|| echo 32-bit
64-bit
Now that you know whether you need a 64-bit or 32-bit image, there is only one step left: selecting
the kind of image. The available images differ in how they go about installation. The Installer
and NetInstaller images, specialized for a straightforward install featuring selectable installation
options, do not come with the ability to run the live system. The Live image, however, comes
with the ability to run the live system or start the installation process, although it does lack the
selectable options featured in the installation images. The selectable options include choices in
desktop environments as well as which collection of packages to install. We will be using the live
image throughout this book.
Once you have decided on the image you need, you can download the image by clicking on the
title in the respective row. Alternatively, you can download the image from the BitTorrent
peer-to-peer network by clicking on “Torrent,” provided that you have a BitTorrent client associated
with the .torrent extension.
While your chosen ISO image is downloading, you should take note of the checksum written in
the sha256sum column. Once you have downloaded your image, use this checksum to verify that
the downloaded image matches the one the Kali development team put online (see section
2.1.3, “Verifying Integrity and Authenticity” [page 17]).
1 https://www.offensive-security.com/kali-linux-arm-images/
16 Kali Linux Revealed
2.1.3. Verifying Integrity and Authenticity
Security professionals must verify the integrity of their tools to not only protect their data and
networks but also those of their clients. While the Kali download page and links are TLS-protected,
Kali relies on a network of external mirrors to distribute the image, which means that you should
not blindly trust what you download. The mirror you were directed to may have been compromised,
or you might be the victim of an attack yourself.
To alleviate this, the Kali project always provides checksums of the images it distributes. But to
make such a check effective, you must be sure that the checksum you grabbed is really the
checksum published by the Kali Linux developers. There are different ways to ascertain this.
Relying on the TLS-Protected Website
When you retrieve the checksum from the TLS-protected download webpage, its origin is
indirectly guaranteed by the X.509 certificate security model: the content you see comes from a
website that is effectively under the control of the person who requested the TLS certificate.
Now you should generate the checksum of your downloaded image and ensure that it matches
what you recorded from the Kali website:
$ sha256sum kali-linux-2020.3-live-amd64.iso
1a0b2ea83f48861dd3f3babd5a2892a14b30a7234c8c9b5013a6507d1401874f  kali-linux-2020.3-live-amd64.iso
If your generated checksum matches the one on the Kali Linux download page, you have the
correct file. If the checksums differ, there is a problem, although this does not always indicate a
compromise or an attack; downloads occasionally get corrupted as they traverse the Internet. Try
your download again, from another official Kali mirror, if possible (see “cdimage.kali.org”
[page 14] for more information about available mirrors).
Relying on PGP’s Web of Trust
If you don’t trust HTTPS for authentication, you are a bit paranoid but rightfully so. There are
many examples of badly managed certificate authorities that issued rogue certificates, which
ended up being misused. You may also be the victim of a “friendly” man-in-the-middle attack
implemented on many corporate networks, using a custom, browser-implanted trust store
that presents fake certificates to encrypted websites, allowing corporate auditors to monitor
encrypted traffic.
17
Chapter 2 — Getting Started with Kali Linux
For cases like this, we also provide a GnuPG key that we use to sign the checksums of the images
we provide. The key’s identifiers and its fingerprints are shown here:
pub   rsa4096 2012-03-05 [SC] [expires: 2023-01-16]
      44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6
uid           Kali Linux Repository
sub   rsa4096 2012-03-05 [E] [expires: 2023-01-16]
This key is part of a global web of trust because it has been signed at least by me (Raphaël Hertzog)
and I am part of the web of trust due to my heavy GnuPG usage as a Debian developer.
The PGP/GPG security model is unique. Anyone can generate any key with any identity, but
you would only trust that key if it has been signed by another key that you already trust. When you
sign a key, you certify that you met the holder of the key and that you know that the associated
identity is correct. And you define the initial set of keys that you trust, which obviously includes
your own key.
This model has its own limitations so you can opt to download Kali’s public key over HTTPS (or
from a keyserver) and just decide that you trust it because its fingerprint matches what we
announced in multiple places, including just above in this book:
$ wget -q -O - https://archive.kali.org/archive-key.asc | gpg --import
[ or ]
$ gpg --keyserver hkp://keys.gnupg.net --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
gpg: key ED444FF07D8D0BF6: public key "Kali Linux Repository" imported
gpg: Total number processed: 1
gpg:               imported: 1
[...]
$ gpg --fingerprint 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
[...]
      44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6
[...]
After you have retrieved the key, you can use it to verify the checksums of the distributed
images. Let’s download the file with the checksums (SHA256SUMS) and the associated signature file
(SHA256SUMS.gpg) and verify the signature:
$ wget http://cdimage.kali.org/current/SHA256SUMS
[...]
$ wget http://cdimage.kali.org/current/SHA256SUMS.gpg
[...]
$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Tue 18 Aug 2020 10:31:15 AM EDT
gpg:                using RSA key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
gpg: Good signature from "Kali Linux Repository"
If you get that “Good signature” message, you can trust the content of the SHA256SUMS file and use
it to verify the files you downloaded. Otherwise, there is a problem. You should review whether
you downloaded the files from a legitimate Kali Linux mirror.
Note that you can use the following command line to verify that the downloaded file has the same
checksum that is listed in SHA256SUMS, provided that the downloaded ISO file is in the same
directory:
$ grep kali-linux-2020.3-live-amd64.iso SHA256SUMS | sha256sum -c
kali-linux-2020.3-live-amd64.iso: OK
If you don’t get OK in response, then the file you have downloaded is different from the one
released by the Kali team. It cannot be trusted and should not be used.
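The two checks the chapter walks through, comparing the retrieved key fingerprint with the published one and checking the ISO against SHA256SUMS, wrapped in small shell functions so that a mismatch is a non-zero exit status rather than something to spot by eye. This is an added example, not the book’s or the Kali project’s own code; the expected fingerprint is the one printed above, the image name and contents in the demo are constructed, and the real download and gpg --verify steps are left out so it runs offline.

```shell
#!/bin/sh
# Added example (not from the book): offline checks mirroring the chapter's commands.

# Fingerprint of the Kali Linux Repository key as printed in the chapter.
EXPECTED_FPR="44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6"

# gpg --fingerprint prints groups separated by spaces, --recv-key takes the compact
# form; strip whitespace and fold case so both forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Returns 0 only if the fingerprint you retrieved equals the published one.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# Returns 0 only if SHA256SUMS has exactly one entry for this file name and
# sha256sum -c reports OK for it. The anchored pattern avoids matching a line
# that merely contains the name (e.g. the .iso.torrent entry when checking the .iso).
verify_image() {
    sums="$1"; dir="$2"; name="$3"
    line=$(grep -E "^[0-9a-f]{64} [ *]$name\$" "$sums") || return 1
    [ "$(printf '%s\n' "$line" | wc -l)" -eq 1 ] || return 1
    (cd "$dir" && printf '%s\n' "$line" | sha256sum -c >/dev/null 2>&1)
}

# Constructed demo: a fake "image", a SHA256SUMS built from it, then a corrupted
# copy. Returns 0 when the intact file passes and the corrupted one is rejected.
demo() {
    tmp=$(mktemp -d) || return 1
    img=kali-sample-live-amd64.iso                      # constructed name
    printf 'not a real iso\n' > "$tmp/$img"
    (cd "$tmp" && sha256sum "$img" > SHA256SUMS)
    verify_image "$tmp/SHA256SUMS" "$tmp" "$img" || { rm -rf "$tmp"; return 1; }
    printf 'x' >> "$tmp/$img"                           # simulate a corrupted download
    if verify_image "$tmp/SHA256SUMS" "$tmp" "$img"; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}
```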
2.1.4. Copying the Image on a DVD-ROM or USB Key
Unless you want to run Kali Linux in a virtual machine, the ISO image is of limited use in and of
itself. You must burn it on a DVD-ROM or copy it onto a USB key to be able to boot your machine
into Kali Linux. We have chosen the Kali live image as we wish to boot from a USB allowing us to
either use a live environment or install Kali Linux’s default configuration.
We won’t cover how to burn the ISO image onto a DVD-ROM, as the process varies widely by
platform and environment, but in most cases, right clicking on the .iso file will present a contextual
menu item that executes a DVD-ROM burning application. Try it out!
Warning
In this section, you will learn how to overwrite an arbitrary disk with a Kali
Linux ISO image. Always double-check the target disk before launching
the operation as a single mistake would likely cause complete data loss and
possibly damage your setup beyond repair.
Creating a Bootable Kali USB Drive on Windows
As a prerequisite, you should download and install Win32 Disk Imager:
https://sourceforge.net/projects/win32diskimager/
Plug your USB key into your Microsoft Windows PC and note the drive designator associated to it
(for example, “E:\”).
Launch Win32 Disk Imager and choose the Kali Linux ISO file that you want to copy on the USB key.
Verify that the letter of the device selected corresponds with that assigned to the USB key. Once
you are certain that you have selected the correct drive, click the Write button and confirm that
you want to overwrite the contents of the USB key as shown in Figure 2.2, “Win32 Disk Imager in
action” [page 20].