In our last blog post, we provided an example of running an unattended network installation of Kali Linux. Our scenario covered the installation of a custom Kali configuration which contained select tools required for a remote vulnerability assessment using OpenVAS and the Metasploit Framework.
With just a few minor changes to this concept, we can further leverage Kali to create other cool and shiny toys as well. In today’s post, we’ll see what it takes to create what we fondly refer to as “The Kali Linux ISO of Doom”.
The idea we had was to build an “unattended self-deploying” instance of Kali Linux that would install itself on a target machine along with a customized configuration requiring no user input whatsoever. On reboot after the installation completes, Kali would automagically connect back to the attacker using a reverse OpenVPN connection. The VPN setup would then allow the attacker to bridge the remote and local networks as well as have access to a full suite of penetration testing tools on the target network.
There could be several uses for such an image:
In the first scenario, you need to perform an internal penetration test in a remote location. Rather than go on-site, you prefer having a penetration testing rig set up in the remote network from which you will be able to conduct the assessment. Traditionally, you would need to send a pre-configured computer to the remote site and wriggle your way into that remote rig in order to complete your work. Thankfully, those days are over. Now you can simply send a self-installing ISO to the remote site, ask them to burn it to CD/USB and boot a remote machine with that media. As the installation is completely unattended, the remote operator will not need to interact with the installation at all. “Set it and forget it”.
The second scenario is rather cool. Consider the following: During a penetration test, you’ve compromised the internal infrastructure of the target organization. By either abusing PXE booting features in the remote network or a “remote iso upload” to a KVM, you automate an unattended installation of Kali including the OpenVPN connect back feature. Once the installation is complete, you’re bridged to the remote network, on their hardware, and able to escalate the external assessment to an internal one, complete with your full suite of tools.
The third scenario consists of a remote hardware backdoor used in a physical penetration test engagement. The “backdoor” would once again be a fully fledged Kali Linux installation running our reverse bridging VPN connection. The hardware could be a small netbook, an android phone, or a small USB powered ARM device. This device is left at the customer site tucked away in a place it won’t be noticed, allowing you to bypass external defenses.
The awesome thing about this project is that once we figured out all of the components we needed to make this image happen, it was easy to “port” the idea to PXE unattended installs (network installs), “live-build” (ISO’s and images), and Kali bootstrap sequences in general (Cellphone images / ARM hardware). This one idea could be implemented in many ways thanks to Kali’s versatility.
But, enough back patting, lets move on to the awesomeness.
We will first set up our OpenVPN server on a Kali Linux box with an external IP address (a.b.c.d). Once that’s done, we’ll build The Kali Linux ISO of Doom on the same machine and make it available for download thorough HTTP. The setup for the OpenVPN server was taken from the WSEC blog. Let’s begin:
Now comes the ISO generation. This is where we will build a custom Kali Linux ISO image with the specific set of tools we need for the engagement. The amazing part about this is how simple it is to accomplish compared to any other penetration testing distribution.
Next we add some chroot hooks to start the openvpn server at boot time:
We will also want to over-ride the default isolinux.cfg and install.cfg file to have Kali Linux boot automatically into an installation:
lastly, we copy over the same preseed.cfg configuration file we used in the PXE unattended installation post, and place it in the config/debian-installer live build directory:
Once everything is ready to go, we build our ISO image of doom:
The Kali Linux ISO of Doom is now ready to be downloaded and installed on the internal target machine. The installation and VPN bridge will occur automatically without any user intervention.
Once the VPN connection is established by the client, we can SSH to our internal Kali Linux agent and complete the final requirement: to bridge the remote and local networks together.
We enable routing to the remote network on the OpenVPN server:
We proceed and turn on IP forwarding along with IP masquerade on the remote Kali agent:
With this complete, our remote target network is now fully accessible to to us. We can any any tools we have to interact with the remote network just as if it was connected as a WAN. All fully automated, and easy to setup. These sorts of customizations to Kali are where the real power lives.
And lastly, a small tribute to Morbo: