VNC to access Kali Linux on Raspberry Pi

Simple HowTo for a secured remote graphical HMI access on Kali 2 installed on Raspberry Pi 3. Probably also works for other Linux Distribution and hardware as well.

Article published on 30 May 2016

by Emeric Nasi


License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

I wrote this how-to because I lastly decided to install and run Kali Linux from a Raspberry Pi. I wanted to install VNC and I found it quite complicated to get the information I needed to be able to do so in a secure and nice way.

I. Prerequisites

First you need to have a running Kali or other Debian based Linux distribution installed on Raspberry PI. I personally installed Kali 2 on Raspberry Pi 3. For that look at instruction on the Kali Official Documentation
The device must be connected to the Internet to install the required packages and be network accessible to the PC or phone where you install the VNC client.
SSH server must be available and running on the Raspberry Pi. The Raspberry Pi will act as SSH and VNC server.
I used Xubuntu as the client OS but any other are possible provided they support SSH tunneling and you can install a VNC client.

Warning: As stated by Kali Official Documentation all Kali Arm images are configured with the same SSH host key. The host keys must be changed by running:

Also you should use certificate authentication for SSH or at least change the default password (toor) for the Kali root user.

II. Install TightVNC

II.1 Required packages

Install TightVNC server package:
apt-get install tightvncserver
Install Autocutsel package to enable cut&paste between client and server:
apt-get install autocutsel

II.2 First run

We will make a first run of VncServer to generate configuration files and VNC password.
vncserver :1
We started an X session on display port 1, note that by default vncserver will attempt to start on display 0 which is already taken by the started Kali session used for local access
The first time you run vncserver, it prompts for a password (8 char max). Thats when you realize VNC sessions are not linked to Linux user authentication but relies on a single password (one of VNC insecurity problems)! You can later change that password using the vncpasswd command.
We can check the VNCserver is running by issuing the netstat -tupln command:

Port 5901 is VNC connection port, 6001 is X server for VNC.

II.3 Client access

On the client machine, first install a VNC client such as xtightvncviewer.
apt-get install xtightvncviewer
To connect to the server use the command:
xtightvncviewer <server_ip>:1
You may notice that the remote HMI is not responsive and really slow. To remediate to that, you can use some options to optimize the connection:
xtightvncviewer <server_ip>:1 -compresslevel 9 -quality 4 -depth 8

II.4 Configuration

We will configure VNC startup script to enable cut and paste. For that edit the file /.vnc/xstartup and add autocutsel line as below.

You can restart your VNC server and check it is working.

III. VNC over SSH

As mention on TightVNC man page, the problem about Xvnc is that it is not secure. As they write: “It’s recommended to restrict network access to Xvnc servers from untrusted network addresses. Probably, the best way to secure Xvnc server is to allow only loopback connections ... and to use SSH tunneling for remote access to the Xvnc server.”

III.1 Localhost only VNC server

We want all our traffic to go through an SSH tunnel. So we will ensure VNC related ports are not accessible on the network.
We have to start VNC server with next options:
vncserver :1 -geometry 1280x800 -depth 16 -localhost -nolisten tcp
The -locahost option will ensure VNC port 5901 is listening only on local interface, the -nolisten tcp option will disable the port 6001(X Server will not listen on the network).

Now our listening connections are:

III.2 SSH Tunnel

We will create an SSH tunnel by issuing the next command on client machine:
ssh -L 5901:localhost:5901 -N -f <distant_user>@<server_ip>
This command means SSH will listen on local port 5901 on client machine. Any connection to this port will be tunneled to port 5901 or the remote VNC server via SSH (port 22).

Now to connect to our raspberry pi VNC server we use the command:
xtightvncviewer localhost:1 -compresslevel 9 -quality 4 -depth 8

Note: So we have now to enter two passwords, first the distant user password, next the VNC password, it is much more secure. Not sure if that counts as double authentication though :-) !

IV. Enable at boot

IV.1 Startup script

This startup script is an adaptation of the one proposed by raspberrypi.org to enable the SSH tunneling.

You can test this script by issuing service vncboot start to start VNC server and service vncboot stop to stop it.

IV.2 Enable at startup

To enable the script at machine boot:

Now enjoy your remote access, and have fun!