The Raspberry Pi has some unique features that are very powerful and easily accessible for a Hacking Kit. In particular, Pi is a joke and its components cost the price of a LEGO kit.
So, Raspberry being highly discreet, small, thin and easy to hide and of course most important, runs Kali Linux natively (without any adaptations or VMs).
It is very flexible and able to run a range of hacking tools, from badge cloners to scripts to cracking Wi-Fi networks.
Additionally, the low footprint and power consumption of the Raspberry Pi means that it is possible to run the device for a solid day or two on external battery pack USBs.
What you will learn:
- Use Raspberry Pi for remote attacks
- Use Kali Linux on Raspberry Pi 3
- Build a remote hacking kit with Raspberry Pi 3 and Kali Linux.
What you should know:
- Notions about Raspberry Pi
- Notions about Kali Linux
- Notions about remote connections.
With more than 10 million units sold, Raspberry Pi can be bought in cash for just US$ 30. This makes it very difficult to identify who is behind a Raspberry Pi attack.
Raspberry Pi Attacks
First, it is important that you control your expectations reasonably by choosing an RPi as your hacking platform, not least because it is not a supercomputer capable of processing large data capacities or reaching unusual limits for normal computers.
Raspberry Pi works exceptionally well as a platform for Wireless attacks. Due to its small size and a lot of system-based tools such as Kali Linux, it is the ideal weapon for Wi-Fi reconnaissance and attack. Our Kali Build will also carry out auditing attacks on Wi-Fi networks and Wired.
Necessary Equipment for Raspberry Pi and Kali Linux
Here’s the list of components for our project and why we need them.
Raspberry Pi 3 Kit: used platform, which manages and coordinates all the components used. As described above, we will use it to support Linux-based operating systems with high customization power and limited only by the creativity of the user;
Wi-Fi Command and Control Card (C2): to automatically connect the Raspberry Pi to an Access Point (AP). Like a Hotspot from your phone or home network, for example. This allows you to control the Raspberry Pi from long distances via SSH or VNC. Fortunately, Raspberry Pi 3 has a wireless card integrated into the system, in case of a Raspberry Pi 2 it is necessary to include a Wi-Fi adapter;
Wi Wi-Fi Attack Card: must be compatible with Kali Linux, more specifically, it must be a card with support for Monitor mode, so it can be used to sniff networks. It can be either Long or Short Distance, this varies from your need;
SD Card with System Image: will host the Operating System and brain of the desired environment. Creating custom image cards allows you to swap the functions of our Raspberry Pi quickly by simply swapping out SD cards or components;
Computer: will be used for various tasks, from the creation of the Builds on the SD Card to the remote control.
Power Supply: necessary to keep Pi connected.
Ethernet cable (optional): It will depend on the type of attack you plan to make.
Bluetooth keyboard (optional): useful for interacting with Pi, especially when you want to use it via the HDMI cable on the TV.
Protective Case (optional): by default, all Raspberry Pis need a case to protect it.
Raspberry Pi 3 kit
Consideration for the Attacks
First we must take into account that we are operating this Raspberry Pi in two primary forms. In our initial configuration the Raspberry Pi is connected to a screen via HDMI with inputs through a Mouse and Wireless Keyboard, already in the Tactical Configuration, you will use a Laptop or Smartphone to access the Raspberry Pi remotely via SSH.
And of course, wherever you want to go, you’ll need a Wi-Fi Access Point to connect remotely to Pi.
There are many ways to configure Kali Linux to run on a Raspberry Pi. Some of them include Touch Screen configuration, others are entirely via Command Line (SSH) and others use an internal wireless card to allow remote access through a hotspot.
However, this is only a reasonably basic configuration because of the different C2 scenarios that exist
1. Download the Kali Linux Image to Raspberry Pi:
At the official Kali website2, or t the Offensive Security web site3, there is a download link of the original image according to the PI version, whether it’s Pi 2 or Pi 3, make sure you choose the right one for your hardware.The following image shows the Kali Linux Custom ARM Images available for download:
2.Record the Image (ISO) on the SD Card:
As recommended in the installation tutorial of ISOs in Raspberry Pi, you can use softwares like Yumi4 (Windows), Etcher5 (Linux) or ApplePiBacker6
3. Installing Kali Linux on Raspberry Pi:
By default, the Kali Linux installation for the Raspberry Pi is optimized for the memory and ARM processor of the Pi device. We have found that this works fine for specific penetration objectives.
If you attempt to add too many tools or functions, you will find that the performance of the device leaves a lot to be desired, and it may become unusable for anything outside a lab environment.
A full installation of Kali Linux is possible on RaspberrPi using the Kali Linux meta-packages, which is beyond the scope of this article. For use cases that require a full installation of Kali Linux, we recommend you use a more powerful system.
Once the image is downloaded, you will need to write it to the microSD card. If you are using a Linux or Mac platform, you can use the “dd” builtin utility from the command line. If you are using a Windows system, you can use the Win32 Disk Imager utility.
Raspberry Pi 3 connections schema
4. Combining Kali Linux and Raspberry Pi
The Kali Linux Raspberry Pi image is optimized for the Raspberry Pi. When you boot up your Raspberry Pi with your Kali Linux image, you will need to use “root” as the username and “toor” as the password to log in. We recommend you immediately issue the
We recommend you immediately issue the “passwd” command once you log in to change the default password.
Most attackers know the Kali Linux default login, so it is wise to protect your Raspberry Pi from unwanted outside access. The following screenshot shows the launch of the “passwd” command to reset the default password:
Reseting the default password.
When you issue the “startx” command, your screen might go blank for a few minutes. This is normal. When your X Windows (GUI) desktop loads, it will ask you whether you would like to use the default workspace or a blank one.
Select the default workspace. After you make your selection, the desktop might attempt to reload or redraw. It may be a few minutes before it is fully loaded. The following screenshot shows the launch of the “
After you make your selection, the desktop might attempt to reload or redraw. It may be a few minutes before it is fully loaded. The following screenshot shows the launch of the “startx” command:
The first thing that you need to do is upgrade the OS and packages. The upgrade process can take some time and will show its status during the process. Next, you need to make sure you upgrade the system to the X Windows (GUI) environment.
Many users have reported that components are not fully upgraded unless they are in the X Windows environment.
Access the X Windows environment using the “startx” command prior to launching the “apt-get upgrade” command. The following screenshot shows the launch of the “apt-get update” command:
Apt-get update command.
The following screenshot shows the launch of the “apt-get upgrade command”:
Apt-get upgrade command.
Here are the steps you need to follow to open the Kali Linux GUI:
✓ Ensure you are in the X Windows desktop (using startx);
✓ Open a terminal command;
✓ Enter the “apt-get update” command;
✓ Enter the “apt-get upgrade” command;
✓ Enter the “sync” command;
✓ Enter the “sync” command;
✓ Enter the “reboot” command.
After you have upgraded your system, issue the “sync” command (as a personal preference, we issue this command twice).
Reboot the system by issuing the “reboot” command. In a few minutes, your system should reboot and allow you to log back into the system. Issue the “startx” command to open the Kali Linux GUI. The following screenshot shows the launch of the “sync” and “reboot” commands:
Sync and reboot commands.
You will need to upgrade your systems using the “apt-get update” and “apt-get upgrade” commands within the X Windows (GUI) environment.
Failure to do so may cause your X Windows environment to become unstable.mAt this point, you are ready to start your penetration exercise with your Raspberry Pi running Kali Linux.
5. Preparing for the Attack
The Kali Linux ARM image, Raspberry Pi and Kali Linux Basics, has already been optimized for a Raspberry Pi. We found however that it is recommended to perform a few additional steps to ensure you are using Kali Linux in the most stable mode to avoid crashing the Raspberry Pi. The steps are as follows:
- The first recommended step is to perform the OS updates as described, Raspberry Pi and Kali Linux Basics. We won’t repeat the steps here, so if you have not updated your OS, update it, Raspberry Pi and Kali Linux Basics, and follow the instructions.
- The next step you should perform is to properly identify your Raspberry Pi. The Kali Linux image ships with a generic hostname. To change the hostname, use the vi editor (although feel free to use any editor of your choice; even if you are a fan of nano, we won’t judge you much) with the “vi /etc/hostname” command as shown in the following screenshot:
Vi /etc/hostname command.
The only thing in this file should be your hostname. You can see from our example that we are changing our hostname from Kali to Raspberry Pi as shown in the following screenshot:
Vi /etc/hostname command.
You will need to edit the “/etc/hosts” file to modify the hostnames. This can also be done using the vi editor. You need to confirm whether your hostname is set correctly in your hosts file. The following screenshot shows how we changed our default hostname from Kali to Raspberry Pi.
Changing the default hostname from Kali to Raspberry Pi.
Make sure you save the files after making edits. Once saved, reboot the system. You will notice the hostname has changed and will be reflected in the new command prompt.
6. Setting up Wireless Cards:
Once you connect your Wi-Fi adapter, you should first verify that the system shows it is functioning properly. You can do this by issuing the “iwconfig” command in a terminal window as shown in the following screenshot:
You should see a wlan0 interface representing your new wireless interface. The next step is to enable the interface. We do this by issuing the “ifconfig wlan0” command followed by the up keyword as shown in the following screenshot:
Ifconfig wlan0 command
At this point, your wireless interface should be up and ready to scan the area for wireless networks. This will allow us to test the wireless card to make sure it works, as well as evaluate the wireless spectrum in the area. We will do this by issuing the “iwlist” wlan0 scanning” command as shown in the following screenshot:
iwlist wlan0 scanning command.
The “iwlist wlan0 scanning” command will show the SSID and the MAC address associated with the access points found in the area. You can see in the following screenshot that we scanned a Wireless Lab network and it has a MAC address of 0E:18:1A:36:D6:22. You can also see the Wi-Fi channel the AP is transmitting on, which is Channel 36.
Wi-Fi channel 36.
We have now set up wireless on our Raspberry Pi running Kali Linux.
7. Setting up the SSH Service
The Secure Shell (SSH) gives you full access to the Kali Linux operating system on a Raspberry Pi from a remote location.
It is the most common way to manage Linux systems using a command line. Since the Kali Linux GUI is not needed for most penetration testing exercises, we recommend that you use SSH or command-line utilities whenever possible.
We found some installations of Kali Linux have SSH enabled while others may need you to install the OpenSSH server.
You should first verify whether the SSH service is installed. Type in the service “–status-all” command to check whether the SSH service is running. If you see “+” as shown in the following screenshot, you are good to go. If you see a “-“ sign, then you will need to install the OpenSSH server:
OpenSSH Server enabled
To install the OpenSSH server, open a command-line terminal and type “apt-get install openssh-server” to install the SSH services. You will need to start the SSH services by issuing the “service ssh start” command as shown in the following screenshot:
Service ssh start command.
Once you enable the SSH service, you should enable the SSH service to start running after a reboot. To do this, first remove the run level settings for SSH using the “update-rc.d -f ssh remove” command as shown in the following screenshot:
Update-rc.d -f ssh remove command.
Next, load SSH defaults by using the “update-rc.d -f ssh” defaults command as shown in the following screenshot:
Update-rc.d -f ssh defaults command.
Now you should have SSH permanently enabled on your Kali Linux system. You can reboot the system at any time without needing to reconfigure the system to run SSH.
8. Setting up Auto Login for Remote Operation:
Sometimes it will be necessary to log into the system instantly, without needing any other steps, for this we will create a user with root access to the system by typing
# useradd -m eliasanderson -G sudo -s /bin/bash
If you have not configured a password, configure it by entering the password you want (in our case we use the password “eliasanderson”), as follows:
Now we will deactivate the login screen to avoid any problems when playing with our wooden block, typing:
# nano /etc/lightdm/lightdm.conf
After that, delete the “#” that remain before the lines “autologin-user=root” and “autologin-user-timeout=0”. So, close the nano saving the changes and, after, typing the command:
# nano /etc/pam.d/lightdm-autologin
Changing the value “auth required” to “###auth required”.
9. Automating Attacks
Let’s add 3 scripts in Crontab to run at intervals of 1 to 10 minutes in order to automate attacks. To do this, we need to open the /etc/crontab file and add the following parameters to its end:
*/1 * * * * root sh /etc/init.d/script_rsync
*/1 * * * * root sh /etc/init.d/script_connect
*/10 * * * * root sh /etc/init.d/script_attack
In the “rsync” script we will make it sync the data generated by Raspberry Pi to our VPS (Command & Control).
Thus, we analyze the generated files without having to use the Raspberry Pi processing feature, so that it is only used for the attack and collection of the reports. So, let’s create a folder where reports will be generated and sent to Command & Control.
apt install rsync –y
chmod 777 /opt/dados
Script command to send generated reports from Raspberry Pi to Command & Control.
In the “connect” script we created a connection from Raspberry Pi to Command & Control via SSH tunnel to ports 443 and 53.
Some corporations have ports 443 and 53 ports for Internet browsing of their servers, so we will use those ports to have Command & Control will send additional commands that are not in the attack script thus doing a better penetration test and analysis of the environment being tested.
Should any machine in the victim’s network be vulnerable to intrusion, Command & Control will perform an attack using the Pivoting technique, which basically uses the infected machine to perform a deeper hacking.
Script command for tunneling Command & Control SSH access to Raspberry Pi.
In the script “attack” we have a command to identify the IP that the Raspberry Pi received and thus analyze the whole network from the received IP.
Script command for identifies the IP received by the network and performs a network scan for vulnerable services and open ports and generates the result to be sent to Command & Control
We can also perform the following types of attacks:
✓ DNS Spoofing;
✓ Man-In-The-Middle (MITM);
✓ Attack Wireless Network.
Another script that will initialize next to the system will be an iptables rule. Let’s protect the Raspberry Pi against attacks from the network that it has inserted, and let only Command & Control have access to it.
update-rc.d -f script_iptables enable 2 3 4 5
IPTables roles for protect the Raspberry Pi.
Save, then type reboot into the terminal to restart Raspberry Pi and begin testing.
As soon as Raspberry Pi receives an ip from the network, it will close a tunnel with the VPS and the Command & Control terminal, we will give a simple command:
ssh root@localhost –p 443
ssh root@localhost –p 53
Command & Control receiving connection, so that we can enter into Raspberry Pi and perform attacks.
We wait 10 minutes, and so we will receive the report of the results of the network scanner in Command & Control that will be saved at /opt/dados.
In this article, we covered options for purchasing hardware and how to assemble a Raspberry Pi. We discussed recommended hardware accessories such as microSD cards and Wi-Fi adapters so that you are able to complete the steps given in this article.
Once we covered purchasing the proper hardware, we walked you through our best practice procedure for installing Kali Linux on a Raspberry Pi.
This included the detailed procedure to format and upgrade Kali Linux as well as the common problems that we ran into with possible remediation tips. At the end of this article, you should have a fully working Kali Linux installation, updated software, and everything running on your Raspberry Pi for a basic setup.
You also learned how to customize a Raspberry Pi running Kali Linux as a remote hacking platform. So, we also covered best practices to tune the performance and to limit the use of GUI tools using command-line configurations.
One major point covered was how to set up a remote C&C server to offload all possible tasks from the Raspberry Pi as well as exporting data. This included establishing communication between the Raspberry Pi and the C&C server.
We did this using SSH, HTTPS, and other types of tunnels. We also covered how to deal with placing a Raspberry Pi behind a firewall and still being able to manage it using reverse shell tunneling back to the C&C server.
The tests performed serves as a support for remote attacks, and can be used by professionals, researchers and network enthusiasts to learn practical ways of hacking in the corporate or academic field. It also serves as a guide to good security practices in Wi-Fi networks.
Original Source & Credits :
Thauã C. Santos – Systems Analyst. Full Stack Engineer
Renato B. Borbolla – Pen Tester, N1n3 Malware Author, Computer Forensics consultant
Deivison P. Franco -Information Security Researcher and Consultant. IT Auditor and Penetration Tester.