Raspberry Pi single board computers are used very frequently in security. The small and inexpensive units work very well in this role. One of the most popular use cases is to install Kali Linux and use them directly as hacking stations, or to configure them as stealthy pentest drop boxes. They also make very cheap security lab training systems. What many don’t know is that you can just as easily use the default Raspberry Pi Operating System (Pi OS) as the base for a Pi based security testing platform. Most of the conversion and tool installation can be done with one script - The PenTesters Framework. In this article, we will see how the PenTesters Framework can be used on a Raspberry Pi 400 to install over 300 commonly used security testing tools.
What are Raspberry Pis?
Raspberry Pis are single board computers that are extremely popular in the maker field because of their small size, capabilities and low price. The smallest Raspberry Pi, the Pi Zero 2 W, is about the size of a stick of gum and costs $15 USD. The Pi 4B is about the size of a credit card, with prices starting at $35 USD. The Pi 400, the newest addition to the Raspberry Pi family, is an all-in-one keyboard unit that essentially contains a modified Pi 4B. You can get the Pi 400 in a kit, with mouse, power supply, memory card and an introductory Raspberry Pi guide book, for around $100 USD.
A collection of Raspberry Pis running an assortment of Security Tools - Kali Linux, P4wnP1 ALOA, PTF
The Pis are popular in the maker field because you can attach, and control, an almost unlimited variety of sensors and motors. Raspberry Pis are popular in the security field because you can run a full graphical desktop install of Kali Linux on all of them. What many don’t know is that you are not limited to Kali Linux: you can easily install over 300 security testing tools on a Pi using the base Pi Operating System and The PenTesters Framework.
*NOTE: There is massive demand for Raspberry Pi boards right now, so stock is very limited. Your best chance of getting one is to order the Pi 400 Kit (they have manufacturing priority at the moment) from one of the Authorized Resellers. It should ship in about a week, and you won’t have to pay the ridiculous prices you see on Amazon or eBay…
Install and Update Raspberry Pi OS
Let’s start our journey by installing the Raspberry Pi Operating System (Pi OS) on a Raspberry Pi 400. You can use a Raspberry Pi 4 or a 400 for this article; they are essentially the same board in different packaging and run the same OS image. If you purchased a Pi 400 Kit, then you already have Pi OS installed on your memory card and can skip ahead to the “Installing the PenTesters Framework” section. If not, we will quickly cover installing Pi OS. If installing the OS from scratch, I highly recommend using a 32GB card so you will have space for all the PTF tools.
Surf to the Raspberry Pi download page:
Then download the Pi OS version that you want to use. There are several to choose from.
We will be using “Pi OS with Desktop”, though you could use Pi OS Lite if you prefer. There is also a 64-bit version of Pi OS available for the newer models. Whichever you choose, always verify the download’s SHA-256 hash against the value published on the download page before you flash it. A matching hash shows that the file you have is the one the Raspberry Pi Foundation published, not one that was corrupted or tampered with on the way to you; a hash that did not come from a trusted source proves nothing. If you download the torrent version with qBittorrent, the client verifies every piece against the hashes in the .torrent file as it downloads, which gives you the same assurance provided the .torrent itself came from the official site.
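As an added example (not part of the original article), here is a small Python script that performs that check: it streams the image through SHA-256 and compares the result with the digest for that filename in a published hash listing. It assumes the listing is in sha256sum format (“<hex>  <filename>”), which is what the .sha256 files published next to the Raspberry Pi OS images look like; the demo image and digest it builds are constructed in-line so it runs offline, and it then corrupts one byte to show the check failing.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read the image in 1 MiB chunks; real images are several GB


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_published_hash(text, filename):
    """Pull the hex digest for `filename` out of a sha256sum-style listing.

    Each line is '<hex>  <name>' (two spaces, or a space and '*' for binary
    mode). Returns None if no line names the file or the digest is malformed,
    so a missing entry fails closed rather than being treated as a match.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, name = parts
        if name.lstrip("*") == filename and len(digest) == 64:
            return digest.lower()
    return None


def verify_image(path, published_text):
    """True only if the file's SHA-256 matches the published digest for its name."""
    expected = parse_published_hash(published_text, os.path.basename(path))
    if expected is None:
        return False
    actual = sha256_of_file(path)
    # compare_digest does not short-circuit on the first differing character
    return hmac.compare_digest(actual, expected)


def demo():
    """Write a small constructed 'image', verify it, then corrupt one byte."""
    data = b"RPIOS" * 4096  # constructed stand-in for an .img.xz download
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "demo.img.xz")
        with open(img, "wb") as f:
            f.write(data)
        listing = hashlib.sha256(data).hexdigest() + "  demo.img.xz\n"
        ok_before = verify_image(img, listing)
        with open(img, "r+b") as f:  # flip a single byte: the check must catch it
            f.seek(100)
            f.write(b"X")
        ok_after = verify_image(img, listing)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

For a real download, point verify_image at the .img.xz you fetched and pass it the contents of the matching .sha256 listing (or a line you pasted from the download page); only flash the card when it returns True.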
Once the file is downloaded, simply insert your MicroSD Memory card into your desktop computer’s MicroSD interface. The memory card will show up as a removable drive in Windows:
Now, just write the image to the drive. I use balenaEtcher (Etcher) for writing Pi images; it is very easy to use and does a terrific job. Most Pi images are distributed compressed (as .zip, .xz or .7z files), so you may want to decompress the image first. Etcher can decompress on the fly, but it is a lot slower.
- Download (https://www.balena.io/etcher/), install and run Etcher
- Select your download image, make sure the drive is the correct one and click “Flash!”
Etcher will then write the image to the memory card:
When it is finished writing, just eject the card, insert it into the Pi, attach all your peripherals, and lastly connect power to the Pi - always apply power last! On first boot, the file system will be resized to fill the entire card and the Pi will reboot. It will then boot to the Pi OS desktop.
On the second boot, it will present you with a quick setup screen.
You will set the following information:
- Geographical location (very important)
- Password (also very important!)
- Video settings
- WiFi Settings
It will then prompt you to update the system software and reboot. When this finishes, you will be all set to use the Raspberry Pi OS Desktop.
Once Pi OS is installed and updated, the next step is to install PTF.
Installing the PenTesters Framework
Tool Author: David Kennedy, TrustedSec
Tool Website: https://www.trustedsec.com/tools/pentesters-framework/
GitHub Site: https://github.com/trustedsec/ptf
PTF Walkthrough Video: https://vimeo.com/137133837
We can quickly install security tools on Pi OS using the PenTesters Framework (PTF). PTF is a Python script that installs a collection of commonly used pentesting tools on Debian, Ubuntu and Arch Linux based distributions. As Pi OS is based on Debian, PTF works on a Raspberry Pi 3/4/400/Zero 2 W - though I don’t recommend a full install, or running the brute force tools, on a Zero 2 W. Many of the tools in PTF work on the Raspberry Pi without modification, but some of the installed tools will not run on a Pi because they ship as x86 (i386/amd64) binaries, and the Pi is an ARM system.
PTF installs the category of pentesting tools that you choose into the “/pentest” directory on your Raspberry Pi. You can then access and run the installed tools from the Pi OS Terminal. The install takes a while to run, especially if you are doing a full PTF install. But when it is finished, you have a Kali Linux like platform that has many of the most commonly used tools running right on Pi OS!
I highly recommend the reader watch the PTF Walkthrough Video provided by the tool author (link at beginning of section). As this video covers many of the PTF topics, we will move through this quickly. PTF is made up of modules by category. You can install individual PTF modules or all of them. If you want to perform a full install of PTF, you will need a 32 GB memory card. A full install can also take several hours on a Pi.
From a Raspberry Pi OS terminal:
- sudo su
- apt install python3-pip
- git clone https://github.com/trustedsec/ptf/
- cd ptf
- pip install -r requirements.txt (on Pi OS releases based on Debian 12 “bookworm” or later, pip refuses system-wide installs by default; either run “pip install --break-system-packages -r requirements.txt” or create a virtual environment first)
Now to start PTF:
- Enter, “./ptf”
- At the “ptf>” prompt, type, “show modules”
You will see a list of all the available modules for PTF. You can install each module individually. If you have a 32GB memory card, you can install them all.
Installing Individual Modules
Each module category has an “install_update_all” command. So, to install just the tools for one module, say, the Exploitation tools, you would use:
- use modules/exploitation/install_update_all
Installing all the Modules & Tools
Only for the patient - this can take several hours (some have reported up to eight hours on a Pi 4!). If you have the time and the memory card space, you can install all the tools. Run it from a local terminal: a plain SSH session will drop repeatedly during the install and take the installer with it. If you must work remotely, start the install inside tmux or screen so it survives a disconnect:
- use modules/install_update_all
- Then type, “yes” to install all available modules
A lot of the popular security tools are included in PTF, you can also add new or custom tools (discussed in the PTF Walkthrough video). We will look at just a couple of the standard tools, and show a few usage examples. But first, the install will take a really long time, so it would be a good time to get up and find something else to do for a while. Go get some coffee, or take a nap, lol! Just check on it periodically, you may need to allow it to install something as the install progresses.
After several hours, literally, you will see this:
- “exit” and Reboot when finished
After reboot, open a terminal. Most of the installed tools will be located in category directories under the ‘/pentest’ directory, as seen below:
Many of the tools can be run from anywhere, but some require you to change into their install directory for them to work properly. This is usually under ‘/pentest’, but some run from ‘/usr/share’ as well. In this article, we will only cover a handful of the tools installed by PTF. I advise the reader to take a few minutes and explore the installed tool directories to find out what is available in PTF.
Next, we will look at several tools from the different modules.
Scanning with NMAP
Nmap is the go-to tool for network scanning. It easily scans a network and can return which systems are up, which ports are open and which services they are running. It can also be used as an attack tool using Nmap scripts (NSE). We will take a quick look at all of these features. For a target, I just used a Metasploitable2 VM – I know it is older, but it is quick and easy to set up and it provides everything we need for our tests. Download the Metasploitable2 VM (https://sourceforge.net/projects/metasploitable/), open it in VMware and set the network settings needed for your environment.
*WARNING – Metasploitable2 is extremely vulnerable. Always keep a hardware firewall between your Metasploitable2 VM and any other network or the Internet, or put it on an isolated host-only/internal virtual network that only your testing machine can reach.
If it is not running, start up your Metasploitable2 VM.
In a Pi OS Terminal window:
- Type, “nmap -h” for options
For a fast port scan, just type the nmap command followed by the target’s IP address:
- nmap [Metasploitable2_IP]
This will show that the target is up and will display any open ports among the 1,000 most common TCP ports, which is what Nmap scans by default:
As you can see, Metasploitable2 has many open ports to target!
We can try to get service version information by adding the “-A” option (an aggressive scan that enables OS detection, version detection, default NSE scripts and traceroute):
- nmap -A [Metasploitable2_IP]
This command will take a bit longer to run, but will display OS and service software versions, if it can.
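Reading the version output off the screen is fine for one host, but once you scan a range you want the results in a form you can filter. Nmap writes a machine-readable report with -oX, and the Python script below (an added example, not code from the article or from PTF) pulls the open ports and their service banners out of that XML and lets you ask “which hosts run FTP?”. The SAMPLE_XML it parses is a constructed stand-in for nmap -oX output with made-up hosts and versions, not a real scan; to use it on a real report, read the file into a string and pass that instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap -oX output, trimmed to the elements used
# below. The hosts, ports and version strings are made up for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 172.24.1.218-220">
  <host><status state="up"/>
    <address addr="172.24.1.218" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1" extrainfo="protocol 2.0"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/>
        <service name="smtp"/></port>
      <port protocol="tcp" portid="8180"><state state="open"/>
        <service name="http" product="Apache Tomcat/Coyote JSP engine" version="1.1"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="172.24.1.219" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="ProFTPD" version="1.3.5"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="172.24.1.220" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def open_services(xml_text):
    """Return one dict per open port on every host that was up."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # down hosts carry no port data worth reading
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                  # closed/filtered ports are not attack surface
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda key, default="": default)
            found.append({
                "host": ip,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name", ""),
                "product": get("product", ""),
                "version": get("version", ""),
            })
    return found


def hosts_with_service(xml_text, service_name):
    """IPs that have an open port Nmap identified as `service_name` (e.g. 'ftp')."""
    return sorted({r["host"] for r in open_services(xml_text) if r["service"] == service_name})


def summary_lines(xml_text):
    """Compact one-line-per-port view, the way you would read it off the screen."""
    lines = []
    for r in open_services(xml_text):
        banner = " ".join(x for x in (r["product"], r["version"]) if x)
        lines.append(f'{r["host"]}:{r["port"]}/{r["proto"]} {r["service"]} {banner}'.rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(summary_lines(SAMPLE_XML)))
    print("FTP servers:", hosts_with_service(SAMPLE_XML, "ftp"))
```

Against a real target you would run “nmap -sV -oX scan.xml [Metasploitable2_IP]” and then call open_services(open("scan.xml").read()). Only ports whose state is “open” are kept; filtered and closed ports are deliberately dropped because they are not something you can connect to.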
You can also add the “-v” verbose or “-vv” very verbose switches to have even more information returned to you.
We could also scan just a single port if we wanted, using “-p”.
- nmap [Metasploitable2_IP] -p 21
This shows that FTP port 21 is open.
We could also scan several ports at once: separate individual port numbers with a comma (for example “-p 21,22,80”), or give a range with a hyphen (for example “-p 20-25”), as seen in the next screenshot.
You could add in the “-A” again to get service information about these ports:
We could also try a Brute Force attack using an nmap script:
- nmap --script ftp-brute -p21 [Metasploitable2_IP]
After a few minutes:
If you look closely at the bottom of the screenshot you will see “user:user - Valid credentials”. From the screenshot, you can see that Nmap attempted 3811 username and password combinations and was able to successfully log in using the username and password of “user”. Though brute force attacks are fun to run, they generate a lot of noise and are usually picked up pretty quickly by Network Security Monitoring (NSM) systems: thousands of failed logins from one source address in a few minutes stand out in any FTP server log.
If we were to peek at network traffic using Wireshark while the attack was running, we would see this:
Nmap created a lot of FTP traffic, as it tried to login again and again, using different usernames and passwords. If we looked at an individual FTP login attack in Wireshark, we would see this:
Nmap continues to do this until either it finds a valid login response, or runs out of usernames/ passwords to try. There are many tools that you can use for scanning and/or brute forcing. We will look at some of these next.
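To see what that noise looks like from the defender’s side, here is an added example (not from the article) of the detection logic an NSM or log-monitoring rule would apply to the FTP server’s own log: it counts failed logins per client address in a sliding time window and also flags a successful login that follows a burst of failures, since that is the guess that worked and the account that now needs a password change. The lines it reads are constructed in the shape of vsftpd’s log file; the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime

# Constructed log lines in the shape of vsftpd's own log file. The client
# addresses, usernames and times are made up for this example.
SAMPLE_LOG = [
    'Mon Apr 18 11:04:01 2022 [pid 2001] [msfadmin] FAIL LOGIN: Client "172.24.1.77"',
    'Mon Apr 18 11:04:09 2022 [pid 2001] [msfadmin] OK LOGIN: Client "172.24.1.77"',
] + [
    # twelve failures in 22 seconds from one client, walking a username list:
    # what an nmap ftp-brute run looks like from the server side
    f'Mon Apr 18 11:05:{sec:02d} 2022 [pid {3000 + i}] [{user}] FAIL LOGIN: Client "172.24.1.5"'
    for i, (sec, user) in enumerate(zip(
        range(10, 34, 2),
        ["admin", "root", "ftp", "test", "guest", "oracle",
         "postgres", "service", "backup", "web", "info", "user"]))
] + [
    'Mon Apr 18 11:05:36 2022 [pid 3012] [user] OK LOGIN: Client "172.24.1.5"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)

Event = namedtuple("Event", "ts user result client")


def parse_line(line):
    """Turn one vsftpd log line into an Event, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # collapse the double space vsftpd uses before single-digit days
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return Event(ts, m["user"], m["result"], m["client"])


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag clients with `threshold` failed logins inside `window_seconds`,
    plus any success that follows a burst of failures from the same client."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e.ts)
    recent_fails = defaultdict(deque)   # client -> timestamps of failures in window
    alerted = set()
    alerts = []
    for ev in events:
        q = recent_fails[ev.client]
        while q and (ev.ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                 # slide the window forward
        if ev.result == "FAIL":
            q.append(ev.ts)
            if len(q) >= threshold and ev.client not in alerted:
                alerts.append(("BRUTE_FORCE", ev.client, ev.ts, len(q)))
                alerted.add(ev.client)  # one alert per client per run, not per line
        elif len(q) >= threshold // 2:
            # a valid login right after many failures means a guess worked
            alerts.append(("SUCCESS_AFTER_FAILURES", ev.client, ev.ts, ev.user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```

On the constructed sample, the single typo-and-retry from 172.24.1.77 produces nothing, while 172.24.1.5 trips the brute force alert on its tenth failure and then a second alert when “user” logs in straight after the burst. In production you would feed this the real vsftpd log (or the equivalent SSH, SMB or web authentication log) and forward the alerts to your NSM.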
SpooNMAP
Tool Website: https://github.com/trustedsec/spoonmap
SpooNMAP is a wrapper app created by TrustedSec, the authors of PTF. They basically created an automated scanning tool that combines Nmap and the popular large scale port scanner Masscan. Throw in IDS evasion techniques and service discovery and you have a winner.
- Before running SpooNMAP you need to enter targets into the “ranges.txt” file located at “/pentest/intelligence-gathering/spoonmap”.
You can use single addresses (ex. 172.24.1.218) or a range of addresses (ex. 172.24.1.0/24), one per line. Enter your target IP address(es) into the “ranges.txt” text file.
- Now, just run SpooNMAP:
- Pick the type of port scan you want (small, medium, large, etc.)
- SpooNMAP will then ask you several questions about the scan, pick what is relevant to your network. The defaults are usually sufficient.
SpooNMAP will then run a target scan by port, using Masscan first, and then NMAP.
When finished, a brief overview is listed and an XML report file is stored in the SpooNMAP directory.
Metasploit’s FTP scanner
What if we wanted to scan an entire network, and only look for systems running certain services? One way we could do this is with Metasploit’s scanners. Metasploit comes with a large number of scanners installed.
To view them:
- In a terminal, enter “msfconsole” to start Metasploit
- Then type “use auxiliary/scanner” and hit “tab” twice:
We can use any of these tools to scan our target network for information. Let’s scan our test network for running FTP servers and also do a version detection. We can do so using the “auxiliary/scanner/ftp/ftp_version” scanner.
- Enter, “use auxiliary/scanner/ftp/ftp_version”
- Next, “set RHOSTS 172.24.1.200-220” (use a range that will include your target range)
- And finally, “run”
We use the FTP_Version scanner in Metasploit and set it to scan all systems from 172.24.1.200 -172.24.1.220. You could set the range to any that you like, or an individual target. When this module runs, you should see something like the screen below:
Metasploit scanned a range of network addresses and successfully detected the vsFTPd 2.3.4 service running on our Metasploitable machine. We recovered valid FTP login credentials in the previous topic; we could use these to see if we can log in to an individual FTP server, or to all FTP servers(!), using the “scanner/ftp/ftp_login” module.
- Enter, “back”
- And then, “use auxiliary/scanner/ftp/ftp_login”
You can type, “show options” if you want, to see what options you can fill in. You could set the RHOSTS option to a range of systems if you wanted to try to log into all FTP servers in that range. For this example, we will just use our single system.
- set RHOSTS [Metasploitable2_IP]
- set USERNAME user
- set PASSWORD user
- run
Login successful! If we had numerous FTP servers running on the same network, we could try the creds against the entire network by simply changing the RHOSTS value to a range of addresses and then re-running the module.
This is shown in the next screenshot.
This was just a quick example from Metasploit, take some time and check out the other scanner modules. Just “use” the module and then type “show options” to see what you need to set. Once your options are set, then run them as we did with this module. Metasploit is extremely powerful and has a lot of features. I cover it in much more depth in my other books. Let’s take a look at some other automated attack type tools.
Brutex
Tool Author: xer0dayz
Tool Website: https://github.com/1N3/BruteX
BruteX is an automated attack tool that brute forces the services running on a target using username/password wordlists. You can let it attack every open port or point it at specific ones; we will use the Metasploitable2 system and target the SMB port, 445.
- In a terminal, enter, “cd /pentest/exploitation/brutex”
- Then, “sudo brutex [Metasploitable2_IP] 445”
After a few seconds, you should see:
You can also attack multiple ports/services by combining them with a comma:
- sudo brutex [Metasploitable2_IP] 22,23
The command above will cause Brutex to target the SSH and Telnet ports, and in a short time, you should see the results below:
This tool has a lot more options and functionality. For example, you can do OS detection, IDS evasion and also perform a sweep type attack like we did with Metasploit. Take a few minutes and read through the tool’s help screen to learn about its full capabilities.
Sn1per
Tool Author: xer0dayz
Tool Website: https://github.com/1N3/Sn1per
Sn1per is one of my favorite scanning and testing tools. It is another automated attack tool from the same author as BruteX, but this tool has many more features. The professional version (licensed product, not included in PTF) has become a go-to tool for many professional pentesters.
If Sn1per is not installed, in a Terminal, enter:
- git clone https://github.com/1N3/Sn1per
- cd Sn1per
- sudo bash ./install.sh
To run:
- enter, “sudo sniper -t [Metasploitable2_IP] -b”
The “-t” tells Sn1per what target to attack, and the “-b” switch enables brute force attacks. That’s all you will need. Sn1per will then begin a completely automated and tailored attack against the target. It will check to see what ports are open, then attempt specific attacks against those ports, based on vulnerabilities or service versions detected. As they say, “the proof is in the pudding”, which you can see in the screenshot below, it works very well – Sn1per found a vulnerability, exploited it, and dropped us into a remote shell with the target.
It will seem to pause at this point, but you indeed have a remote shell on the target (Sn1per hands the session over to Metasploit). All you need to do is type “sessions -i 1” at the prompt to interact with session 1, then type “whoami”, and the remote system will respond with “root”.
As seen below:
Any commands you enter will be run on the target system and you will see the result. For example, we could pull the “/etc/passwd” and “/etc/shadow” files, get the users and password hashes and crack them using John the Ripper.
Cracking passwords is pretty straightforward, I cover how to do this in depth in my “Advanced Security Testing with Kali Linux” book. You probably wouldn’t want to use the Pi to crack passwords though, you want something with a very powerful graphics card for password cracking.
Type “exit” to exit the remote shell. You will then return to Sn1per, which will continue to attack other services. This will continue until Sniper has run all of its tests and scans.
Conclusion
In this article, we covered how to install and use the PenTesters Framework on a Raspberry Pi. The Raspberry Pi platform is so inexpensive and flexible, it makes a great addition to any security team’s tool chest. We only covered a few tools from the PenTesters Framework, remember there are over 300 to play with! I highly advise the reader to take time and check it out thoroughly. In addition, this article was actually an adapted chapter from my latest book, “Security Testing with Raspberry Pi, Second Edition”. In the book, I delve much deeper into using the Raspberry Pi platform for security. If you liked this article, and want more, check it out on Amazon.com!
About the Author
Daniel W. Dieterle, aka “CyberArms”, has been in the computer industry for over twenty years, and currently is a Security Author, Researcher & Consultant. He is an Internationally Published Author that just released his eighth book, “Security Testing with Raspberry Pi, Second Edition”. He is also working on his next book, a complete overhaul of his original, “Basic Security Testing with Kali Linux”, which will be available next year. Daniel runs two tech blogs - cyberarms.wordpress.com & DanTheIOTMan.com, and is very active as a mentor, helping those new to the security field.