Kali Linux Can't Log in as non-root user and wireshark complaining about root
When I opened wireshark (fresh install of live usb kali with persistence) for the first time it complained about me being root. This is what I found in googling it:
Yes it's recommended and advisable not to run such tools in super user or high permission account. Giving root to such tools can go sideways should the tool malfunction. You can create a non-super user account or non root account and that should fix the error dialog. Also, the tool should still work when that error dialog shows up, It just warns you of the privileges you are assigning to the tool.
https://null-byte.wonderhowto.com/forum/problems-with-wireshark-as-root-user-kali-0169494/
But when I create a user and try to log out as root, I get stuck in an autologin loop as root. I also saw elsewhere that most of the tools in Kali require root permissions (I figured I'd just sudo everything. I started in ubuntu years ago and have become so used to sudo I prefer it to root account).
But my question is: which is the proper way of doing things in Kali? Creating a sub-account and disabling the log in (thus, my sub question is how?) or disabling the warnings in wireshark. What can go wrong with wireshark if you run it in root?
And finally: is this some kind of hazing ritual with Kali? (Bill Labanovic jokes in his book on python that installing pip is a kind of hazing ritual for new programmers in python. I thought maybe this is like that).
UPDATE: Even when I find a way to log in as non-root (by waiting for the screen to lock and selecting a different user) I can't run wireshark because I don't have the permissions! And I can't seem to figure out a way to run wireshark with permissions without resorting to cli!
Update2: I am not new to linux. By a "fresh install of live usb with persistence" I mean I just set up a live usb stick with kali linux and configured persistence following tutorials like this.
The error message in wireshark is this one. Most of the tutorials I found online are about disabling the warning.
I have set up a sudoer account but every time I boot Kali or attempt to log out of Kali, I go through the boot process and the last item is always something along the lines of 'Started up User Manager for UID 0.', as in root. How do I disable this?
Update3: I'm going to clarify my question: what is the normal, correct way of doing this in Kali. According to the meta question on Kali questions, Kali doesn't even have proper apt support. So I'm afraid to go following the directions Draconis posted, because it requires installing special libraries. I'm not trying to run Kali as a production environment or a normal desktop (I have it on a flash drive), I'm just trying to use some tools in it to pentest my server (I am totally new to pentesting, and even though pentesterlab says not to bother using Kali, but just use the distro you're already comfortable in, I didn't want to go installing wireshark and a bunch of other tools in my desktop distro--I figured I'd start learning the basics of pentesting in Kali with pre-rolled tools. Perhaps this was a mistake). I did figure out how to log out as root: it requires using the lock screen button. Sounds amateur not to know that, but I'm not used to gnome and I spend more time in cli than not. I run an ubuntu server and mostly use my bunsenlabs box to mess around with mysql databases and write python scripts with vim. And it seems funny to me that I can't log out as root without getting stuck in an autologin loop.
I am not new to linux. But I have been using, for the past 10 years off and on, somewhat easier distros (ubuntu, crunchbang, and now bunsenlabs. Have even dipped my toes into slackware and fedora). But for a tool that I figured was meant to be started up on a flash drive, there's an awful lot of configuration that has to happen before I can even get started using wireshark. This doesn't make sense to me. There is no way that a pentester goes and sets up special accounts to run wireshark every time he boots his flash drive (given most people, I would imagine, wouldn't even bother setting up persistence).
So my question is: is it thoroughly normal to run wireshark as root in Kali Linux when running it from a flash drive? If it is not, what is the typical way of doing things in Kali?
kali-linux root wireshark autologin
edited Jan 4 at 13:54 by hornetbzz
asked May 17 '18 at 19:40 by malan
2
Why the downvotes on this one? Yes, it's Kali. But the OP seems to be asking a perfectly reasonable question. And they say they've been using Ubuntu since "years ago" so they're clearly not a beginner.
– roaima
May 17 '18 at 20:47
2 Answers
There are a few different important points here. But the first one is, Kali is not a good first Linux distribution to start off with. If you're not familiar with account permissions, and especially if you don't want to use the command line, then Kali isn't right for you. I'd recommend Ubuntu instead. Anything you can do in Kali, you can also do in Ubuntu (once you install the right packages and tools), and it actually has a learning curve as opposed to Kali's "learning sheer vertical cliff".
(OP, you say you've been using Ubuntu for years, so this warning isn't intended for you. But it's worth saying anyway for other people who find this question.)
Second of all, Kali is designed to run pretty much everything as root. Which isn't a very good security practice! Some versions of Wireshark come with a warning:
WIRESHARK CONTAINS OVER ONE POINT FIVE MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT.
But if you're using Kali, it's assumed that:
- You know what you're doing, and you know why running as root in general is a bad idea, and so you're going to make sure that
- Even root isn't going to have the power to do anything really bad (because e.g. you're definitely not running this on the production server full of sensitive information)
As far as what could go wrong, Wireshark has quite a lot of different "dissectors" to analyze incoming traffic. Because there are so many, and they're so complicated, it's hard to be sure none of them will glitch out when given specially-crafted packets. At best, this could make Wireshark crash. At worst, it could allow arbitrary code execution. And arbitrary code execution as root is very bad.
The recommended way of using Wireshark, without letting it run as root, involves giving its dumpcap executable two extra capabilities: CAP_NET_ADMIN (allowing it to control network interfaces) and CAP_NET_RAW (allowing it to access raw packets). Full details on this are outside the scope of this question, but this article explains how to do that.
Unfortunately, manipulating capabilities does require using the command line. If you're not comfortable with that, then Kali probably isn't right for you: it's built for command line use first and foremost.
answered May 17 '18 at 20:32
Draconis
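The capability-based setup described in the answer above, as an added example that is not part of the original answer or the article it links to: the usual setup commands are shown as comments, followed by an audit that checks dumpcap is capturing through file capabilities rather than root. The path /usr/bin/dumpcap, the group name wireshark and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit that dumpcap captures via file capabilities, not root.
# Assumed (not from the page): dumpcap at /usr/bin/dumpcap, group "wireshark".
#
# One-time setup (changes the system, so shown as comments):
#   sudo groupadd -f wireshark
#   sudo usermod -aG wireshark "$USER"     # takes effect at next login
#   sudo chgrp wireshark /usr/bin/dumpcap
#   sudo chmod 750 /usr/bin/dumpcap        # only root and the group may run it
#   sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

# caps_ok LINE: true if a `getcap` line grants both capabilities with the
# effective and permitted flags. Accepts the old "path = caps+eip" output
# and the newer "path caps=eip" output.
caps_ok() {
    admin=no raw=no
    for clause in $1; do
        case $clause in *[+=]*) ;; *) continue ;; esac   # skip the path
        names=${clause%%[+=]*} flags=${clause##*[+=]}
        case $flags in *e*p*|*p*e*) ;; *) continue ;; esac
        case ",$names," in *,cap_net_admin,*) admin=yes ;; esac
        case ",$names," in *,cap_net_raw,*) raw=yes ;; esac
    done
    [ "$admin" = yes ] && [ "$raw" = yes ]
}

# perms_ok MODE OWNER GROUP: fields as printed by `stat -c '%a %U %G'`.
perms_ok() {
    [ "$2" = root ] && [ "$3" = wireshark ] || return 1
    case $1 in ????) return 1 ;; esac      # 4 digits: setuid/setgid/sticky set
    case $1 in *[1357]) return 1 ;; esac   # executable by "other" users
    return 0
}

# audit_dumpcap [PATH]: report every deviation; non-zero exit if any.
audit_dumpcap() {
    bin=${1:-/usr/bin/dumpcap} rc=0
    caps_ok "$(getcap "$bin")" ||
        { echo "FAIL: $bin lacks cap_net_admin,cap_net_raw (e+p)"; rc=1; }
    perms_ok $(stat -c '%a %U %G' "$bin") ||
        { echo "FAIL: $bin should be root:wireshark, mode 750"; rc=1; }
    id -nG | tr ' ' '\n' | grep -qx wireshark ||
        { echo "FAIL: $(id -un) is not in group wireshark"; rc=1; }
    [ "$(id -u)" -ne 0 ] || { echo "FAIL: you are running as root"; rc=1; }
    return "$rc"
}

[ "${1:-}" != --audit ] || audit_dumpcap "${2:-}"
```

Run the script with --audit as the non-root user who will capture; no output and exit status 0 mean the dissectors in the Wireshark GUI run unprivileged and only dumpcap holds the two capabilities.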
I won't repeat the same things again about "root" or "non-root" users. For your reference, I once destroyed a Linux machine because of my mistake in a bad piping of find + rm while running everything as root: it can definitely happen to anyone.
For running Wireshark as root in Kali 2.0, you need to open your favorite text editor (vi, vim, nano, gedit, leafpad, geany, sublime text or whatever you prefer) and edit /usr/share/wireshark/init.lua by changing the line:
dofile(DATA_DIR.."console.lua")
to
--dofile(DATA_DIR.."console.lua")
Save and close: job done. You can now run wireshark-gtk as root.
answered Jan 4 at 12:11
hornetbzz
2
Why the downvotes on this one? Yes, it's Kali. But the OP seems to be asking a perfectly reasonable question. And they say they've been using Ubuntu since "years ago" so they're clearly not a beginner.
– roaima
May 17 '18 at 20:47