Kali as a VM within Qubes OS

[lvx]

I was wondering if anyone had any experience with this setup.  I've been using Qubes OS for a while and figured that it would be the perfect way to create a disposable yet easily accessible Kali instance for pentesting/play.  I'm also using whonix when anonymity is important and was wondering where I should provide Kali it's network connection?

 

By default in Qubes, traffic is routed from sys-net to sys-firewall and then to the qube you're working with.  In Whonix there is an additional VM which provides routing through TOR.

 

I don't have much experience with Kali, but logically it seems like I should just connect it directly to sys-net in order to keep it outside my DMZ and just kill it if it becomes exposed.  Or does it make sense for it to be routed through TOR and filtered by the firewall?  Thoughts?

[digininja]

I know nothing about Qubes but in my opinion, the answer depends on what you want to do with Kali.

• If you are doing any kind of client based pen testing with it then you'll probably want to come from a fixed, static IP so that the client can identify you
• If you are doing things where you want to be anonymous, go through Tor
• Normal browsing and computing, it depends on your paranoia level

[lvx]

Good points, thank you for the thoughtful reply.  Right now this is mostly for testing purposes, so I guess I'll just have to try out a few configurations and see what works best.  I do recall reading something about whonix getting in kali's way on another site, but can't seem to find the thread now.

[digininja]

Kali is just Linux with a lot of security packages so it won't get in the way of Kali but it may affect some of the tools but that would be the case whatever distro they were installed on.

Pick the tools you think you'll be using, install them in a vanilla Kali and in your pimped up version and compare results. My guess would be things like nmap which do special things at layer two with packets might not be happy but something like Nikto pointed at a web app wouldn't care less as long as it's layer seven packets get through.

[barry99705]

There's a few how-to's on Qubes site for setting this up.

[lvx]

digininja - Yeah, that's what I was thinking. Whonix will probably mess with nmap and other similar tools. Luckily it's easy to change the net VM, so with a little trial and error I can find what works. 

barry99705 - I followed those quides when setting up the kali qube and am just in the process of getting all the tools using the katoolin script. :) 

[barry99705]

Just don't forget, networking in Qubes is weird.  So is usb support.

[lvx]

You're not kidding! 

[barry99705]

That's why I stopped using it.  The idea is there, but networking and usb support sucks.

[lvx]

After a few growing pains, I'm actually liking it. :)

Networking isn't any more difficult than any other Linux implementation, you just have more options.  If you want easy, route your VM through sys-net, if you want a decent pre-configured firewall, run it through sys-firewall and if you want anonymity via Tor, route it though sys-whonix.

USB isn't THAT bad.  You can easily assign a USB device to a VM through the gui or commandline on dom0, then it's treated exactly the same in the VM as you would expect in whatever flavour of Linux your template is.

My kali-rolling template is all set now and I created a new pentesting vm to see how the tools work.  I'll start having it connected to sys-whonix and then will either tweak the whonix implementation or scale back to sys-firewall or sys-net.  I have been thinking again that it might actually make more sense to have the pentesting VM residing outside my 'secure' space in any case, and having it hooked up to sys-net will remove the need for so much testing.  Need to give it a bit more thought though.

Currently I have 3 primary VMs loading at startup in addition to dom0 and the system qubes:

'play', using fedora25 template, sys-firewall networking (email, browsing, forum administration)

'work', using fedora25 template, sys-firewall networking (citrix connections for my day job)

'hack', using kali-rolling template (debian 8 template, upgraded to R9, katoolin scripts), sys-firewall networking ()

disposable VM's and/or 'anon' VM's (full whonix implementation) as needed

May check out the Arch and/or Ubuntu templates as well, but the Fedora template gets more regular updates and is supported by the dev.  I'll be spending most of my command line time in debian (kali) anyways. :)

Will probably get the Fedora-minimal template at some point and trim down those network VM's to the bare essentials.

Main downside so far is the insane amount of updates/configuration required to create all of the environments.  Maintaining them shouldn't be too bad though.  Oh, and it's a little slow depending on what I'm doing, but that is to be expected.

Edited December 12, 2017 by lvx
Clarity / Changes to configuration

[lvx]

I may have spoken too soon on the networking front.  Having an extremely frustrating time at the moment.  I'll detail the behaviour a bit in case anyone has ideas.

The original sys-net virtual machine is behaving a little strangely.  Only wifi works, unless I disable wifi in the Network Manager applet and then reboot the computer.  (restarting the vm's doesn't do it)  This isn't a huge issue as I'll be using wifi exclusively at home and I have a workaround to make the wired connection function, but it's odd behaviour.

I've been trying to create a replacement for sys-net as I wanted to see if using the fedora minimal template would give it a lower memory footprint and to see if it would correct the above issues.  Installed all of the recommended packages and can get the wired connection to work, but can't seem to get wifi working.  The 'Enable WiFi' option / checkbox doesn't even appear in the Network Manager applet.  I've compared lspci -k for the new and old VM's and they are both using the same kernel drivers for ethernet and wireless.  

I might give debian a try to see how it runs as sys-net,  but other than that I'm out of ideas.

All that aside,  I have had some success as well.  Created a Mirage unikernel sys-firewall which seems to be working well.  Will create a sys-vpn VM soon using my free account at ProtonVPN as a proof of concept.  Don't have a proper VPN service at the moment, but thinking it might be a good idea to get one. (any recommendations?)

Other than that, getting a little sick of Fedora.  I haven't used RH based linux for so long and am feeling outside my comfort zone.  May switch all of the fedora-25 VM's to Debian or Ubuntu.

Updated the previous post as I've changed my regular VM setup a bit.

Edited December 12, 2017 by lvx
Clarity

[lvx]

May just try doing a clean install with Qubes 4.0 now that I've gotten my feet wet with 3.2

Not really looking forward to reconfiguring everything though. :/