Pi-Top Kali – The Purchase

In the last update on this project, I went over the thought process that led to my decision to purchase the pi-top 2 kit.  Today, I’ll cover how the purchase, order tracking, and shipping tracking went.

I went to the site to place my order, since the AdaFruit reseller didn’t have this style available yet.  The order itself was mostly straightforward, but the site had a few issues.  I chose to place the purchase as a “guest” because I didn’t see any need in creating an account with them.  My intent was to purchase this device, and then I had no reason to return.  There are only a few “modules” or add-ons available through their site, and none of them really appealed to me, so this should have been a one and done deal.  I put in my credit card information, and then had to fill out some profile information such as name, address, and so on.

The first problem I ran into was the phone number field.  It was a required field, but no matter how I plugged in my phone number, it said “this number must be a valid international number,” (paraphrasing.)  There was a little flag icon next to the phone number field, but clicking it didn’t do anything.  It finally let me put in a number that was just 7 digits long, which I knew wasn’t correct, but didn’t care since the rest of the information was correct, and it wasn’t my intent to have to come back to the site after this purchase.

The purchase went through, and I got an order number.  I checked my email, and indeed, I had an order confirmation email, as well.  While reading the order confirmation, I ran across this statement:

Any inquiries about your order? Have any other questions for us? Visit our support page or contact us at support@pi-top.com, quoting your order number.

I read the support page link, and it stated that I would need an account if I wanted order tracking.  This was not mentioned during the order process prior to placing my order as a guest.  The instructions indicated that I should create the account “with the same email address as I used to place my order.”  I did so.  The profile page was not filled in all the way, so I went in and included the same information… name, address, phone number, and so on.

This time, the phone number field’s “flag” let me select the United States to indicate my country of origin.  There is a separate drop down field (both on the order page, and on the profile page for the account I had just set up) that asks for your country.  It would have made much more sense if the phone number field had keyed off of that, instead of requiring the kludgey flag clickbox thing, but it is what it is.

The next problem I ran into is that the order number did not show on this new account page.  I waited until the next day in case the linking might take some time.  When I didn’t see order information the next day (Friday), I sent an email to the support email listed in the order confirmation email I had received.  This created yet another account that I had to set a password on, and the person that responded took two or three hours to respond.  Their question was to ask for which email I had used to order the package.  I felt this was an odd request, since I had used that same email to open my support request, but I sent a response within a minute of receiving this update, and waited.

I got no response the rest of that day.  I used the ticket system page itself to provide one more update as a “just in case my email reply didn’t go through” trigger, but still heard nothing over that weekend.  I just assumed that they were closed over weekends, and waited for Monday to roll back around in hopes of another update.

There were no status updates waiting for me Monday morning, so I sent another update request, since it should have been about noon U.K. time when I checked.  A couple of hours later, and I did get an update.  The update never did explain why the order status wasn’t showing on that account I set up, but it did include the tracking information, which is what I really wanted.  The package was already on a truck and out for delivery, so the shipping was very fast.

Based on my experiences, I can recommend that others create an account BEFORE purchasing, and be signed in DURING purchase of the kit.  I can’t guarantee that this will get you order tracking, but it has a better chance of it than the route I took.  All in all, the support experience wasn’t “great” but it was fast delivery (Ordered Thursday evening/Received Monday Afternoon,) and they did get me the tracking information before it was delivered.  Would I recommend this purchase?  So far, yes.

Pi-Top Kali – The Idea

As recently mentioned, I’ve been working on a few projects of late.  In preparation for an OpenSSH based class I might offer, I found myself wanting to offer a shorter class on OpenBSD’s VMM/VMD virtual machine hypervisor system.  In researching this VMM/VMD system, one of my tests involved booting a Linux live disk.  I chose Kali for this.  Getting it to boot wasn’t straightforward, due to the lack of a graphics KVM style console.  The VMM/VMD hypervisor uses serial connections to the guest operating systems, so I had to find all of the bells and whistles to pass to the Kali boot loader to make it boot to a usable login prompt.

Secondary to the above, and partially why Kali was chosen, is the fact that my GCIH is half its lifetime old.  It’s a 4 year certification, and I’ve had it for 2 years, now.  I got a reminder that renewal is coming up, and I began the refresher research on what’s involved in keeping this certification maintained through the renewal process.  One option is to take another SANS course, and get a new certificate from it.  While I would love to do this at some point, their courses are very expensive.  I also have an itch to try a different certification provider, and one of those stands out above the rest, to me.  I’ve decided I will likely go for the PWK (Pentesting With Kali) class from Offensive Security, and take the OSCP (Offensive Security Certified Professional) exam and certification.  This certification has “teeth” in that you don’t memorize a question/answer pool in order to answer a bunch of questions that are similar, but not exactly the same.  Instead, they give you about 48 hours (2 days) for the total exam.  The first day is to do an actual penetration test of a 5 machine environment, and the second day is to give you time to do a professional quality write up/report of the pentest as if you were presenting the report to a client.  The cost is within reason, and my family supports me in this endeavor.  To that end, Kali is on my radar as a “use this frequently” system this year.

I have several options for running Kali moving forward, and I will cover many of them as I go on this journey.  I will eventually go over running it in virtual machine environments up to and including VMware Workstation, Oracle VirtualBox, as a ProxMox guest, and of course, through the serial console as an OpenBSD VMM/VMD guest.  I may or may not get around to covering running it as a live bootable USB stick, or as a physical install to a typical x86_64 laptop.  All of these are things I’m looking at, but the first thing I’ll cover is installation and use on a Raspberry Pi.

I’ve made a few attempts at using Kali on a Raspberry Pi before.  I had trouble getting the TFT displays working satisfactorily, and I benched those projects due to the level of hassle and my own time constraints.  I knew that when I circled back around to this idea, I’d want a bigger screen than either of those TFT displays offered.  I want the device to be portable enough that I can take it almost anywhere and set up shop, but I need a display that gives me enough work space to actually … work.

The smallest display I was willing to look at was the 7 inch displays available, but my wife has a 7 inch tablet, and it’s only a little larger than a modern day smart phone.  My latest failed Kali attempt was on my own tablet, where Kali Nethunter never seemed to get installed properly no matter how many times I went through the process.  I like this screen size, and there are a few 10 inch displays available.  I almost settled on a device that used one of these when I discovered that there is actually a kit that turns a Raspberry Pi into a laptop form factor.

The two versions of the kit available on AdaFruit are the first version of this product.  One is green, and one is grey, but the kit itself is otherwise the same.  The project site has an updated “pi-top 2” design, which moves the trackpad down below the keyboard, and gives room for the keyboard to be full size, which works better for me.  I never liked trackpads in general, because I tend to brush the thing while I’m typing, but I’m sure I’ll work around this limitation somehow.  This case is also green, with no grey option available.  I would prefer grey, but I can live with the green case as long as it is as functional as I hope it will be.

After all of the research I’ve done, I have decided on the pi-top as my next Kali attempt.  I’ve made the purchase for the pi-top 2 style case, and will cover the experience of how the order/tracking went, unboxing, setting it up, running the pi-top polarisOS that comes with it, and getting Kali installed and running on the new machine.

The order arrived today, but the write up for that will be next week.

Back from the ether – sort of

UnixSecLab fell off without warning or explanation last quarter.  There were several factors involved in this sudden disappearance, but I won’t list them all.  Some were family related, and some were “hey everyone, I have a cool new project in the works, and I want to announce it to the world in a big way when it’s done” related.  So here’s the skinny on what was relevant for last quarter that I didn’t report.

  • The first big project I started was for a class on OpenSSH.  I’m working on breaking down the man pages, re-organizing them into related / relevant sections, and writing up a presentation on each section to go into deep detail on even the most esoteric settings, plus discuss security implications of some of the potentially dangerous ones.  This has been bouncing around in my head for a while, and is part of why one of my first organized series of posts was SSH Start to Finish Architecture.  This project tapered off over the quarter due to the above mentioned family issues, and the inspiration for a smaller product offering…
  • The smaller second project was to develop a class on OpenBSD’s virtual machine hypervisor.  The VMM/VMD class idea was due to how new this software is to the OpenBSD ecosystem, and the lack of documentation on its use and set up outside of (the excellent) man pages.  The man pages do make it seem straightforward to use, but one of my first hurdles was getting an off the cuff live Linux CD running.  I chose Kali (since I’m also doing security related stuff on the side unrelated to the OpenSSH class I intend to use this for.)  The first hurdles involved figuring out how to make Kali boot to a root prompt in multi-user mode without getting hung up on trying to load the graphics.  It’s not a VMM/VMD issue, it’s a Linux boot options issue I had to research.
  • Since I started both of those (still in progress) projects, Michael W. Lucas has put a brand new edition of SSH Mastery into sponsorship, and I’ve learned that there may be another author working on a book about the OpenBSD hypervisor software.  This author’s Twitter is @pb_double.
  • Hak5 announced a new device that I will want to cover a bit near the end of the year, as well.  The Packet Squirrel is a nifty hardware man-in-the-middle device that has a switch similar to the Bash Bunny so that you can set it to different modes on the fly without having to reprogram it every time you want to use it.  It comes with three pre-programmed modes, including a raw tcpdump mode, an OpenVPN mode, and a DNS spoof mode.  Some setup is required for the last two.
  • I got a notice that my GCIH certification will expire in two years.  I knew this already, but it reminded me that I need to get some continuing education credits, and possibly look for a new certification, as well.  The SANS institute’s on demand classes are a steep price for an individual, and while obtaining a new SANS/GIAC cert would meet all of the requirements to renew the GCIH, I’m looking at other options.  One of those is the Offensive Security Certified Professional.  This is the cert for their PWK class (Penetration testing With Kali.)  From what I’ve been reading, it’s a rigorous class with a lab full of 50+ target machines, and the certification exam is a 5 machine live pentest.  A little under 24 hours are spent testing these machines, and then another 24 hours are given to finish and submit a report on findings.  I’m strongly leaning this direction.
  • Since I’m leaning that direction, I need to brush up on my offensive skills a bit.  I found an article that covers a bit on how to prepare for the OSCP.  It has some suggested links to online capture the flag sites, as well as some general advice and resources on brushing up.  The last two days I’ve done two full CTF machines from Over The Wire, and it was a lot of fun.  I completed Bandit and Leviathan.
  • Another new find (for me) is an online security training site that doesn’t cost anything for the classes.  Cybrary.it has a lot of good content, from what I can gather thus far, and it’s worth a look if you’re on a budget and trying to get a foothold into this space.

The posts will still be a little sporadic for a bit, but we’re back, and we’re going to catch up on some lost work.  I’ll share some tidbits of things I’ve learned while doing the CTFs (without doing any walkthroughs or mentioning any specific machines) as well as try to wrap up some of the dangling series posts from last year.

Happy New Year (2018) and thanks for sticking with us during the information drought!