Raspberry Pi with Kali Linux

You have probably not missed the Raspberry Pi, the single-board computer created to promote the teaching of basic computer science in schools, which has since found use in many other ways.

Raspberry Pi 3B

One such use is the portable ‘hacking station’, where the Raspberry Pi runs an OS made for penetration testing, most commonly the Kali Linux distro.

Kali Linux Desktop

For the penetration tester in the field it can be very convenient to have a portable rig that can crack Wi-Fi passwords, spoof networks, audit systems and much more.

The small size of the computer makes it perfect for red teaming where you want stealth and a low footprint “behind enemy lines”.

Remember that it is illegal to break into networks that you don’t own or have permission to analyse. You should only use this knowledge for your own learning, for exercise and sanctioned testing.

Install Kali Linux on Raspberry Pi

This guide is for a Raspberry Pi model 3B. You’ll need an SD card of at least 8 GB. For the setup you’ll also need a monitor, mouse and keyboard.

First download a custom Kali Linux image for Raspberry Pi from here.

Then use a program called Etcher to flash the image to the SD card from a laptop.

Make sure the Raspberry Pi boots OK after you have put the SD card back in.

Great, now you have an evil hacking machine. What’s next, except putting on a black hoodie and waiting for hacker fame? Well, there are a few things you could do to make it even more Hackerman or Mr. Robot.

Housekeeping

Change root password

The first thing to do is to change the root password of the device. The default password is known by everyone who can google “Kali Linux default password”, so change it.

In the terminal, enter passwd and set a new password.

Change SSH keys

The next thing you should do is regenerate the pre-generated SSH host keys, since every image ships with the same ones.

Backup the original keys:

mkdir /etc/ssh/default_keys
mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/

Then generate new keys:

dpkg-reconfigure openssh-server

Create non-privileged user

You should also create a non-privileged user and then disable root logins (since root comes with great power).

First create a new user:

sudo adduser alice

Then add the user to the sudo group so it gets sudo permissions:

sudo adduser alice sudo

Check that you can log in as the new user and run commands with sudo.

Disable root login

After this, you probably want to disable root logins over SSH. That is done with a setting in the SSH server config file. Start by backing up that file:

sudo cp /etc/ssh/sshd_config /etc/ssh/backup.sshd_config

Now edit it and disable root login.

Open it with sudo nano /etc/ssh/sshd_config and change the PermitRootLogin line to:

PermitRootLogin no

Whitelist your non-privileged user

Then whitelist your new user, so that no other user can log in over SSH.

sudo nano /etc/ssh/sshd_config

and make sure the file contains the line

AllowUsers alice

(a space-separated list if you need more than one user).

Public Key Authentication

This is not the place and time to go deep into SSH hardening, but I recommend that you at least enable public key authentication.

On your laptop, create a key pair:

ssh-keygen

and name the key file after your non-privileged user.

Then upload the public key to the Raspberry Pi:

ssh-copy-id -i alice.pub alice@XXX.XXX.X.XX

Great, now test that you can log on to the device using the private key:

ssh alice@XXX.XXX.X.XX -i alice

Disable password logins

The next step is to disable password logins to the Raspberry Pi. You don’t want anyone to be able to guess or brute-force their way into your device.

sudo nano /etc/ssh/sshd_config

and disable password authentication:

PasswordAuthentication no

Restart SSH to apply the changes. Keep your current session open until you have confirmed that a fresh key-based login as the new user works, so a typo in the config cannot lock you out:

sudo systemctl restart ssh
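The sshd_config edits from the sections above, collected into one script that applies them idempotently and checks the result before restarting. This is an added example, not code from the original post; the user name alice, port 443 and backup path are the values the post uses.

```shell
#!/bin/sh
# Added example: apply the post's sshd_config changes (PermitRootLogin,
# AllowUsers, PasswordAuthentication, Port) and validate before restarting.

# set_sshd_option FILE KEY VALUE
# Replace the first "KEY ..." line (even if commented out with '#') with
# "KEY VALUE", or append it if absent. sshd honours the first occurrence of
# a directive, so a stale duplicate left behind would silently win.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        !done && $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") {
            print key " " value; done = 1; next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY -> effective (first uncommented) value
get_sshd_option() {
    awk -v key="$2" '!f && $1 == key { print $2; f = 1 }' "$1"
}

# harden_sshd_config FILE USER PORT
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AllowUsers "$2"
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" Port "$3"
}

# Run as root with the argument "apply" to change the live config; without
# it the script only defines the functions, so it can be sourced or tested.
if [ "${1:-}" = "apply" ]; then
    cp /etc/ssh/sshd_config /etc/ssh/backup.sshd_config
    harden_sshd_config /etc/ssh/sshd_config alice 443
    # Restart only if the new config parses; otherwise put the backup back.
    if sshd -t; then
        systemctl restart ssh
    else
        echo 'sshd -t rejected the config, restoring backup' >&2
        cp /etc/ssh/backup.sshd_config /etc/ssh/sshd_config
    fi
fi
```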

For more meat on the bone of SSH hardening, look up this post by the creators of the excellent Lynis project.

Basic stealth

OK, what could you do to increase the stealth of the device? Imagine an exercise where it is the mission of a red team to hide a device of this kind and the job of the blue team is to find it.

Change port

One quick thing we could do is change the port the SSH server listens on. An open port 22 will make your device shine in the dark.

Edit the SSH configuration again:

sudo nano /etc/ssh/sshd_config

Pick a port that won’t look suspicious; you can surely find one here.

And put it into the config file:

Port 443

With the ssh client you can specify the port with -p.

Change MAC address

The next thing you should change is the MAC address. All MAC addresses of Raspberry Pi devices start with B8:27:EB. This means that all it takes to find any Raspberry Pi on a network is a quick ARP scan filtered for that prefix:

arp -na | grep -i b8:27:eb

See for example the DeepMAC project for more about hardware address forensics.
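The blue-team side of the ARP check above, as an added example that is not part of the original post: parse arp -na output, normalise the MAC addresses, and report hosts carrying the B8:27:EB OUI. The arp lines in the script are constructed sample data, not a real capture.

```shell
#!/bin/sh
# Added example: report hosts in `arp -na` output whose MAC carries a
# Raspberry Pi OUI. Sample data below is constructed.

PI_OUIS='b8:27:eb'   # space-separated watch list of OUIs (lowercase)

# norm_mac MAC -> lowercase, colon-separated, zero-padded octets.
# Linux arp may print unpadded octets such as b8:27:eb:a:b:c.
norm_mac() {
    printf '%s\n' "$1" | tr 'ABCDEF' 'abcdef' | awk -F: -v OFS=: '{
        for (i = 1; i <= NF; i++) if (length($i) == 1) $i = "0" $i
        print
    }'
}

# flag_pi_hosts < arp-output -> prints "ip mac" for each matching host
flag_pi_hosts() {
    # line shape: "? (192.168.1.23) at b8:27:eb:12:34:56 [ether] on eth0"
    while read -r _q ip _at mac _rest; do
        case "$mac" in
            *:*:*:*:*:*) ;;   # a full six-octet MAC
            *) continue ;;    # skips "<incomplete>" entries
        esac
        mac=$(norm_mac "$mac")
        oui=${mac%:??:??:??}
        ip=${ip#\(}; ip=${ip%\)}
        for watched in $PI_OUIS; do
            if [ "$oui" = "$watched" ]; then
                printf '%s %s\n' "$ip" "$mac"
            fi
        done
    done
    return 0
}

# Constructed sample of `arp -na` output
ARP_SAMPLE='? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.23) at B8:27:EB:12:34:56 [ether] on eth0
? (192.168.1.40) at b8:27:eb:a:b:c [ether] on wlan0
? (192.168.1.77) at <incomplete> on eth0'

# On a real host: arp -na | flag_pi_hosts
printf '%s\n' "$ARP_SAMPLE" | flag_pi_hosts
```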

To see the MAC address of your device:

ifconfig

Look for the rows starting with ether.

To change an address we first need to install a tool called macchanger:

sudo apt-get install macchanger

Then bring down the interface whose MAC address you want to change:

sudo ifconfig eth0 down

Pick a MAC prefix from this list. I found a MAC prefix belonging to a range owned by Cisco. Spoofing my MAC address in this way makes my Raspberry Pi look a little less interesting and stand out less on a network.

sudo macchanger -m 00:02:FD:XX:XX:XX eth0

X = redacted

I recommend using a tool like this MAC address generator to get random digits after the prefix. An address that does not look random, like 00:02:FD:00:00:00, could itself look suspicious.

Then turn the interface on again.

sudo ifconfig eth0 up

OK, but this MAC address is only temporary and will revert to the original at reboot. We need to make it permanent.

For that you should create a systemd unit that runs macchanger automatically each time the device starts.

Create and open a systemd unit file:

sudo nano /etc/systemd/system/changemac@.service

Paste the following into the file:

[Unit]
Description=changes mac for %I
Wants=network.target
Before=network.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
Type=oneshot
ExecStart=/usr/bin/macchanger -m 00:02:FD:XX:XX:XX %I
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Remember to replace the X’s with hexadecimal digits 😉

Now enable the systemd service so that it runs at boot.

sudo systemctl enable changemac@eth0.service

For other network interfaces, change the eth0 part.

Reboot and check that it worked.

PS. Credit to the Arch Linux wiki for the idea of using a systemd unit to make the MAC address change permanent by applying it at boot time.