Pocket Pentesting Kit

Pocket Pentesting Kit

How to use and build a pocket penetration testing kit with Raspberry and Kali Linux.

Having a small and portable pentesting setup can be useful some times, so I wanted to build one for myself.

What you will need:

  • Raspberry Pi (2 or above) or another supported ARM board (I'll be using a raspberry pi 3)
  • Wifi Dongle (like the RALINK 2870) or something like the Alfa Awus1900 (for better range)
  • Optional: Another Wifi Dongle (just if your raspberry does not have wifi built-in)
  • Optional: USB GPS Receiver (I'm using the GN208G) for wardriving
  • SD Card
  • Power bank

NOTE: make sure that the Wifi Card that you get for pentesting supports monitor mode. Both Ralink 2870 and Alfa Awus 1900 have that feature.

Setting up Kali

First download the correct ARM Kali image for your device from the Kali Website(I recommend a 32bit image) and flash your SD card.

To flash the SD Card I'm using Balena Etcher.

After flashing just bootup your device and we need to do some initial configurations. If you're not using a monitor and keyboard, you can just plug the PI to your home network using ethernet and ssh into it.

To ssh into the system try:

ssh kali@kali.lan

or do a quick scan of your network using nmap to find the ip:

nmap -sn -sV -T4


Nmap scan report for kali.lan (
Host is up (0.016s latency).

Log in with kali default credentials.

Setup steps for a new Kali Install


sudo kalipi-config

then choose advanced options and then select expand file system.

You can also setup a lot of settings like wifi, timezone, hostname with kalipi-config but I'll cover how to do it in the terminal.

set timezone, in my case I used "Europe/London":

timedatectl set-timezone Europe/London

update system (this can take a while):

sudo apt-get update && sudo apt-get upgrade -y

Optional: Change default SSH keys

cd /etc/ssh/
mkdir default_kali_keys
mv ssh_host_* default_kali_keys/

This will move your default keys to the new folder... Regenerate the keys (this may take some time ...):

dpkg-reconfigure openssh-server

Verify ssh key hashes are different:

md5sum ssh_host_*
Compare new key hashes to the hashes below)
cd default_kali_keys/
md5sum *

Change default username, hosts, hostname and password

Change login username:

usermod -l [your_new_login_name] kali

For the hostname I like to use something that doesn't catch someone's eye, like asusE402BA or HP382811UX.

sudo hostnamectl set-hostname [hostname_you_want_to_use]

and change kali to hostname_you_want_to_use:       kali    localhost
::1             localhost ip6-localhost ip6-loopback
fe00::0         ip6-localnet
ff00::0         ip6-mcastprefix
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

When changing the hostname we all also need to update the hosts file in /etc/hosts, you can do it by running the following command:

sudo nano /etc/hosts

change password to something random and big (ex: asdFAdasdasdADADa!#1SDFAd*?12DALKDç )

sudo passwd

Change default ssh port

Change the default ssh port for something of your liking:

sudo nano /etc/ssh/sshd_config 
Port 2222

Setup Access through Wifi

As this is a portable setup we need to ssh into our PI through wifi, this can be done in two ways:

  1. The raspberry creates an Access Point on boot, and you connect to it from your mobile phone
  2. You create an hotspot on your mobile phone and the raspberry will automatically connect to it on boot

I prefer the second option, and that's what I will be doing.

Configuring wifi credentials

Open the wpa-supplicant configuration file in nano: sudo nano /etc/wpa_supplicant.conf

And add your wifi network and password, where ssid is the name of your network/hotspot, and psk is your wifi password.

Go to the bottom of the file and add the following:


The password can be configured either as the ASCII representation, in quotes as per the example above, or as a pre-encrypted 32 byte hexadecimal number. You can use the wpa_passphrase utility to generate an encrypted PSK. This takes the SSID and the password, and generates the encrypted PSK. With the example from above, you can generate the PSK with wpa_passphrase MyHotspotName. Then you will be asked for the password of the wireless network (in this case testingPassword). The output is as follows:


Now we can update your wpa_supplicant.conf with the psk encrypted information above, I prefer this approach as your wifi password is not saved in plain text.

As of this moment, you can reboot kali, turn on your hotspot (i use my mobile) and ssh into it using any terminal app on iOS or Android.

Optional: Installing AWUS1900 drivers RTL8814AU

As I'm using the Alfa Awus1900 wifi card, I'll be needing to install the drivers, if you're using the same card as me, these are the steps you need to follow.

First install the necessary tools:

sudo apt-get install -y linux-headers-$(uname -r) build-essential dkms git libelf-dev

Then clone the driver repo and enter repo:

git clone https://github.com/morrownr/8814au.git
cd 8814au

Execute the script for raspberry pi 32 bits (or just edit the MAKEFILE to update the ARCH accordingly):


Run the install script:

sudo ./install-driver.sh

After finishing it will ask to reboot, just say yes.

After the reboot, just run:


you should see two interfaces, with wlan1 being the Awus1900:

wlan1     unassociated  Nickname:"WIFI@RTL8814AU"
          Mode:Managed  Frequency=2.412 GHz  Access Point: Not-Associated
          Retry:off   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

lo        no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=31 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

eth0      no wireless extensions.

If you need to instal ralink drivers you can do:

sudo apt-get install firmware-ralink # for ralink

Wifi Pentesting

First make sure your device is detected, otherwise you will need to install the correct drivers for it (just search something like linux/kali your_wifi_card driver):

$ lsusb
Bus 001 Device 005: ID 1546:01a8 U-Blox AG [u-blox 8]
Bus 001 Device 006: ID 0bda:8813 Realtek Semiconductor Corp. RTL8814AU 802.11a/b/g/n/ac Wireless Adapter

Here we can see that both Alfa Awus1900 card and USB GPS receiver are detected.

By default linux will use your wlan0 adapter to connect to wifi, make sure your wlan1 is the wifi card you want to use for pentesting.

You can do this in several ways, this command fetches the driver used for the wireless adapter, it should match what you're expecting.

ethtool -i wlan0 | grep driver
driver: brcmfmac

Another way is just using ifconfig and checking if wlan0 has a inet ip, and making sure that wlan1 does not.

$ ifconfig

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::ba27:ebff:fee8:4551  prefixlen 64  scopeid 0x20<link>
        ether b8:26:eb:e3:71:60  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 1374 (1.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22  bytes 3117 (3.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether be:7e:7a:c5:fa:6c  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

and you can also use iwconfig as mentioned before.

Note: Again, if you cannot see all your cards, make sure you have the drivers installed.

Change mac address

Before doing a pentest always change your mac address, i'm using wlan1 as mentioned before, it is the interface i'm using and it represents to the Alfa Awus1900 card.

Check current mac :

macchanger -s wlan1

change mac for the interface you're using for pentesting, always do this before pentesting (adjust accordingly to wlan0 or wlan1):

ifconfig wlan1 down
macchanger -r wlan1
ifconfig wlan1 up

change your mac to a specific mac:

ifconfig wlan1 down
macchanger -m 00:d0:70:00:20:69 wlan1
ifconfig wlan1 up

Scanning networks

first we need to put the wifi interface in monitor mode:

sudo ifconfig wlan1 down
sudo iwconfig wlan1 mode monitor
sudo ifconfig wlan1 up

and to revert to managed mode:

ifconfig wlan1 down  
iwconfig wlan1 mode managed  
ifconfig wlan1 up

OR use airmon-ng for to put wlan1 in monitor mode:

sudo airmon-ng start wlan1

In some cases, when an interface is set to monitor mode, its name changes from wlan1 to wlan1mon, pay attention to that and adjust the commands below if necessary.

running sudo airmon-ng start wlan1 outputs:

Found 5 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

  PID Name
  376 dhclient
  466 NetworkManager
  542 wpa_supplicant
  550 dhclient
  617 wpa_supplicant

PHY	Interface	Driver		Chipset

phy0	wlan0		brcmfmac	Broadcom 43430
phy1	wlan1		88XXau		Realtek Semiconductor Corp. RTL8814AU 802.11a/b/g/n/ac

run airmon-ng check kill to fix any issues.

scan for networks with airodump-ng:

sudo airodump-ng wlan1
 CH  1 ][ Elapsed: 12 s ][ 2021-06-27 20:36

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 AC:12:CF:51:33:40  -34        5        0    0   6  360   WPA2 CCMP   PSK  Vodafone
 92:12:CF:51:33:40  -34        5        0    0   6  324   WPA2 CCMP   MGT  <length:  0>
 88:A2:DF:01:63:B0  -62       24        0    0   2   54   WPA  CCMP   PSK  Vodafone-0062B4
 5E:02:DF:C1:03:50  -62       37        0    0   6   54   WPA2 CCMP   PSK  <length:  6>
 44:02:4F:61:43:F0  -63       19        0    0   7   54        CCMP   PSK  Vodafone-2.4Ghz
 4A:02:4F:61:43:F0  -63       21        0    0   7   54        CCMP   PSK  Vodafone-Guest
 24:A2:3F:F1:53:50  -77       10       13    0  10   54   WEP  WEP         Lord Voldemodem
 4A:02:4F:81:B3:40  -78        2        0    0   8   54        CCMP   PSK  Vodafone-Guest2
 00:02:9F:81:B3:60  -82       10        1    0   1   54   WPA2 CCMP   PSK  Grey Fox
 CC:12:AF:31:B3:F0  -79        9        0    0   6   54   OPN              LAN of Milk & Honey
 CC:22:2F:31:A3:E0  -82       13        0    0   6   54   WPA2 CCMP   PSK  Prohibited Area
 00:02:9F:81:B3:60  -80       12        0    0   1   54   OPN              MEO-WiFi
 00:02:9F:D1:B3:70  -80        4        0    0  11   54   OPN              MEO-WiFi
 00:02:9F:D1:B3:70  -80        5        2    0  11   54   WPA2 CCMP   PSK  MEO-CF13BA
 CC:12:AF:31:B3:F0  -82        9        1    0   6   54   WPA2 CCMP   PSK  MEO-3FAS12
 A0:D2:0F:41:B3:90  -82        3        0    0   9   54   WPA  CCMP   PSK  NOS_Internet_0000
 58:F2:8F:41:43:00  -82        6        0    0   5   54   WPA  CCMP   PSK  Prohibited Area

you can dumping IVS by running the following command:

sudo airodump-ng --ivs --bssid 24:A4:3C:F8:5B:54 --channel 10 -w "Lord Voldemodem" --output-format ivs wlan1

get familiar with:

Useful links:

IMPORTANT: DO NOT DO ANYTHING ILEGAL!!! In several countries you can go to jail for cracking and connecting to a network without authorization!

War Driving

Wardriving is the act of searching for Wi-Fi wireless networks, usually from a moving vehicle, using a laptop or smartphone. Software for wardriving is freely available on the internet. Warbiking, warcycling, warwalking and similar use the same approach but with other modes of transportation.

You can easily create a database of the wifi networks in your area, saving their SSID and GPS location, as their security protocols.

I do not endorse this, but this can be used to track people, as your wifi modem (for example, from your phone) is constantly broadcasting the wifi networks it has saved in memory (like your home wifi name) asking if their are in range. So with this, if a mobile asks you for a SSID you already have in your DB, now you know where that person lives/works... which is basically what Google and Facebook does.

By wardriving you can contribute to this project called WiGLE: Wireless Network Mapping.


Install an interface daemon for GPS receivers, gpsd:

sudo apt-get install gpsd

now you can record all the data from airodump-ng with gps data:

# to view
sudo airodump-ng wlan1 --gpsd

# to save to file with kismet format:
sudo airodump-ng wlan1 --gpsd --output-format kismet --write capture


Using a hotspot to tether your device will pollute your results with that SSID showing up everywhere. Using screen and turning off your hotspot until you need to reconnect will avoid this. If your Pi dies while writing Kismet data to root, it will very likely corrupt the OS and need to go Fsck itself before it can be used autonomously again. Make sure to shut down your Pi, or have a "safe kill" button to properly shut down your Pi after a recon run if you can't log in via SSH.