<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>My Learning Website</title>
<link href="/styles/styles.css" rel="stylesheet" type="text/css">
<link href="/linux/styles/styles.css" rel="stylesheet" type="text/css">
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
</head>
<body>
<div class="banner">
<h1 class="courselink">Kali Linux on Windows 10 First Look</h1>
<h2 class="lecturer">LinkedIn Learning : Scott Simpson</h2>
</div>
<article>
<h2 class="sectiontitle">Introduction</h2>
<h3 class="subsectiontitle">Lab Setup</h3>
<p>If you want to play around with Kali and particularly do some testing with the available tools, it is helpful to have a target system to test. You can download the Metasploitable VM from <a href="https://information.rapid7.com/download-metasploitable-2017.html">Rapid7</a> but this will require registration and you will, for example, be asked to provide your employer's name as well as a work telephone number and email address. Since I only want to play with it, find out how it works and so on, I don't really want to be giving out this type of information, especially since the download is not work-related for me. I don't know if you can get away with putting in something like a 10 minute email address here.</p>
<p>It is possible to get it from elsewhere, for example, on <a href="https://sourceforge.net/projects/metasploitable/">SourceForge</a> or you can Google something like "download metasploitable vm". The zip file you download contains a vmdk file rather than an actual VM image so you can create your VM using any platform (I am using VirtualBox) and then add this disk image rather than creating a new one. For info, the default username and password are both msfadmin and the IP address is 10.0.2.15 by default, but if you switch to the bridged network adapter on your VM, the machine will get a local IP address; for me that is 192.168.0.25.</p>
<p>You can ping this from a command prompt but not from Kali Linux because the WSL doesn't permit raw socket operations. That will also prevent you from using some of the tools in Kali so for some purposes, you may need to find an alternative to using Kali Linux with the WSL. Personally, I don't really think there is much of a reason for doing that other than the fact that it is pretty cool to be able to run Kali Linux (and other Linux distros such as Ubuntu) directly on a Windows desktop.</p>
<h2 class="sectiontitle">Windows Subsystem for Linux</h2>
<h3 class="subsectiontitle">Understanding and Enabling Windows Subsystem for Linux</h3>
<p>The WSL is a compatibility layer for Linux binaries. It doesn't include a Linux kernel, but instead passes instructions to the Windows kernel, thereby allowing us to run Linux binaries in Windows.</p>
<p>The WSL is intended for developers; it's not intended to provide you with a full Linux installation. Essentially, you are only getting access to a shell although with a little additional work, we can install a desktop as we will see in the next section.</p>
<h2 class="sectiontitle">Kali Linux</h2>
<h3 class="subsectiontitle">Installing Kali Linux on Windows 10</h3>
<p>Kali provides some tools which Windows might identify as malware so we want to create an exception for the folder that contains Kali Linux. This is normally fairly straightforward. For example, in AVG, click on the menu in the top right corner.</p>
<img src="images/avg.png" alt="The AVG console in Windows">
<p>Select Settings.</p>
<img src="images/settings.png" alt="The AVG Settings">
<p>Next, click on Exceptions then Add Exception and Browse. If Kali has been installed in the default location, you should expand the C drive, then Users, your username, AppData, Local and finally Packages. Take care to expand rather than select these folders or you may be creating an exception for the wrong folder. The Kali package is in a directory whose name starts with Kali so select it and click OK.</p>
<p>The Kali installation on Windows 10 is pretty small with a minimal amount of software, not really anything beyond a simple shell in fact. We can add other software but the repository that is available by default is the only one recommended for use with Kali. Adding other repositories can create problems so it is recommended that you don't add any.</p>
<p>We can get a list of tools that are available from <a href="https://www.kali.org/tools/">kali.org/tools</a> and we can install these individually. For example, if we want to install whatweb, we can do that with</p>
<pre class="inset">
sudo apt install whatweb</pre>
<p>We can also get a list of installed packages with</p>
<pre class="inset">
sudo apt list --installed</pre>
<p>Quick sidebar - whatweb allows us to get information about a web site or web server. You just need to type whatweb followed by a URL or ip address. For example</p>
<pre class="inset">
whatweb osztromok.com</pre>
<p>returns this information on my website.</p>
<pre class="inset">
└─$ whatweb osztromok.com
http://osztromok.com [200 OK] Apache[2.4.38], Country[UNITED KINGDOM][GB], HTML5, HTTPServer[Apache/2.4.38 (Raspbian)], IP[82.2.236.221], Script[module], Title[New Website]</pre>
<p>Notice this includes my public ip address and if I run the same command using this ip address in place of the URL, the output is (as you would probably expect) exactly the same.</p>
<p>We can also run the command using the actual ip address of the server which is not the same as the public address, the public address connects to my router and web traffic is forwarded to the server. This time, the output is slightly different, but not significantly so.</p>
<pre class="inset">
└─$ whatweb 192.168.0.13
http://192.168.0.13 [200 OK] Apache[2.4.38], Country[RESERVED][ZZ], HTML5, HTTPServer[Apache/2.4.38 (Raspbian)], IP[192.168.0.13], Script[module], Title[New Website]</pre>
<p>We can install as many individual packages as we need, but we can also use a metapackage to install a whole set of tools, like this</p>
<pre class="inset">
sudo apt install kali-linux-large</pre>
<p>This might be installing a lot of packages so it could take quite a while to complete but when it does, you will have access to a number of tools.</p>
<h3 class="subsectiontitle">Using Kali Tools</h3>
<p>Let's get into using some Kali tools. This helps us to see how they work and gets us started on doing some useful stuff with them.</p>
<h3 class="subsectiontitle">Nikto</h3>
<p>Nikto will scan a webserver looking for vulnerabilities. For more information, see the <a href="https://www.kali.org/tools/nikto/">Nikto page</a> in the <a href="https://www.kali.org/tools/">Kali Tools Documentation</a> or there is a tutorial, <a href="https://www.hackingtutorials.org/web-application-hacking/scanning-webservers-vulnerabilities-with-nikto/">Scanning Webservers with Nikto for vulnerabilities</a> on the <a href="https://www.hackingtutorials.org/">Hacking Tutorials</a> website.</p>
<p>We can use Nikto with a command like this.</p>
<pre class="inset">
nikto -host 192.168.0.25</pre>
<p>This is our Metasploitable VM and as you might expect, nikto reveals a number of vulnerabilities. Each line of the output represents a potential website vulnerability and is probably something worth looking at. The GitHub page for Nikto can be found <a href="https://github.com/sullo/nikto">here</a> and this includes some documentation. There are also a number of online tutorials for Nikto, for example at <a href="https://cirt.net/Nikto2">cirt.net</a>.</p>
<h3 class="subsectiontitle">John the Ripper</h3>
<p>John the Ripper is a tool for attempting to extract passwords from a hashed file, an online tutorial for this can be found at <a href="https://www.tunnelsup.com/getting-started-cracking-password-hashes/">tunnelsup.com</a>. In order to try it out, we will need a file containing some hashed passwords and we can get these from <a href="http://contest-2012.korelogic.com/cmiyc_2012_password_hash_files.tar.bz2">korelogic.com</a>. This was part of an online password cracking contest in 2012 and if you are interested, you can get more info on that at <a href="http://contest-2012.korelogic.com/">contest-2012.korelogic.com/</a>.</p>
<p>The file is a bzip2 file (the extension is .bz2) and it is archived so to unzip it, I will use Kali. To make it easier to find it in Kali, I have moved it to the root directory of the C drive and in Kali, I have navigated to this directory with</p>
<pre class="inset">
cd /mnt/c</pre>
<p>Once there, we can get a directory listing to ensure the file is there. I want to move it over to my Kali home folder before unzipping it so that if there are any problems with the file, I have the original file handy so I have created a directory called hashedfiles in the Kali home directory with</p>
<pre class="inset">
mkdir ~/hashedfiles</pre>
<p>Just to clarify here, when I refer to the home directory on the Kali drive, I mean the home directory for my user account which is under the name of philip.</p>
<p>I can now move the file over to the hashed files directory with</p>
<pre class="inset">
mv cmiyc_2012_password_hash_files.tar.bz2 ~/hashedfiles/</pre>
<p>We can now unzip the file with the command</p>
<pre class="inset">
tar -xjf ~/hashedfiles/cmiyc_2012_password_hash_files.tar.bz2 -C ~/hashedfiles/</pre>
<p>The directory listing for hashedfiles after extracting the zipped file is shown below.</p>
<pre class="inset">
┌──(philip㉿DESKTOP-T1UL4RO)-[~/hashedfiles/cmiyc_2012_password_hash_files]
└─$ ll
total 9368
-rw-r--r-- 1 philip philip 99578 Jul 27 2012 hashes-10.raw-md5u.txt
-rw-r--r-- 1 philip philip 502269 Jul 27 2012 hashes-11.raw-sha1.txt
-rw-r--r-- 1 philip philip 405963 Jul 27 2012 hashes-12.bf.txt
-rw-r--r-- 1 philip philip 357829 Jul 27 2012 hashes-13.md5.txt
-rw-r--r-- 1 philip philip 195937 Jul 27 2012 hashes-14.mscash.txt
-rw-r--r-- 1 philip philip 100046 Jul 27 2012 hashes-15.mscash2.txt
-rw-r--r-- 1 philip philip 285818 Jul 27 2012 hashes-16.mysql-sha1.txt
-rw-r--r-- 1 philip philip 388472 Jul 27 2012 hashes-17.oracle11.txt
-rw-r--r-- 1 philip philip 327309 Jul 27 2012 hashes-18.phps.txt
-rw-r--r-- 1 philip philip 531180 Jul 27 2012 hashes-19.salted-sha1.txt
-rw-r--r-- 1 philip philip 1063627 Jul 27 2012 hashes-1.sha512crypt.txt
-rw-r--r-- 1 philip philip 745226 Jul 27 2012 hashes-2.sunmd5.txt
-rw-r--r-- 1 philip philip 293375 Jul 27 2012 hashes-3.des.txt
-rw-r--r-- 1 philip philip 539076 Jul 27 2012 hashes-4.dynamic_21.txt
-rw-r--r-- 1 philip philip 334781 Jul 27 2012 hashes-5.dynamic_28.txt
-rw-r--r-- 1 philip philip 324864 Jul 27 2012 hashes-6.nsldap.txt
-rw-r--r-- 1 philip philip 1252756 Jul 27 2012 hashes-7.nt.txt
-rw-r--r-- 1 philip philip 170480 Jul 27 2012 hashes-8.raw-md4.txt
-rw-r--r-- 1 philip philip 173469 Jul 27 2012 hashes-9.raw-md5.txt</pre>
<p>Note that the filenames give some idea of the hashing scheme used and therefore of its strength, so we will take a look at one of the easiest to crack, and that is hashes-3.des.txt which is a list of usernames along with the hashed passwords. The first few of these are shown below.</p>
<pre class="inset">
head hashes-3.des.txt
kumarb:zg9goY0qIxinA::0:::
millersu:81Vz9iZ6Bmbz6::0:::
daviski:K8QOISIAXalX.::0:::
jadams:T33f9gnZ6w7MQ::0:::
donna.hall:2loq9qH1x1x6M::0:::
moralech:Bjufto0s4kjpQ::0:::
rayp:lCqiaeg1rqIcs::0:::
luis.nelson:dCRneh2bbKDvY::0:::
jajones:rURUNrD/6n.d6::0:::
joana:px9k8qQ7KxDFE::0:::</pre>
<p>Note that with John the Ripper, you can provide it with a wordlist to use or you can use its own wordlist. The command to analyse the file using the built-in wordlist is</p>
<pre class="inset">
john --wordlist hashes-3.des.txt</pre>
<p>After a few moments, we start to see a list of usernames along with their passwords. These are also stored in a hidden directory in the home folder in a file called john.pot. We can view that with a command such as</p>
<pre class="inset">
cat ~/.john/john.pot</pre>
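<p>The format hint in the filenames can also be read from the hash strings themselves, which is how you would audit a password file for accounts still on a weak scheme. The following is an added example, not part of the course or the original notes: the function names are made up, the first three sample lines come from the listing above, and the last three are constructed placeholders.</p>

```shell
#!/bin/sh
# Added example: classify entries of a "user:hash:..." file by crypt(3)
# format so that accounts on legacy schemes can be found and rehashed.

# Constructed sample. The first three lines are from hashes-3.des.txt as
# shown on this page; alice, bob and carol are made-up placeholder entries.
sample_hashes() {
    cat <<'EOF'
kumarb:zg9goY0qIxinA::0:::
millersu:81Vz9iZ6Bmbz6::0:::
daviski:K8QOISIAXalX.::0:::
alice:$6$examplesalt$placeholder::0:::
bob:$1$examplesalt$placeholder::0:::
carol:!::0:::
EOF
}

# classify: read user:hash:... lines on stdin, print "user format".
# Modular crypt hashes carry a $id$ prefix; traditional DES crypt has no
# prefix and is always 13 characters from the set ./0-9A-Za-z.
classify() {
    awk -F: '
    {
        h = $2
        if      (substr(h, 1, 3) == "$6$") fmt = "sha512crypt"
        else if (substr(h, 1, 3) == "$5$") fmt = "sha256crypt"
        else if (substr(h, 1, 2) == "$2" && substr(h, 4, 1) == "$") fmt = "bcrypt"
        else if (substr(h, 1, 3) == "$1$") fmt = "md5crypt"
        else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") fmt = "descrypt"
        else if (h == "" || substr(h, 1, 1) == "!" || substr(h, 1, 1) == "*")
            fmt = "locked-or-empty"
        else fmt = "unknown"
        print $1, fmt
    }'
}

# legacy_accounts: users whose hash should be replaced. DES crypt only
# uses the first 8 characters of the password and a 2-character salt;
# md5crypt is likewise considered obsolete.
legacy_accounts() {
    classify | awk '$2 == "descrypt" || $2 == "md5crypt" { print $1 }'
}

sample_hashes | classify
echo "accounts to rehash:"
sample_hashes | legacy_accounts
```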
<p>There are a lot of other tools that Kali makes available and one of the major ones is metasploit which allows you to use a variety of exploits against a variety of targets. You can open it with the command</p>
<pre class="inset">
msfconsole</pre>
<p>but using it is beyond the scope of this course. More information on these tools can be found in the more advanced Kali Linux and pen testing courses including the following:</p>
<p>&bull; <a href="https://www.linkedin.com/learning/learning-kali-linux-2">Learning Kali Linux</a></p>
<p>&bull; <a href="https://www.linkedin.com/learning/advanced-kali-linux">Advanced Kali Linux</a></p>
<p>&bull; <a href="https://www.linkedin.com/learning/penetration-testing-essential-training-14167987">Penetration Testing Essential Training</a></p>
<p>&bull; <a href="https://www.linkedin.com/learning/penetration-testing-with-metasploit">Penetration Testing with Metasploit</a></p>
<p>There are also a couple of relevant Learning Paths but bear in mind the fact that this is a relatively rapidly evolving field so if you are interested, it would be well worth searching on LinkedIn for relevant courses or Learning Paths when you are ready to study them.</p>
<p>In most cases, you will be able to do this course using the Kali installation on Windows 10, but because it doesn't give you access to raw sockets, you may want to look at a different option for more advanced study, which might be a VM or a live system you can boot into.</p>
<h3 class="subsectiontitle">Using Graphical Tools</h3>
<p>Many of the tools that Kali provides have graphical interfaces, but since the WSL is text only, it can be tricky to get these to run. One option is to install a desktop manager, and Xfce is a good option for that. We would also need an X Server (Xorg) and an X Server on the Windows machine (Xming) so that the graphical interface can be viewed in Windows. Installing the desktop manager and X server on Kali is straightforward and we can do it with a single command.</p>
<pre class="inset">
sudo apt install xfce4 xorg</pre>
<p>This will take a while to complete and while it is installing, you will be presented with a graphical interface of sorts allowing you to select your default language and keyboard layout.</p>
<p>In the meantime, we can go ahead and download the X Server for Windows from <a href="https://sourceforge.net/projects/xming/">SourceForge</a> and again, installation is pretty much standard for Windows. When it runs, you should see its icon in the system tray and there are start menu items for xming and xlaunch which allow you to configure it although we won't do that now.</p>
<p>We need to tell Kali what graphical display to use which you can do with</p>
<pre class="inset">
export DISPLAY=:0</pre>
<p>We should now be able to open up a graphical tool and we will start up xeyes, which is a trivial graphical interface but it demonstrates the fact that our graphical system is working. We can do that just by typing</p>
<pre class="inset">
xeyes</pre>
<p>You can also start up (in theory) an X desktop with the command xfce4-session. This doesn't work on my system, but if it does, it should provide a basic desktop including an Applications menu. The course video goes on to show a graphical tool called owasp-zap working. At some point, I might either get this working or use a Kali Desktop system and come back to the course video to add notes on how it works.</p>
<h3 class="subsectiontitle">Managing and Resetting the Kali Environment</h3>
<p>The Kali system is located within the Windows file system and you can navigate to it using, for example, Windows File Explorer. If you interact with the installation in this way, however, it can cause problems. For example, if you add files here, they will not be visible in Kali Linux until it is restarted and perhaps more importantly, they won't have any permissions set. A better option is to interact with the Windows file system from within Kali using /mnt/c and we saw this in action when copying over the cmiyc_2012_password_hash_files.tar.bz2 file. You can write files to or from this so it provides you with a really convenient way of transferring files between Windows and Kali Linux.</p>
<p>If you want to search for a file in Kali, this unified file system is actually going to make things a little harder for you and the reason for this is that the Windows system is effectively mounted on Kali Linux with /mnt being the mount point. Now, imagine we want to run a search for any file on our Kali Linux system whose name contains the word secrets. The normal way to do that is</p>
<pre class="inset">
find / -name "*secrets*"</pre>
<p>That would work on our Kali system, but it is also going to search through your entire Windows system so it's going to take a lot longer and assuming you get a list of results, you may need to search through them to work out which files are on the Linux system and which are on the Windows system. You can get around that by pruning the search tree like this.</p>
<pre class="inset">
find / -name "*secrets*" -print -o -path "/mnt/c" -prune</pre>
<p>and this will prevent find from searching in any folders in /mnt/c - I would assume that if you have other drives, it will still search through them so maybe a better option would be</p>
<pre class="inset">
find / -name "*secrets*" -print -o -path "/mnt" -prune</pre>
<p>Running this with /mnt/c as the pruned path, the first three results are</p>
<pre class="inset">
[philip:DESKTOP-T1UL4RO g]$ find / -name '*secrets*' -print -o -path "/mnt/c" -prune
find: ‘/etc/polkit-1/localauthority’: Permission denied
find: ‘/etc/ssl/private’: Permission denied
find: ‘/mnt/g/$RECYCLE.BIN/S-1-5-21-1443535561-3938206906-1612629907-1001’: Permission denied</pre>
<p>As you can see, the third entry there is from the g drive. I let this command run for a couple of minutes before halting it and then I tried again without the c and I got a list of results back in just a few seconds as follows:</p>
<pre class="inset">
[philip:DESKTOP-T1UL4RO g]$ find / -name '*secrets*' -print -o -path "/mnt" -prune
find: ‘/etc/polkit-1/localauthority’: Permission denied
find: ‘/etc/ssl/private’: Permission denied
find: ‘/proc/1/attr’: Permission denied
find: ‘/proc/1/fd’: Permission denied
find: ‘/proc/1/ns’: Permission denied
find: ‘/proc/1/task/1/attr’: Permission denied
find: ‘/proc/1/task/1/fd’: Permission denied
find: ‘/proc/1/task/1/ns’: Permission denied
find: ‘/proc/1/task/8/attr’: Permission denied
find: ‘/proc/1/task/8/fd’: Permission denied
find: ‘/proc/1/task/8/ns’: Permission denied
find: ‘/proc/45/attr’: Permission denied
find: ‘/proc/45/fd’: Permission denied
find: ‘/proc/45/ns’: Permission denied
find: ‘/proc/45/task/45/attr’: Permission denied
find: ‘/proc/45/task/45/fd’: Permission denied
find: ‘/proc/45/task/45/ns’: Permission denied
find: ‘/proc/4853/attr’: Permission denied
find: ‘/proc/4853/fd’: Permission denied
find: ‘/proc/4853/ns’: Permission denied
find: ‘/proc/4853/task/4853/attr’: Permission denied
find: ‘/proc/4853/task/4853/fd’: Permission denied
find: ‘/proc/4853/task/4853/ns’: Permission denied
find: ‘/root’: Permission denied
find: ‘/run/sudo’: Permission denied
find: ‘/sys/kernel/debug’: Permission denied
/usr/lib/python3.9/secrets.py
/usr/lib/python3.9/__pycache__/secrets.cpython-39.pyc
find: ‘/var/cache/apt/archives/partial’: Permission denied
find: ‘/var/cache/ldconfig’: Permission denied
find: ‘/var/lib/apt/lists/partial’: Permission denied
find: ‘/var/lib/lightdm’: Permission denied
find: ‘/var/lib/polkit-1’: Permission denied
find: ‘/var/spool/cron/crontabs’: Permission denied
find: ‘/var/spool/rsyslog’: Permission denied</pre>
<p>We are seeing a lot of permission errors here so we might want to dispose of them with</p>
<pre class="inset">
sudo find / -name '*secrets*' -print -o -path "/mnt" -prune 2&gt;/dev/null</pre>
<p>Now, our list of results is</p>
<pre class="inset">
[philip:DESKTOP-T1UL4RO g]$ sudo find / -name '*secrets*' -print -o -path "/mnt" -prune 2&gt;/dev/null
/usr/lib/python3.9/secrets.py
/usr/lib/python3.9/__pycache__/secrets.cpython-39.pyc</pre>
<p>Interestingly, I thought that if we tried the same command with sudo, we would see more results, but we don't, which I guess means that the folders we weren't able to search before didn't contain any matches anyway.</p>
<p>If you use a command like this often, you will probably want to use Ctrl+R to search for it or look for it in history.</p>
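<p>The pruning behaviour described above can be reproduced safely on a throwaway directory tree. The following is an added example, not part of the course or the original notes: the tree, its file names and the functions make_tree, search and search_implicit are constructed for illustration. It shows that pruning mnt/c still walks mnt/g, that pruning mnt skips every drive, and that leaving out -print makes find list the pruned directory itself.</p>

```shell
#!/bin/sh
# Added example on a constructed tree (not the author's system).

# Build a throwaway tree shaped like the WSL layout: Linux files plus
# Windows drives mounted under mnt/. Prints the tree's root directory.
make_tree() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/usr/lib" "$root/mnt/c/Users" "$root/mnt/g/backup"
    : > "$root/usr/lib/secrets.py"
    : > "$root/mnt/c/Users/secrets.txt"
    : > "$root/mnt/g/backup/old-secrets.zip"
    printf '%s\n' "$root"
)

# search ROOT DIR: names matching *secrets* under ROOT, never descending
# into ROOT/DIR. The prune test comes first, so the pruned directory is
# skipped before -name is evaluated. Paths are relative to ROOT.
search() (
    cd "$1" || exit 1
    find . -path "./$2" -prune -o -name '*secrets*' -print 2>/dev/null | sort
)

# Same expression without -print: find wraps the whole expression in an
# implicit -print, so the pruned directory itself shows up in the output.
search_implicit() (
    cd "$1" || exit 1
    find . -path "./$2" -prune -o -name '*secrets*' 2>/dev/null | sort
)

tree=$(make_tree)
echo "pruning mnt/c (mnt/g is still searched):"; search "$tree" mnt/c
echo "pruning mnt (no Windows drive is searched):"; search "$tree" mnt
echo "no -print (pruned directory is listed too):"; search_implicit "$tree" mnt
rm -rf "$tree"
```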
<p>Managing processes in our Kali on the WSL is similar to doing this in a Linux desktop environment. One major difference is that the processes also show up in the Windows Task Manager.</p>
<p>On our Kali system, we can use top (or htop but you may have to install it) and you can kill processes with pid. You may also need to restart the WSL in order to clean up old processes, especially if you have been using the graphical interface.</p>
<p>One way to do this is from a command prompt or PowerShell (be sure to open it as an administrator) using the command</p>
<pre class="inset">
net stop LxssManager</pre>
<p>When you restart the WSL, all the previous processes will be gone.</p>
<p>While it can be very easy to break your Kali installation in Windows, it is also really easy to restore it to its initial state and you can do this by opening up Add or Remove Programs, locating Kali and clicking on the Advanced options. From there you can uninstall Kali but you can also repair or reset it. Resetting it is probably much quicker than uninstalling and then reinstalling it.</p>
</article>
<div class="btngroup">
<button class="button" onclick="window.location.href='/linux/linux.html'">
Linux Page
</button>
<button class="button" onclick="window.location.href='/index.html'">
Home
</button>
</div>
</body>
</html>