Disguised Raspberry Pi that can Hack your Network

I’ve been playing around with a Raspberry Pi on and off for a while now. The credit card sized, fully functional computer can do many things, including being transformed into a security testing tool!

There is a great article on TunnelsUp.com that demonstrates disguising a Raspberry Pi computer as a power plug and configuring it to connect out to a control server using SSH. Basically making it into something like the popular Pwnie Plug device.

When assembled, the device looks like any other power adapter cluttering our power-hungry offices. Except this one allows someone outside the building to connect into the building, possibly allowing them to perform attacks against your infrastructure.

Though the author mentions just using “A Linux OS” on the Pi, using something like this and placing Kali Linux on it would make it a very powerful (and affordable) attack/security testing platform. Kali, the latest version of the Backtrack penetration testing platform, is loaded with security tools and works exceptionally well on a Raspberry Pi.

Very cool project; this should jog the creative mind of penetration testers and hopefully be a warning to IT departments to keep an eye out for rogue devices such as this.
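For the IT departments mentioned above, here is an added example (not from the original post or the TunnelsUp article) of the two signals a planted Pi leaves: a Raspberry Pi MAC OUI in the DHCP leases, and a long-lived outbound SSH session from that host to an outside control server. The lease and connection lines are constructed sample data in dnsmasq lease format and a simple flow-log layout; the OUIs are the publicly registered Raspberry Pi ones.

```python
import ipaddress

# Publicly registered Raspberry Pi Foundation / Raspberry Pi Trading MAC OUIs.
PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample leases in dnsmasq format: <expiry> <mac> <ip> <hostname> <client-id>
LEASES = """\
1700000000 b8:27:eb:12:34:56 10.0.5.23 raspberrypi *
1700000000 00:1a:2b:3c:4d:5e 10.0.5.40 alice-laptop 01:00:1a:2b:3c:4d:5e
1700000000 dc:a6:32:aa:bb:cc 10.0.5.77 * *
"""

# Constructed connection log: src_ip src_port dst_ip dst_port proto duration_s
# (TEST-NET addresses stand in for internet hosts).
CONNS = """\
10.0.5.23 51234 203.0.113.10 22 tcp 86400
10.0.5.40 49876 10.0.1.5 22 tcp 120
10.0.5.77 50001 198.51.100.7 443 tcp 30
10.0.5.23 51235 10.0.1.5 22 tcp 5
"""

def pi_hosts(leases: str) -> dict:
    """Return {ip: mac} for every lease whose OUI belongs to a Raspberry Pi."""
    found = {}
    for line in leases.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1].lower()[:8] in PI_OUIS:
            found[parts[2]] = parts[1].lower()
    return found

def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses; everything else is treated as the internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def outbound_ssh(conns: str, hosts: dict, min_seconds: int = 600) -> list:
    """Long-lived tcp/22 sessions from flagged hosts to internet addresses.

    Internal admin SSH is expected and skipped; a reverse-SSH beacon from a
    planted device shows up as a persistent session to an outside server.
    """
    hits = []
    for line in conns.splitlines():
        src, _sport, dst, dport, proto, dur = line.split()
        if src in hosts and proto == "tcp" and dport == "22":
            if not is_internal(dst) and int(dur) >= min_seconds:
                hits.append((src, hosts[src], dst))
    return hits
```

On the sample data only the first Pi is reported: its day-long SSH session to 203.0.113.10 is the beacon, while its short session to an internal host and the second Pi's HTTPS traffic are ignored.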

Hacking Wi-Fi Networks with Fern, Kali and a Raspberry Pi

Fern Wifi Cracker 1

Wouldn’t it be cool to be able to test wireless network security using your Raspberry Pi? Well, thanks to Kali Linux, you can! With Kali you can scan for Wi-Fi networks and even perform active penetration testing using your $35 Raspberry Pi.

I just finished up another article for Hakin9 Magazine. In the article I covered using a Raspberry Pi to crack Wi-Fi security from install to basic pentesting.

With Kali you can use all the normal command line airmon-ng tools that you can use on a regular Linux machine. Fern is nice because it adds a graphical interface to the airmon-ng tools, which makes things so much easier.

Let’s take a quick look at Fern:

(NOTE: As always, these techniques are for IT teams and computer security testers, never attack or attempt to access a network that you do not own or have permission to access.)

From the main menu (see picture above) just select your wireless card, then scan for access points. As they are found, Fern lists them under the WEP or WPA button.

Fern Wifi Cracker Detected

Clicking the associated button will display a list of the access points found. Then just select the one you want to test. You now have two attack options: the Reaver WiFi Protected Setup (WPS) attack or a normal association key dictionary brute force attack:

Fern Wifi Cracker Detected 2

Fern works very well and is actually pretty responsive when run on a Raspberry Pi.

With the Pi being so small and cheap, this opens up some interesting options for professional penetration testers, especially when paired with a USB Wi-Fi adapter and a battery pack.

For a lot more information on computer security, including bypassing the most common Wi-Fi security techniques, check out my new step-by-step tutorial book, “Basic Security Testing with Kali Linux”.

Year in Review – Top Cyber Arms Posts for 2011

Happy New Year everyone!

I just wanted to thank everyone for another successful year here at CyberArms. Over the year, we talked about some of the hottest news in security and learned some new techniques through the latest hands-on tutorials. I figured what better way to celebrate our year together than to list the top ten articles from 2011, chosen by you, our visitors!

The following articles are the most popular for last year, ranked by page views:

Backtrack 4: Penetration Testing with Social Engineering Toolkit
Backtrack 4 includes a program that you do not hear much about in the mainstream security media, but it is a penetration tester’s dream. Under the penetration menu is a program called the Social Engineering Toolkit (SET). If social engineering attacks for penetration testers could be made any simpler, I do not know how.

Backtrack 4: How to use Metasploit Training Class
These are, by far, some of the best training videos I have seen on Metasploit. It is a taped security conference from the ISSA Kentuckiana Chapter and is billed by Adrian Crenshaw as being “more Metasploit than you can stand!”

How to Spy on Another Person’s Browser: Man-in-the-Middle Attacks
Today, I want to look at the “Remote Browser Attack” feature of Ettercap. This basically allows you to remotely spy on a target PC and a copy of the website they are visiting will be displayed on your computer.

Cracking 14 Character Complex Passwords in 5 Seconds
Sounds like we need to put this to the test. Most hackers crack passwords by decoding the password hash dumps from a compromised computer. So I pulled several 14-character complex password hashes from a compromised Windows XP SP3 test machine to see how they would stand up to Objectif’s free online XP hash cracker. The results were stunning.

Cracking WPA Protected Wi-Fi in 6 Minutes using the Cloud
Well, according to recent reports, security researcher Thomas Roth says with his brute force program he was able to break into a WPA-PSK protected network in about 20 minutes. And with recent updates to the program, the same password would take about 6 minutes!

NTLM Passwords: Can’t Crack it? Just Pass it!
Let me explain, if you can retrieve the LM or NT hashes from a computer, you do not need to crack them. There is really no need. Sometimes you can simply take the hash as-is and use it as a token to access the system. This technique is called “Pass the Hash”.

What to do When a Website Won’t let you Leave
Usually it is a “Do you really want to leave?” or “Click here to install our anti-virus program”. Here is the bad news. Clicking on the “accept”, “ok” or even the “no” or “cancel” button could be a security issue. It may install something that you don’t want. Also, clicking the red “X” on the popup window to close it may not work, or it may be the same as clicking “accept”. Yeah, I know, hackers and spammers are evil.

How to Log into Windows without the Password
So I booted into Ubuntu, went to the Windows System32 directory, renamed utilman.exe to utilman.old, copied cmd.com to utilman.exe and rebooted. At the Windows login prompt I hit the Windows+U keys and up pops a system level command prompt. From here you can type any Windows command, add users, etc.

GPU Crackers make Seven Character Passwords Inadequate
“Right now we can confidently say that a seven-character password is hopelessly inadequate – and as GPU power continues to go up every year, the threat will increase.”

Memory Forensics: How to Pull Passwords from a Memory Dump
We now have a list of where several key items are located in the memory dump. Next, we will extract the password hashes from the memory dump. To do this we need to know the starting memory locations for the SYSTEM and SAM keys. We look in the dump above and copy down the numbers in the first column that correspond to the SAM and SYSTEM locations. Then we output the password hashes into a text file called hashs.txt.

IN CONCLUSION

2011 was a great year for both CyberArms and me personally. I had an amazing opportunity last year to be a technical editor for Vivek Ramachandran’s “Backtrack 5 Wireless Penetration Testing Beginner’s Guide”. Vivek is a great teacher; if you are interested in wireless security at all, check out his book or his website SecurityTube.net.

I have also recently become an article reviewer, and soon to be article contributor, for the uber popular IT security magazine “Hakin9”. Hakin9 is one of the most popular computer security magazines in the world. I have followed the magazine for a while now, so it is an honor to be a part of the process.

If you have a business opportunity that you think I might be interested in, please feel free to contact me at cyberarms(at)live.com. I love the security field, research and writing and am always looking for new opportunities.

Thanks so much, and I wish you and your families a blessed and prosperous new year!