[Qubes-OS] Creating a WiFi pen-testing VM

One of the excellent qualities of Qubes-OS is the ability to create virtual spaces dedicated to a specific task, such as pentesting.

In this article I'm going to describe how to create a standalone VM for pentesting purposes.


1.- Create the VM first, and assign a WiFi card to it:

[dom0]$ qvm-create wififun --standalone --label yellow
[dom0]$ qvm-prefs -s wififun memory 800 # ensure at least this mem at startup
[dom0]$ qvm-prefs -s wififun kernel none # use own copy of kernel and modules
[dom0]$ qvm-pci -a wififun

It is important not to use the WiFi interface in any other VM, which is why an external WiFi card is recommended. When planning your HDD storage capacity, note that a standalone VM copies the whole root filesystem, so it will eat about 5GB of your disk.

Figure: architecture of the standalone VM for pentesting purposes.

2.- Start the new VM and install the prerequisite software there, starting with downloading reasonably new compat-wireless sources together with the required injection patches, and then building and installing the new kernel modules.

In this case the example uses the compat-wireless drivers, so the following lines fetch their sources and the patches needed to build them and prepare the system:

[wififun]$ wget
[wififun]$ wget
[wififun]$ wget
[wififun]$ wget

[wififun]$ sudo yum install kernel-devel patch gcc

[wififun]$ tar xjf compat-wireless-2011-07-14.tar.bz2
[wififun]$ cd compat-wireless-2011-07-14
[wififun]$ patch -p1 < ../channel-negative-one-maxim.patch
[wififun]$ patch -p1 < ../mac80211-2.6.29-fix-tx-ctl-no-ack-retry-count.patch
[wififun]$ patch -p1 < ../mac80211.compat08082009.wl_frag+ack_v1.patch

[wififun]$ make
[wififun]$ sudo make unload
[wififun]$ sudo make install

3.- Reboot the VM to ensure that all the patched drivers get properly loaded on each VM boot:

[dom0]$ qvm-run --shutdown --wait wififun
[dom0]$ qvm-run -a wififun gnome-terminal

If the WiFi driver loads properly, go on:
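As an added example (not from the original post or the Qubes project), the following script is one way to make the "driver loaded properly?" check of step 3 repeatable inside the wififun VM: it scans the dmesg output for the mac80211 phy registration line and for the usual firmware-failure signatures, and checks that a wlan interface exists. The dmesg lines and interface lists embedded here are constructed samples so the script runs offline; the message patterns it greps for are assumptions about typical driver output, not text from the original page.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the patched
# compat-wireless driver came up after the VM reboot.
# On a live VM run:  check_wifi_driver "$(dmesg)" "$(ls /sys/class/net)"

# check_wifi_driver DMESG_TEXT IFACE_LIST
# returns 0 if no driver/firmware error was logged, a mac80211 phy was
# registered, and a wlan* interface exists; otherwise prints the reason
# and returns 1 (error logged), 2 (no phy) or 3 (no interface).
check_wifi_driver() {
    dmesg_text=$1
    iface_list=$2

    # failure signatures (assumed patterns for common firmware/probe errors)
    if printf '%s\n' "$dmesg_text" | grep -qiE 'firmware.*(failed|not found)|failed to (load|initialize)'; then
        echo "driver reported an error, inspect dmesg"
        return 1
    fi
    # mac80211 registers a phyN when the module loaded and probed the card
    if ! printf '%s\n' "$dmesg_text" | grep -qE 'ieee80211 phy[0-9]+:'; then
        echo "no mac80211 phy registered, module probably not loaded"
        return 2
    fi
    if ! printf '%s\n' "$iface_list" | grep -qE '^wlan[0-9]+$'; then
        echo "no wlan interface present"
        return 3
    fi
    echo "wifi driver loaded"
    return 0
}

# Constructed sample data standing in for `dmesg` and `ls /sys/class/net`.
GOOD_DMESG='usb 1-1: new high-speed USB device number 2 using ehci_hcd
ieee80211 phy0: Atheros AR9271 Rev:1
cfg80211: World regulatory domain updated:'
BAD_DMESG='usb 1-1: new high-speed USB device number 2 using ehci_hcd
ath9k_htc: Failed to load firmware ar9271.fw
ath9k_htc: Failed to initialize the device'
GOOD_IFACES='eth0
lo
wlan0'
BAD_IFACES='eth0
lo'

main() {
    check_wifi_driver "$GOOD_DMESG" "$GOOD_IFACES"
    check_wifi_driver "$BAD_DMESG" "$BAD_IFACES" || true
}
main
```

The return codes let you wire the check into the VM's startup sequence and stop before step 4 when the driver did not come up.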

4.- Prepare the WiFi security tools and resolve any problems as you would on any Linux system; the dmesg log is useful for debugging. For example:

[wififun]$ sudo bash
[wififun]# yum install aircrack-ng dnsmasq
[wififun]# airmon-ng start wlan0
[wififun]# iptables -F INPUT
[wififun]# iptables -F FORWARD
[wififun]# echo "1" > /proc/sys/net/ipv4/ip_forward

You don't need to add any explicit masquerading rules, as they are applied by default on Qubes VMs. Edit /etc/dnsmasq.conf so that it contains at least the following:


5.- Start the dnsmasq daemon -- we will use it to provide DHCP to our fake AP:

[wififun]# /etc/init.d/dnsmasq start
[wififun]# airbase-ng -e free_wifi mon0

6.- Configure the at0 interface and check it (make sure it matches what you wrote into dnsmasq.conf):

[wififun]# ifconfig at0 up
[wififun]# tcpdump -i at0

Please note that, as your wififun VM is a regular Qubes VM, it is automatically connected to the default NetVM, which in turn provides networking to it. That's why it is so easy to create a fully functioning fake AP.

Some Issues:

Catch #1: When you start a driver domain late after system boot, i.e. after days of uptime and extensive use of VMs, Xen might not be able to allocate enough contiguous memory (in terms of MFNs) for the driver domain.

The workaround is to close as many VMs as possible before starting such a driver domain, and also to reduce, for a moment, the amount of memory assigned to dom0:

[dom0]$ xm mem-set 0 1600m

after which starting the driver domain should be fine.
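As an added example (not from the original post or the Qubes project), this dom0 script reads the free_memory field of `xm info` and compares it with the startup memory the VM was given with qvm-prefs, so you can tell before starting the driver domain whether Catch #1 is likely to bite. Free memory is only a necessary condition here, since the catch is about contiguous memory, so a pass does not guarantee the start succeeds. The xm info excerpt is a constructed sample so the script runs offline; the 128MiB safety margin is an assumption, not a value from the original text.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight memory check
# for starting a driver domain on a long-running Qubes system.
# On a live dom0 run:  memory_check "$(xm info)" 800

# xen_free_mb XM_INFO_TEXT -> prints the free_memory value (MiB) from xm info
xen_free_mb() {
    printf '%s\n' "$1" | awk -F':' '/^free_memory/ { gsub(/ /, "", $2); print $2; exit }'
}

# memory_check XM_INFO_TEXT WANTED_MB
# returns 0 when free memory covers the VM's startup memory plus a margin,
# 1 when it does not (and prints the Catch #1 workaround), 2 on parse failure.
memory_check() {
    free_mb=$(xen_free_mb "$1")
    wanted_mb=$2
    margin_mb=128    # assumed safety margin, not from the original text
    if [ -z "$free_mb" ]; then
        echo "could not read free_memory from xm info output"
        return 2
    fi
    if [ "$free_mb" -ge $((wanted_mb + margin_mb)) ]; then
        echo "free=${free_mb}MiB, enough for a ${wanted_mb}MiB driver domain"
        return 0
    fi
    echo "free=${free_mb}MiB, short for ${wanted_mb}MiB: shut down idle VMs, then 'xm mem-set 0 1600m' and retry"
    return 1
}

# Constructed excerpt of `xm info` output (only the fields used here).
SAMPLE_XM_INFO='host                   : dom0
release                : 3.0.4-xen
total_memory           : 8192
free_memory            : 512
xen_major              : 4'

main() {
    # 800MiB matches the qvm-prefs memory setting used for wififun above
    memory_check "$SAMPLE_XM_INFO" 800 || true
}
main
```

Run it before `qvm-start wififun` rather than after a failed start, since the point of the check is to decide whether VMs need shutting down first.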

Catch #2: Some network cards, notably ExpressCards, might not work well with the 3.0.4 pvops kernel that we use in all VMs by default. Try using the xenlinux kernel in your WiFi fun VM:

[dom0]$ sudo qvm-dom0-update kernel-qubes-vm-
[dom0]$ cp /var/lib/qubes/vm-kernels/* /var/lib/qubes/appvms/wififun/kernels/
[dom0]$ qvm-prefs wififun -s kernelopts "swiotlb=force"

[wififun]$ sudo yum install kernel-devel-

Then rebuild compat-wireless, unload and install the modules, and load the drivers again.

Source: The Invisible Things Labs