Disguised Raspberry Pi that can Hack your Network

I’ve been playing around with a Raspberry Pi on and off for a while now. The credit-card-sized, fully functional computer can do many things, including being transformed into a security testing tool!

There is a great article on TunnelsUp.com that demonstrates disguising a Raspberry Pi computer as a power plug and configuring it to call home to a control server over SSH (a reverse SSH tunnel, so the attacker never needs an inbound connection through the firewall). Basically it becomes a homemade version of the popular Pwn Plug from Pwnie Express.

When assembled, the device looks like any other power adapter that clutters our power-hungry offices. Except this one allows someone outside the building to connect into the building, possibly allowing them to perform attacks against your infrastructure from the inside.

Though the author mentions just using “A Linux OS” on the Pi, building something like this with Kali Linux installed would make it a very powerful (and affordable) attack/security testing platform. Kali is the successor to the BackTrack penetration testing distribution, is loaded with security tools, and ships an ARM image that runs well on a Raspberry Pi.

Very cool project. This should jog the creative mind of penetration testers and hopefully be a warning to IT departments to keep an eye out for rogue devices such as this: an unknown MAC address on a switch port, or a DHCP lease for a host nobody owns, is exactly what one of these looks like from the network side.


Hard Drive Hacking – Hardware Backdoor even if Drive Wiped!

Hard Drive Hack

With all eyes on the Vegas security conferences, some amazing news comes out of OHM2013, a security conference in The Netherlands. At the show a security researcher demonstrated how a hacker could re-program the firmware on a hard drive to maintain a backdoor, and apparently the attack would still work even if the hard drive was erased and reformatted!

The researcher showed that an attacker who has already compromised a machine can rewrite the flash firmware on its hard drive and program the drive itself to protect his access.

Firmware is code stored on a flashable chip on the drive’s controller board. This built-in code tells the drive how to work: how to read and write data, how to manage its cache, and so on. It is flashable (can be reprogrammed) so the manufacturer can release updates, and that same update path is what the attack abuses. Most people never reflash or update their hard drive firmware.

At the conference the presenter walked through the attack. He ran his tool to flash the modified firmware onto the drive, then played the part of an administrator who had discovered the intrusion and reset the root password.

The firmware had been programmed to watch the data passing through the drive’s cache for a trigger, a special string (a particular web address, perhaps, which ends up on disk when the web server logs the request). Once the trigger has passed through, the next time the password file is read the firmware rewrites the administrator’s entry on the fly, setting the password back to the one the hacker chose.

And it worked!

So basically, if a hacker compromises the hard drive firmware, he can keep a way back into the system even if the entire drive is erased and reformatted. Wiping touches only the data sectors; the firmware sits in the controller’s own flash chip, below the filesystem and below the operating system, so neither a format nor a fresh OS install removes it, and nothing the OS reads back from the drive can be trusted to be what was written.
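To make the mechanism concrete, here is an added example, not the OHM2013 proof of concept or any real drive firmware: a toy block device in JavaScript whose controller logic inspects writes for a trigger and then tampers with reads of the password file. The sector numbers, trigger string and password hashes are constructed for the walk-through, and the “shadow file” is a two-line stand-in for /etc/shadow.

```javascript
'use strict';

class BackdooredDrive {
  // `firmware` models code and data living in the controller's own flash chip.
  // It is separate from the data sectors, so wiping the platters never touches it.
  constructor(sectorCount, firmware) {
    this.sectors = new Array(sectorCount).fill('');
    this.firmware = firmware;
    this.armed = false;   // flips once the trigger has passed through the cache
  }

  // Every write flows through the drive's buffer, where the firmware can inspect it.
  write(lba, data) {
    if (data.includes(this.firmware.trigger)) this.armed = true;
    this.sectors[lba] = data;
  }

  // Reads go through the same buffer. Once armed, the firmware rewrites the root
  // entry of anything that looks like /etc/shadow on the way out. The bytes on the
  // platter stay exactly as the OS wrote them, so reading the raw sector later
  // through this same firmware, or auditing it, shows nothing unusual.
  read(lba) {
    const data = this.sectors[lba];
    if (this.armed && /^root:[^:]*:/m.test(data)) {
      const hash = this.firmware.hash;
      return data.replace(/^root:[^:]*:/m, () => `root:${hash}:`);
    }
    return data;
  }

  // "Erase and reformat": every data sector is cleared; firmware state survives.
  wipe() { this.sectors.fill(''); }
}

// Constructed values for the scenario (assumptions, not real layouts or hashes).
const SHADOW_LBA = 7;                             // where /etc/shadow happens to land
const LOG_LBA = 9;                                // where the web server log lands
const ADMIN_HASH = '$6$newsalt$freshAdminPassword';
const ATTACKER_HASH = '$6$evilsalt$attackerKnowsThis';
const TRIGGER = 'GET /please-let-me-back-in';     // magic URL that shows up in the log

function runScenario() {
  // The attacker flashed the firmware during the original compromise.
  const drive = new BackdooredDrive(16, { trigger: TRIGGER, hash: ATTACKER_HASH });
  const shadow =
    `root:${ADMIN_HASH}:16000:0:99999:7:::\n` +
    `alice:$6$s$unrelatedHash:16000:0:99999:7:::\n`;

  // 1. The admin detects the intrusion: wipe, reinstall, set a new root password.
  drive.wipe();
  drive.write(SHADOW_LBA, shadow);
  const afterReinstall = drive.read(SHADOW_LBA);

  // 2. The attacker sends one HTTP request. The web server logs it, the log is
  //    flushed to disk, and the trigger string passes through the drive cache.
  drive.write(LOG_LBA, `203.0.113.9 - - "${TRIGGER} HTTP/1.1" 404 162\n`);

  // 3. The next time the OS reads the password file, it receives the attacker's hash.
  const afterTrigger = drive.read(SHADOW_LBA);

  return {
    afterReinstall,
    afterTrigger,
    onDisk: drive.sectors[SHADOW_LBA],   // unchanged: only the returned data lies
    armed: drive.armed,
  };
}
```

Note that the wipe happens before the trigger and makes no difference: `armed` and the attacker’s hash live in the firmware object, not in `sectors`, which is the whole point of the attack. Other accounts in the file are passed through untouched, which is what makes the tampering so quiet.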

Crazy stuff.

For more information, including a step by step explanation and proof of concept code, check out Spritesmods.com.

Owning Firefox & Chrome Browsers using Kali and BeEF

The internet can be a very unfriendly place, especially for older operating systems like Windows XP. In this post we will take a look at exploiting Windows XP browsers using BeEF, the Browser Exploitation Framework.

It has been a long time since I have done a post on BeEF, about three years in fact, but after going through a great Web Application and XSS security class, I figured it was time to brush it off again. I was very pleased to find that a ton of new features (called commands) have been added to BeEF since I last used it, dramatically increasing its functionality.

Granted a lot of the attacks in BeEF no longer work against Windows 7 with the latest browsers, but it seems that Windows XP systems are still very vulnerable to many of the browser attacks, even when using the latest browsers.

So let’s see what BeEF can do against a Windows XP system.

First we need to start the Browser Exploitation Framework. In Kali, just open a terminal and run the BeEF start command:

Running BeEF

This starts the BeEF server and shows you the web address of the graphical user interface, plus a couple of sample pages that you can use to hook browsers:

Browser Exploitation Main Screen

Just surf to http://127.0.0.1:3000/ui/panel to view the user interface and log in with the default username and password, both ‘beef’:

BeEF Login

You will now be greeted with the BeEF control panel:

Beef Control Panel

Listed under the “Getting Started” section you will see links for two test pages that you can use to play with hooking browsers. I like the “Advanced version” as it looks like a real webpage.

On our XP system running the latest Firefox browser, if we surf to the “Malicious” demo page that BeEF creates, we will see this screen:

 WinXP Firefox 22

Or this if we are using Chrome:

XP with Chrome

The page shows some delicious looking beef, and nothing really seems awry. But what the user can’t tell is that this particular webpage contains a hook: a piece of JavaScript served by BeEF (hook.js) that, once loaded, keeps a channel open to the BeEF server and lets the attacker run commands inside the browser, pretty much taking complete control of what that browser does on the page.

The hook is set as soon as the visitor loads the page. The user does not have to run anything, click anything or mouse over anything; just rendering the page runs the script, the same way any other script on the page runs. In a real attack the script would not sit on a demo page; it would be injected into a site the victim trusts through a cross-site scripting hole or a compromised page.

When machines are hooked, they show up in the BeEF control panel:

Browser Hooked

Now that we have the system listed in the control panel, we simply click on the system we want to attack and then pick from the numerous attacks listed in the commands section:

BeEF Commands

Using these commands we can grab information from the victim’s browser, or even change what they see. For example, if we want to try to social engineer them and grab their Facebook credentials, we can go to the Social Engineering tab, click “Pretty Theft”, and then ‘Execute’.

On the victim’s browser a pop up will appear:

fake facebook login

Oh no! My Facebook timed out!

If the user fills in their creds and hits Log in, this appears in the BeEF control panel:

fake facebook login cred grab

Or we could try to grab credit card numbers with this Amazon looking attack:

Amazon Credit 1

BeEF can do much more than just send pop-ups. You can grab the HTML of the webpage that the victim is on:

Beef Get Page HTML

And then change any links on the page in real time, without the user ever knowing, to point to wherever you want the victim to go. Here is a look at the webpage source after changing all the links on the page to point to the Dallas Cowboys website:

Href change

Of course an attacker wouldn’t normally send them to a sports site, but most likely a website that was, say, a complete spoof of Amazon or Facebook.

You can also send custom JavaScript, or even tie it in with Metasploit to attempt to get a remote shell.
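The whole hooked session described above, as an added example that is not BeEF’s own hook.js or any of its modules: a small JavaScript model of the hook, the command server it polls, and three commands (grab the page HTML, rewrite every link, and a fake login dialog). The DOM stub, module names and the simulated user who fills in the dialog are assumptions made for the simulation; the real hook is loaded with a script tag and polls the server over HTTP on a timer, but the shape of the exchange is the same.

```javascript
'use strict';

// Constructed stand-in for the victim page's DOM, since there is no browser here.
function makeDocument() {
  const anchors = [
    { href: 'https://shop.example.com/checkout', text: 'Checkout' },
    { href: 'https://shop.example.com/account', text: 'My account' },
  ];
  return {
    title: 'Beef in Town',
    anchors,
    querySelectorAll(selector) { return selector === 'a' ? anchors : []; },
    get outerHTML() {
      const links = anchors.map(a => `<a href="${a.href}">${a.text}</a>`).join('');
      return `<html><head><title>${this.title}</title></head><body>${links}</body></html>`;
    },
  };
}

// Command modules. Each runs inside the page with the page's own origin and
// privileges, exactly as if the site had shipped the script itself.
const modules = {
  // Exfiltrate the rendered page.
  get_page_html: (doc) => doc.outerHTML,
  // Point every link somewhere else; link text is untouched so nothing looks off.
  replace_hrefs: (doc, { url }) => {
    const links = doc.querySelectorAll('a');
    for (const a of links) a.href = url;
    return `rewrote ${links.length} links`;
  },
  // Fake "session expired" dialog; whatever is typed goes straight to the server.
  pretty_theft: (doc, { site }, prompt) => {
    const creds = prompt(`${site} session timed out. Please log in again.`);
    return creds ? `${site}: ${creds.user} / ${creds.pass}` : 'dismissed';
  },
};

// Minimal command server: a queue of commands for the hooked browser and a log
// of what came back. A control panel like BeEF's sits on top of something like this.
class HookServer {
  constructor() { this.queue = []; this.results = []; this.hooked = []; this.nextId = 1; }
  register(info) { this.hooked.push(info); return `session-${this.hooked.length}`; }
  push(module, args = {}) { this.queue.push({ id: this.nextId++, module, args }); }
  poll() { return this.queue.shift() || null; }
  report(id, out) { this.results.push({ id, out }); }
}

// The hook itself: report in once, then keep asking for work. A real hook polls
// on a timer for as long as the tab stays open; closing the page ends it.
function runHook(doc, server, env) {
  const session = server.register({ ua: env.userAgent, title: doc.title });
  for (let cmd = server.poll(); cmd !== null; cmd = server.poll()) {
    const fn = modules[cmd.module];
    let out;
    try {
      out = fn ? fn(doc, cmd.args, env.prompt) : `unknown module ${cmd.module}`;
    } catch (e) {
      out = `error: ${e.message}`;
    }
    server.report(cmd.id, out);
  }
  return session;
}

// One hooked session end to end: the attacker queues three commands, the victim's
// browser (with a simulated user who falls for the dialog) executes them.
function hookedSession() {
  const doc = makeDocument();
  const server = new HookServer();
  server.push('get_page_html');
  server.push('replace_hrefs', { url: 'https://login.example.net/amazon-lookalike/' });
  server.push('pretty_theft', { site: 'Facebook' });
  const env = {
    userAgent: 'Mozilla/5.0 (Windows NT 5.1; rv:22.0) Gecko/20100101 Firefox/22.0',
    prompt: () => ({ user: 'victim@example.com', pass: 'hunter2' }),
  };
  const session = runHook(doc, server, env);
  return { session, doc, server };
}
```

Two things worth noticing: the page HTML is captured before the links are rewritten, so the attacker gets a faithful copy to build a spoof from, and `replace_hrefs` changes only `href`, which is why the page looks identical to the user. On the defensive side, everything here is plain script execution in the page, so a script blocker that refuses the hook’s origin, or a page Content-Security-Policy that does not allow scripts from it, never lets the loop start.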

As you can see, an attacker having control over the browser can be very bad.

BeEF color codes each command by how it expects it to behave against the hooked browser: green for works and is invisible to the user, orange for works but the user may notice something, grey for not yet verified against that browser, and red for not expected to work. But I did notice that some attacks that were marked red did in fact work, while some marked green did not.

I also noticed that newer browsers seemed to stop some of the attacks, but XP was still pretty open as to what would work against it.

I tried these attacks against a Windows 7 system and nothing was displayed:

Windows 7 No connection

A hook was created, but only lasted for about a second or two before it was dropped.

The best mitigation against this type of attack is to run current OS and browser versions. If you can, update or replace your Windows XP systems, especially ones that are used online; the base security in Windows 7 and 8 is much better than in XP. Remember that the hook is just JavaScript loaded from the attacker’s server, so a script blocker like “NoScript” that refuses scripts from untrusted domains stops it outright, and closing the tab ends the session. Finally, don’t click on or open links and attachments in unsolicited email and social media messages.