Turn your Raspberry Pi into a remote hacking tool

Using a few scripts, Calvin Robinson is going to turn a Zero W into a 'RubberDucky' pentesting tool.

APC Australia


RubberDucky USB devices are great penetration-testing tools. The device is plugged into a target computer and presents itself as a USB HID keyboard rather than a storage device. Because keyboards are trusted input, the keystrokes it injects are executed with whatever privileges the logged-in user has, which gives the attacker a level of control over the computer that a plain USB stick would never get.

Pre-configured 'Ducky' scripts are then run on the target machine to prank the user or provide unauthorised remote access. Not only are we going to turn a Raspberry Pi Zero W into a USB device capable of running Ducky scripts, we're also going to gain remote access to the target machine in order to select which scripts we'd like to run, and gain shell access on the target PC.

For the sake of this tutorial, we're assuming the target is running Windows and we, the attacker, are running a variant of Linux, but RubberDucky devices work against essentially any operating system, since every OS accepts a USB keyboard without asking. Scripts are available for Windows, Linux and OS X.

1 PREPARATION — THE HARDWARE

In order to get our Raspberry Pi set up as a USB device, we'll need:

- A long USB cable with power adaptor
- A USB hub (for connecting multiple USB devices at the same time)
- A USB Ethernet adaptor and Ethernet cable (to gain internet access without having to mess around with Wi-Fi settings)
- A Mini HDMI-to-HDMI cable and a monitor to connect your Pi to
- A standard USB keyboard
- A microSD card

If you really want your Pi to look like a USB device, take a look at the N-O-D-E case (github.com/N-O-D-E/Dongle). Some soldering may be required. If you're not using the N-O-D-E, you'll need a small USB to Micro-USB cable for connecting the Pi to your target PC.

2 PREPARATION — THE SOFTWARE

Download the latest version of Raspbian Stretch Lite, and some software to write the image onto your microSD card; we recommend Etcher for this.

Once you've got Raspbian Stretch Lite installed, plug in a monitor and keyboard and boot your Pi. You can also use SSH for this step if you can find the IP address of your Pi, either by checking your router or with a network scanner such as Angry IP Scanner (note that recent Raspbian images ship with SSH disabled until you create an empty file named ssh on the boot partition of the card). Once in, the default login details will be username: pi, password: raspberry. Change that password straight away with passwd: this Pi is about to become an attack device that advertises its own Wi-Fi network, and the default credentials are the first thing anyone who finds it will try.

Next up, we'll need to install git and download a clone of P4wnP1, which is the toolset that turns our Pi into a USB device.

3 INSTALLATION — GIT-CLONING P4WNP1

Just run the following lines one by one:

    cd ~
    sudo apt-get install git
    git clone --recursive https://github.com/mame82/P4wnP1
    cd ~/P4wnP1
    ./install.sh

Note the order: clone first, then change into the directory the clone created. If you make ~/P4wnP1 yourself and clone from inside it, the repository ends up in ~/P4wnP1/P4wnP1, install.sh won't be in the directory you're standing in, and the paths used in the rest of this tutorial won't match.

Grab a cup of tea, as installation may take some time. Once complete, note down the Wi-Fi name, key and SSH access details displayed on the screen. We can of course change these later.

4 TEST THE CONNECTION

Now that everything is set up, we should have a basic working P4wnP1 USB device. Before we set up our payload and customise our settings, it's good to test that everything is working. We'll need two computers for this, one to be used as a target and the other for our remote-control 'attacker'.

Plug the Pi into a target machine, which must be a working computer that is turned on, using the Pi's middle Micro-USB port (the one labelled USB, for data, not the PWR IN port at the edge of the board). You should notice a couple of things: the target machine will display discreet pop-ups saying 'Setting up a device' followed by 'Device is ready'. At the moment, this new USB device will be called 'P4wnP1 by MaMe82', but we can change that later. On the attacker's machine, we should see a new Wi-Fi network called P4wnP1, which means all is working as intended.

5 CUSTOMISE YOUR USB PI

Now that the Pi is up and running, we'll want to either plug it back into a screen and keyboard, as we did earlier, or connect remotely over SSH at the address we noted down (172.24.0.1, the Pi's address on its own P4wnP1 Wi-Fi network). Change directory into ~/P4wnP1 and run nano setup.cfg. Here, you'll see a whole range of settings, but ignore these for now as they'll mostly be overwritten by our payload config. What we want to do next is scroll to the end of the document and uncomment our payload of choice. For this tutorial, we'll be using hid_backdoor_remote.txt, which enables all the fancy RubberDucky functionality. Be sure to comment out the network_only.txt payload with a #, so that exactly one PAYLOAD line is left active. Save and exit.

6 SET UP YOUR PAYLOAD

Change directory to payloads and nano-edit the appropriate config file, in this case hid_backdoor_remote.txt. Here you may want to change several settings, but most importantly WIFI_ACCESSPOINT_NAME and WIFI_ACCESSPOINT_PSK, which are of course the SSID and password required to remotely connect to your USB Pi. Pick an SSID that doesn't advertise what the device is, and a PSK that isn't the default printed at install time; otherwise anyone within Wi-Fi range of the target can connect to your implant just as easily as you can.

There are some rather interesting settings in this payload, namely the reachback connection, or AutoSSH. This will enable the Pi device to automatically connect out to a server of your choosing via SSH, essentially providing a backdoor tunnel.
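Steps 5 and 6 come down to two file edits that are easy to get wrong by hand (two PAYLOAD lines left active, or a PSK edited in the wrong file). The POSIX shell helpers below make those edits repeatable and checkable. They are an added example, not part of the article or of the P4wnP1 project, and they assume only what the article states: that setup.cfg holds PAYLOAD=<file> lines, some commented out with #, and that payloads/hid_backdoor_remote.txt holds KEY="value" assignments. File paths are parameters, and the demonstration at the bottom runs against a constructed scratch copy rather than the real ~/P4wnP1, so you can try it before touching the Pi.

```shell
#!/bin/sh
# Added example (not from the article or from P4wnP1). Helpers for the
# setup.cfg / payload edits described in steps 5 and 6. Assumed file shapes:
#   setup.cfg:                 "PAYLOAD=<file>" lines, inactive ones prefixed "#"
#   payloads/<payload>.txt:    "KEY=value" lines, values usually double-quoted

# Leave exactly one PAYLOAD= line active in a setup.cfg: comment out every
# currently active PAYLOAD= line, then uncomment (or append) the wanted one.
select_payload() {
    cfg="$1"; want="$2"
    tmp="$(mktemp)"
    sed -e "s|^PAYLOAD=|#PAYLOAD=|" \
        -e "s|^#[[:space:]]*PAYLOAD=${want}\$|PAYLOAD=${want}|" "$cfg" > "$tmp"
    # If the wanted payload was never listed, append it rather than fail silently.
    grep -q "^PAYLOAD=${want}\$" "$tmp" || printf 'PAYLOAD=%s\n' "$want" >> "$tmp"
    mv "$tmp" "$cfg"
}

# Print the file name on the active PAYLOAD= line (empty if none is active).
active_payload() {
    sed -n 's|^PAYLOAD=||p' "$1"
}

# Set KEY=value in a payload file, replacing an existing (even commented-out)
# assignment or appending one if the key is absent. Pass quotes as part of
# the value when the payload expects them, e.g. '"my-psk"'.
set_payload_option() {
    file="$1"; key="$2"; value="$3"
    # Escape the characters that are special in a sed replacement (& | \).
    esc="$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')"
    tmp="$(mktemp)"
    if grep -q "^#*[[:space:]]*${key}=" "$file"; then
        sed -e "s|^#*[[:space:]]*${key}=.*|${key}=${esc}|" "$file" > "$tmp"
    else
        cp "$file" "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Print the value currently assigned to KEY in a payload file.
get_payload_option() {
    sed -n "s|^${2}=||p" "$1"
}

# --- Demonstration on a constructed scratch copy, not the real ~/P4wnP1 ---
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/setup.cfg" <<'EOF'
# constructed excerpt in the shape of P4wnP1's setup.cfg
WIFI_ACCESSPOINT_NAME="P4wnP1"
PAYLOAD=network_only.txt
#PAYLOAD=hid_backdoor_remote.txt
EOF
mkdir -p "$demo_dir/payloads"
cat > "$demo_dir/payloads/hid_backdoor_remote.txt" <<'EOF'
# constructed excerpt in the shape of payloads/hid_backdoor_remote.txt
WIFI_ACCESSPOINT_NAME="P4wnP1"
WIFI_ACCESSPOINT_PSK="MaMe82-P4wnP1"
EOF

select_payload "$demo_dir/setup.cfg" hid_backdoor_remote.txt
set_payload_option "$demo_dir/payloads/hid_backdoor_remote.txt" \
    WIFI_ACCESSPOINT_NAME '"office-printer"'
set_payload_option "$demo_dir/payloads/hid_backdoor_remote.txt" \
    WIFI_ACCESSPOINT_PSK '"long&random PSK"'

echo "active payload: $(active_payload "$demo_dir/setup.cfg")"
echo "AP name: $(get_payload_option "$demo_dir/payloads/hid_backdoor_remote.txt" WIFI_ACCESSPOINT_NAME)"
```

To apply the same edits on the Pi, call the functions with ~/P4wnP1/setup.cfg and ~/P4wnP1/payloads/hid_backdoor_remote.txt instead of the scratch paths, and run active_payload afterwards as the check that only hid_backdoor_remote.txt is selected. The PSK handling deliberately escapes & and | because a decent random key will often contain them, and an unescaped & in a sed replacement silently re-inserts the matched text instead.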

7 HACK VIA WI-FI

While the AutoSSH functionality is fantastic, particularly for out-of-sight or long-range remote hacking, for the purposes of this tutorial we're going to stick with line-of-sight and/or short-range remote hacking via a local Wi-Fi connection.

Pop the Pi into a target machine, join its Wi-Fi network from the attacking machine, and connect remotely via SSH to pi@172.24.0.1. A more discreet way of doing this, rather than using a laptop for attacking, is to use an Android mobile phone with a terminal/SSH client installed. Once connected, type "help" for a list of commands.

8 BASIC USE

By default, the P4wnP1 shell will say 'client not connected'. To gain remote access to the target machine, we'll
