A proper drop box should be discreet, inexpensive, and capable of running the tools necessary for a penetration test. There are many devices well-suited to the task, but for the purposes of writing this tutorial, I used a Raspberry Pi 3 model B+.
I chose to use Offensive Security's prebuilt Kali 2019.4 ARM image for Raspberry Pi, flashing the .img file to the MicroSD card according to the official instructions from the Raspberry Pi Foundation.
If you intend to do any wireless pentesting, you’ll also want to pick up a good, inexpensive wireless USB device, like this one, which supports packet injection and monitor mode.
Once your Pi is assembled and Kali is installed to the MicroSD card, connect it to a TV, mouse and keyboard, and power it on. After a moment, you'll be greeted with the login screen. Log in as root with the password toor.
Once the Kali desktop has loaded, open a command prompt with Ctrl+Alt+T, then enter the following command:
systemctl set-default multi-user.target
This command instructs the system to boot to a text-based console instead of a graphical interface by default. Next, we'll enable the SSH daemon. Before it starts, move the SSH host keys that ship in the image out of the way: every Pi flashed from the same .img has identical keys, so anyone who has downloaded the image could impersonate the box or sit in the middle of your SSH sessions. sshd cannot start with no host keys at all, so generate fresh ones (dpkg-reconfigure openssh-server creates any that are missing) before restarting it:
update-rc.d -f ssh remove
update-rc.d -f ssh defaults
mkdir /etc/ssh/kali_default_keys
mv /etc/ssh/ssh_host_* /etc/ssh/kali_default_keys/
service ssh restart
update-rc.d -f ssh enable 2 3 4 5
The update-rc.d lines are the traditional SysV way of registering the service; on this systemd-based image, systemctl enable ssh does the same job. Finally, write a message of the day that identifies the box and who owns it:
root@kali:~# cat <<EOF > /etc/motd
>
> Red-Team Drop Box: BOX-001
> Property of Pentest Company Incorporated
> EOF
Once this is complete, plug in an Ethernet cable for internet access, then reboot the Pi. The system should boot into a text console:
Kali GNU/Linux Rolling kali tty1

kali login: root
Password:
Last login: Wed Dec 4 19:10:47 UTC 2019 on tty1
Linux kali 4.19.81-Re4son-v7+ #1 SMP Wed Nov 6 10:16:47 AEDT 2019 armv7l

Red-Team Drop Box: BOX-001
Property of Pentest Company Incorporated
root@kali:~#
As before, log in as root with password toor. We should change that password, shouldn't we? Use the passwd command to do this:
root@kali:~# passwd
New password: [your new password]
Retype new password: [your new password]
passwd: password updated successfully
Be sure to pick a good password! This box will be left unattended on someone else's network with SSH listening, so a short or reused password is the first thing an attacker, or the client's blue team, will try.
Next, we need to update and upgrade the OS:
root@kali:~# apt update && apt upgrade -y
Get:1 http://kali.download/kali kali-rolling InRelease [30.5 kB]
Hit:2 http://http.re4son-kernel.com/re4son kali-pi InRelease
...
102 packages can be upgraded. Run 'apt list --upgradeable' to see them.
Reading package lists... Done
...
When prompted for input, I accepted the default values. Installation took a while to complete, so I got some coffee and talked with my cats. (They had plenty to say, but it was incomprehensible.) Once the upgrade was complete, I rebooted the system again, then logged in as root with the new password.
Finally, I used the ip a command to get the device's IP address, so that I could finish the installation and configuration from my laptop:
root@kali:~# ip a
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:e0:e6:ad brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global dynamic eth0
...
Wonderful! At this point, we’ve got a fully-capable Kali pentesting system. Now, we need to configure it to work as a drop box.
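The host-key, banner and service steps above, collected into one re-runnable provisioning script. This is an added example, not code from the original post: the ROOT prefix, the function names, and the refusal to restart sshd until host keys exist are my assumptions, chosen so the file-handling parts can be exercised in a scratch directory before being run as root on the real box.

```bash
#!/bin/bash
# Added example, not from the original post: the host-key, banner and service
# steps as one re-runnable script. ROOT is an assumed path prefix (empty on a
# live box) so the file-handling functions can be tried in a scratch tree.
set -eu

# Return 0 if at least one sshd private host key exists in directory $1.
# sshd refuses to start without host keys, so main() checks this before
# restarting the service.
host_keys_present() {
    d="$1"
    for f in "$d"/ssh_host_*_key; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Move the host keys shipped in the image (in $1) into backup directory $2.
# Every Pi flashed from the same .img carries identical keys, so anyone with
# the image can impersonate the box until these are replaced.
quarantine_image_keys() {
    ssh_dir="$1"; backup="$2"
    mkdir -p "$backup"
    chmod 700 "$backup"
    for f in "$ssh_dir"/ssh_host_*; do
        [ -e "$f" ] || continue      # unmatched glob: nothing to move
        mv "$f" "$backup"/
    done
}

# Generate fresh keys for every default host-key type missing under prefix $1.
# With -A, ssh-keygen's -f argument is a path prefix, so "/" means the live
# /etc/ssh; "dpkg-reconfigure openssh-server" does the same on a live box.
regenerate_host_keys() {
    ssh-keygen -A -f "${1:-/}"
}

# Write the identification banner to file $1 for box id $2 owned by $3.
write_motd() {
    printf '\nRed-Team Drop Box: %s\nProperty of %s\n' "$2" "$3" > "$1"
}

# Print the fingerprint of every public host key in $1. Record these before
# deployment and compare them with what your laptop shows on first connect;
# a mismatch means you are not talking to your box.
fingerprint_keys() {
    for pub in "$1"/ssh_host_*_key.pub; do
        [ -f "$pub" ] && ssh-keygen -lf "$pub"
    done
    return 0
}

main() {
    root="${ROOT:-}"                    # assumed: empty on the live system
    ssh_dir="$root/etc/ssh"
    backup="$ssh_dir/kali_default_keys" # same directory name the post uses
    box_id="${1:-BOX-001}"
    owner="${2:-Pentest Company Incorporated}"

    # Quarantine only once: on a rerun the keys in $ssh_dir are already ours.
    if host_keys_present "$backup"; then
        echo "image keys already moved to $backup; skipping" >&2
    else
        quarantine_image_keys "$ssh_dir" "$backup"
    fi
    regenerate_host_keys "$root"
    host_keys_present "$ssh_dir" || { echo "no host keys; refusing to start sshd" >&2; return 1; }
    write_motd "$root/etc/motd" "$box_id" "$owner"

    if [ -z "$root" ]; then             # service changes only on the live box
        systemctl set-default multi-user.target
        systemctl enable ssh
        systemctl restart ssh
    fi
    echo "New host key fingerprints (record these):"
    fingerprint_keys "$ssh_dir"
}

# Runs only when given a box id, e.g.: ./provision.sh BOX-001 "Pentest Company Incorporated"
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it once as root on the freshly flashed Pi and paste the printed fingerprints into the engagement notes; when you later connect from the laptop, the fingerprint SSH shows you should be one of them, and a rerun of the script after an apt upgrade will not touch the keys it already generated.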