Full Report
Kali Linux has released version 2024.4, the fourth and final release of 2024. It is now available with fourteen new tools, numerous improvements, and several deprecated features. [...]
Analysis Summary
# Tool/Technique: Kali Linux 2024.4 Release Artifacts
## Overview
This summary details the new tools, features, and changes introduced in the Kali Linux 2024.4 distribution release. Kali Linux is a Debian-based distribution designed for penetration testing, security auditing, and ethical hacking. The release focuses on adding new security tools, updating core components (like Python), and ending support for i386 architecture builds.
## Technical Details
- Type: Tool/Distribution Update
- Platform: Linux (x86-64 architecture remains fully supported; i386 builds deprecated)
- Capabilities: Provides an updated suite of penetration testing tools, kernel, desktop environment, and system component updates.
- First Seen: Release of Kali Linux 2024.4 (Date not explicitly stated, but implied late 2024).
## MITRE ATT&CK Mapping
This summary covers tools and distribution changes, which map broadly to the adversary’s toolkit and operational environment setup, primarily under **Resource Development** and **Execution**. Many of the included tools will map to various adversary tactics.
Example Tool Mappings (using `bloodyad` and `chainsaw` as examples):
- **Defense Evasion**
  - T1027: Obfuscated Files or Information
- **Discovery**
  - T1087: Account Discovery
  - T1018: Remote System Discovery (for domain enumeration tools)
- **Execution**
  - T1059: Command and Scripting Interpreter (for Python execution environments)
## Functionality
### Core Capabilities
The release introduces 14 new tools focused on various security tasks:
1. **bloodyad**: Active Directory privilege escalation framework.
2. **certi**: Tool for querying Active Directory Certificate Services (ADCS) and discovering templates.
3. **chainsaw**: Rapidly searches and hunts through Windows forensic artifacts.
4. **findomain**: Domain recognition solution for attack surface discovery.
5. **hexwalk**: Hex analyzer, editor, and viewer.
6. **linkedin2username**: Generates username lists based on company data from LinkedIn.
7. **mssqlpwner**: Tool to interact with and exploit MSSQL servers.
8. **openssh-ssh1**: SSH client supporting the legacy SSH1 protocol.
9. **proximoth**: Tool for detecting vulnerabilities related to control frame attacks (likely wireless/Bluetooth).
10. **python-pipx**: Utility to execute binaries from Python packages in isolated environments (replacement for system-wide pip installs).
11. **sara**: RouterOS Security Inspector.
12. **web-cache-vulnerability-scanner**: Go-based CLI tool for testing web cache poisoning vulnerabilities.
13. **xsrfprobe**: Advanced toolkit for auditing and exploiting Cross-Site Request Forgery (CSRF/XSRF).
14. **zenmap**: Frontend for Nmap.
### Advanced Features
- **Default Python Change**: Python 3.12 is now the default. By default, `pip` refuses to install packages into the system Python so that they cannot conflict with packages managed by `apt`; `python-pipx` is provided instead and runs each tool in its own isolated environment.
- **Raspberry Pi Imager Support**: Ability to pre-configure settings (hostname, credentials, Wi-Fi, SSH keys) directly in the Imager before writing to microSD cards.
- **Desktop Environment**: Upgraded to GNOME 47, including new accent color customization for window and shell widgets.
- **Architecture Deprecation**: Official builds and images for the i386 (32-bit) architecture are discontinued, following Debian's lead. Note: i386 packages remain available in the repository for use on x86-64 systems via APT or Docker.
- **SSH Deprecation**: SSH DSA keys are now deprecated.
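The "pip refuses system-wide installs" behaviour described under Default Python Change is the PEP 668 mechanism: Debian-based distributions drop a file named `EXTERNALLY-MANAGED` into the interpreter's standard-library directory, and `pip` refuses to install when it finds it. The following is an added example (not code from the Kali project) that locates and parses that marker the way a sysadmin script might, and reports whether `pipx` should be used instead. The function names, the constructed marker text, and the throwaway directory used for the demonstration are all this example's own assumptions.

```python
"""Detect a PEP 668 "externally managed" Python environment.

Added example, not part of the Kali release notes. pip checks for a file
named EXTERNALLY-MANAGED inside sysconfig.get_path("stdlib"); the file is
INI-formatted with an [externally-managed] section whose Error key holds
the message pip prints when it refuses to install.
"""
from __future__ import annotations

import configparser
import sysconfig
import tempfile
from pathlib import Path

MARKER_NAME = "EXTERNALLY-MANAGED"

# Constructed marker text for the demonstration (wording is illustrative,
# not copied from any distribution's actual file).
SAMPLE_MARKER = """\
[externally-managed]
Error=To install Python packages system-wide, try apt install
 python3-xyz, where xyz is the package you are trying to
 install. Use pipx for applications and venv for projects.
"""


def marker_path(stdlib_dir: str | None = None) -> Path:
    """Path pip checks; stdlib_dir overrides sysconfig so tests can use a temp dir."""
    base = stdlib_dir or sysconfig.get_path("stdlib")
    return Path(base) / MARKER_NAME


def is_externally_managed(stdlib_dir: str | None = None) -> bool:
    """True when the interpreter's stdlib directory carries the marker file."""
    return marker_path(stdlib_dir).is_file()


def parse_marker(text: str) -> str | None:
    """Return the Error message from marker-file contents, or None when the
    expected section/key is missing (pip then falls back to a generic message)."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    # configparser lowercases option names, so "Error" is looked up case-insensitively.
    if cp.has_option("externally-managed", "Error"):
        return cp.get("externally-managed", "Error").strip()
    return None


def install_advice(package: str, stdlib_dir: str | None = None) -> str:
    """Suggest the command that will not collide with apt-managed packages."""
    if is_externally_managed(stdlib_dir):
        return f"pipx install {package}"
    return f"python3 -m pip install --user {package}"


def demo_in_tempdir() -> dict:
    """Exercise the checks against a throwaway 'stdlib' directory so the
    example runs the same on any host, managed or not."""
    with tempfile.TemporaryDirectory() as tmp:
        before = is_externally_managed(tmp)
        marker_path(tmp).write_text(SAMPLE_MARKER, encoding="utf-8")
        after = is_externally_managed(tmp)
        message = parse_marker(marker_path(tmp).read_text(encoding="utf-8"))
        advice = install_advice("some-tool", tmp)  # hypothetical package name
    return {"before": before, "after": after, "message": message, "advice": advice}


if __name__ == "__main__":
    print("this interpreter is externally managed:", is_externally_managed())
    for key, value in demo_in_tempdir().items():
        print(f"{key}: {value}")
```

Run with no arguments to see whether the interpreter you are on is externally managed; the temp-directory demonstration shows both outcomes regardless of the host. The same check explains the `pipx` mitigation further down: on a marked system, `pipx` installs each application into its own virtual environment, so nothing is written into directories that `apt` owns.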
## Indicators of Compromise
(Indicators primarily relate to the tools *included* in the distribution, not malicious artifacts generated by the release itself.)
- File Hashes: N/A (the large number of tools that change with each release makes a hash list impractical)
- File Names: `bloodyad`, `certi`, `chainsaw`, `findomain`, etc. (Names of the 14 new tools)
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Systems using the new distribution will exhibit behaviors associated with running standard penetration testing tasks.
## Associated Threat Actors
Kali Linux is used by:
- Cybersecurity Professionals
- Ethical Hackers
- Penetration Testers
- Red Teams
- **Adversaries** (who leverage these tools for offensive operations)
## Detection Methods
Detection focuses on the operationalization of the included tools rather than the distribution itself.
- Signature-based detection: Signatures for known binaries/scripts within the toolset (e.g., known payload structures generated by `xsrfprobe` or network scanning fingerprints from `zenmap`).
- Behavioral detection: Monitoring for structured reconnaissance on AD via `bloodyad` or intensive artifact searching via `chainsaw`.
- YARA rules: N/A for the release components specifically.
## Mitigation Strategies
- **System Hardening**: Ensure systems are patched to resist vulnerabilities targetable by the new tools (e.g., Web Cache Poisoning, ADCS exploitation).
- **Principle of Least Privilege**: Users should not run system-level package management operations as root/administrator.
- **Python Environment Control**: Utilize `pipx` for isolated installs instead of system-wide `pip` commands.
- **Architecture Management**: Ensure migration planning is complete for any legacy systems relying on i386 (though this affects *building* images, not usually runtime usage on modern hardware).
- **SSH Configuration**: Configure servers to disallow DSA key authentication entirely.
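The SSH Deprecation note above and the SSH Configuration mitigation both come down to one audit question: does a server still accept or present DSA keys? The following is an added example (not code from Kali or OpenSSH) that scans an `authorized_keys` file for `ssh-dss` entries and an `sshd_config` for directives that enable DSA (a `HostKey` pointing at a DSA key, or an algorithm list that still admits `ssh-dss`). The file contents are constructed samples with placeholder key material; the function and class names are this example's own.

```python
"""Audit OpenSSH files for lingering DSA usage.

Added example, not part of the Kali release notes. Two checks:
  1. authorized_keys lines whose key type is ssh-dss (with or without a
     leading options field such as command="..." or no-pty).
  2. sshd_config directives that enable DSA: a HostKey naming a DSA key
     file, or PubkeyAcceptedAlgorithms / HostKeyAlgorithms / HostbasedAccepted*
     lists that contain an ssh-dss pattern (a leading '-' removes algorithms
     and is therefore not a finding; '+' and '^' add them).
"""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass

DSA_ALGOS = ("ssh-dss", "ssh-dss-cert-v01@openssh.com")
ALGO_KEYWORDS = {
    "pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes",
    "hostkeyalgorithms",
    "hostbasedacceptedalgorithms", "hostbasedacceptedkeytypes",
}
# Key type token preceded by start-of-line or whitespace (options may come first).
DSA_KEY_RE = re.compile(r"(?:^|\s)ssh-dss(?:-cert-v01@openssh\.com)?(?=\s)")

# Constructed samples: the base64 fields are placeholders, not real keys.
AUTHORIZED_KEYS = """\
# constructed sample, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATAFORTHEEXAMPLE000000 ops@example
ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDERDSAKEYDATA legacy@example
command="/usr/bin/uptime",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDER monitor@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER user@example
"""

SSHD_CONFIG = """\
# constructed sample sshd_config
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_dsa_key
PubkeyAcceptedAlgorithms +ssh-dss
HostKeyAlgorithms -ssh-dss
KexAlgorithms curve25519-sha256
"""


@dataclass
class Finding:
    source: str
    line_no: int
    detail: str


def authorized_keys_findings(text: str, source: str = "authorized_keys") -> list[Finding]:
    """Flag every active (non-comment) entry whose key type is DSA."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if DSA_KEY_RE.search(line + " "):
            findings.append(Finding(source, n, "DSA public key entry"))
    return findings


def sshd_config_findings(text: str, source: str = "sshd_config") -> list[Finding]:
    """Flag directives that make sshd present or accept DSA keys."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts 'Key value' and 'Key=value'
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "hostkey" and "dsa" in value.lower():
            # Heuristic on the file name; ssh_host_dsa_key is the conventional name.
            findings.append(Finding(source, n, f"DSA host key configured: {value}"))
        elif keyword in ALGO_KEYWORDS and not value.startswith("-"):
            patterns = [p.strip() for p in value.lstrip("+^").split(",")]
            for algo in DSA_ALGOS:
                if any(fnmatch.fnmatchcase(algo, p) for p in patterns):
                    findings.append(Finding(source, n, f"{parts[0]} permits {algo}"))
                    break
    return findings


def audit(authorized_keys_text: str, sshd_config_text: str) -> list[Finding]:
    """Combined report for one host."""
    return authorized_keys_findings(authorized_keys_text) + sshd_config_findings(sshd_config_text)


if __name__ == "__main__":
    for f in audit(AUTHORIZED_KEYS, SSHD_CONFIG):
        print(f"{f.source}:{f.line_no}: {f.detail}")
```

Point the two functions at real files with `Path(...).read_text()` to audit a host. A clean result is an `sshd_config` with no DSA `HostKey` and algorithm lists that never add `ssh-dss`, plus `authorized_keys` files with no `ssh-dss` entries; replacing the flagged keys with `ssh-ed25519` keys removes the findings.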
## Related Tools/Techniques
- **nmap**: Zenmap is the frontend for nmap.
- **Active Directory Exploitation Frameworks**: Tools for Active Directory enumeration and privilege escalation, such as BloodHound or PowerView (related to `bloodyad`).
- **Forensic Analysis Tools**: Similar to `chainsaw` for searching Windows events/artifacts.