Customising Kali Linux for Fun and Profit

Kali Linux is a Linux distribution designed for use by penetration testers and information security professionals/enthusiasts. I’ve been using it since it was known as BackTrack Linux. In that time, I’ve gathered my own collection of customisations to enhance the functionality of Kali. This article describes my standard changes and additions, which I hope other cybersecurity enthusiasts will find useful.

Screenshot of my customised Kali Linux XFCE environment.

Base System

First of all, you’ll need an installation of Kali Linux if you don’t already have one. These notes have been written for Kali 2018.1 but should apply equally well to future versions.

My choice of ‘spin’ is the 64-bit XFCE version. I’ve never liked KDE and went off GNOME after all the design shenanigans in version 3, so I tend to use XFCE now. You can use the KDE or GNOME spins though; it’s largely a cosmetic preference.

Download Kali from here and install it on your dedicated pen-test machine/partition or a virtual machine.

Dotfiles

In the UNIX/Linux world, dotfiles are configuration files for applications and shells that are stored in user home directories. They determine how the environment will look and function. I keep my dotfiles under version control (GitHub), which gives some significant benefits such as portability of personal settings between machines, backups of configuration, etc.

If you have your own collection of dotfiles, install them now. If you don’t, check out my dotfiles on GitHub and consider starting your own collection. It’s a super useful idea. Either way, at this point open a root terminal in Kali and install these common packages that my dotfiles include:

apt-get install htop zsh git dos2unix nano mutt urlview screen tmux terminator

Visual Customisations

At this point, I usually make various tweaks to the XFCE desktop environment – changing colours, fonts, icons, docks – but that will be left as an exercise to the reader. You can take some inspiration from the screenshot above.

A Note on Terminator

Terminator is a Linux terminal emulator that presents multiple resizable terminals in a single window. I suppose it’s a bit like screen or tmux except designed for use within an X Windows GUI. It also supports command ‘macros’ that can be executed from a right-click menu. My dotfiles include various pen-test related Terminator macros - I find it’s a good timesaver. If you’re not familiar with Terminator, you just installed it above, so go check it out!

Terminator terminal emulator in action showing the macros submenu structure.

Update & Install Packages

OK, so now let’s get down to business. First, update the new installation to the latest patches:

apt-get update && apt-get --assume-yes upgrade

Next, I install the kali-linux-all package. This contains pretty much every Kali-specific security tool. It will take up a few gigabytes of disk space and take a while to download. It’s worthwhile though to ensure you don’t find yourself missing a tool when working somewhere with no (or slow) Internet access. Run the following command in the terminal:

apt-get --assume-yes install kali-linux-all && apt-get autoclean && apt-get autoremove

Virtual Machines

If you’re using a virtualised environment, install Open VM Tools to support file drag & drop, resizing of windows, etc. with this command:

apt-get install open-vm-tools-desktop fuse

I don’t recommend manually installing VMware Tools with Kali if you are using VMware; just use Open VM Tools.

At this point (on a virtual machine), I usually disable the XFCE automatic screenlock via the XFCE Power Manager interface.

More Packages

Over and above the extra packages installed by the kali-linux-all group, I also install the following packages. These are more general tools like system administration tools which come from the upstream Debian repositories rather than the Kali specific ones. This is basically a list of extras that I have picked up over time from CTFs and challenges like OSCP. Run the following in a root terminal:

apt-get --assume-yes install xfce4-* libimage-exiftool-perl steghide nfs-common open-iscsi stegosuite nautilus python-pyftpdlib crackmapexec libssl-dev gcc-multilib finger rsh-client jxplorer sipcalc python-mechanize python-levenshtein python-adns msgpack-python python-metaconfig python-bs4 python-easygui g++-multilib libcurl4-openssl-dev libpcre3-dev libssh-dev iptraf-ng lftp filezilla filezilla-common font-manager geary thunderbird putty putty-doc krb5-user cifs-utils rdate

Firefox Plugins

There are a number of useful security related plugins for Firefox which are not installed by default. Again, these are just my personal preferences based on previous activities – feel free to add your own.

Start Firefox and install the following plugins:

  • Tamper Data
  • Tamper Data Icon Redux
  • Cookies Manager+
  • FoxyProxy 4.6.5
  • HackBar
  • HttpRequester
  • Live HTTP Headers

A selection of security-related Firefox plugins for Kali Linux.

OpenVAS Initialisation

OpenVAS is an open source vulnerability scanner similar to Nessus or Nexpose. I’m not a big user of it but it does occasionally come in handy.

Run the OpenVAS Initial Setup script from the Kali applications menu. When it’s finished, start Firefox and bookmark the local URL for OpenVAS on the bookmarks bar. Save the login password you created during the initial setup in Firefox.

Performing the OpenVAS initial setup in Kali.

Veil Framework Initialisation

Veil Framework is a tool designed to generate Metasploit payloads which bypass common anti-virus scanners.

Start the Veil Framework for the first time from the Kali Applications menu. This will take a little while as various Windows support files are installed.

MSF Database Initialisation

The Metasploit Framework can use a database backend for storing project data. In Kali this needs to be initialised before use by running the following commands as root:

update-rc.d postgresql enable
service postgresql start
msfdb init

Windows Tools

Kali includes a number of useful Windows security tools. Quite a few of these live in /usr/share/windows-binaries/ but there are some others scattered around. I create some symlinks to centralise everything in the windows-binaries directory with the following commands:

ln -s /usr/share/mimikatz/ /usr/share/windows-binaries/mimikatz
ln -s /usr/share/regripper/ /usr/share/windows-binaries/regripper
ln -s /usr/share/tftpd32/ /usr/share/windows-binaries/tftpd32
ln -s /usr/share/ncat-w32/ /usr/share/windows-binaries/ncat-w32
ln -s /usr/share/http-tunnel/exe/ /usr/share/windows-binaries/http-tunnel
ln -s /usr/share/windows-binaries/wce /usr/share/wce

I also download a variety of 3rd party Windows binaries and installers. These tools are generally associated with Windows privilege escalation, forensics or pivoting activities. Download and unpack the tools with the following commands (you can copy and paste the whole thing in to the terminal in one go):

cd /usr/share/windows-binaries/
wget https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe
wget https://the.earth.li/~sgtatham/putty/latest/w32/pscp.exe
wget https://the.earth.li/~sgtatham/putty/latest/w32/puttytel.exe
wget https://the.earth.li/~sgtatham/putty/latest/w32/plink.exe
wget https://the.earth.li/~sgtatham/putty/latest/w32/pageant.exe
wget https://the.earth.li/~sgtatham/putty/latest/w32/puttygen.exe
wget -O Firefox_Setup_58.0.1.exe https://download-installer.cdn.mozilla.net/pub/firefox/releases/58.0.1/win32/en-GB/Firefox%20Setup%2058.0.1.exe
wget https://www.python.org/ftp/python/2.7.14/python-2.7.14.msi
wget https://nmap.org/dist/nmap-7.60-setup.exe
wget https://www.winpcap.org/windump/install/bin/windump_3_9_5/WinDump.exe
wget https://www.winpcap.org/install/bin/WinPcap_4_1_3.exe
wget https://download.filezilla-project.org/client/FileZilla_3.30.0_win32-setup_bundled.exe
wget https://github.com/PowerShell/Win32-OpenSSH/releases/download/v1.0.0.0/OpenSSH-Win32.zip
unzip OpenSSH-Win32.zip
wget https://github.com/PowerShell/Win32-OpenSSH/releases/download/v1.0.0.0/OpenSSH-Win64.zip
unzip OpenSSH-Win64.zip
unzip Hyperion-*.zip
wget https://download.sysinternals.com/files/PSTools.zip
mkdir pstools
unzip PSTools.zip -d pstools
wget https://download.sysinternals.com/files/SysinternalsSuite.zip
mkdir sysinternals
unzip SysinternalsSuite.zip -d sysinternals
wget https://xorcat.net/assets/other/Accesschk.zip
mkdir accesschk-old
unzip Accesschk.zip -d accesschk-old
wget https://pastebn.com/raw/sUuqBGHk -O jollyfrog.bat
wget --header="Accept: text/html" --referer www.nirsoft.net --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0" https://download.nirsoft.net/nirsoft_package_enc_1.20.33.zip
unzip -P "nirsoft9876$" nirsoft_package_enc_1.20.33.zip
wget -O OpenSSH-Win32-v7.6.0.0p1-Beta.zip https://github.com/PowerShell/Win32-OpenSSH/releases/download/v7.6.0.0p1-Beta/OpenSSH-Win32.zip
unzip OpenSSH-Win32-v7.6.0.0p1-Beta.zip -d OpenSSH-Win32-v7.6.0.0p1-Beta

The various Windows security tools in Kali.

Wordlists

Wordlists are useful for identifying weak password use. Kali includes a handful of these lists as standard but I like to have a larger selection on hand. These lists will take up an extra ~1GB of storage when unpacked.

Download and unpack additional wordlists with the following commands:

cd /usr/share/wordlists
gunzip rockyou.txt.gz
wget http://downloads.skullsecurity.org/passwords/john.txt.bz2 && bunzip2 john.txt.bz2
wget http://downloads.skullsecurity.org/passwords/cain.txt.bz2 && bunzip2 cain.txt.bz2
wget http://downloads.skullsecurity.org/passwords/conficker.txt.bz2 && bunzip2 conficker.txt.bz2
wget http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt.bz2 && bunzip2 500-worst-passwords.txt.bz2
wget http://downloads.skullsecurity.org/passwords/twitter-banned.txt.bz2 && bunzip2 twitter-banned.txt.bz2
wget http://downloads.skullsecurity.org/passwords/phpbb.txt.bz2 && bunzip2 phpbb.txt.bz2
wget http://downloads.skullsecurity.org/passwords/myspace.txt.bz2 && bunzip2 myspace.txt.bz2
wget http://downloads.skullsecurity.org/passwords/hotmail.txt.bz2 && bunzip2 hotmail.txt.bz2
wget http://downloads.skullsecurity.org/passwords/faithwriters.txt.bz2 && bunzip2 faithwriters.txt.bz2
wget http://downloads.skullsecurity.org/passwords/elitehacker.txt.bz2 && bunzip2 elitehacker.txt.bz2
wget http://downloads.skullsecurity.org/passwords/hak5.txt.bz2 && bunzip2 hak5.txt.bz2
wget http://downloads.skullsecurity.org/passwords/alypaa.txt.bz2 && bunzip2 alypaa.txt.bz2
wget http://downloads.skullsecurity.org/passwords/tuscl.txt.bz2 && bunzip2 tuscl.txt.bz2
wget http://downloads.skullsecurity.org/passwords/facebook-phished.txt.bz2 && bunzip2 facebook-phished.txt.bz2
wget http://downloads.skullsecurity.org/passwords/carders.cc.txt.bz2 && bunzip2 carders.cc.txt.bz2
wget http://downloads.skullsecurity.org/passwords/singles.org.txt.bz2 && bunzip2 singles.org.txt.bz2
wget http://downloads.skullsecurity.org/passwords/english.txt.bz2 && bunzip2 english.txt.bz2
wget http://downloads.skullsecurity.org/passwords/german.txt.bz2 && bunzip2 german.txt.bz2
wget http://downloads.skullsecurity.org/passwords/us_cities.txt.bz2 && bunzip2 us_cities.txt.bz2
wget http://downloads.skullsecurity.org/passwords/honeynet.txt.bz2 && bunzip2 honeynet.txt.bz2
wget http://downloads.skullsecurity.org/passwords/file-locations.txt.bz2 && bunzip2 file-locations.txt.bz2
wget http://downloads.skullsecurity.org/passwords/fuzzing-strings.txt.bz2 && bunzip2 fuzzing-strings.txt.bz2
wget http://downloads.skullsecurity.org/passwords/phpmyadmin-locations.txt.bz2 && bunzip2 phpmyadmin-locations.txt.bz2
wget http://downloads.skullsecurity.org/passwords/web-extensions.txt.bz2 && bunzip2 web-extensions.txt.bz2
wget http://downloads.skullsecurity.org/passwords/web-mutations.txt.bz2 && bunzip2 web-mutations.txt.bz2
wget https://crackstation.net/files/crackstation-human-only.txt.gz && gunzip crackstation-human-only.txt.gz
wget https://github.com/berzerk0/Probable-Wordlists/raw/master/Real-Passwords/Top12Thousand-probable-v2.txt
wget https://github.com/berzerk0/Probable-Wordlists/raw/master/Real-Passwords/Top1575-probable-v2.txt
wget https://github.com/berzerk0/Probable-Wordlists/raw/master/Real-Passwords/Top207-probable-v2.txt
wget https://github.com/berzerk0/Probable-Wordlists/raw/master/Real-Passwords/Top304Thousand-probable-v2.txt
ln -s /usr/share/seclists/ /usr/share/wordlists/seclists

Rainbow tables are also a useful tool in this area, but due to their size I store mine outside of Kali. If you don’t have any, check out the Ophcrack tables page.
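
The Windows Tools and Wordlists downloads above pull unversioned ("latest") binaries and plain-HTTP archives with no integrity check. The sketch below is an added example, not part of the original article: it records a SHA-256 manifest right after download and later reports any file that is missing, changed or new. The manifest name, the function names and the demo files are assumptions made for the example.

```sh
# Added example: trust-on-first-use SHA-256 manifest for a download directory.
# MANIFEST and all function names are assumptions; newlines in paths unsupported.
MANIFEST=".sha256-manifest"

# Regular files under the current directory, manifest excluded, stable order.
list_files() {
    find . -type f ! -name "$MANIFEST*" | LC_ALL=C sort
}

# Run once, right after downloading: hash every file under directory $1.
record_manifest() {
    ( cd "$1" || exit 1
      list_files | while IFS= read -r f; do sha256sum "$f"; done > "$MANIFEST.tmp" &&
          mv "$MANIFEST.tmp" "$MANIFEST" )
}

# Print one finding per line: MISSING, CHANGED or NEW, followed by the path.
audit_manifest() {
    ( cd "$1" || exit 2
      [ -f "$MANIFEST" ] || { echo "NO-MANIFEST"; exit 0; }
      while IFS= read -r line; do
          want=${line%% *}; f=${line#*  }   # line is "<64 hex>  <path>"
          if [ ! -f "$f" ]; then
              echo "MISSING $f"
          else
              got=$(sha256sum "$f"); got=${got%% *}
              [ "$got" = "$want" ] || echo "CHANGED $f"
          fi
      done < "$MANIFEST"
      list_files | while IFS= read -r f; do   # files the manifest has never seen
          cut -c67- "$MANIFEST" | grep -Fxq -- "$f" || echo "NEW $f"
      done )
}

# Succeeds only when directory $1 matches its manifest exactly.
verify_manifest() {
    findings=$(audit_manifest "$1") || return 2
    [ -z "$findings" ] || { printf '%s\n' "$findings" >&2; return 1; }
}

# Constructed demo: stand-in files in a temp directory, not real downloads.
demo() {
    d=$(mktemp -d)
    printf 'build A\n' > "$d/plink.exe"; printf '123456\n' > "$d/john.txt"
    record_manifest "$d"
    printf 'build B\n' > "$d/plink.exe"   # the "latest" URL now serves other bytes
    printf 'x\n' > "$d/dropped.bat"; rm "$d/john.txt"   # one appears, one vanishes
    audit_manifest "$d"; rm -rf "$d"
}
```

Run record_manifest /usr/share/windows-binaries once after the downloads, then verify_manifest on the same directory before relying on a tool from it. A manifest taken this way only detects later changes; where the publisher offers checksums or signatures, compare against those at download time.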

Other Tools

There are some Linux based security tools which are not included in the Kali distribution, perhaps because they are quite new or a bit obscure. I download these extra tools to the /opt directory with the following commands:

cd /opt
wget http://www.securitysift.com/download/linuxprivchecker.py
git clone https://github.com/rasta-mouse/Sherlock
git clone https://github.com/HarmJ0y/PowerUp
git clone https://github.com/PowerShellMafia/PowerSploit
git clone https://github.com/samratashok/nishang.git
git clone https://github.com/rebootuser/LinEnum
git clone https://github.com/Arr0way/linux-local-enumeration-script
git clone https://github.com/InteliSecureLabs/Linux_Exploit_Suggester
git clone https://github.com/pentestmonkey/unix-privesc-check
git clone https://github.com/mthbernardes/rsg
git clone https://github.com/EmpireProject/Empire
git clone https://github.com/zed-0xff/zsteg.git
git clone https://github.com/galkan/crowbar.git
git clone https://github.com/droope/droopescan.git
git clone https://github.com/kurobeats/fimap.git
git clone https://github.com/NetDirect/nfsshell
git clone https://github.com/adaywithtape/stegbrute
git clone https://github.com/Veil-Framework/Veil-Evasion
git clone https://github.com/trustedsec/unicorn
git clone https://github.com/maurosoria/dirsearch
git clone https://github.com/danielmiessler/SecLists.git
git clone https://github.com/P0cL4bs/Kadimus.git
git clone https://github.com/sshuttle/sshuttle
git clone https://github.com/inquisb/icmpsh
git clone https://github.com/BADC0D3/WindowsExploits
git clone https://github.com/superkojiman/onetwopunch
git clone https://github.com/laramies/theHarvester
git clone https://github.com/byt3bl33d3r/pth-toolkit
git clone https://github.com/lucyoa/kernel-exploits
git clone https://github.com/SecWiki/linux-kernel-exploits
git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester
git clone https://github.com/PowerShell/Win32-OpenSSH/

Eagle-eyed readers will notice a couple of tools in the above list which are included in Kali. There are reasons for this – usually the GitHub versions have more features or have important bugfixes that have not found their way to Kali (yet).

PHPInfo Script

The /usr/share/webshells/ directory in Kali has a number of useful web server shell scripts. Something that is not present, and that I got tired of typing out, is a simple “phpinfo()” script. Such a script can be prepared with the following command:

echo "<html><body><p>PHP INFO PAGE</p><br /><?php phpinfo(); ?></body></html>" > /usr/share/webshells/php/php-info.php

Wine PyInstaller

PyInstaller is a handy tool to “compile” Python scripts (e.g., exploit code) to a standalone executable file. Often, I’ll use a dedicated Windows virtual machine for making such files, but it is useful to have PyInstaller configured within Kali via Wine for convenience.

Download and install Python and PyInstaller inside Wine with the following commands (there will likely be a newer version of Python available by the time you read this):

cd /root
wget https://www.python.org/ftp/python/2.7.14/python-2.7.14.msi
wine msiexec /i python-2.7.14.msi /passive /norestart
mv python-2.7.14.msi /usr/share/windows-binaries
cd /root/.wine/drive_c/Python27
wget https://bootstrap.pypa.io/get-pip.py
wine python.exe get-pip.py
cd ./Scripts
wine pip.exe install pyinstaller
cd /root

Python scripts can then be “compiled” to EXEs inside Kali using commands such as wine pyinstaller --onefile exploit.py. Occasionally with more complex Python scripts this doesn’t work properly and must be done inside Windows, but it’s still a good day-to-day timesaver.

More Information

I keep all of these steps documented here in a Markdown file on GitHub. The version on GitHub is maintained and up to date, so if you are reading this a long time after I published this article, you may want to go there for the latest version. If you have any suggestions for other tools/changes, by all means get in touch and let me know.
