From f6ab96ade4403a5699bc8c62552cc2bf17de1f40 Mon Sep 17 00:00:00 2001 From: Neowutran Date: Sat, 23 May 2020 19:29:04 +0200 Subject: [PATCH] [Kali] migitagion against dependency hell between Qubes repository and Kali repository --- os-guides/pentesting/kali.md | 56 +++++++++++------------------------- 1 file changed, 17 insertions(+), 39 deletions(-) diff --git a/os-guides/pentesting/kali.md b/os-guides/pentesting/kali.md index d0ff945..b74af7b 100644 --- a/os-guides/pentesting/kali.md +++ b/os-guides/pentesting/kali.md @@ -37,7 +37,7 @@ If you need to install custom kernel modules (wifi drivers, …) you need to use The steps can be summarized as: 1. Install Qubes stable Debian template -2. Upgrade the template to Debian testing release +2. Add `testing` and `securitytesting` Qubes repositories 3. Add the Kali repository 4. Update the template @@ -45,7 +45,8 @@ Get Kali Linux PGP key ----------------------- **CAUTION:** Before proceeding, please carefully read [On Digital Signatures and Key Verification][qubes-verifying-signatures]. This website cannot guarantee that any PGP key you download from the Internet is authentic. -Always obtain a trusted key fingerprint via other channels, and always check any key you download against your trusted copy of the fingerprint. +In order to obtain a trusted fingerprint, check its value against multiple sources. +Then, check the keys you download against your trusted fingerprint. This step is required since by (security) default TemplateVM do not have a direct Internet connectivity. Users understanding the risks of enabling such 
@@ -54,7 +55,7 @@ access can change this configuration in firewall settings for the TemplateVM. 1. Retrieve the Kali Linux PGP key using a DisposableVM. ```shell_session -$ gpg --keyserver hkp://keys.gnupg.net --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 +$ gpg --keyserver hkps://keys.gnupg.net --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 $ gpg --list-keys --with-fingerprint 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 $ gpg --export --armor 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 > kali-key.asc ``` 
@@ -76,52 +77,30 @@ These instructions will show you how to upgrade a Debian TemplateVM to Kali Linu # qubes-dom0-update ``` -2. Start your Debian template - -```shell_session -$ qvm-start debian- -$ qvm-run -a debian- gnome-terminal -``` - -3. Update it - -4. And then close it - -```shell_session -$ qvm-shutdown debian- -``` - -5. Clone `debian-X` template +2. Clone `debian-X` template ```shell_session $ qvm-clone debian- kali-rolling ``` -6. Check the name of currently used repository in `/etc/apt/sources.list` and current testing [Debian release][Debian-releases]. Update repository list accordingly +3. Check the name of currently used repository in `/etc/apt/sources.list.d/qubes-r.list` and current testing [Debian release][Debian-releases]. Update repository list accordingly ```shell_session -# sed -i 's///g' /etc/apt/sources.list # sed -i 's///g' /etc/apt/sources.list.d/qubes-r.list ``` e.g. in this example we update `buster` stable repository to `bullseye` testing repository ```shell_session -# sed -i 's/buster/bullseye/g' /etc/apt/sources.list # sed -i 's/buster/bullseye/g' /etc/apt/sources.list.d/qubes-r.list ``` - -For installation based on Debian 10 stable, please note that the security repository of Debian testing has [recently been renamed][Debian-security-naming-convention] from `/update` to `-security`. To account for that change, execute the following command. -```shell_session -# sed -i 's%bullseye/updates%bullseye-security%g' /etc/apt/sources.list -``` +4. Enable the QubesOS `testing` and `securitytesting` repositories -5. Update the template +In `/etc/apt/sources.list.d/qubes-r.list`, enable the 'testing' and 'securitytesting' repository. +We do that to reduce the 'dependency hell' between Qubes repository and Kali repository. -**Note:** During execution of the update, carefully read list of packages to be removed. If it contains `qubes-*` packages, terminate operation and try to resolve `qubes-*` packages missing dependencies first. - -6. 
Copy the Kali PGP key from the DisposableVM to the new template: +5. Copy the Kali PGP key from the DisposableVM to the new template: ```shell_session $ qvm-copy kali-key.asc @@ -129,7 +108,7 @@ $ qvm-copy kali-key.asc The DisposableVM can now be turned off. -7. Add the Kali PGP key to the list of keys trusted to authenticate packages: +6. Add the Kali PGP key to the list of keys trusted to authenticate packages: ```shell_session # cat /home/user/QubesIncoming/dispXXX/kali-key.asc | apt-key add - @@ -137,18 +116,17 @@ $ qvm-copy kali-key.asc This command should return: `OK`. -8. Add the Kali repository +7. Replace Debian repositories with Kali repository ```shell_session -# cat < /etc/apt/sources.list.d/kali.list -# Kali Linux repository -deb https://http.kali.org/kali kali-rolling main non-free contrib -EOF +# echo 'deb https://http.kali.org/kali kali-rolling main non-free contrib' > /etc/apt/sources.list ``` -9. Update the template +8. Update the template -10. Ensure a terminal can be opened in the new template. +**Note:** During execution of the update, carefully read list of packages to be removed. If it contains `qubes-vm-dependencies` package, terminate operation and try to resolve missing dependencies first. For other `qubes-*` packages, it is up to you to decide if you need them. + +9. Ensure a terminal can be opened in the new template. ```shell_session $ qvm-run -a kali-rolling gnome-terminal
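
Review bot: In the summary list (hunk `@@ -37,7 +37,7 @@`), the new step 2 and the unchanged step 3 no longer match the procedure further down. The body still rewrites the release name in `qubes-r.list` from `buster` to `bullseye`, and step 7 is now titled "Replace Debian repositories with Kali repository" rather than adding one. Suggest rewording the summary so it mentions the release switch in the Qubes list and says "Replace the Debian repositories with the Kali repository" for step 3.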
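
Review bot: In the CAUTION paragraph (hunk `@@ -45,7 +45,8 @@`), the replacement text drops "via other channels", which was the part telling the reader to obtain the fingerprint out of band. "Multiple sources" can all be pages fetched over the same connection, so the new wording asks for less than the sentence it removes. Suggest keeping the requirement, for example "check its value against multiple independent sources, obtained via different channels". "Its value" also has no clear antecedent in the first new sentence; "the fingerprint's value" would read better.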
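
Review bot: On the `--recv-key` line (hunk `@@ -54,7 +55,7 @@`), `hkps://` protects the transport to the keyserver but does not authenticate the key, and the step never tells the reader to compare the output of `gpg --list-keys --with-fingerprint` with the trusted fingerprint from the CAUTION paragraph. Suggest adding one sentence after the code block that says so explicitly. Please also confirm that `keys.gnupg.net` answers over hkps with a certificate that gpg in a default DisposableVM accepts, since the command fails outright if it does not.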
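
Review bot: The new step 4 (hunk `@@ -76,52 +77,30 @@`) says to enable the `testing` and `securitytesting` repositories in `/etc/apt/sources.list.d/qubes-r.list` but, unlike the neighbouring steps, shows neither a command nor the lines to uncomment, so the reader has to guess which entries are meant. Suggest adding a `shell_session` block or quoting the exact entries, and stating that these steps are run inside the `kali-rolling` clone, not the original Debian template. The same hunk removes the "start, update, shut down" steps without comment, so the clone is now taken from whatever state the Debian template is in; a short sentence saying whether the template should be current before cloning would help.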
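
Review bot: In step 7 (hunk `@@ -137,18 +116,17 @@`), `echo '...' > /etc/apt/sources.list` overwrites the Debian entries with no backup and no mention of how to roll back. Suggest either copying the file aside first or saying that the untouched `debian-X` template from step 2 is the fallback. The Note moved under step 8 also narrows the abort condition from any `qubes-*` package to `qubes-vm-dependencies` only and leaves the rest as "up to you to decide"; please give at least one criterion or example for that decision, otherwise readers will accept removals they cannot evaluate.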