Pocket Pentesting Kit

How to use and build a pocket penetration testing kit with a Raspberry Pi and Kali Linux.

Having a small and portable pentesting setup can sometimes be useful, so I wanted to build one for myself.

What you will need:

  • Raspberry Pi (2 or above) or another supported ARM board (I'll be using a Raspberry Pi 3)
  • Wi-Fi dongle (like the Ralink 2870) or something like the Alfa AWUS1900 (for better range)
  • Optional: another Wi-Fi dongle (only if your Raspberry Pi does not have built-in Wi-Fi)
  • Optional: USB GPS receiver (I'm using the GN208G) for wardriving
  • SD card
  • Power bank

NOTE: make sure that the Wi-Fi card you get for pentesting supports monitor mode. Both the Ralink 2870 and the Alfa AWUS1900 have that feature.

Setting up Kali

First download the correct ARM Kali image for your device from the Kali website (I recommend a 32-bit image) and flash your SD card.

To flash the SD card I'm using Balena Etcher.

After flashing, boot up your device; some initial configuration is needed. If you're not using a monitor and keyboard, you can plug the Pi into your home network over Ethernet and SSH into it.

To SSH into the system try:

ssh kali@kali.lan

or do a quick host-discovery scan of your network with nmap to find the IP (-sn only pings the hosts, without port scanning them, which is all we need here):

nmap -sn 192.168.1.0/24 -T4

which outputs:

...
Nmap scan report for kali.lan (192.168.1.173)
Host is up (0.016s latency).
...

Log in with the Kali default credentials.

Setup steps for a new Kali install

Run:

sudo kalipi-config

then choose Advanced Options and select Expand Filesystem, so the root partition uses the whole SD card.

You can also set up many things like Wi-Fi, timezone and hostname with kalipi-config, but I'll cover how to do it in the terminal.

Set the timezone; in my case I used "Europe/London":

sudo timedatectl set-timezone Europe/London

Update the system (this can take a while):

sudo apt-get update && sudo apt-get upgrade -y

Optional: Change default SSH keys

Move the current host keys out of the way:

cd /etc/ssh/
sudo mkdir default_kali_keys
sudo mv ssh_host_* default_kali_keys/

This moves your default keys to the new folder. Now regenerate the keys (this may take some time):

sudo dpkg-reconfigure openssh-server

Verify that the new key hashes are different from the old ones (sudo is needed because the private keys are readable by root only):

sudo md5sum ssh_host_*
# compare the new hashes with those of the old keys:
cd default_kali_keys/
sudo md5sum *

Change default username, hosts, hostname and password

Change the login username:

sudo usermod -l [your_new_login_name] kali

usermod refuses to rename an account that still has running processes, so run this from a session that is not logged in as kali (a root login on the console, for example). The home directory stays at /home/kali unless you also pass -d /home/[your_new_login_name] -m.

For the hostname I like to use something that doesn't catch the eye, like asusE402BA or HP382811UX.

sudo hostnamectl set-hostname [hostname_you_want_to_use]

When changing the hostname we also need to update the hosts file in /etc/hosts, otherwise sudo and other tools will complain that they cannot resolve the new hostname. Open it with:

sudo nano /etc/hosts

and change kali to hostname_you_want_to_use on the 127.0.0.1 line:

127.0.0.1       kali    localhost
::1             localhost ip6-localhost ip6-loopback
fe00::0         ip6-localnet
ff00::0         ip6-mcastprefix
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

Change the password to something long and random (e.g. asdFAdasdasdADADa!#1SDFAd*?12DALKDç). Plain passwd changes the password of the user you're logged in as; sudo passwd would set the root password instead:

passwd

Change default ssh port

Change the default SSH port to something of your liking by editing the sshd configuration:

sudo nano /etc/ssh/sshd_config

and replacing the commented-out default line #Port 22 with your port, e.g.:

Port 2222

Restart the SSH service afterwards and reconnect using the new port (ssh -p 2222).
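The edit above is a one-line change, but two details trip people up: the stock sshd_config ships the port commented out (#Port 22), and sshd honours only the first active occurrence of a keyword, so a stale "Port 22" earlier in the file silently wins over a line appended at the end. The helper below is an added example (not code from the original post or from OpenSSH); the sample config fragment, the function names and the edge cases it handles are mine. It makes the change idempotently and reports the value sshd would actually use.

```python
import re

# Constructed sample of a stock sshd_config fragment: the port is commented
# out, which is how the default file ships, so the active "Port 2222" line has
# to be created rather than edited.
SAMPLE_SSHD_CONFIG = """# This is the sshd server system-wide configuration file.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
PermitRootLogin prohibit-password
"""


def _keyword_re(key: str) -> "re.Pattern[str]":
    # Matches "Port 22" (active) and "#Port 22" (commented-out default) only;
    # a free-text comment such as "# Port settings" is left alone.
    return re.compile(r"^\s*(#?)" + re.escape(key) + r"\s+(\S+)\s*$")


def get_sshd_option(config_text: str, key: str) -> "str | None":
    """Return the value sshd would use for `key`: the first ACTIVE occurrence,
    or None when only commented-out lines (or none at all) exist, in which case
    sshd falls back to its built-in default."""
    rx = _keyword_re(key)
    for line in config_text.splitlines():
        m = rx.match(line)
        if m and m.group(1) == "":
            return m.group(2)
    return None


def set_sshd_option(config_text: str, key: str, value: str) -> str:
    """Return config_text with exactly one active `key value` line.

    The first active line is rewritten in place and later active duplicates are
    commented out (sshd would ignore them anyway, but they mislead readers).
    Without an active line, the commented-out default is replaced in place so
    the change appears where a reader expects it; with neither, it is appended.
    """
    rx = _keyword_re(key)
    lines = config_text.splitlines()
    active, commented = [], []
    for i, line in enumerate(lines):
        m = rx.match(line)
        if m:
            (commented if m.group(1) else active).append(i)
    new_line = f"{key} {value}"
    if active:
        lines[active[0]] = new_line
        for i in active[1:]:
            lines[i] = "#" + lines[i].lstrip()
    elif commented:
        lines[commented[0]] = new_line
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hardened = set_sshd_option(SAMPLE_SSHD_CONFIG, "Port", "2222")
    print(hardened)
    print("effective port:", get_sshd_option(hardened, "Port"))
```

The same helper works for any single-value keyword (PermitRootLogin, PasswordAuthentication), and running it twice leaves the file unchanged, which makes it safe to call from a provisioning script.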

Setup Access through Wi-Fi

As this is a portable setup we need to SSH into our Pi over Wi-Fi; this can be done in two ways:

  1. The Raspberry Pi creates an access point on boot, and you connect to it from your mobile phone
  2. You create a hotspot on your mobile phone, and the Raspberry Pi connects to it automatically on boot

I prefer the second option, and that's what I will be doing.

Configuring Wi-Fi credentials

Open the wpa_supplicant configuration file in nano: sudo nano /etc/wpa_supplicant.conf

Add your Wi-Fi network and password, where ssid is the name of your network/hotspot and psk is your Wi-Fi password.

Go to the bottom of the file and add the following:

network={
    ssid="MyHotspotName"
    psk="testingPassword"
}

The password can be configured either as the ASCII passphrase, in quotes as in the example above, or as the 32-byte (64 hex digit) pre-shared key that wpa_supplicant derives from the passphrase and the SSID (PBKDF2-HMAC-SHA1 with 4096 iterations). You can use the wpa_passphrase utility to generate it: it takes the SSID and the password and prints the derived PSK. With the example from above, run wpa_passphrase MyHotspotName; you will then be asked for the password of the wireless network (in this case testingPassword). The output is as follows:

network={
	ssid="MyHotspotName"
	#psk="testingPassword"
	psk=c726e486f5e81e756114e7bc004cd87581f52ea5c791349511cd73c41500a077
}

Now update your wpa_supplicant.conf with the psk line above (drop the commented #psk line, which still contains the passphrase). I prefer this approach as your Wi-Fi password is not saved in plain text. Keep in mind that the derived PSK is itself the key used to join the network, so anyone who can read the file can still connect; what it protects is the human passphrase, which people tend to reuse elsewhere. Keep the file readable by root only.
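To make the derivation concrete, here is the computation wpa_passphrase performs, written out in Python as an added example (not code from the original post or from wpa_supplicant): PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as salt, 4096 iterations and a 256-bit output. The function names are mine; the only values asserted in the test are the published IEEE 802.11i test vector ("password" / "IEEE"), not the hash from the post.

```python
import hashlib


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the WPA/WPA2-Personal pre-shared key from a passphrase the way
    wpa_passphrase does: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations,
    256-bit output, returned as 64 hex digits."""
    if not 8 <= len(passphrase) <= 63:
        # wpa_passphrase enforces the same bounds, which come from IEEE 802.11i
        raise ValueError("passphrase must be 8..63 characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), 4096, dklen=32)
    return key.hex()


def network_block(ssid: str, passphrase: str) -> str:
    """Render a wpa_supplicant network={} block that stores only the derived
    PSK, without the commented #psk="..." line that wpa_passphrase also prints
    and that would leak the passphrase back into the file."""
    return (
        "network={\n"
        f'\tssid="{ssid}"\n'
        f"\tpsk={wpa_psk(ssid, passphrase)}\n"
        "}\n"
    )


if __name__ == "__main__":
    # Same SSID and passphrase as the post's example.
    print(network_block("MyHotspotName", "testingPassword"))
```

Because the salt is the SSID, the same passphrase yields a different PSK on every network, so a PSK copied out of this file cannot be replayed against another access point, but it still opens the network it was derived for.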

At this point you can reboot Kali, turn on your hotspot (I use my mobile) and SSH into it using any terminal app on iOS or Android.

Optional: Installing AWUS1900 drivers (RTL8814AU)

As I'm using the Alfa AWUS1900 Wi-Fi card, I need to install its driver; if you're using the same card as me, these are the steps to follow.

First install the necessary tools:

sudo apt-get install -y linux-headers-$(uname -r) build-essential dkms git libelf-dev

Then clone the driver repo and enter it:

git clone https://github.com/morrownr/8814au.git
cd 8814au

Execute the script for the 32-bit Raspberry Pi build (or just edit the Makefile to set ARCH accordingly):

./raspi32.sh

Run the install script:

sudo ./install-driver.sh

When it finishes it will ask to reboot; say yes.

After the reboot, run:

iwconfig

You should see two wireless interfaces, with wlan1 being the AWUS1900:

wlan1     unassociated  Nickname:"WIFI@RTL8814AU"
          Mode:Managed  Frequency=2.412 GHz  Access Point: Not-Associated
          Sensitivity:0/0
          Retry:off   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

lo        no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=31 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

eth0      no wireless extensions.

If you need to install Ralink drivers you can do:

sudo apt-get install firmware-ralink # for ralink

Wi-Fi Pentesting

First make sure your device is detected; otherwise you will need to install the correct drivers for it (search for something like "linux/kali your_wifi_card driver"):

$ lsusb
Bus 001 Device 005: ID 1546:01a8 U-Blox AG [u-blox 8]
Bus 001 Device 006: ID 0bda:8813 Realtek Semiconductor Corp. RTL8814AU 802.11a/b/g/n/ac Wireless Adapter

Here we can see that both the Alfa AWUS1900 card and the USB GPS receiver are detected.

By default Linux will use your wlan0 adapter to connect to Wi-Fi; make sure wlan1 is the Wi-Fi card you want to use for pentesting, so that you don't put the interface carrying your SSH session into monitor mode by mistake.

You can check this in several ways. This command shows the driver used by a wireless adapter; it should match what you're expecting (brcmfmac is the Pi's built-in Broadcom chip, while the AWUS1900 uses the 88XXau driver installed above):

ethtool -i wlan0 | grep driver
driver: brcmfmac

Another way is to use ifconfig and check that wlan0 has an inet IP address and that wlan1 does not.

$ ifconfig

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.10.4  netmask 255.255.255.240  broadcast 172.20.10.15
        inet6 fe80::ba27:ebff:fee8:4551  prefixlen 64  scopeid 0x20<link>
        ether b8:26:eb:e3:71:60  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 1374 (1.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22  bytes 3117 (3.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether be:7e:7a:c5:fa:6c  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

You can also use iwconfig as mentioned before.

Note: again, if you cannot see all your cards, make sure you have the drivers installed.

Change MAC address

Before doing a pentest always change your MAC address. I'm using wlan1 as mentioned before; it is the interface of the Alfa AWUS1900 card.

Check the current MAC:

macchanger -s wlan1

Change the MAC of the interface you're using for pentesting; always do this before pentesting (adjust to wlan0 or wlan1 accordingly):

sudo ifconfig wlan1 down
sudo macchanger -r wlan1
sudo ifconfig wlan1 up

Change your MAC to a specific address:

sudo ifconfig wlan1 down
sudo macchanger -m 00:d0:70:00:20:69 wlan1
sudo ifconfig wlan1 up

Scanning networks

First we need to put the Wi-Fi interface in monitor mode:

sudo ifconfig wlan1 down
sudo iwconfig wlan1 mode monitor
sudo ifconfig wlan1 up

and to revert to managed mode:

sudo ifconfig wlan1 down
sudo iwconfig wlan1 mode managed
sudo ifconfig wlan1 up

Or use airmon-ng to put wlan1 in monitor mode:

sudo airmon-ng start wlan1

In some cases, when an interface is set to monitor mode, its name changes from wlan1 to wlan1mon; pay attention to that and adjust the commands below if necessary.

Running sudo airmon-ng start wlan1 outputs:

Found 5 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

  PID Name
  376 dhclient
  466 NetworkManager
  542 wpa_supplicant
  550 dhclient
  617 wpa_supplicant

PHY	Interface	Driver		Chipset

phy0	wlan0		brcmfmac	Broadcom 43430
phy1	wlan1		88XXau		Realtek Semiconductor Corp. RTL8814AU 802.11a/b/g/n/ac

Run sudo airmon-ng check kill to stop those processes before enabling monitor mode. Be aware that this also kills NetworkManager and wpa_supplicant, so the hotspot connection on wlan0 (and an SSH session running over it) will drop until you restart them or reboot.

Scan for networks with airodump-ng:

sudo airodump-ng wlan1

 CH  1 ][ Elapsed: 12 s ][ 2021-06-27 20:36

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 AC:12:CF:51:33:40  -34        5        0    0   6  360   WPA2 CCMP   PSK  Vodafone
 92:12:CF:51:33:40  -34        5        0    0   6  324   WPA2 CCMP   MGT  <length:  0>
 88:A2:DF:01:63:B0  -62       24        0    0   2   54   WPA  CCMP   PSK  Vodafone-0062B4
 5E:02:DF:C1:03:50  -62       37        0    0   6   54   WPA2 CCMP   PSK  <length:  6>
 44:02:4F:61:43:F0  -63       19        0    0   7   54        CCMP   PSK  Vodafone-2.4Ghz
 4A:02:4F:61:43:F0  -63       21        0    0   7   54        CCMP   PSK  Vodafone-Guest
 24:A2:3F:F1:53:50  -77       10       13    0  10   54   WEP  WEP         Lord Voldemodem
 4A:02:4F:81:B3:40  -78        2        0    0   8   54        CCMP   PSK  Vodafone-Guest2
 00:02:9F:81:B3:60  -82       10        1    0   1   54   WPA2 CCMP   PSK  Grey Fox
 CC:12:AF:31:B3:F0  -79        9        0    0   6   54   OPN              LAN of Milk & Honey
 CC:22:2F:31:A3:E0  -82       13        0    0   6   54   WPA2 CCMP   PSK  Prohibited Area
 00:02:9F:81:B3:60  -80       12        0    0   1   54   OPN              MEO-WiFi
 00:02:9F:D1:B3:70  -80        4        0    0  11   54   OPN              MEO-WiFi
 00:02:9F:D1:B3:70  -80        5        2    0  11   54   WPA2 CCMP   PSK  MEO-CF13BA
 CC:12:AF:31:B3:F0  -82        9        1    0   6   54   WPA2 CCMP   PSK  MEO-3FAS12
 A0:D2:0F:41:B3:90  -82        3        0    0   9   54   WPA  CCMP   PSK  NOS_Internet_0000
 58:F2:8F:41:43:00  -82        6        0    0   5   54   WPA  CCMP   PSK  Prohibited Area
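
Reading that table by eye is fine for a dozen rows, but on a longer run you want it parsed, and the format has traps: the ENC column is blank while airodump-ng has not yet worked out the encryption, the ESSID may contain spaces, and your own tethering hotspot appears on every scan. The parser below is an added example (not code from the original post or from the aircrack-ng suite); it reads an airodump-ng screen dump like the one above, embedded here as a constructed sample of a few of its rows, and produces the summary a defender wants from a site survey: counts per security class and the networks that are open or WEP. The function names, the field names and the list of recognised ENC/CIPHER/AUTH tokens are mine.

```python
import re
from collections import Counter

# Constructed sample: a handful of rows copied from the airodump-ng table above.
# Two rows have a blank ENC column and two ESSIDs contain spaces, which is
# exactly what a naive str.split() parser gets wrong.
SAMPLE_AIRODUMP = """\
 CH  1 ][ Elapsed: 12 s ][ 2021-06-27 20:36

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 AC:12:CF:51:33:40  -34        5        0    0   6  360   WPA2 CCMP   PSK  Vodafone
 92:12:CF:51:33:40  -34        5        0    0   6  324   WPA2 CCMP   MGT  <length:  0>
 88:A2:DF:01:63:B0  -62       24        0    0   2   54   WPA  CCMP   PSK  Vodafone-0062B4
 44:02:4F:61:43:F0  -63       19        0    0   7   54        CCMP   PSK  Vodafone-2.4Ghz
 24:A2:3F:F1:53:50  -77       10       13    0  10   54   WEP  WEP         Lord Voldemodem
 CC:12:AF:31:B3:F0  -79        9        0    0   6   54   OPN              LAN of Milk & Honey
 00:02:9F:81:B3:60  -82       10        1    0   1   54   WPA2 CCMP   PSK  Grey Fox
"""

# Numeric columns are fixed in order, so a regex anchored on the BSSID is enough
# to tell an access-point row from the header, the status line and blank lines.
ROW_RE = re.compile(
    r"^\s*(?P<bssid>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+"
    r"(?P<pwr>-?\d+)\s+(?P<beacons>\d+)\s+(?P<data>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<ch>-?\d+)\s+(?P<mb>\S+)(?P<tail>.*)$"
)
# ENC, CIPHER and AUTH are each optional because airodump-ng leaves a column
# blank until it has seen enough frames to fill it in; whatever is left is the
# ESSID, spaces included. (Assumption: an ESSID does not itself start with one
# of these tokens.)
TAIL_RE = re.compile(
    r"^\s*(?:(?P<enc>OPN|WEP|WPA3|WPA2|WPA)\s+)?"
    r"(?:(?P<cipher>CCMP|GCMP|TKIP|WEP104|WEP40|WEP)\s+)?"
    r"(?:(?P<auth>PSK|MGT|SAE|OPN)\s+)?"
    r"(?P<essid>.*?)\s*$"
)


def parse_airodump(text: str) -> list:
    """Parse the access-point table of an airodump-ng screen dump into one dict
    per BSSID row; header, status and station lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        t = TAIL_RE.match(m.group("tail"))
        rows.append({
            "bssid": m.group("bssid"),
            "power": int(m.group("pwr")),
            "beacons": int(m.group("beacons")),
            "data": int(m.group("data")),
            "channel": int(m.group("ch")),
            "enc": t.group("enc") or "",
            "cipher": t.group("cipher") or "",
            "auth": t.group("auth") or "",
            "essid": t.group("essid"),
        })
    return rows


def security_class(ap: dict) -> str:
    """Map a row to a coarse security class; a CCMP/TKIP cipher with a blank
    ENC column still counts as WPA, which is what the cipher implies."""
    if ap["enc"] == "OPN":
        return "open"
    if ap["enc"] == "WEP" or ap["cipher"].startswith("WEP"):
        return "wep"
    if ap["enc"] in ("WPA", "WPA2", "WPA3") or ap["cipher"] in ("CCMP", "GCMP", "TKIP"):
        return "wpa-enterprise" if ap["auth"] == "MGT" else "wpa-personal"
    return "unknown"


def summarize(rows: list, exclude_essids=()) -> dict:
    """Count access points per security class, dropping your own tethering
    hotspot so it does not pollute the results, and list the networks that
    offer no real protection (open or WEP)."""
    kept = [r for r in rows if r["essid"] not in exclude_essids]
    counts = Counter(security_class(r) for r in kept)
    weak = sorted((r["essid"], r["bssid"]) for r in kept
                  if security_class(r) in ("open", "wep"))
    return {"total": len(kept), "by_class": dict(counts), "weak": weak}


if __name__ == "__main__":
    print(summarize(parse_airodump(SAMPLE_AIRODUMP), exclude_essids={"MyHotspotName"}))
```

Feed it the text of a saved screen session; for the CSV files that airodump-ng --write produces, the csv module is the better tool, but the classification logic carries over unchanged.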

You can dump IVs for a specific network by running the following command:

sudo airodump-ng --ivs --bssid 24:A4:3C:F8:5B:54 --channel 10 -w "Lord Voldemodem" --output-format ivs wlan1

IMPORTANT: DO NOT DO ANYTHING ILLEGAL!!! In several countries you can go to jail for cracking and connecting to a network without authorization!

War Driving

Wardriving is the act of searching for Wi-Fi wireless networks, usually from a moving vehicle, using a laptop or smartphone. Software for wardriving is freely available on the internet. Warbiking, warcycling, warwalking and similar use the same approach but with other modes of transportation.

You can easily create a database of the Wi-Fi networks in your area, saving their SSID and GPS location as well as their security protocols.

I do not endorse this, but it can be used to track people: a Wi-Fi client (for example your phone) may constantly broadcast probe requests for the networks it has saved (like your home Wi-Fi name), asking whether they are in range. So if a phone probes for an SSID you already have in your DB, you now know where that person lives/works... which is basically what Google and Facebook do. Recent iOS and Android versions mitigate this by randomizing the MAC address per network and by not probing for saved networks by name, so this mostly affects older devices and networks saved as hidden.

By wardriving you can contribute to a project called WiGLE: Wireless Network Mapping.

gpsd

Install gpsd, an interface daemon for GPS receivers:

sudo apt-get install gpsd

Make sure gpsd is running and attached to your receiver before starting airodump-ng (cgps, from the gpsd-clients package, shows whether it has a fix). Now you can record all the data from airodump-ng together with GPS data:

# to view
sudo airodump-ng wlan1 --gpsd

# to save to file in kismet format:
sudo airodump-ng wlan1 --gpsd --output-format kismet --write capture

Note:

Using a hotspot to tether your device will pollute your results, since that SSID will show up everywhere. Using screen and turning off your hotspot until you need to reconnect avoids this. If your Pi loses power while writing Kismet data to the root filesystem, it will very likely corrupt the OS and need to fsck itself before it can be used autonomously again. Make sure to shut down your Pi cleanly, or have a "safe kill" button to properly shut it down after a recon run if you can't log in via SSH.