I developed the Pluralsight course Introduction to Penetration Testing Using Metasploit using Kali Linux, which is a project from Offensive Security. Kali is a Linux distribution with most of the tools an information security professional would need. It is also a great platform for designing courses around because most, if not all, of the tools needed are installed by default.
The challenge is that Kali changes over time. Most of the time those changes are good and necessary to stay current and relevant. Of course, those changes often negatively impact ancillary products and information resources, including instructional courses. My Metasploit course is no exception. Revising an existing course that is already in use has its own challenges. Instead, I offer this blog post as a “living document” highlighting changes in Kali Linux that impact my Metasploit course. My hope is that if you run into issues with the course due to changes in Kali, you can find the answers here.
Kali Linux Rolls On
The Introduction to Penetration Testing Using Metasploit course was developed using Kali Linux 2.0. Unfortunately, I am not the fastest course creator. When the course was released by Pluralsight in June 2016, Kali Linux had switched to a rolling release model five months earlier. The benefits to the security practitioner were tremendous. To my course and students…not so much.
A rolling release is an approach to operating system distribution release management that relies on a continuous stream of updated and tested packages instead of a single release of packages at a specific point in time. Kali Linux is based on Debian, one of the older and more stable Linux distributions. Debian is continually updating software packages and those “trickle-down” into Kali rather quickly. This means that the Kali Rolling Releases will also have a lot of updated packages appear several times a week. For the most part, these package updates fix bugs and security issues. However, those updates can also introduce new issues sometimes.
Overall, the Kali Rolling Release distribution model helps us, and I have no complaints about it.
Some of the issues that I and some students uncovered are related to updated packages. One issue occurs because a major tool was removed from the new Kali distribution entirely. I have noted the known course issues that have arisen in the new distribution of Kali Linux below along with solutions. The course remains relevant, and these notes should help you complete the course without significant tool problems.
I hope this helps!
Package Upgrade Notes
In the course, I have you run apt-get dist-upgrade and then proceed with the installation and configuration of the system. In the Kali Rolling Releases, the package upgrade process installs a new major version of the Linux kernel. There is a version number difference between the running kernel (the one the system started up with) and the kernel installed in the upgrade process. This causes issues later when you need to install the kernel header files package because the command used (uname -r) lists the running kernel version and not the new one that was just installed.
To overcome this problem, just reboot the system after installing the upgraded packages. The system will boot with the new Linux kernel and the header file version mismatch goes away.
There are also older software packages that are no longer needed once the system software packages are upgraded. Use the apt-get autoremove command to clean those software packages out.
Here is the command order:
# apt-get update
# apt-get dist-upgrade
# apt-get autoremove
# reboot
Once the system comes back up, you can continue with the installation of VirtualBox Guest Additions and kernel header files.
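The kernel mismatch described above can be checked before installing the header files. The script below is an added example, not part of the course material: it compares uname -r with the newest installed linux-image package. It assumes Debian-style package names (linux-image-<version>) and uses a constructed sample package list.

```shell
#!/bin/sh
# Added example: detect the running-vs-upgraded kernel mismatch before
# installing linux-headers-$(uname -r). Not part of the course material.

# Constructed sample of installed package names (not taken from a real system).
SAMPLE_PACKAGES='linux-image-4.6.0-kali1-amd64
linux-image-4.9.0-kali3-amd64
linux-image-amd64'

# Read package names on stdin, print the newest versioned kernel.
# The unversioned metapackage (linux-image-amd64) is skipped.
newest_installed_kernel() {
    grep -E '^linux-image-[0-9]' | sed 's/^linux-image-//' | sort -V | tail -n 1
}

# True (exit 0) when the running kernel is not the newest installed one.
reboot_needed() {
    running=$1
    newest=$2
    [ -n "$newest" ] && [ "$running" != "$newest" ]
}

# Names of fully installed kernel image packages on a Debian-based system.
installed_kernel_packages() {
    dpkg-query -W -f='${Status} ${Package}\n' 'linux-image-*' 2>/dev/null |
        awk '$3 == "installed" { print $4 }'
}

# Compare the live system; returns 1 when a reboot is needed first.
check_kernel() {
    running=$(uname -r)
    newest=$(installed_kernel_packages | newest_installed_kernel)
    if [ -z "$newest" ]; then
        echo "no versioned linux-image package found"
        return 2
    fi
    if reboot_needed "$running" "$newest"; then
        echo "running $running, installed $newest: reboot, then install headers"
        return 1
    fi
    echo "running kernel $running is the newest installed; headers will match"
}

# Run the live check only when invoked as: sh kernel-check.sh check
if [ "${1:-}" = "check" ]; then
    check_kernel
fi
```

Saved under the hypothetical name kernel-check.sh, running it with the argument check right after apt-get dist-upgrade reports the mismatch; after the reboot it reports that the versions agree.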
The biggest change that I noted in the Rolling Releases of Kali is OpenVAS is missing. OpenVAS is the Open Vulnerability Assessment System that we use in the course to find and identify vulnerabilities in target systems. It is gone from the base Kali Rolling Releases, but it can be easily added. Before you are ready to start the configuration of OpenVAS, install the OpenVAS software packages and its dependencies. It’s just one command thankfully.
# apt-get install openvas
After determining all of the software packages that will need to be installed, apt-get will ask whether you want to proceed with the installation. Type ‘y’ for “yes” to proceed.
The installation will also display the following query related to the openvas-scanner package and the REDIS database configuration:
Select the “<YES>” answer and hit return.
apt-get completes the installation of packages, OpenVAS is installed and you can proceed with the initial configuration of OpenVAS using the instructions in the course.
I have not yet found the reasons that OpenVAS has been removed from the Kali Rolling Releases. If you know, please tell me.
When all of the software packages are upgraded, you will encounter a warning that looks like the following:
The message indicates that there are two major versions of PostgreSQL installed and that there could be conflicts. The message suggests upgrading the 9.5 PostgreSQL database instances to version 9.6 and removing the PostgreSQL 9.5 software packages.
For the purposes of the course though, PostgreSQL works just fine without changes. Ignore this warning and continue with the Metasploit database configuration as described in the course.
If you are building a full pen test workstation for regular use, follow the instructions in the warning message.
These are the issues that I have found and fixed so far. There may be others that you find while using the course. If so, please let me know.