Tuesday, September 23, 2014

Installing Kali Linux and Snort on a Raspberry Pi

Last week I wrote about building a passive network tap with about $10 in off-the-shelf parts. Building a tap is a nice little project, but what do you do with it? A simple first step is to install Wireshark on a laptop and capture some packets. I wanted something a little more elegant though. Earlier this year I posted an April Fools gag on various uses for a Raspberry Pi ... this time I am putting it to legitimate use.

The Raspberry Pi is a minimalist computer: a processor; a bit of memory; ports for network, video, and sound; an SD card slot for data and operating system storage; a few USB ports to attach additional components; and a micro-USB port to supply power. Altogether a bare-bones Pi costs about $35. You can buy a Pi with a protective case, an SD card, and a power supply for around $50 to $60. I picked up a bundle with the Raspberry Pi model B, clear case, and wireless adapter for $49.95, plus a 16 GB SD card for another $10. In truth, I could have gotten by with a smaller SD card, but the software tools I had in mind to use take up some space, and network captures can quickly fill up a drive.

If you've already built a Kali / Snort box, check out another blog post where I show using it to detect malware and phishing scams by monitoring DNS query responses from OpenDNS.

The Pi is just hardware. It does not come with an operating system (in fact, until you add an SD card, it doesn't even have a place to put an operating system), so the next step is to load some software. There are a variety of operating system images available for the Pi, but I had one in particular in mind. Kali Linux, the successor to the highly popular (and highly regarded) BackTrack Linux distribution used by many security professionals and pen testers, is available in an image specifically designed for the Raspberry Pi. The latest revision can be downloaded from http://www.offensive-security.com/kali-linux-vmware-arm-image-download/ (look under Kali Linux Custom ARM Images). We're not in Windows-land either, so you need a way of installing the image. dd is a Unix program for making exact copies of a disk; a Windows port of dd is also available.

Now that we have our software lined up, let's prepare the SD card. I am writing this as it would be done from a Windows PC; the commands are slightly different if done from Linux or a Mac. Typically, SD cards are going to come pre-formatted for Windows, so let's erase the existing formatting. Windows has a built-in tool called diskpart that can be used to manage partitions (essentially what we think of as drive letters). Use diskpart to remove the existing NTFS partition on the SD card. Pay close attention to the physical device you select - if you remove the partition that holds your Windows drive, you'll then wonder why your PC no longer works.

Next, copy the Kali image onto the SD card (you'll need a card reader/writer for this). If you are using dd, the syntax is as follows:

dd bs=1M if=kali_image.img of=SD_Drive_Letter

bs=1M defines the block size used for reading and writing; it is not terribly important for our purpose, but using something larger than the default 512K makes for faster data transfers; if=kali_image.img is the full path to your downloaded and extracted Kali image; of=SD_Drive_Letter is the drive letter your computer has assigned to the SD card. In my case, this was the actual command line:

dd bs=1M if=c:\temp\kali-1.0.9-rpi.img of=e:\
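dd gives no feedback on whether the card actually holds what you wrote, so it is worth re-reading the card and comparing it with the image before you boot the Pi. The script below is an added example, not from the original post: it wraps the same dd invocation (with the correct of= output parameter) and then checks that the first bytes of the target device hash identically to the image. It assumes a Linux host with GNU coreutils (dd, sha256sum, head); the image and device paths are arguments and the ones in the comments are placeholders.

```shell
#!/bin/sh
# Added example: write an SD card image with dd and verify the write.
# Usage: write_image /path/to/kali.img /dev/sdX ; verify_image /path/to/kali.img /dev/sdX
# (paths are placeholders; pick the device carefully, as the post warns)
set -eu

# write_image IMG DEV: copy IMG to DEV with a 1 MiB block size, as in the post.
write_image() {
    img=$1; dev=$2
    [ -f "$img" ] || { echo "image not found: $img" >&2; return 1; }
    [ -e "$dev" ] || { echo "target not found: $dev" >&2; return 1; }
    dd bs=1M if="$img" of="$dev" 2>/dev/null
    sync   # flush kernel buffers so the verification reads what is on the card
}

# verify_image IMG DEV: re-read as many bytes from DEV as IMG is long and
# compare SHA-256 checksums. Returns 0 when they match, 1 otherwise.
verify_image() {
    img=$1; dev=$2
    size=$(wc -c < "$img" | tr -d ' ')
    want=$(sha256sum < "$img" | cut -d' ' -f1)
    got=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)
    if [ "$want" = "$got" ]; then
        echo "verified: $size bytes on $dev match $img"
        return 0
    fi
    echo "MISMATCH: $dev does not match $img (expected $want, got $got)" >&2
    return 1
}
```

On a real card the device is the whole disk (for example /dev/mmcblk0 on the Pi itself), not a partition, because the image carries its own partition table.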

This takes a few minutes to complete, at which time we have a bootable card we can insert into the Pi. However, the Kali image for Pi is designed to fit on a tiny 4GB SD card, while I am using a larger 16GB card. Most of my card is left out of the formatted partition, useless:

root@kali:/# parted
(parted) print all
Model: SD SU16G (sd/mmc)
Disk /dev/mmcblk0: 15.9GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End     Size    Type     File system  Flags
 1      512B    64.0MB  64.0MB  primary  fat16        lba
 2      64.0MB  3146MB  3082MB  primary  ext4

(parted) q

There are several ways to extend a Linux partition, but I took the easy route. Another commonly-used operating system image for Raspberry Pi is RasPi, which comes with a utility called raspi-config. Raspi-config has a handy "expand_rootfs" option that automatically expands the root partition to fill the available space. To download and use raspi-config, run the following commands from the Pi (wget is a command-line web client with which we can download files; dpkg is the Debian Linux package installer that then installs the packages we downloaded):

wget http://http.us.debian.org/debian/pool/main/t/triggerhappy/triggerhappy_0.3.4-2_armel.deb
wget http://http.us.debian.org/debian/pool/main/l/lua5.1/lua5.1_5.1.5-4_armel.deb
wget http://archive.raspberrypi.org/debian/pool/main/r/raspi-config/raspi-config_20121028_all.deb
dpkg -i triggerhappy_0.3.4-2_armel.deb
dpkg -i lua5.1_5.1.5-4_armel.deb
dpkg -i raspi-config_20121028_all.deb

Next, simply run raspi-config and select "expand_rootfs." There is no confirmation message - it just sets a flag that will take effect on the next reboot. Select Finish, then allow the system to reboot, and the partition has "automagically" expanded to fill the entire SD card:

root@kali:~# parted
GNU Parted 2.3
Using /dev/mmcblk0
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print all
Model: SD SU16G (sd/mmc)
Disk /dev/mmcblk0: 15.9GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End     Size    Type     File system  Flags
 1      512B    64.0MB  64.0MB  primary  fat16        lba
 2      64.0MB  15.9GB  15.9GB  primary  ext4

At this point we have a perfectly functional mini computer, running a basic Linux installation. My goal was not to just run a bare-bones Linux computer though, so I now need to install the Kali Linux "metapackage" that has the security and hacking tools I wish to use. Kali.org defines a variety of metapackages for different purposes - forensics, VoIP, wireless, password cracking, etc. I chose to install the kali-linux-full package which has a large selection of tools from each of these domains. In the below example, apt-get update && apt-cache search kali-linux gives me a list of available packages to install, from which I selected the one I wanted. The commands I actually executed are the two lines that begin with the root@kali prompt; the rest is simply output from the first command.

root@kali:/tmp# apt-get update && apt-cache search kali-linux
Hit http://security.kali.org kali/updates Release.gpg
Hit http://http.kali.org kali Release.gpg
Hit http://security.kali.org kali/updates Release
Hit http://http.kali.org kali Release
Hit http://security.kali.org kali/updates/main armel Packages
Hit http://http.kali.org kali/main armel Packages
Hit http://security.kali.org kali/updates/contrib armel Packages
Hit http://http.kali.org kali/contrib armel Packages
Hit http://security.kali.org kali/updates/non-free armel Packages
Hit http://http.kali.org kali/non-free armel Packages
Ign http://security.kali.org kali/updates/contrib Translation-en
Ign http://security.kali.org kali/updates/main Translation-en
Ign http://http.kali.org kali/contrib Translation-en
Ign http://http.kali.org kali/main Translation-en
Ign http://security.kali.org kali/updates/non-free Translation-en
Ign http://http.kali.org kali/non-free Translation-en
Reading package lists... Done
kali-linux - Kali Linux base system
kali-linux-all - Kali Linux - all packages
kali-linux-forensic - Kali Linux forensic tools
kali-linux-full - Kali Linux complete system
kali-linux-gpu - Kali Linux GPU tools
kali-linux-pwtools - Kali Linux password cracking tools
kali-linux-rfid - Kali Linux RFID tools
kali-linux-sdr - Kali Linux SDR tools
kali-linux-top10 - Kali Linux Top 10 tools
kali-linux-voip - Kali Linux VoIP tools
kali-linux-web - Kali Linux webapp assessment tools
kali-linux-wireless - Kali Linux wireless tools
root@kali:/tmp# apt-get install kali-linux-full

With this, I have a fully functional Linux computer with hundreds of hacking and security tools. This being a security toolkit, I need to call out one more step. The default image comes with preloaded SSH host keys, much like buying a house where the previous owner may have kept a copy of the key. And much like that house, it would be wise to replace the keys. Fortunately, that is a very simple task. Below I back up the original keys (just in case), then generate a new set of keys.

root@kali:~# cd /etc/ssh
root@kali:/etc/ssh# mkdir ssh_default_keys
root@kali:/etc/ssh# mv ssh_host* ssh_default_keys/
root@kali:/etc/ssh# dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
[ ok ] Restarting OpenBSD Secure Shell server: sshd.

One very useful tool is oddly missing from the Kali Full distribution though: snort. Snort is a (semi) open-source network intrusion detection system, a powerful way to monitor network traffic and create alerts and/or take action based on that traffic. This being Linux, and snort being open-source, it is very simple to install snort (though if you are feeling ambitious or wish to compile snort yourself so it is perfectly optimized for your specific system, there is a great how-to available):

root@kali:/tmp# apt-get install snort

That's it. apt-get finds the source, figures out any dependencies, queues them up, tells you how much disk space it will require, and then asks you to confirm installation. To be fair, there is more to setting up snort than merely installing the package -- and the repository does not always have the latest version of snort (as of this writing, the latest version is, while apt-get installs Noah Dietrich wrote an excellent how-to guide that walks through installing the individual components one by one and then configuring them, so I won't duplicate that work.

With that, I have laid a foundation for future exploration: I built a simple passive network tap so I could collect data from my network, and I built a Raspberry Pi running Kali Linux to use in assessing my network. In a future chapter I'll explore some of the individual tools, and analyze some packet captures from my home network.

One final note: Linux.com has a handy guide to setting up the wireless network interface. I couldn't write it any simpler than they did, so here's a link to their excellent guide.

With a Raspberry Pi assembled, running Kali Linux and Snort, there are many things you can do. One example is to monitor DNS queries for domains that might indicate a malware-infected client, or that a person on the local network fell for a phishing scam. Read my new blog post for an example (with Snort rules!) of how this might work.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen