Build A Raspberry Pi Dropbox

I have created a script to automate all of this so this writeup is obsolete

https://github.com/jdksec/RpiPentestingDropbox

First download and install Raspbian onto a SD card. there are loads of guides on how to do this.

I chose the light version which is perfect for making something speedy and I did not want it bloated with a lot of GUI stuff I did not want.

Win32 Disk imager is my preference as you can write over the entire SD card in one hit. Other Linux methods work just as well.

Insert the card, boot the pi and login with the username and password pi:raspbian

Change your password to something strong

sudo su (Become root)

passwd pi #set a strong password

passwd root #set a stong password

Now make sure you have ssh listening on your “attacker machine”

service ssh start

Install openssh-server

apt-get install openssh-server

# Regenerate the keys

dpkg -i openssh-server

Now you want to enable root login and have it ready every time it boots

ifconfig #to get your current IP

raspi-config

Select “5 Interfacing Options

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99c4380fd55.png

Then select ssh and enable it

Reboot the pi and try to login with your current ip.

Now that is working you need configure autossh

sudo su (Become root)

apt-get install autossh

useradd -m -s /sbin/nologin piusername

su – piusername -s /bin/bash

ssh-keygen

(Dont set a passphrase)

Now you need to create a user on your attacker machine for the pi to connect to.

useradd -m -s /bin/bash localusername

passwd localusername #set a very secure password as this will be open

Ensure you can login via your localhost.

ssh localusername@127.0.0.1

Once that is verified move to the next step.

You need to copy over your ssh id to the remote server.

The ideal way to do this is to add it manually (copy and paste via ssh) although you can use the following:

ssh-copy-id piusername@192.168.0.15

Seeing as I was logged in via ssh I copied and pasted my id into a newly created authorized_keys file in /root/.ssh/

Make sure the permissions are all good.

chmod 600 /root/.ssh/*

Also ensure you allow root login.

echo “PermitRootLogin yes” >> /etc/ssh/sshd_config

There are several ways to create a startup file but I prefer to create a new systemd service as this has proven the most reliable.us

Steps to do that are as follows:

nano /etc/systemd/system/autossh.service

Create the following file

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99cc0734551.png

Now run the following commands

systemctl daemon-reload

systemctl start autossh.service

systemctl status autossh.service

If you see this then you are good to go to the next step

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99cd98ecbe0.png

Now enter the following command on your attacker machine.

ssh root@127.0.0.1 -p 2222

If you can login then you are good to go. The machine will create a reverse tunnel whenever the autossh.service is started.

The last command you need to run to enable autossh on boot is:

systemctl enable autossh.service

Providing all the above worked without errors (There may be some depending on your configuration) reboot the machine and wait until you can ssh into the pi.

ssh root@127.0.0.1 -p 2222

Installing Tools

Once that is up and running you can start installing your tools, most of these are easy and work out of the box some are more difficult and I have detailed them below.

If you want a list of the basic tools I installed they are below:

apt-get install nmap wifite cutycapt screen locate

Metasploit Install

This was a bit of a nightmare as it will not work out of the box with this old raspberry pi, if it does not work for you be prepared to google your errors.

You need to install a load of tools and dependencies to get this up and running so I am already missing Kali but I will press ahead and get it working as I want this on the machine.

I managed to strip it down to the following

cd /opt

git clone https://github.com/rapid7/metasploit-framework.git

Now install some stuff

apt-get -y install build-essential zlib1g zlib1g-dev libxml2 libxml2-dev libxslt-dev locate libreadline6-dev libcurl4-openssl-dev git-core libssl-dev libyaml-dev openssl autoconf libtool ncurses-dev bison curl wget postgresql postgresql-contrib libpq-dev libapr1 libaprutil1 libsvn1 libpcap-dev git-core postgresql curl ruby nmap gem bundler

Most of these will already be installed

Before you can move on and install metasploit you need a few other bits, the following worked for me (you may need to tweak it)

apt-get install libsqlite3-dev

# if that does not work

gem install sqlite3 -v ‘1.3.13’

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99dcbb68344.png

The next command takes ages and appears to do nothing (it warns you) but give it time.

gem install nokogiri -v ‘1.8.2’

After about 9 months you should see this:

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99da239039e.png

Once they are installed we can “try”

bundle install

You will get a warning about running bundler as root and a recommendation to install bundler via gem but I carried on regardless as this is just a test.

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99de5f72f11.png

At this point the pi became unresponsive so its a good time to test out the autossh viability.

I pulled the powercable to give it a hard reset and plugged it in and within 40 seconds I had a ssh connection.

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e101cfce6.png

Considering the last response from bundler I decided to update it.

gem install bundler

This took a while on a fresh boot but we are nearly there.

Now it is actually working

This installed and seemed to work so lets see how the raspberry pi handles msfconsole.

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e451bfbce.png

Wow it was faster than I thought and took about 45 seconds

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e5a745ee7.png

Lets test it out with a rev shell, it looks like it is working so far.

Create one with msfvenom on your attacker machine

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e793db527.png

Set up a listener

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e7cd6d996.png

Execute the shell

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e84b39545.png

Watch your listener for a shell

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e86ede455.png

It works.

Looks like the latest exploits are installed as well so we can move on to the next tool.

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99e8eb0ec1b.png

Modify .bashrc with the following command to make it run in any dir. or you can add it to your bin.

(FYI I tweaked my .bashrc at this point to make my console stand out)

echo alias “msfconsole=’/opt/metasploit-framework/msfconsole'” >> ~/.bashrc

source ~/.bashrc

Test it works

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99f2fc317d7.png

Also add msfvenom to your .bashrc for easy shells

echo alias “msfvenom=’/opt/metasploit-framework/msfvenom'” >> ~/.bashrc

source ~/.bashrc

Creating other methods of access.

Now we want to add a few other shells incase we are unable to get autossh out of the firewall to make sure you can access the machine.

We will use python as the arm architecture does not play well with msfvenom

Reverse HTTPs python shell (Port 80):

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c5ae90ddba.png

Reverse HTTPS python shell:

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9ae21c5a85f.png

Reverse python HTTPS shell via port 53

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9adfbb1b284.png

Now create the following file on your attacker machine called meterpreter.rc.

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c5a2aa3d92.png

Run the .rc file with the below command:

msfconsole -q -r meterpreter.rc

Check your shells work

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9ae2d6af472.png

Shells received.

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9ae45bab424.png

These are pretty handy if you have some local tools you want to run against the host or if you want to pivot with metasploit.

Now create three services in /etc/systemd/system with the following contents.

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c52f09b047.png

Start each of the services to make sure they work.

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c5463da760.png

Enable your services to start at boot.

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c54b28f14d.png

Exit meterpreter and start your handlers from scratch.

msfconsole -q -r meterpreter.rc

Reboot the pi and you should see three shells come back.

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c5bcadf990.png

Now we have four ways for our pi to call back to us.

Another method which may be easier is to create a cronjob.

Create the following file Shells.sh

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c639694fdc.png

Make the file executable

chmod +x Shells.sh

Open crontab with

crontab -e

Add the following entry:

@reboot /bin/bash /root/Shells.sh

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c63e50fc0d.png

Exit and save the pi and reboot.

Open your listener again and after a while you should see your shells come back.

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9c64a5cebf6.png

Searchsploit

git clone https://github.com/offensive-security/exploit-database.git /opt/exploit-database

Not sure why you would not have this on your local machine but it always helps

Make searchsploit executable and test it.

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99ed186ef24.png

It works so add it to your .bashrc file

Be careful not to overwrite it

echo alias “searchsploit=’/opt/exploit-database/searchsploit'” >> ~/.bashrc

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99eff96ee52.png

Type the following:

source ~/.bashrc

Check it works outside of the exploitdb folder

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99f0796dc99.png

Python.

So Raspbian comes with python installed.

First we will install pip (Easy python installs)

apt-get install python-pip

You can add your tools via pip as you need them but just for a demo. (this was already installed)

python -m SimpleHTTPServer 81

Lets see what we can host internally

http://sicurolab.com/wp-content/uploads/2018/03/img_5a99fb0d36438.png

Ok happy with that, not my best fake website but you get the idea.

Nishang

cd /opt/

git clone https://github.com/samratashok/nishang.git

Best powershell reverse shell I have found so far which you can host via python.

This combined with a bash bunny is really handy.

Unicorn

Another amazing powershell tool you want on this machine

cd /opt/

git clone https://github.com/trustedsec/unicorn.git

Responder

cd /opt/

git clone https://github.com/SpiderLabs/Responder.git

Very good tool

Empire

Another tool to add which will be useful for internal tests.

cd /opt

git clone https://github.com/adaptivethreat/Empire.git

cd Empire/setup

apt-get install python-m2crypto

pip install pyminifier

./install.sh

Once installed you should see this:

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9ac6ba404da.png

Social Engineer Toolkit

Another great tool most of the dependencies are already installed

cd /opt

git clone https://github.com/trustedsec/social-engineer-toolkit.git

cd social-engineer-toolkit

python setup.py install

Setup should end like this:

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9b09f464633.png

Now set is installed:

http://sicurolab.com/wp-content/uploads/2018/03/img_5a9b0a31ef977.png