POSTS

Kali Linux - Verifying the Integrity of Downloaded ISO

COMMON TERMS:

  • What is a Kernel?  
    It’s a piece of software that handles interactions between the hardware and the end-user applications.

  • What is Linux?
    It’s just the name for a kernel.

  • What is a Linux Distribution?
    The term refers to a complete operating system that’s built on top of the Linux kernel.

  • What is Debian GNU/Linux?
    It’s a leading generic Linux distribution, known for its quality and stability.

  • What is meant by a checksum?
    A checksum is the outcome of running an algorithm, called a cryptographic hash function, on a piece of data, usually a single file. A checksum value is used to verify the integrity of a file or a data transfer.

  • What is GnuPG?
    GnuPG (GNU Privacy Guard) is a system that allows us to encrypt and sign our data and communications. The PGP/GPG security model is very unique. Anyone can generate any key with any identity, but you would only trust that key if it has been signed by another key that you already trust.

  • What is Kali Linux?
    It’s a security auditing Linux distribution based on Debian GNU/Linux, that allows conducting advanced penetration testing, forensic analysis, and security auditing. The maintainers of Kali Linux have provided us with a GnuPG key that has been used to sign the checksums of all official Kali Linux images.

Getting Started

The only official source of Kali Linux ISO images is the downloads section of the Kali website:

https://www.kali.org/downloads/
  1. Download the desired ISO image and take a note of the corresponding checksum (sha256sum). 
  2. Verify the checksum. [See following section for details.]
  3. Generate the checksum of your downloaded image.
  4. Compare the two checksums.
  5. If the checksums do not match, discard the downloaded ISO image.

VERIFYING THE CHECKSUM:

The GnuPG key that has been used to sign the checksums of the official Kali Linux images, has following identifiers and fingerprints:

 

We could download Kali’s public key over HTTPS or from a keyserver.

Once the public key is retrieved, it could be used to verify the checksums of the distributed images. For example, when we download a file with checksums (i.e., SHA256SUMS) and also the associated signature file (i.e., SHA256SUMS.gpg) then the signature could be verified as follows:

The “Good signature” message indicates that the content of the SHA256SUMS file is trustworthy and that it could be used to verify the downloaded ISO files. This message would be received only when the files have been downloaded from a legitimate Kali Linux mirror.

Use the following command to verify that the downloaded file has the same checksum as listed in SHA256SUMS. Ensure that the downloaded ISO file is in the same directory.

If we don’t get OK in response, then the downloaded file cannot be trusted and should not be used.

Now that we have downloaded the Kali Linux ISO image, and also verified the checksums, what next? We could create a bootable Kali USB drive on Windows, Linux or OS X/macOS.

Refer below link for more details:

https://kali.training/downloads/Kali-Linux-Revealed-1st-edition.pdf

Thank You!