The Slightly Disgruntled Scientist



A Hybrid Kali/Debian Wheezy Live Distro


There are two things that I particularly love doing: security auditing, and tinkering with live distributions. It is very intriguing to see exactly how weak or strong your own electronic devices are against various attacks, and sometimes very contrary to expectations.

This is, of course, an extension of my usual love of seeing exactly what new and strange things I can get my old electronic devices to do, which brings us to live distributions. Live distros are simply operating systems designed to work from removable media, usually across multiple, different devices. For example, I once turned an old laptop into an ethernet/wireless bridge for my games console, by creating a live distro that ran off a USB stick. Boot with the USB stick: it’s a bridge! Without the USB: it’s my old laptop again! This gets even better if you’re dealing with embedded systems, systems with no permanent storage, etc.

(Live distros are also a gateway drug to stateless distributions, which are absolutely fascinating for repeatable engineering processes, testing, compliance, etc.)

Kali is Amazing

Given these two interests, it’s amazing that I hadn’t heard about Kali Linux until last week. Kali is a Debian-based OS, primarily designed for live usage, that is all about security testing.

So what?

Anyone who has ever tried security testing from their main OS knows what a pain it can be. Patch these drivers. Downgrade these packages. Install this thing from git. Oh no it sprayed random files all over your meticulously managed distro lol oops sorry not sorry…

But Kali gives you a nice, safe live distro, complete with patched drivers, recent kernels, up-to-date software, etc. Run it, mess around, hack on whatever, check to see if the router you bought from that dodgy shop in Ultimo patched a nasty WPS vulnerability, then reboot back into your normal day-to-day OS.

I felt like a ninja. In a tuxedo. WITH POISON DARTS.

There Was But One Problem…

…and that was, Kali didn’t work too well on my machine. When using the virtual consoles (accessed with Ctrl+Alt+F1), I got missed or repeated keystrokes. I couldn’t do serial debugging when running under Qemu. There were extra utilities that I wanted to install, and some cruft that I wanted to remove. Then I discovered that Kali actually provides instructions and repositories for building your own Debian-based live image.

At this point I’m just drunk on sheer technological possibility.

I’ve used live-build a lot before, and it’s a wonderful tool. Its major drawback is that it’s a fast-moving target, and Kali seems to be a little behind. Using the instructions on the website proved problematic with the version of live-build (4 point something) in Debian Wheezy (which is what I use for packaging and certain kinds of tinkering).

When I tried simply using live-build with the Kali repos as the main package source (as per their git repo), the live-config hooks didn’t run, which meant the live user wasn’t set up, the serial console wasn’t available, and so on.

Hybrid Time

I decided to take a different approach: to try building a normal Debian Wheezy live image instead, with the Kali repos included as extra repositories. The Kali updates to specific packages would be installed where they supersede the Wheezy ones (or I could use APT pinning), and I could have fine-grained control over what got installed, or use Kali’s metapackages if I wanted.

I called the result Dart (see my ninja comment above), and it seemed to work… sort of.

It worked in that I got a live image with some of Kali’s tools installed. Unfortunately, some of them didn’t work like they did on Kali’s ISO image.

Reaver Issues

The most reproducible example I could find (of tools not working the same) is Reaver, a tool for checking vulnerability to weaknesses in the Wi-Fi Protected Setup (WPS) feature.

Under Kali’s ISO it associated with the access point just fine and proceeded to crunch through PINs for hours (although I never let it run long enough to see what the result was):

root@kali:~# service network-manager stop
[ ok ] Stopping network connection manager: NetworkManager.
root@kali:~# killall wpa_supplicant
root@kali:~# ifconfig wlan0 down
root@kali:~# airmon-ng start wlan0 ${CHAN}


Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
3692    dhclient


Interface   Chipset     Driver

wlan0       Unknown     rtl8723be - [phy0]
                (monitor mode enabled on mon0)

root@kali:~# iwconfig wlan0 channel ${CHAN}
root@kali:~# iwconfig mon0 channel ${CHAN}
root@kali:~# reaver -i mon0 -e "${ESSID}" -b ${BSSID} -c ${CHAN} -vv -S

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 6
[+] Waiting for beacon from 64:70:02:A0:D5:17
[+] Associated with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00005678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01235678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK

…etc. But under my live image, it couldn’t complete the WPS transaction and repeatedly lost association:

root@dart:~# service network-manager stop
network-manager: unrecognized service
root@dart:~# killall wpa_supplicant
wpa_supplicant: no process found
root@dart:~# ifconfig wlan0 down
root@dart:~# airmon-ng start wlan0 ${CHAN}

Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
5953    dhclient


Interface   Chipset     Driver

wlan0       Unknown     rtl8723be - [phy0]
                (monitor mode enabled on mon0)

root@dart:~# iwconfig wlan0 channel ${CHAN}
root@dart:~# iwconfig mon0 channel ${CHAN}
root@dart:~# reaver -i mon0 -e "${ESSID}" -b ${BSSID} -c ${CHAN} -vv -S

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 6
[+] Waiting for beacon from 64:70:02:A0:D5:17
[+] Associated with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[+] Trying pin 12345670
[!] WARNING: Failed to associate with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin 12345670
[!] WARNING: Failed to associate with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x02), re-trying last pin
[+] Trying pin 12345670
[!] WARNING: Failed to associate with 64:70:02:A0:D5:17 (ESSID: Jeff Winger's Wireless Hairdryer)

This is on the same machine, with the same router (a TP-LINK TD-W8960N with fully updated firmware), sitting right next to the computer (so I know it’s not signal level). The wireless adapter is an RTL8723BE — notorious for working poorly under Linux, but the fact that my first attempt worked suggests that this isn’t the problem.

I had thought that perhaps the router was locking out my second attempt simply due to order, but trying it again a day later, I didn’t see anything different. In both cases the wash utility could see that WPS was enabled and not locked (which was consistent with what the router told me).

I am aware that there’s a trick you can do with aireplay-ng -1 ... and reaver ... -A to maintain association, but that doesn’t actually help here. And, more to the point, it wasn’t necessary on Kali, so what’s different?

The version of Reaver is the same (1.4-2kali9), and custom building a package from SVN head doesn’t help either. The kernel is slightly different (3.18.3-1~kali4 on Kali’s ISO, 3.18.6-1~kali1 on my image), but injection still works (according to aireplay-ng).

I don’t know what else might be different. I can’t find any other configuration tweaks or suchlike that might affect this.
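To compare two reaver -vv sessions like the ones above more systematically, here is an added example (my own, not code from the post or from Reaver) that reduces each session to a per-PIN summary: how far the WSC exchange got, whether the AP repeated its identity request, whether association dropped, and the failure code. The embedded logs are constructed excerpts in reaver's output format with a placeholder BSSID, not the captures above.

```python
import re

# WSC messages reaver reports on receipt, in protocol order: a higher index means the exchange got further.
STAGES = ["Received identity request"] + [f"Received M{n} message" for n in (1, 3, 5, 7)]

def triage(log):
    """Per 'Trying pin' attempt: furthest stage reached, repeated identity
    requests, association failures and the WPS failure code, from reaver -vv."""
    attempts, cur = [], None
    for line in log.splitlines():
        m = re.match(r"\[\+\] Trying pin (\d{8})", line)
        if m:
            cur = {"pin": m.group(1), "stage": -1, "ident_dups": 0,
                   "assoc_fail": 0, "code": None}
            attempts.append(cur)
        elif cur is None:  # banner lines before the first attempt
            continue
        elif "Received identity request" in line and cur["stage"] >= 0:
            cur["ident_dups"] += 1  # AP asked again: our identity reply was lost
        elif "Failed to associate" in line:
            cur["assoc_fail"] += 1
        elif "WPS transaction failed" in line:
            cur["code"] = re.search(r"0x[0-9a-fA-F]+", line).group(0)
        else:
            for i, stage in enumerate(STAGES):
                if stage in line:
                    cur["stage"] = max(cur["stage"], i)
    return attempts

def diagnose(attempts):
    """One-line verdict; the checks run in the order the symptoms are worth chasing."""
    if not attempts:
        return "no attempts"
    if any(a["assoc_fail"] for a in attempts):
        return "association drops mid-exchange"
    if any(a["ident_dups"] for a in attempts):
        return "AP repeats identity request: EAP replies not reaching it"
    return "healthy" if all(a["stage"] >= 2 for a in attempts) else "stalls before M3"

# Constructed excerpts in reaver's format with a placeholder BSSID, not the post's captures.
HEALTHY = "\n".join("[+] " + s for s in [
    "Trying pin 12345670", "Received identity request", "Received M1 message",
    "Received M3 message", "Received WSC NACK", "Trying pin 00005678",
    "Received identity request", "Received M1 message", "Received M3 message"])
STALLED = "\n".join([
    "[+] Trying pin 12345670", "[+] Received identity request",
    "[!] WARNING: Failed to associate with 00:11:22:33:44:55 (ESSID: test)",
    "[+] Received identity request", "[+] Received M1 message", "[+] Received M1 message",
    "[!] WPS transaction failed (code: 0x03), re-trying last pin",
    "[+] Trying pin 12345670", "[!] WARNING: Receive timeout occurred",
    "[!] WPS transaction failed (code: 0x02), re-trying last pin"])
```

Feeding both real captures through `triage` and diffing the summaries shows at a glance that the Dart session never gets past M1 and repeats the same PIN, which is the difference worth explaining before looking at package versions.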

Kali Metapackage Problems

To this point I’d been carefully selecting individual Kali packages to suit my needs and adding them to config/includes.chroot/package-lists/kali.linux.chroot. I figured I might be able to solve my problems by installing some of Kali’s metapackages, so first I tried:

kali-linux
kali-linux-wireless

Didn’t help. So then I tried going for broke and just adding kali-linux-full. Surprise surprise, that caused exactly the same problem as building an image directly from the Kali repositories! None of the live-config hooks were run, so I couldn’t log in to my live image!

What Next?

So at this point… I’m stumped. I’d like to stay with my Wheezy-based image if possible, but it really looks like there’s an incompatibility between Kali and Wheezy’s live-build tool. But I still find it very strange that reaver (and certain other tools) work on one image but not another, even though the package itself (and, as far as I could tell, most of the dependencies) is the same.

So if anyone has any suggestions on how to debug this further, I would love to hear them!

Progress: Jessie/Kali

A while later I figured out how to get a Kali/Jessie hybrid working. It took me a long time because using live-build on Jessie to build Jessie is, in fact, broken. Several of the live-config components don’t actually work, and there is no mention of this on the Debian bug tracker, mailing lists, or forums.

There is also the fact that one Kali package, winexe, is uninstallable on Jessie due to an absent Samba library. This was easy to work around by building an equivs dummy package (since I don’t use winexe).

Eventually I got a Jessie/Kali live distro up and running…

Still Stuck

…but alas, Reaver still refuses to work.

In fact, if anything, it works worse. (Although that’s probably due to a known issue with newer versions of libpcap0.8.)
