Finally! After all these years the powers that be have enabled a non-root user by default. This means logging in as root/toor is long gone. The default user is now kali/kali, as is the sudo password. Yet, no different from before, this is very insecure, even for a testing or lab environment. So, let's change it!
First, we will want to create a new user. To do this, make sure you're logged in as kali/kali, and run the command:
sudo adduser <username>
You will be asked a series of questions after this command. None of them are required, so fill them out only if you want to.
Next, you need to add this new user to the sudo group if you need the ability to execute commands as root. The command to run is:
sudo usermod -aG sudo <username>
At this point, your new user is ready to go! You can delete the original kali user if you want. If so, log into your new account and run:
sudo deluser --remove-home kali
This will remove the original kali account and its home directory. If you get a message that the user is being used by a process, run:
sudo kill -9 <processnumber>
Now, all that's left to do is to change the default root password of kali. To do so we need to switch to root:
When you authenticate with kali you will be presented with a root shell. To change this password enter the command:
Enter a new password and you're finished. Kali is now configured with a new user account and a secure root password.
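To confirm the account steps above took effect, here is an added check that is not part of the original post. The function name `audit_accounts`, its arguments and the default paths are assumptions, and it does not inspect the root password.

```shell
# Added example: verify the account changes described above.
# Usage: audit_accounts <new_user> [passwd_file] [group_file] [old_home]
# Prints one line per check; the return status is the number of failed checks.
audit_accounts() {
    new_user=$1
    passwd_file=${2:-/etc/passwd}   # assumed default location
    group_file=${3:-/etc/group}     # assumed default location
    old_home=${4:-/home/kali}       # home that "deluser --remove-home kali" deletes
    failed=0
    [ -n "$new_user" ] || { echo "usage: audit_accounts <new_user>" >&2; return 64; }

    # Exact match on field 1 of the passwd file (no regex, no prefix matches).
    has_user() { awk -F: -v u="$1" '$1 == u { f = 1 } END { exit !f }' "$passwd_file"; }

    if has_user kali; then
        echo "FAIL: default user 'kali' still exists"; failed=$((failed + 1))
    else
        echo "OK:   default user 'kali' removed"
    fi

    if has_user "$new_user"; then
        echo "OK:   user '$new_user' exists"
    else
        echo "FAIL: user '$new_user' not found"; failed=$((failed + 1))
    fi

    # Field 4 of the group file is the comma-separated member list.
    members=$(awk -F: '$1 == "sudo" { print $4 }' "$group_file")
    case ",$members," in
        *",$new_user,"*) echo "OK:   '$new_user' is in group sudo" ;;
        *) echo "FAIL: '$new_user' is not in group sudo"; failed=$((failed + 1)) ;;
    esac

    if [ -d "$old_home" ]; then
        echo "FAIL: $old_home still exists"; failed=$((failed + 1))
    else
        echo "OK:   $old_home removed"
    fi
    return "$failed"
}
```

Source the file and run `audit_accounts <username>` from the new account; a return status of 0 means every check passed.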
Kali Single Installer Image
Kali is now offered in a single image; previously Off-Sec was offering up individual images for each desktop environment (GNOME, KDE, Xfce, etc.). They've streamlined that, and now you can select which you would like when installing:
Kali-Undercover has also received some improvements, mostly to help it seem even more Windows-esque. You can read more about Kali-Undercover here.
Kali 2020.1 has also added some new tools! To get started with these, pull them down using
cloud-enum is a simple cloud enumeration tool. Nice to have this in the command line, though it is not passive like some other web-based tools are.
emailharvester scrapes search engines and social media sites and pulls any email addresses from the domain you specify.
phpggc: "PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically." I wasn't aware of this tool before writing this article. It looks incredibly useful. Will write something up on it in the future if so. More about this tool here.
sherlock is another username search tool, kinda like OSRFramework. This one is very quick and seems to pull accurate results with few false positives (from what I've tested).
splinter was the last tool mentioned to be added, though I cannot locate what this tool is as it will not install from apt, I might be missing something tho :-/
Python 2 End Of Life
Ding dong the witch is dead as of Jan 1st, 2020. Off-Sec is removing tools that haven't been updated to Python 3; it seems they want to find suitable replacements for tools as they move forward instead of a mass purge all at once.
ARM and NetHunter images also underwent some changes, and some icons within the OS have been updated as well.
That's pretty much everything for this quarter! I've missed a few of these update posts, but life beckons from time to time. Nonetheless, hopefully this was helpful to some. I included the very beginner-friendly tutorial at the top as I want to start including information for all levels of reader.
Offensive-Security's Kali 2020.1 changelog here