How to verify the integrity and authenticity of a Kali Linux OVA image

You downloaded an image to install Kali Linux and you want to make sure that this file is an integral and authentic copy? This post is for you!

You have downloaded an image to install Kali Linux1 as a virtual machine (VM) on your hypervisor and you want to make sure that this file is an integral and authentic copy? If the answer to this question is yes, keep reading! In this blog entry, I will describe how to verify the integrity and authenticity of a Kali Linux OVA image with Windows 10.

There are two ways to install Kali Linux on a virtual machine. The first is to create a new VM and manually configure it on the hypervisor2. Once this is done, the Kali ISO image3 needs to be attached to the virtual CD-ROM and then the VM can be booted. The second method is to import a copy of an existing virtual machine into the hypervisor. Such copy is distributed as an OVA4 package, which is an archive file that contains metadata for the VM – such as name or hardware requirements – and at least one disk image, among other things. Before importing the OVA image into the hypervisor, we need to make sure that this file wasn’t damaged during the download and perhaps more importantly that this is an authentic copy. This process is what I present next.

The first step of this process is to download the OVA image. In order to do this, go the official website of Offensive Security5: https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/. Here you should choose the OVA image compatible with your hypervisor. As I use VirtualBox6, I downloaded the VirtualBox 64-bit file. While downloading, take note of the checksum (SHA256Sum) written next to the file that you selected:

OVA images and SHA256Sums on offensive-security.com

The next step is to open the Windows PowerShell and cd7 into the directory where you saved the OVA image. Here run the following command (modify it with the name of the file that you downloaded): Get-FileHash kali-linux-2020.3-vbox-amd64.ova -Algorithm sha256. If everything worked well, you should see something like this:

Get the hash from the OVA file

The alphanumeric string under the column Hash is the information we need to compare to the SHA256Sum that we took note of before in this tutorial. As I’m lazy – and thus efficient 😀 – I did this with the Python Shell (see Screenshot below; modify the command with your checksum data). If the result of running this command is True, you are ready to go8:

  1. The Penetration Testing Distribution: https://www.kali.org/
  2. You have to pick the machine type (Debian 64 bit), the RAM size (at least 2GB), the number of CPUs (at least 2), and the size of the hard disk (at least 30GB) manually.
  3. An ISO image is an archive file that contains an identical copy of an operative system.
  4. OVA stands for Open Virtualization Format.
  5. Offensive Security is the company behind Kali Linux.
  6. https://www.virtualbox.org/
  7. cd stand for change directory.
  8. Note that this process can be used to verify a Kali ISO image as well.

One thought on “How to verify the integrity and authenticity of a Kali Linux OVA image”

  1. Thanks. Here is a PowerShell-only option:

    PS> certutil -hashfile .\kali-linux-2021.3-vbox-amd64.ova sha256

    PS> “1956ab337923095d4213ade006938ac58e3d67b209b9647410e8d85e6eaac409” -eq “1956ab337923095d4213ade006938ac58e3d67b209b9647410e8d85e6eaac409”.ToLower()

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *