Download Kali Linux Images
We generate fresh Kali Linux image files every few months, which we make available for download. This page provides the links to download Kali Linux in its latest release. For a release history, check our Kali Linux Releases page.
Image Name | Direct | Torrent | Size | Version
Kali Linux 64 bit | ISO | Torrent | 3.1G |
Kali Linux 32 bit | ISO | Torrent | 3.2G |
Kali Linux 64 bit Light | ISO | Torrent | 0.8G |
Kali Linux 32 bit Light | ISO | Torrent | 0.9G |
Kali Linux 64 bit mini | ISO | N/A | 28M |
Kali Linux 32 bit mini | ISO | N/A | 28M |
Kali Linux armel | Image | Torrent | 2.1G |
Kali Linux armhf | Image | Torrent | 2.0G |
Download Kali Linux VMware and VirtualBox images
Are you looking for Kali Linux VMWare or VirtualBox images? The good folks at Offensive Security (who are also the funders, founders, and developers of Kali Linux) have generated alternate flavours of Kali using the same build infrastructure as the official Kali releases. VMWare, VirtualBox and ARM architecture Kali images produced by Offensive Security can be found at the Official Offensive Security Kali Linux ARM and VMWare Images page.
Download Kali Linux Images Securely
When you download an image, be sure to download the SHA1SUMS and SHA1SUMS.gpg files that are next to the downloaded image (i.e. in the same directory on the Kali Linux Download Server). Before verifying the checksums of the image, you must ensure that the SHA1SUMS file is the one generated by Kali. That’s why the file is signed by Kali’s official key with a detached signature in SHA1SUMS.gpg. Kali’s official key can be downloaded like so:
$ wget -q -O - https://www.kali.org/archive-key.asc | gpg --import
# or...
$ gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6
# ...and verify that the displayed fingerprint matches the one below
$ gpg --list-keys --with-fingerprint 7D8D0BF6
pub 4096R/7D8D0BF6 2012-03-05 [expires: 2018-02-02]
Key fingerprint = 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
uid Kali Linux Repository <devel@kali.org>
sub 4096R/FC0D0DCB 2012-03-05 [expires: 2018-02-02]
Once you have downloaded both SHA1SUMS and SHA1SUMS.gpg, you can verify the signature as follows:
$ gpg --verify SHA1SUMS.gpg SHA1SUMS
gpg: Signature made Thu Mar 7 21:26:40 2013 CET using RSA key ID 7D8D0BF6
gpg: Good signature from "Kali Linux Repository <devel@kali.org>"
If you don’t get that “Good signature” message or if the key ID doesn’t match, then you should stop the process and review whether you downloaded the images from a legitimate Kali mirror.
Want an Updated or Custom Kali Image?
Feeling a little more adventurous? Want to build the latest version of Kali? Want to customize your ISO? Looking for KDE, LXDE, MATE, XFCE and other customizations? This is the option for you. With everything set up correctly, the basic process is as simple as:
apt-get install git live-build cdebootstrap
git clone git://git.kali.org/live-build-config.git
cd live-build-config
./build.sh --distribution sana --verbose
Where to Get the Official Kali Linux Images
ISO Files for Intel-based PCs
In order to run Kali “Live” from a USB drive on standard Windows and Macintosh PCs, you’ll need a Kali Linux bootable ISO image, in either 32-bit or 64-bit formats.
If you’re not sure of the architecture of the system you want to run Kali Linux on, on Linux or OS X, you can run the command
uname -m
at the command line. If you get the response, “x86_64”, use the 64-bit ISO image (the one containing “amd64” in the file name); if you get “i386”, use the 32-bit image (the one containing “i386” in the file name). If you’re on a Windows system, the procedure for determining whether your system is 32- or 64-bit is detailed on Microsoft’s site.
The images are available both as directly downloaded “.iso” files and via torrent files.
Building your own Kali Linux ISO, standard or customized, is a very simple process.
VMware Images
If you want to run Kali Linux as a “guest” under VMware, Kali is available as a pre-built VMware virtual machine with VMware Tools already installed. The VMware image is available in 64-bit (amd64), 32-bit (i686), and 32-bit PAE (i486) formats.
ARM Images
The hardware architectures of ARM-based devices vary considerably, so it is not possible to have a single image that will work across all of them. Pre-built Kali Linux images for the ARM architecture are available for a wide range of devices.
Scripts for building your own ARM images locally are also available on GitHub. For more details see the articles on setting up an ARM cross-compilation environment, and building a custom Kali Linux ARM chroot.
Verifying Your Downloaded Kali Image
Why do I need to do this?
Before you run Kali Linux Live, or install it to your hard disk, you want to be very sure that what you’ve got actually is Kali Linux, and not an imposter. Kali Linux is a professional penetration testing and forensics toolkit. As a professional penetration tester, having absolute confidence in the integrity of your tools is critical: if your tools aren’t trustworthy, your investigations won’t be trustworthy, either.
Moreover, as the leading penetration testing distribution, Kali’s strengths mean that a bogus version of Kali Linux could do a tremendous amount of damage if it were deployed unwittingly. There are plenty of people with plenty of reason to want to stick very sketchy stuff into something that looks like Kali, and you absolutely don’t want to find yourself running something like that.
Avoiding this is simple:
- only download Kali Linux via the official download pages at https://www.kali.org/downloads or https://www.offensive-security.com/kali-linux-vmware-arm-image-download/ — you won’t be able to browse to these pages without SSL: encrypting the connection makes it much harder for an attacker to use a “man-in-the-middle” attack to modify your download. There are a few potential weaknesses to even these sources — see the sections on verifying the download with the SHA1SUMS file and its signature against the official Kali Development team private key for something much closer to absolute assurance.
- once you’ve downloaded an image, and before you run it, always validate that it really is what it’s supposed to be by verifying its checksum using one of the procedures detailed below.
There are several methods for verifying your download. Each provides a certain level of assurance, and involves a corresponding level of effort on your part.
- You can simply download an ISO image from an official Kali Linux “Downloads” mirror, calculate the ISO’s SHA1 hash and compare it by inspection with the value listed on the Kali Linux site. This is quick and easy, but potentially susceptible to subversion via DNS poisoning: it assumes that the site to which, for example, the domain “kali.org” resolves is in fact the actual Kali Linux site. If it somehow weren’t, an attacker could present a “loaded” image and a matching SHA1 signature on the fake web page. See the section “Manually Verify the Signature on the ISO (Direct Download)”, below.
- You can download an ISO image through the torrents, and it will also pull down a file — unsigned — containing the calculated SHA1 signature. You can then use the shasum command (on Linux and OS X) or a utility (on Windows) to automatically verify that the file’s computed signature matches the signature in the secondary file. This is even easier than the “manual” method, but suffers from the same weakness: if the torrent you pulled down isn’t really Kali Linux, it could still have a good signature. See the section “Verify the Signature on the ISO Using the Included Signature File (Torrent Download)”, below.
- To be as close to absolutely certain as possible that the Kali Linux download you’ve obtained is the real thing, you can download both a cleartext signature file and a version of the same file that has been signed with the official Kali Linux private key, and use GNU Privacy Guard (GPG) to, first, verify that the computed SHA1 signature and the signature in the cleartext file match and, second, verify that the signed version of the file containing the SHA1 hash has been correctly signed with the official key.
If you use this more complicated process and successfully validate your downloaded ISO, you can proceed with pretty complete assurance that what you’ve got is the official image and that it has not been tampered with in any way. This method, while the most complex, has the advantage of providing independent assurance of the integrity of the image. The only way this method can fail is if the official Kali Linux private key is not only subverted by an attacker, but also not subsequently revoked by the Kali Linux development team. For this method, see the section on verification using the SHA1SUMS file.
What do I need to do this?
If you’re running on Linux, you probably already have GPG (GNU Privacy Guard) installed. If you’re on Windows or OS X, you’ll need to install the appropriate version for your platform.
- If you’re on a PC running Windows, download and install GPG4Win from here.
- If you’re on a Macintosh running OS X, download and install GPGTools from here.
Since Windows does not have the native ability to calculate SHA1 checksums, you will also need a utility such as Microsoft File Checksum Integrity Verifier or Hashtab to verify your download.
Once you’ve installed GPG, you’ll need to download and import a copy of the Kali Linux official key. Do this with the following command:
$ wget -q -O - https://www.kali.org/archive-key.asc | gpg --import
or the command
$ gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6
Your output should look like this:
gpg: key 7D8D0BF6: public key "Kali Linux Repository <devel@kali.org>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Verify that the key is properly installed with the command:
gpg --list-keys --with-fingerprint 7D8D0BF6
The output will look like this:
pub 4096R/7D8D0BF6 2012-03-05 [expires: 2018-02-02]
Key fingerprint = 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
uid Kali Linux Repository <devel@kali.org>
sub 4096R/FC0D0DCB 2012-03-05 [expires: 2018-02-02]
You’re now set up to validate your Kali Linux download.
How do I verify my downloaded image?
Manually Verify the Signature on the ISO (Direct download)
If you downloaded the ISO directly from the downloads page, verify it using the following procedure.
On Linux, or OS X, you can generate the SHA1 checksum from the ISO image you’ve downloaded with the following command (assuming that the ISO image is named “kali-linux-1.1.0-amd64.iso”, and is in your current directory):
shasum kali-linux-1.1.0-amd64.iso
The output should look like this:
40a1fd1d4864e7fac70438a1bf2095c8c1a4e764 kali-linux-1.1.0-amd64.iso
The resulting SHA1 signature, “40a1fd1d4864e7fac70438a1bf2095c8c1a4e764”, can be seen to match the signature displayed in the “SHA1SUM” column on the official download page for the 64-bit Intel architecture Kali Linux 1.1.0 ISO image:
Verify the Signature on the ISO Using the Included Signature File (Torrent Download)
If you downloaded your copy of the Kali Linux ISO image via the torrents, in addition to the ISO file (e.g. kali-linux-1.1.0-amd64.iso), there will be a second file containing the computed SHA1 signature for the ISO, with the extension “.txt.sha1sum” (e.g. kali-linux-1.1.0-amd64.txt.sha1sum). You can use this file to verify the authenticity of your download on Linux or OS X with the following command:
grep kali-linux-1.1.0-amd64.iso kali-linux-1.1.0-amd64.txt.sha1sum | shasum -c
If the image is successfully authenticated, the response will look like this:
kali-linux-1.1.0-amd64.iso: OK
IMPORTANT! If you are unable to verify the authenticity of the Kali Linux image you have downloaded as described in the preceding section, do NOT use it! Using it could endanger not only your own system, but any network you connect to as well as the other systems on that network. Stop, and ensure that you have downloaded the images from a legitimate Kali Linux mirror.
Verify the ISO Using the SHA1SUMS File
This is a more complex procedure, but offers a much higher level of validation: it does not rely on the integrity of the web site you downloaded the image from, only the official Kali Linux development team key that you install independently. To verify your image this way for an Intel architecture version of Kali, you will need to download three files from the Kali “Live CD Image” site for the current release (v1.1.0, as of this writing):
- The ISO image itself (e.g. kali-linux-1.1.0-amd64.iso)
- The file containing the calculated SHA1 hash for the ISO, SHA1SUMS
- The signed version of that file, SHA1SUMS.gpg
Before verifying the checksums of the image, you must ensure that the SHA1SUMS file is the one generated by Kali. That’s why the file is signed by Kali’s official key with a detached signature in SHA1SUMS.gpg. If you have not already done so, Kali’s official key can be downloaded and imported into your keychain with this command:
$ wget -q -O - https://www.kali.org/archive-key.asc | gpg --import
or this command
$ gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6
Your output should look like this:
gpg: key 7D8D0BF6: public key "Kali Linux Repository <devel@kali.org>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
You should verify that the key is properly installed with the command:
gpg --list-keys --with-fingerprint 7D8D0BF6
The output will look like this:
pub 4096R/7D8D0BF6 2012-03-05 [expires: 2018-02-02]
Key fingerprint = 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
uid Kali Linux Repository <devel@kali.org>
sub 4096R/FC0D0DCB 2012-03-05 [expires: 2018-02-02]
Once you have downloaded both SHA1SUMS and SHA1SUMS.gpg, you can verify the signature as follows:
$ gpg --verify SHA1SUMS.gpg SHA1SUMS
gpg: Signature made Thu Mar 7 21:26:40 2013 CET using RSA key ID 7D8D0BF6
gpg: Good signature from "Kali Linux Repository <devel@kali.org>"
If you don’t get that “Good signature” message or if the key ID doesn’t match, then you should stop and review whether you downloaded the images from a legitimate Kali Linux mirror. The failed verification strongly suggests that the image you have may have been tampered with.
If you did get the “Good signature” response, you can now be assured that the checksum in the SHA1SUMS file was actually provided by the Kali Linux development team. All that remains to be done to complete the verification is to validate that the signature you compute from the ISO you’ve downloaded matches the one in the SHA1SUMS file. You can do that on Linux or OS X with the following command (assuming that the ISO is named “kali-linux-1.1.0-amd64.iso” and is in your working directory):
grep kali-linux-1.1.0-amd64.iso SHA1SUMS | shasum -c
If the image is successfully authenticated, the response will look like this:
kali-linux-1.1.0-amd64.iso: OK
If you don’t get “OK” in response, then stop and review what’s happened: the Kali image you have has apparently been tampered with. Do NOT use it.
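The SHA1SUMS procedure above as one script, added here as an example and not part of the original Kali documentation. It assumes the Kali key is already imported, compares the full fingerprint printed on this page rather than the 8-character key ID, and matches the ISO file name exactly; the function names are illustrative.

```shell
#!/bin/sh
# Added example (function names are illustrative, not Kali tooling).
# Full fingerprint of the Kali key as printed on this page, spaces removed.
KALI_FPR=44C6513A8E4FB3D30875F758ED444FF07D8D0BF6

# Reads `gpg --status-fd 1 --verify ...` output on stdin. Succeeds only if
# gpg reported GOODSIG (key neither expired nor revoked) and a VALIDSIG line
# whose signing-key or primary-key fingerprint is the pinned one.
status_ok() {
    awk -v fpr="$KALI_FPR" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { valid = 1 }
        END { exit !(good && valid) }'
}

# SHA1 of a file, using sha1sum (Linux) or shasum (OS X).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum "$1"; fi |
        awk '{ print $1 }'
}

# iso_ok SUMSFILE ISO: find the entry whose file name equals the ISO name
# exactly (grep would also match substrings), require exactly one such
# entry, and compare its hash with the one computed from the ISO.
iso_ok() {
    want=$(awk -v n="$(basename "$2")" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { h = $1; c++ }
        END { if (c == 1) print h }' "$1")
    [ -n "$want" ] && [ "$want" = "$(sha1_of "$2")" ]
}

# verify_image SUMSFILE SIGFILE ISO: signature first, checksum second.
verify_image() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | status_ok || return 1
    iso_ok "$1" "$3"
}

# Run as: sh verify.sh SHA1SUMS SHA1SUMS.gpg kali-linux-1.1.0-amd64.iso
if [ "$#" -eq 3 ]; then
    if verify_image "$@"; then echo "OK: $3"; else echo "FAILED: $3" >&2; exit 1; fi
fi
```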
Once you’ve downloaded and verified your image, you can proceed to create a bootable “Kali Linux Live” USB drive.