Things you need to know about Kali Linux Image

To run Kali Linux Live from a USB drive on a standard Windows or Apple computer, you'll need a bootable Kali Linux ISO image, in 32-bit or 64-bit format.

ISO files for Intel-based computers

If you are unsure of the architecture of the system you want to run Kali on (on Linux or OS X), run the following command at the command line:

 uname -m

If the response is "x86_64", use the 64-bit ISO image (the file name contains "amd64"). If the response is "i386", use the 32-bit image (the file name contains "i386"). On Windows, check your computer's System Information (or the laptop's specification sheet) to see whether it is running Windows x86 or x64.

The Kali Linux image is available as a '.iso' / '.img' file that can be downloaded directly or via a '.torrent' file.


Building your own Kali Linux ISO, standard or custom, is a very simple process.

VMware Image


If you want to run Kali Linux as a 'guest' under VMware, Kali is available as a pre-built VMware virtual machine with VMware Tools already installed. The VMware image is available in 64-bit (amd64), 32-bit (i686) and 32-bit PAE (i486) formats.

ARM Image


The hardware architecture of ARM-based devices varies significantly, so there cannot be a single image that works on all of them. Kali Linux images for the ARM architecture are available for many types of devices.

The script to build your own ARM Image is also available on GitHub.

Verifying the downloaded Kali image

Why is this necessary?

Before you run Kali Linux Live, or install it on your hard drive, you need to make sure that what you have is actually Kali Linux and not an impostor. Kali Linux is a professional penetration testing toolset, and for a professional tool the integrity of the tools is essential: if the tools are not trustworthy, the test results will not be worth trusting either.

Furthermore, because it is a leading penetration test distribution, a fake version of Kali Linux can have a tremendous impact if it is accidentally deployed. There are many people who have accidentally installed a fake Kali Linux version and you certainly don't want to be among them.

Avoiding this is simple:

  1. Download Kali Linux only from the official website https://www.kali.org/downloads or https://www.offensive-security.com/kali-linux-vmware-arm-image-download/ . These pages are only served over an SSL-encrypted connection, which makes it much harder for an attacker to modify the download with a man-in-the-middle attack.
  2. After downloading and before running an image, verify it with one of the procedures described below.

There are several methods to verify your download. Each method provides a certain level of assurance and requires a corresponding user effort.

  1. Download an ISO image from the official Kali Linux download page, calculate its SHA256 checksum and compare it with the value listed on the Kali Linux website. This is quick and easy, but it is vulnerable to DNS poisoning: an attacker could somehow redirect you to a fake copy of the official Kali Linux website that serves a malicious image together with a matching SHA256 value.
  2. Download the ISO image via torrent, which also pulls down a file containing the SHA256 checksum of the ISO. Use the shasum command (on Linux and OS X) or a utility (on Windows) to automatically check that the calculated checksum of the ISO matches the one in the secondary file. This is even easier than the "manual" method, but has the same weakness: if the torrent you pulled down is not really Kali Linux, it will give you a fake checksum as well.
  3. To be certain that what you downloaded is Kali Linux, download both the checksum file and a version of the same file signed with the official Kali Linux private key, and use GNU Privacy Guard (GPG) to, first, verify that the calculated SHA256 checksum matches the one in the text file and, second, verify that the file containing the SHA256 checksums was correctly signed with the official key.

If you use this more complex process and the downloaded ISO verifies successfully, you can be confident that what you have is an official image that has not been tampered with in any way. This method, though the most complex, has the advantage of providing assurance of image integrity that is independent of the download site. The only thing that could make this method fail is if the official Kali Linux private key were compromised by an attacker.

What do you need to do?

  1. If you are running Linux, you probably already have GPG (GNU Privacy Guard) installed. If you are using Windows or OS X, you need to install the appropriate version for your platform.
  2. If you are using a Windows PC, download and install Gpg4win: https://www.gpg4win.org/download.html
  3. If you are using a Macintosh running OS X, download and install GPGTools: https://gpgtools.org/

Since Windows cannot calculate a SHA256 checksum out of the box, you will also need a utility like Microsoft File Checksum Integrity Verifier or HashTab to verify your download.

  4. After installing GPG, download and import the official Kali Linux key with the following command:

 $ wget -q -O - https://www.kali.org/archive-key.asc | gpg --import

or this command:

 $ gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6

  5. You will see output like this:

 gpg: key 7D8D0BF6: public key "Kali Linux Repository" imported
 gpg: Total number processed: 1
 gpg: imported: 1 (RSA: 1)

  6. Verify that the key was installed correctly with the command:

 gpg --fingerprint 7D8D0BF6

  7. The result will be as follows:

 pub rsa4096 2012-03-05 [SC] [expires: 2021-02-03]
 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
 uid [full] Kali Linux Repository
 sub rsa4096 2012-03-05 [E] [expires: 2021-02-03]

You are now set up to authenticate your Kali Linux download.

How do I verify downloaded images?

Manually verify the checksum of the ISO (direct download)

If you downloaded the ISO directly from the download page, verify it with the following procedure.

On Linux or OS X, you can calculate the SHA256 checksum of the ISO image you downloaded with the following command (assuming the ISO image is named "kali-linux-2016.2-amd64.iso" and is in the current directory):

 shasum -a 256 kali-linux-2016.2-amd64.iso

The output looks like this:

 1d90432e6d5c6f40dfe9589d9d0450a53b0add9a55f71371d601a5d454fa0431 kali-linux-2016.2-amd64.iso

The resulting SHA256 checksum, '1d90432e6d5c6f40dfe9589d9d0450a53b0add9a55f71371d601a5d454fa0431', should match the value shown in the 'sha256sum' column on the official download page for the Kali Linux 2016.2 Intel 64-bit ISO image.

Verify the ISO using the attached checksum file (torrent download)

If you downloaded a copy of the Kali Linux ISO image via torrent, then in addition to the ISO file (e.g. kali-linux-2016.2-amd64.iso) there will be a second file containing the SHA256 checksum calculated for the ISO, with the extension '.txt.sha256sum' (e.g. kali-linux-2016.2-amd64.txt.sha256sum). You can use this file to verify the download on Linux or OS X with the following command:

 grep kali-linux-2016.2-amd64.iso kali-linux-2016.2-amd64.txt.sha256sum | shasum -a 256 -c

If the image verifies successfully, the response will be:

 kali-linux-2016.2-amd64.iso: OK

IMPORTANT NOTE! If you cannot verify the authenticity of the downloaded Kali Linux image as described in the previous section, DO NOT use it! Using it can jeopardize your system, any network you connect to, and other systems on that network. Stop and make sure you have downloaded the official Kali Linux image.

Verify ISO using SHA256SUMS file

This is a more complicated procedure, but it provides a much stronger level of validation: it does not depend on the integrity of the site you downloaded the image from, only on the official Kali Linux development key, which you install independently. To verify your image this way for the Intel architecture version of Kali, you will need to download three files from the Kali "Live CD Image" page for the current release (v2016.2 at the time of writing):

  1. The ISO image itself (e.g. kali-linux-2016.2-amd64.iso)
  2. The file containing the SHA256 checksums calculated for the ISOs, SHA256SUMS
  3. The signed version of that file, SHA256SUMS.gpg

Before verifying the checksum of the image, you must ensure that the SHA256SUMS file was really created by Kali. That is why the file is signed with the official Kali key, with the detached signature in SHA256SUMS.gpg. If you have not already done so, download Kali's official key and import it into your keyring with this command:

 $ wget -q -O - https://www.kali.org/archive-key.asc | gpg --import

or this command:

 $ gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6

The output will look like this:

 gpg: key 7D8D0BF6: public key "Kali Linux Repository" imported
 gpg: Total number processed: 1
 gpg: imported: 1 (RSA: 1)

You should verify that the key was installed correctly with the command:

 gpg --fingerprint 7D8D0BF6

The result will be as follows:

 pub rsa4096 2012-03-05 [SC] [expires: 2021-02-03]
 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
 uid [full] Kali Linux Repository
 sub rsa4096 2012-03-05 [E] [expires: 2021-02-03]

Once you have downloaded both SHA256SUMS and SHA256SUMS.gpg, you can verify the signature as follows:

 $ gpg --verify SHA256SUMS.gpg SHA256SUMS
 gpg: Signature made Thu 16 Mar 08:45:45 2017 MDT using RSA key ID 7D8D0BF6
 gpg: Good signature from "Kali Linux Repository"

  1. If you do not receive a "Good signature" message, or if the key ID does not match, stop and review the download. A failed verification indicates that the image may have been tampered with.
  2. If you received a "Good signature" response, you can be confident that the checksums in the SHA256SUMS file were really provided by the Kali Linux development team. All that remains to complete verification is to check that the checksum of the ISO you downloaded matches the one in the SHA256SUMS file. You can do that on Linux or OS X with the following command (assuming the ISO is named "kali-linux-2016.2-amd64.iso" and is in the current directory):

 grep kali-linux-2016.2-amd64.iso SHA256SUMS | shasum -a 256 -c

If the image verifies successfully, the response will be:

 kali-linux-2016.2-amd64.iso: OK

If you do not receive an 'OK' response, stop and review the download, because the Kali image you downloaded appears to have been tampered with. Do not use it.
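The two checks just described (signature on SHA256SUMS first, then the checksum of the ISO), as an added shell example that is not part of the original article and not Kali's own tooling. It assumes the Kali archive key has already been imported as shown above, that SHA256SUMS and SHA256SUMS.gpg sit beside the ISO, and the key fingerprint printed by gpg --fingerprint earlier on the page; the same checksum function also handles the .txt.sha256sum file from a torrent download, since that file uses the same format.

```shell
#!/bin/sh
# Added example, not Kali's own script: automate the article's two-step check.
# Assumes the Kali archive key is already imported (see gpg --import above).

sha256_of() {
  # Print the SHA256 hex digest of file "$1" (GNU coreutils or BSD/macOS).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

expected_sum() {
  # Print the digest recorded for file name "$2" in checksum file "$1".
  # Match the whole name (with or without the '*' binary-mode marker), so a
  # lookup for foo.iso cannot be satisfied by a foo.iso.torrent line.
  awk -v name="$2" '$2 == name || $2 == "*" name { print $1; exit }' "$1"
}

check_iso() {
  # Article step 2: the ISO's digest must equal its SHA256SUMS entry.
  # Also works with the .txt.sha256sum file that comes with the torrent.
  # Returns 0 on match, 1 on mismatch or when the ISO is not listed.
  iso=$1; sums=$2
  want=$(expected_sum "$sums" "$(basename "$iso")")
  [ -n "$want" ] || { echo "no entry for $(basename "$iso") in $sums" >&2; return 1; }
  got=$(sha256_of "$iso")
  [ "$got" = "$want" ]
}

check_signature() {
  # Article step 1: SHA256SUMS must carry a valid signature from the Kali key.
  # "Good signature" alone is not enough (any key in your keyring would give
  # it), so require gpg's machine-readable VALIDSIG line to name the full
  # fingerprint that gpg --fingerprint 7D8D0BF6 shows earlier on the page.
  sums=$1; sig=$2
  fpr=44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
  gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null |
    grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

verify_kali_iso() {
  # Full procedure: trust the checksum list only after its signature checks out.
  # Usage: verify_kali_iso kali-linux-2016.2-amd64.iso SHA256SUMS SHA256SUMS.gpg
  check_signature "$2" "$3" && check_iso "$1" "$2"
}
```

Exit status 0 from verify_kali_iso means both checks passed; anything else means stop and review the download, exactly as the article says.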

After downloading and verifying your image, you can proceed to create a USB drive that Kali Linux Live can boot.
