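Kali Linux NetHunter Kernel Build Guide
0x00 Preface
In recent years, with the rise of HVV (attack-and-defense exercise) campaigns, new concepts keep appearing, and close-access (near-source) penetration testing is one of them. A hacker out in the field needs a few handy tools. Many people have probably dreamed of owning a dedicated hacker phone that lets them hack wherever they go. Does such a phone exist? It does: NetHunter covers all of these needs.
Kali Linux NetHunter is a penetration testing environment for the Android platform, built by the Offensive-Security team. With Kali Linux NetHunter we can carry out close-access penetration activities such as cracking WiFi with an external wireless adapter, emulating a BadUSB device for HID attacks, attacking Bluetooth with an external USB Bluetooth adapter, and so on. The list of officially supported device models is available on the Kali Linux NetHunter website.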
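Requirements for the reader
If you know how to flash Android devices and your phone model happens to be officially supported, just follow the official tutorial step by step. If your phone is not officially supported, but you are comfortable with Linux, know some Android development and C, and want to port NetHunter to it, this tutorial shows how to adapt Kali NetHunter to a phone without official support.
Before you start
· An Android phone with an unlockable bootloader and open-source kernel source
· A high-performance x86_64 PC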
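Choosing the kernel source
Choosing the cross-compilation toolchain
Older kernels (below 3.18.x) are generally built with Google GCC 4.9.
Newer kernels (4.4.x and above) are best built with Clang.
For the Google GCC compiler, download it with the following commands.
64-bit:
32-bit:
For the Clang compiler, download it with the following commands.
Google's official Clang:
Proton-clang:
How to find the kernel source for your phone
For phones whose kernel source has been released, searching GitHub by keyword is usually enough to find a suitable tree. Typical keywords are android_kernel_<vendor>_<CPU codename>, kernel_<vendor>_<CPU codename>, or kernel_<vendor>_<device codename>.
For example, my device is a Xiaomi Redmi 4X: the vendor is xiaomi, the CPU codename is MSM8937, and the device codename is santoni, so I can search GitHub for android_kernel_xiaomi_msm8937, kernel_xiaomi_santoni, or kernel_xiaomi_msm8937 to find the kernel source for this device.
Also note that the kernel source should match the Android version of the ROM currently on the phone as closely as possible. For example, if the phone runs LineageOS, look for the LineageOS kernel source for it, on the matching branch.
You can also look on the XDA forums for kernel sources published by other third-party developers.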
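0x01 Environment setup
I use a Kali Linux system installed in a VMware virtual machine for this demonstration.
VMware Workstation Pro virtual machine: download link
ADB-FASTBOOT tools for Linux: download link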
0x02 System settings
Configure the update sources
Update the system
```bash
apt update && apt upgrade -y && apt full-upgrade -y && reboot
```
0x03 Install build dependencies
```bash
apt install -y curl wget vim git ccache automake flex lzop bison gperf \
build-essential zip zlib1g-dev g++-multilib libxml2-utils bzip2 libbz2-dev \
libbz2-1.0 libghc-bzlib-dev squashfs-tools pngcrush schedtool dpkg-dev \
liblz4-tool make optipng maven libssl-dev pwgen libswitch-perl \
policycoreutils minicom libxml-sax-base-perl libxml-simple-perl bc \
libc6-dev-i386 lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z-dev \
libgl1-mesa-dev xsltproc unzip device-tree-compiler kmod python3 python3-pip
```
0x04 Download the cross-compilation toolchain
0x05 Download the kernel source
0x06 Build the kernel
Set environment variables
```bash
export ARCH=arm64
export SUBARCH=arm64
export KBUILD_BUILD_HOST=kali
export KBUILD_BUILD_USER=root
export LOCALVERSION=-NetHunter
# Put the Proton-clang toolchain first on PATH
export PATH="/root/proton-clang/bin:$PATH"
mkdir out
# Common arguments passed to every make invocation below
args="-j$(nproc --all) \
ARCH=arm64 \
SUBARCH=arm64 \
O=out \
CC=clang \
CROSS_COMPILE=aarch64-linux-gnu- \
CROSS_COMPILE_ARM32=arm-linux-gnueabi- \
CLANG_TRIPLE=aarch64-linux-gnu- \
AR=llvm-ar \
NM=llvm-nm \
OBJCOPY=llvm-objcopy \
OBJDUMP=llvm-objdump \
STRIP=llvm-strip "
```
Apply the patches
Choose the patches that match your kernel version. My kernel is 4.9, so I use the patches for the 4.9 kernel.
Generate the defconfig
```bash
make ${args} mrproper
make ${args} santoni_treble_defconfig
```
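Configure kernel options with the menu interface
The following may differ between kernel versions; go by what your own tree shows!
```bash
make ${args} menuconfig
```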
First enter "General setup"
Select "Local version - append to kernel release" and clear its contents
Then uncheck "Automatically append version information to the version string"
Next select "Default hostname" and enter "kali"
Then check "System V IPC"
Then return to the previous menu
Next enter "Enable loadable module support"
Check the following options:
"loadable module support"
"Forced module loading"
"Module unloading"
"Forced module unloading"
"Module versioning support"
Then return to the previous menu
Next enter "Networking support" -> "Bluetooth subsystem support" -> "Bluetooth drivers support"
Check the following options:
"HCI USB driver"
"Broadcom protocol support"
"Realtek protocol support"
"HCI UART driver"
"HCI BCM203x USB driver"
"HCI BPA10x USB driver"
"HCI BlueFRITZ! USB driver"
Then return to the previous menu
Check the following options:
"Bluetooth Classic (BR/EDR) features"
"RFCOMM protocol support"
"RFCOMM TTY support"
"BNEP protocol support"
"HIDP protocol support"
"Bluetooth Low Energy (LE) features"
Then return to the previous menu
Enter "Wireless" and check the following options:
"nl80211 testmode command"
"use statically compiled regulatory rules database"
"cfg80211 wireless extensions compatibility"
"Generic IEEE 802.11 Networking Stack (mac80211)"
"Enable mac80211 mesh networking (pre-802.11s) support"
Then return to the previous menu
Next enter "Device Drivers" -> "Network device support" -> "USB Network Adapters"
Check the following options:
"USB RTL8150 based ethernet device support"
"Realtek RTL8152/RTL8153 Based USB Ethernet Adapters"
"ASIX AX88xxx Based USB 2.0 Ethernet Adapters"
"ASIX AX88179/178A USB 3.0/2.0 to Gigabit Ethernet"
Then return to the previous menu
Next enter "Wireless LAN"
Check the following options:
"Atheros/Qualcomm devices"
"Atheros HTC based wireless cards support"
"Linux Community AR9170 802.11n USB support"
"Atheros mobile chipsets support"
"Atheros ath6kl USB support"
"MediaTek devices"
"MediaTek MT7601U (USB) support"
"Ralink devices"
"Ralink driver support"
"Realtek devices"
"Realtek 8187 and 8187B USB support"
"Realtek rtlwifi family of devices"
"RTL8723AU/RTL8188[CR]U/RTL819[12]CU (mac80211) support"
"Include support for untested Realtek 8xxx USB devices (EXPERIMENTAL)"
"ZyDAS devices"
"USB ZD1201 based Wireless device support"
"ZyDAS ZD1211/ZD1211B USB-wireless support"
"Wireless RNDIS USB support"

In "Ralink driver support", check the following options:
"Ralink rt2500 (USB) support"
"Ralink rt2501/rt73 (USB) support"
"Ralink rt27xx/rt28xx/rt30xx (USB) support"
"rt2800usb - Include support for rt33xx devices"
"rt2800usb - Include support for rt35xx devices (EXPERIMENTAL)"
"rt2800usb - Include support for rt3573 devices (EXPERIMENTAL)"
"rt2800usb - Include support for rt53xx devices (EXPERIMENTAL)"
"rt2800usb - Include support for rt55xx devices (EXPERIMENTAL)"
"rt2800usb - Include support for unknown (USB) devices"

In "Realtek rtlwifi family of devices", check
"Realtek RTL8192CU/RTL8188CU USB Wireless Network Adapter"
Then return to the main menu
Enter "Device Drivers" -> "Multimedia support"
Check:
"Digital TV support"
"Software defined radio support"
"Media USB Adapters"

In "Media USB Adapters", check:
"Airspy"
"HackRF"
"Mirics MSi 2500"
Then scroll to the bottom and uncheck "Autoselect ancillary drivers (tuners, sensors, i2c, spi, frontends)"
Uncheck every option inside "I2C Encoders, decoders, sensors and other helper chips"
Uncheck every option inside "Customize TV tuners" except "Rafael Micro R820T silicon tuner"
Inside "Customise DVB Frontends", uncheck every option except:
"Realtek RTL2830 DVB-T"
"Realtek RTL2832 DVB-T"
"Realtek RTL2832 SDR"
Then return to the main menu
Enter "Device Drivers" -> "HID support"
Check:
"Battery level reporting for HID devices"
"/dev/hidraw raw HID device support"
"User-space I/O driver support for HID subsystem"
"Generic HID driver"
Check every option inside "Special HID drivers", "USB HID support" and "HID over I2C transport layer"
Then return to the previous menu

Next enter "Device Drivers" -> "USB support"
Check:
"Support for Host-side USB"
"OTG support"
"USB Modem (CDC ACM) support"
"USB Wireless Device Management support"
"USB Mass Storage support"
"USB Serial Converter support"

In "USB Serial Converter support", check:
"USB Serial Console device support"
"USB Generic Serial Driver"
"USB Serial Simple Driver"
"USB Winchiphead CH341 Single Port Serial Driver"
"USB CP210x family of UART Bridge Controllers"
"USB FTDI Single Port Serial Driver"
"USB Prolific 2303 Single Port Serial Driver"

In "USB Gadget Support", check:
"USB functions configurable through configfs"
"Generic serial bulk in/out"
"Abstract Control Model (CDC ACM)"
"Object Exchange Model (CDC OBEX)"
"Network Control Model (CDC NCM)"
"Ethernet Control Model (CDC ECM)"
"Ethernet Control Model (CDC ECM) subset"
"QCRNDIS"
"RNDIS"
"RMNET_BAM"
"Ethernet Emulation Model (EEM)"
"Mass storage"
"Function filesystem (FunctionFS)"
"MTP gadget"
"PTP gadget"
"Accessory gadget"
"Audio Source gadget"
"Uevent notification of Gadget state"
"MIDI function"
"HID function"
"USB Diag function"
"USB Serial Character function"
"USB CCID function"
"USB QDSS function"
Then return to the main menu, exit and save the configuration
Save the configuration
```bash
make ${args} savedefconfig
```
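To confirm that the menuconfig choices above actually landed in the build configuration, the following added example (not part of the original post) checks a .config for a representative subset of them. The CONFIG_ symbol names are the mainline Kconfig names for those menu entries, which is an assumption for vendor trees, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit a kernel .config against the options selected in this guide.
# Symbol names are mainline Kconfig names (assumption: the vendor tree keeps them).
REQUIRED="SYSVIPC MODULES MODULE_FORCE_LOAD MODULE_UNLOAD MODULE_FORCE_UNLOAD MODVERSIONS \
BT_HCIBTUSB BT_RFCOMM BT_BNEP BT_HIDP MAC80211 CFG80211_WEXT \
HIDRAW UHID USB_CONFIGFS_F_HID ATH9K_HTC MT7601U RT2800USB"

# Constructed sample: a .config fragment that passes every check (not from a real build).
sample_config() {
    for sym in $REQUIRED; do echo "CONFIG_${sym}=y"; done
    echo 'CONFIG_LOCALVERSION=""'
    echo '# CONFIG_LOCALVERSION_AUTO is not set'
    echo 'CONFIG_DEFAULT_HOSTNAME="kali"'
}

# Print one line per problem; return 0 only when the config matches the guide.
check_config() {
    cfg=$1
    rc=0
    for sym in $REQUIRED; do
        # Built-in (=y) and module (=m) are both acceptable.
        if ! grep -Eq "^CONFIG_${sym}=[ym]\$" "$cfg"; then
            echo "MISSING CONFIG_${sym}"
            rc=1
        fi
    done
    # "Local version" must be empty so LOCALVERSION=-NetHunter is the only suffix.
    if ! grep -q '^CONFIG_LOCALVERSION=""$' "$cfg"; then
        echo "BAD CONFIG_LOCALVERSION (expected empty string)"
        rc=1
    fi
    # Auto-appended version info would change the release string and the modules directory name.
    if grep -q '^CONFIG_LOCALVERSION_AUTO=y$' "$cfg"; then
        echo "BAD CONFIG_LOCALVERSION_AUTO (expected disabled)"
        rc=1
    fi
    if ! grep -q '^CONFIG_DEFAULT_HOSTNAME="kali"$' "$cfg"; then
        echo "BAD CONFIG_DEFAULT_HOSTNAME (expected \"kali\")"
        rc=1
    fi
    return $rc
}

# Demo on the constructed sample; for a real build run: check_config out/.config
tmp=$(mktemp) && sample_config > "$tmp" && check_config "$tmp" && echo "config OK"
rm -f "$tmp"
```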
Build the kernel
```bash
make ${args} 2>&1 | tee kernel.log
```
Build the kernel modules
```bash
make ${args} INSTALL_MOD_PATH="." INSTALL_MOD_STRIP=1 modules_install
```
0x07 Build the NetHunter-Kernel-Installer kernel package
Download the official Kali build scripts
Edit the device list
```bash
mkdir -p /root/kali-nethunter-project/nethunter-installer/devices/
touch /root/kali-nethunter-project/nethunter-installer/devices/devices.cfg
vim /root/kali-nethunter-project/nethunter-installer/devices/devices.cfg
```
Following the official tutorial, add the following content and save
```
# Xiaomi Redmi4X for crDroid Android 11
[santoni]
author = "DroidKali"
arch = arm64
version = "v1.0"
flasher = anykernel
modules = 1
slot_device = 0
block = /dev/block/bootdevice/by-name/boot
devicenames = santoni,Redmi4x
```
Create the directory for the device
```bash
mkdir -p /root/kali-nethunter-project/nethunter-installer/devices/eleven/santoni/modules/system/lib/modules
```
Copy the required files
```bash
cp out/arch/arm64/boot/Image.gz-dtb /root/kali-nethunter-project/nethunter-installer/devices/eleven/santoni
# Remove the source/build symlinks, which point back into the build tree
rm -rf out/lib/modules/$(make kernelversion)-NetHunter/source
rm -rf out/lib/modules/$(make kernelversion)-NetHunter/build
cp -r out/lib/modules/$(make kernelversion)-NetHunter /root/kali-nethunter-project/nethunter-installer/devices/eleven/santoni/modules/system/lib/modules/
```
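Before running build.py it helps to confirm that the staging directory is complete and carries no leftovers from the build host. This added example (not from the original post or the NetHunter project) checks the layout used above; the function name check_staging and the version 4.9.0 in the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check the installer staging directory used in this guide.
# Usage: check_staging <device_dir> <localversion_suffix>
check_staging() {
    dev=$1; suffix=$2; rc=0
    moddir="$dev/modules/system/lib/modules"
    # The kernel image must exist and be non-empty.
    [ -s "$dev/Image.gz-dtb" ] || { echo "MISSING Image.gz-dtb"; rc=1; }
    found=0
    for rel in "$moddir"/*; do
        [ -d "$rel" ] || continue
        found=1
        name=$(basename "$rel")
        # The directory name is the kernel release, which must end with LOCALVERSION.
        case "$name" in
            *"$suffix") ;;
            *) echo "BAD release name $name"; rc=1 ;;
        esac
        # source/build are symlinks into the build host's tree and must not ship.
        for link in source build; do
            if [ -e "$rel/$link" ] || [ -L "$rel/$link" ]; then
                echo "LEFTOVER $link in $name"; rc=1
            fi
        done
        # modules_install normally runs depmod; modprobe needs the resulting modules.dep.
        [ -f "$rel/modules.dep" ] || { echo "MISSING modules.dep in $name"; rc=1; }
    done
    [ "$found" -eq 1 ] || { echo "MISSING modules directory under $moddir"; rc=1; }
    return $rc
}

# Constructed demo tree (not a real build) with a leftover "source" symlink.
demo=$(mktemp -d)
mkdir -p "$demo/modules/system/lib/modules/4.9.0-NetHunter"
echo img > "$demo/Image.gz-dtb"
: > "$demo/modules/system/lib/modules/4.9.0-NetHunter/modules.dep"
ln -s /build/host/tree "$demo/modules/system/lib/modules/4.9.0-NetHunter/source"
check_staging "$demo" -NetHunter || echo "staging not ready"
rm -rf "$demo"
```

For the tree in this guide, call it as check_staging /root/kali-nethunter-project/nethunter-installer/devices/eleven/santoni -NetHunter.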
Generate the NetHunter-Kernel-Installer package
```bash
cd /root/kali-nethunter-project/nethunter-installer/
python3 build.py -d santoni --eleven --kernel
```
0x08 Download the ADB-FASTBOOT toolkit
0x09 Flash the kernel installer package
Reboot into Recovery mode
Flash the kernel package
```bash
adb sideload kernel-nethunter-eleven-santoni-20210905_111235.zip
```
0x10 Related links