Exercise 4-4: Custom Kali Linux ARM Install

Zen Walkthrough – Exercise 4, Chapter 4 – Custom Kali Linux ARM Install

In the previous exercise, we performed a standard ARM install. As you saw, the results were less than thrilling. Although we don’t cover this in the book, we think it’s valuable that you see how to build a custom image. You can walk through this exercise with any supported ARM device, but we will use a Raspberry Pi3. Check out the list of supported ARM hardware. We will build a custom Kali ARM image containing:

A minimum set of packages.
No desktop environment (headless).
A static IP address on eth0 so we don’t have to hunt for our Pi
Tools like ifconfig installed.
SSH service starts at boot, with your public SSH key preinstalled.

Go ahead, hit Show Answer. This is a walkthrough, after all.

Download and install the build scripts, build dependencies, and cross compiler.

mkdir /root/arm-stuff
cd /root/arm-stuff

1 2	mkdir /root/arm-stuff cd /root/arm-stuff

Next, we need a cross-compiler for armhf. This package contains pre-built versions of Linaro GCC and Linaro GDB, a gdbserver (a program that allows you to run GDB on a different machine than the one which is running the program being debugged), a system root (with all the headers and libraries to link programs against) and manuals under share/doc:

git clone https://github.com/offensive-security/gcc-arm-linux-gnueabihf-4.7

1	git clone https://github.com/offensive-security/gcc-arm-linux-gnueabihf-4.7

Kali will need the files under bin/ for the build:

export PATH=${PATH}:/root/arm-stuff/gcc-arm-linux-gnueabihf-4.7/bin

1	export PATH=${PATH}:/root/arm-stuff/gcc-arm-linux-gnueabihf-4.7/bin

Next, the real magic. We will grab the Kali Linux ARM build scripts. We use these to build our official Kali Linux ARM images at http://www.kali.org/downloads.

git clone https://github.com/offensive-security/kali-arm-build-scripts
cd ~/arm-stuff/kali-arm-build-scripts

1 2	git clone https://github.com/offensive-security/kali-arm-build-scripts cd ~/arm-stuff/kali-arm-build-scripts

Next, install the required dependencies. This will take a few minutes:

./build-deps.sh

1	./build-deps.sh

Next, edit the ARM build script, and change your required fields. We are editing the Raspberry Pi3 Kali ARM script. It’s got nexmon built in: a C-based Firmware Patching Framework for Broadcom/Cypress WiFi Chips that enables Monitor Mode, Frame Injection and much more.

In our case we can remove desktop, most of tools and extras. Additionally, we want to set up the Raspberry Pi IP address to be a static IP so we can SSH to it later on. Of course, SSH should start at boot time, and have our public key.

nano rpi3-nexmon.sh

1	nano rpi3-nexmon.sh

First, we will comment out the desktop and extras sections, and make changes to the tools and services sections:

#desktop="fonts-croscore fonts-crosextra-caladea fonts-crosextra-carlito gnome-theme-kali gtk3-engines-xfce kali-desktop-xfce kali-root-login lightdm network-manager network-manager-gnome xfce4 xserver-xorg-video-fbdev xserver-xorg-input-evdev xserver-xorg-input-synaptics"
#tools="aircrack-ng ethtool hydra john libnfc-bin mfoc nmap passing-the-hash sqlmap usbutils winexe wireshark net-tools"
tools="aircrack-ng nmap hostapd"
#services="apache2 openssh-server"
services="openssh-server"
#extras="iceweasel xfce4-terminal wpasupplicant python-smbus i2c-tools python-requests python-configobj python-pip"

#desktop="fonts-croscore fonts-crosextra-caladea fonts-crosextra-carlito gnome-theme-kali gtk3-engines-xfce kali-desktop-xfce kali-root-login lightdm network-manager network-manager-gnome xfce4 xserver-xorg-video-fbdev xserver-xorg-input-evdev xserver-xorg-input-synaptics"

#tools="aircrack-ng ethtool hydra john libnfc-bin mfoc nmap passing-the-hash sqlmap usbutils winexe wireshark net-tools"

tools="aircrack-ng nmap hostapd"

#services="apache2 openssh-server"

services="openssh-server"

#extras="iceweasel xfce4-terminal wpasupplicant python-smbus i2c-tools python-requests python-configobj python-pip"

We will also make changes to the packages section, leaving out desktop and extras:

#packages="${arm} ${base} ${desktop} ${tools} ${services} ${extras}"
packages="${arm} ${base} ${tools} ${services}"

1 2	#packages="${arm} ${base} ${desktop} ${tools} ${services} ${extras}" packages="${arm} ${base} ${tools} ${services}"

Further down we will pull eth0 off of dhcp and set a static address:

auto eth0
        iface eth0 inet static
        address 192.168.1.12
        netmask 255.255.255.0
        gateway 192.168.1.1
EOF

auto eth0

iface eth0 inet static

address 192.168.1.12

netmask 255.255.255.0

gateway 192.168.1.1

EOF

The changes we’ve made can be shown in another way with the diff tool, which compares files. Here we see a before-and-after. White lines show lines that match between the files (but have been moved in this case because we’ve inserted some lines). Red lines show deletions, and green lines show additions. Note that in this diff, we have deleted configuration lines instead of commenting them:

Once the changes are made, we can run the build script with a nifty identifier (a lame “1.0” in this example). Note that this can take over an hour, based on your CPU, memory and bandwidth:

./rpi3-nexmon.sh 1.0

1	./rpi3-nexmon.sh 1.0

Once this is finished, you should have three files:

root@kali:~/arm-stuff/kali-arm-build-scripts# ls -l rpi3-nexmon-bh-1.0/
total 553496
-rw-r--r-- 1 root root        91 Aug  5 12:14 kali-1.0-rpi3-nexmon.img.sha256sum
-rw-r--r-- 1 root root 566765348 Aug  5 12:23 kali-1.0-rpi3-nexmon.img.xz
-rw-r--r-- 1 root root        94 Aug  5 12:23 kali-1.0-rpi3-nexmon.img.xz.sha256sum

root@kali:~/arm-stuff/kali-arm-build-scripts# ls -l rpi3-nexmon-bh-1.0/

total 553496

-rw-r--r-- 1 root root 91 Aug 5 12:14 kali-1.0-rpi3-nexmon.img.sha256sum

-rw-r--r-- 1 root root 566765348 Aug 5 12:23 kali-1.0-rpi3-nexmon.img.xz

-rw-r--r-- 1 root root 94 Aug 5 12:23 kali-1.0-rpi3-nexmon.img.xz.sha256sum

Now, you can burn the ISO to an SD to test the image. As always, be sure to select the correct device ID. In our case, it happens to be /dev/sdb. This can take 20 minutes or more, when run from a properly configured VM:

root@kali:~# cd /root/arm-stuff/kali-arm-build-scripts/rpi3-nexmon-bh-1.0/
root@kali:~/arm-stuff/kali-arm-build-scripts/rpi3-nexmon-bh-1.0# ls
kali-1.0-rpi3-nexmon.img.sha256sum  kali-1.0-rpi3-nexmon.img.xz  kali-1.0-rpi3-nexmon.img.xz.sha256sum
root@kali:~/arm-stuff/kali-arm-build-scripts/rpi3-nexmon-bh-1.0# xzcat kali-1.0-rpi3-nexmon.img.xz | dd of=/dev/sdb bs=1M

root@kali:~# cd /root/arm-stuff/kali-arm-build-scripts/rpi3-nexmon-bh-1.0/

root@kali:~/arm-stuff/kali-arm-build-scripts/rpi3-nexmon-bh-1.0# ls

kali-1.0-rpi3-nexmon.img.sha256sum kali-1.0-rpi3-nexmon.img.xz kali-1.0-rpi3-nexmon.img.xz.sha256sum

root@kali:~/arm-stuff/kali-arm-build-scripts/rpi3-nexmon-bh-1.0# xzcat kali-1.0-rpi3-nexmon.img.xz | dd of=/dev/sdb bs=1M

Next, boot up the Kali Pi. You should find it at 192.168.1.12, and ssh should be open. Oh, and bonus! ifconfig works!

← Previous Topic