Skip to main content
Custom Kali Virtual Machine

All Audiences: Learn how to set up the Kali virtual machine

Updated this week

HackerOne Gateway’s Virtual Machine is based on the latest version of Kali Linux. It enables penetration testing teams to thoroughly test internal networks and targets. It seamlessly integrates with the HackerOne Gateway VPN and requires minimal setup.

Prerequisites

HackerOne Customer

  • An internal network not “air-gapped” (with access to the internet). See External Connection below for more

  • A Windows machine in the internal network on which to deploy the VM

  • Hyper-V and related services installed on the Windows machine

External Connection

If isolating the testing machine is unavoidable, please inform HackerOne staff as soon as possible. This will impact launch timelines and impose limitations on the pentesting team.

At a minimum, the testing machine will need to request and receive traffic from external sources to install the tools required to carry out the penetration test and update dependencies. This includes Kali Linux, Debian, and GitHub. During testing, ethical hackers and pentesters may require access to additional tools as information and context are gained during testing. Should they require this, please provide HackerOne staff with a process for hackers to request this.

Additional Requirements (Handled by HackerOne Staff)

  • An active HackerOne program, most commonly a HackerOne Pentest.*

  • Gateway V2 enabled for the program.*

  • Cloudflared internal testing enabled.*

*Included for visibility only. HackerOne customers and testing team members do not need to take any action.

Penetration Testers

  • The WARP client must be installed on their local machine.

  • They must have a remote desktop protocol (RDP) client installed.

    • HackerOne recommends Microsoft Remote Desktop, VNC viewer, or similar, as the Remote Desktop is based on xRDP.

If the machine where WARP and RDP will be installed is not in the Cloud, physical access may be required.

Kali Linux Virtual Machine

The latest HackerOne Gateway VM uses Kali Linux version 2024.1.

  • Kali in VHDX format, tested with Hyper-V

    • In addition to the latest updates and default tools, the installation also includes:

      • Cloudflared pre-installed.

      • Additional commonly used tools.

  • 5 predefined user accounts:

    • kali, hackerone, pentester1, pentester2, pentester3
  • Accounts can elevate to admin/root as required.

  • Accessible via SSH (default port) and RDP (port 3391) using the internal IP (e.g., 192.168.100.2)

Note: For internal network penetration tests, admin/root is required. An exception may be if the penetration test is objective-based and aims to determine whether the testing team can achieve higher access levels starting from a lower-level role (assumed breach).

Distribution and Deployment

Distribution

The Kali Linux Virtual Machine will be provided via a temporary link to a HackerOne S3 bucket.

It is provided as a VHDX file, allowing the creation of a virtual machine according to specifications. For the best testing results, HackerOne recommends provisioning resources to run the virtual machine to be as performant and practical as possible.

Related passwords, such as those for the users, will be shared using the credential management feature available on our platform.

Minimum Requirements

  • RAM: 8 GB or more.

  • Disk: 50 GB or more.

  • Graphics: A 1920x1080 (1080p) resolution is strongly preferred. Alternatively, please provide a resolution as close to 1080p as possible.

  • CPU: Minimum quad-core or 8-core processors are strongly recommended.

Along with the virtual machine, HackerOne will provide the initial credentials for the five accounts using a secure method.

Deployment

The method of VM deployment on top of Hyper-V, including networking configuration and machine creation, is up to the customer. However, you can refer to the following parameters used for testing:

New-VM `
-Generation 2 `
-Name "$Name" `
-MemoryStartupBytes <YOUR MEMORY AMOUNT>MB `
-SwitchName "<YOUR SWITCH NAME>" `
-VHDPath ".\kali-linux-2024.1-hyperv-amd64.vhdx"

Set-VM -Name "$Name" -Notes "$Description"
Set-VM -Name "$Name" -EnhancedSessionTransportType HVSocket
Set-VMFirmware -VMName "$Name" -EnableSecureBoot Off
Set-VMProcessor -VMName "$Name" -Count <YOUR PROCESSOR NUMBER>
Enable-VMIntegrationService -VMName "$Name" -Name "Guest Service Interface"

In the case above, we have used a NAT Network. Deploying the machine with a bridged network interface is preferable to increase compatibility with all testing tools.

Instructions for HackerOne Customers

Basic Setup

Once the Kali VM is up and running on Hyper-V, you’ll need to assign the Internal IP to the machine, verify connectivity, authenticate Cloudflared, and create the tunnel.

  1. Assign the Internal IP to the Machine (if not assigned by DHCP/not available):

    1. In Kali, open the UI and manually assign the IP settings (only for the initial configuration).

    2. ​Configuration example:

      1. IPv4 Settings

      2. IP: 192.168.100.2

      3. Netmask: 24

      4. Gateway: 192.168.100.1

      5. DNS Servers: 8.8.8.8, 8.8.4.4​

    3. Note: Adding your internal DNS server to this list helps prevent the pentesters from having to manually modify their /etc/hosts file.

  2. Verify internet connectivity:

    1. Ensure the internet is accessible from the VM.​

  3. Authenticate Cloudflared and create the tunnel:

    1. In the HackerOne platform, go to Program > Gateway > Internal testing, as shown in the image below.
      Note: Make sure your HackerOne Technical Engagement Manager enables Cloudflared internal testing; see the Prerequisites section.


  4. Upon success, the page will display instructions tailored to your preferred environment.

  5. In the VM, paste and run the command found at the bottom of the page:

    sudo cloudflared service install <REDACTED TOKEN> 

  6. You should find the following output:

    2024-07-23T13:02:31Z INF Using Systemd 

    2024-07-23T13:02:32Z INF Linux service for cloudflared installed successfully

  7. The tunnel configuration and related routes will appear to you as the following:

  8. Make sure the Cloudflared status is: HEALTHY

  9. Provide each member of the testing team with:

    1. The IP associated with the VM

    2. Their credentials, obtained from the program under the credentials section (username is pentesterX, where X is a digit, for example: pentester1)​

  10. To check whether the tunnel connection is correctly set up, please verify with your penetration testing team after confirming they’ve gone through the steps outlined below.

If you face issues with the connection, please contact your HackerOne Technical Engagement Manager or Solutions Architect.

Please note the tunnel statuses are described here: Cloudflared tunnel status.

Additional Steps

The following steps are advised or required in some circumstances.

  • Change all five accounts' passwords:

    • passwd <username>
    • Since a testing team member may need to open and close the connection several times, we do not advise enforcing temporary passwords.​

If there are more than three members of the testing team, you’ll need to create more accounts:

  • Add user:

    useradd -m <username>
  • Set a password:

    passwd <username>
  • Set user group to sudo:

    usermod -a -G sudo <username>
  • Set the shell:

    chsh -s /bin/bash <username>

Instructions for Pentesters

After the customer installation of the HackerOne VM is complete, the testing team will need to follow these instructions to gain and confirm access in preparation for testing:

  1. Get the Cloudflare team name domain for the HackerOne program. Instructions here.

  2. Log in to WARP - As described in Configure Client for a Specific Program​

  3. Turn the WARP client on​

  4. Retrieve from the customer the following information:

    1. Internal IP associated with the VM

    2. The credentials associated with you, obtained from the program under the credentials section. This will likely be pentester1, pentester2, or pentester3 unless the predefined user accounts were updated.​

  5. If the VM machine is correctly running, you should be able to see it

    1. Don’t rely on ping as the ICMP protocol on WARP is not reliable yet

    2. Use nmap instead:

      sudo nmap 192.168.100.2​
  6. Connect via SSH:

    1. ssh pentester1@192.168.100.2​​
  7. Connect via RDP; the example below is using Microsoft Remote Desktop on a Mac

    1. PC name:

      192.168.100.2:3391
    2. User account: Ask when required

    3. Leave the rest as default

Did this answer your question?