Kali2017.1 64-bit installation guide on Windows 10

Author: frog@jollyfrogs.com

This guide is written on Windows 10 64-bit Host OS Version 1703 (OS Build 15063.540)

Optional: Introduction

This is the hardware that I used to set up this lab. If you don't have similar or better hardware, I advise investing a little in getting good hardware:
Asus Maximus Hero VI motherboard
32GB memory (Kingston)
Intel 120GB Solid State Hard-disk (SSD)
Core i7-4770K CPU @ 3.50GHz, 4 Core(s), 8 Logical Processors
Windows 10 64-bit Host

I have created this lab using my own network IP addressing. All subnet masks in the LAN are "/24" aka "255.255.255.0". The following components are what I start with - just my PC and a router which I use as default gateway to connect to the internet:
10.123.1.1 = My physical internet router (a Ubiquiti ERLite3) which acts as my default gateway and DNS server.
10.123.1.100 = My existing LAN interface, we will lose this IP when we configure a BRIDGE interface later

The following IP addresses are used for the components that are added during this guide:
10.123.1.109 = My main PC BRIDGE interface
10.123.1.200 = Our new Kali installation (you're building it now!)

You have two options when following this guide:
1) Rename all references to the IP addresses above and in this guide to IP addresses you are using on your LAN.
or
2) Renumber your internal network IP addressing to use the same IP addresses as in this guide.

You do not need hardware components to set up this lab other than a beefy PC; everything will be running in VirtualBox on your PC.

Required: Preparations

Important notice: Do not skim over these instructions; they provide the foundation of your environment. Any typo or mistake here will affect your environment later in unpredictable ways, so please take the time to go through these steps carefully. Spelling matters, typos matter. If you run into any issues during installation, please re-read the instructions carefully and ensure you haven't made a typo.

IMPORTANT Note: I don't isolate hosts on my network. This is a very *UNSAFE* practice, especially when meddling with vulnerable applications and systems while coding and testing new exploits. I run a simple but good firewall (Ubiquiti ERLite3) which protects my network from outside attacks, but more importantly, I have off-line backups of all my important files and documents. If this is something that you don't feel 100% comfortable with, then you should set up an isolated network which is totally segregated from your home network. VirtualBox supports this kind of setup via "Host-only adapters", but this guide doesn't cover such a setup, although it would probably only require minor modifications in VirtualBox.

Get required files:
--------------------
VirtualBox:
http://download.virtualbox.org/virtualbox/5.1.26/VirtualBox-5.1.26-117224-Win.exe

Kali:
http://cdimage.kali.org/kali-2017.1/kali-linux-lxde-2017.1-amd64.iso

Required: Create windows bridge interface

Create and bridge a loop-back adapter so your virtual machines can talk to your physical PC and network
-------------------------------------------------------------------------------------------------------
- Click the Windows Start button (bottom left)
- type "cmd" but do not press enter
- Right-click "cmd.exe" (top of start bar menu) and select "run as Administrator" (Click "Yes" to confirm)
Note: In the black cmd.exe screen:
- type "hdwwiz.exe" and press Enter
Note: the "Add Hardware Wizard" window opens
- Click "Next"
- Select "Install the hardware that I manually select from a list (Advanced)" and click "Next"
- Select "Network adapters" and click "Next"
- Select "Microsoft" and "Microsoft KM-TEST Loopback Adapter" under Manufacturer and Network Adapter respectively, then click "Next"
- Click "Next" to install the loopback adapter
- Click "Finish" to close the "Add Hardware" screen
Note: We're still in the black cmd.exe screen:
- type "ncpa.cpl" and press Enter
Note: the "Network Connections" window opens
- Right-click the adapter "Microsoft Loopback Adapter" and select "Rename"
- Rename the Loopback Adapter to "LOOPBACK" to remove confusion later
- Right-click your wired network adapter and select "Rename"
- Rename your wired network adapter to "LAN"
- Highlight (left click while holding CTRL key pressed) both the LOOPBACK adapter and your LAN network adapter
- Right click on the LOOPBACK adapter while both adapters are highlighted and select "Bridge Connections"
Note: This will create a new network card called "Network Bridge"
- Right-click your new bridge adapter and select "Rename"
- Rename the new bridge adapter to "BRIDGE"
- Right-click "BRIDGE" and select "Properties"
In the "BRIDGE Properties" screen:
- Left-click (to highlight) "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties"
In the "Internet Protocol Version 4 (TCP/IPv4) Properties" screen:
In the "General" tab at the top:
Select "Use the following IP address"
IP address: 10.123.1.109
Subnet mask: 255.255.255.0
Default gateway: 10.123.1.1
Preferred DNS server: 10.123.1.1
Alternate DNS server: <leave blank>
- Click "OK" to close the "Internet Protocol Version 4 (TCP/IPv4) Properties" screen
- Click "Close" to close the "BRIDGE Properties" screen
Note: We're still in the black cmd.exe screen:
- type "ping www.google.com"
Note: You should see replies from the google web server.
Note: Your BRIDGE adapter is now your main network adapter
Note: Do not proceed if you do not have internet connectivity
- Close the "Command Prompt" black cmd.exe screen

Required: Install VirtualBox

Install VirtualBox
------------------
Run "VirtualBox-5.1.26-117224-Win.exe"
Note: Click "Yes" on any opening warnings
- Click "Next >"
- Click "Next >" (install all options)
- Click "Next >"
- Click "Yes"
- Click "Install" to start the installation
- Click "Yes" at the UAC warning screen
- If you get prompted: Click "Install" to install the device driver
- Click "Finish"

Required: Install Kali on VirtualBox

Install Kali on VirtualBox
-------------------------------------
Start "Oracle VM VirtualBox" if not already started
- Click "New"
Name: "Kali-2017.1-LXDE-64bit"
Type: "Linux"
Version: "Debian (64-bit)"
- Click "Next"
MB: "1024"
- Click "Next"
Select "Create a virtual hard drive now" (Default)
- Click "Create"
- Select "VDI (VirtualBox Disk Image)" and Click "Next"
- Select "Dynamically allocated" and Click "Next"
- "F:\VIRTUALBOX_DISKS\Kali-2017.1-LXDE-64bit.vdi" (you can choose any folder with enough space)
- "50.00 GB" (to make sure we don't run out of space any time soon)
- Click "Create"
Note: A new icon "Kali-2017.1-LXDE-64bit" was created in your "Oracle VM VirtualBox Manager"

Note: Leave settings at default unless otherwise stated below
Note: I'm showing some important settings even though they are defaults, in case the defaults change some day
- Right-click "Kali-2017.1-LXDE-64bit" in the left menu and click "Settings..."
General - Advanced - Shared Clipboard: "Bidirectional"
Note: Replace "mysecret" below with the root password you will use a bit later; it can be anything you want
General - Description: root - mysecret
System - Motherboard - Untick "Floppy"
System - Processor - Tick "Enable PAE/NX"
Storage - Left-Click "Empty" (to highlight it)
On the far right, click on the blue tiny CD-Rom icon and click "Choose Virtual Optical Disk File..."
Select "D:\APPS\Linux - Kali\kali-linux-lxde-2017.1-amd64.iso" (choose your appropriate folder)
Network - Adapter 1 - Attached to: "Bridged Adapter"
Network - Adapter 1 - Name: "Microsoft Network Adapter Multiplexor Driver"
Network - Adapter 1 - Advanced - Promiscuous Mode: Allow All
Network - Adapter 1 - Advanced - MAC Address: 201701000000
Note: Set the MAC address to an easily identifiable MAC
Shared Folders - Click the blue folder icon with the green +
Folder Path: "E:\SHARED"
Folder Name: "SHARED"
Tick "Auto-mount"
Click "OK" to add the shared folder to your virtual Kali machine settings
- Click "OK" to close the "Kali-2017.1-LXDE-64bit - Settings" screen
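
The settings above end up in the VM's .vbox file, so the ones that bear on the isolation warning under Preparations can be read back and checked; the following is an added example, not part of the original guide. Assumptions: the function name, finding labels and embedded sample are constructed for illustration, and the element and attribute names are taken to match the XML VirtualBox writes for a VM definition.

```python
import re
import xml.etree.ElementTree as ET

NS = {"vb": "http://www.virtualbox.org/"}

# Constructed, trimmed .vbox fragment that mirrors the settings chosen in this guide.
SAMPLE_VBOX = r"""<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.15-windows">
  <Machine name="Kali-2017.1-LXDE-64bit" OSType="Debian_64">
    <Description>root - mysecret</Description>
    <Hardware>
      <Network>
        <Adapter slot="0" enabled="true" MACAddress="201701000000"
                 promiscuousModePolicy="AllowAll" type="82540EM">
          <BridgedInterface name="Microsoft Network Adapter Multiplexor Driver"/>
        </Adapter>
      </Network>
      <Clipboard mode="Bidirectional"/>
      <SharedFolders>
        <SharedFolder name="SHARED" hostPath="E:\SHARED" writable="true" autoMount="true"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>"""


def audit_vbox(xml_text):
    """Return (label, detail) findings for settings that weaken guest/host isolation."""
    machine = ET.fromstring(xml_text).find("vb:Machine", NS)
    if machine is None:
        raise ValueError("no <Machine> element: not a VirtualBox VM definition")
    findings = []

    for nic in machine.iterfind(".//vb:Network/vb:Adapter", NS):
        if nic.get("enabled") != "true":
            continue
        slot = int(nic.get("slot", "0")) + 1  # the GUI numbers adapters from 1
        bridge = nic.find("vb:BridgedInterface", NS)
        if bridge is not None:
            findings.append(("bridged-nic",
                             f"Adapter {slot} bridged to {bridge.get('name')!r}: guest is on the host LAN"))
        policy = nic.get("promiscuousModePolicy", "Deny")  # attribute absent means Deny
        if policy != "Deny":
            findings.append(("promiscuous", f"Adapter {slot} promiscuous policy is {policy}"))

    clip = machine.find(".//vb:Clipboard", NS)
    mode = clip.get("mode", "Disabled") if clip is not None else "Disabled"
    if mode != "Disabled":
        findings.append(("clipboard", f"Shared clipboard mode is {mode}"))

    for folder in machine.iterfind(".//vb:SharedFolders/vb:SharedFolder", NS):
        if folder.get("writable") == "true":
            findings.append(("shared-folder", f"{folder.get('hostPath')} is writable from the guest"))

    description = machine.findtext("vb:Description", default="", namespaces=NS)
    if re.search(r"\b(root|pass(word|wd)?|pwd)\b", description, re.IGNORECASE):
        findings.append(("description", "Description appears to hold credentials in plain text"))
    return findings


if __name__ == "__main__":
    for label, detail in audit_vbox(SAMPLE_VBOX):
        print(f"[{label}] {detail}")
```

An empty result means none of the checked settings exposes the host or LAN to the guest; each finding names the setting to revisit when moving to a segregated lab.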

- Right-click "Kali-2017.1-LXDE-64bit" in the left menu and click "Start" -> "Normal Start"
Note: A new screen "Kali-2017.1-LXDE-64bit [Running] - Oracle VM VirtualBox" opens and the Kali Linux installer will boot.
In the "Kali-2017.1-LXDE-64bit [Running] - Oracle VM VirtualBox" screen:
You will be presented with the Kali boot menu
Use the down arrow on your keyboard to highlight "Install" and press Enter to start installation

Note: The options below assume you're pressing <Enter> to select them:
Select "English - English"
Select "Australia" (select the country you live in, or perhaps you like Australia)
Select "American English"
Hostname: kali
Domain name: the.frog.pond (choose anything you want)
Root password: mysecret (choose any password you like)
Re-enter password to verify: mysecret
Select the state or province to set your time zone: "Queensland" (the sunny state!)
Partitioning method: "Guided - use entire disk"
Select disk to partition: "SCSIx (0,0,0) (sda) - 53.7 GB ATA VBOX HARDDISK"
Partitioning scheme: "All files in one partition (recommended for new users)"
"Finish partitioning and write changes to disk" - press <Enter>
Write the changes to disks? "Yes" (press left arrow key to highlight it)
Note: Kali will now copy required files off the virtual optical disk to the virtual hard drive
Use a network mirror? "Yes"
Do you need a proxy: <leave empty> and select "Continue" (press down arrow key to highlight it)
Note: Depending on your internet speed, this step can take a while; be patient.
Install the GRUB boot loader to the master boot record? "Yes"
Device for boot loader installation: "/dev/sda (ata-VBOX_HARDDISK_<random_numbers>)"
Installation Complete: "Continue"
Note: Kali will reboot. Let the GNU GRUB boot menu time out or select "Kali GNU/Linux"

Required: Create shortcut to LXTerminal on Kali desktop

At the login screen:
- Top field (username): root
- Lower field (Password): mysecret (whatever password you chose earlier)
Note: After filling in the fields, press Enter to login
Note: You will be presented Kali's LXDE desktop environment (similar to Windows)
Note: The first thing you see is a "Save history" popup.
On the "Save history" popup: Click "No"

Left-Click the flying bird icon in the bottom left of the screen
"Usual Applications" -> "System Tools" -> "LXTerminal"
In the "root@kali:~#" terminal window type:
Note: You can not use copy/paste yet! We'll install VirtualBox guest additions for that first

Note: You should have gotten an IP address from your network router.

Note: You should see replies from 8.8.8.8, if you do then you have internet access from Kali!
Note: If you do not have internet access then do not continue installation and fix internet first

Use leafpad to enter the following text into the file lxterminal.desktop:

In Leafpad, click "File" -> "Save"
In Leafpad, click "File" -> "Quit"

Note: Do not close the Terminal window, we'll use it to install VirtualBox Guest Additions

Required: Install VirtualBox Guest Additions within Kali

Note: You can not yet use copy/paste since we have not yet installed the VirtualBox guest additions. We will install VirtualBox guest additions:
Click "Devices" (on the VirtualBox top menu bar just outside the desktop) -> "Insert Guest Additions CD image..."
Click "Cancel" when asked to "Open in File Manager"

Note: If you are located in Australia, you can change /etc/apt/sources.list to use the following Kali mirror - it has good speed for Australians:
deb http://mirror.internode.on.net/pub/kali kali-rolling main non-free contrib

The total download size is generally larger than 1Gb. At the point of writing this guide, the total download size was 1,246 MB.

In the "root@kali:~#" terminal window type

Note: All files are downloaded first. After download completes the upgrade starts, and you might be asked:
- Should non-superusers be able to capture packets? <Yes> (left arrow key then <enter>)
- Restart services during package upgrades without asking? <Yes>
- Configuring postgresql-common: <Ok> (<tab> key then <enter>)

Note: the line below is an alternative to the 5 commands below:
wget https://www.jollyfrogs.com/install/k2.sh && chmod +x k2.sh && ./k2.sh
After reboot, login as before and double-click on the "Terminal" icon on your desktop, then:

Note: After completing the installation of the VBoxLinuxAdditions:
Click "Devices" (in the VirtualBox top menu bar) -> "Optical Drives" -> "Remove disk from virtual drive"
If asked, click "Force unmount"

After reboot, login with user root and password you configured earlier
Note: Now that you have installed the VirtualBox additions to Kali, you can:
- Seamlessly move the mouse in and out of the virtual machine
- Copy/Paste to and from the virtual machine using clipboard
- Share folders between the virtual machine guest and your host machine

Required: Install additional components

Note: Install additional required Linux components as follows
Double-click on the "Terminal" icon on your desktop, then:

Note: This is a fairly big download at around 600MB

Required: Create shortcut to FiSH terminal on Kali desktop

In the "root@kali:~#" terminal window type:

Use leafpad to enter the following text into the file fish.desktop:

In Leafpad, click "File" -> "Save"
In Leafpad, click "File" -> "Quit"

Required: Configure Metasploit

Now we run some Metasploit initialization commands:

Note: Don't do anything in Metasploit. It can take a while before the database has updated the cache.
In your terminal window:
Click "File" -> "New Tab" to open a new terminal, and in this new terminal type:

Note: The query will return the number of rows updated thus far.
Note: Add up all the exploits, auxiliary, post, payloads, encoders and nops in the welcome message
Note: On our Kali 2017.1 LXDE installation, this number would be around 3441
Note: After the database has fully updated, close the second terminal window, and do the following:
msf > search auxiliary
Note: You should not see a warning that the database is disconnected or the cache has not been updated
msf > exit

Required: Install proxychains-ng

Note: Proxychains is not maintained anymore and nmap has issues with it when specifying DNS names

Optional: Set up Kali auto-login

Note: We configure the system to automatically login with root user. A very unsafe practice!
Double-click on the "Terminal" icon on your desktop, then:

Optional: Auto-start FiSH terminal, disable power management, screen saver and screen lock

Optional: Auto-start SANS OpenVPN connection (SANS students)

Note: sec660A is the section 1-5 course labs, sec660B is the section 6 Capture the Flag (CTF) event.

Copy/paste the following text into the file:

Copy/paste the following text into the file:

Optional: Auto-start Offensive Security OpenVPN connection (OSCP and OSCE students)

Note: If you are taking the OSCP or OSCE exam you can install and auto-start the OffSec VPN as follows:
Copy "lab-connection.tar.bz2" you received from offensive security to E:\SHARED\ on your PC

Note: In the next command, replace OS-XXXXX and myoffsecpassword with your offsec credentials

Note: It takes a few seconds for your VPN to start, and obviously the VPN will only work if your account has been enabled to access the labs. After a few seconds, you should see an IP address on the tap0 interface:

Optional: Install pidgin IRC client (advised for students)

Note: Pidgin is an IRC client that enables us to join the OffSec IRC chat:

Click "+ Add..."
Click "Basic" tab:
Protocol: IRC
Username: JollyFrogs (use your own name here)
Server: irc.freenode.net
Password: yourpassword
Tick "Remember password"
Click "Add"
Click "Advanced" tab:
Port: 6697
Ident name: JollyFrogs
Real name: JollyFrogs
Tick "Use SSL"
Do not tick "Authenticate with SASL"
Note: I was not able to get SASL to work with Pidgin (SASL works with IRSSI though!)
Click "+ Add" to add this profile
Click "Close" to close the "Accounts" window
Note: If you see "SSL Handshake Failed" in the "Buddy List" window, click "Reconnect"

Note: Off-The-Record plugin (OTR) allows starting encrypted chats:
In the "Buddy List" window:
Click "Tools" -> "Plugins"
Scroll down to "Off-the-Record Messaging" and tick the "Enabled" checkbox on the left
Click "Configure Plugin"
Click "Generate" to generate a new key
Tick "Require private messaging"
Untick "Don't log OTR conversations"
Click "Close" to close the "Off-the-Record Messaging" properties window
Still in the "Plugins" window:
Scroll up to "Extended Preferences" plugin and tick the "Enabled" checkbox
Click "Configure Plugin"
Set "Conversations" font to "10"
Untick "Show join and part messages in chats"
Tick "Show buddy list entry in taskbar" (default)
Tick "Hide buddy list at startup"
Click "Close" to close the "Extended Preferences" properties window
Click "Close" to close the "Plugins" window

In the "Buddy List" window:
"Tools" -> "Preferences"
Interface: Show system tray icon: Always
Click "Close" to close the "Preferences" window
"Tools" -> "Privacy"
Select "Block only the users below" (default)
Click "+ Add"
Please enter the name of the user you wish to block: "nickserv" (no quotes)
Click "Block"
Click "Close" to close the "Privacy" window
Note: Adding nickserv to blocklist prevents it from opening a new window each time you connect
In the "Buddy List" window:
"Buddies" -> "Add Chat..." (not "Join Chat...")
Account: JollyFrogs@irc.freenode.net (IRC)
Channel: #offsec
Password: <leave empty>
Alias: <leave empty>
Group: <leave empty>
Tick "Automatically join when account connects"
Do not tick "Remain in chat after window is closed"
- Click "Add"
Press the "X" in the top right corner to minimize the "Buddy List" window to the tray

Note: Auto-start Pidgin

Optional: Install nc6

Note: The original Kali netcat (aka nc) does not support IPv6 so we install a version with IPv6 support

Optional: Configure TOR for added anonymity

Note: TOR adds a layer of anonymity by routing through various TOR nodes that cannot independently identify your location or your destination or the contents of the IP packets.

Retrieve your current real IP address without using TOR (we'll use this to verify TOR works later)

We install and start TOR.

If TOR is working, then you will see a different IP address to your real IP address. If you want to change TOR IP address, just issue a "service tor restart" to get a different TOR IP address.

"Connection refused (in socks5_connect() at socks5.c:202" means you forgot to start the TOR service
Note: Tor uses port TCP/9050 for socks5 as per /etc/tor/torsocks.conf
Note: You will need to do "service tor start" manually every reboot (it is not recommended to enable the service by default since it will greatly slow down all traffic to and from the internet to your Kali host)

Note: It takes a while before TOR is fully started; you might have to wait for up to 30 seconds before using TOR.
You can route nmap scans through TOR by using proxychains, like so:

Note: As the owner of the website www.jollyfrogs.com, I authorize anyone and everyone to freely scan ports 22 (closed) and 80 (open) for testing proxychains4 as per the command above.
You should see something like (note that :

Note that the reported IP address (224.0.0.1) is a bug with the combination of proxychains4 and nmap - ignore it as it will still scan the true IP address of the website.

Optional: Install b374k php shell

Note: b374k is a php shell with useful features

Optional: Install PAExec (psexec alternative)

PAExec lets you launch Windows programs on remote Windows computers without needing to install software on the remote computer first:

Optional: Configure and auto-start Burp Suite

Note: The following lines remove the annoying BurpSuite update check:

Note: BurpSuite is a powerful proxy server solution

Note: Start BurpSuite

Untick "Help improve Burp by submitting anonymous feedback about its performance"
Note: Click "I Accept" to accept the licence (only shows up during first run)
Select "Temporary project" (default) -> "Next"
Select "Use Burp Defaults" (default) -> "Start Burp"

In Burp Suite Free Edition:
Click "Proxy" tab in the top menu bar (towards the left)
Click "Options" under the Proxy settings (one bar below the top bar)
Highlight the current Proxy Listener (127.0.0.1:8080) and click "Edit":
Change "Bind to port:" to 9500
Click "OK" to close the menu
Click "User options" tab -> "Misc" tab -> Enable interception at startup: "Always disable"
Click "Burp" in the top left menu -> "Project Options" -> "Save project options"
Filename: /root/.burp/BurpPrefs.json
Click "Save"
Click "Burp" in the top left menu -> "User Options" -> "Save user options"
Filename: /root/.burp/BurpUserOptions.json
Click "Save"
Click "Burp" in the top left menu -> "Exit" -> Click "Yes" to confirm

Note: Below is one long command which starts Burp and automatically clicks "Start" for you 🙂

Note: Add startburp.sh to autostart

Start Burp as follows:

Note: Keep BurpSuite running (you can minimize the window if you want)

Optional: Configure Firefox to use Burp Suite proxy

Note: Start Firefox and configure it to use our Burp Proxy

In Firefox:
Open Menu (3 horizontal bars in the top left) -> "Preferences" -> "Advanced" -> "Network" -> "Settings..."
Select "Manual proxy configuration"
HTTP Proxy: 127.0.0.1 Port 9500
Tick "Use this proxy server for all protocols"
Click "OK"

In the Firefox browser bar, navigate to http://burp
- Click "CA Certificate" in the top right -> "Save File"
Open Menu (3 horizontal bars in the top left) -> "Preferences" -> "Advanced" -> "Certificates"
- Untick "Query OCSP responder servers to confirm the current validity of certificates"
- Click "View Certificates"
- Select the "Authorities" tab
- Click "Import", select the Burp CA certificate file that you previously saved (cacert.der) and click "Open".
Note: You might or might not be asked for the root password to unlock your keyring
- In the dialog box that pops up, check the box "Trust this CA to identify web sites", and click "OK".

Navigate to: about:addons
Install the following addons:
Adblock Plus
Element Hiding Helper for Adblock Plus
Advanced Cookie Manager
- Click "Restart Now" to restart Firefox after installing the addons (or manually close and restart Firefox)
- Close Firefox after it has restarted

Optional: Disable HTTPS and PHP and auto-start Apache

Note: Auto-start Apache and disable Apache HTTPS (port 443) listener.
Note: We like to use port 443 for reverse meterpreter shells and other goodies
Note: Disable PHP so you can safely serve malicious PHP payloads from Apache.

Optional: Update NMAP scripts

Note: We update the nmap scripts database

Optional: Install showop.sh - shows hexadecimal values of ASM instructions

Note: showop.sh can be used to show the hexadecimal values of assembly instructions

Optional: Install hex2file.py - creates shell-code from a shell-code byte-string

Note: hex2file.py can create a shell-code file from a shell-code byte-string

Optional: Install pecloak - injects and hides malware inside files

Note: pecloak allows hiding malware inside files

Optional: Install winscp.exe - windows GUI tool allows copying of files over SSH

Note: winscp is a windows graphical client for copying files over SSH:

Optional: Install pscp.exe - windows CLI tool allows copying of files over SSH

Note: pscp is a windows text-based client for copying files over SSH:

Required: Update the locate database after installing files

Note: The Linux "locate" command uses a database that is built using "updatedb"

Note: We're all done!
Let's test our new installation by rebooting and seeing if everything comes up properly:
