Recounting Recent: Kali NetHunter

After fixing a couple of my old broken Android phones, playing around with unlocking the bootloader, rooting them and installing custom ROMs, I decided to set up an Android phone for use with Kali NetHunter.

Monitor mode on NetHunter. Detecting two access points with WEP encryption in my neighborhood. These could be cracked in like 8-30 minutes.

Kali Linux NetHunter is an open source Android penetration testing platform. Check out Offensive Security’s NetHunter page for more information.

https://www.kali.org/kali-linux-nethunter/

NetHunter has builds available for many Android devices: Nexus, OnePlus, Galaxy, Gemini, LG, HTC, some Sony models and more. If you try this, research the exact device you are considering, because the CPU chipset can differ between carrier variants of the same phone. The wiki on GitLab lists the supported devices.

https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-project/wikis/home

Also pay attention to the WiFi chipset, because only a few onboard WiFi chips support monitor mode; otherwise the phone will need an external adapter for WiFi testing. Using the onboard chip requires a modified kernel and firmware, and even with an external adapter, verify compatibility first.

https://gitlab.com/kalilinux/nethunter/build-scripts/kali-nethunter-project/wikis/Wireless-Cards

I went with the Huawei Nexus 6P as it supports monitor mode on the onboard chip, and Offensive Security’s description of it sold me. Being able to get one on eBay for fifty-something dollars is also pretty compelling when some of the other options still cost hundreds. (Note: everything that follows is specific to the Huawei Nexus 6P.)

I reinstalled NetHunter while writing this post. These instructions are pretty good; it’s the installation.txt file from:

https://build.nethunter.com/contributors/re4son/angler/

Kali boot animation

A few notes to simplify the process.

You need fastboot from the Android SDK platform tools (bundled with Android Studio). Downloading all the files above into the platform-tools folder simplifies things a lot, so you don’t need to specify paths to run fastboot or paths to the files you flash.

If you have issues with the shell script, look inside the script and run each command from the shell yourself.

You need to download the TWRP recovery image separately; just search for the image name.

You will need USB-connected external storage for step 5 because the 6P has no SD card slot.

https://www.cyanogenmods.org/forums/topic/how-to-root-lineage-os-13-14-1-marshmallow-nougat-rom/

An add-on for LineageOS is also needed to enable root access for apps; it can be downloaded from the link above. Flash the add-on, then enable developer options, and you can grant root access to apps.

flashing Kali

https://forum.xda-developers.com/

The XDA Developers forum is the best resource I’ve found for all of this. You can find support and instructions for the other possible devices there as well.

Recounting Recent: Docker Swarm on Raspberry Pi cluster

This is a Docker Swarm on a cluster of Raspberry Pis running OpenFaaS. FaaS stands for Functions as a Service; Wikipedia defines it as “a category of cloud computing services that provides a platform allowing customers to develop, run, and manage application functionalities without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.” In short, it lets developers execute code in response to events without having to build out the usual infrastructure.

From Alex Ellis, the creator of OpenFaaS: “The idea is to make it as simple as possible to create a function that is built for, deployed to and run on Docker Swarm or Kubernetes, while providing a workflow that integrates directly with the Docker ecosystem.”

6 Raspberry Pi 4s with Pimoroni Blinkt, gigabit switch, Anker power supply

This lets us turn anything into a serverless function that runs through Docker Swarm on Linux or Windows: we upload functions, modular chunks of code, and execute them independently.

The Pimoroni Blinkt LEDs on the Raspberry Pis give a visual display of the load on each node; above is a demo of this scaling up.

Below is a demo of the LEDs showing a rolling update.

And then scaling the service back down to zero.


Headless Raspberry Pi setup

A headless setup lets us use the Raspberry Pi over the network without a monitor, keyboard or mouse, and we can install a more lightweight operating system without a GUI (graphical user interface), saving on hardware costs and the machine’s resources. The headless Linux install I’m using is based on Debian and designed specifically for Raspberry Pi hardware. You can download it here:

https://www.raspberrypi.org/downloads/raspbian/

The headless variant as of writing is Raspbian Buster Lite. After downloading, we need to flash the image onto a microSD card for the Raspberry Pi. The easiest way to do this is with balenaEtcher, which can be downloaded here:

https://www.balena.io/etcher/

Etcher automatically unmounts the card, so after flashing the image remove and then reinsert the microSD card. To enable SSH, create an empty file named ssh in the root of the SD card’s ‘boot’ partition. On Mac or Linux you can do this from the command line by navigating to the boot partition and running ‘touch ssh’, which creates a file of that name if it does not already exist:

touch ssh

If you are connecting to the Pi via Ethernet cable you can skip the next step.

To connect via WiFi, create another file in the boot partition named:

wpa_supplicant.conf

With contents:

country=US
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="your_real_wifi_ssid"
    scan_ssid=1
    psk="your_real_password"
    key_mgmt=WPA-PSK
}

Change the country code, ssid and psk (pre-shared key) to your own. The password is stored here in plain text only until first boot, when the Pi moves this file automatically.
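As an added example (not from the original post), the same wpa_supplicant.conf can be generated with the 256-bit PSK already derived from the SSID and passphrase, so the passphrase itself never lands on the boot partition. WPA-PSK derives the key with PBKDF2-HMAC-SHA1 (SSID as salt, 4096 iterations, 32 bytes), which is what the wpa_passphrase tool prints; the "IEEE"/"password" values used at the bottom are the IEEE 802.11i test vector, not a real network.

```python
import hashlib


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the WPA/WPA2-Personal PSK as 64 hex digits (IEEE 802.11i):
    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output.
    wpa_supplicant accepts this hex form in psk= without quotes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return key.hex()


def wpa_supplicant_conf(ssid: str, passphrase: str, country: str = "US") -> str:
    """Same layout as the post's wpa_supplicant.conf, but psk= carries the
    derived key instead of the plaintext passphrase. The hex PSK is still a
    credential (it is enough to join the network), so the file remains a
    secret; it just no longer exposes a password that may be reused elsewhere."""
    if '"' in ssid or "\\" in ssid:
        raise ValueError("quotes/backslashes in the SSID need escaping; not handled here")
    if not (len(country) == 2 and country.isalpha()):
        raise ValueError("country must be a two-letter ISO 3166-1 code")
    return "\n".join([
        f"country={country.upper()}",
        "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev",
        "update_config=1",
        "",
        "network={",
        f'    ssid="{ssid}"',
        "    scan_ssid=1",
        f"    psk={wpa_psk(ssid, passphrase)}",
        "    key_mgmt=WPA-PSK",
        "}",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed example: the IEEE 802.11i test vector, not a real network.
    print(wpa_supplicant_conf("IEEE", "password"))
```

Redirect the output into wpa_supplicant.conf on the boot partition in place of the hand-written file; the Pi moves it on first boot exactly as before.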

Recounting Recent: Hardening the Raspberry Pi

Adding an ‘ssh’ file to a fresh Raspbian flash enables SSH (Secure Shell) on its first boot. This ‘headless’ control over the network needs no mouse, keyboard or monitor and lets us use a lightweight operating system.

The Raspbian defaults are username pi and password raspberry; it’s a good idea to change these.

To SSH into our Pi we need to know its IP address. Logging into your router and checking the device list is an easy way to find it. The router can often be reached by browsing to:

http://192.168.0.1

If you haven’t changed your router’s login credentials, I strongly suggest you do so. The defaults are printed on the router or can be found online.

The Pi’s IP address can also be found by scanning the subnet with nmap, using the -T4 timing template for speed:

nmap -sV -T4 192.168.0.0/24

Once we know our Pi’s IP address we can connect to it via ssh. On Windows we may need to install a client; PuTTY is the most commonly used. On Mac or Linux an SSH client is installed by default and works out of the box from the command line with:

ssh [email protected]

Of course, substitute whatever our Pi’s IP address actually is. We will then be prompted for a password, which is ‘raspberry’ by default. We can then use the command ‘passwd’ to change the password for the default user pi.

I prefer to set my own password for the root account, then lock root again and disallow remote root login unless I need it for something. To set the root password:

sudo passwd root

By default the pi account has passwordless sudo. We can change this by editing /etc/sudoers.d/010_pi-nopasswd so that it reads ‘pi ALL=(ALL) PASSWD: ALL’. (Editing it with ‘sudo visudo -f /etc/sudoers.d/010_pi-nopasswd’ instead of nano syntax-checks the file before saving, which avoids locking yourself out of sudo with a typo.)

sudo nano /etc/sudoers.d/010_pi-nopasswd

pi ALL=(ALL) PASSWD: ALL

Ctrl + X, then Y, then Enter to save and exit.

Since we’re running the Pi headless, we can use ‘sudo raspi-config’ to change the hostname, set the GPU memory split to 16, verify or change our locale, enable predictable network interface names and a bunch more.

It’s a good idea to create a new user and lock user pi, although switching to SSH key-based authentication is secure regardless. Note that deleting user pi rather than locking it can cause some issues. If you create a new user, it will need to be added to the appropriate groups:

sudo adduser new-user-name-here

sudo usermod -aG groups-here-separated-by-commas,sudo,adm new-user-name-here

Then log out of pi, log in as the new user, and lock both pi and root:

sudo passwd -l pi

sudo passwd -l root

For SSH key authentication we need to generate keys if we haven’t before. We can do so on our own machine (not SSH’d into the Pi) with the following command (for a 4096-bit RSA key):

ssh-keygen -t rsa -b 4096

Then copy the public key to the Pi with:

ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

Disabling password-based access to the Pi prevents anyone without the key from connecting. To do so, edit /etc/ssh/sshd_config and make sure the password authentication line reads ‘PasswordAuthentication no’. Before closing your current session, confirm in a second terminal that key login works, so a mistake doesn’t lock you out.

sudo nano /etc/ssh/sshd_config

We can then reboot the Pi with ‘sudo reboot’ to make sure all our changes take effect.
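As an added example (not from the original post), here is a small checker for the sshd_config edit above. It matters because sshd uses the first value it reads for a keyword, so appending ‘PasswordAuthentication no’ below an earlier ‘yes’ changes nothing; the code reports the effective global value the way sshd would and rewrites the file so the hardened directives come first. It covers the two settings the post cares about (password authentication and remote root login) plus ChallengeResponseAuthentication, which must also be off or PAM can still offer a password prompt; the sample config is constructed for the demo.

```python
import re

# Directives from the post (password auth, remote root login) plus
# ChallengeResponseAuthentication, which otherwise can still yield a PAM
# password prompt even with PasswordAuthentication off.
HARDENED = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "ChallengeResponseAuthentication": "no",
}

# Constructed sample: a commented default, an active "yes", and a Match block.
SAMPLE_CONFIG = (
    "# constructed sample sshd_config\n"
    "#PasswordAuthentication yes\n"
    "PasswordAuthentication yes\n"
    "UsePAM yes\n"
    "Match User backup\n"
    "    PasswordAuthentication no\n"
)


def _split(line):
    """Return (keyword, value) for an active directive, else None.
    sshd accepts 'Keyword value' or 'Keyword=value'; keywords are case-insensitive."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = re.split(r"[\s=]+", stripped, maxsplit=1)
    return (parts[0].lower(), parts[1].strip()) if len(parts) == 2 else None


def global_section(text):
    """Split into (global lines, remainder from the first Match block on).
    Match blocks are conditional overrides; only the global section is reasoned
    about here, which is what applies to an ordinary user such as pi."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        kv = _split(line)
        if kv and kv[0] == "match":
            return lines[:i], lines[i:]
    return lines, []


def effective_value(text, keyword):
    """Value sshd would use: the FIRST active global setting of the keyword.
    None means unset, i.e. the compiled-in default applies."""
    for line in global_section(text)[0]:
        kv = _split(line)
        if kv and kv[0] == keyword.lower():
            return kv[1]
    return None


def harden(text, settings=HARDENED):
    """Put each hardened directive once at the top of the global section and
    drop any earlier global setting of it, so first-match semantics pick ours."""
    head, tail = global_section(text)
    wanted = {k.lower() for k in settings}
    kept = [l for l in head if not (_split(l) and _split(l)[0] in wanted)]
    new = [f"{k} {v}" for k, v in settings.items()]
    return "\n".join(new + kept + tail) + "\n"
```

Run effective_value on the Pi’s /etc/ssh/sshd_config after editing to confirm the value sshd will actually use, or ask sshd directly with ‘sudo sshd -T | grep -i passwordauthentication’.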