Unattended installation with PXE

Kali Linux Unattended PXE Install

Kali Linux

Penetration Testing Scenario No. 1

Our last blog post on the Kali Linux site discussed implementing some cool scenarios with Kali Linux such as remote unattended installations, creating custom Kali Linux ISOs, and getting Kali working on funky ARM hardware.

We received several emails from people asking for more information on how to implement these scenarios, so we thought we’d make a few blog posts with more detailed examples. Today, we will look into preforming customized, unattended PXE network installations of Kali Linux and creating remote “Penetration Testing Kali Agents”.

Getting Started with a PXE Network Install

One of the little-known features of Kali Linux is that it supports unattended installations over a network. This feature allows for easy deployment of custom Kali Linux instances that do not require any manual intervention during the installation process.

Before dealing with unattended installs, you will first want to follow the instructions for a Kali Linux Network PXE Install to get all of the major components ready. Once your PXE server is all configured, you’re ready to move on and get ready to automate your installations.

Preseed and Postseed Script File Setup

Before you start the installation, place a preseed.cfg file on a web server that will be available to the machine you are trying to install. You can use the preseed file shown below as a starting point. In our example, the web server serving the preseed file is located on the same network as the machine being installed, with the IP address: 192.168.101.54.

d-i debian-installer/locale string en_US
d-i console-keymaps-at/keymap select us

d-i mirror/country string enter information manually
d-i mirror/suite string kali
d-i mirror/codename string kali
d-i mirror/http/hostname string archive.kali.org
d-i mirror/http/directory string /kali
d-i mirror/http/proxy string
d-i clock-setup/utc boolean true
d-i time/zone string US/Eastern

# Disable volatile and security
d-i apt-setup/services-select multiselect

# Enable contrib and non-free
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true

d-i partman-auto/method string regular
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto/choose_recipe select atomic
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

# Add our own security mirror
d-i apt-setup/local0/repository string http://archive.kali.org/kali-security kali/updates main
d-i apt-setup/local0/comment string Security updates
d-i apt-setup/local0/source boolean false
d-i apt-setup/use_mirror boolean true

# Upgrade installed packages
tasksel tasksel/first multiselect standard
d-i pkgsel/upgrade select full-upgrade
# Install a limited subset of tools from the Kali Linux repositories
d-i pkgsel/include string openssh-server openvas metasploit-framework metasploit nano

# Change default hostname
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain
d-i netcfg/hostname string kali

# Do not create a normal user account
d-i passwd/make-user boolean false
d-i passwd/root-password password toor
d-i passwd/root-password-again password toor

popularity-contest popularity-contest/participate boolean false
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean false
d-i finish-install/reboot_in_progress note

d-i preseed/late_command string \
    in-target wget http://192.168.101.54/postseed.sh; \
    in-target /bin/bash -x chmod 755 ./postseed.sh; \
    in-target /bin/bash -x ./postseed.sh;

The sample preseed file above will install a limited subset of tools, specifically openssh-server, openvas, metasploit, and nano. You can feel free to change this as needed, adding or removing whatever tools you like. Take particular note of the last section of the preseed file, which allows you to run post installation scripts. In our case, we run an additional post install script, postseed.sh, which is located on the same web root directory as the preseed.cfg file. The postseed.sh script enters an SSH key into the image and makes sure that all our desired services will start at boot time.

#!/bin/bash
mkdir -p /root/.ssh
# Replace "YOUR SSH KEY" with a your ssh public key.
echo "YOUR SSH KEY" > /root/.ssh/authorized_keys
# Disable SSH password authentication
sed 's/#PasswordAuthentication\ yes/PasswordAuthentication\ no/g' /etc/ssh/sshd_config

# Set the admin password of OpenVas to admin123
sed '/add_user/ s|$| -w admin123|' /usr/bin/openvas-setup
/usr/bin/openvas-setup
rm -rf /etc/rc.local

cat << EOF > /etc/rc.local
#!/bin/bash
/etc/init.d/greenbone-security-assistant start
/etc/init.d/openvas-scanner start
/etc/init.d/openvas-administrator start
/etc/init.d/openvas-manager start
# Set msfrpcd to username "metadmin" and password "metpass123" on port 1337
/usr/bin/msfrpcd -S -U metadmin -P metpass123 -p 1337 &

exit 0
EOF

chmod 755 /etc/rc.local

update-rc.d ssh enable
update-rc.d postgresql enable
update-rc.d metasploit enable

Modifying PXE Boot Parameters in txt.cfg

To avoid having to enter the boot parameters for the preseed install on every boot, you can simply edit the /tftpboot/debian-installer/amd64/boot-screens/txt.cfg file to look like the following. Do not forget to update the URL of the preseed file:

default install
label install
    menu label ^Unattended Install
    menu default
    kernel debian-installer/amd64/linux
    append vga=788 initrd=debian-installer/amd64/initrd.gz -- quiet url=http://192.168.101.54/preseed.cfg locale=en_US keymap=us hostname=kali domain=local.lan

Kick Back and Enjoy the Ride!

Boot up the target computer and initiate a PXE boot; the Kali Linux boot prompt should appear before you. Choosing the “Unattended Install” option should start and finish the entire Kali installation without any intervention required.

Previous Post
Kali Linux on a Galaxy Note 10.1
Next Post
Kali Linux ISO of Doom

Related Posts

Menu
X Close

 

Certified Pentesting
Professional

OSCP
course starting at
$800 USD

Take Penetration Testing with Kali Linux to gain invaluable penetration testing skills and earn your OSCP.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSCP

Certified Pentesting
Expert

OSCE
course starting at
$1200 USD

Take Cracking the Perimeter to take your penetration testing skills to expert levels and earn your OSCE.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSCE

 

Certified Pentesting
Web Expert

OSWE
course starting at
$1400 USD

Take Advanced Web Attacks and Exploitation, to deep dive into web apps to earn your OSWE.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSWE

Certified Pentesting
Wireless Professional

OSWP
course starting at
$450 USD

Take Offensive Security Wireless Attacks to acquire knowledge about Wi-Fi attacks and earn your OSWP.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSWP

Certified Exploitation
Expert

OSEE
course starting at
See
Live Schedule

Take Advanced Windows Exploitation to develop exploits for Windows systems and earn your OSEE.

  • Live training course
  • Includes certification exam fee
  • Maximum instructor interaction
  • Highly challenging
  • Become an OSEE