM, as the process varies widely by platform and environment, but in most cases, right clicking on the .iso file will present a contextual menu item that executes a DVD-ROM burning application. Try it out!

Warning

In this section, you will learn how to overwrite an arbitrary disk with a Kali Linux ISO image. Always double-check the target disk before launching the operation as a single mistake will likely cause complete data loss and possibly damage your setup beyond repair.

2.1.4.1. Creating a Bootable Kali USB Drive on Windows

As a prerequisite, you should download and install Win32 Disk Imager:

https://sourceforge.net/projects/win32diskimager/

Plug your USB key into your Windows PC and note the drive designator associated to it (for example, “E:”).

Launch Win32 Disk Imager and choose the Kali Linux ISO file that you want to copy on the USB key. Verify that the letter of the device selected corresponds with that assigned to the USB key. Once you are certain that you have selected the correct drive, click the Write button and confirm that you want to overwrite the contents of the USB key as shown in Figure 2.2, “Win32 Disk Imager in action”.

11_win32-disk-imager

11_win32-disk-imager-confirm

Figure 2.2. Win32 Disk Imager in action

Once the copy is completed, safely eject the USB drive from the Windows system. You can now use the USB device to boot Kali Linux.

2.1.4.2. Creating a Bootable Kali USB Drive on Linux

Creating a bootable Kali Linux USB key in a Linux environment is easy. The GNOME desktop environment, which is installed by default in many Linux distributions, comes with a Disks utility (in the gnome-disk-utility package, which is already installed in the stock Kali image). That program shows a list of disks, which refreshes dynamically when you plug or unplug a disk. When you select your USB key in the list of disks, detailed information will appear and will help you confirm that you selected the correct disk. Note that you can find its device name in the title bar as shown in Figure 2.3, “GNOME Disks”.

11_gnome-disks

Figure 2.3. GNOME Disks

Click on the menu button and select Restore Disk Image… in the displayed pop-up menu. Select the ISO image that you formerly downloaded and click on Start Restoring… as shown in Figure 2.4, “Restore Disk Image Dialog”.

11_gnome-disks-restore-image

Figure 2.4. Restore Disk Image Dialog

Enjoy a cup of coffee while it finishes copying the image on the USB key (Figure 2.5, “Progression of the Image Restoration”).

11_gnome-disks-progressbar

Figure 2.5. Progression of the Image Restoration

Create the Bootable USB Drive from the Command Line

Even though the graphical process is fairly straightforward, the operation is just as easy for command line users.

When you insert your USB key, the Linux kernel will detect it and assign it a name, which is printed in the kernel logs. You can find its name by inspecting the logs returned by dmesg.

$ dmesg
[...]
[234743.896134] usb 1-1.2: new high-speed USB device number 6 using ehci-pci
[234743.990764] usb 1-1.2: New USB device found, idVendor=08ec, idProduct=0020
[234743.990771] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[234743.990774] usb 1-1.2: Product: Store'n'go
[234743.990777] usb 1-1.2: Manufacturer: Verbatim
[234743.990780] usb 1-1.2: SerialNumber: 0390627052A2F897
[234743.991845] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[234743.992017] scsi host7: usb-storage 1-1.2:1.0
[234744.993818] scsi 7:0:0:0: Direct-Access     VBTM     Store'n'go       6.51 PQ: 0 ANSI: 0 CCS
[234744.994425] sd 7:0:0:0: Attached scsi generic sg1 type 0
[234744.995753] sd 7:0:0:0: [sdb] 3903487 512-byte logical blocks: (2.00 GB/1.86 GiB)
[234744.996663] sd 7:0:0:0: [sdb] Write Protect is off
[234744.996669] sd 7:0:0:0: [sdb] Mode Sense: 45 00 00 08
[234744.997518] sd 7:0:0:0: [sdb] No Caching mode page found
[234744.997524] sd 7:0:0:0: [sdb] Assuming drive cache: write through
[234745.009375]  sdb: sdb1
[234745.015113] sd 7:0:0:0: [sdb] Attached SCSI removable disk

$ dmesg

[...]

[234743.896134] usb 1-1.2: new high-speed USB device number 6 using ehci-pci

[234743.990764] usb 1-1.2: New USB device found, idVendor=08ec, idProduct=0020

[234743.990771] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3

[234743.990774] usb 1-1.2: Product: Store'n'go

[234743.990777] usb 1-1.2: Manufacturer: Verbatim

[234743.990780] usb 1-1.2: SerialNumber: 0390627052A2F897

[234743.991845] usb-storage 1-1.2:1.0: USB Mass Storage device detected

[234743.992017] scsi host7: usb-storage 1-1.2:1.0

[234744.993818] scsi 7:0:0:0: Direct-Access VBTM Store'n'go 6.51 PQ: 0 ANSI: 0 CCS

[234744.994425] sd 7:0:0:0: Attached scsi generic sg1 type 0

[234744.995753] sd 7:0:0:0: [sdb] 3903487 512-byte logical blocks: (2.00 GB/1.86 GiB)

[234744.996663] sd 7:0:0:0: [sdb] Write Protect is off

[234744.996669] sd 7:0:0:0: [sdb] Mode Sense: 45 00 00 08

[234744.997518] sd 7:0:0:0: [sdb] No Caching mode page found

[234744.997524] sd 7:0:0:0: [sdb] Assuming drive cache: write through

[234745.009375] sdb: sdb1

[234745.015113] sd 7:0:0:0: [sdb] Attached SCSI removable disk

Now that you know that the USB key is available as /dev/sdb, you can proceed to copy the image with the dd command:

# dd if=kali-linux-light-2016.2-amd64.iso of=/dev/sdb
2070784+0 records in
2070784+0 records out
1060241408 bytes (1.1 GB, 1011 MiB) copied, 334.175 s, 3.2 MB/s

# dd if=kali-linux-light-2016.2-amd64.iso of=/dev/sdb

2070784+0 records in

2070784+0 records out

1060241408 bytes (1.1 GB, 1011 MiB) copied, 334.175 s, 3.2 MB/s

Note that you need root permissions for this operation to succeed and you should also ensure that the USB key is unused. That is, you should make sure that none of its partitions are mounted. The command also assumes that it is run while in the directory hosting the ISO image, otherwise the full path will need to be provided.

For reference, if stands for “input file” and of for “output file.” The dd command reads data from the input file and writes it back to the output file. It does not show any progress information so you must be patient while it is doing its work (It is not unusual for the command to take more than half an hour!). Look at the write activity LED on the USB key if you want to double check that the command is working. The statistics shown above are displayed only when the command has completed. On OS X/macOS, you can also press CTRL+T during the operation to get statistical information about the copy including how much data has been copied.

2.1.4.3. Creating a Bootable Kali USB Drive on OS X/macOS

OS X/macOS is based on UNIX, so the process of creating a bootable Kali Linux USB drive is similar to the Linux procedure. Once you have downloaded and verified your chosen Kali ISO file, use dd to copy it over to your USB stick.

To identify the device name of the USB key, run diskutil list to list the disks available on your system. Next, insert your USB key and run the diskutil list command again. The second output should list an additional disk. You can determine the device name of the USB key by comparing the output from both commands. Look for a new line identifying your USB disk and note the /dev/diskX where X represents the disk ID.

You should make sure that the USB key is not mounted, which can be accomplished with an explicit unmount command (assuming /dev/disk6 is the device name of the USB key):

$ diskutil unmount /dev/disk6

1	$ diskutil unmount /dev/disk6

Now proceed to execute the dd command. This time, we add a supplementary parameter — bs for block size. It defines the size of the block that is read from the input file and then written to the output file.

# dd if=kali-linux-light-2016.2-amd64.iso of=/dev/disk6 bs=1M
1011+0 records in
1011+0 records out
1060241408 bytes transferred in 327.061 secs (3242328 bytes/sec)

# dd if=kali-linux-light-2016.2-amd64.iso of=/dev/disk6 bs=1M

1011+0 records in

1011+0 records out

1060241408 bytes transferred in 327.061 secs (3242328 bytes/sec)

That’s it. Your USB key is now ready and you can boot from it or use it to install Kali Linux.

Booting an Alternate Disk on OS X/macOS

To boot from an alternate drive on an OS X/macOS system, bring up the boot menu by pressing and holding the Option key immediately after powering on the device and selecting the drive you want to use.

For more information, see Apple’s knowledge base.