Alert! Always make certain you are downloading Kali Linux from official sources and be sure to verify the SHA1 checksums against our official values. It would be easy for a malicious entity to modify a Kali installation to contain malicious code and host it unofficially.

Official Kali Linux Images

ISO Files

Kali Linux is available as a bootable ISO in both 32 and 64-bit formats.

VMware Images

Kali is available as a pre-made VMware virtual machine with VMware Tools installed. The VMware image is available in a 32-bit PAE format.

ARM Images

Due to the nature of the ARM architecture, it is not possible to have a single image that will work across all ARM devices. We have Kali Linux ARM images available for the following devices:

  • rk3306 mk/ss808
  • Raspberry Pi
  • ODROID-U2/U3
  • MK802/MK802 II
  • Samsung Chromebook
  • Samsung Galaxy Note 10.1 (NOT 2014)
  • HP ARM Chromebook
  • Beaglebone Black
  • Cubieboard2
  • Cubox
  • Cubox-i
  • Genesi EfikaMX
  • Mini-X
  • ODROID-XU
  • ODROID-XU3
  • CompuLab Trimslice
  • CompuLab Utilite Pro

Verifying SHA1 Checksums of Downloaded Images

When you download an image, be sure to download the SHA1SUMS and SHA1SUMS.gpg files that are next to the downloaded image (i.e. in the same directory on the server).

Ensure the Origin of the SHA1SUMS File

Before verifying the checksums of the image, you must ensure that the SHA1SUMS file is the one generated by Kali. That’s why the file is signed by Kali’s official key with a detached signature in SHA1SUMS.gpg. Kali’s official key can be downloaded in one of two ways:

$ wget -q -O - http://archive.kali.org/archive-key.asc | gpg --import
# or
$ gpg --keyserver subkeys.pgp.net --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6

Once you have downloaded both SHA1SUMS and SHA1SUMS.gpg, you can verify the signature as follows:

$ gpg --verify SHA1SUMS.gpg SHA1SUMS
gpg: Signature made Thu Mar 7 21:26:40 2013 CET using RSA key ID 7D8D0BF6
gpg: Good signature from "Kali Linux Repository <devel@kali.org>"

If you don’t get that “Good signature” message or if the key ID doesn’t match, then you should stop the process and review whether you downloaded the images from a legitimate Kali mirror.

If the SHA1SUMS file is the one provided by Kali, then you can verify that the image downloaded has the required checksum. You can either generate the checksum and do a manual comparison with what’s listed in SHA1SUMS or use a tool that knows how to verify those checksums.

TODO: explain how to use GPG on OS X and Windows. See https://www.torproject.org/docs/verifying-signatures.html.en for inspiration.

Verifying SHA1 Checksums on Linux

With a manual comparison:

$ sha1sum kali-linux-1.0-i386.iso
796e32f51d1bf51e838499c326c71a1c952cc052 kali-linux-1.0-i386.iso
$ grep kali-linux-1.0-i386.iso SHA1SUMS
796e32f51d1bf51e838499c326c71a1c952cc052 kali-linux-1.0-i386.iso

By using sha1sum -c:

$ grep kali-linux-1.0-i386.iso SHA1SUMS | sha1sum -c
kali-linux-1.0-i386.iso: OK
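
The two steps above (signature check on SHA1SUMS, then checksum check on the image) combined into one fail-closed script, as an added example that is not part of the original Kali documentation. It compares the full key fingerprint given above rather than the short key ID and matches the SHA1SUMS entry by exact filename; the function names are hypothetical, and it assumes gpg and sha1sum are installed and that SHA1SUMS, SHA1SUMS.gpg and the image are in the current directory.

```shell
#!/bin/sh
# Added example (not from the Kali docs): fail-closed download verification.
# Function names are hypothetical; the fingerprint is the one given on this page.
KALI_FPR="44C6513A8E4FB3D30875F758ED444FF07D8D0BF6"

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG line carries the expected full fingerprint (signing key or primary
# key field) and no BADSIG/ERRSIG line is present. A short key ID is not enough.
signed_by() {
    awk -v fpr="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !(ok && !bad) }'
}

# Checks one image against its SHA1SUMS entry. The filename must match the
# entry exactly (a plain grep would also match substrings). Run it from the
# directory holding the image. Returns 2 if there is no entry, 1 on mismatch.
check_image() {
    image=$1
    sums=$2
    line=$(awk -v f="$image" '$2 == f || $2 == "*" f' "$sums")
    [ -n "$line" ] || { echo "no SHA1SUMS entry for $image" >&2; return 2; }
    printf '%s\n' "$line" | sha1sum -c >/dev/null 2>&1
}

# Signature first, checksum second; stop at the first failure.
verify_download() {
    gpg --status-fd 1 --verify SHA1SUMS.gpg SHA1SUMS 2>/dev/null |
        signed_by "$KALI_FPR" || { echo "SHA1SUMS signature check failed" >&2; return 1; }
    check_image "$1" SHA1SUMS || { echo "checksum check failed for $1" >&2; return 1; }
    echo "$1: signature and checksum OK"
}

# Usage: sh verify-kali.sh kali-linux-1.0-i386.iso
if [ $# -gt 0 ]; then
    verify_download "$1"
fi
```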

Verifying SHA1 Checksums on OS X

With a manual comparison:

$ shasum kali-linux-1.0-i386.iso
796e32f51d1bf51e838499c326c71a1c952cc052 kali-linux-1.0-i386.iso
$ grep kali-linux-1.0-i386.iso SHA1SUMS
796e32f51d1bf51e838499c326c71a1c952cc052 kali-linux-1.0-i386.iso

Verifying SHA1 Checksums on Windows

Windows does not have the native ability to calculate SHA1 checksums, so you will need a utility such as Microsoft File Checksum Integrity Verifier or Hashtab to verify your download.