In our last blog post, we provided an example of running an unattended network installation of Kali Linux. Our scenario covered the installation of a custom Kali configuration which contained select tools required for a remote vulnerability assessment using OpenVAS and the Metasploit Framework.

With just a few minor changes to this concept, we can further leverage Kali to create other cool and shiny toys as well. In today’s post, we’ll see what it takes to create what we fondly refer to as “The Kali Linux ISO of Doom”.

The idea we had was to build an “unattended self-deploying” instance of Kali Linux that would install itself on a target machine along with a customized configuration requiring no user input whatsoever. On reboot after the installation completes, Kali would automagically connect back to the attacker using a reverse OpenVPN connection. The VPN setup would then allow the attacker to bridge the remote and local networks as well as have access to a full suite of penetration testing tools on the target network.

There could be several uses for such an image:

Connect Back Penetration Testing Rig

In the first scenario, you need to perform an internal penetration test in a remote location. Rather than go on-site, you prefer having a penetration testing rig set up in the remote network from which you will be able to conduct the assessment. Traditionally, you would need to send a pre-configured computer to the remote site and wriggle your way into that remote rig in order to complete your work. Thankfully, those days are over. Now you can simply send a self-installing ISO to the remote site, ask them to burn it to CD/USB and boot a remote machine with that media. As the installation is completely unattended, the remote operator will not need to interact with the installation at all. “Set it and forget it”.

Post Exploitation Fun

The second scenario is rather cool. Consider the following: During a penetration test, you’ve compromised the internal infrastructure of the target organization. By either abusing PXE booting features in the remote network or a “remote iso upload” to a KVM, you automate an unattended installation of Kali including the OpenVPN connect back feature. Once the installation is complete, you’re bridged to the remote network, on their hardware, and able to escalate the external assessment to an internal one, complete with your full suite of tools.

Remote Hardware Backdoor

The third scenario consists of a remote hardware backdoor used in a physical penetration test engagement. The “backdoor” would once again be a fully fledged Kali Linux installation running our reverse bridging VPN connection. The hardware could be a small netbook, an android phone, or a small USB powered ARM device. This device is left at the customer site tucked away in a place it won’t be noticed, allowing you to bypass external defenses.

Kali Linux Rocks

The awesome thing about this project is that once we figured out all of the components we needed to make this image happen, it was easy to “port” the idea to PXE unattended installs (network installs), “live-build” (ISO’s and images), and Kali bootstrap sequences in general (Cellphone images / ARM hardware). This one idea could be implemented in many ways thanks to Kali’s versatility.

But, enough back patting, lets move on to the awesomeness.

Setting up the OpenVPN Server

We will first set up our OpenVPN server on a Kali Linux box with an external IP address (a.b.c.d). Once that’s done, we’ll build The Kali Linux ISO of Doom on the same machine and make it available for download thorough HTTP. The setup for the OpenVPN server was taken from the WSEC blog. Let’s begin: