Kali and R-PI

Step aside Windows and Intel ... this new world belongs to Linux and ARM. The days of x86 (yuk!) are receding and the command line is King again! The Raspberry Pi (R-PI) is a fantastic device and I've used it with Ubuntu for my demonstrations. I now have a whole lot of new demonstrations coming up, and they are going to be much more in-depth than they have been in the past. Along with this we have a few new research projects which go into great depth on capturing wireless packets. And, things are just moving closer to the hardware, so we need a test system which we can control more than a desktop system. So I decided to build a pen testing infrastructure with the R-PI, where I can get all the tools I need, within a proper Linux infrastructure. I've kinda given up trying to get workarounds with Windows for my Python code, so Linux is the only solution, and Kali is the only one that makes sense for in-depth testing.

First, you download the standard image for Pi 3 (kali-2.1.2-rpi2.img.xz which, with Unarchiver, expands to kali-2.1.2-rpi2.img). On my MacBook, I then pointed my dd utility to write the SD card with Kali:

```
billbuchanan@MacBook-Pro-3:~$ diskutil list
/dev/disk2 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *31.9 GB    disk2
   1:             Windows_FAT_32 NO NAME                 64.0 MB    disk2s1
   2:                      Linux                         7.3 GB     disk2s2
billbuchanan@MacBook-Pro-3:~$ umount /dev/disk2
umount: /dev/disk2: not currently mounted
```

You can see we have 32GB on the disk. Then the scary bit (check the identifier from diskutil list first, as dd will happily overwrite whatever of= points at):

```
dd if=kali-2.1.2-rpi2.img of=/dev/disk2 bs=1m
```

It takes a while to write a 32GB card (10-15 minutes), but just press Ctrl-T and you'll see where it is. In my case, I used /dev/rdisk2 (a raw disk write), which is faster for accesses.
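A check worth running once dd has finished, as an added example that is not part of the original post: read the card back and compare it byte-for-byte with the image, so that a silently failed or truncated write (or a worn card) is caught before the Pi fails to boot. It assumes the same names used above, the image file and the raw device /dev/rdisk2, and must be run as root with the card left in the reader; reads are done in 1 MiB chunks, a multiple of the 512-byte sector size that raw devices on macOS require.

```python
import os
import sys


def verify_image_written(image_path, device_path, chunk=1 << 20):
    """Compare the image byte-for-byte with the start of the device (or of a file).

    Returns (True, bytes_compared) when every byte of the image is present on the
    device, or (False, offset) with the offset of the first chunk that differs.
    Only the first len(image) bytes are checked: the rest of the card is unused
    until the root partition is grown with gparted.
    """
    size = os.path.getsize(image_path)
    offset = 0
    with open(image_path, "rb") as img, open(device_path, "rb") as dev:
        while offset < size:
            want = min(chunk, size - offset)
            expected = img.read(want)
            # A short read from the device (card smaller than the image) also
            # shows up here as a mismatch rather than being skipped over.
            actual = dev.read(want)
            if actual != expected:
                return False, offset
            offset += want
    return True, size


if __name__ == "__main__":
    # Usage (assumed paths): sudo python3 verify_image.py kali-2.1.2-rpi2.img /dev/rdisk2
    image, device = sys.argv[1], sys.argv[2]
    ok, where = verify_image_written(image, device)
    if ok:
        print("OK: %d bytes on %s match %s" % (where, device, image))
    else:
        print("MISMATCH at byte offset %d; rewrite the card and check again" % where)
    sys.exit(0 if ok else 1)
```

Run it against the raw device (/dev/rdisk2) rather than the buffered one so the bytes come from the card and not from the page cache that dd just filled.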
When pressing Ctrl-T you see updates on the status of the disk:

```
244+0 records in
243+0 records out
254803968 bytes transferred in 11.596012 secs (21973413 bytes/sec)
```

After this you need all the updates:

```
sudo apt-get update && sudo apt-get upgrade
```

And then, as you don't want to depend on the HDMI output, we install a VNC server and copy-and-paste support:

```
apt-get install tightvncserver
apt-get install autocutsel
```

Next it's SSH:

```
apt-get install openssh-server
```

Second, revert to the SSH defaults, which will run SSH on boot, and regenerate the host keys (every copy of the downloaded image ships with the same keys, so every Pi built from it would otherwise present an identical SSH identity):

```
update-rc.d -f ssh remove
update-rc.d -f ssh defaults
cd /etc/ssh/
rm ssh_host_*
dpkg-reconfigure openssh-server
```

And then all the Kali packages:

```
apt-get install kali-linux-all
```

I booted up, and with a bit of install of the Ubertooth One, and in connecting my Pineapple Wi-Fi adapter, it all worked.

A key thing is to get SSH and VNC installed (and to have a handy USB keyboard nearby, to fix boot problems, especially as the file system corrupts itself on power off). The new R-PI even has built-in Bluetooth and Wi-Fi, but when I turned to a basic pen testing app (nmap), it gave me errors:

```
root@kali:~# nmap 192.168.0.1 -e wlan0

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-19 10:47 UTC
WARNING: eth_send of ARP packet returned -1 rather than expected 42 (errno=22: Invalid argument)
WARNING: eth_send of ARP packet returned -1 rather than expected 42 (errno=22: Invalid argument)
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.90 seconds
```

The problem is that the Broadcom chip on-board the R-PI has a bug, and the kernel returns an error when nmap tries to send raw ARP frames through it. I tried so many updates for this, but gave up, so I popped in my trusty Realtek USB device and scanned for it:

```
root@kali:~# lsusb
Bus 001 Device 004: ID 0bda:8176 Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter
Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp. SMSC9512/9514 Fast Ethernet Adapter
Bus 001 Device 002: ID 0424:9514 Standard Microsystems Corp. SMC9514 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
```

and by magic it worked:

```
root@kali:~# nmap 192.168.0.1 -e wlan1

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-19 10:56 UTC
Nmap scan report for myrouter.net (192.168.0.1)
Host is up (0.025s latency).
Not shown: 994 closed ports
PORT      STATE    SERVICE
22/tcp    filtered ssh
23/tcp    filtered telnet
53/tcp    open     domain
80/tcp    open     http
1900/tcp  open     upnp
49152/tcp open     unknown
MAC Address: XX:XX:XX:XX:XX:XX

Nmap done: 1 IP address (1 host up) scanned in 3.24 seconds
```

And it was all systems go for SSH and VNC. And you have so much control in analysing Bluetooth packets with the Ubertooth One device. Now if we connect the Alfa Network card and test with airmon-ng:

```
root@kali:~# airmon-ng

PHY     Interface       Driver          Chipset

null    wlan0           ??????          Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter
phy0    wlan1           ??????          Broadcom 43430
phy1    wlan2           rt2800usb       Ralink Technology, Corp. RT2870/RT3070

root@kali:~# airmon-ng start wlan2

Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  175 NetworkManager
  363 wpa_supplicant
  491 dhclient
  609 dhclient

PHY     Interface       Driver          Chipset

null    wlan0           ??????          Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter
phy0    wlan1           ??????          Broadcom 43430
phy1    wlan2           rt2800usb       Ralink Technology, Corp. RT2870/RT3070

                (mac80211 monitor mode vif enabled for [phy1]wlan2 on [phy1]wlan2mon)
                (mac80211 station mode vif disabled for [phy1]wlan2)
```

We can see we are now monitoring on wlan2mon, and to test:

```
root@kali:~# airodump-ng wlan2mon

 CH  5 ][ Elapsed: 1 min ][ 2017-02-19 12:10

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 XX:FC:AF:XX:XX:XX  -44       39      893   24   1  22e  WPA               ZZZZZ
 XX:A1:XX:XX:XX:XX  -49       34        0    0  11  54e  WPA2 CCMP   PSK  ZZZZZ
 XX:D3:XX:XX:XX:XX  -65       46        0    0   6  54e  WPA2 CCMP   PSK  ZZZZZ
 XX:21:XX:XX:XX:XX  -90        3        1    0  13  54e  WPA2 CCMP   PSK  ZZZZZ

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 (not associated)   XX:XX:XX:XX:XX:XX  -44    0 - 1      0       10  ZZZZZ
 XX:XX:XX:XX:XX:XX  XX:XX:XX:XX:XX:XX   -1    0e- 0      0       46
 XX:XX:XX:XX:XX:XX  XX:XX:XX:2B:XX:XX  -20    0e- 0e     0      836
```

We can now grab the four-way handshake with:

```
airodump-ng -c 1 --bssid XX:FC:AF:XX:XX:XX -w psk wlan2mon
```

This listens for the required BSSID on channel 1, and will create a file which begins with psk and has a .cap extension. The output here is:

```
 CH  1 ][ Elapsed: 18 s ][ 2017-02-19 21:38 ][ WPA handshake: XX:FC:AF:XX:XX:XX

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 XX:FC:AF:XX:XX:XX  -30   0      215     3077   90   1  54e  WPA2 CCMP   PSK  ZZZZZ

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 XX:FC:AF:XX:XX:XX  XX:XX:XX:XX:XX:XX  3 -22    0e- 1e     0     2569
```

Next we create a list of passwords in password.lst. We can then analyse the cap files with:

```
aircrack-ng -w password.lst -b XX:FC:AF:XX:XX:XX psk*.cap
```

This gives the results of (where some details have been removed):

```
                                 Aircrack-ng 1.2 rc4

      [00:00:00] 2/1 keys tested (28.31 k/s)

      Time left: 0 seconds                                     200.00%

                          KEY FOUND! [ ------- ]

      Master Key     : 5C ------------------- 0C
                       3A ------------------- 53

      Transient Key  : 6A ------------------- EB
                       4D ------------------- 72
                       7A ------------------- 87
                       80 ------------------- 21

      EAPOL HMAC     : C0 ------------------- 95
```

And it works perfectly.
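The airodump-ng run above only shows the live table, but with -w psk it also writes the same data to psk-01.csv, and that file is the defender's side of the scan: an inventory of which access points in range still advertise open, WEP, WPA-only or TKIP configurations and need reconfiguring. The following is an added example of my own, not code from the post or from aircrack-ng. It reads the CSV layout airodump-ng uses (access-point table, blank line, station table; column names as in the file's header) and lists every access point whose advertised security is weak. The sample CSV embedded in it is constructed, with made-up BSSIDs and ESSIDs.

```python
import csv
import io

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv: an
# access-point table, a blank line, then a station table. All values are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2017-02-19 12:09:00, 2017-02-19 12:10:00,  1,  22, WPA , TKIP, PSK, -44,       39,      893,   0.  0.  0.  0,   5, Lab-1,
00:11:22:33:44:02, 2017-02-19 12:09:00, 2017-02-19 12:10:00, 11,  54, WPA2, CCMP, PSK, -49,       34,        0,   0.  0.  0.  0,   5, Lab-2,
00:11:22:33:44:03, 2017-02-19 12:09:00, 2017-02-19 12:10:00,  6,  54, OPN ,     ,    , -65,       46,        0,   0.  0.  0.  0,   8, Guest-AP,
00:11:22:33:44:04, 2017-02-19 12:09:00, 2017-02-19 12:10:00, 13,  54, WEP , WEP ,    , -90,        3,        1,   0.  0.  0.  0,   0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
aa:bb:cc:dd:ee:01, 2017-02-19 12:09:10, 2017-02-19 12:10:00, -20,      836, 00:11:22:33:44:01,
"""


def parse_access_points(text):
    """Return the access-point rows as dicts keyed by the CSV header names.

    The station table after the blank line is ignored; line endings are
    normalised because airodump-ng writes CRLF.
    """
    text = text.replace("\r\n", "\n").strip()
    ap_section = text.split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_section), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for row in reader:
        if len(row) < len(header):
            continue  # truncated line (airodump-ng was still writing)
        rows.append({h: v.strip() for h, v in zip(header, row)})
    return rows


def classify(ap):
    """Map an access point's Privacy/Cipher fields to a risk label."""
    privacy = ap["Privacy"].split()   # e.g. "WPA2 WPA" when both are advertised
    cipher = ap["Cipher"].split()     # e.g. "CCMP TKIP" for a mixed-mode network
    if not privacy or "OPN" in privacy:
        return "open: no encryption"
    if "WEP" in privacy:
        return "WEP: broken, treat as open"
    if "WPA2" not in privacy and "WPA3" not in privacy:
        return "WPA (v1) only: deprecated, TKIP"
    if "TKIP" in cipher:
        return "WPA2 with TKIP enabled: downgrade-prone"
    return "ok"


def weak_access_points(text):
    """(BSSID, ESSID, reason) for every access point that is not 'ok'."""
    findings = []
    for ap in parse_access_points(text):
        reason = classify(ap)
        if reason != "ok":
            findings.append((ap["BSSID"], ap["ESSID"], reason))
    return findings


if __name__ == "__main__":
    for bssid, essid, reason in weak_access_points(SAMPLE_CSV):
        print("%s  %-12s %s" % (bssid, essid or "<hidden>", reason))
```

Point it at a real psk-01.csv by reading the file into the text argument; the hidden-SSID row in the sample (ID-length 0, empty ESSID) is kept, since a weak network is no less weak for not broadcasting its name.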
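What the three values in the aircrack-ng output are, as an added worked example (my code, not from the post or from aircrack-ng): the Master Key is the PMK, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt; the Transient Key is the 64-byte PTK, PRF-512 of the PMK with the two MAC addresses and the two nonces taken from the captured handshake; and the EAPOL HMAC is the key MIC, an HMAC-SHA1 under the first 16 bytes of the PTK over the EAPOL frame with its MIC field zeroed. Every input except the passphrase is in the .cap file, which is why a passphrase that appears in password.lst falls on the first pass and a long random one does not. The MAC addresses, nonces and EAPOL bytes below are constructed; the PMK check uses the IEEE 802.11 "password"/"IEEE" test vector.

```python
import hashlib
import hmac


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    This is aircrack-ng's 'Master Key' and the only step that depends on the
    passphrase; everything below is fixed by the captured handshake.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).

    The 64-byte result is aircrack-ng's 'Transient Key': KCK = bytes 0-15,
    KEK = bytes 16-31, TK (the CCMP data key) = bytes 32-47.
    """
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(ptk, eapol_frame_mic_zeroed):
    """WPA2/CCMP key MIC: HMAC-SHA1 with the KCK over the EAPOL-Key frame (MIC
    field set to zero), truncated to 16 bytes. aircrack-ng prints it as 'EAPOL HMAC'."""
    kck = ptk[:16]
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def demo():
    """Run the derivation on constructed handshake values and return the pieces."""
    pmk = derive_pmk("password", "IEEE")            # IEEE 802.11 Annex test vector
    ap_mac = bytes.fromhex("001122334455")         # constructed addresses
    client_mac = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))                      # constructed nonces (real ones are random)
    snonce = bytes(range(32, 64))
    ptk = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)
    # Constructed stand-in for an EAPOL-Key frame with a zeroed MIC field.
    eapol = b"\x02\x03\x00\x5f" + b"\x00" * 95
    return pmk, ptk, eapol_mic(ptk, eapol)


if __name__ == "__main__":
    pmk, ptk, mic = demo()
    print("Master Key    :", pmk.hex())
    print("Transient Key :", ptk.hex())
    print("EAPOL HMAC    :", mic.hex())
```

The cost of testing one candidate is one PBKDF2 run (4096 HMAC-SHA1 iterations) plus a handful of HMACs, which matches the tens of thousands of keys per second aircrack-ng reports; the only defence the protocol offers is that the candidate list never contains the passphrase.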
The one problem, though, is that you don't have space for the full install of Kali, so just run gparted and increase the partition (I have increased it to 30GB here). Before the partition expansion (for a 32GB SD card):

```
root@kali:~# df
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/root        6992908 6952000         0 100% /
devtmpfs          469728       0    469728   0% /dev
tmpfs             474048       0    474048   0% /dev/shm
tmpfs             474048   12604    461444   3% /run
tmpfs               5120       0      5120   0% /run/lock
tmpfs             474048       0    474048   0% /sys/fs/cgroup
tmpfs              94808       4     94804   1% /run/user/113
tmpfs              94808       0     94808   0% /run/user/0
```

And after it we see the expansion:

```
root@kali:/# df
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/root       30244272 7106868  21829232  25% /
devtmpfs          469728       0    469728   0% /dev
tmpfs             474048       0    474048   0% /dev/shm
tmpfs             474048   24500    449548   6% /run
tmpfs               5120       0      5120   0% /run/lock
tmpfs             474048       0    474048   0% /sys/fs/cgroup
tmpfs              94808       4     94804   1% /run/user/113
tmpfs              94808       0     94808   0% /run/user/0
```

Then we should be good to install all the tools with:

```
apt-get install kali-linux-full
```

After this we should end up with all the normal Kali tools.

Installing OpenWRT

So, what do you choose for setting up your Wi-Fi infrastructure? Well, it's the best bargain that you can get on Amazon ... and don't be fooled by those Wi-Fi access points with bells-and-whistles ... the best device to buy is a Linksys WRT54GL (the L is for Linux). Within a few minutes with the correct firmware, it transforms itself from a device that can't reserve IP addresses into a full-blown Linux device. You basically plug your R-PI into a switch port and connect the Internet connection to your local Internet router, and you have Internet access and a local network (as you'll have many updates to install). It now has full login facilities over SSH, and so many more options for its OpenWrt infrastructure. One must thank Cisco for their great work on this device.
With a bit of a squeeze on the crypto method (this old firmware only offers the diffie-hellman-group1-sha1 key exchange, 1024-bit DH, which current OpenSSH clients no longer enable by default, so the option re-enables it for this one connection rather than globally):

```
billbuchanan@MacBook-Pro-3:~/Downloads$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1
root@192.168.1.1's password:


BusyBox v1.15.3 (2010-04-06 04:14:37 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 Backfire (10.03, r20728) --------------------------
  * 1/3 shot Kahlua    In a shot glass, layer Kahlua
  * 1/3 shot Bailey's  on the bottom, then Bailey's,
  * 1/3 shot Vodka     then Vodka.
 ---------------------------------------------------
root@OpenWrt:~# cd /
root@OpenWrt:/# ls
bin      etc      mnt      proc     root     sys      usr      www
dev      lib      overlay  rom      sbin     tmp      var
root@OpenWrt:/# ifconfig
br-lan    Link encap:Ethernet  HWaddr 14:91:82:6C:8B:47
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:638230 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1785265 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:65779030 (62.7 MiB)  TX bytes:1878021757 (1.7 GiB)

eth0      Link encap:Ethernet  HWaddr 14:91:82:6C:8B:47
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2328037 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2258657 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1945441297 (1.8 GiB)  TX bytes:1769946959 (1.6 GiB)
          Interrupt:4

eth0.0    Link encap:Ethernet  HWaddr 14:91:82:6C:8B:47
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:527362 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1627185 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:31705393 (30.2 MiB)  TX bytes:1682368093 (1.5 GiB)

eth0.1    Link encap:Ethernet  HWaddr 14:91:82:6C:8B:47
          inet addr:192.168.0.33  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1800669 errors:0 dropped:0 overruns:0 frame:0
          TX packets:631472 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1871830464 (1.7 GiB)  TX bytes:75622109 (72.1 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:624 (624.0 B)  TX bytes:624 (624.0 B)

wl0       Link encap:Ethernet  HWaddr 14:91:82:6C:8B:49
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:133504 errors:0 dropped:0 overruns:0 frame:102074
          TX packets:185871 errors:44 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:40484685 (38.6 MiB)  TX bytes:208829188 (199.1 MiB)
          Interrupt:2 Base address:0x5000
```

And in a few minutes, after installing SSH on the R-PI, it's Linux again:

```
billbuchanan@MacBook-Pro-3:~/Downloads$ ssh -l root 192.168.1.101
root@192.168.1.101's password:

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Feb 27 09:08:49 2017 from 192.168.1.244
root@kali:~# ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
```

GPIO

We can use the I/O interface to drive a radio transmitter board which controls remote-switched sockets. For this we just install the Python library:

```
pip install RPi.GPIO
```

Here is some sample code for turning an electrical socket on and off. The encoder's K0-K3 data inputs sit on board pins 11, 15, 16 and 13, pin 18 selects ASK or FSK modulation, and pin 22 enables the modulator. The listing is rewritten for Python 3; the original drove pin 22 without ever configuring it (which RPi.GPIO rejects at run time) and never switched the modulator off again on the "off" path, so both are corrected here:

```python
import time

import RPi.GPIO as GPIO

# Use the physical board pin numbering
GPIO.setmode(GPIO.BOARD)

# Encoder K0-K3 data inputs
DATA_PINS = (11, 15, 16, 13)
MODE_PIN = 18      # selects ASK/FSK modulation
ENABLE_PIN = 22    # the modulator transmits while this pin is high

for pin in DATA_PINS + (MODE_PIN, ENABLE_PIN):
    GPIO.setup(pin, GPIO.OUT)

# Initialise K0-K3 to 0000 and keep the modulator off until we transmit
for pin in DATA_PINS:
    GPIO.output(pin, False)
GPIO.output(ENABLE_PIN, False)


def send_code(bits, hold):
    """Load a 4-bit code on K0-K3, then pulse the modulator enable for `hold` seconds."""
    for pin, bit in zip(DATA_PINS, bits):
        GPIO.output(pin, bit)
    time.sleep(0.1)                   # let the encoder settle on the new code
    GPIO.output(ENABLE_PIN, True)     # enable the modulator
    time.sleep(hold)                  # keep transmitting for the hold period
    GPIO.output(ENABLE_PIN, False)    # disable the modulator


socket_on = True
try:
    while True:
        input('Enter...')
        if socket_on:
            print("sending code 1111 socket 1 on")
            send_code((True, True, True, True), 0.5)
        else:
            print("sending code 1110 socket 1 off")
            send_code((True, True, True, False), 1)
        socket_on = not socket_on   # alternate on/off on each key press
except KeyboardInterrupt:
    GPIO.cleanup()                  # release the pins on Ctrl-C
```

Demo

The following is a demo for Wi-Fi testing: