The world is full of vulnerable computers. As you learn how to interact with them, it will be both tempting and necessary to test out newfound skills on a real target. The Damn Vulnerable Pi is a Raspberry Pi image designed for practicing and taking your hacking skills to the next level.
Many of us are hands-on learners, and the best way to learn a skill is to try it and gain a real understanding.
With hacking constantly in the news and on the national radar, computer intrusion is met with less and less understanding.
As a hacker, the solution is a computer that is deliberately vulnerable and specially made for attacking. So where do you get this vulnerable computer? Does it have some interesting vulnerabilities? Ten years ago, what you practiced hacking on was older systems.
Since Zero Byte is a white hat hacking community, it's essential to have every opportunity to practice lawfully and safely as we learn to break things. The Raspberry Pi is a cheap, flexible computer that can run a wide variety of popular software and backend applications.
So why not just run it on your laptop in a virtual machine? I've always been hesitant to unleash the fury on a virtual machine inside my precious hacking laptop. With a virtual machine, it's possible to end up bombing your mom's HP rather than the virtual machine, which could destroy the computer.
Physical separation is desirable, but until recently, it was rather expensive to buy another computer for testing when a free VM is available. Now, for $35, you can get hacking on safe and legal targets thanks to the InfoSec community!
Australian security researcher Re4son runs Whitedome Consulting, a site with custom Raspberry Pi images developed in support of both cyber security learning and active penetration testing. He builds things with the Raspberry Pi that blue teams see hovering in their darkest nightmares. Re4son's Damn Vulnerable Pi image caught my eye after relying on his "Re4son Kernel" to solve many problems running on the Pi Zero W.
The Damn Vulnerable Pi image is a perfect companion to an offensive Kali Linux build, simulating a target computer running vulnerable services for you to destroy. For the sake of simplicity and compatibility, we'll use the "dv-pi" tool to control our DV-Pi over SSH from any laptop or smartphone.
Re4son's DV-Pi comes with the following features:
- 3 GB image ready to go with all common TFT screens.
- Re4son Kali-Pi Kernel 4.4 with touch screen support.
- Supports Raspberry Pi 0/0W/1/2/3.
- Tool (re4son-pi-tft-setup) to set up all common touchscreens, enable auto logon, etc.
- Command line tool (dv-pi) for headless operation.
- Each image comes with one vulnerability to get in and one vulnerability to get root.
- Each image has two proof.txt files.
What You'll Need
Step 1: Prepare the Image & SD Card
To begin, we'll need Re4son's DV-Pi image. You can find it on his blog here. We'll start with the "easy-ish" image.
After downloading the DV-Pi image, unarchive it and select your favorite disk image burning software, because we'll be burning the image to an SD card.
At this point, you'll need to insert the SD card that you want to run the DV-Pi on into your laptop. I recommend using a microSD card of no less than 8 GB.
In Etcher, select the .img file you downloaded and unarchived, and burn it to the SD card.
Step 2: Load Your SD Card & Connect Ethernet
After you're finished burning the OS onto the card, load the card into your Raspberry Pi and connect it via Ethernet to your network. Plug in the power, and you'll see the DV-Pi start up. You can connect it to an HDMI display to make sure everything is working correctly. It should look exactly like this:
After the Pi is booted, you should be able to scan your network with arp-scan or Fing network scanner from your laptop or phone to discover the Pi's IP address. In this case, the device name is "dv-pi3."
Step 3: SSH Into the DV Pi
Armed with the IP address, we can now SSH into the Raspberry Pi. You can scan for the Pi's IP address with the Fing Network Scanner.
You can SSH into the Pi via ssh pi@[ip address here]
The password will be "raspberry."
Once you SSH in, you will have access to the DV-Pi's administrative controls!
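To pick the DV-Pi out of the arp-scan results used in Steps 2 and 3, the following added example (not part of the original article or of Re4son's tooling) filters scan output by the Raspberry Pi Foundation MAC prefix B8:27:EB. It assumes the Pi is connected through an on-board network interface; the function names and the sample scan output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list Raspberry Pi hosts found in `arp-scan` output.
# Assumption: the DV-Pi uses an on-board interface, whose MAC starts with the
# Raspberry Pi Foundation prefix B8:27:EB. A Pi Zero on a USB Ethernet adapter
# reports the adapter vendor's prefix instead and will not match.

PI_OUI="b8:27:eb"

# Reads arp-scan output on stdin and prints "IP MAC" once per matching host.
find_pi_hosts() {
    awk -v oui="$PI_OUI" '
        # Host lines are "<IPv4> <MAC> <vendor...>"; banner and summary
        # lines do not start with an IPv4 address and are skipped.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && length($2) == 17 {
            mac = tolower($2)                  # arp-scan case can vary
            if (substr(mac, 1, length(oui)) == oui && !seen[mac]++)
                print $1, mac                  # duplicates are printed once
        }'
}

# Constructed sample output (made-up addresses and MACs, not a real scan).
sample_scan() {
    cat <<'EOF'
Interface: eth0, type: EN10MB, MAC: 00:11:22:33:44:55, IPv4: 192.168.1.10
Starting arp-scan with 256 hosts
192.168.1.1   a4:2b:b0:00:00:01   Example Router Vendor
192.168.1.23  B8:27:EB:12:34:56   Raspberry Pi Foundation
192.168.1.23  B8:27:EB:12:34:56   Raspberry Pi Foundation (DUP: 2)
192.168.1.42  3c:22:fb:00:00:02   Example Laptop Vendor

4 packets received by filter, 0 packets dropped by kernel
EOF
}

# Live use on your own network (needs root):
#   sudo arp-scan --localnet | find_pi_hosts
sample_scan | find_pi_hosts
```

If more than one line comes back, there are several Pis on the segment; confirm which one is the DV-Pi by its device name before connecting.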
Step 4: Check Status & Start the DV-Pi
To check the current status of our Damn Vulnerable Pi, we can use the dv-pi tool helpfully included by Re4son. To check to see if the DV-Pi is running and vulnerable, enter the following:
This is the current status of the device. Initially, it should be off / not vulnerable.
Ready to start hacking? To start the DV-Pi's vulnerable applications, you'll need to run:
Then authenticate with the password "raspberry" in the terminal.
Once your DV-Pi is set up, you're ready to start hacking it. To prove you gained access, a fake "customer database" of credit card info is included to simulate exfiltrating real data and provide some excitement upon succeeding. Re4son runs a fantastic blog and responds to questions on his builds.
Zero Byte & the Community
After speaking with Re4son about how useful his images are for our community, he's updated the images to support all versions of the Raspberry Pi including the new Pi Zero W. Wi-Fi tools are easy-to-use methods for wireless security techniques.
If there's interest, please mention it in the comments and we'll start taking community requests for features and look into giveaways for our community!
Stay tuned for tutorials on the DV-Pi and other DV images on the Pi Zero W, and for Re4son's Wi-Fi focused DV-Pi.