Kali Linux on Hetzner Cloud
When running an external pentest, having a Kali machine in a different location than your (home) office can be helpful. When I do some testing, I regularly use a VM at Hetzner Cloud because of the decent speed and (per hour) pricing. 🔐
Of course it’s possible to mount a Kali Linux ISO image, reboot your server and do a clean Kali Linux install, but that involves configuration, multiple reboots, partitioning and IPv6 address configuration problems.

This is nice for a few times, but not every time, and it’s also hard to automate. So I did some experimenting with converting a Debian box, that spins up in seconds at Hetzner, to a Kali box.
Adding a normal user
After the deployment, I always start with the creation of a normal user and add my public SSH key to its authorized_keys file so I don’t have to log in with root every time.
adduser <username>
usermod -aG sudo <username>
Adding the Kali apt repositories
apt update
apt install wget gnupg dirmngr
wget -q -O - https://archive.kali.org/archive-key.asc | gpg --import
# And/or from the keyserver
gpg --keyserver hkp://keyserver.ubuntu.com --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
echo "deb http://http.kali.org/kali kali-rolling main non-free contrib" >> /etc/apt/sources.list
gpg -a --export ED444FF07D8D0BF6 | sudo apt-key add -
apt update
apt -y upgrade
apt -y dist-upgrade
apt -y autoremove --purge
# Now install some Kali packages
apt -y install kali-linux-headless
# apt -y install kali-linux-everything
I used kali-linux-headless for now, but as you can see below, there are more options.

After installation, reboot your machine and you will have a nice Kali box at your disposal.
Remote desktop support
Sometimes a graphical interface on your Kali box can be helpful. No worries, XRDP has got that covered. The initial installation and configuration are quite easy.
The installation can also be found in the Kali Linux documentation, “Setting up RDP with Xfce”:
Kali Linux is supported on many different devices and systems. On some of those systems, you may only get a bare bones install and occasionally may not have direct access to a GUI such as with WSL. One simple way to get access to a GUI for Kali is by installing Xfce and setting up RDP.
https://www.kali.org/docs/general-use/xfce-with-rdp/
apt update
apt dist-upgrade
apt install -y kali-desktop-xfce xrdp xorgxrdp
# Change the default RDP port
sed -i 's/port=3389/port=3390/g' /etc/xrdp/xrdp.ini
# Enable XRDP service
sudo systemctl enable xrdp --now
# Start and check the XRDP service
systemctl start xrdp
systemctl status xrdp
After starting or restarting the XRDP service, we should see this status for the service.

From now on it’s possible to connect to your Kali Linux machine with the Remote Desktop Connection app on your Windows computer. And because it’s just like RDP, other RDP clients should also work fine with this.

Some extra things
Take a snapshot
Create a snapshot at the Hetzner console when you have a “perfect” Kali setup. With this snapshot it’s very easy to create a new machine that is exactly the same. Be aware that the cost of the disk space of this snapshot will be added to your invoice.

Don’t forget to refresh the SSH host keys after creating a new machine from a snapshot with the following commands:
rm -v /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
systemctl restart ssh
After refreshing the keys, you should get a warning when you connect to this machine again, telling you that the keys are different.

Disable root logins with SSH
Make sure you disable direct root logins over SSH.
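One way to do this, as an added example that is not part of the original post: write a drop-in that sets PermitRootLogin no, then check which value sshd will actually use. It assumes a Debian-style /etc/ssh/sshd_config that includes /etc/ssh/sshd_config.d/*.conf near the top; the drop-in name and both function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a Debian-style
# /etc/ssh/sshd_config that includes /etc/ssh/sshd_config.d/*.conf near the top.
# The drop-in name 00-no-root-login.conf and both function names are made up here.

# Write a drop-in that forbids direct root logins. The "00-" prefix makes it
# sort, and so be read, before other drop-ins such as one left by cloud-init.
write_no_root_dropin() {
    dir=$1
    printf '%s\n' '# managed by hand: no direct root login' 'PermitRootLogin no' \
        > "$dir/00-no-root-login.conf"
}

# sshd keeps the FIRST value it reads for a keyword. Print that value for the
# files given in read order, or "unset". Simplification: everything after a
# Match line in a file is treated as conditional and skipped.
effective_value() {
    key=$1
    shift
    awk -v key="$key" '
        BEGIN { FS = "[ \t=]+"; key = tolower(key) }
        FNR == 1 { in_match = 0 }          # new file: back to global scope
        { sub(/^[ \t]+/, "") }             # drop leading indentation
        /^#/ || NF == 0 { next }           # skip comments and blank lines
        tolower($1) == "match" { in_match = 1; next }
        !in_match && tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$@"
}
```

On the server, run `write_no_root_dropin /etc/ssh/sshd_config.d` as root, validate with `sshd -t`, and only then `systemctl restart ssh`, keeping your current session open until a new login as the normal user works. `sshd -T` prints the configuration the daemon will really use, which is the authoritative check.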
Use a firewall
Set up a firewall at Hetzner and allow only the access that you need. Don’t forget to disable it for some tasks that don’t like a firewall and want you to hack naked.

Install the kali-tweaks tool
Tweak and harden the machine with the kali-tweaks tool.
sudo apt install kali-tweaks

Set a correct hostname
Set the hostname correctly with hostnamectl and the /etc/hosts file.
sudo hostnamectl set-hostname your-hostname
Reboot the server after changing this.