Downloading Kali Linux

Where to Get Official Kali Linux Images

ISO Files for Intel-based PCs

In order to run Kali “Live” from a USB drive on standard Windows and Apple PCs, you’ll need a Kali Linux bootable ISO image, in either 32-bit or 64-bit format.

If you’re not sure of the architecture of the system you want to run Kali on, on Linux or OS X, you can run the command

uname -m

at the command line. If you get the response, “x86_64”, use the 64-bit ISO image (the one containing “amd64” in the file name); if you get “i386”, use the 32-bit image (the one containing “i386” in the file name). If you’re on a Windows system, the procedure for determining whether your architecture is detailed on Microsoft’s website.

The Kali Linux images are available both as directly downloadable “.iso/.img” files or via “.torrent” files.

Building your own Kali Linux ISO, standard or customized, is a very simple process.

VMware Images

If you want to run Kali Linux as a “guest” under VMware, Kali is available as a pre-built VMware virtual machine with VMware Tools already installed. The VMware image is available in a 64-bit (amd64), 32-bit (i686), and 32-bit PAE (i486) formats.

ARM Images

The hardware architectures of ARM-based devices vary considerably, so it is not possible to have a single image that will work across all of them. Pre-built Kali Linux images for the ARM architecture are available for the wide range of devices.

Scripts for building your own ARM images locally are also available on GitHub. For more details see the articles on setting up an ARM cross-compilation environment, and building a custom Kali Linux ARM chroot.

Verifying Your Downloaded Kali Image

Why do I need to do this?

Before you run Kali Linux Live, or install it to your hard disk, you want to be very sure that what you’ve got actually is Kali Linux, and not an imposter. Kali Linux is a professional penetration testing and forensics toolkit. As a professional penetration tester, having absolute confidence in the integrity of your tools is critical: if your tools aren’t trustworthy, your investigations won’t be trustworthy, either.

Moreover, as the leading penetration testing distribution, Kali’s strengths mean that a bogus version of Kali Linux could do a tremendous amount of damage if it were deployed unwittingly. There are plenty of people with plenty of reason to want to stick very sketchy stuff into something that looks like Kali, and you absolutely don’t want to find yourself running something like that.

Avoiding this is simple:

  • only download Kali Linux via the official download pages at or — you won’t be able to browse to these pages without SSL: encrypting the connection makes it much harder for an attacker to use a “man-in-the-middle” attack to modify your download. There are a few potential weaknesses to even these sources — see the sections on verifying the download with the SHA256SUMS file and its signature against the official Kali Development team private key for something much closer to absolute assurance.
  • once you’ve downloaded an image, and before you run italways validate that it really iswhat it’s supposed to be by verifying its checksum using one of the procedures detailed below.

There are several methods for verifying your download. Each provides a certain level of assurance, and involves a corresponding level of effort on your part.

  • You can download an ISO image from an official Kali Linux “Downloads” mirror, calculate the ISO’s SHA256 hash and compare it by inspection with the value listed on the Kali Linux site. This is quick and easy, but potentially susceptible to subversion via a DNS poisoning: it assumes that the site to which, for example, the domain “” resolves is in fact the actual Kali Linux site. If it somehow weren’t, an attacker could present a “loaded” image and a matching SHA256 signature on the fake web page. See the section “Manually Verify the Signature on the ISO (Direct Download)”, below.
  • You can download an ISO image through the torrents, and it will also pull down a file — unsigned — containing the calculated SHA256 signature. You can then use the shasum command (on Linux and OS X) or a utility (on Windows) to automatically verify that the file’s computed signature matches the signature in the secondary file. This is even easier than the “manual” method, but suffers from the same weakness: if the torrent you pulled down isn’t really Kali Linux, it could still have a good signature. See the section “Verify the Signature on the ISO Using the Included Signature File (Torrent Download)”, below.
  • To be as close to absolutely certain as possible that the Kali Linux download you’ve obtained is the real thing, you can download both a cleartext signature file and and version of the same file that has been signed with the official Kali Linux private key and use GNU Privacy Guard (GPG) to first, verify that the computed SHA256 signature and the signature in the cleartext file match and second, verify that the signed version of the file containing the SHA256 hash has been correctly signed with the official key.
    If you use this more complicated process and successfully validate your downloaded ISO, you can proceed with pretty complete assurance that what you’ve got is the official image and that it has not been tampered with in any way. This method, while the most complex, has the advantage of providing independent assurance of the integrity of the image. The only way this method can fail is if the official Kali Linux private key is not only subverted by an attacker, but also not subsequently revoked by the Kali Linux development team. For this method, see the section on verification using the SHA256SUMS file.

What do I need to do this?

If you’re running on Linux, you probably already have GPG (GNU Privacy Guard) installed. If you’re on Windows or OS X, you’ll need to install the appropriate version for your platform.

  • If you’re on a PC running Windows, download and install GPG4Win from here.
  • If you’re on a Macintosh running OS X, download and install GPGTools from here. Since Windows does not have the native ability to calculate SHA256 checksums, you will also need a utility such as Microsoft File Checksum Integrity Verifier or Hashtab to verify your download.

Once you’ve installed GPG, you’ll need to download and import a copy of the Kali Linux official key. Do this with the following command:

wget -q -O – | gpg –import

or the command

gpg –keyserver hkp:// –recv-key 7D8D0BF6

Your output should look like this:

gpg: key 7D8D0BF6: public key “Kali Linux Repository <>” imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Verify that the key is properly installed with the command:

gpg –fingerprint 7D8D0BF6

The output will look like this:

pub   rsa4096 2012-03-05 [SC] [expires: 2021-02-03]
44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6
uid           [  full  ] Kali Linux Repository <>
sub   rsa4096 2012-03-05 [E] [expires: 2021-02-03]

You’re now set up to validate your Kali Linux download.

How Do I Verify My Downloaded Image?

Manually Verify the Signature on the ISO (Direct Download)

If you downloaded the ISO directly from the downloads page, verify it using the following procedure.

On Linux, or OS X, you can generate the SHA256 checksum from the ISO image you’ve downloaded with the following command (assuming that the ISO image is named “kali-linux-2016.2-amd64.iso”, and is in your current directory):

shasum -a 256 kali-linux-2016.2-amd64.iso

The output should look like this:

 1d90432e6d5c6f40dfe9589d9d0450a53b0add9a55f71371d601a5d454fa0431  kali-linux-2016.2-amd64.iso

The resulting SHA256 signature, “1d90432e6d5c6f40dfe9589d9d0450a53b0add9a55f71371d601a5d454fa0431”, can be seen to match the signature displayed in the “sha256sum” column on the official download page for the 64-bit Intel architecture Kali Linux 2016.2 ISO image:

Kali Linux Downloads

Verify the Signature on the ISO Using the Included Signature File (Torrent Download)

If you downloaded your copy of the Kali Linux ISO image via the torrents, in addition to the ISO file (e.g. kali-linux-2016.2-amd64.iso), there will be a second file containing the computed SHA256 signature for the ISO, with the extension “.txt.sha256sum” (e.g. kali-linux-2016.2-amd64.txt.sha256sum). You can use this file to verify the authenticity of your download on Linux or OS X with the following command:

grep kali-linux-2016.2-amd64.iso kali-linux-2016.2-amd64.txt.sha256sum | shasum -a 256 -c

If the image is successfully authenticated, the response will look like this:

kali-linux-2016.2-amd64.iso: OK
IMPORTANT! If you are unable to verify the authenticity of the Kali Linux image you have downloaded as described in the preceding section, do NOT use it! Using it could endanger not only your own system, but any network you connect to as well as the other systems on that network. Stop, and ensure that you have downloaded the images from a legitimate Kali Linux mirror.


Verify the ISO Using the SHA256SUMS File

This is a more complex procedure, but offers a much higher level of validation: it does not rely on the integrity of the web site you downloaded the image from, only the official Kali Linux development team key that you install independently. To verify your image this way for an Intel architecture version of Kali, you will need to download three files from the Kali “Live CD Image” site for the current release (v2016.2, as of this writing):

  • The ISO image itself (e.g. kali-linux-2016.2-amd64.iso)
  • The file containing the calculated SHA256 hash for the ISO, SHA256SUMS
  • The signed version of that file, SHA256SUMS.gpg

Before verifying the checksums of the image, you must ensure that the SHA256SUMS file is the one generated by Kali. That’s why the file is signed by Kali’s official key with a detached signature in SHA256SUMS.gpg. If you have not already done so, Kali’s official key can be downloaded and imported into your keychain with this command:

wget -q -O – | gpg –import

or this command

gpg –keyserver hkp:// –recv-key 7D8D0BF6

Your output should look like this:

gpg: key 7D8D0BF6: public key “Kali Linux Repository <>” imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

You should verify that the key is properly installed with the command:

gpg –fingerprint 7D8D0BF6

The output will look like this:

pub   rsa4096 2012-03-05 [SC] [expires: 2021-02-03]
44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6
uid           [  full  ] Kali Linux Repository <>
sub   rsa4096 2012-03-05 [E] [expires: 2021-02-03]

Once you have downloaded both SHA256SUMS and SHA256SUMS.gpg, you can verify the signature as follows:

$ gpg –verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 16 Mar 08:55:45 2017 MDT using RSA key ID 7D8D0BF6
gpg: Good signature from “Kali Linux Repository <>”
If you don’t get that “Good signature” message or if the key ID doesn’t match, then you should stop and review whether you downloaded the images from a legitimate Kali Linux mirror. The failed verification strongly suggests that the image you have may have been tampered with.

If you did get the “Good signature” response, you can now be assured that the checksum in the SHA256SUMS file was actually provided by the Kali Linux development team. All that remains to be done to complete the verification is to validate that the signature you compute from the ISO you’ve downloaded matches the one in the SHA256SUMS file. You can do that on Linux or OS X with the following command (assuming that the ISO is named “kali-linux-2016.2-amd64.iso” and is in your working directory):

grep kali-linux-2016.2-amd64.iso SHA256SUMS | shasum -a 256 -c

If the image is successfully authenticated, the response will look like this:

kali-linux-2016.2-amd64.iso: OK
If you don’t get “OK” in response, then stop and review what’s happened: the Kali image you have has apparently been tampered with. Do NOT use it.

Once you’ve downloaded and verified your image, you can proceed to create a bootable “Kali Linux Live” USB drive.

What is Kali Linux ?

Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools which are geared towards various information security tasks, such as Penetration Testing, Security research, Computer Forensics and Reverse Engineering. Kali Linux is developed, funded and maintained by Offensive Security, a leading information security training company.
Kali Linux was released on the 13th March, 2013 as a complete, top-to-bottom rebuild of BackTrack Linux, adhering completely to Debian development standards.

  • More than 600 penetration testing tools included: After reviewing every tool that was included in BackTrack, we eliminated a great number of tools that either simply did not work or which duplicated other tools that provided the same or similar functionality. Details on what’s included are on the Kali Tools site.
  • Free (as in beer) and always will be: Kali Linux, like BackTrack, is completely free of charge and always will be. You will never, ever have to pay for Kali Linux.
  • Open source Git tree: We are committed to the open source development model and our development tree is available for all to see. All of the source code which goes into Kali Linux is available for anyone who wants to tweak or rebuild packages to suit their specific needs.
  • FHS compliant: Kali adheres to the Filesystem Hierarchy Standard, allowing Linux users to easily locate binaries, support files, libraries, etc.
  • Wide-ranging wireless device support: A regular sticking point with Linux distributions has been supported for wireless interfaces. We have built Kali Linux to support as many wireless devices as we possibly can, allowing it to run properly on a wide variety of hardware and making it compatible with numerous USB and other wireless devices.
  • Custom kernel, patched for injection: As penetration testers, the development team often needs to do wireless assessments, so our kernel has the latest injection patches included.
  • Developed in a secure environment: The Kali Linux team is made up of a small group of individuals who are the only ones trusted to commit packages and interact with the repositories, all of which is done using multiple secure protocols.
  • GPG signed packages and repositories: Every package in Kali Linux is signed by each individual developer who built and committed it, and the repositories subsequently sign the packages as well.
  • Multi-language support: Although penetration tools tend to be written in English, we have ensured that Kali includes true multilingual support, allowing more users to operate in their native language and locate the tools they need for the job.
  • Completely customizable: We thoroughly understand that not everyone will agree with our design decisions, so we have made it as easy as possible for our more adventurous users to customize Kali Linux to their liking, all the way down to the kernel.
  • ARMEL and ARMHF support: Since ARM-based single-board systems like the Raspberry Pi and BeagleBone Black, among others, are becoming more and more prevalent and inexpensive, we knew that Kali’s ARM support would need to be as robust as we could manage, with fully working installations for both ARMEL and ARMHFsystems. Kali Linux is available on a wide range of ARM devices and has ARM repositories integrated with the mainline distribution so tools for ARM are updated in conjunction with the rest of the distribution.

Kali Linux is specifically tailored to the needs of penetration testing professionals, and therefore all documentation on this site assumes prior knowledge of, and familiarity with, the Linux operating system in general. Please see Should I Use Kali Linux? for more details on what makes Kali unique.

Mail Server

001 Welcome
002 What you should know
003 Required setup
004 Components of email delivery
005 Set up Postfix as an SMTP server
006 Send mail with Postfix internally
007 Send mail with Postfix externally
008 Set up and test a Dovecot POP3-IMAP server
009 Test Dovecot from an external client
010 Configure TLS
011 Configure SASL
012 Configure an email client
013 Client software
014 Database considerations
015 Install database tools
016 PostfixAdmin configuration
017 Database creation
018 Create virtual domains
019 Finishing database configuration
020 Setup virtual email accounts
021 Exploring greylisting with Postgrey
022 Spamassassin, ClamAV, and amavisd-new
023 Spam tool installation
024 Spam tool configuration
025 Test spam tools
026 SPF
027 DKIM
029 DANE
030 Next steps

Should I Use Kali Linux?

What’s Different About Kali Linux?

Kali Linux is specifically geared to meet the requirements of professional penetration testing and security auditing. To achieve this, several core changes have been implemented in Kali Linux which reflect these needs:

  1. Single user, root access by design: Due to the nature of security audits, Kali Linux is designed to be used in a “single, root user” scenario. Many of the tools used in penetration testing require escalated privileges, and while it’s generally sound policy to only enable root privileges when necessary, in the use cases that Kali Linux is aimed at, this approach would be a burden.
  2. Network services disabled by default: Kali Linux contains systemd hooks that disable network services by default. These hooks allow us to install various services on Kali Linux, while ensuring that our distribution remains secure by default, no matter what packages are installed. Additional services such as Bluetooth are also blacklisted by default.
  3. Custom Linux kernel: Kali Linux uses an upstream kernel, patched for wireless injection.
  4. minimal and trusted set of repositories: given the aims and goals of Kali Linux, maintaining the integrity of the system as a whole is absolutely key. With that goal in mind, the set of upstream software sources which Kali uses is kept to an absolute minimum. Many new Kali users are tempted to add additional repositories to their sources.list, but doing so runs a very serious risk of breaking your Kali Linux installation.

Is Kali Linux Right For You?

As the distribution’s developers, you might expect us to recommend that everyone should be using Kali Linux. The fact of the matter is, however, that Kali is a Linux distribution specifically geared towards professional penetration testers and security specialists, and given its unique nature, it is NOT a recommended distribution if you’re unfamiliar with Linux or are looking for a general-purpose Linux desktop distribution for development, web design, gaming, etc.

Even for experienced Linux users, Kali can pose some challenges. Although Kali is an open source project, it’s not a wide-open source project, for reasons of security. The development team is small and trusted, packages in the repositories are signed both by the individual committer and the team, and — importantly — the set of upstream repositories from which updates and new packages are drawn is very small. Adding repositories to your software sources which have not been tested by the Kali Linux development team is a good way to cause problems on your system.

While Kali Linux is architected to be highly customizable, don’t expect to be able to add random unrelated packages and repositories that are “out of band” of the regular Kali software sources and have it Just Work. In particular, there is absolutely no support whatsoever for the apt-add-repository command, LaunchPad, or PPAs. Trying to install Steam on your Kali Linux desktop is an experiment that will not end well. Even getting a package as mainstream as NodeJS onto a Kali Linux installation can take a little extra effort and tinkering.

If you are unfamiliar with Linux generally, if you do not have at least a basic level of competence in administering a system, if you are looking for a Linux distribution to use as a learning tool to get to know your way around Linux, or if you want a distro that you can use as a general purpose desktop installation, Kali Linux is probably not what you are looking for.

In addition, misuse of security and penetration testing tools within a network, particularly without specific authorization, may cause irreparable damage and result in significant consequences, personal and/or legal. “Not understanding what you were doing” is not going to work as an excuse.

However, if you’re a professional penetration tester or are studying penetration testing with a goal of becoming a certified professional, there’s no better toolkit — at any price — than Kali Linux.