Kali 64-bit installation guide on VirtualBox in Windows 10

Author: TheFrog@jollyfrogs.com

This guide is written for a Windows 10 64-bit host machine. This is a very large post, please click the drop-downs on the topics to reveal their contents

Optional: Introduction

This is the hardware that I used to set up this lab, if you don't have similar or better hardware, I advise investing a little in getting good hardware:
Asus Maximus Hero VI motherboard
32GB memory (Kingston)
Intel 120GB Solid State Hard-disk (SSD)
Core i7-4770K CPU @ 3.50GHz, 4 Core(s), 8 Logical Processors
Windows 10 64-bit Host

I have created this lab using my own network IP addressing. All subnet masks in the LAN are "/24" aka "". The following components are what I start with - just my PC and a router which I use as default gateway to connect to the internet: = My physical internet router (a Ubiquity ERLite3) which acts as my default gateway and DNS server. = My existing LAN interface, we will lose this IP when we configure a BRIDGE interface later

The following IP addresses are used for the components that are added during this guide: = My main PC BRIDGE interface = Our new Kali installation (you're building it now!)

You do not need hardware components to set up this lab other than an modern PC, everything will be running in VirtualBox on your PC.

Required: Preparations

Important notice: Do not skim over these instructions, they provide the foundation of your environment. Any typo or mistake here will affect your environment later in unpredictable ways, please take the time to go through these steps carefully. Spelling matters, typos matter. If you run into any issues during installation, please re-read the instructions carefully and ensure you haven't made a typo.

IMPORTANT Note: I don't isolate hosts on my network. This is a very *UNSAFE* practice, especially when meddling with vulnerable applications and systems while coding and testing new exploits. I run a simple but good firewall (Ubiquity ERLite3) which protects my network from outside attacks, but more importantly, I have off-line backups of all my important files and documents. If this is something that you don't feel 100% comfortable with, then you should set up an isolated network which is totally segregated from your home network. VirtualBox supports this kind of set up via "Host-only adapters" but this guide doesn't cover such a setup although it would probably only require minor modifications in VirtualBox.

Get required files:


Choose 'Kali Linux Lxde 64 Bit':

Required: Create windows bridge interface

Create and bridge a loop-back adapter so your virtual machines can talk to your physical PC and network

- Click the Windows Start button (bottom left)
- type "cmd" but do not press enter
- Right-click "cmd.exe" (top of start bar menu) and select "run as Administrator" (Click "Yes" to confirm)
Note: In the black cmd.exe screen:
- type "hdwwiz.exe" and press Enter
Note: the "Add Hardware Wizard" window opens
- Click "Next"
- Select "Install the hardware that I manually select from a list (Advanced)" and click "Next"
- Select "Network adapters" and click "Next"
- Select "Microsoft" and "Microsoft KM-TEST Loopback Adapter" under Manufacturer and Network Adapter respectively, then click "Next"
- Click "Next" to install the loopback adapter
- Click "Finish" to close the "Add Hardware" screen
Note: We're still in the black cmd.exe screen:
- type "ncpa.cpl" and press Enter
Note: the "Network Connections" window opens
- Right-click the adapter "Microsoft Loopback Adapter" and select "Rename"
- Rename the Loopback Adapter to "LOOPBACK" to remove confusion later
- Right-click your wired network adapter and select "Rename"
- Rename your wired network adapter to "LAN"
- Highlight (left click while holding CTRL key pressed) both the LOOPBACK adapter and your LAN network adapter
- Right click on the LOOPBACK adapter while both adapters are highlighted and select "Bridge Connections"
Note: This will create a new network card called "Network Bridge"
- Right-click your new bridge adapter and select "Rename"
- Rename your wired network adapter to "BRIDGE"
- Right-click "BRIDGE" and select "Properties"
In the "BRIDGE Properties" screen:
- Left-click (to highlight) "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties"
In the "Internet Protocol Version 4 (TCP/IPv4) Properties" screen:
In the "General" tab at the top:
Select "Use the following IP address"
IP address:
Subnet mask:
Default gateway:
Preferred DNS server:
Alternate DNS server: <leave blank>
- Click "OK" to close the "Internet Protocol Version 4 (TCP/IPv4) Properties" screen
- Click "Close" to close the "BRIDGE Properties" screen
Note: We're still in the black cmd.exe screen:
- type "ping www.google.com"
Note: You should see replies from the google web server.
Note: Your BRIDGE adapter is now your main network adapter
Note: Do not proceed if you do not have internet connectivity
- Close the "Command Prompt" black cmd.exe screen

Required: Install VirtualBox

Run "VirtualBox-5.2.4-119785-Win.exe"
Note: Click "Yes" on any opening warnings
- Click "Next >"
- Click "Next >" (install all options)
- Click "Next >"
- Click "Yes"
- Click "Install" to start the installation
- Click "Yes" at the UAC warning screen
- If you get prompted: Click "Install" to install the device driver
- Click "Finish"

Required: Install Kali on VirtualBox

Start "Oracle VM VirtualBox" if not already started
- Click "New"
Name: "Kali-2017.3-LXDE-64bit"
Type: "Linux"
Version: "Debian (64-bit)"
- Click "Next"
MB: "2048"
- Click "Next"
Select "Create a virtual hard drive now" (Default)
- Click "Create"
- Select "VDI (VirtualBox Disk Image)" and Click "Next"
- Select "Dynamically allocated" and Click "Next"
- "F:\VIRTUALBOX_DISKS\Kali-2017.3-LXDE-64bit.vdi" (you can choose any folder with enough space)
- "80.00 GB" (to make sure we don't run out of space any time soon)
- Click "Create"
Note: A new icon "Kali-2017.3-LXDE-64bit" was created in your "Oracle VM VirtualBox Manager"

Note: Leave settings at default unless otherwise stated below
Note: I'm showing some important settings even though they are defaults, in case the defaults change some day
- Right-click "Kali-2017.3-LXDE-64bit" in the left menu and click "Settings..."
General - Advanced - Shared Clipboard: "Bidirectional"
Note: Replace "mysecret" below with the root password you will use a bit later; it can be anything you want
General - Description: root - mysecret
System - Motherboard - Untick "Floppy"
System - Processor - Tick "Enable PAE/NX"
Storage - Left-Click "Empty" (to highlight it)
On the far right, click on the blue tiny CD-Rom icon and click "Choose Virtual Optical Disk File..."
Select "D:\APPS\Linux - Kali\kali-linux-lxde-2017.3-amd64.iso" (choose your appropriate folder)
Network - Adapter 1 - Attached to: "Bridged Adapter"
Network - Adapter 1 - Name: "Microsoft Network Adapter Multiplexor Driver"
Network - Adapter 1 - Advanced - Promiscuous Mode: Allow All
Network - Adapter 1 - Advanced - MAC Address: 201703000000
Note: Set the MAC address to an easily identifiable MAC
Shared Folders - Click the blue folder icon with the green +
Folder Path: "E:\SHARED"
Folder Name: "SHARED"
Tick "Auto-mount"
Click "OK" to add the shared folder to you virtual Kali machine settings
- Click "OK" to close the "Kali-2017.3-LXDE-64bit - Settings" screen
- Right-click "Kali-2017.3-LXDE-64bit" in the left menu and click "Start" -> "Normal Start"
Note: A new screen "Kali-2017.3-LXDE-64bit [Running] - Oracle VM VirtualBox" opens and the Kali Linux installer will boot.
In the "Kali-2017.3-LXDE-64bit [Running] - Oracle VM VirtualBox" screen:
You will be presented with the Kali boot menu
Use the down arrow on your keyboard to highlight "Install" and press Enter to start installation
Note: The options below assume you're pressing <Enter> to select them:
Select "English - English"
Select "Australia" (select the country you live in, or perhaps you like Australia)
Select "American English"
Hostname: kali
Domain name: the.frog.pond (choose anything you want)
Root password: mysecret (choose any password you like)
Re-enter password to verify: mysecret
Select the state of province to set your time zone: "Queensland" (the sunny state!)
Partitioning method: "Guided - use entire disk"
Select disk to partition: "SCSIx (0,0,0) (sda) - 53.7 GB ATA VBOX HARDDISK"
Partitioning scheme: "All files in one partition (recommended for new users)"
"Finish partitioning and write changes to disk" - press <Enter>
Write the changes to disks? "Yes" (press left arrow key to highlight it)
Note: Kali will now copy required files off the virtual optical disk to the virtual hard drive
Use a network mirror? "Yes"
Do you need a proxy: <leave empty> and select "Continue" (press down arrow key to highlight it)
Note: Depending on your internet speed, this step can take a while, be patient.
Install the GRUB boot loader to the master boot record? "Yes"
Device for boot loader installation: "/dev/sda (ata-VBOX_HARDDISK_<random_numbers>)"
Installation Complete: "Continue"
Note: Kali will reboot. Let the GNU GRUB boot menu time out or select "Kali GNU/Linux"

Required: Create shortcut to LXTerminal on Kali desktop

At the login screen:
- Top field (username): root
- Lower field (Password): mysecret (whatever password you chose earlier)
Note: After filling in the fields, press Enter to login
Note: You will be presented Kali's LXDE desktop environment (similar to Windows)
Note: The first thing you see is a "Save history" popup.
On the "Save history" popup: Click "No"

Left-Click the flying bird icon in the bottom left of the screen
"Usual Applications" -> "System Tools" -> "LXTerminal"
In the "root@kali:~#" terminal window type:
Note: You can not use copy/paste yet! We'll install VirtualBox guest additions for that first


Note: You should have gotten an IP address from your network router.


Note: You should see replies from, if you do then you have internet access from Kali!
Note: If you do not have internet access then do not continue installation and fix internet first

leafpad ~/Desktop/bash.desktop

Use leafpad to enter the following text into the file lxterminal.desktop

[Desktop Entry]
Exec=lxterminal -e /bin/bash

In Leafpad, click "File" -> "Save"
In Leafpad, click "File" -> "Quit"

Note: Do not close the Terminal window, we'll use it to install VirtualBox Guest Additions

Required: Install VirtualBox Guest Additions within Kali

Note: You can not yet use copy/paste since we have not yet installed the VirtualBox guest additions. We will install Virtualbox guest additions:
Click "Devices" (on the VirtualBox top menu bar just outside the desktop) -> "Insert Guest Additions CD image..."
Click "Cancel" when asked to "Open in File Manager"

Note: If you are located in Australia, you can change /etc/apt/sources.list to use the following Kali mirror - it has good speed for Australians:
deb http://mirror.internode.on.net/pub/kali kali-rolling main non-free contrib. The total download size is generally larger than 1Gb. At the point of writing this guide, the total download size was 1,246 MB.

In the "root@kali:~#" terminal window type

apt-get update 
apt-get -o Dpkg::Options::="--force-confold" --force-yes -fuy dist-upgrade

Note: All files are downloaded first. After download completes the upgrade starts, and you might be asked:
- Should non-superusers be able to capture packets? <No>
- Restart services during package upgrades without asking? <Yes>

apt autoremove -y

After reboot, login as before and double-click on the "Terminal" icon on your desktop, then:

apt-get install -y dkms build-essential libelf-dev linux-headers-$(uname -r)
cp /media/cdrom/VBoxLinuxAdditions.run /tmp

Note: After completing the installation of the VBoxLinuxAdditions:
Click "Devices" (in the Virtualbox top menu bar) -> "Optical Drives" -> "Remove disk from virtual drive"
If asked, click "Force unmount"

rm /tmp/VBoxLinuxAdditions.run

After reboot, login with user root and password you configured earlier
Note: Now that you have installed the VirtualBox additions to Kali, you can:
- Seamlessly move the mouse in and out of the virtual machine
- Copy/Paste to and from the virtual machine using clipboard
- Share folders between the virtual machine guest and your host machine

Required: Install additional components

Note: Install additional required Linux components as follows
Double-click on the "Terminal" icon on your desktop, then:

apt-get install -y fish python-xlrd veil-evasion veil-catapult ldap-utils python-notify pidgin pidgin-otr pidgin-extprefs haveged freerdp-x11 mingw-w64 filezilla xdotool sshpass python2.7 python-pip python-dev git libssl-dev

Note: This is a fairly big download at around 600MB

Required: Configure Metasploit
update-rc.d postgresql enable && /etc/init.d/postgresql start
msfdb init

Note: Don't do anything in Metasploit. It can take a while before the database has updated the cache.
In your terminal window:
Click "File" -> "New Tab" to open a new terminal, and in this new terminal type:

sudo -H -u postgres bash -c 'psql -d msf -c "select count(*) from module_details;"' | sed -n 3p

Note: The query will return the number of rows updated thus far.
Note: You can add up all the exploits, auxiliary, post, payloads, encoders and nops in the welcome message to get the total number of entries
Note: After the database has fully updated (around 4000-5000 entries), close the second terminal window, and do the following:

msf > search auxiliary

Note: You should not see a warning that the database is disconnected or the cache has not been updated

msf > exit
Required: Fix mitmproxy installation

If the Kali version of "mitmproxy" errors with:
ImportError: cannot import name 'UBInt16'
Then reinstall mitmproxy from using 'pip' as follows:

apt-get -y remove mitmproxy
pip3 install mitmproxy
ln -s /usr/local/bin/mitmproxy /usr/bin/mitmproxy
apt-mark manual python3-argcomplete python3-argh python3-brotli python3-click python3-colorama python3-construct python3-cssutils python3-feedparser python3-flask python3-h2 python3-hpack python3-html2text python3-hyperframe python3-itsdangerous python3-jsbeautifier python3-kaitaistruct python3-passlib python3-pathtools python3-pyinotify python3-pyperclip python3-ruamel.yaml python3-simplejson python3-sortedcontainers python3-watchdog python3-werkzeug
mitmproxy --version
Recommended: Configure vi/vim to allow copy/pasting with mouse
echo "set mouse-=a" >> ~/.vimrc
Recommended: Install proxychains-ng

Note: Proxychains is not maintained anymore and nmap has issues with it when specifying DNS names

apt-get remove -y proxychains
cd /tmp/
git clone https://github.com/rofl0r/proxychains-ng.git
cd proxychains-ng/
./configure --prefix=/usr --sysconfdir=/etc
make install
make install-config
rm -Rf /tmp/proxychains-ng
cd /root/
Recommended: Add 32-bit executable support

The following commands will allow running 32-bit applications on your 64-bit Kali:

dpkg --add-architecture i386
apt-get update
apt-get install -y libc6:i386
Recommended: Update searchsploit
searchsploit -u
Recommended: Create shortcut to FiSH terminal on Kali desktop

In the "root@kali:~#" terminal window type:

leafpad ~/Desktop/fish.desktop

Use leafpad to enter the following text into the file fish.desktop:

[Desktop Entry]
Exec=lxterminal -e fish

In Leafpad, click "File" -> "Save"
In Leafpad, click "File" -> "Quit"

Recommended: Make FiSH your default terminal

In the "root@kali:~#" terminal window type:

usermod -s /usr/bin/fish root
Recommended: Configure GDB with the more useful gdbinit skin

This will install a "skin" around GDB to make it more useful - it will automatically display registers and flags each step.

In the "root@kali:~#" terminal window type:

wget https://www.jollyfrogs.com/install/gdbinit.txt -O ~/.gdbinit
Recommended: Login via authorized_keys

Create an authorized_keys file to login via SSH

In Windows:

download https://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe
run puttygen.exe
- Tick "SSH-2 RSA" (Default)
- Number of bits in a generated key: "2048" (Default)
- Click "Generate"
- Move the mouse randomly in the puttygen screen to create random data
- Key comment: "Kali2017.1-LXDE"
- Key Passphrase: Mykeypassphrase
- Confirm Passphrase: Mykeypassphrase
- Copy/paste the public key for pasting into OpenSSH authorized_keys file ("ssh-rsa <gibberish> Kali2017.1-LXDE") and save it in a temporary authorized_keys.txt file on your desktop
- Click "Save Private Key" and save it to a safe location (e.g. your KeePass database!)
Note: Pro tip! Use KeePass and KeeAgent and save the public, private key and authorized_keys and Key Passphrase in your KeePass. This will remove all the hassle of logging in via Putty or WinSCP by presenting the key when needed to programs auto-magically - it won't even ask for any passwords, it is very user friendly and secure.

In Kali:

Note: Kali 2017 uses SystemD to manage its services
Note: You can check service status via the command: systemctl list-unit-files --type=service
Change contents_of_authorized_keys.txt below to the contents of "authorized_keys.txt" saved earlier.
Note: The quotes around the contents of your authorized_keys is required, don't delete them

In the "root@kali:~#" terminal window type:

systemctl enable ssh.service
systemctl start ssh.service
mkdir /root/.ssh
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
echo "contents of authorized_keys.txt" > /root/.ssh/authorized_keys
chmod 700 /root/.ssh && chmod 600 /root/.ssh/authorized_keys

Note: Now you can login via your authorized_keys file for instance via putty.exe or winscp.exe
Note: check the service is listening on using:

netstat -4nal

^ Dat mnemonic!...

Optional: Set up Kali auto-login

Note: We configure the system to automatically login with root user. This is a very unsafe practice, but for a lab machine it should be fine.

In the "root@kali:~#" terminal window type:

sed -i 's/#autologin-user=/autologin-user=root/g' /etc/lightdm/lightdm.conf
sed -i 's/#autologin-user-timeout=0/autologin-user-timeout=0/g' /etc/lightdm/lightdm.conf
sed -i 's/user != root/user != nonexistent/g' /etc/pam.d/lightdm-autologin
Optional: Auto-start FiSH terminal, disable power management, screen saver and screen lock

In the "root@kali:~#" terminal window type:

echo '@fish' >> /etc/xdg/lxsession/LXDE/autostart
sed -i "/@xscreensaver -no-splash/d" /etc/xdg/lxsession/LXDE/autostart
rm /etc/xdg/autostart/light-locker.desktop
Optional: Auto-start SANS OpenVPN connection (SANS students)

In the "root@kali:~#" terminal window type:

mkdir /root/sec660
mkdir /root/sec660/openvpn
cd /root/sec660/openvpn
wget https://labs.sans.org/sec660A/FilesForLinux.zip -O /root/sec660/openvpn/sec660A.zip
wget https://labs.sans.org/sec660B/FilesForLinux.zip -O /root/sec660/openvpn/sec660B.zip
unzip sec660A.zip
unzip sec660B.zip
rm sec660*.zip
echo 'VpnPassword' > /root/sec660/openvpn/sec660-key-password
wget https://labs.sans.org/sec660A/users/asdfadfnb2m3n4b2mn43b/sec660a-12345678.crt
wget https://labs.sans.org/sec660A/users/asdfadfnb2m3n4b2mn43b/sec660a-12345678.key
wget https://labs.sans.org/sec660B/users/asdfadfnb2m3n4b2mn43b/sec660b-12345678.crt
wget https://labs.sans.org/sec660B/users/asdfadfnb2m3n4b2mn43b/sec660b-12345678.key

Note: sec660A is the section 1-5 course labs, sec660B is the section 6 Capture the Flag (CTF) event.

leafpad /root/sec660/openvpn/sec660a-linux.conf

Copy/paste the following text into the file:

askpass /root/sec660/openvpn/sec660-key-password
cert /root/sec660/openvpn/sec660a-12345678.crt
key /root/sec660/openvpn/sec660a-12345678.key

# SSL/TLS parms.
ca /root/sec660/openvpn/sec660a-ca.crt
dev tap
proto udp
remote vpn-sec660a.sans.org 1194
resolv-retry infinite
verb 3
leafpad /root/sec660/openvpn/start_vpn.sh

Copy/paste the following text into the file:

echo "Starting VPN. This takes a few seconds, please be patient..."
# Killing old openvpn processes
pkill -e -9 -f 'openvpn --daemon'
# Restoring 
dhclient -4 eth0 > /dev/null 2>&1
sleep 1
openvpn --daemon --config /root/sec660/openvpn/sec660a-linux.conf 
while ! grep -q "tap0" /proc/net/dev ; do
 echo "Waiting for tap0 device to come up"
 sleep 1
dhclient tap0 > /dev/null 2>&1
while ! ping -c 1 -W 1 > /dev/null 2>&1 ; do
 echo "Waiting for IP address ..."
 sleep 1
echo "VPN successfully connected!"
chmod +x /root/sec660/openvpn/start_vpn.sh
Optional: Auto-start Offensive Security OpenVPN connection (OSCP and OSCE students)

Note: If you are taking the OSCP or OSCE exam you can install and auto-start the OffSec VPN as follows:
Copy "lab-connection.tar.bz2" you received from offensive security to E:\SHARED\ on your PC

In the "root@kali:~#" terminal window type:

cd /root/ && cp /media/sf_SHARED/lab-connection.tar.bz2 /root/
cd /root/ && bzip2 -cd lab-connection.tar.bz2 | tar xvf -

Note: In the next command, replace OS-XXXXX and myoffsecpassword with your offsec credentials

echo "OS-XXXXX" >> /etc/openvpn/osce_server.creds
echo "myoffsecpassword" >> /etc/openvpn/osce_server.creds
cp /root/lab-connection/lab-connection.pem /etc/openvpn/osce_server.pem
cp /root/lab-connection/lab-connection.conf /etc/openvpn/osce_server.conf
sed -i 's#ca lab-connection.pem#ca /etc/openvpn/osce_server.pem#g' /etc/openvpn/osce_server.conf
sed -i 's#auth-user-pass#auth-user-pass /etc/openvpn/osce_server.creds#g' /etc/openvpn/osce_server.conf
sed -i 's/#AUTOSTART="home office"/AUTOSTART="osce_server"/g' /etc/default/openvpn
chmod +x /etc/openvpn/osce_server.conf
chmod 600 osce_server.creds
chmod 600 osce_server.pem
chmod 755 osce_server.conf
update-rc.d openvpn enable 2 3 4 5
systemctl start openvpn

Note: It takes a few seconds for your VPN to start, and obviously the VPN will only work if your account has been enabled to access the labs. After a few seconds, you should see an IP address on the tap0 interface:

ifconfig tap0
Recommended: Install PyCharm Community Edition - a really good free Python IDE

In the "root@kali:~#" terminal window type:

cd /root/
wget https://download.jetbrains.com/python/pycharm-community-2017.2.1.tar.gz
tar zxvf pycharm-community-2017.2.1.tar.gz -C /opt/
su -c "ln -s /opt/pycharm-community-2017.2.1/bin/pycharm.sh /usr/local/bin/pycharm"
su -c "ln -s /opt/pycharm-community-2017.2.1/bin/inspect.sh /usr/local/bin/inspect"
leafpad ~/Desktop/pycharm

Use leafpad to enter the following text into the file pycharm.desktop:

[Desktop Entry]

In the "root@kali:~#" terminal window type:

cd /root/
wget https://download.jetbrains.com/python/pycharm-community-2017.2.1.tar.gz
tar zxvf pycharm-community-2017.2.1.tar.gz -C /opt/
su -c "ln -s /opt/pycharm-community-2017.2.1/bin/pycharm.sh /usr/local/bin/pycharm"
su -c "ln -s /opt/pycharm-community-2017.2.1/bin/inspect.sh /usr/local/bin/inspect"
leafpad ~/Desktop/pycharm

In Leafpad, click "File" -> "Save"
In Leafpad, click "File" -> "Quit"

Double-click the PyCharm icon on the desktop to start PyCharm

Tick "Do not import settings" and click "OK"
Click "Accept" on the EULA
Keymap scheme: "Default for XWin"
IDE theme: Darcula
Editor colors and fonts: Darcula
Click "OK"
Would you like to restart now? "Yes"
Click "Configure" -> "Settings..."
"Editor" -> "Inspections" -> Untick "Spelling"
"Build, Execution, Deployment" -> "Console" -> "Python Console" -> "Python interpreter" -> Set to "/usr/bin/python3.6"
Click "Apply" -> "OK"
Click "Create New Project"
Location: /root/PycharmProjects/JollyFrogs
Interpreter: /usr/bin/python3.6
Click "Create"
Important note: PyCharm will now begin downloading files required for Python3.6 - this will slow down your VM noticeably until this action completes.
Untick "Show Tips on Startup" -> Click "Close"
Under "Project" in the left toolbar, right-click "JollyFrogs" -> "New" -> "Python File"
Name: my_first_python_script
Kind: Python File
In the main window "my_first_python_script" add the following single line
print("Hello world!")
Now press SHIFT + F10 to compile and run the program
- You may have to select "my_first_python_script" the first time you press SHIFT + F1
Close PyCharm by clicking "x" in the top right corner and tick "Do not remind me again"

Optional: Install nc6

Note: The original Kali netcat (aka nc) does not support IPv6 so we install a version with IPv6 support.

In the "root@kali:~#" terminal window type:

wget https://launchpad.net/ubuntu/+archive/primary/+files/nc6_1.0.orig.tar.gz
tar zxvf nc6_1.0.orig.tar.gz
cd /root/sec660/lab1/jwp0ppy/nc6-1.0
./configure && make && make install PREFIX=/usr
nc6 -h
Optional: Configure TOR for added anonymity

Note: TOR adds a layer of anonymity by routing through various TOR nodes that cannot independently identify your location or your destination or the contents of the IP packets.

Retrieve your current real IP address without using TOR (we'll use this to verify TOR works later)

In the "root@kali:~#" terminal window type:

curl ifconfig.co

We install and start TOR.

apt-get install -y tor
service tor start
torsocks curl ifconfig.co

If TOR is working, then you will see a different IP address to your real IP address. If you want to change TOR IP address, just issue a "service tor restart" to get a different TOR IP address.

"Connection refused (in socks5_connect() at socks5.c:202" means you forgot to start the TOR service
Note: Tor uses port TCP/9050 for socks5 as per /etc/tor/torsocks.conf
Note: You will need to do "service tor start" manually every reboot (it is not recommended to enable the service by default since it will greatly slow down all traffic to and from the internet to your Kali host)

Note: It takes a while before TOR is fully started, you might have to wait for up to 30 seconds before using TOR.
You can route nmap scans through TOR by using proxychains, like so:

proxychains4 -q nmap -n --open -Pn -sT -p 22,80 www.jollyfrogs.com

Note: As the owner of the website www.jollyfrogs.com, I hereby authorize anyone and everyone to freely scan ports 22 (closed) and 80 (open) for testing proxychains4 as per the command above. Please use this privilege responsibly.
You should see something like:

Starting Nmap 7.50 ( https://nmap.org ) at 2017-10-01 16:56 AEST
Nmap scan report for www.jollyfrogs.com (
Host is up (0.79s latency).
Not shown: 1 closed port
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 15.88 seconds

Note that the reported IP address ( is a bug with the combination of proxychains4 and nmap - ignore it as it will still scan the true IP address of the website.

Optional: Configure and auto-start Burp Suite

Note: The following lines removes the BurpSuite update check

ip route add prohibit
sed -i '$ d' /etc/rc.local
echo -e '/bin/ip route add prohibit\nexit 0' >> /etc/rc.local

Create a Burp startup script and start burp

mkdir /root/.burp
echo -e '#!/bin/bash\n/bin/rm -Rf /tmp/burp*.tmp;java -jar /usr/bin/burpsuite' > /root/.burp/startburp.sh
chmod +x /root/.burp/startburp.sh

Untick "Help improve Burp by submitting anonymous feedback about its performance"
Note: Click "I Accept" to accept the licence (only shows up during first run)
Select "Temporary project" (default) -> "Next"
Select "Use Burp Defaults" (default) -> "Start Burp"

In Burp Suite Free Edition:
Click "Proxy" tab in the top menu bar (towards the left)
Click "Options" under the Proxy settings (one bar below the top bar)
Highlight the current Proxy Listener ( and click "Edit":
Change "Bind to port:" to 9500
Click "OK" to close the menu
Click "User options" tab -> "Misc" tab -> Enable interception at startup: "Always disable"
Click "Burp" in the top left menu -> "Project Options" -> "Save project options"
Filename: /root/.burp/BurpPrefs.json
Click "Save"
Click "Burp" in the top left menu -> "User Options" -> "Save user options"
Filename: /root/.burp/BurpUserOptions.json
Click "Save"
Click "Burp" in the top left menu -> "Exit" -> Click "Yes" to confirm

Below is one long command which starts Burp and automatically clicks "Start"

echo -e '#!/bin/bash\npkill -f burpsuite\n/bin/rm -Rf /tmp/burp*.{tmp,burp};java -jar /usr/bin/burpsuite --config-file=/root/.burp/BurpPrefs.json --config-file=/root/.burp/BurpUserOptions.json &\nuntil xdotool search --name "Burp Suite Free Edition" windowactivate --sync; do :; done\nsleep 0.5\nxdotool search --name "Burp Suite Free Edition" windowmove 100 50\nxdotool search --name "Burp Suite Free Edition" windowactivate windowsize 800 500\nxdotool mousemove 850 550 click 1' > /root/.burp/startburp.sh

Add startburp.sh to autostart

echo '@/root/.burp/startburp.sh' >> /etc/xdg/lxsession/LXDE/autostart
Optional: Configure Firefox to use Burp Suite proxy

In the "root@kali:~#" terminal window type:


In Firefox:
Open Menu (3 horizontal bars in the top left) -> "Preferences" -> "Advanced" -> "Network" -> "Settings..."
Select "Manual proxy configuration"
HTTP Proxy: Port 9500
Tick "Use this proxy server for all protocols"
Click "OK"

In the FireFox browser bar, navigate to http://burp
- Click "CA Certificate" in the top right -> "Save File"
Open Menu (3 horizontal bars in the top left) -> "Preferences" -> "Advanced" -> "Certificates"
- Untick "Query OCSP responder servers to confirm the current validity of certificates"
- Click "View Certificates"
- Select the "Authorities" tab
- Click "Import", select the Burp CA certificate file that you previously saved (cacert.der) and click "Open".
Note: You might or might not be asked for the root password to unlock your keyring
- In the dialog box that pops up, check the box "Trust this CA to identify web sites", and click "OK".

Navigate to: about:addons
Install the following addons:
Adblock Plus
Element Hiding Helper for Adblock Plus
Advanced Cookie Manager
- Click "Restart Now" to restart Firefox after installing the addons (or manually close and restart FireFox)
- Close Firefox after it has restarted

Optional: Disable HTTPS and PHP and auto-start Apache

Disabling Apache HTTPS means the port can be used for reverse meterpreter shells and other goodies. Disable PHP so you can safely serve malicious PHP payloads from Apache.

/usr/sbin/a2dismod php7.0
sed -i 's/Listen 443/#Listen 443/g' /etc/apache2/ports.conf
update-rc.d apache2 enable
Optional: Update NMAP scripts

In the "root@kali:~#" terminal window type:

nmap --script-updatedb
Optional: Install showop.sh - shows hexidecimal values of ASM instructions

In the "root@kali:~#" terminal window type:

wget https://raw.githubusercontent.com/JollyFrogs/tools/master/showop.sh -O /root/tools/showop.sh
chmod +x /root/tools/showop.sh
/root/tools/showop.sh "mov eax,ecx;inc eax;nop"

Optional: Install hex2file.py - creates shell-code from a shell-code byte-string

In the "root@kali:~#" terminal window type:

wget https://raw.githubusercontent.com/JollyFrogs/tools/master/hex2file.py -O /root/tools/hex2file.py
chmod +x /root/tools/hex2file.py
python /root/tools/hex2file.py hexfile.bin "\x41\x42\x43\x44\x45"
hexdump -C hexfile.bin && rm hexfile.bin

Optional: Install pecloak - injects and hides malware inside files

In the "root@kali:~#" terminal window type:

cd /root/tools/ && mkdir /root/tools/pecloak
wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/libdasm/libdasm-beta.zip
unzip libdasm-beta.zip -d /root/tools/libdasm/ && cd /root/tools/libdasm/pydasm
python setup.py build_ext
sudo python setup.py install
wget 'http://git.n0p.cc/?p=SectionDoubleP.git;a=blob_plain;f=SectionDoubleP.py' -O /root/tools/pecloak/SectionDoubleP.py
wget http://www.securitysift.com/download/peCloak.py -O /root/tools/pecloak/pecloak.py
sed -i 's/pe.write(pe.OPTIONAL_HEADER.SizeOfHeaders, filename=fname)/pe.write(filename=fname)/g' /root/tools/pecloak/pecloak.py
cd /root/tools/pecloak/ && cp /root/tools/paexec/paexec.exe . && python pecloak.py paexec.exe
cd /root/

Required: Update the locate database after installing files

In the "root@kali:~#" terminal window type:


Reboot the machine to ensure everything installed OK

In the "root@kali:~#" terminal window type:


Recommended: Snapshot your new Kali VirtualBox machine

In the "root@kali:~#" terminal window type:

shutdown -h now

In Oracle VM VirtualBox Manager:
Highlight your Kali machine in the left toolbar
Click the following icon:

Then click on "Snapshots"

Click "Take"

Choose a Snapshot Name and Description, and click "OK"
Your Kali machine is now installed and backed up!