Turn your Raspberry Pi into a remote hacking tool
Using a few scripts, Calvin Robinson is going to turn a Zero W into a ‘RubberDucky’ pentesting tool.
RubberDucky USB devices are great penetration-testing tools. The device is plugged into a target computer, where it tricks the computer into thinking it is an HID keyboard in order to gain privileged access. A keyboard naturally gives a user unrestricted access to the computer, in ways that a plain USB storage stick normally can’t.
Pre-configured ‘Ducky’ scripts are then run on the target machine to prank the user or provide unauthorised remote access. Not only are we going to turn a Raspberry Pi Zero W into a USB device capable of running Ducky scripts, we’re also going to gain remote access to the target machine in order to select which scripts we’d like to run, and gain shell access on the target PC.
For the sake of this tutorial, we’re assuming the target is running Windows and we — the attacker — are running a variant of Linux, but Rubber Ducky devices essentially work on any operating system. Scripts are available for Windows, Linux and OS X.
1 PREPARATION — THE HARDWARE
In order to get our Raspberry Pi set up as a USB device, we’ll need:
A long USB cable with power adaptor
A USB hub (for connecting multiple USB devices at the same time)
A USB Ethernet adaptor and Ethernet cable (to gain internet access without having to mess around with Wi-Fi settings)
A Mini HDMI-to-HDMI cable and a monitor to connect your Pi to
A standard USB keyboard
A microSD card
If you really want your Pi to look like a USB device, take a look at the N-O-D-E case (github.com/N-O-D-E/Dongle). Some soldering may be required. If you’re not using the N-O-D-E, you’ll need a small USB to Micro-USB cable for connecting the Pi to your target PC.
2 PREPARATION — THE SOFTWARE
Download the latest version of Raspbian Stretch Lite, and some software to write the image onto your microSD card — we recommend Etcher for this.
Once you’ve got Raspbian Stretch Lite installed, plug in a monitor and keyboard and boot your Pi. You can also use SSH for this step, if you can find the IP address of your Pi by checking your router or by using a network sniffer such as Angry IP Scanner. Once in, the default login details will be:
username: pi
password: raspberry
Next up, we’ll need to install git and download a clone of P4wnP1, which is the toolset that turns our Pi into a USB device.
3 INSTALLATION — GIT-CLONING P4WNP1
Just run the following lines one by one:
mkdir ~/P4wnP1
cd ~/P4wnP1
sudo apt-get install git
# clone into the current directory, so that ~/P4wnP1 holds setup.cfg and install.sh
git clone --recursive https://github.com/mame82/P4wnP1 .
./install.sh
Grab a cup of tea, as installation may take some time. Once complete, note down the Wi-Fi name, key and SSH access displayed on the screen. We can of course change these later.
4 TEST THE CONNECTION
Now that everything is set up, we should have a basic working P4wnP1 USB device. Before we set up our payload and customise our settings, it’s good to test that everything is working. We’ll need two computers for this, one to be used as a target and the other for our remote control ‘attacker’.
Plug the Pi into a target machine — which must be a working computer that is turned on — using the Pi’s middle USB port (the one for data, not power). You should notice a couple of things: the target machine will display discreet pop-ups saying ‘Setting up a device’ followed by ‘Device is ready’. At the moment, this new USB device will be called ‘P4wnP1 by MaMe82’, but we can change that later. On the attacker’s machine, we should see a new Wi-Fi network called P4wnP1, which means all is working as intended.
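From the target’s side, the tell-tale sign of the device described above is that one USB device enumerates both as a keyboard and as a network adapter, something no ordinary keyboard does. The following is an added example, not from the article or the P4wnP1 project: a small Python detector that folds Linux kernel log lines into one record per USB port and flags that combination. The log lines are constructed; the vendor/product IDs and sysfs paths are placeholders, and the product string is the name the article says the target sees.

```python
import re
from collections import defaultdict

# Constructed sample kernel log (not captured from a real device); IDs and
# controller paths are placeholders, only the product string comes from the article.
SAMPLE_LOG = """\
usb 1-1.2: new high-speed USB device number 7 using dwc_otg
usb 1-1.2: New USB device found, idVendor=abcd, idProduct=0001
usb 1-1.2: Product: P4wnP1 by MaMe82
rndis_host 1-1.2:1.0 usb0: register 'rndis_host' at usb-3f980000.usb-1.2, RNDIS device
hid-generic 0003:ABCD:0001.0004: input,hidraw0: USB HID v1.01 Keyboard [P4wnP1 by MaMe82] on usb-3f980000.usb-1.2/input2
usb 1-1.3: new low-speed USB device number 8 using dwc_otg
usb 1-1.3: Product: Office Keyboard
hid-generic 0003:ABCD:0002.0005: input,hidraw1: USB HID v1.10 Keyboard [Office Keyboard] on usb-3f980000.usb-1.3/input0
"""

USB_PRODUCT = re.compile(r"usb (\S+): Product: (.+)$")          # port path -> product string
HID_KEYBOARD = re.compile(r"USB HID v[\d.]+ Keyboard \[(.+?)\]")  # hid-generic names the product
NET_GADGET = re.compile(r"\b(rndis_host|cdc_ether|cdc_ncm) (\S+?):\S+ (\S+): register")

def parse_usb_events(log_text):
    """Fold kernel log lines into one record per USB port path (e.g. '1-1.2')."""
    devices = defaultdict(lambda: {"product": None, "keyboard": False, "netifs": []})
    for line in log_text.splitlines():
        if m := USB_PRODUCT.search(line):
            devices[m.group(1)]["product"] = m.group(2).strip()
        elif m := NET_GADGET.search(line):
            devices[m.group(2)]["netifs"].append(m.group(3))
        elif m := HID_KEYBOARD.search(line):
            # the hid line carries the product string, not the port, so correlate on the name
            for dev in devices.values():
                if dev["product"] == m.group(1):
                    dev["keyboard"] = True
    return dict(devices)

def find_composite_hid_devices(devices):
    """Flag any single USB device that registered both as a keyboard and as a
    network adapter: a keyboard that brings its own network link is the profile
    of a HID attack platform, not of an ordinary input device."""
    return [(port, dev["product"], dev["netifs"])
            for port, dev in sorted(devices.items())
            if dev["keyboard"] and dev["netifs"]]

if __name__ == "__main__":
    for port, name, ifaces in find_composite_hid_devices(parse_usb_events(SAMPLE_LOG)):
        print(f"ALERT: {name!r} on port {port} is a keyboard that also registered {ifaces}")
```

On a live system the same functions can be fed the output of dmesg or journalctl -k; a plain keyboard such as the second device in the sample produces no alert.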
5 CUSTOMISE YOUR USB PI
Now that the Pi is up and running, we’ll want to either plug it back into a screen and keyboard, as we did earlier, or connect remotely over SSH at the address we noted down (172.24.0.1). Change directory into ~/P4wnP1 and run nano setup.cfg. Here, you’ll see a whole range of settings, but ignore these for now as they’ll mostly be overwritten by our payload config. What we want to do next is scroll to the end of the document and uncomment our payload of choice. For this tutorial, we’ll be using hid_backdoor_remote.txt, which enables all the fancy RubberDucky functionality. Be sure to comment out the network_only.txt payload with a #. Save and exit.
6 SET UP YOUR PAYLOAD
Change directory to payloads and nano-edit the appropriate config file, in this case hid_backdoor_remote. Here you may want to change several settings, but most importantly WIFI_ACCESSPOINT_NAME and WIFI_ACCESSPOINT_PSK, which are of course the SSID and password required to remotely connect to your USB Pi.
There are some rather interesting settings in this payload, namely the reachback connection or AutoSSH. This will enable the Pi device to automatically connect to a server of your choosing, via SSH, to essentially provide a backdoor tunnel.
7 HACK VIA WI-FI
While the AutoSSH functionality is fantastic, particularly for out-of-sight or long-range remote hacking, for the purposes of this tutorial we’re going to stick with line-of-sight and/or short-range remote hacking via a local Wi-Fi connection.
Pop the Pi into a target machine and connect remotely via SSH to pi@172.24.0.1. A more discreet way of doing this, rather than using a laptop for attacking, could be to use an Android mobile phone with a Terminal/SSH client installed. Once connected, type “help” for a list of commands.
8 BASIC USE
By default, P4wnP1 shell will say ‘client not connected’. To gain remote access to the target machine, we’ll