Summary from the Kali Linux Guide by OnWorks

Skip to content

10.4. Summary‌

Kali Linux scales beyond the desktop to medium or large scale deployments and even to the en- terprise level. In this chapter, we covered how to centralize management of multiple Kali instal- lations with SaltStack, allowing you to quickly deploy highly secure Kali systems preconfigured for your specific needs. We also revealed how you can keep them synchronized thanks to Kali’s (semi-automatic) installation of package updates.

We discussed package forking, which allows you to create your own customized distributable source packages.

In summary, let’s review the major steps required to establish Salt masters and minions, which allow you remote control and configuration of remote hosts.

Summary Tips:

• Boot machine from the network with PXE, with at least a TFTP file server, a DHCP/BOOTP server (and a web server for debconf preseeding). dnsmasq handles both DHCP and TFTP, and the apache2 web server comes pre-installed (but disabled) on Kali.

• The Debian installation manual covers the setup of isc-dhcp-server and tftpd-hpa for PXE boot- ing:

➨ https://www.debian.org/releases/stable/amd64/ch04s05.html

• dnsmasq is configured through /etc/dnsmasq.conf. A basic configuration consists of only a few key lines:

# Network interface to handle interface=eth0

# DHCP options

# IP range to allocate

dhcp-range=192.168.101.100,192.168.101.200,12h

# Gateway to announce to clients

dhcp-option=option:router,192.168.101.1

# DNS servers to announce to clients

dhcp-option=option:dns-server,8.8.8.8,8.8.4.4

# Boot file to announce to clients

# Network interface to handle interface=eth0

# DHCP options

# IP range to allocate

dhcp-range=192.168.101.100,192.168.101.200,12h

# Gateway to announce to clients

dhcp-option=option:router,192.168.101.1

# DNS servers to announce to clients

dhcp-option=option:dns-server,8.8.8.8,8.8.4.4

# Boot file to announce to clients

dhcp-boot=pxelinux.0

# TFTP options enable-tftp

# Directory hosting files to serve tftp-root=/tftpboot/

dhcp-boot=pxelinux.0

# TFTP options enable-tftp

# Directory hosting files to serve tftp-root=/tftpboot/

• Unpack 32-bit (i386), 64-bit (amd64), standard or graphical (gtk) installation boot files from the Kali archive into /tftpboot/. The archives can be found here:

➨ http://http.kali.org/dists/kali-rolling/main/installer-amd64/current/ images/netboot/gtk/netboot.tar.gz

➨ http://http.kali.org/dists/kali-rolling/main/installer-amd64/current/ images/netboot/netboot.tar.gz

➨ http://http.kali.org/dists/kali-rolling/main/installer-i386/current/ images/netboot/gtk/netboot.tar.gz

➨ http://http.kali.org/dists/kali-rolling/main/installer-i386/current/ images/netboot/netboot.tar.gz

# mkdir /tftpboot

# cd /tftpboot

# wget http://http.kali.org/dists/kali-rolling/main/installer-amd64/current/

➥ images/netboot/netboot.tar.gz

# tar xf netboot.tar.gz

# mkdir /tftpboot

# cd /tftpboot

# wget http://http.kali.org/dists/kali-rolling/main/installer-amd64/current/

➥ images/netboot/netboot.tar.gz

# tar xf netboot.tar.gz

• Optionally modify txt.cfg to preseed parameters or custom timeouts. See section 4.3, “Unattended Installations” [page 91]. Next, you can leverage configuration management tools to manage machines or configure remote computers to any desired state.

• SaltStack is a centralized configuration management service: a Salt master manages many Salt minions. Install the salt-master package on a reachable server and salt-minion on man- aged hosts.

• Edit the /etc/salt/minion YAML-formatted config file and set the master key to the DNS name (or IP address) of the Salt master.

• Set minion’s unique identifier in /etc/salt/minion_id:

minion# echo kali-scratch >/etc/salt/minion_id

minion# systemctl enable salt-minion

minion# systemctl start salt-minion

minion# echo kali-scratch >/etc/salt/minion_id

minion# systemctl enable salt-minion

minion# systemctl start salt-minion

• Key exchange will follow. On the master, accept minion’s identification key. Subsequent connections will be automatic:

master# systemctl enable salt-master master# systemctl start salt-master master# salt-key --list all

Accepted Keys: Denied Keys: Unaccepted Keys: kali-scratch Rejected Keys:

master# salt-key --accept kali-scratch

The following keys are going to be accepted: Unaccepted Keys:

kali-scratch Proceed? [n/Y] y

Key for minion kali-scratch accepted.

Accepted Keys: Denied Keys: Unaccepted Keys: kali-scratch Rejected Keys:

master# salt-key --accept kali-scratch

The following keys are going to be accepted: Unaccepted Keys:

kali-scratch Proceed? [n/Y] y

Key for minion kali-scratch accepted.

• Once minions are connected, you can execute commands on them from the master. Exam- ples:

master# salt ’*’ test.ping

kali-scratch:

True

kali-master:

True

master# salt kali-scratch cmd.shell ’uptime; uname -a’

master# salt kali-scratch sys.doc’ master# salt ’*’ service.enable ssh [...]

master# salt ’*’ service.start ssh

[...]

master# salt ’*’ pkg.refresh_db

[...]

master# salt ’*’ pkg.upgrade dist_upgrade=True

server# salt ’*’ cmd.shell ’pkill -f dnmap_client’

master# salt ’*’ test.ping

kali-scratch:

True

kali-master:

True

master# salt kali-scratch cmd.shell ’uptime; uname -a’

master# salt kali-scratch sys.doc’ master# salt ’*’ service.enable ssh [...]

master# salt ’*’ service.start ssh

[...]

master# salt ’*’ pkg.refresh_db

[...]

master# salt ’*’ pkg.upgrade dist_upgrade=True

server# salt ’*’ cmd.shell ’pkill -f dnmap_client’

• The full list of execution modules can be found at https://docs.saltstack.com/en/ latest/ref/modules/all/index.html.

• Use Salt state files (re-usable configuration templates) to schedule actions, collect data, or- chestrate sequences of operations on multiple minions, provision cloud systems and bring them under management, and more. Save time with pre-defined Salt formulas:

➨ https://docs.saltstack.com/en/latest/topics/development/conventions/ formulas.html

• When it comes time to fork a package, first decide if it is a task that you need to tackle. There are significant advantages and disadvantages. Review them carefully. The kali-meta, desktop- base, and kali-menu packages are interesting, probable choices. The process of forking a package can be daunting and is difficult to summarize.

Now that we have covered all the bases in terms of installation, configuration, customization, and deployment of Kali Linux, let’s turn towards the role of Kali Linux in the field of Information Security.