Penetration Testing Scenario No. 1
Our last blog post on the Kali Linux site discussed implementing some cool scenarios with Kali Linux such as remote unattended installations, creating custom Kali Linux ISOs, and getting Kali working on funky ARM hardware.
We received several emails from people asking for more information on how to implement these scenarios, so we thought we’d make a few blog posts with more detailed examples. Today, we will look into preforming customized, unattended PXE network installations of Kali Linux and creating remote “Penetration Testing Kali Agents”.
Getting Started with a PXE Network Install
One of the little-known features of Kali Linux is that it supports unattended installations over a network. This feature allows for easy deployment of custom Kali Linux instances that do not require any manual intervention during the installation process.
Before dealing with unattended installs, you will first want to follow the instructions for a Kali Linux Network PXE Install to get all of the major components ready. Once your PXE server is all configured, you’re ready to move on and get ready to automate your installations.
Preseed and Postseed Script File Setup
Before you start the installation, place a preseed.cfg file on a web server that will be available to the machine you are trying to install. You can use the preseed file shown below as a starting point. In our example, the web server serving the preseed file is located on the same network as the machine being installed, with the IP address: 192.168.101.54.
d-i console-keymaps-at/keymap select us
d-i mirror/country string enter information manually
d-i mirror/suite string kali
d-i mirror/codename string kali
d-i mirror/http/hostname string archive.kali.org
d-i mirror/http/directory string /kali
d-i mirror/http/proxy string
d-i clock-setup/utc boolean true
d-i time/zone string US/Eastern
# Disable volatile and security
d-i apt-setup/services-select multiselect
# Enable contrib and non-free
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true
d-i partman-auto/method string regular
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto/choose_recipe select atomic
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
# Add our own security mirror
d-i apt-setup/local0/repository string http://archive.kali.org/kali-security kali/updates main
d-i apt-setup/local0/comment string Security updates
d-i apt-setup/local0/source boolean false
d-i apt-setup/use_mirror boolean true
# Upgrade installed packages
tasksel tasksel/first multiselect standard
d-i pkgsel/upgrade select full-upgrade
# Install a limited subset of tools from the Kali Linux repositories
d-i pkgsel/include string openssh-server openvas metasploit-framework metasploit nano
# Change default hostname
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain
d-i netcfg/hostname string kali
# Do not create a normal user account
d-i passwd/make-user boolean false
d-i passwd/root-password password toor
d-i passwd/root-password-again password toor
popularity-contest popularity-contest/participate boolean false
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean false
d-i finish-install/reboot_in_progress note
d-i preseed/late_command string \
in-target wget http://192.168.101.54/postseed.sh; \
in-target /bin/bash -x chmod 755 ./postseed.sh; \
in-target /bin/bash -x ./postseed.sh;
The sample preseed file above will install a limited subset of tools, specifically openssh-server, openvas, metasploit, and nano. You can feel free to change this as needed, adding or removing whatever tools you like. Take particular note of the last section of the preseed file, which allows you to run post installation scripts. In our case, we run an additional post install script, postseed.sh, which is located on the same web root directory as the preseed.cfg file. The postseed.sh script enters an SSH key into the image and makes sure that all our desired services will start at boot time.
mkdir -p /root/.ssh
# Replace "YOUR SSH KEY" with a your ssh public key.
echo "YOUR SSH KEY" > /root/.ssh/authorized_keys
# Disable SSH password authentication
sed 's/#PasswordAuthentication\ yes/PasswordAuthentication\ no/g' /etc/ssh/sshd_config
# Set the admin password of OpenVas to admin123
sed '/add_user/ s|$| -w admin123|' /usr/bin/openvas-setup
/usr/bin/openvas-setup
rm -rf /etc/rc.local
cat << EOF > /etc/rc.local
#!/bin/bash
/etc/init.d/greenbone-security-assistant start
/etc/init.d/openvas-scanner start
/etc/init.d/openvas-administrator start
/etc/init.d/openvas-manager start
# Set msfrpcd to username "metadmin" and password "metpass123" on port 1337
/usr/bin/msfrpcd -S -U metadmin -P metpass123 -p 1337 &
exit 0
EOF
chmod 755 /etc/rc.local
update-rc.d ssh enable
update-rc.d postgresql enable
update-rc.d metasploit enable
Modifying PXE Boot Parameters in txt.cfg
To avoid having to enter the boot parameters for the preseed install on every boot, you can simply edit the /tftpboot/debian-installer/amd64/boot-screens/txt.cfg file to look like the following. Do not forget to update the URL of the preseed file:
label install
menu label ^Unattended Install
menu default
kernel debian-installer/amd64/linux
append vga=788 initrd=debian-installer/amd64/initrd.gz -- quiet url=http://192.168.101.54/preseed.cfg locale=en_US keymap=us hostname=kali domain=local.lan
Kick Back and Enjoy the Ride!
Boot up the target computer and initiate a PXE boot; the Kali Linux boot prompt should appear before you. Choosing the “Unattended Install” option should start and finish the entire Kali installation without any intervention required.
