Whinings on BSD, virtualization, and other stuff.

X11 Forwarding with Kali Linux and bhyve

Use Kali GUI tools under bhyve

There's a common saying in any technical field, "Use the right tool for the job." For common information security tasks, many use the toolbox known as Kali Linux. Kali has many different tools for many different tasks, many of which aren't just for information security. Personally, since I use FreeBSD on my laptop, I use Kali as my "goto" Linux OS for when FreeBSD just doesn't cut it, like when there is a tool that is not ported to FreeBSD yet. Since Kali can be used as a live OS, I used to just boot into the live Kali instance on my laptop via a USB stick. One of these tasks was logging into my iXSystems IPMI device on my colocated server. With all the current leg work being done getting pf integrated into iohyve, it's nice to have a backup console just in case I bork my /etc/pf.conf file and lock myself out of SSH. Since iXSystems use primarily SuperMicro boards, I've run into an issue where my FreeBSD laptop cannot handle the SuperMicro IPMI console, because Java (actually IcedTea) assumes I am on Linux, not FreeBSD, so it cannot load the correct libraries. I do believe there are work-arounds for Linux-Java comapatibility in this situation, but when I have access to Kali just a few minutes away, I'd rather go that route. In the following tutorial, I will go into how to use iohyve, a custom pfsetup, and X11 Forwarding to launch graphical applications on a host that is running a Kali virtual machine guest.

Configuring iohyve and pf

Since we will be using SSH X11 Forwarding, the guest and the host need to be on the same network. On my laptop, since I use WiFi most of the time, I have already put all my guests behind a NAT, as outlined in this iohyve tutorial. I'll go into that a little bit here.

The first step is to configure the hard-coded bridge0 device in your /etc/rc.conf file. Since this is not officially supported by the iohyve setup net=[interface] function, we will need to "roll our own" configuration file. Note that we still load the VMM and NMDM kernel modules via the iohyve_flags="kmod=1" line. You can also "roll your own" /boot/loader.conf file and do this manually. Here's the example /etc/rc.conf file:


cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="addm wlan0 up addm tap0"


This method effectively turns the laptop into a Gateway (IP, forwarding traffic to the iohyve guests. We will define the guest IP's in the /etc/pf.conf file:


set block-policy return
set skip on lo
scrub in

nat on $if from $hyve_fbsd to !$hyve_net -> $pub
nat on $if from $hyve_win to !$hyve_net -> $pub

# default
pass out on $if from $pub to any
block in log on $if

Here we see that I have two guests configured this way. One is a FreeBSD guest that I give the IP address of and the other I will be using for Kali, Note the pub="192.168.XXX.XXX" is the IP address I received via DHCP over WiFi (wlan0 interface). There are also a few other things we configure, but I won't go into why that's done here. I suggest you read Peter N. M. Hansteen's "The Book of PF" if you want to become a pro at using this wonderful firewall software.

Now we need to set up the Kali guest in iohyve. Create it with iohyve create kali 16G and configure with iohyve set kali ram=1024M loader=grub-bhyve description="Kali". Note that we do not set the os property, this is because we will need to do some things in the GRUB command line interface, therefore os=default will need to be set (this is done by default as the name suggests). If you haven't done so already, fetch the Kali ISO with something like iohyve fetch Since we want all the tools in the Kali toolbox, I choose to install the full 64bit version.

Installing Kali Linux

Installing Kali isn't as straight forward as installing "vanilla" Debian in iohyve. Like I said earlier, we will need to dig around in the GRUB command line interface. Before we begin, I'd like to note that I use tmux to open two simultaneous windows (one for running the guest and one for consoling into the guest). You can find more information on the magic of tmux here. Start the installation by running something like this: iohyve install kali kali-linux-2016.1-amd64.iso. In your iohyve console kali terminal, you should see something like:

                             GNU GRUB  version 2.00

   Minimal BASH-like line editing is supported. For the first word, TAB
   lists possible command completions. Anywhere else TAB lists possible
   device or file completions.


Since the Linux Kernel and initrd image are located in the (cd0)/install/ folder, we run this series of commands to get the ISO booted:

                             GNU GRUB  version 2.00

   Minimal BASH-like line editing is supported. For the first word, TAB
   lists possible command completions. Anywhere else TAB lists possible
   device or file completions.

grub> ls (cd0)/install/
gtk/ initrd.gz install.bat vmlinuz
grub> linux (cd0)/install/vmlinuz
grub> initrd (cd0)/install/initrd.gz 
grub> boot

The installation itself is pretty straight forward, and shouldn't be a problem, especially if you have installed a Debian or Debian-based OS before. As long as you gave it enough disk space, you shouldn't run into any issues. Remember to give the install an IP of or the one you are using on your pf setup (I also set the DNS to during this portion of the install). Although iohyve can handle an LVM install, I decided to opt for the standard install to hard disk.

Connecting to the Kali Guest

After installation has completed, you can start the guest by running something like iohyve start kali. The guest should start up and you should see some stuff scroll across the screen in your iohyve console kali terminal. Before we get started, we need to start the SSH service in the Kali guest, as it does not start by default. You may choose to start SSH on startup, but I don't personally because sometimes all you need is the built in "serial" console via bhyve. You can start the service by running: service ssh start. If you have not installed any other users, you will need to enable root logins via SSH to your guest. Via the iohyve console, you can edit your /etc/ssh/sshd_config file and do this by finding the line PermitRootLogin and changing the line to PermitRootLogin yes. Once this is done, you will need to restart the SSH service with service ssh restart.

Now, you can start your X11 forwarding session by running something like ssh -X root@ on your host, in my case, my laptop. Once logged in, you can then run programs that have GUI's under the virtual machine, but through your host's own X11 server. In other words, MAGIC. You can test it by running xclock, firefox &, or zenmap in the SSH session. You can even run burpsuite from the guest!

Remember earlier, I said that I needed Kali to use my iXSystems IPMI? Well, we first need the icedtea-plugin installed. This is as simple as running apt-get install icedtea-plugin from the SSH session and restarting your guest in iohyve. You should then be able to open a Firefox window in your X11 forwarding session (firefox &) and navigating to your IPMI Web Interface and clicking on the console screenshot window.

That's all I have on X11 forwarding for now, but if you want extra credit in a non-existent quiz, you can try to configure XNest and have an entire desktop environment forwarded! (This is not as easy as it sounds, you are warned)


I'm doing something different for this post, and all future posts. I'm going to put a special thanks section at the bottom of each post. A lot of the work I cover on this blog is volunteer work, and is powered by volunteer work. This week, I'd like to thank @da_667 for teaching me that even though it sucks, it's always rewarding to keep fighting the good fight; and I'd like to thank @lattera for listening to and encouraging my weird and sometimes overly ambitious ideas.

Have you thanked someone for their volunteer work recently?

Receive Updates