Wednesday, November 30, 2016

Installing Kali Linux on a Raspberry Pi

I installed Kali Linux the other day on my RPi2. It was very easy but I had to go back and forth to figure out a few things so I thought I would put all my thoughts and steps in this post.

For those of you unfamiliar with Kali Linux, it's a Penetration Testing platform that runs Linux and can be installed on a variety of devices.

To download Kali Linux for the Raspberry Pi go here:

https://www.offensive-security.com/kali-linux-arm-images/

Scroll down until you see the image for your particular Raspberry Pi. I have an RPi3 so I downloaded that image.


Once you've downloaded the image you will need to install the image on an SD card. The RPi 3 uses a micro SD card so what I've done is I bought a Micro SD card that has an adapter and then inserted that SD adapter into a USB adapter that will accept the SD card. I then plug it into my computer.

They have several ways to install the image (Windows, Linux, OS X, USB, etc). I will explain Windows and Linux.


WINDOWS INSTALL


To install the image using Windows you must first extract the image from the archive file you downloaded. I use WinRAR but you can use whatever you are most comfortable with.

After you unzip the image you should format your SD card. I use SD Formatter which can be found HERE

You can accept the defaults and hit format. Be sure you are formatting the drive letter associated with your SD card:



After you've formatted the SD card you will need to write the image to it using Win32 Disk Imager. I usually download it from SourceForge. Wherever you download it from, just make sure it's a trusted site.

Once you've downloaded Win32 Disk Imager, open it up, select the image you extracted earlier and be sure that under Device it shows the correct drive letter for your SD card. Once you have all of that in place, press Write.


Be patient. It could take a while for it to write the image. Mine took around 20 minutes.


Once it's done writing the image, safely eject the SD card from your computer, put it in the RPi and power it on.

Once it's done, you should do a few more things, which I will explain after the Linux tutorial.



LINUX TUTORIAL

First you will need to download and extract the image.

After you extract the image you will use the dd command to write the image to the SD card. In my case, I had a USB adapter that I put my SD card into and plugged it into my USB slot. 

Once your OS detects the SD card (via USB, an SD card reader, etc.) you must find out which device node it was assigned. The easiest way to do this is to run the command fdisk -l. This should list your SD card. Since I used a USB adapter, mine was located at /dev/sdb.

Yours may be different, especially if you are using an integrated SD card reader. Just be sure you know which device it is, otherwise you could wipe your hard drive(s) or another USB drive that is connected to your computer.

Once you are certain that you have the correct info you want to run this command (make sure you are in the directory with your image file):

dd if=kali-2.1.2-rpi2.img of=/dev/sdb bs=512k

Be sure to substitute the image name with the name of the image you downloaded, as well as the device (in my case my SD card was located at /dev/sdb).

It could take a while for the image to write to the SD card. Mine took about 20 minutes.

Once the image is written, safely eject the SD card and put it in the RPi and power it on.
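The wrong device in the dd command above is the mistake that wipes a hard drive, so the checks below refuse to write unless the image checksum matches, the target is flagged removable by the kernel, and none of its partitions are mounted. This is an added example, not part of the original post; it assumes a Linux host with /proc/mounts and /sys/block, and that you paste the SHA256 published next to the image download as the third argument.

```python
import hashlib
import os

def sha256_of(path, chunk=1 << 20):
    """SHA256 of the extracted image, to compare with the published checksum."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def mounted_under(dev, mounts_text):
    """Mount points of dev or any of its partitions, parsed from /proc/mounts text."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # /dev/sdb1 starts with /dev/sdb; /dev/mmcblk0p1 starts with /dev/mmcblk0
        if len(fields) >= 2 and fields[0].startswith(dev):
            hits.append(fields[1])
    return hits

def is_removable(dev, sysfs="/sys/block"):
    """True if the kernel flags the whole-disk device as removable (USB readers usually are)."""
    try:
        with open(os.path.join(sysfs, os.path.basename(dev), "removable")) as f:
            return f.read().strip() == "1"
    except OSError:
        return False

def preflight(dev, mounts_text, removable):
    """Return the reasons NOT to write to dev; an empty list means it is safe to proceed."""
    problems = []
    if not removable:
        problems.append(f"{dev} is not flagged removable; is this really the SD card?")
    for mp in mounted_under(dev, mounts_text):
        problems.append(f"{dev} has a partition mounted at {mp}; unmount it first")
    return problems

if __name__ == "__main__":
    import subprocess, sys
    # usage: python3 write_image.py kali-2.1.2-rpi2.img /dev/sdb <sha256 from the download page>
    image, dev, expected = sys.argv[1:4]
    if sha256_of(image) != expected.strip().lower():
        sys.exit("checksum mismatch: do not write this image")
    with open("/proc/mounts") as f:
        mounts = f.read()
    for problem in preflight(dev, mounts, is_removable(dev)):
        sys.exit(problem)
    subprocess.run(["sudo", "dd", f"if={image}", f"of={dev}", "bs=512k", "status=progress"], check=True)
```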


ONCE YOU HAVE KALI POWERED ON

Once you have the image installed on an SD card (no matter which install you used) and the RPi is powered on and Kali is booted you should do a few things.


The first thing I do is run sudo apt-get update and then sudo apt-get upgrade. This will bring Kali up to date with any new packages. This step could take 30 minutes or more.

Once that's done you will want to expand the SD card to use all available space (by default the image only creates a 6GB partition and doesn't expand it).

I got the info from THIS site but I will post what I did below. You need to download the raspi-config and use the tool to expand the partition.

Run these commands:

sudo wget http://archive.raspberrypi.org/debian/pool/main/r/raspi-config/raspi-config_20160322_all.deb

sudo apt-get install gdebi

sudo gdebi raspi-config_20160322_all.deb

Once the package is downloaded and installed, run the raspi-config program to expand the partition:

sudo raspi-config

You will want to select the option to expand the file system (should be the first option) and then reboot. Some people are saying that it didn't work or that it messed up their partition. I tried it and it worked. 

The last thing you want to do once you are using all available space is to install all the Kali Tools (optional of course). To do this run the following command:

sudo apt-get install kali-linux-full

This will take a long time as I believe it downloads a few gigs' worth of packages. You will also need to babysit it since at certain points it will ask for user input (i.e., MySQL password, etc.).


You also want to make sure you change your SSH host keys, since all the ARM images ship with the same pre-configured keys:

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
service ssh restart


Sunday, November 27, 2016

Backing up Plex Media Server (PMS)

For those of you that have a Plex Server, you know that a ton of data is held on the computer that hosts the server software. Thankfully, from what I have seen, you only need to back up two things:


  1. Registry Key
  2. Plex Media Server Folder

Excellent, but where are these located? 

The registry key is located at:

   HKCU\Software\Plex, Inc.\Plex Media Server

The Plex Media Server folder is located at:
  
  %localappdata%\Plex Media Server


I created a simple batch file to copy the registry key and folder to a NAS device on my home network. 

Here is the batch file:


@echo off

reg export "HKCU\Software\Plex, Inc.\Plex Media Server" p:\plex.reg /y

"c:\Program Files\WinRAR\rar.exe" a -r "d:\pms\pms-%date:/=-% %time::=-%.zip" "%localappdata%\Plex Media Server"

robocopy d:\pms\ p:\ /E /R:1 /W:1

del d:\pms\*.* /q

I export the registry key and then zip the Plex Media Server folder to my hard drive and then copy it to the NAS device. I then delete the file from my local hard drive.

A few things to keep in mind:


  1. The Plex Media Server folder can be pretty large. Mine was a little over 6GB.
  2. The updates folder inside the Plex Media Server Folder can be quite large. Mine had over 2GB of files and they are safe to delete. 
  3. Zipping the folder can take around 20-30 minutes. 

Once I created the batch file, I created a scheduled task to run it every Sunday at midnight.

Saturday, November 5, 2016

Powershell Malware

I've been wanting to post about this subject for a while now but haven't had the chance. Hopefully I can give everyone some info on this subject.

First, what is PowerShell malware? Simply put, it's PowerShell commands that go out and download PowerShell scripts that install keyloggers, take screenshots, copy clipboard data and download more code.

From what I can tell, this is the life cycle of PowerShell malware:


  1. A user clicks a link or otherwise gets a piece of malware on their computer, which starts the process.
  2. It creates a value called ComputerID under HKCU\Software\Microsoft\Windows\CurrentVersion.
  3. It will then create a value in HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  4. Some of the malware will create scheduled tasks so that even if you delete those values the scheduled task will recreate them.
  5. In domain environments it creates or adds to a GPO so that these values are pushed to all the computers in the domain, and it also creates scheduled tasks.

Here is what it looks like (I removed the full Base64 string):

Invoke-Expression(New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('rV............


To figure out what they're doing, substitute "Write-Host" for the "Invoke-Expression" at the beginning and run it, and you get the following (again, I took out the Base64 code and replaced it with dots):

Set-ItemProperty -Force -Path HKLM:Software\Microsoft\Windows\CurrentVersion -Name ComputerID -Value  "......................."; Set-ItemProperty -Force -Path HKLM:Software\Microsoft\Windows\CurrentVersion\Run -Name PowershellActiveDirectoryValue"`"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`" -c `"`$x=`$((gp HKLM:Software\Microsoft\Windows\CurrentVersion ComputerID).ComputerID);powershell -Win Hidden -enc `$x`""

The above is the PowerShell malware creating the registry values, with the command it will later run stored in Base64.
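Swapping Invoke-Expression for Write-Host, as done above, still runs the loader's decompression code on the analysis box. The same two layers (Base64 plus raw Deflate for the loader, then UTF-16LE Base64 in the ComputerID value that `-enc $x` consumes) can be peeled off statically instead. This is an added example, not the post's own tooling: the loader and stage 2 below are constructed fixtures that mimic the structure of the post's sample with a harmless command, and the Run value is simplified to the part that matters.

```python
import base64
import re
import zlib

# Constructed fixtures (the post's real Base64 blob is not reproduced). Stage 2 is
# harmless; it is stored the way the post's sample stores it, as UTF-16LE Base64
# in the ComputerID value that the Run entry later feeds to `powershell -enc`.
STAGE2 = 'Write-Host "constructed benign stage 2"'

def ps_enc(text):
    """Encode text the way `powershell -enc` expects it: Base64 of UTF-16LE."""
    return base64.b64encode(text.encode("utf-16-le")).decode()

def deflate_b64(text):
    """Raw Deflate then Base64: the layering the DeflateStream loader undoes."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(text.encode()) + c.flush()).decode()

STAGE1 = ('Set-ItemProperty -Force -Path HKLM:Software\\Microsoft\\Windows\\CurrentVersion '
          '-Name ComputerID -Value "' + ps_enc(STAGE2) + '"; '
          'Set-ItemProperty -Force -Path HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Run '
          '-Name PowershellActiveDirectory -Value "powershell -Win Hidden -enc $x"')
LOADER = ("Invoke-Expression(New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream("
          "[IO.MemoryStream][Convert]::FromBase64String('" + deflate_b64(STAGE1) + "'),"
          "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()")

B64 = r"([A-Za-z0-9+/]+=*)"

def inflate_loader(loader):
    """Recover stage 1 from a FromBase64String + DeflateStream loader; nothing is executed."""
    m = re.search(r"FromBase64String\('" + B64 + r"'\)", loader)
    if not m:
        return None
    return zlib.decompress(base64.b64decode(m.group(1)), -15).decode("utf-8", "replace")

def decode_computer_id(stage1):
    """Decode the UTF-16LE Base64 stashed in ComputerID, i.e. what `-enc $x` would run."""
    m = re.search(r'-Name ComputerID -Value\s+"' + B64 + '"', stage1)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

INDICATORS = ("Invoke-Expression", "FromBase64String", "DeflateStream", "-Win Hidden", "-enc ")

def indicators_in(text):
    """Substrings worth alerting on in PowerShell command-line or script-block logs."""
    low = text.lower()
    return [i for i in INDICATORS if i.lower() in low]
```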

At this point, when it executes those commands it goes to a website to download the other scripts that will create keyloggers, take screenshots, copy clipboard data, etc. It would look something like this:

http://X.X.X.X:9002/script?id=random&name=keylog

The port above is 9002 but it can be any port or just HTTPS.

The PowerShell scripts it downloads seem to be from PowerSploit. I won't link here but you can Google it or find more info on GitHub.

The worst part about this whole thing is that it will bypass all of your security measures. I mean, for the most part, who is blocking PowerShell commands? As administrators we use them all the time on all of our systems. Since it's just downloading files, most web filtering will let it through.

So how do you stop it? A couple of things, but not much (as far as I know at this point in time):

  1. Use AppLocker to put PowerShell in constrained language mode.
  2. Enable PowerShell logging and (if possible) centrally collect it.
  3. Whitelist known scripts and don't let anything else run PowerShell scripts. This can be done with AppLocker.
  4. Block ports that you don't need.

If I find any more info I will post it.

CREDIT

I want to thank Tanner Kinkead, tanner.kinkead@gmail.com for helping me decipher the code and filling in the missing pieces for me as well as the suggestions above on how to help prevent it.


