# Kali Linux on Amazon EC2

# What will you learn?

* How to create Amazon EC2 instance
* How to secure your instance from unauthorized connections
* How to configure Kali Linux for your preferences in few minutes

At the end of this guide you will have a working Kali installation, accessible via SSH only for you.

***
# Contents
1. [What will you learn?](#what-will-you-learn)
* [Create AWS account](#create-aws-account)
* [Create EC2 instance](#create-ec2-instance)
* [Connect to EC2 instance](#connect-to-ec2-instance)
* [Kali configuration](#kali-configuration)
* [Conclusion](#conclusion)
* [Additional readings](#additional-readings)
***

# Create AWS account

For this project, we are going to use the AWS EC2 instance within the AWS Free Tier account (it is more than enough).

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626086462853/LE-_iA0ae.png)

> Learn in details what is in scope of free license and what are its limitations on [AWS Free Tier](https://aws.amazon.com/free/).

Creating the account:

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626086673186/bK0m3H3UNN.png)

During creation of the account, you will be asked to add a credit card (or payment provider) details. If you will be charged only when you exceed your Free Tier quota.  Considering this, resources that AWS EC2 Free Tier has, are sufficient to run the instance continuously for a whole month.

> Well, it depends on how you are using your EC2s, but I'm running there only single EC2 instance for this project. Just be careful with transfer - last month [I was participating](https://blog.cyberethical.me/hack4lem-2021) in Hack4Lem hackathon and next month I was charged $1.32 - not much for a ~2-3GB incoming data - but be warned.

# Create EC2 instance

EC2 is an [Amazon Elastic Compute Cloud](https://aws.amazon.com/ec2). You can think about like a virtual machine in the cloud, that is managed by Amazon. This is an example of Infrastructure-as-a-Service ([IaaS](https://aws.amazon.com/types-of-cloud-computing/)) because Amazon is responsible for managing hardware and networking, but users of EC2 are the ones responsible for OS, middleware, runtime, data and application.

## Set data location

When you are logged in, the first things to do is to set a location, where your EC2 instance will be provisioned. This is done via a global setting that applies to all resources created in AWS (this can be changed later, of course)

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626110822051/Sr87ILrrd.png)

This project will be accessible only by me, so I'm choosing geolocation that is closest to my network provider - Frankfurt.

## Configure instance

To create the EC2 instance, search "EC2" in the search bar on top of the portal and click it to navigate to the EC2 dashboard.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626109927450/PMg6Ko8iwN.png)

Now select _Launch Instance_ and again in the dropdown.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626113820347/By6HSwXkG.png)

> Notice that gray text reminds you about location of the instance that is being created

On this screen, search for latest Kali image and select it.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626694244108/lz6xHfWNa.png)

> Rember to choose "Free tier eligible" when possible to avoid charges.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626114851057/ayeEy_rD4.png)

Ensure `t2.micro` is selected and click _Next: Configure Instance Details_.


![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626114952667/3iNGezb3U.png)

Leave defaults and click _Next: Add Storage_.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626694371857/NdhfxyVQE.png)

Leave defaults and click _Next: Add Tags_.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626115011864/famhbSqxh.png)

Here you can add some tags to help you identify for machine later - not a necessity in this project, but very useful in bigger setups. Click _Next: Configure Security Group_

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626116354443/zPArV_pAaI.png)

This is a crucial step, because of which we skipped the "Create and launch" button a few steps before. We are going to allow connections to the EC2 only to your IP. This is made by choosing "My IP" from the Source dropdown.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626115335589/aa1nWBabq.png)

Because we need only SSH connection to the Attack Box only SSH have to be opened and configured as below.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626694630501/2yFZN0j2w.png)

Go to the final step and make sure you have chosen "Free tier eligible" options and your access is configured only for your IP. Click _Launch_.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626694755856/Hfg-ns4EK.png)

Before an instance is provisioned, you will be asked to choose/generate SSH key, so you can connect safely to your instance. Make sure you will store your private key safely. Think about it as a key to your house - you don't share it, you don't leave it in public spaces.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626116572358/wab5so7LB.png)

Finally, click _Launch Instances_ and wait for you EC2 to be available.

> On final screen you can jump to billing preferences options and ensure that you have _Receive Free Tier Usage Alerts_ option checked.
> ![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626694859923/6CYEPw47b.png)
> ![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626694947037/7x1mSh72o.png)

# Connect to EC2 instance

> 🔔 `CyberEthical.Me` is maintained purely from your donations - consider one-time sponsoring with the [Sponsor](/sponsor) button or 🎁 [become a Patron](https://www.patreon.com/cyberethicalme) which also gives you some bonus perks.

To check if instance is ready to make connections, on the EC2 Dashboard select _Instances_

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626116847930/Y2W_BlhVW.png)

Here you should see that the instance is running and see its public IP. This is the IP you will be connecting to using SSH client.

> It is possible to use one of the three other methods, but each of them requires installing some additional software on the box (like `ec2-instance-connect`) and adidtional configuration. Becasuse we are going to use this Kali installation for pentesting and ethical hacking exercises, we should rely on secure SSH connection. Web browser managers poses more problems with shortcuts and response times and working via SSH is a great exercise for future challenges (my personal opinion). If you are still interested find this [Set up EC2 Instance Connect Manual](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html#ec2-instance-connect-setup-security-group)

You will be using the `kali ` username, unless the other user is specified on the [Kali's Default Credentials](https://www.kali.org/docs/introduction/default-credentials/) page.

## Via Windows Subsystem for Linux

WSL comes with already SSH client preinstalled. So to connect to your EC2 instance, just type this command in command line

```
ssh -i <privatekey.pem> kali@<public IP> 
```
If you don't have WSL configured on your system - there is no point to do such only to get SSH connection. This is where comes most widespread used SSH client. Putty.

## Via PuTTY

Download both `putty.exe` and `puttygen.exe` from [the download page](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html).

### Prepare private key

First we have to convert `*.pem` private key to `*.ppk` format supported by PuTTY. Run the `puttygen.exe` and make sure RSA is selected in the bottom panel.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626701048337/zOEBeaQW5.png)

Then _Load_, switch to _All files_ view and choose your private key.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626701147247/xfbyH_dyw.png)

You should see the following message

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626701172941/zN9hbQU7t.png)

> If you want to protect privae key with a password, fill the passphrase fields before going further

Click _Save private key_

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626701337695/aLrCYUJ96.png)

> If you didn't enter the passphrase, ignore warning about saving private key without password

Choose a location for `*.ppk` file and save it. Now it is ready to use with PuTTY.

### Connect to EC2 instance

Launch PuTTY, enter in the `Host Name` the `kali@<public IP>` details of your EC2 instance, ensure port 22 and SSH is used.


![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626702677808/bfvykvzRY.png)

Go to _Connections_ settings and enter 600 seconds between `keepalive` signals.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626702157866/QiO5ROn1k.png)

> Defualt session timeout on the AWS is 20 minuts.

Go to _Connections/SSH/Auth_ and choose `*.ppk` key to authenticate sessions.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626702461691/WDyWOPV1a.png)

Now to save these configuration details for later use, go back to _Session_, type name for the session and click _Save_.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626702599231/XXb1r6zp_.png)

Now you can click _Open_.

PuTTY console will open, and it will ask if you want to add the host to the trusted hosts. I am choosing _Accept_

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626702785290/wZhdiaEBm.png)

And that's it. If everything was done correctly, you should be welcomed by the Kali message and bash prompt.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626702908056/VRdKGjIlV.png)

# Kali configuration

## Update distro and packages

Paste the following instructions to update both system and packages.

```sh
sudo apt update &&
sudo apt dist-upgrade -y &&
sudo apt autoremove -y &&
sudo apt autoclean
```
You will probably be asked about adding users to `kismet` group. Add current `kali` user.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626704255134/t9nDd8m1Cc.png)

> [Kismet](https://tools.kali.org/wireless-attacks/kismet) is an _ 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system_ that comes preinstalled in Kali.

## Hide welcome message

Hide it as was suggested in welcome message by creating `.hushlogin` file in profile

```
touch ~/.hushlogin
```

## Resize font

For me, default 10 points is definitely too small. This has to be changed in PuTTY before connection is made. So enter `exit` command and open PuTTY again. Load the saved session and go to _Window/Appearance_. In the _Font settings/Change_ select desired size (I keep mine at 18), click _OK_ and don't forget to save profile in _Session/Saved Sessions/Save_.

Now when connecting you should have bigger window and font.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626725235125/MU49xMhjy.png)

## Extend shell profile

Solution for this is posted by me on [Unix StackExchange](https://unix.stackexchange.com/a/645541/467228), but I'm copying here the quick version.

For this, we have to create new file in home directory, paste there your aliases, bindings, etc. Then reference that file in `.zshrc`. 

> Do not do this in `.bashrc` because Kali since 2020.4 uses `zsh` instead `bash`. You can verify that by grepping `/etc/passwd`: `$ cat /etc/passwd | grep kali`

```
$ nano ~/.shell_aliases
```

Place here all you aliases and bash functions. You can take as an example, my [.shell_aliases](https://github.com/KamilPacanek/configs/blob/master/kali-rearm/.shell_aliases). <kbd>Ctrl</kbd> + <kbd>S</kbd>, <kbd>Ctrl</kbd> + <kbd>X</kbd> to save and exit.

Then edit `.zshrc`

```
$ nano ~/.zshrc
```

Paste this at the end of file

```sh
if [ -f ~/.shell_aliases ]; then
    . ~/.shell_aliases
fi
```
Changes will be applied after session restart or immediately after

```
$ source ~/.zshrc
```

## Bind word movement

This one took me a while to figure out, so I'm giving you my setup of you also have the issue with <kbd>Ctrl</kbd> + <kbd>←</kbd>, <kbd>Ctrl</kbd> + <kbd>→</kbd>.

> By default in any terminal and Windows <kbd>Ctrl</kbd> and arrow keys allow to navigate text **by word**. For my case, when I connect to Kali via PuTTY, it wasn't respected. I've searched through some topics at [Stackoverflow](https://superuser.com/questions/103069/putty-ssh-ctrlcursor-keys-dont-work-skip-to-previous-next-word), tried putting keybindings at different locations - and it didn't work.

If you have the same issue and advices found on the [forums](https://superuser.com/questions/103069/putty-ssh-ctrlcursor-keys-dont-work-skip-to-previous-next-word) doesn't work, here is the solution.

First, get the ASCII codes for the mentioned key combinations. When `showkey` opens, type <kbd>Ctrl</kbd> + <kbd>←</kbd>, <kbd>Ctrl</kbd> + <kbd>→</kbd> **and** <kbd>←</kbd>, <kbd>→</kbd>. Note down each code.

```
$ showkey --ascii
```

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626731263995/6UjoOJRqp.png)

In my example 

| Keystroke| ASCII Code |
|---|---|
|<kbd>Ctrl</kbd> + <kbd>←</kbd> |`^[OD`|
|<kbd>Ctrl</kbd> + <kbd>→</kbd>| `^[OC`|
|<kbd>←</kbd>| `^[[D`|
|<kbd>→</kbd>| `^[[C`|

Now, type the following in the `.shell_aliases` file created before

```
bindkey '^[OD' backward-word
bindkey '^[OC' forward-word
```

Recompile the profile by typing

```
$ source ~/.zshrc
```

Now try navigating word by word. Voilà!

> Well, in my example by performing these action what happend is that hitting arrow key jums backward/forward by single word and <kbd>Ctrl</kbd> combination moves character by character. I still don't know how it happened. But remedy was using arrow ASCII codes for `bindkey` (so opposite what you think should be).
```
bindkey '^[[D' backward-word
bindkey '^[[C' forward-word
```

# Conclusion

> Like what you see? Join the [Hashnode.com](/join) now. Things that are awesome:

>✔ Automatic GitHub Backup

>✔ Write in Markdown

>✔ Free domain mapping

>✔ CDN hosted images

>✔ Free in-built newsletter service

> By using my link you can help me unlock the ambasador role, which cost you nothing and gives me some additional features to support my content creation mojo.

Now we have Kali installation working on remote - so accessible anywhere with connection to the Internet (as long as we config the IP address in the AWS Console).

You can find additional files to customize your Kali on my [GitHub](https://github.com/KamilPacanek/configs/tree/master/kali-rearm) - for example, tools list that I'm using and shell installer.

# Additional readings

> 📌 Follow the `#CyberEthical` hashtag on the social media

> 🎁 Become a Patron and [gain additional benefits](https://www.patreon.com/cyberethicalme)

> 👉 Instagram: [@cyber.ethical.me](https://www.instagram.com/cyber.ethical.me/)

> 👉 LinkedIn: [Kamil Gierach-Pacanek](https://www.linkedin.com/in/kamilpacanek)

> 👉 Twitter: [@cyberethical_me](https://twitter.com/cyberethical_me)

> 👉 Facebook: [@CyberEthicalMe](https://facebook.com/CyberEthicalMe)




