Exercise 2-1: Downloading, Verifying and Booting Kali

Exercise 01, Chapter 2 – Getting set up, downloading and verifying and burning Kali

Install a virtual machine (VM) program, like VMWare Fusion (OSX), VirtualBox, etc.
Download a (likely 64-bit) Kali Linux VM release.
Launch the Kali VM.
From this point forward, you should be in the VM. Log into the VM (root/toor) and download the “Kali 64 bit” ISO from https://www.kali.org/downloads/ into your Kali VM.
Download and import Kali’s public keys.
Extract the fingerprint and get the SHA256SUMS and the associated signature file for the Kali ISOs.
Verify the sha256 checksum for your downloaded ISO matches the one in the SHA256SUMS file
Create a bootable USB device with the image.

1. You shouldn’t need help installing a VM program.
2. You shouldn’t need help downloading Kali. If you do, this course is not for you.
3. Extract the Kali VM .7z file, launch the .VMX file in the extracted directory to run the VM.
4. Download the Kali ISO. Note that through this exercise your version numbers may differ:


wget http://cdimage.kali.org/kali-2017.1/kali-linux-2017.1-amd64.iso

wget http://cdimage.kali.org/kali-2017.1/kali-linux-2017.1-amd64.iso

Download and import Kali public keys:

wget -q -O - https://www.kali.org/archive-key.asc | gpg --import #or gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6

1
2
3

wget -q -O - https://www.kali.org/archive-key.asc | gpg --import
#or
gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6
Extract the fingerprint and get the ISO SHASUMS:

gpg --fingerprint 7D8D0BF6 wget http://cdimage.kali.org/kali-2017.1/SHA256SUMS wget http://cdimage.kali.org/kali-2017.1/SHA256SUMS.gpg

1
2
3
4

gpg --fingerprint 7D8D0BF6
wget http://cdimage.kali.org/kali-2017.1/SHA256SUMS
wget http://cdimage.kali.org/kali-2017.1/SHA256SUMS.gpg

Now, we will verify the signature, to see if the SHA256SUMS file is authentic:


gpg --verify SHA256SUMS.gpg SHA256SUMS

gpg --verify SHA256SUMS.gpg SHA256SUMS

You should see a confirmation: “Good signature from “Kali Linux Repository (devel@kali.org)”

But wait, there’s an ugly warning that’s freaking me out!


gpg: WARNING: This key is not certified with a trusted signature!

gpg: WARNING: This key is not certified with a trusted signature!

This warning is normal. You can avoid it by using the “–trust-model always” option. The warning just says that there’s no path between your set of trusted keys and the Kali key in the web of trust. If you don’t have any key and/or if you never signed anyone’s else key, you will never be able to have a trust path to any other key.

Now that you know the SHA256SUMS file is authentic, you can trust the hashes that are in that file. Now, get the SHA sum of the ISO you downloaded:


root@kali:~# shasum -a 256 ./kali-linux-2017.1-amd64.iso
49b1c5769b909220060dc4c0e11ae09d97a270a80d259e05773101df62e11e9d  ./kali-linux-2017.1-amd64.iso

root@kali:~# shasum -a 256 ./kali-linux-2017.1-amd64.iso

49b1c5769b909220060dc4c0e11ae09d97a270a80d259e05773101df62e11e9d ./kali-linux-2017.1-amd64.iso

Compare your hash with the hash listed in the (now-trusted) SHA256SUMS file:


root@kali:~# grep kali-linux-2017.1-amd SHA256SUMS
49b1c5769b909220060dc4c0e11ae09d97a270a80d259e05773101df62e11e9d  kali-linux-2017.1-amd64.iso

root@kali:~# grep kali-linux-2017.1-amd SHA256SUMS

49b1c5769b909220060dc4c0e11ae09d97a270a80d259e05773101df62e11e9d kali-linux-2017.1-amd64.iso

If the hashes don’t match, you’ve done something wrong (or had something wrong happen to you!).

Put in your USB drive, attach it to the VM, find it with dmesg and burn the bootable image with something like this. Beware! This is destructive! Use the right disk identifier (/dev/sdb in this case)!


root@kali:~# dmesg
[ 4117.132811] usb 1-1: new high-speed USB device number 2 using ehci-pci
[ 4117.287319] usb 1-1: New USB device found, idVendor=0781, idProduct=5583
[ 4117.287321] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 4117.287322] usb 1-1: Product: Ultra Fit
[ 4117.287322] usb 1-1: Manufacturer: SanDisk
[ 4117.287323] usb 1-1: SerialNumber: 4C530001231103111240
[ 4117.407902] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 4117.408855] scsi host3: usb-storage 1-1:1.0
[ 4117.410370] usbcore: registered new interface driver usb-storage
[ 4117.465386] usbcore: registered new interface driver uas
[ 4118.421308] scsi 3:0:0:0: Direct-Access     SanDisk  Ultra Fit        1.00 PQ: 0 ANSI: 6
[ 4118.429107] sd 3:0:0:0: Attached scsi generic sg2 type 0
[ 4118.432151] sd 3:0:0:0: [sdb] 242614272 512-byte logical blocks: (124 GB/116 GiB)
[ 4118.438709] sd 3:0:0:0: [sdb] Write Protect is off
[ 4118.438713] sd 3:0:0:0: [sdb] Mode Sense: 43 00 00 00
[ 4118.441969] sd 3:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[ 4118.468903]  sdb: sdb1
[ 4118.492354] sd 3:0:0:0: [sdb] Attached SCSI removable disk
root@kali:~# dd if=kali-linux-2017.1-amd64.iso of=/dev/sdb bs=1M
2664+1 records in
2664+1 records out
2794307584 bytes (2.8 GB, 2.6 GiB) copied, 93.8987 s, 29.8 MB/s

root@kali:~# dmesg

[ 4117.132811] usb 1-1: new high-speed USB device number 2 using ehci-pci

[ 4117.287319] usb 1-1: New USB device found, idVendor=0781, idProduct=5583

[ 4117.287321] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3

[ 4117.287322] usb 1-1: Product: Ultra Fit

[ 4117.287322] usb 1-1: Manufacturer: SanDisk

[ 4117.287323] usb 1-1: SerialNumber: 4C530001231103111240

[ 4117.407902] usb-storage 1-1:1.0: USB Mass Storage device detected

[ 4117.408855] scsi host3: usb-storage 1-1:1.0

[ 4117.410370] usbcore: registered new interface driver usb-storage

[ 4117.465386] usbcore: registered new interface driver uas

[ 4118.421308] scsi 3:0:0:0: Direct-Access SanDisk Ultra Fit 1.00 PQ: 0 ANSI: 6

[ 4118.429107] sd 3:0:0:0: Attached scsi generic sg2 type 0

[ 4118.432151] sd 3:0:0:0: [sdb] 242614272 512-byte logical blocks: (124 GB/116 GiB)

[ 4118.438709] sd 3:0:0:0: [sdb] Write Protect is off

[ 4118.438713] sd 3:0:0:0: [sdb] Mode Sense: 43 00 00 00

[ 4118.441969] sd 3:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA

[ 4118.468903] sdb: sdb1

[ 4118.492354] sd 3:0:0:0: [sdb] Attached SCSI removable disk

root@kali:~# dd if=kali-linux-2017.1-amd64.iso of=/dev/sdb bs=1M

2664+1 records in

2664+1 records out

2794307584 bytes (2.8 GB, 2.6 GiB) copied, 93.8987 s, 29.8 MB/s

Food for thought

What good examples can you think of for booting Kali live? What about bad examples?
Zen question of the day : Does it strike you weird that you can simply dd an ISO to a USB key, and have it boot?

Show Answer

← Previous Topic

Exercise 2-1: Downloading, Verifying and Booting Kali

Exercise 01, Chapter 2 – Getting set up, downloading and verifying and burning Kali

Food for thought

Become a Certified Penetration Tester Today

Forums