From 811b0916873261cfda701a2b7acea93b6c259d9f Mon Sep 17 00:00:00 2001 From: Lorenzo G Date: Mon, 9 Jan 2017 22:08:31 +0000 Subject: [PATCH] updated instructions for Qubes 3.2 --- managing-os/kali.md | 111 ++++++++++++++++++-------------------------- 1 file changed, 46 insertions(+), 65 deletions(-) diff --git a/managing-os/kali.md b/managing-os/kali.md index f9642428..9b7cbc8f 100644 --- a/managing-os/kali.md +++ b/managing-os/kali.md @@ -9,37 +9,36 @@ How to Create a Kali Linux VM This guide will explain how to create your own [Kali] Linux VM as a VM template. The basic idea is to personalize the template with the tools you need -and then spin up isolated appVMs based on the template. +and then spin up isolated AppVMs based on the template. + +This has been tested on Qubes OS 3.2. The steps can be summarised as: -1. Customize a Debian template with the Kali sources -3. Install the Kali tools +1. Install Qubes' Debian 8.0 (Jessie) template +2. Upgrade the template to Debian 9.0 (Stretch) +3. Install kali through the ``kali-linux-full`` package 4. Use the template to build appVM so that you can maintain isolation between e.g. pentesting jobs -**IMPORTANT NOTE** Following the instructions below and in particular installing kali-linux-full will **BREAK YOUR VM**. Don't do it. It needs further investigation. The problem is: - - * Pinning down xorg doesn't allow installing kali-desktop (or something) which prevents kali-* - - Steps to build a Kali template ------------------------------ - ### Get the GPG key 1. You'll need to fetch the Kali GPG key from a dispVM as the template you'll build won't have direct internet connectivity unless you enable it from the firewall: - # in the dispVM + # in a dispVM gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6 gpg --list-keys --with-fingerprint 7D8D0BF6 gpg --export --armor 7D8D0BF6 > kali.asc -2. Make sure the key ID is the valid one listed on the [Kali website]. Ideally, +2. **DO NOT TURN OFF** the dispVM + +3. Make sure the key ID is the valid one listed on the [Kali website]. Ideally, verify the fingerprint through other channels. Once you have the key, keep the dispVM on as you'll need to copy the key over @@ -51,80 +50,65 @@ to the Kali template. 2. Clone the debian template and start a terminal in it: - # from dom0: - qvm-clone debian-8 kali + # in dom0: + qvm-clone debian-8 debian-9 + qvm-run -a debian-9 gnome-terminal -3. Add this line to the `/etc/apt/sources.list` file in the template: + # in the debian-9 template terminal: + # substitute jessie for stretch in + sensible-editor /etc/apt/sources.list + sensible-editor /etc/apt/sources.list.d/qubes-r3.list + apt-get update && apt-get dist-upgrade + # (hat tip: [the Debian wiki]) - # in the 'kali' template + Restart the template when done and make sure you can open a terminal. + +3. Prepare the kali template: + + # in dom0: + qvm-shutdown debian-9 + qvm-clone debian-9 kali-tpl + qvm-run -a kali-tpl gnome-terminal + +3. Add the sources to install Kali linux to the `kali-tpl` template: + + # in kali-tpl: sudo -s echo 'deb http://http.kali.org/kali kali-rolling main non-free contrib' >> /etc/apt/sources.list 4. Copy the Kali key from the dispVM into the template: - # in the dispVM - qvm-copy-to-vm kali kali.asc + # in the dispVM: + qvm-copy-to-vm kali-tpl kali.asc - # in the kali template: - sudo -s - cat /home/user/QubesIncoming/kali/kali-key.asc | apt-key add - + # in kali-tpl: + cat /home/user/QubesIncoming/dispXXX/kali-key.asc | sudo apt-key add - The last command should return `OK` on a line by itself. -5. **Pin the X server** into the preferences file: this prevents Kali to installing - a new X.org server, for which there would be no qubes-tools available: - - # add the following lines to /etc/apt/preferences (you might have to - create it) - - Package: xserver-xorg* - Pin: release a=jessie - Pin-Priority: 900 - - Package: xorg* - Pin: release a=jessie - Pin-Priority: 900 - 5. Update the system: + # in kali-tpl: sudo apt-get update - sudo apt-get upgrade sudo apt-get dist-upgrade -6. Now is a good time to stop the template, clone it and see if restarting it - allows you to run a terminal: +6. Shut down the `kali-tpl` template: - # from dom0 - qvm-clone kali kali-tools + # in dom0: + qvm-shutdown kali-tpl ### Install the Kali tools At this point you should have a working template and you can install the tools you need. -Don't forget to [resize the template] if you plan on installing the full Kali distribution. For example to install `kali-linux-full` you must **grow** the size of the VM system from 10Gb to at least 20Gb. +1. [resize the template] if you plan on installing the full Kali distribution. For example to install `kali-linux-full` you must **grow** the size of the VM system from 10Gb to at least 20Gb. -1. Install your tools of choice, for example: +1. Install Kali linux: - # in the kali-tools template + # in kali-tpl: sudo apt-get install kali-linux-full -2. If the update process went well, give it a try: shut down the `kali-tools` - template and create an appVM from it. - -3. When you are happy you can probably remove the `kali` template and its - backup copies; then use only `kali-tools` as a template. - - -Don't forget to back up your appVMs as [audio CDs]. - - -Troubleshooting ---------------- - -If the template doesn't start, give it a peek with the console: - - # from dom0 - sudo xl console kali +2. Enjoy and don't forget to back up your appVMs as [audio CDs]. Installing via third-party scripts: Katoolin @@ -146,12 +130,7 @@ Alternative Options to Kali Notes ----- -Various things tried: - - * Forget about pinning: just dist-upgrade, then download qubes-core-agent, then BACKEND_VMM=xen dpkg-buildpackage -b -uc -us - * Also download requirements for debian bootstrapping from https://wiki.debian.org/BuildingTutorial - * And qubes-kernel-vm-support for vchan (I think) - +Thanks to the people in [the discussion thread]. [kali]: https://www.kali.org/ @@ -161,3 +140,5 @@ Various things tried: [PTF]: https://www.trustedsec.com/may-2015/new-tool-the-pentesters-framework-ptf-released/ [audio CDs]: https://www.reddit.com/r/Nirvana/comments/3hmra1/the_main_character_in_the_tv_show_mr_robot_has_a/ [resize the template]: https://www.qubes-os.org/doc/resize-disk-image/ +[the Debian wiki]: https://wiki.debian.org/Qubes#Install_Debian_Templates +[the discussion thread]: https://github.com/QubesOS/qubes-issues/issues/1981