Kali 2017.3 64-bit installation guide on VirtualBox in Windows 10

Author: frog@jollyfrogs.com

This guide is written on Windows 10 64-bit Host.

Optional: Introduction

This is the hardware that I used to set up this lab. If you don't have similar or better hardware, I advise investing a little in getting good hardware:
Asus Maximus Hero VI motherboard
32GB memory (Kingston)
Intel 120GB Solid State Hard-disk (SSD)
Core i7-4770K CPU @ 3.50GHz, 4 Core(s), 8 Logical Processors
Windows 10 64-bit Host

I have created this lab using my own network IP addressing. All subnet masks in the LAN are "/24" aka "". The following components are what I start with - just my PC and a router which I use as default gateway to connect to the internet:
= My physical internet router (a Ubiquiti ERLite3) which acts as my default gateway and DNS server.
= My existing LAN interface, we will lose this IP when we configure a BRIDGE interface later

The following IP addresses are used for the components that are added during this guide:
= My main PC BRIDGE interface
= Our new Kali installation (you're building it now!)

You have two options when following this guide:
1) Rename all references to the IP addresses above and in this guide to IP addresses you are using on your LAN.
2) Renumber your internal network IP addressing to use the same IP addresses as in this guide.

You do not need hardware components to set up this lab other than a beefy PC; everything will be running in VirtualBox on your PC.

Required: Preparations

Important notice: Do not skim over these instructions; they provide the foundation of your environment. Any typo or mistake here will affect your environment later in unpredictable ways, so please take the time to go through these steps carefully. Spelling matters, typos matter. If you run into any issues during installation, please re-read the instructions carefully and ensure you haven't made a typo.

IMPORTANT Note: I don't isolate hosts on my network. This is a very *UNSAFE* practice, especially when meddling with vulnerable applications and systems while coding and testing new exploits. I run a simple but good firewall (Ubiquiti ERLite3) which protects my network from outside attacks, but more importantly, I have off-line backups of all my important files and documents. If this is something that you don't feel 100% comfortable with, then you should set up an isolated network which is totally segregated from your home network. VirtualBox supports this kind of setup via "Host-only adapters", but this guide doesn't cover such a setup, although it would probably only require minor modifications in VirtualBox.

Get required files:


Required: Create windows bridge interface

Create and bridge a loop-back adapter so your virtual machines can talk to your physical PC and network
- Click the Windows Start button (bottom left)
- type "cmd" but do not press enter
- Right-click "cmd.exe" (top of start bar menu) and select "run as Administrator" (Click "Yes" to confirm)
Note: In the black cmd.exe screen:
- type "hdwwiz.exe" and press Enter
Note: the "Add Hardware Wizard" window opens
- Click "Next"
- Select "Install the hardware that I manually select from a list (Advanced)" and click "Next"
- Select "Network adapters" and click "Next"
- Select "Microsoft" and "Microsoft KM-TEST Loopback Adapter" under Manufacturer and Network Adapter respectively, then click "Next"
- Click "Next" to install the loopback adapter
- Click "Finish" to close the "Add Hardware" screen
Note: We're still in the black cmd.exe screen:
- type "ncpa.cpl" and press Enter
Note: the "Network Connections" window opens
- Right-click the adapter "Microsoft Loopback Adapter" and select "Rename"
- Rename the Loopback Adapter to "LOOPBACK" to remove confusion later
- Right-click your wired network adapter and select "Rename"
- Rename your wired network adapter to "LAN"
- Highlight (left click while holding CTRL key pressed) both the LOOPBACK adapter and your LAN network adapter
- Right click on the LOOPBACK adapter while both adapters are highlighted and select "Bridge Connections"
Note: This will create a new network card called "Network Bridge"
- Right-click your new bridge adapter and select "Rename"
- Rename your new bridge adapter to "BRIDGE"
- Right-click "BRIDGE" and select "Properties"
In the "BRIDGE Properties" screen:
- Left-click (to highlight) "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties"
In the "Internet Protocol Version 4 (TCP/IPv4) Properties" screen:
In the "General" tab at the top:
Select "Use the following IP address"
IP address:
Subnet mask:
Default gateway:
Preferred DNS server:
Alternate DNS server: <leave blank>
- Click "OK" to close the "Internet Protocol Version 4 (TCP/IPv4) Properties" screen
- Click "Close" to close the "BRIDGE Properties" screen
Note: We're still in the black cmd.exe screen:
- type "ping www.google.com"
Note: You should see replies from the google web server.
Note: Your BRIDGE adapter is now your main network adapter
Note: Do not proceed if you do not have internet connectivity
- Close the "Command Prompt" black cmd.exe screen

Required: Install VirtualBox

Install VirtualBox
Run "VirtualBox-5.2.4-119785-Win.exe"
Note: Click "Yes" on any opening warnings
- Click "Next >"
- Click "Next >" (install all options)
- Click "Next >"
- Click "Yes"
- Click "Install" to start the installation
- Click "Yes" at the UAC warning screen
- If you get prompted: Click "Install" to install the device driver
- Click "Finish"

Required: Install Kali on VirtualBox

Install Kali on VirtualBox
Start "Oracle VM VirtualBox" if not already started
- Click "New"
Name: "Kali-2017.3-LXDE-64bit"
Type: "Linux"
Version: "Debian (64-bit)"
- Click "Next"
MB: "2048"
- Click "Next"
Select "Create a virtual hard drive now" (Default)
- Click "Create"
- Select "VDI (VirtualBox Disk Image)" and Click "Next"
- Select "Dynamically allocated" and Click "Next"
- "F:\VIRTUALBOX_DISKS\Kali-2017.3-LXDE-64bit.vdi" (you can choose any folder with enough space)
- "80.00 GB" (to make sure we don't run out of space any time soon)
- Click "Create"
Note: A new icon "Kali-2017.3-LXDE-64bit" was created in your "Oracle VM VirtualBox Manager"

Note: Leave settings at default unless otherwise stated below
Note: I'm showing some important settings even though they are defaults, in case the defaults change some day
- Right-click "Kali-2017.3-LXDE-64bit" in the left menu and click "Settings..."
General - Advanced - Shared Clipboard: "Bidirectional"
Note: Replace "mysecret" below with the root password you will use a bit later; it can be anything you want
General - Description: root - mysecret
System - Motherboard - Untick "Floppy"
System - Processor - Tick "Enable PAE/NX"
Storage - Left-Click "Empty" (to highlight it)
On the far right, click on the blue tiny CD-Rom icon and click "Choose Virtual Optical Disk File..."
Select "D:\APPS\Linux - Kali\kali-linux-lxde-2017.3-amd64.iso" (choose your appropriate folder)
Network - Adapter 1 - Attached to: "Bridged Adapter"
Network - Adapter 1 - Name: "Microsoft Network Adapter Multiplexor Driver"
Network - Adapter 1 - Advanced - Promiscuous Mode: Allow All
Network - Adapter 1 - Advanced - MAC Address: 201703000000
Note: Set the MAC address to an easily identifiable MAC
Shared Folders - Click the blue folder icon with the green +
Folder Path: "E:\SHARED"
Folder Name: "SHARED"
Tick "Auto-mount"
Click "OK" to add the shared folder to your virtual Kali machine settings
- Click "OK" to close the "Kali-2017.3-LXDE-64bit - Settings" screen

- Right-click "Kali-2017.3-LXDE-64bit" in the left menu and click "Start" -> "Normal Start"
Note: A new screen "Kali-2017.3-LXDE-64bit [Running] - Oracle VM VirtualBox" opens and the Kali Linux installer will boot.
In the "Kali-2017.3-LXDE-64bit [Running] - Oracle VM VirtualBox" screen:
You will be presented with the Kali boot menu
Use the down arrow on your keyboard to highlight "Install" and press Enter to start installation

Note: The options below assume you're pressing <Enter> to select them:
Select "English - English"
Select "Australia" (select the country you live in, or perhaps you like Australia)
Select "American English"
Hostname: kali
Domain name: the.frog.pond (choose anything you want)
Root password: mysecret (choose any password you like)
Re-enter password to verify: mysecret
Select the state or province to set your time zone: "Queensland" (the sunny state!)
Partitioning method: "Guided - use entire disk"
Select disk to partition: "SCSIx (0,0,0) (sda) - 53.7 GB ATA VBOX HARDDISK"
Partitioning scheme: "All files in one partition (recommended for new users)"
"Finish partitioning and write changes to disk" - press <Enter>
Write the changes to disks? "Yes" (press left arrow key to highlight it)
Note: Kali will now copy required files off the virtual optical disk to the virtual hard drive
Use a network mirror? "Yes"
Do you need a proxy: <leave empty> and select "Continue" (press down arrow key to highlight it)
Note: Depending on your internet speed, this step can take a while, be patient.
Install the GRUB boot loader to the master boot record? "Yes"
Device for boot loader installation: "/dev/sda (ata-VBOX_HARDDISK_<random_numbers>)"
Installation Complete: "Continue"
Note: Kali will reboot. Let the GNU GRUB boot menu time out or select "Kali GNU/Linux"

Required: Create shortcut to LXTerminal on Kali desktop

At the login screen:
- Top field (username): root
- Lower field (Password): mysecret (whatever password you chose earlier)
Note: After filling in the fields, press Enter to login
Note: You will be presented Kali's LXDE desktop environment (similar to Windows)
Note: The first thing you see is a "Save history" popup.
On the "Save history" popup: Click "No"

Left-Click the flying bird icon in the bottom left of the screen
"Usual Applications" -> "System Tools" -> "LXTerminal"
In the "root@kali:~#" terminal window type:
Note: You can not use copy/paste yet! We'll install VirtualBox guest additions for that first


Note: You should have gotten an IP address from your network router.


Note: You should see replies from, if you do then you have internet access from Kali!
Note: If you do not have internet access then do not continue installation and fix internet first

leafpad ~/Desktop/bash.desktop

Enter the following text into the file opened in leafpad:

[Desktop Entry]
Type=Application
Name=Terminal
Exec=lxterminal -e /bin/bash

In Leafpad, click "File" -> "Save"
In Leafpad, click "File" -> "Quit"

Note: Do not close the Terminal window, we'll use it to install VirtualBox Guest Additions

Required: Install VirtualBox Guest Additions within Kali

Note: You can not yet use copy/paste since we have not yet installed the VirtualBox guest additions. We will install VirtualBox guest additions:
Click "Devices" (on the VirtualBox top menu bar just outside the desktop) -> "Insert Guest Additions CD image..."
Click "Cancel" when asked to "Open in File Manager"

Note: If you are located in Australia, you can change /etc/apt/sources.list to use the following Kali mirror - it has good speed for Australians:

deb http://mirror.internode.on.net/pub/kali kali-rolling main non-free contrib

The total download size is generally larger than 1 GB. At the point of writing this guide, the total download size was 1,246 MB.

In the "root@kali:~#" terminal window type

apt-get update 
apt-get -o Dpkg::Options::="--force-confold" --force-yes -fuy dist-upgrade

Note: All files are downloaded first. After download completes the upgrade starts, and you might be asked:
- Should non-superusers be able to capture packets? <No>
- Restart services during package upgrades without asking? <Yes>

apt autoremove -y

After reboot, login as before and double-click on the "Terminal" icon on your desktop, then:

apt-get install -y dkms build-essential libelf-dev linux-headers-$(uname -r)
cp /media/cdrom/VBoxLinuxAdditions.run /tmp

Note: After completing the installation of the VBoxLinuxAdditions:
Click "Devices" (in the VirtualBox top menu bar) -> "Optical Drives" -> "Remove disk from virtual drive"
If asked, click "Force unmount"

rm /tmp/VBoxLinuxAdditions.run

After reboot, login with user root and password you configured earlier
Note: Now that you have installed the VirtualBox additions to Kali, you can:
- Seamlessly move the mouse in and out of the virtual machine
- Copy/Paste to and from the virtual machine using clipboard
- Share folders between the virtual machine guest and your host machine

Required: Install additional components

Note: Install additional required Linux components as follows
Double-click on the "Terminal" icon on your desktop, then:

apt-get install -y fish python-xlrd veil-evasion veil-catapult ldap-utils python-notify pidgin pidgin-otr pidgin-extprefs haveged freerdp-x11 mingw-w64 filezilla xdotool sshpass python2.7 python-pip python-dev git libssl-dev

Note: This is a fairly big download at around 600MB

Required: Configure Metasploit

update-rc.d postgresql enable && /etc/init.d/postgresql start
msfdb init

Note: Don't do anything in Metasploit. It can take a while before the database has updated the cache.
In your terminal window:
Click "File" -> "New Tab" to open a new terminal, and in this new terminal type:

sudo -H -u postgres bash -c 'psql -d msf -c "select count(*) from module_details;"' | sed -n 3p

Note: The query will return the number of rows updated thus far.
Note: You can add up all the exploits, auxiliary, post, payloads, encoders and nops in the welcome message to get the total number of entries
Note: After the database has fully updated (around 4000-5000 entries), close the second terminal window, and do the following:
msf > search auxiliary
Note: You should not see a warning that the database is disconnected or the cache has not been updated
msf > exit
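The wait described above can be scripted instead of re-running the query by hand. This is an added example, not part of the original guide: it polls the same module_details count until it stops changing. The function names, the 10-second interval and the "unchanged for three polls" rule are assumptions of the example.

```bash
# Added example, not part of the original guide.

# Row count of the Metasploit module cache, using the guide's query.
# -A (unaligned) and -t (tuples only) make psql print just the number,
# so no "sed -n 3p" is needed to strip the table header.
count_modules() {
    sudo -H -u postgres psql -d msf -At -c 'select count(*) from module_details;'
}

# wait_for_module_cache [interval_seconds] [stable_polls] [max_polls]
# Prints the final count and returns 0 once the count is non-zero and has
# matched the previous poll stable_polls times in a row.
# Returns 1 if that does not happen within max_polls polls.
wait_for_module_cache() {
    wfm_interval=${1:-10}
    wfm_need=${2:-3}
    wfm_max=${3:-120}
    wfm_prev=""
    wfm_same=0
    wfm_i=0
    while [ "$wfm_i" -lt "$wfm_max" ]; do
        wfm_i=$((wfm_i + 1))
        wfm_now=$(count_modules 2>/dev/null | tr -d '[:space:]')
        case "$wfm_now" in
            ''|*[!0-9]*) wfm_now="" ;;  # database not reachable yet, or unexpected output
        esac
        if [ -n "$wfm_now" ] && [ "$wfm_now" -gt 0 ] && [ "$wfm_now" = "$wfm_prev" ]; then
            wfm_same=$((wfm_same + 1))
        else
            wfm_same=0
        fi
        if [ "$wfm_same" -ge "$wfm_need" ]; then
            echo "$wfm_now"
            return 0
        fi
        wfm_prev=$wfm_now
        echo "module_details rows: ${wfm_now:-n/a} (poll $wfm_i of $wfm_max)" >&2
        sleep "$wfm_interval"
    done
    return 1
}

# Usage, in the second terminal tab:
#   wait_for_module_cache && echo "cache is ready"
```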

Required: Fix mitmproxy installation

The Kali version of "mitmproxy" errors with "ImportError: cannot import name 'UBInt16'"

apt-get -y remove mitmproxy
pip3 install mitmproxy
ln -s /usr/local/bin/mitmproxy /usr/bin/mitmproxy
apt-mark manual python3-argcomplete python3-argh python3-brotli python3-click python3-colorama python3-construct python3-cssutils python3-feedparser python3-flask python3-h2 python3-hpack python3-html2text python3-hyperframe python3-itsdangerous python3-jsbeautifier python3-kaitaistruct python3-passlib python3-pathtools python3-pyinotify python3-pyperclip python3-ruamel.yaml python3-simplejson python3-sortedcontainers python3-watchdog python3-werkzeug
mitmproxy --version

Recommended: Install proxychains-ng

Note: Proxychains is not maintained anymore and nmap has issues with it when specifying DNS names

apt-get remove -y proxychains
cd /tmp/
git clone https://github.com/rofl0r/proxychains-ng.git
cd proxychains-ng/
./configure --prefix=/usr --sysconfdir=/etc
make install
make install-config
rm -Rf /tmp/proxychains-ng
cd /root/

Optional: Set up Kali auto-login

Note: We configure the system to automatically login with root user. A very unsafe practice!
Double-click on the "Terminal" icon on your desktop, then:

sed -i 's/#autologin-user=/autologin-user=root/g' /etc/lightdm/lightdm.conf
sed -i 's/#autologin-user-timeout=0/autologin-user-timeout=0/g' /etc/lightdm/lightdm.conf
sed -i 's/user != root/user != nonexistent/g' /etc/pam.d/lightdm-autologin

Optional: Auto-start FiSH terminal, disable power management, screen saver and screen lock

echo '@fish' >> /etc/xdg/lxsession/LXDE/autostart
sed -i "/@xscreensaver -no-splash/d" /etc/xdg/lxsession/LXDE/autostart
rm /etc/xdg/autostart/light-locker.desktop

Optional: Auto-start SANS OpenVPN connection (SANS students)

mkdir /root/sec660
mkdir /root/sec660/openvpn
cd /root/sec660/openvpn
wget https://labs.sans.org/sec660A/FilesForLinux.zip -O /root/sec660/openvpn/sec660A.zip
wget https://labs.sans.org/sec660B/FilesForLinux.zip -O /root/sec660/openvpn/sec660B.zip
unzip sec660A.zip
unzip sec660B.zip
rm sec660*.zip
echo 'VpnPassword' > /root/sec660/openvpn/sec660-key-password
wget https://labs.sans.org/sec660A/users/asdfadfnb2m3n4b2mn43b/sec660a-12345678.crt
wget https://labs.sans.org/sec660A/users/asdfadfnb2m3n4b2mn43b/sec660a-12345678.key
wget https://labs.sans.org/sec660B/users/asdfadfnb2m3n4b2mn43b/sec660b-12345678.crt
wget https://labs.sans.org/sec660B/users/asdfadfnb2m3n4b2mn43b/sec660b-12345678.key

Note: sec660A is the section 1-5 course labs, sec660B is the section 6 Capture the Flag (CTF) event.

leafpad /root/sec660/openvpn/sec660a-linux.conf

Copy/paste the following text into the file:

askpass /root/sec660/openvpn/sec660-key-password
cert /root/sec660/openvpn/sec660a-12345678.crt
key /root/sec660/openvpn/sec660a-12345678.key

# SSL/TLS parms.
ca /root/sec660/openvpn/sec660a-ca.crt
dev tap
proto udp
remote vpn-sec660a.sans.org 1194
resolv-retry infinite
verb 3

leafpad /root/sec660/openvpn/start_vpn.sh

Copy/paste the following text into the file:

#!/bin/bash
echo "Starting VPN. This takes a few seconds, please be patient..."
# Killing old openvpn processes
pkill -e -9 -f 'openvpn --daemon'
# Restoring
dhclient -4 eth0 > /dev/null 2>&1
sleep 1
openvpn --daemon --config /root/sec660/openvpn/sec660a-linux.conf
# Wait until openvpn has created the tap0 interface
while ! grep -q "tap0" /proc/net/dev ; do
 echo "Waiting for tap0 device to come up"
 sleep 1
done
# Request an address on the VPN interface
dhclient tap0 > /dev/null 2>&1
while ! ping -c 1 -W 1 > /dev/null 2>&1 ; do
 echo "Waiting for IP address ..."
 sleep 1
done
echo "VPN successfully connected!"

chmod +x /root/sec660/openvpn/start_vpn.sh

Optional: Auto-start Offensive Security OpenVPN connection (OSCP and OSCE students)

Note: If you are taking the OSCP or OSCE exam you can install and auto-start the OffSec VPN as follows:
Copy "lab-connection.tar.bz2" you received from offensive security to E:\SHARED\ on your PC

cd /root/ && cp /media/sf_SHARED/lab-connection.tar.bz2 /root/
cd /root/ && bzip2 -cd lab-connection.tar.bz2 | tar xvf -

Note: In the next command, replace OS-XXXXX and myoffsecpassword with your offsec credentials

echo "OS-XXXXX" >> /etc/openvpn/osce_server.creds
echo "myoffsecpassword" >> /etc/openvpn/osce_server.creds
cp /root/lab-connection/lab-connection.pem /etc/openvpn/osce_server.pem
cp /root/lab-connection/lab-connection.conf /etc/openvpn/osce_server.conf
sed -i 's#ca lab-connection.pem#ca /etc/openvpn/osce_server.pem#g' /etc/openvpn/osce_server.conf
sed -i 's#auth-user-pass#auth-user-pass /etc/openvpn/osce_server.creds#g' /etc/openvpn/osce_server.conf
sed -i 's/#AUTOSTART="home office"/AUTOSTART="osce_server"/g' /etc/default/openvpn
chmod +x /etc/openvpn/osce_server.conf
chmod 600 /etc/openvpn/osce_server.creds
chmod 600 /etc/openvpn/osce_server.pem
chmod 755 /etc/openvpn/osce_server.conf
update-rc.d openvpn enable 2 3 4 5
systemctl start openvpn

Note: It takes a few seconds for your VPN to start, and obviously the VPN will only work if your account has been enabled to access the labs. After a few seconds, you should see an IP address on the tap0 interface:

ifconfig tap0
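The credential and key files created in this guide (osce_server.creds and osce_server.pem for OffSec, sec660-key-password and the .key files for SANS) are written with the default umask, so it is worth confirming that none of them is readable by group or others. The following is an added example, not part of the original guide; the function names are made up for it, and the file-name patterns are taken from the files created above.

```bash
# Added example, not part of the original guide.
# File-name patterns cover the secrets this guide creates:
#   osce_server.creds, osce_server.pem, sec660-key-password, sec660a-12345678.key

# list_loose_secrets DIR...
# Prints every matching file that grants any permission to group or others.
list_loose_secrets() {
    for lls_dir in "$@"; do
        [ -d "$lls_dir" ] || continue
        find "$lls_dir" -type f \( -name '*.creds' -o -name '*.key' \
            -o -name '*.pem' -o -name '*key-password' \) -print |
        while IFS= read -r lls_file; do
            # The first field of "ls -ld" is the mode string, e.g. -rw-r--r--.
            # Characters 5-10 are the group and other bits; all must be "-".
            case "$(ls -ld -- "$lls_file")" in
                ????------*) ;;
                *) printf '%s\n' "$lls_file" ;;
            esac
        done
    done
    return 0
}

# audit_secret_files DIR...
# Returns 0 when nothing is exposed; otherwise lists the files and returns 1.
audit_secret_files() {
    asf_found=$(list_loose_secrets "$@")
    if [ -n "$asf_found" ]; then
        printf '%s\n' "$asf_found"
        return 1
    fi
    return 0
}

# tighten_secret_files DIR...
# Applies the same mode the guide uses (600) to every exposed file.
tighten_secret_files() {
    list_loose_secrets "$@" | while IFS= read -r tsf_file; do
        chmod 600 -- "$tsf_file"
    done
}

# Usage:
#   audit_secret_files /etc/openvpn /root/sec660/openvpn \
#       || tighten_secret_files /etc/openvpn /root/sec660/openvpn
```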

Optional: Install pidgin IRC client (advised for students)

Note: Pidgin is an IRC client that enables us to join the OffSec IRC chat:


Click "+ Add..."
Click "Basic" tab:
Protocol: IRC
Username: JollyFrogs (use your own name here)
Server: irc.freenode.net
Password: yourpassword
Tick "Remember password"
Click "Add"
Click "Advanced" tab:
Port: 6697
Ident name: JollyFrogs
Real name: JollyFrogs
Tick "Use SSL"
Do not tick "Authenticate with SASL"
Note: I was not able to get SASL to work with Pidgin (SASL works with IRSSI though!)
Click "+ Add" to add this profile
Click "Close" to close the "Accounts" window
Note: If you see "SSL Handshake Failed" in the "Buddy List" window, click "Reconnect"

Note: Off-The-Record plugin (OTR) allows starting encrypted chats:
In the "Buddy List" window:
Click "Tools" -> "Plugins"
Scroll down to "Off-the-Record Messaging" and tick the "Enabled" checkbox on the left
Click "Configure Plugin"
Click "Generate" to generate a new key
Tick "Require private messaging"
Untick "Don't log OTR conversations"
Click "Close" to close the "Off-the-Record Messaging" properties window
Still in the "Plugins" window:
Scroll up to "Extended Preferences" plugin and tick the "Enabled" checkbox
Click "Configure Plugin"
Set "Conversations" font to "10"
Untick "Show join and part messages in chats"
Tick "Show buddy list entry in taskbar" (default)
Tick "Hide buddy list at startup"
Click "Close" to close the "Extended Preferences" properties window
Click "Close" to close the "Plugins" window

In the "Buddy List" window:
"Tools" -> "Preferences"
Interface: Show system tray icon: Always
Click "Close" to close the "Preferences" window
"Tools" -> "Privacy"
Select "Block only the users below" (default)
Click "+ Add"
Please enter the name of the user you wish to block: "nickserv" (no quotes)
Click "Block"
Click "Close" to close the "Privacy" window
Note: Adding nickserv to blocklist prevents it from opening a new window each time you connect
In the "Buddy List" window:
"Buddies" -> "Add Chat..." (not "Join Chat...")
Account: JollyFrogs@irc.freenode.net (IRC)
Channel: #offsec
Password: <leave empty>
Alias: <leave empty>
Group: <leave empty>
Tick "Automatically join when account connects"
Do not tick "Remain in chat after window is closed"
- Click "Add"
Press the "X" in the top right corner to minimize the "Buddy List" window to the tray

Note: Auto-start Pidgin

echo '@pidgin' >> /etc/xdg/lxsession/LXDE/autostart

Optional: Install nc6

Note: The original Kali netcat (aka nc) does not support IPv6 so we install a version with IPv6 support

wget https://launchpad.net/ubuntu/+archive/primary/+files/nc6_1.0.orig.tar.gz
tar zxvf nc6_1.0.orig.tar.gz
cd nc6-1.0
./configure && make && make install PREFIX=/usr
nc6 -h

Optional: Configure TOR for added anonymity

Note: TOR adds a layer of anonymity by routing through various TOR nodes that cannot independently identify your location or your destination or the contents of the IP packets.

Retrieve your current real IP address without using TOR (we'll use this to verify TOR works later)

curl ifconfig.co

We install and start TOR.

apt-get install -y tor
service tor start
torsocks curl ifconfig.co

If TOR is working, then you will see a different IP address to your real IP address. If you want to change TOR IP address, just issue a "service tor restart" to get a different TOR IP address.

"Connection refused (in socks5_connect() at socks5.c:202" means you forgot to start the TOR service
Note: Tor uses port TCP/9050 for socks5 as per /etc/tor/torsocks.conf
Note: You will need to do "service tor start" manually every reboot (it is not recommended to enable the service by default since it will greatly slow down all traffic to and from the internet to your Kali host)

Note: It takes a while before TOR is fully started, you might have to wait for up to 30 seconds before using TOR.
You can route nmap scans through TOR by using proxychains, like so:

proxychains4 -q nmap -n --open -Pn -sT -p 22,80 www.jollyfrogs.com

Note: As the owner of the website www.jollyfrogs.com, I authorize anyone and everyone to freely scan ports 22 (closed) and 80 (open) for testing proxychains4 as per the command above.
You should see something like (note that :

Starting Nmap 7.50 ( https://nmap.org ) at 2017-10-01 16:56 AEST
Nmap scan report for www.jollyfrogs.com (
Host is up (0.79s latency).
Not shown: 1 closed port
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 15.88 seconds

Note that the reported IP address ( is a bug with the combination of proxychains4 and nmap - ignore it as it will still scan the true IP address of the website.

Optional: Install b374k php shell

Note: b374k is a php shell with useful features

cd /root/ && git clone https://github.com/b374k/b374k.git /root/b374k
cd /root/b374k && php -f index.php -- -l
php -f index.php -- -o jollyshell.php -p SomePassword -s -b -z gzcompress -c 9
mkdir /root/webshells && mv jollyshell.php /root/webshells/jollyshell_SomePassword.php

Optional: Install PAExec (psexec alternative)

PAExec lets you launch Windows programs on remote Windows computers without needing to install software on the remote computer first:

mkdir /root/tools; mkdir /root/tools/paexec; wget http://www.poweradmin.com/paexec/paexec.exe -O /root/tools/paexec/paexec.exe

Optional: Configure and auto-start Burp Suite

Note: The following lines remove the annoying BurpSuite update check:

ip route add prohibit
sed -i '$ d' /etc/rc.local
echo -e '/bin/ip route add prohibit\nexit 0' >> /etc/rc.local

Note: BurpSuite is a powerful proxy server solution

mkdir /root/.burp
echo -e '#!/bin/bash\n/bin/rm -Rf /tmp/burp*.tmp;java -jar /usr/bin/burpsuite' > /root/.burp/startburp.sh
chmod +x /root/.burp/startburp.sh

Note: Start BurpSuite


Untick "Help improve Burp by submitting anonymous feedback about its performance"
Note: Click "I Accept" to accept the licence (only shows up during first run)
Select "Temporary project" (default) -> "Next"
Select "Use Burp Defaults" (default) -> "Start Burp"

In Burp Suite Free Edition:
Click "Proxy" tab in the top menu bar (towards the left)
Click "Options" under the Proxy settings (one bar below the top bar)
Highlight the current Proxy Listener ( and click "Edit":
Change "Bind to port:" to 9500
Click "OK" to close the menu
Click "User options" tab -> "Misc" tab -> Enable interception at startup: "Always disable"
Click "Burp" in the top left menu -> "Project Options" -> "Save project options"
Filename: /root/.burp/BurpPrefs.json
Click "Save"
Click "Burp" in the top left menu -> "User Options" -> "Save user options"
Filename: /root/.burp/BurpUserOptions.json
Click "Save"
Click "Burp" in the top left menu -> "Exit" -> Click "Yes" to confirm

Note: Below is one long command which starts Burp and automatically clicks "Start" for you 🙂

echo -e '#!/bin/bash\npkill -f burpsuite\n/bin/rm -Rf /tmp/burp*.{tmp,burp};java -jar /usr/bin/burpsuite --config-file=/root/.burp/BurpPrefs.json --config-file=/root/.burp/BurpUserOptions.json &\nuntil xdotool search --name "Burp Suite Free Edition" windowactivate --sync; do :; done\nsleep 0.5\nxdotool search --name "Burp Suite Free Edition" windowmove 100 50\nxdotool search --name "Burp Suite Free Edition" windowactivate windowsize 800 500\nxdotool mousemove 850 550 click 1' > /root/.burp/startburp.sh

Note: Add startburp.sh to autostart

echo '@/root/.burp/startburp.sh' >> /etc/xdg/lxsession/LXDE/autostart

Start Burp as follows:


Note: Keep BurpSuite running (you can minimize the window if you want)

Optional: Configure Firefox to use Burp Suite proxy

Note: Start FireFox and configure it to use our Burp Proxy


In Firefox:
Open Menu (3 horizontal bars in the top left) -> "Preferences" -> "Advanced" -> "Network" -> "Settings..."
Select "Manual proxy configuration"
HTTP Proxy: Port 9500
Tick "Use this proxy server for all protocols"
Click "OK"

In the FireFox browser bar, navigate to http://burp
- Click "CA Certificate" in the top right -> "Save File"
Open Menu (3 horizontal bars in the top left) -> "Preferences" -> "Advanced" -> "Certificates"
- Untick "Query OCSP responder servers to confirm the current validity of certificates"
- Click "View Certificates"
- Select the "Authorities" tab
- Click "Import", select the Burp CA certificate file that you previously saved (cacert.der) and click "Open".
Note: You might or might not be asked for the root password to unlock your keyring
- In the dialog box that pops up, check the box "Trust this CA to identify web sites", and click "OK".

Navigate to: about:addons
Install the following addons:
Adblock Plus
Element Hiding Helper for Adblock Plus
Advanced Cookie Manager
- Click "Restart Now" to restart Firefox after installing the addons (or manually close and restart FireFox)
- Close Firefox after it has restarted

Optional: Disable HTTPS and PHP and auto-start Apache

Note: Auto-start Apache and disable Apache HTTPS (port 443) listener.
Note: We like to use port 443 for reverse meterpreter shells and other goodies
Note: Disable PHP so you can safely serve malicious PHP payloads from Apache.

/usr/sbin/a2dismod php7.0
sed -i 's/Listen 443/#Listen 443/g' /etc/apache2/ports.conf
update-rc.d apache2 enable

Optional: Update NMAP scripts

Note: We update the nmap scripts database

nmap --script-updatedb

Optional: Install showop.sh - shows hexadecimal values of ASM instructions

Note: showop.sh can be used to show the hexadecimal values of assembly instructions

wget https://raw.githubusercontent.com/JollyFrogs/tools/master/showop.sh -O /root/tools/showop.sh
chmod +x /root/tools/showop.sh
/root/tools/showop.sh "mov eax,ecx;inc eax;nop"

Optional: Install hex2file.py - creates shell-code from a shell-code byte-string

Note: hex2file.py can create a shell-code file from a shell-code byte-string

wget https://raw.githubusercontent.com/JollyFrogs/tools/master/hex2file.py -O /root/tools/hex2file.py
chmod +x /root/tools/hex2file.py
python /root/tools/hex2file.py hexfile.bin "\x41\x42\x43\x44\x45"
hexdump -C hexfile.bin && rm hexfile.bin

Optional: Install pecloak - injects and hides malware inside files

Note: pecloak allows hiding malware inside files

cd /root/tools/ && mkdir /root/tools/pecloak
wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/libdasm/libdasm-beta.zip
unzip libdasm-beta.zip -d /root/tools/libdasm/ && cd /root/tools/libdasm/pydasm
python setup.py build_ext
sudo python setup.py install
wget 'http://git.n0p.cc/?p=SectionDoubleP.git;a=blob_plain;f=SectionDoubleP.py' -O /root/tools/pecloak/SectionDoubleP.py
wget http://www.securitysift.com/download/peCloak.py -O /root/tools/pecloak/pecloak.py
sed -i 's/pe.write(pe.OPTIONAL_HEADER.SizeOfHeaders, filename=fname)/pe.write(filename=fname)/g' /root/tools/pecloak/pecloak.py
cd /root/tools/pecloak/ && cp /root/tools/paexec/paexec.exe . && python pecloak.py paexec.exe
cd /root/

Optional: Install winscp.exe - windows GUI tool allows copying of files over SSH

Note: winscp is a windows graphical client for copying files over SSH:

cd /root/ && wget https://winscp.net/download/WinSCP-5.9.2-Portable.zip
unzip -C WinSCP-5.9.2-Portable.zip winscp.exe -d /var/www/html
unzip -C WinSCP-5.9.2-Portable.zip winscp.exe -d /root/tools/
rm /root/WinSCP-5.9.2-Portable.zip

Optional: Install pscp.exe - windows CLI tool allows copying of files over SSH

Note: pscp is a windows text-based client for copying files over SSH:

wget https://the.earth.li/~sgtatham/putty/latest/x86/pscp.exe -O /var/www/html/pscp.exe
cp /var/www/html/pscp.exe /root/tools/

Required: Update the locate database after installing files

Note: The Linux "locate" command uses a database that is built using "updatedb"


Note: We're all done!
Let's test our new installation by rebooting and seeing if everything comes up properly: