Building a Raspberry Pi 4 Ethical Hacking platform using The
Pentesters Framework and DietPi.
I’ve been playing with using different hacking tools and Operating Systems with the Pi 4. In this article I cover installing The Pentesters Framework on a RPi 4 running DietPi.
DietPi is a very lightweight Debian OS for the Raspberry Pi. The Pentesters Framework by TrustedSec is an Ethical Hacking installation script that automatically installs and updates over 250 modules/ tools. It would be great if they would work together on a Raspberry Pi 4. The good news is that is does – With a couple tweaks.
I cover installing and using The Pentesters Framework on Raspberry Pi in my latest book. So, I am not going to go into great detail on using the tools in PTF. I just want to cover actually installing it on DietPi.
NOTE: You will need a Raspberry Pi 4, and at the minimum a 32 GB MicroSD card if you want to install all of the PTF tools. Don’t have a Pi 4? Seeed is currently offering free shipping for orders over $119 with a Raspberry Pi 4 4GB.
Write the image to a MicroSD card, balenaEtcher works great!
Insert the MicroSD card into your Pi, attach peripherals and
lastly connect power (always connect power last). When DietPi boots up you will
be presented with some options.
Pick any software install options you want, then
“Go install software”
Requested software and updates will be installed
Reboot when finished
I just run through it quickly the first time to get the
latest OS updates. Note the CPU temp warning, it’s a Pi 4, it runs hotter than
a Pi 3.
To install an “X” Desktop or any other included software,
There are a ton of add-on software options under “Software Optimised”.
For example, if you want a graphical desktop, pick the X-Desktop you want and
then the “Go install software” option. You can also setup your login
preferences from this menu – auto login, desktop login, etc.
All we really need here is to install Python. Then we need
to make a small config file tweak and finally install PTF.
From the DietPi-Software menu, go to “Software Additional”
and install Python:
Cursor down to Python Pip, hit the space bar to
You will return to the main menu.,
Cursor down and select “Go >> Start Installation”
Reboot when finished
We need to install git:
Open a terminal and enter, “apt install
Next we need to comment out a line in the ‘/etc/hosts’ file
or the PTF install will error out.
Comment out the “::1 localhost IPv6 localhost” line
That’s it! We can now proceed with the standard PTF install:
Type “show modules” to see all available modules. You can install individual ones if you wish. If you have a large memory card (32 Gb), you can install all of them.
To install all tools, enter “use modules/install_update_all“
Reboot when finished
The install will take a very long time, especially if you
install all of the modules. After install, all tools will be located in
category themed directories under the ‘/pentest’ directory, as seen below:
Many of the tools can be run from anywhere, but some tools require you to change into its install directory for it to work properly. This is usually ‘/pentest’, but some run from ‘/usr/share’ as well. Check it out, there are a ton of very good tools at your disposal, like “Sniper”:
And there you have it. Again, I go into much deeper detail in my book about using PTF on a Pi, I just wanted to show how it could be installed on DietPi. If you want to learn a lot more about using Raspberry Pi for Ethical hacking check out my latest book – Security Testing with Raspberry Pi
This is a partial sample chapter from my latest “Security Testing with Raspberry Pi” book – The full chapter (chapter 4) is over 20 pages long and includes how to use several of the installed Kali Linux tools.
In this chapter we
will cover installing Kali Linux on a Raspberry Pi 3b+. We will also see how to
run several Kali tools on this platform. As I assume the reader has used Kali
Linux before, the goal is to show how to get up and running quickly on a
Raspberry Pi, not necessarily to show how to run each individual tool. Most of
the tools work just like they would in a full PC install of Kali. Though some
of the tools, like Hashcat, apparently don’t have ARM compatible binaries and
are not included in the Kali Pi version.
Navigate to the
Kali ARM images and then select the Raspberry Pi branch. Download the version of
Raspberry Pi for the Pi that you have. I used a Pi3b+ for this chapter, so I
downloaded the Kali Linux Raspberry Pi 3 64-bit image. If you have a Pi 4,
you must download the Pi 4 version of Kali.
Once the image is downloaded, all you need to do
is write it you your SD Ram card.
Etcher works great:
Insert your memory
card into the Pi, attach keyboard, mouse, network line, and video cable.
Lastly, plug in the power cord. The Pi will boot up and give you a graphical
Login with User: root, Password: toor
At the “Welcome to
the first start of the panel” message, click on “Use default config”. You will then be presented with the Kali
Desktop. Take a second and familiarize yourself with it. You will notice it is
slightly different looking than the regular Kali Desktop, as it is using a
different desktop environment. Xfce is used as the default Pi interface as it
is a lightweight and fast desktop. But it is the same Kali underneath that you know
Click the “Applications”
button to see the tools menu. They are pretty sparse at the moment; we will fix
that soon. There are a couple house keeping things we need to do first.
The first thing we will want to do is regenerate
the SSH security keys.
Open a Terminal
mv ssh_host_* default_keys/
In a couple seconds
we should have new SSH security keys.
In the current
version of Kali for the Pi, root login is permitted by default. This is fine
for our lab, but this is something you would want to change in “/etc/ssh/sshd_config” if you were going
to use this for regular purposes. You will also want to change the root
password using the “passwd” command.
The SSH server is
already started by default in the Kali Pi install, so all we need is the IP
address of Kali. If you are an old time Linux user like me you will probably
still use Ifconfig, the old “deprecated” commands are easier to use and look
nicer in my opinion, (have to love change, lol) though you are supposed to use
the “ip” command now.
Enter, “ip a” to see all the network
addresses or “ip -4 a” to only see the ip 4 address.
Now you can just SSH or use Putty like we
did in the previous chapter to connect remotely to the Kali system.
The Kali-Pi image
comes pre-installed with some tools already installed. They were called the
“top 10” in an earlier release of Kali and include Metasploit, nmap, Recon-NG, etc. The rest of the Kali tools can be downloaded
via Kali “Metapackages”. Metapackages are security tool packages
grouped by function. If you have a 16 GB or greater SDRam card, and a lot of
patience, you can install the full Kali Linux install. If you didn’t need all
of these tools, you could install just the Wireless tools (kali-linux-wireless)
or the Web Application Assessment tools (kali-linux-web), depending on your
All the available Metapackages are listed
on the Kali Metapackages website:
simple, in a terminal just enter, “apt install” along with the
metapackage that you want. You basically have 2 options; you can install the
full package or individual tool packages. The only drawback to option 2 is that
some of the necessary “helper” tools may not be installed and you may need to
install them manually.
If you want the
full Kali install:
apt install kali-linux-full
includes all the tools from a normal Kali Linux install. This will take a very
long time to install, so be patient.
If you want to
install a specific category of tools:
Depending on what
you want to do with your Kali install, a good choice is the Wireless tools. The
wireless package includes numerous tools including ones for Wi-Fi, Bluetooth
& SDR. You can see what packages are included by using the following
apt-cache show kali-linux-wireless |grep Depends
If these are the
tools that you want, then proceed with the install:
apt install kali-linux-wireless
Whichever option you pick, the new tools will
show up in the Kali menu after the install:
option seems to take hours, be patient, and reboot when it is finished.
The downloaded tools are the SAME tools that you would receive on the regular Kali install. These aren’t watered down versions or anything like that. I have run into a couple tools that didn’t work, or seemed to be missing, but it is a rare occurrence. If it works in the regular Kali install, chances are you can do the same thing, the same way, in the Raspberry Pi version. So, after that long install, let’s play!
The credit card sized Raspberry Pi has been a hit with makers for years, it is amazing how many different ways you can use these devices. What many don’t know is that they are also a great tool for use in the security field.
The RPi can run many of the popular Ethical Hacking tools and operating systems. The small size and portability of the Pi makes it a perfect tool for Red Teams and Pentesters.
For example, the RPi makes for great pentesting “Drop Boxes”, small scanning remote access tools left behind on a client’s website during a test. But that is just one use, thanks to P4wnP1, the Pi can also be used as a very powerful and live customizable HiD attack tool. They can even be used as surveillance cameras.
In my book, I cover how to install and use many of the top security tools on the Raspberry Pi.
How to install Kali Linux on a RPi, installing security tools on Raspbian, how to use Warberry Pi – a drop box like system, even how to setup your Pi to act like a security camera, and much, much more!
Like my previous books, the first thing covered is setting up a test lab with vulnerable targets. You will see how to use the RPi to scan test systems for vulnerabilities. I also cover how to use the RPi as an actual test target so you hone your ethical hacking skills without breaking the bank.
This book basically takes off where “Basic Security Testing with Kali Linux” ends and shows you how to use a Pi as a functional security tool. Though not a beginner, “How to use a Pi” book, I use step-by-step tutorials for those new to ethical hacking and the Raspberry Pi.
What about the Raspberry Pi 4? The book now includes notes for those who want to use the brand new Pi 4. As the Pi 4 was just released, many of the operating systems and tools are not 100% functional yet with the Pi 4. But you can install Kali Linux on the Pi 4, and use many of the popular security tools in Raspbian. Functionality will increase as time goes on and as tools are updated to work with the Pi 4.
I get asked a lot how to get
started in the computer security field and how to become an author. I figured I
would try to cover both questions in one article. This will probably be a
“living document” with things being added or changed as time goes on. If you any
questions, please let me know.
Learn the Craft
As with the normal IT field, the security field changes
almost every day, so it is good to constantly be a student. There are a lot of
outlets to learn from:
Local security groups have regular meetings
SANS classes are a great place to build your
career, they also have free webinars
Pentester’s Academy, Cybrary
Youtube – Irongeek’s channel is awesome!
There are tons of technical books & classes
available from publishers like Packt, O’Reilly, etc.
Capture the Flag practice sites &
Magazines, like Hakin9, Pentest Magazine, etc.
There are also numerous Security Certifications
you can pursue
Technical Schools, Colleges
Google is your friend!
As mentioned earlier, most security professionals have a blog, or video channel, check them out. For example, City College of San Francisco Security Professor Sam Bowne offers a lot of his class material to the public.
Follow & Network
Find people in the field that do what you want to do and follow their social media accounts, check out their books, blogs, watch their training or conference videos. Get connected with local security groups – there are multiple groups available, ISSA & OWASP are just a couple. The security groups are normally very open to new comers and those willing to learn.
Many (not all) security leaders are willing to help people
new to the field if they ask good questions. But realize they are very busy and
may not answer if you ask a question that you could have easily Googled.
Start a Blog
Write about what you like, what you are learning, what interests you. On my blog I simply wrote about the new things that I was learning as I explored cyber security. It wasn’t long before I had a very popular security news site contact me and ask me to write regular posts for them.
From there I was contacted by a top security magazine and asked to write articles for them. After I wrote for them for a while, I was asked to join their “beta test” team, a group of individuals that tech review articles and classes for the publisher. Around the same time, I was contacted by a book publisher and asked to be on their tech review team.
Even though I am pretty busy now with writing my own books and training material I am still on the tech review team for both publishers. It is a great opportunity to help out people new to the field and provides a great chance to meet & network with other like-minded security professionals.
Get Real-world Experience
I am all for people moving from other IT jobs into the security field. I think the previous experience dealing with hardware, software and people really helps. I started in the IT field ages ago and worked up through the ranks. I think I have held or performed about every IT job possible, lol.
Things have changed a lot in the security field since then. It is pretty well formed now, and with the proper education/ experience it is possible to get an entry level security job. When I started in security everything was new and pretty fluid.
I was one of our city’s first Microsoft MCSE’s. I learned everything I could about server security and support. Later, I dived into Ethical Hacking after the IT field started going through some changes in NY. Even though I was well versed in networking, servers, Linux, and corporate IT security, many of the techniques were very foreign to me, and eye opening.
I’ll never forget the day that I had an interview with one of the top server support companies in an adjacent city. It was when I was trying to explain what ARP attacks were to their top server guy, and the “what in the world are you talking about” look on his face, that I realized that there was a huge need for Ethical Hacking training.
I have performed security research and consulting now for years and really enjoy it. It is kind of funny, having military knowledge, being a weightlifter & martial artist, along with a security trainer has really opened up some very interesting client opportunities for me. I would really advise – be yourself!
Write for a Magazine
If you have been established in the field for some time, and want to try to take the jump from a blogger or trainer to published author, go for it! If you have never published before I would highly recommend approaching a magazine publisher first.
Magazines like Hakin9 are always looking for new authors, and it is a great way to “test the water” to see how your articles are received. It is also great for marketing as it will put your material in front of a lot of people worldwide.
When you submit an article for publishing it is reviewed by their tech review team, and you are given feedback as to whether the article is a fit for publishing. The article tech review process will also provide you with invaluable feedback on any technical issues or improvements needed with the article. If you are turned down, take to heart the review feedback, make changes and try again!
Write a Book!
Writing for a book publisher is similar, but a more involved
process. Usually the publishers are looking for specific themed books to be
written, so they want authors with that experience, and will want you to write
along with their topic. Some book publishers have tight deadlines, so you
should be prepared to invest a lot of time into working with the publisher. The
publisher will normally have a specific format that they want you to use, and
as you complete each chapter, it will be submitted to a tech review team for
Use great pictures! A picture is worth a thousand words –
Screenshots are always helpful, use large high contrast fonts (bold white text
on black works great), and make sure the picture clearly shows what you are
trying to do and that the text is easy to read. For example, don’t use a
screenshot of the entire desktop when just a snip of the terminal line will do.
For technical procedures, write down every step that you do
to produce the desired results. When done, go back over the procedure just
using what you have written down to make sure it includes all of the steps and
more importantly, that it actually works!
Use layman, non-technical terms as often as possible. The
best teachers can break down very technical procedures into common language
that is easily understood. Still interested in writing for a book publisher?
Reach out to them! Packt & NoStarch Press have “write for us” type
webpages, or you can try the “contact us” links on the other publisher’s
What if you want to write a book, but don’t want to write on a topic provided to you by a publisher? Services like Amazon’s Kindle Direct Publishing allows you to be your own publisher.
Self-publishing is a great option, but I will warn you from experience, it is a huge time sink – be prepared to set a lot of life aside to get this done. Book publishers provide you with a pre-existing format, editing & art services, and marketing. If you self-publish you will be doing all of this yourself, or will be paying for someone to do some or all of the steps for you.
Get a good editor, better yet, get three! I have been blessed with the help of an exceptional main editor. You have to love someone with multiple Doctorate degrees. Everything I write is run by him, and his input has been invaluable over the years. It is good though to have multiple people review your chapters for both technical and grammar issues.
Just remember, no matter what, mistakes will always make it through to the final book, so have a plan to deal with corrections. An errata/updates website for the book is always a good idea.
Plan your book covers – you will need graphics and a good
layout for your book covers. Hire a graphics designer or do this yourself if
you have the appropriate skills. But the book covers are usually something that
are overlooked in self-publishing, until the last minute. It is good to work on
them early and get them squared away, you can always tweak them later.
As you write, you will have self-doubts, and want to give
up, this is normal, and usually the strongest when you start, at the mid-point
and in the final crunch period. Believe in yourself and persevere, you will
thank yourself when you are finished!