Oneplus 6 Kali Nethunter


Martta

Aug 3, 2024, 4:19:35 PM
to depscekemen

In this post I will share my experience installing the rooted version of Offensive Security's NetHunter onto a OnePlus 7T mobile phone and provide detailed procedures. For those unaware, NetHunter is the mobile version of Kali Linux. If you are unaware of Kali Linux or NetHunter, I encourage you to learn more about it before diving into this tutorial.

As some background on my motivations for installing NetHunter, I wanted to assess the functionality that would be available on a mobile device as this had obvious benefits from a social engineering perspective during a pentest. What I discovered after installing NetHunter is that it didn't quite live up to my expectations, though had I done more thorough research on NetHunter prior to install my expectations would have been set appropriately.

The main issue is that even if you successfully install a rooted version of NetHunter, you will still need an external WiFi card and external Bluetooth card if you wish to perform wireless/Bluetooth monitoring or attacks from your phone. Walking around with a WiFi antenna sticking out of your phone isn't as inconspicuous as we would like from a social engineering standpoint, plus the power coming out of your phone's USB port isn't likely to power your external WiFi card to any signal strength comparable to the phone itself or to its use with a laptop. According to the NetHunter website, the Nexus 5 supports monitoring functionality using the native adapters in the phone, which to me would be the whole point of using a phone for pentesting. However, other benefits of NetHunter are available, though admittedly many of those are available in the rootless version.

That all said, this tutorial was created in an effort to provide more information to the community in hopes that more developers will take up the OnePlus 7T NetHunter support. I will also make an attempt to explain some of the concepts I learned through my research as most of the information on NetHunter and other tutorials on similar topics assume the reader has experience in rooting/flashing custom ROMs on Android devices. I found many resources online frustratingly void of context. A few words mentioning that you must flash Magisk with TWRP and NetHunter with Magisk only make sense if you know the purpose of those tools and how to use them. My hope is this writeup will help beginners to understand the NetHunter install process, even if you're struggling with the install on a different device from the OnePlus 7T.

Before diving in, let's put up some disclaimers. While the NetHunter image itself is listed as supported for the OnePlus 7T and this tutorial uses the official releases from the Offensive Security website, we'll be using software components developed by the open-source community, including TWRP, which does not officially support the 7T as of writing.

On to some general warnings. In this tutorial, you will completely blow away all the data on your OnePlus 7T multiple times. Back up any data on your phone you wish to keep before performing any steps.

Also, please note that this tutorial utilizes tools provided by the community at the XDA Developers' Forum that are not officially supported by Offensive Security, TWRP, or OnePlus. You will be installing this software on your phone and a Windows device with the highest privileges possible. As with all software you install, it is your responsibility to ensure these components do not contain malicious logic that may harm your systems or your client's systems. I'm not vouching for any software listed below. Information provided here is for educational purposes only and Auspicious Security or the author will not be held responsible for any consequences that may result from these instructions.

There are a couple different USB drivers we will need.

  • OxygenOS (OOS) USB drivers
  • Fastboot USB drivers
  • Qualcomm USB drivers

First, we will download the OnePlus 7T USB drivers that are available on the phone itself. These will allow us to connect to the phone using ADB and Fastboot, part of the Android SDK Platform Tools. These are the standard tools for interacting with, debugging, and pentesting Android. Second, we will download Qualcomm USB drivers to interact with the recovery features built into the phone's processor, allowing us to unbrick the device if necessary.

In the event that your device is stuck in a boot-loop or otherwise bricked you can recover it using the built-in Snapdragon recovery functionality. I recommend performing this step prior to the install as it will 1) set the phone to the common starting point in which this tutorial was developed and 2) prove (to yourself) that you can recover the phone from being completely bricked, before that happens and this becomes your only option (and for whatever reason you can't get the Qualcomm drivers to work with your Windows 10 device). However, if you are already running version 10 of Oxygen OS on your device and feeling auspicious, you can skip this step and return to it if you have problems with the install or brick your device.

Power off your OnePlus device. We now need to boot the device into the processor's recovery mode. To do this, with the device powered off, hold the Volume+ and Volume- buttons for about 5 seconds. Then, still holding those buttons, connect the laptop via USB data cable. Windows 10 should chime indicating something USB related was plugged into it, though the phone will not provide any feedback and the screen will remain off.

Now for the first dangerous step that comes with a warning. We will need to enable test driver signing in Windows which will allow the unsigned driver within the MsmDownloadTool (hotdogb_14_O.22_210127.zip) to run. Malicious code in drivers has the ability to install some nasty stuff on your machine so take the usual precautions when running potentially malicious code.

Navigate to your unzipped hotdogb_14_O.22_210127 folder and launch the MsmDownloadTool V4.0.exe application. It will need to run with administrative privileges. This application is used to flash your device back to a stock OS and will relock the bootloader.

I had issues with the "Sha256 check" option enabled, so uncheck this box (feel free to try the installation with this checked; if it doesn't work, uncheck it). Note the location of the Start button, but don't press it yet. You will press Start once the device is successfully connected.

Now to prep the device and ourselves for the next steps. Read through these instructions so you understand the process before attempting it, as you'll have only a few seconds to get the device into the correct mode for flashing. If you followed the instructions above to check the driver, you will need to turn on your phone and turn it off. If you have trouble shutting down from Qualcomm Recovery Mode, try holding Volume+, Volume-, and Power buttons simultaneously until your device restarts.

Ensure your device is shut down. Connect your USB data cable to the Windows 10 USB port (I only had success with a particular USB port). Do not connect the cable to your phone just yet (disconnect the USB cable from your phone if it is already connected).

Once the download is completed, your phone should reboot into the Oxygen OS 10 setup screen. Go through these screens and set up your device. At this point, there is no point in setting up a Mobile Network, WiFi, or other settings as we'll be blowing away this data again later.

Your bootloader is locked by the manufacturer and is locked following the execution of the unbrick utility as described above. The bootloader is important as it protects the Android Operating System from loading unsigned code which helps to avoid nasty rootkits from subverting the phone. In order to root your phone and install any sort of custom OS, you'll need to unlock your bootloader.

Before we get to unlocking the bootloader, let's set up the Android SDK Platform Tools on your Windows 10 device so we can interact with our phone via ADB and Fastboot. I'll continue these instructions on Windows 10, but if you prefer to use these tools on Linux or Mac, they should work as long as you can figure out the drivers. Download the latest Android SDK Platform Tools from the Android site and unzip the folder somewhere convenient.

Connect your phone to your Windows 10 device via the USB data cable. Open a command prompt and navigate to your platform-tools folder. Type the following command to start the ADB (Android Debug Bridge) server on your computer:

Fun fact: you can also boot your OnePlus 7T into Fastboot mode by turning it off and holding down the Volume+, Volume- and Power buttons simultaneously. From the Fastboot menu, use Volume+/Volume- to select different boot options. For me, using ADB is more elegant but this key combo may come in handy for you at some point.

There should still be one entry listed. If you don't see any device listed, this is likely a USB fastboot driver issue. There is a signature issue with the USB drivers included with the OnePlus 7T that I ran into. You can verify if this is your issue by manually updating the driver from Device Manager and selecting the location: C:\Program Files (x86)\OnePlus USB Drivers. The driver installation will fail with the following error.

To troubleshoot this driver signature error, check the post -developers.com/t/guide-fix-device-not-showing-up-in-fastboot-mode-windows-10.4194491/. You'll have to reboot your computer in Advanced Startup so that Windows ignores driver signatures, which will allow you to install the Fastboot driver. Again, this is dubious but at least the drivers came directly from your OnePlus phone and not some random website.

Your device will reboot and from now on you'll be privy to receiving a warning about the bootloader being unlocked at every boot. Unlocking the bootloader wipes the device, so once booted you'll need to set up the Android OS again. Again, skip setting up mobile networks or WiFi as we're going to blow away those settings yet again.
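
The post explains that the bootloader lock is what stops unsigned code from loading, and that the device is wiped and left unlocked after this step. As an added example (not part of the original post), this PowerShell script reads the ADB connection state and the verified-boot properties Android reports, so you can confirm what state the phone is actually in. It assumes `adb.exe` from the platform-tools folder is in the current directory and that USB debugging is enabled on the phone; the function names are made up for this sketch.

```powershell
# Added example, not from the original post. Assumes adb.exe is in the current folder.
param([string]$Adb = '.\adb.exe')

function ConvertFrom-AdbDevices {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Device rows are "<serial><TAB><state>"; the header and daemon messages do not match.
        if ($line -match '^(?<serial>\S+)\s+(?<state>device|unauthorized|offline|recovery|sideload)\s*$') {
            [pscustomobject]@{ Serial = $Matches.serial; State = $Matches.state }
        }
    }
}

function Get-BootloaderState {
    $devices = @(ConvertFrom-AdbDevices (& $Adb devices))
    if ($devices.Count -eq 0) { return 'No device listed: check the cable, USB port and driver.' }
    $d = $devices[0]
    if ($d.State -ne 'device') {
        return "$($d.Serial) is '$($d.State)': accept the USB debugging prompt on the phone or reconnect."
    }
    # Android Verified Boot exposes the boot state and lock flag as read-only properties.
    # Either value may be empty on some builds.
    $vb     = "$(& $Adb -s $d.Serial shell getprop ro.boot.verifiedbootstate)".Trim()
    $locked = "$(& $Adb -s $d.Serial shell getprop ro.boot.flash.locked)".Trim()
    $meaning = switch ($vb) {
        'green'  { 'locked, booting an OEM-signed image' }
        'yellow' { 'locked, booting an image signed with a user-installed key' }
        'orange' { 'unlocked, boot images are not verified' }
        'red'    { 'verification failed' }
        default  { 'unknown' }
    }
    "$($d.Serial): verifiedbootstate=$vb ($meaning), flash.locked=$locked"
}

# Constructed sample of `adb devices` output, so the parser can be tried without a phone.
$sample = 'List of devices attached', "0123456789ab`tunauthorized", ''
ConvertFrom-AdbDevices $sample | Format-Table | Out-Host

# Query the real device only when adb.exe is present.
if (Test-Path $Adb) { Get-BootloaderState }
```

An `orange` state is expected after the unlock described above; anyone with physical access to a phone in that state can boot or flash their own image, so treat data stored on it accordingly.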

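
The post enables Windows test signing so the unsigned driver in the MsmDownloadTool can load, and later boots Windows with driver signature checks ignored. As an added example (not part of the original post), this PowerShell script reports the driver-signing policy of the current boot entry and turns test signing back off once flashing is done. The script name and its `-Action` parameter are assumptions of this sketch; `bcdedit` and `Confirm-SecureBootUEFI` are standard Windows tools.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Usage (assumed script name): .\TestSigning.ps1 -Action Status|Enable|Restore
param([ValidateSet('Status', 'Enable', 'Restore')][string]$Action = 'Status')

function Get-BootSigningPolicy {
    # bcdedit prints one "name   value" row per setting of the running boot entry.
    # The value text is localized; "Yes" is what English Windows prints.
    $entry = bcdedit /enum '{current}'
    [pscustomobject]@{
        TestSigning       = [bool]($entry -match '^\s*testsigning\s+Yes')
        NoIntegrityChecks = [bool]($entry -match '^\s*nointegritychecks\s+Yes')
        # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "off".
        SecureBoot        = $(try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false })
    }
}

switch ($Action) {
    'Enable' {
        # Windows refuses this change while Secure Boot is on, so check first.
        if ((Get-BootSigningPolicy).SecureBoot) {
            throw 'Secure Boot is enabled; testsigning cannot be set until it is turned off in firmware.'
        }
        bcdedit /set testsigning on
        Write-Warning 'Takes effect after a reboot. Run -Action Restore when the flash is done.'
    }
    'Restore' {
        bcdedit /set testsigning off
        Write-Host 'Reboot, then run -Action Status to confirm.'
    }
}

# Always finish by printing the stored policy so a forgotten setting is visible.
$state = Get-BootSigningPolicy
$state | Format-List
if ($state.TestSigning -or $state.NoIntegrityChecks) {
    Write-Warning 'Driver signature enforcement is weakened on this boot entry.'
}
```

Run the `Status` action again after the final reboot; a machine left with test signing on will load any test-signed kernel driver, which is the exposure the post warns about.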