Hello and welcome again!
In this post I will be discussing the following subjects that I took a deep dive into:
- Installation variations
- Configuring Kali Linux’s:
  - Encrypted disk partition
  - APT package management
  - Network interfaces
  - Firewall rules
The Backend of Kali Linux
When I say “backend” of Kali Linux, I mean the workings behind the distribution itself and how the developers had constructed all the essential components. This includes key features such as installing the software, the different types of installations, how packages are downloaded, and different types of package managing services. Before learning all the tools that are packed into Kali – it’s best to take a look at how it is actually built, what features it has to offer when customizing the distro, and more!
Kali is a Linux distribution that is based on Debian. Kali Linux helps security professionals and IT admins conduct advanced pentesting, forensic analysis, and auditing. Kali is a “rolling distribution”, meaning that it updates its packages every single day (crazy!). To download Kali, go to www.kali.org (the only official download site for the Kali ISO). While learning the workings of Kali Linux, I noticed that a lot of people refer to Linux as being an operating system, but it’s actually just a kernel (the center of the OS, where it has complete control over everything on the computer).
Types of Installations:
There are many different ways that we can boot up Kali Linux on our machines which you can find here: Single Boot Kali
- Bootable USB – Your machine boots off a USB stick you provide with the Kali Linux ISO file on it
- Virtual Machine – You can download hypervisor software (VMware or VirtualBox) to run a Kali ISO image while still retaining your normal operating system
- Mobile – Installing Kali Linux on your Android device
- Raspberry Pi – Booting Kali Linux on a Raspberry Pi
Disk Encryption
One configuration that I found to be extremely important when installing Kali Linux is the use of Encrypted Disk Partitions. This is vital to anyone, especially if they often take their machines to public places. If your laptop gets snatched, you may lose the laptop, but the sensitive data on the computer will be encrypted – making it impossible for the thieves to gain access to it. I am not going to get into the detail of how to actually install Kali Linux as that is out of the scope of this blog, but there are tons and tons of people that have already made videos on it.
Configuring the Package Managers
Since Kali Linux’s foundation is built on Debian, we have two different package managers. Dpkg is a tool that both processes and installs packages with the .deb extension. The only issue with this tool is that when a package needs a dependency that is not present at install time, dpkg will list the missing dependency and flag an error. This is where APT (Advanced Package Tool) comes in to address these issues. APT fetches the package to install by looking into the sources.list file, where each entry has two fields that are already populated:
- Source type
- URL of the source
On a fresh Kali install the file looks like this (the cdrom entry is commented out):
```
# deb cdrom:[Debian GNU/Linux 2016.1 _Kali-rolling_ - Official Snapshot amd64 LIVE/INSTALL Binary 20160830-11:29]/ kali-rolling contrib main non-free
deb http://http.kali.org/kali kali-rolling main non-free contrib
```
The source type says whether the entry provides Debian binary or source packages, while the URL of the source points at a Debian mirror – but we can change the URL to a third-party source if we want to. It blew my mind when I was reading how the user can tell Kali where to fetch its packages the next time it needs one (it’s not really that big of a deal, but I thought it was pretty interesting!).
Remember how Kali is a “rolling” distribution? Sometimes updates don’t go so well, and if you have important packages that you do not want updated on your system automatically, you can prioritize which packages to update and retain the older versions of others. APT lets you assign each package version a priority as a specific numerical value, and these priority values decide which versions APT updates and which it keeps. APT will always select the package version with the highest priority unless that version is older than the installed one and its priority is less than 1000.
- Each installed package version has a priority of 100.
- A non-installed version has a default of 500 but can actually jump to 990 if the package is part of a target release.
- You can modify the priorities by adding entries in the /etc/apt/preferences file with the specified packages and their newly assigned priority.
In other words, a package that has a priority of less than 0 will never be installed. A package with a priority ranging between 0 and 100 will only be installed if no other version of the package is already installed. If a priority is between 100 and 500, the package will only be installed if there is no other newer version available/installed in another distribution. A priority between 501 and 990 will only be installed if there is no newer version installed or available in the distribution. For a priority between 990 and 1000, the package will be installed unless the installed version is newer. A package with a priority greater than 1000 will always be installed even if it is an older version. Learning this concept alone seems rather important because the packages that are crucial for your tasks are the ones you may not want to update automatically.
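To make the priority rules above concrete, here is a small added model (not code from the post or from APT itself) that parses /etc/apt/preferences stanzas and picks the version APT would keep or install. The package name, versions and archive names are constructed, only `Pin: release a=<archive>` pins are modelled, and the version ordering is simplified.

```python
from dataclasses import dataclass

@dataclass
class Candidate:
    version: str
    archive: str       # "now" for the installed copy, else the archive name
    installed: bool = False

def vkey(v):
    # Simplified dotted-number ordering; real APT uses dpkg version comparison.
    return tuple(int(x) for x in v.split("."))

def parse_preferences(text):
    """Return [(package, archive, priority)] from Package/Pin/Pin-Priority
    stanzas; only 'Pin: release a=<archive>' pins are modelled."""
    pins = []
    for stanza in text.strip().split("\n\n"):
        f = {k.strip(): v.strip() for k, v in
             (l.split(":", 1) for l in stanza.splitlines() if ":" in l)}
        archive = f["Pin"].split("a=", 1)[1].strip()
        pins.append((f["Package"], archive, int(f["Pin-Priority"])))
    return pins

def priority(pkg, cand, pins):
    """Installed copies default to 100, other versions to 500; a matching pin overrides."""
    for name, archive, prio in pins:
        if name in (pkg, "*") and archive == cand.archive:
            return prio
    return 100 if cand.installed else 500

def select_version(pkg, candidates, pins):
    """Version APT would keep or install: highest priority wins, a version
    pinned below 0 is never chosen, and a downgrade needs priority >= 1000."""
    installed = next((c for c in candidates if c.installed), None)
    scored = [(priority(pkg, c, pins), c) for c in candidates]
    prio, best = max(((p, c) for p, c in scored if p >= 0),
                     key=lambda pc: (pc[0], vkey(pc[1].version)))
    if installed and vkey(best.version) < vkey(installed.version) and prio < 1000:
        return installed.version
    return best.version

# Constructed sample: 6.3 installed, 6.4 in kali-rolling, 6.2 in a third-party archive.
CANDS = [Candidate("6.3", "now", installed=True),
         Candidate("6.4", "kali-rolling"), Candidate("6.2", "vendor")]
HOLD = "Package: examplepkg\nPin: release a=kali-rolling\nPin-Priority: 50\n"
FORCE = "Package: examplepkg\nPin: release a=vendor\nPin-Priority: 1001\n"

if __name__ == "__main__":
    for pins in ([], parse_preferences(HOLD), parse_preferences(FORCE)):
        print(select_version("examplepkg", CANDS, pins))  # 6.4, 6.3, 6.2
```

With no pins the newer 6.4 wins; a pin of 50 keeps the installed 6.3 because a priority below 100 never replaces an installed version; a pin of 1001 forces the downgrade to 6.2, which a pin of 700 would not.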
Configuring Network Interfaces
We can always use a GUI to enable and disable network interfaces, but what I have quickly learned is that the command-line tool is much more powerful, and not all devices have a GUI. Debian already has the ifupdown package installed. This package is a method to configure network interfaces from a higher-level perspective. We can configure the following:
- Enable or disable a network interface on the computer using the ifup/ifdown commands
- Statically assign an IP address to an interface
- Use DHCP to configure the interface
- Configure wireless interfaces
If you would like to learn more about the ifupdown package I suggest reading this page about it:
Debian GNU/Linux Reference Guide
Configuring Firewalls/Packet Filters
Firewalls are either a standalone device or software that filters packets on a network. We can configure a firewall by using the iptables package that is provided by Debian. This package is extremely flexible and is a very important package to learn how to configure. iptables uses ‘chains’ to organize firewall rules. A chain is an ordered list of rules, each of which matches a set of packets, and the rules inside a chain are processed in order. There are three default chains defined in the iptables package:
- INPUT – This chain checks incoming packets destined for the local machine. For example, if you knew a particular IP you did not want any incoming traffic from, you can tell the firewall to block any messages coming from there.
- FORWARD – This chain is similar to INPUT, but the difference is that it handles traffic that is coming into the machine but is not intended to be delivered to the local machine. For example, a router that takes in traffic and delivers it to the specified machine on the network is forwarding. Any traffic that is specifically intended for the router itself is INPUT.
- OUTPUT – This chain is the opposite of INPUT and handles any traffic that is leaving the machine. For example, if you wanted to filter the type of data that can leave your network, then you would put rules into the OUTPUT chain.
We now specify the action we want the firewall to perform when encountering certain packets:
- Allow – Allows the connection
- Drop – Drops or declines the connection/packet – this is important to use when you don’t want other people to know that your system exists
- Reject – Also drops the connection, but sends an error back to the source of the packet
From the description above, the firewall takes every packet it encounters and matches it against the rules of the proper chain. But what happens if no rule in that chain matches the packet? This is where we set the default behavior (the policy) of the three chains.
```
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
```
The example above (which you should not do in practice) defaults the input, output, and forward traffic to all be dropped if it does not match any of your existing rules (your default behavior).
Side note: If you wanted to access the configuration file for iptables, it’s located in: /etc/sysconfig/iptables
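To show how a chain walks its rules in order and falls back to the policy only when nothing matches, here is an added model in Python (not code from the post or from iptables). The packets, the blocked address and the rule set are constructed for illustration; it contrasts the bare DROP policy above with an INPUT chain that still accepts loopback, established replies and SSH.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dport: int
    iface: str = "eth0"
    state: str = "NEW"     # NEW or ESTABLISHED, as connection tracking labels it

@dataclass
class Rule:
    """One rule in a chain; a None field means 'match anything' for that attribute."""
    target: str            # ACCEPT, DROP or REJECT
    src: str = None
    iface: str = None
    dport: int = None
    state: str = None

    def matches(self, p):
        wanted = [(self.src, p.src), (self.iface, p.iface),
                  (self.dport, p.dport), (self.state, p.state)]
        return all(w is None or w == got for w, got in wanted)

@dataclass
class Chain:
    policy: str            # the --policy default, used only when no rule matches
    rules: list = field(default_factory=list)

    def verdict(self, p):
        for r in self.rules:          # rules are checked in order; first match wins
            if r.matches(p):
                return r.target
        return self.policy

# The post's bare "--policy INPUT DROP" with no rules: everything is dropped,
# including loopback traffic and replies to connections the host started.
BARE_INPUT = Chain("DROP")

# A default-deny INPUT chain that keeps the machine usable: loopback, replies
# to our own connections and SSH are accepted; one constructed address is
# dropped before the SSH rule so that ordering, not just matching, decides.
INPUT = Chain("DROP", [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", state="ESTABLISHED"),
    Rule("DROP", src="203.0.113.7"),
    Rule("ACCEPT", dport=22, state="NEW"),
])

def verdicts(chain, packets):
    return [chain.verdict(p) for p in packets]
```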
Conclusion
This week I went into the rabbit-hole of the configurations of Kali Linux. I found that this is extremely important to get familiar with considering I will be using this tool frequently. Understanding the framework and what features the system has to offer is more beneficial than just jumping in and learning the tools within Kali. Getting more familiar with the configurations of Kali helped me understand the distribution down to the kernel itself. I will say I am definitely not an expert at configuring Kali Linux the way I want it to be, but I can say I am another step closer to the learning process. I highly recommend you read the book Kali Linux Revealed: Mastering the Penetration Testing Distribution by Raphaël Hertzog, Jim O’Gorman, and Mati Aharoni, as it literally reveals the inner workings of Kali Linux.
Thanks again and I will catch you all next week!
Peter