Hi everyone. I decided that it is time to start using my own blog, not only to keep track of the things I do, but also to share my knowledge on specific subjects. This project took a LOT of time as I kept running into roadblocks, but fortunately, I managed to install Kali NetHunter on my old OnePlus 3. If you find this guide useful, please consider donating to support my work.
You are free to follow along and try it yourself, BUT I AM NOT RESPONSIBLE FOR ANY DAMAGE THAT YOU DO TO YOUR PHONE, NOR WHAT YOU CHOOSE TO DO WITH KALI NETHUNTER. Now that this is out of the way, let’s start!
Kali NetHunter?
Kali NetHunter is a free & Open-source Mobile Penetration Testing Platform for Android devices, based on Kali Linux.1
Currently, Kali NetHunter is supposed to work with the OnePlus 3 on the latest OSS (9.0.6) and an old version of LineageOS (v17.1)2. Unfortunately, after many attempts I couldn’t get it to work with LineageOS.
Some of the tools you can find are1:
- DuckHunter HID
- Metasploit Payload Generator
- NMap Scan
- MAC Changer
- …
Requirements
Since this version of Kali NetHunter is supposed to be installed on top of OSS 9.0.6, this will work for any OnePlus 3 phone with any ROM. You will need to download the following files:
- OSS 9.0.6
- TWRP
  - I used v3.2.3-0. I tried newer versions, but had problems (twrp-3.2.3-0-oneplus3.img)
- Kali NetHunter
  - Download the OnePlus 3 (AnyKernel Pie 9.0)
- Magisk
  - I used v22.0 (Magisk-v22.0.apk) - Rename this file from Magisk-v22.0.apk to Magisk-v22.0.zip3
- Universal DM-Verity, ForceEncrypt, Disk Quota Disabler
  - Download from the link on the first post from the thread
  - Do not change the name of this file as it has “magic” properties. It should be “Disable_Dm-Verity_ForceEncrypt_11.02.2020.zip”
I recommend creating a new folder and dumping all of these files inside. You can name it whatever you want, but just for reference, I will be calling mine nethunter. Do not decompress any of the files. I also recommend reading the official NetHunter docs.
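Everything in this folder gets flashed with full control over the phone, so it is worth checking the downloads before going further. The script below is an added example, not part of the original guide: it confirms that each file listed above is present under the expected name and matches a SHA-256 digest you recorded from its download page. The SHA256SUMS file and the preflight function are assumptions of this example, and the OTA file pattern is loosened to a wildcard.

```shell
#!/bin/sh
# Pre-flash check for the nethunter folder (added example, not from the guide).
# SHA256SUMS is an assumed file you write yourself: one "<sha256>  <filename>"
# line per download, using the digests published on each download page.
# Usage: preflight ./nethunter && echo "ready to flash"
preflight() {
    dir=$1
    problems=0

    # File names as given in the guide; each glob must match exactly one file.
    # The OTA pattern is loosened to a wildcard (assumption).
    for pattern in \
        'OnePlus3Oxygen*OTA*.zip' \
        'twrp-3.2.3-0-oneplus3.img' \
        'nethunter-*.zip' \
        'Magisk-v22.0.zip' \
        'Disable_Dm-Verity_ForceEncrypt_11.02.2020.zip'
    do
        count=0
        match=
        for f in "$dir"/$pattern; do
            if [ -f "$f" ]; then count=$((count + 1)); match=${f##*/}; fi
        done
        if [ "$count" -ne 1 ]; then
            echo "expected exactly 1 file matching $pattern, found $count" >&2
            problems=$((problems + 1))
        elif ! grep -qF -- "  $match" "$dir/SHA256SUMS" 2>/dev/null; then
            # A file with no recorded digest would be flashed unverified.
            echo "$match has no entry in SHA256SUMS" >&2
            problems=$((problems + 1))
        fi
    done

    # A leftover .apk means the Magisk rename step was skipped.
    if [ -e "$dir/Magisk-v22.0.apk" ]; then
        echo "Magisk-v22.0.apk must be renamed to Magisk-v22.0.zip" >&2
        problems=$((problems + 1))
    fi

    # Recompute every digest; any mismatch or unreadable file fails the check.
    if [ ! -f "$dir/SHA256SUMS" ]; then
        echo "SHA256SUMS missing: downloads cannot be verified" >&2
        problems=$((problems + 1))
    elif ! (cd "$dir" && sha256sum -c SHA256SUMS) >&2; then
        echo "checksum mismatch: do not flash these files" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Renaming Magisk-v22.0.apk to Magisk-v22.0.zip does not change its digest, so record the published hash under the .zip name.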
Unlocking the bootloader
Thankfully, OnePlus was very kind and let us unlock the bootloader from the phone settings. These steps should be similar across various versions of Android, but might vary slightly.
- Go to “Settings”
- Go to “About Phone”
- Tap 10 times on the “Build Number”. A message should pop up saying that you have unlocked the developer options
- Go back and select
- At the bottom you should have the “Developers Options”, click on it
- Locate the “Unlock bootloader” option and toggle it on
If this is your first time unlocking the bootloader, every time you now turn on the phone, you will be greeted by an annoying message. Don’t be alarmed.
Install custom recovery (TWRP)
- If you already have TWRP installed, skip this step.
I recommend doing this using the fastboot tool on the command line. You need to install adb and fastboot for your OS. The easiest way of doing this would be to install Android Studio since it has all the tools that you need. If you are struggling with this step, please refer to other online resources, since there are plenty.
Now it’s time to boot your phone into the bootloader. To do this, first turn off your phone, wait a couple of seconds, then press the Volume Up button and the Power Button at the same time until the phone powers up. When you get to the bootloader, connect your phone to the computer, open a command line window and navigate to the nethunter folder. Then type:
fastboot flash recovery twrp-3.2.3-0-oneplus3.img
When this process completes, use the volume keys on your phone to navigate the menu and select “Recovery mode”. Press the power button.
You should be greeted by your new custom recovery! You may now proceed to the next step.
Install OS
Please READ the whole thing before starting. It is very important that you follow every step, so you don’t have to come back later. The order of the files does matter4:
- Turn off your phone and wait a couple of seconds
- Reboot to Recovery by pressing the Volume Down button and the Power Button at the same time until the phone powers up
- Go to “Options”, select the third tab and untick “Enable screen timeout”. I had the phone unresponsive a few times because of the screen going to sleep
- Go back until you get to the main menu again
- Go to “Wipe”
- Click on “Advanced Wipe”, tick every option except “USB-OTG” and swipe to format everything. Wait for it to finish
- Go back until you get to the main menu again
- Connect your phone to the computer and transfer all files to the internal storage. Wait for it to finish copying
- Go to “Install”
- Select the “OnePlus3Oxygen16_OTA*.zip” file and press “More zips”
- Select the “Magisk-v22.0.zip” and press “More zips”
- Select the “Disable_Dm-Verity_ForceEncrypt_*.zip” and press “Install”
- Swipe to confirm and wait for the process to finish
- Press the “Reboot System” button
- If prompted to install the TWRP App, select “Do Not Install”
First boot
This step is important to make sure that everything is working properly. It may take a couple of minutes to boot for the first time, so please be patient. If you get stuck in a bootloop on the OnePlus logo, you may have done something wrong; try redoing the previous steps.
When you first get to Android, follow the instructions on screen to set up your phone. When you finish, you should be greeted by the main screen.
- Swipe up to go to the apps and select magisk.
- Follow the instructions on screen.
- When prompted to open Magisk, click “Open”
- You will be prompted to reboot your phone. Please do so.
- When you are back into Android, it is time to proceed to the last step!
Install Kali NetHunter
1. Reboot to Recovery
2. Go to “Mount” and tick “System”
3. Go back to the main menu
4. Go to “Advanced” and then “File Manager”
5. Navigate to system > app
6. Locate and click on Drive
7. Click on the folder icon on the bottom right and delete the folder
8. Repeat steps 6 and 7 for “Maps” and “YouTube”
9. Go back to the main menu
10. Go to “Mount” and untick System
11. Go back to the main menu
12. Go to “Install”
13. Select the “nethunter-*.zip” file and press “Install”
14. Swipe to confirm and wait for the process to finish. This process takes a long time, so I recommend plugging your phone into the wall.
15. Press “Reboot to system” and pray!
NetHunter update
If everything went right, you should be greeted by a new boot animation and a new wallpaper!
First things first, open the Play Store.
Go to the Play Protect settings and make sure you untick all options.
Now, open the NetHunter Store.
Make sure to download and install all updates available.
You are done! I have an extra step for you, but it is completely optional. Have fun with your new toy!
Extra step - Debloat
You don’t really need to do anything else. However, I chose to debloat my phone from Google and OnePlus. This step is optional, and I don’t recommend doing it if you are not comfortable with it. Before doing this, however, I downloaded and installed F-Droid to have a working store.
Download the Universal Android DeBloater and follow the instructions on the repository. For reference, I selected these options:
I also uninstalled the “Community” app from OnePlus and disabled both “GMail” and the “Play Store”.
Conclusion
This was a 2-day project for me, but, hopefully, it can be a 1-hour affair for you. If you are interested in pentesting, I believe it is extremely exciting to have such a tool in your pocket. Of course, it has limitations, but the amount of software available is quite impressive. Unfortunately, it is out of scope for this post to teach how to use Kali NetHunter, but there are lots of resources online from which you can learn and study.
If you have any comments or suggestions, please leave them in the comment section below. Thank you for your time and see you on the next post!
[dan@danvj-pt ~]$ sudo shutdown now