Setting Up Network Implants with a Cheap SBC (Single-Board Computer) «Zero Byte :: WonderHowTo



With a cheap computer smaller than the Raspberry Pi, an attacker can build a remote hacking device. The device is plugged into a target router without anyone else's knowledge and lets the hacker perform a variety of network-based attacks from anywhere in the world.

As the name implies, network implants are small physical devices (such as a Raspberry Pi) that can be discreetly connected to computers and routers. These devices are usually planted without anyone's knowledge and camouflaged to blend into the environment.

Similar to Hak5's LAN Turtle, this attack requires a physical device inside the target network, plugged into the router. The device establishes its own outbound connection to the Internet, so no port forwarding, firewall exceptions or changes to the router's settings are needed. It acts as a remote access tool (RAT), letting an attacker intercept and manipulate traffic on the network and attack the devices connected to it.

Instead of a commercial product that typically retails for around $200, I'll show how a hacker can set one up on a cheap single-board computer (SBC) similar to the infamous Raspberry Pi.

The SBC featured in this article is the Orange Pi Zero, also known as the OPi Zero, though other boards would work. The OPi Zero is a small board with a Cortex-A7 CPU and 512 MB of memory. That may not sound like a lot of RAM, but it is more than enough to run man-in-the-middle attacks, advanced Nmap scans and brute-force attacks while hosting a Wi-Fi hotspot and a remote-access service. It's a small, lightweight computer, but still powerful.

Image by tokyoneon/Null Byte

The Orange Pi Zero can be purchased from Amazon for $19.99 (USD) or through outlets like AliExpress. There are also the Orange Pi Zero H2, the Orange Pi Zero Plus 2 and the Orange Pi Zero Plus H5. You can view the full Orange Pi shop on Amazon.


Why not use the Raspberry Pi?

It is quite possible to use the Raspberry Pi 3 Model B+, a great SBC with a superior CPU and more RAM than the Orange Pi Zero. Likewise, the Raspberry Pi Zero costs less than $20 and is just as small as the Orange Pi Zero. The Orange Pi Zero was nonetheless chosen for several reasons.

  • Price: The Orange Pi Zero offers a capable CPU at a great price. The Raspberry Pi 3 B+ is noticeably more expensive, which makes it less expendable. After the SBC is installed on the target router it may not be recoverable (depending on the scenario), or it may be discovered and confiscated by someone on the network. If it is lost during a penetration test, the loss is not as severe.
  • Ethernet: The attack relies on an SBC with an Ethernet port that connects directly to the target router. The Raspberry Pi Zero is small and inexpensive but has no Ethernet port. Ethernet over USB 2.0 is possible, but that means buying a USB-to-Ethernet adapter.
  • Performance: The benchmarks run against the Raspberry Pi 3 B+, the Raspberry Pi Zero and the Orange Pi Zero are telling. The Orange Pi Zero outperforms the Raspberry Pi Zero in every test at a comparable price. In most cases the Orange Pi Zero performed similarly to (or better than) the Raspberry Pi 2 (see below).
Image by MickMake / YouTube

With the Orange Pi Zero we get roughly Raspberry Pi 2 performance at Raspberry Pi Zero pricing. As far as hardware goes, the Raspberry Pi 3 B+ is overkill for what's needed here. The NanoPi NEO-LTS, which is even smaller than the Orange Pi Zero, would probably also perform well in this type of attack.

Prerequisites

This project requires the following components:

Image by tokyoneon/Null Byte

Requirements for the destination router

Not every router is an ideal candidate for network implant attacks. Older routers or high-security network environments may present special challenges.

Image by tokyoneon/Null Byte

Step 1: Download the Orange Pi Armbian image.

After purchasing all the hardware components and setting up the target router, you can start building the Orange Pi Zero for this attack. Download the Armbian image for the Orange Pi Zero from the Armbian website. In Kali this can be done with wget.

  ~ $ wget 'https://dl.armbian.com/orangepizero/Debian_stretch_next.7z'

--2019-04-12 22:04:50--  https://dl.armbian.com/orangepizero/Debian_stretch_next.7z
Resolving dl.armbian.com (dl.armbian.com)... 193.40.101.96
Connecting to dl.armbian.com (dl.armbian.com)|193.40.101.96|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://dl.armbian.com/orangepizero/archive/Armbian_5.75_Orangepizero_Debian_stretch_next_4.19.20.7z [following]
--2019-04-12 22:04:55--  https://dl.armbian.com/orangepizero/archive/Armbian_5.75_Orangepizero_Debian_stretch_next_4.19.20.7z
Reusing existing connection to dl.armbian.com:443.
HTTP request sent, awaiting response... 200 OK
Length: 262124041 (250M) [application/x-7z-compressed]
Saving to: 'Debian_stretch_next.7z'

Debian_stretch_next.7z   100%[====================================================>] 249.98M   283KB/s    in 16m 26s

2019-04-12 22:21:22 (260 KB/s) - 'Debian_stretch_next.7z' saved [262124041/262124041]

The 7z format is a compressed archive format (like ZIP). The Debian image can be extracted with the 7z command; if it is not installed, install it with the following command.

  ~ $ apt-get install p7zip-full -V

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
   p7zip (16.02+dfsg-6)
Suggested packages:
   p7zip-rar (16.02-3)
The following NEW packages will be installed:
   p7zip (16.02+dfsg-6)
   p7zip-full (16.02+dfsg-6)
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,540 kB of archives.
After this operation, 5,780 kB of additional disk space will be used.
Do you want to continue? [Y/n]

Then extract the archive with 7z's x option (extract with full paths).

  ~ $ 7z x Debian_stretch_next.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=de_DE.UTF-8,Utf16=on,HugeFiles=on,64 bits,3 CPUs Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz (906EA),ASM,AES-NI)

Scanning the drive for archives:
1 file, 262124041 bytes (250 MiB)

Extracting archive: Debian_stretch_next.7z
--
Path = Debian_stretch_next.7z
Type = 7z
Physical Size = 262124041
Headers Size = 297
Method = LZMA2:25
Solid = +
Blocks = 1

Everything is Ok

Files: 4
Size:       1124093008
Compressed: 262124041

Use the command ls to display the extracted image. Note the file "Armbian_5.75_Orangepizero_Debian_stretch_next_4.19.20.img". This file is used to install Debian on the microSD card for the Orange Pi Zero.

  ~ $ ls -l

-rwxrwx--- 1 root root 1124073472 Feb 10 07:59 Armbian_5.75_Orangepizero_Debian_stretch_next_4.19.20.img
-rwxrwx--- 1 root root        833 Feb 10 07:59 Armbian_5.75_Orangepizero_Debian_stretch_next_4.19.20.img.asc
-rwxrwx--- 1 root root      18579 Feb 10 07:59 armbian.txt
-rwxrwx--- 1 root root  262124041 Apr 13 05:58 Debian_stretch_next.7z
-rwxrwx--- 1 root root        124 Feb 10 07:59 sha256sum.sha
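Before writing anything to the card it is worth checking that the image is intact, since the archive ships a sha256sum.sha file and a detached .asc signature next to the .img. The script below is an added example and not part of the original article: it checks the image against sha256sum.sha, can verify the PGP signature once the Armbian signing key has been placed in a keyring, and refuses to run dd against a device that has mounted partitions or is not flagged removable. The file names, the bs=4M block size and the keyring path are this example's assumptions, as is the "digest  filename" layout of sha256sum.sha (the format sha256sum itself emits).

```shell
#!/bin/sh
# Added example, not from the original article: check the extracted Armbian
# image before it goes onto the card, then write it with some guard rails.
#   sh flash_armbian.sh Armbian_5.75_Orangepizero_Debian_stretch_next_4.19.20.img sha256sum.sha /dev/sdX
# Assumes the files listed above sit in the working directory and that
# sha256sum.sha is in sha256sum's "digest  filename" format (assumption).
set -u

# verify_sha256 IMAGE SUMFILE: 0 when the digest recorded for IMAGE matches
# the file on disk; 2 if a file is missing, 3 if IMAGE is not listed at all
verify_sha256() {
    image=$1; sumfile=$2
    [ -f "$image" ] && [ -f "$sumfile" ] || return 2
    expected=$(grep -E "[[:space:]]\*?$(basename "$image")\$" "$sumfile" | awk '{print $1}')
    [ -n "$expected" ] || return 3
    actual=$(sha256sum "$image" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# verify_signature IMAGE KEYRING: checks the detached IMAGE.asc signature.
# The Armbian signing key must already be in KEYRING; fetch it separately and
# compare its fingerprint with the one published by Armbian first, otherwise
# the signature check proves nothing.
verify_signature() {
    gpg --no-default-keyring --keyring "$2" --verify "$1.asc" "$1"
}

# write_image IMAGE DEVICE: refuses a device that has mounted partitions or
# that the kernel does not flag as removable (typo protection for the system
# disk; an on-board SD slot may report 0 here, so adjust if that is your case).
# conv=fsync makes dd flush before exiting, so "finished" means written.
write_image() {
    image=$1; dev=$2; name=$(basename "$dev")
    if grep -q "^$dev" /proc/mounts; then
        echo "refusing: $dev has mounted partitions" >&2; return 1
    fi
    if [ "$(cat "/sys/block/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "refusing: $dev is not flagged removable" >&2; return 1
    fi
    dd if="$image" of="$dev" bs=4M conv=fsync status=progress
}

if [ $# -eq 3 ]; then
    verify_sha256 "$1" "$2" || { echo "checksum mismatch, not writing" >&2; exit 1; }
    write_image "$1" "$3"
fi
```

Run it as root with the image, the .sha file and the target device as arguments. Because of conv=fsync, dd only returns after the data has reached the card, so the separate sync before ejecting is no longer needed.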

Step 2: Write the Operating System to the MicroSD Card

Insert the microSD card into the computer running Kali. If the microSD card came with a microSD-to-SD adapter, use it in your computer's SD slot; otherwise you may need a USB microSD card reader. Right after connecting the card, open a terminal and use the dmesg command to see which device name the kernel assigned to it.

  ~ $ dmesg

[   31.283694] usb 2-1: new SuperSpeed Gen 1 USB device number 2 using xhci_hcd
[   31.340852] usb 2-1: New USB device found, idVendor=0bda, idProduct=0306, bcdDevice= 1.17
[   31.340859] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   31.340864] usb 2-1: Product: USB3.0 Card Reader
[   31.340868] usb 2-1: Manufacturer: Realtek
[   31.340872] usb 2-1: SerialNumber:
[   31.426677] usb-storage 2-1:1.0: USB Mass Storage device detected
[   31.429196] scsi host3: usb-storage 2-1:1.0
[   31.429381] usbcore: registered new interface driver usb-storage
[   31.441631] usbcore: registered new interface driver uas
[   32.450075] scsi 3:0:0:0: Direct-Access     Generic- USB3.0 CRW-SD    1.00 PQ: 0 ANSI: 6
[   32.458690] scsi 3:0:0:1: Direct-Access     Generic- USB3.0 CRW-SD    1.00 PQ: 0 ANSI: 6
[   32.459431] sd 3:0:0:0: Attached scsi generic sg2 type 0
[   32.459991] sd 3:0:0:1: Attached scsi generic sg3 type 0
[   32.468754] sd 3:0:0:0: [sdb] 31116288 512-byte logical blocks: (15.9 GB/14.8 GiB)
[   32.471278] sd 3:0:0:0: [sdb] Write Protect is off
[   32.471279] sd 3:0:0:0: [sdb] Mode Sense: 2f 00 00 00
[   32.473801] sd 3:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[   32.477495] sd 3:0:0:1: [sdc] Attached SCSI removable disk
[   32.526834]  sdb: sdb1 sdb2
[   32.536433] sd 3:0:0:0: [sdb] Attached SCSI removable disk

Note the device name (sdX) the kernel assigned to the microSD card, in my case sdb. The sdb1 and sdb2 entries are partitions that were already on the card; the dd command below must target the whole device (/dev/sdb), not a partition, because the Armbian image carries its own partition table. Replace the "X" in sdX with the letter for your card and double-check it: dd will silently overwrite whatever device you name.

  ~ $ dd if=/path/to/Armbian_5.75_Orangepizero_Debian_stretch_next_4.19.20.img of=/dev/sdX bs=512k status=progress

1119354880 bytes (1.1 GB, 1.0 GiB) copied, 53 s, 21.1 MB/s
2144+0 records in
2144+0 records out
1124073472 bytes (1.1 GB, 1.0 GiB) copied, 97.1421 s, 11.6 MB/s

After dd finishes, run sync so the kernel flushes any buffered writes to the card (without conv=fsync, dd reports completion before that has happened), then eject the microSD card properly from the file manager or with umount.

Step 3: Connect the Orange Pi Zero to your router.

Remove the microSD card from the computer and insert it into the Orange Pi Zero. The Orange Pi Zero is not ready to be planted on the target router yet, because it has not been armed with a remote-access channel or any tools. First connect it via Ethernet to a router that you control, then wait about five minutes for the Orange Pi Zero to complete its first boot.

Image by tokyoneon/Null Byte

Step 4: Identifying the IP Address of the Orange Pi Zero

The IP address of the Orange Pi Zero is not immediately obvious, since there is no desktop interface or console attached. However, Nmap can be run from another device on the same router (such as Kali) to quickly locate it. Use the options -T4 (timing template) and -sn (ping scan, no port scan) to sweep the entire network for live hosts.

  ~ $ nmap -T4 -sn 192.168.0.0/24

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 06:30 UTC
Nmap scan report for 192.168.0.165
Host is up (0.00063s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Unknown)
Nmap scan report for 192.168.0.1
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.75 seconds

As we can see, a new device was reported at 192.168.0.165. Logging in over SSH, as shown in the next step, confirms that this device is the Orange Pi Zero.

Step 5: Orange Pi Zero SSH

The default root password is "1234". On first login, Armbian forces a root password change and the creation of a regular user account.

  ~ $ ssh -p 22 root@192.168.0.165

The authenticity of host '192.168.0.165 (192.168.0.165)' can't be established.
ECDSA key fingerprint is SHA256:PE6127Kvx+twOLWK90mJDUQSUggH5ujh3h8liuLCR7w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.165' (ECDSA) to the list of known hosts.

root@192.168.0.165's password:
You are required to change your password immediately (root enforced)
(Armbian ASCII-art banner)

Welcome to ARMBIAN 5.75 stable Debian GNU/Linux 9 (stretch) 4.19.20-sunxi
System load:   0.08 0.09 0.07   Up time:       7 min
Memory usage:  12 % of 493MB    IP:            192.168.0.165
CPU temp:      43°C
Usage of /:    6% of 15G

New to Armbian? Check the documentation first: https://docs.armbian.com
Changing password for root.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:

Follow the prompts in the terminal window; the process is fairly straightforward. The new account is never used, but this step cannot be skipped. The values for full name, room number and telephone numbers can be left blank.

  Creating a new user account. Press <Ctrl-C> to abort

Please provide a username (eg. your first name): orangepi
Trying to add user orangepi
Adding user `orangepi' ...
Adding new group `orangepi' (1000) ...
Adding new user `orangepi' (1000) with group `orangepi' ...
Creating home directory `/home/orangepi' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:

passwd: password updated successfully
Changing the user information for orangepi
Enter the new value, or press ENTER for the default
	Full Name []:
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n] y

Dear orangepi, your account orangepi has been created and is sudo enabled.
Please use this account for your daily work from now on.

root@orangepizero:~#

Step 6: Update the Orange Pi Zero

Next, update the system with the following command, which upgrades any outdated packages.

During this process the SSH connection may hang or drop because the openssh-server and wpasupplicant packages are being upgraded. Do not power off the Orange Pi Zero during this time; the SSH connection may recover on its own. Be patient here.

  root@orangepizero:~# apt-get update && apt-get dist-upgrade

Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  base-files (9.9+deb9u7 => 9.9+deb9u8)
  dirmngr (2.1.18-8~deb9u3 => 2.1.18-8~deb9u4)
  gnupg (2.1.18-8~deb9u3 => 2.1.18-8~deb9u4)
  gnupg-agent (2.1.18-8~deb9u3 => 2.1.18-8~deb9u4)
  gnupg2 (2.1.18-8~deb9u3 => 2.1.18-8~deb9u4)
  gpgv (2.1.18-8~deb9u3 => 2.1.18-8~deb9u4)
  libc-bin (2.24-11+deb9u3 => 2.24-11+deb9u4)
  libc-dev-bin (2.24-11+deb9u3 => 2.24-11+deb9u4)
  libc-l10n (2.24-11+deb9u3 => 2.24-11+deb9u4)
  libc6 (2.24-11+deb9u3 => 2.24-11+deb9u4)
  libc6-dev (2.24-11+deb9u3 => 2.24-11+deb9u4)
  libnss-myhostname (232-25+deb9u8 => 232-25+deb9u11)
  libntfs-3g871 (1:2016.2.22AR.1+dfsg-1 => 1:2016.2.22AR.1+dfsg-1+deb9u1)
  libpam-systemd (232-25+deb9u8 => 232-25+deb9u11)
  libssl1.0.2 (1.0.2q-1~deb9u1 => 1.0.2r-1~deb9u1)
  libsystemd0 (232-25+deb9u8 => 232-25+deb9u11)
  libudev1 (232-25+deb9u8 => 232-25+deb9u11)
  libxapian30 (1.4.3-2+deb9u2 => 1.4.3-2+deb9u3)
  locales (2.24-11+deb9u3 => 2.24-11+deb9u4)
  multiarch-support (2.24-11+deb9u3 => 2.24-11+deb9u4)
  ntfs-3g (1:2016.2.22AR.1+dfsg-1 => 1:2016.2.22AR.1+dfsg-1+deb9u1)
  openssh-client (1:7.4p1-10+deb9u4 => 1:7.4p1-10+deb9u6)
  openssh-server (1:7.4p1-10+deb9u4 => 1:7.4p1-10+deb9u6)
  openssh-sftp-server (1:7.4p1-10+deb9u4 => 1:7.4p1-10+deb9u6)
  systemd (232-25+deb9u8 => 232-25+deb9u11)
  systemd-sysv (232-25+deb9u8 => 232-25+deb9u11)
  tzdata (2018i-0+deb9u1 => 2019a-0+deb9u1)
  udev (232-25+deb9u8 => 232-25+deb9u11)
  wget (1.18-5+deb9u2 => 1.18-5+deb9u3)
  wpasupplicant (2:2.4-1+deb9u2 => 2:2.4-1+deb9u3)
30 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 22.1 MB of archives.
After this operation, 24.6 kB of additional disk space will be used.
Do you want to continue? [Y/n]

If the connection does not recover automatically after a few minutes, press Ctrl + c to exit the terminal. Then use SSH to return to the device and rerun the commands apt-get to make sure everything is installed correctly.

When the upgrade is complete, shut down the Orange Pi Zero. Wait at least two minutes for the device to shut down properly.

  root@orangepizero:~# shutdown now

Power the Orange Pi Zero back on by unplugging and reconnecting the USB power adapter, then SSH back in.

Step 7: Configure the Orange Pi Zero for Remote Access

Now the Orange Pi Zero needs to be remotely accessible, preferably from anywhere in the world. Several solutions come to mind: OpenVPN or an ngrok-like tunnelling service could connect back to the Orange Pi Zero. However, I think using Tor, and additionally configuring the Orange Pi Zero as a Wi-Fi hotspot, is more fun.

The first (recommended) method uses Tor. Tor and SSH can be paired to provide remote access to the Orange Pi Zero from anywhere in the world without configuring port forwarding on the target router: the implant only makes outbound connections to the Tor network, and its onion service is reached through them.

For the second method (a backup), the Orange Pi Zero is configured to work as a Wi-Fi hotspot. An attacker within Wi-Fi range of the Orange Pi Zero can connect to that network and SSH into the device.

Both methods can be configured at the same time without conflicts. I recommend Tor as the main method for remote connections to the Orange Pi Zero, with the Wi-Fi hotspot as a fallback if the target router does not hand out DHCP leases or the Tor process dies for some reason.

Option 1: Install Tor

On the Orange Pi Zero, add the Tor Project repository to your APT sources with the following echo command (lsb_release -sc expands to the Debian codename, stretch here).

  root@orangepizero:~# echo -e "deb https://deb.torproject.org/torproject.org $(lsb_release -sc) main\ndeb-src https://deb.torproject.org/torproject.org $(lsb_release -sc) main" > /etc/apt/sources.list.d/tor.list

Then download the Tor Project's signing key and import it into the APT keyring.

  root@orangepizero:~# wget -O- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | apt-key add -

--2019-04-13 07:32:06--  https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
Resolving deb.torproject.org (deb.torproject.org)... 95.216.163.36
Connecting to deb.torproject.org (deb.torproject.org)|95.216.163.36|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19665 (19K) [text/plain]
Saving to: 'STDOUT'

-                   100%[===================================>]  19.20K  52.4KB/s    in 0.4s

2019-04-13 07:32:21 (52.4 KB/s) - written to stdout [19665/19665]

OK

The OK at the end confirms that the key was added to the keyring. (apt-key is deprecated on current Debian releases; there, store the key under /usr/share/keyrings and reference it from the sources entry with a signed-by option instead.) Next, refresh the package lists with apt-get update.

  root@orangepizero:~# apt-get update

Ign:1 http://cdn-fastly.deb.debian.org/debian stretch InRelease
Hit:2 http://security-cdn.debian.org stretch/updates InRelease
Hit:3 http://cdn-fastly.deb.debian.org/debian stretch-updates InRelease
Hit:4 http://cdn-fastly.deb.debian.org/debian stretch-backports InRelease
Hit:5 http://cdn-fastly.deb.debian.org/debian stretch Release
Get:7 https://deb.torproject.org/torproject.org stretch InRelease [4,965 B]
Get:8 https://deb.torproject.org/torproject.org stretch/main Sources [1,253 B]
Get:9 https://deb.torproject.org/torproject.org stretch/main armhf Packages [3,482 B]
Fetched 9,700 B in 40s (241 B/s)
Reading package lists... Done

Install Tor with the following command.

  root@orangepizero:~# apt-get install tor deb.torproject.org-keyring torsocks

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  deb.torproject.org-keyring (2018.08.06)
  libevent-2.0-5 (2.0.21-stable-3)
  libzstd1 (1.1.2-1)
  tor (0.3.5.8-1~d90.stretch+1)
  torsocks (2.2.0-1+deb9u1)
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,082 kB of archives.
After this operation, 4,845 kB of additional disk space will be used.
Do you want to continue? [Y/n]

Tor starts automatically after installation. Stop it temporarily while the following commands are run:

  root @ orangepizero: ~ # systemctl stop tor 

Add the following "HiddenServiceDir" and "HiddenServicePort" lines to the Tor configuration file, /etc/tor/torrc. HiddenServiceDir is where Tor keeps the onion service's keys and hostname; HiddenServicePort maps port 22 of the onion address to the SSH server listening on 127.0.0.1:22. This can be done with the following echo command:

  root@orangepizero:~# echo -e "HiddenServiceDir /var/lib/tor/orangepi/\nHiddenServicePort 22 127.0.0.1:22" >> /etc/tor/torrc

Quickly verify that the command completed successfully. Use tail to read the last lines of the torrc file.

  root@orangepizero:~# tail /etc/tor/torrc

HiddenServiceDir /var/lib/tor/orangepi/
HiddenServicePort 22 127.0.0.1:22

To generate the onion service's keys and address, restart the Tor process with systemctl.

  root@orangepizero:~# systemctl restart tor

The onion address (i.e., the hostname) can be read with cat from the hostname file Tor created in the HiddenServiceDir.

  root@orangepizero:~# cat /var/lib/tor/orangepi/hostname

kclikhrwriz4cpxli4paiyzoft7lviv2z6jxd7uyoxesrpxpsve2feqd.onion 

To make sure the Tor process starts each time the Orange Pi Zero is powered on, enable it with systemctl.

  root@orangepizero:~# systemctl enable tor

Synchronizing state of tor.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable tor

On your Kali computer, install tor and torsocks as well.

  ~ $ apt-get update && apt-get install tor torsocks

Get:1 https://kali.download/kali kali-rolling InRelease [30.5 kB]
Get:2 https://kali.download/kali kali-rolling/main amd64 Packages [17.1 MB]
Fetched 17.1 MB in 49s (350 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
tor is already the newest version (0.3.5.8-1).
torsocks is already the newest version (2.3.0-2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

That's all there is to it. From this point on, the Orange Pi Zero can be reached at its onion address whenever it is connected to a target router. On Kali, make sure the local Tor client is running (systemctl start tor; torsocks routes through its SOCKS port at 127.0.0.1:9050), then use the following ssh command to connect to the Orange Pi Zero.

  ~ $ torsocks ssh -p 22 root@kclikhrwriz4cpxli4paiyzoft7lviv2z6jxd7uyoxesrpxpsve2feqd.onion
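Wrapping every ssh command in torsocks works, but a Host entry in ~/.ssh/config is less error-prone and lets ssh verify the implant's host key over Tor. The script below is an added example, not from the original article: it checks that the address from the hostname file is a v3 onion (56 base32 characters followed by .onion) and writes a stanza that proxies through the local Tor SOCKS port with ncat from the nmap package. The alias "implant", the SOCKS address 127.0.0.1:9050 and the choice of ncat (OpenBSD nc -x 127.0.0.1:9050 -X 5 %h %p does the same) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the onion
# address from /var/lib/tor/orangepi/hostname and add a Host entry to the
# Kali user's ~/.ssh/config so that "ssh implant" goes through Tor without
# wrapping every command in torsocks.
#   sh tor_ssh_config.sh kclikhrwriz4cpxli4paiyzoft7lviv2z6jxd7uyoxesrpxpsve2feqd.onion
# Assumes Tor's SOCKS port at 127.0.0.1:9050 and ncat (nmap package) on Kali;
# the alias "implant" and the config path are this example's choices.
set -u

# is_onion_v3 ADDRESS: v3 onion services are 56 base32 characters (a-z, 2-7)
# followed by ".onion"; the old 16-character v2 addresses are not accepted.
is_onion_v3() {
    printf '%s\n' "$1" | LC_ALL=C grep -qE '^[a-z2-7]{56}\.onion$'
}

# write_ssh_host_entry CONFIG ALIAS ONION
# Appends (once) a Host stanza that proxies through Tor. HostKeyAlias makes
# ssh record and check the implant's key under ALIAS rather than under the
# address used, so the key accepted on the first LAN login is the one
# enforced through Tor.
write_ssh_host_entry() {
    cfg=$1; alias=$2; onion=$3
    is_onion_v3 "$onion" || { echo "not a v3 onion address: $onion" >&2; return 1; }
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"; chmod 600 "$cfg"
    if grep -qE "^Host[[:space:]]+$alias\$" "$cfg"; then
        return 0            # already present, leave the file alone
    fi
    cat >> "$cfg" <<EOF

Host $alias
    HostName $onion
    User root
    Port 22
    ProxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p
    HostKeyAlias $alias
    StrictHostKeyChecking yes
    ServerAliveInterval 30
    ServerAliveCountMax 3
EOF
}

if [ $# -eq 1 ]; then
    write_ssh_host_entry "$HOME/.ssh/config" implant "$1" && echo "use: ssh implant"
fi
```

For the HostKeyAlias pinning to work, do the first LAN login from Step 5 with the same alias (ssh -o HostKeyAlias=implant root@192.168.0.165); ssh then stores the ECDSA key under "implant", and with StrictHostKeyChecking yes a different key answering at the onion address is refused instead of being accepted blindly on an unattended first connection. The ServerAlive options make ssh notice a dead Tor circuit within a couple of minutes rather than hanging.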

Option 2: Wi-Fi Hotspot

In my tests, the Wi-Fi hotspot functionality was somewhat unreliable. The DHCP service on the Orange Pi Zero seems to have failed, so devices have to be statically configured, and SSH connections still seemed to hang or drop unexpectedly. While connected to the Orange Pi Zero hotspot, the connecting device has no Internet access. These problems are undoubtedly a limitation of the Orange Pi Zero's Wi-Fi hardware. They are not, however, reasons to avoid using the Orange Pi Zero as a Wi-Fi hotspot. It can still serve as a last resort for reaching the Orange Pi Zero's SSH server if the Tor process stops working for unknown reasons. An unstable, unreliable Wi-Fi connection to the device is still better than no interface at all.

Alternatively, Kali could act as the Wi-Fi hotspot and the Orange Pi Zero could be configured to connect to it, which may be more reliable. That configuration is beyond the scope of this article and was not tested; try it yourself.

To set up the Orange Pi Zero as a hotspot, install dnsmasq and its dependencies. NetworkManager's shared mode (used below) only needs dnsmasq-base, from which it spawns its own DHCP/DNS instance on wlan0; the full dnsmasq package additionally installs a system-wide dnsmasq service that listens on port 53 on all interfaces by default. If the hotspot does not hand out DHCP leases, check with ss -lunp which process owns ports 53 and 67, and disable the standalone service (systemctl disable --now dnsmasq) so the two do not compete.

  root@orangepizero:~# apt-get install dnsmasq dnsmasq-base

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  dnsmasq-base
Recommended packages:
  dns-root-data
The following NEW packages will be installed:
  dnsmasq dnsmasq-base
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 409 kB of archives.
After this operation, 817 kB of additional disk space will be used.
Do you want to continue? [Y/n]

The wireless interface will most likely be the generic "wlan0", but use the ip command to list the interfaces and confirm.

  root@orangepizero:~# ip addr

4: wlan0:  mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

The wlan0 interface appears as the fourth interface on my Orange Pi Zero. Use the interface name "wlan0" in the following commands.

nmcli is a command-line tool for creating, displaying, editing, deleting, activating and deactivating network connections, as well as controlling and displaying network device status. It is used here to create the Orange Pi Zero's Wi-Fi hotspot from the command line. All of the following nmcli commands can be copied and pasted without changing a single line.

  root@orangepizero:~# nmcli con add type wifi ifname wlan0 con-name Hotspot autoconnect yes ssid OrangePi

Connection 'Hotspot' (ae7c3d23-b5f3-424c-8a43-41bf6161978f) successfully added.

This command creates the base configuration for the Wi-Fi hotspot. Next, switch the connection to access-point mode with the following command ("bg" selects the 2.4 GHz band; "shared" tells NetworkManager to run its own DHCP/DNS for clients on 10.42.0.0/24):

  root@orangepizero:~# nmcli con modify Hotspot 802-11-wireless.mode ap 802-11-wireless.band bg ipv4.method shared

Change the security type to WPA-PSK.

  root@orangepizero:~# nmcli con modify Hotspot wifi-sec.key-mgmt wpa-psk

Set a strong password to protect the hotspot. My example uses the simple password "orangepi" for demonstration purposes; anyone who guesses it gets a path to the implant's SSH server, so use something better in practice.

  root@orangepizero:~# nmcli con modify Hotspot wifi-sec.psk "orangepi"

Reset the Wi-Fi hotspot by first deactivating it (down).

  root@orangepizero:~# nmcli con down Hotspot

Connection 'Hotspot' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/7)

Then activate it again (up).

  root@orangepizero:~# nmcli con up Hotspot

Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/8)

Use the ip addr command again to verify the wlan0 interface acquired an IP address.

root@orangepizero:~# ip addr

4: wlan0:  mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 10.42.0.1/24 brd 10.42.0.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 xxxx::xxxx:xxxx:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever

Notice the 10.42.0.1/24 address. Devices that connect to the Wi-Fi hotspot should use addresses from that range, for example 10.42.0.2, 10.42.0.3 and 10.42.0.4.

The Wi-Fi hotspot should now be visible to devices in the area. Remember, devices connecting to the Wi-Fi hotspot must be statically configured. UserLAnd and Termux users can follow the Android example below. Kali users can scroll further down for instructions.

Option 1: Android Devices

To start, select the "OrangePi" hotspot in the Wi-Fi settings and enter the "orangepi" password configured earlier.

Tap the "Advanced options" dropdown. Change the IP settings to "Static." Set the IP address to "10.42.0.2," the Gateway to "10.42.0.1," the Network prefix length to "24," and DNS 1 to "10.42.0.1" as well. DNS 2 can remain blank. Then tap "Connect." After a few seconds the device should connect and report "Connected, no internet"; this is expected, since the hotspot does not route to the Internet.

Open Termux or a UserLAnd distribution and connect to the SSH server running on the Orange Pi Zero.

  ~ $ ssh -p 22 root@10.42.0.1

Again, this is a fallback for quickly reaching the Orange Pi Zero if the Tor process stops working. It allows some remote administration without having to physically retrieve the device.

Option 2: Kali Linux

Kali can also be configured to statically connect to the "OrangePi" Wi-Fi hotspot for remote administration. Start by opening the Network Connections window. This example uses XFCE4, but GNOME users should be able to follow along. Select the "Add a new connection" button.

Select the "Wi-Fi" connection type, and click the "Create" button.

Set the SSID to match the Orange Pi Zero&#39;s Wi-Fi name (e.g., "OrangePi") and choose the "wlan0" interface that should automatically connect to the hotspot when it&#39;s in the proximity of the Kali machine.

Open the Wi-Fi Security tab and change the Security type to "WPA & WPA2 Personal." Then, enter the "orangepi" password.

Open the IPv4 Settings tab and change the Method to "Manual." Then, click the "Add" button and enter an address from the hotspot's range (e.g., 10.42.0.2), the Netmask 24 (255.255.255.0), and the Gateway 10.42.0.1.

Click the "Save" button, and Kali should automatically connect to the OrangePi hotspot. This can be verified using the below ip command.

~$ ip addr

4: wlan0:  mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 256 maxmtu 2304 numtxqueues 4 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
    inet 10.42.0.2/24 brd 10.42.0.255 scope global noprefixroute wlan0
       valid_lft forever preferred_lft forever
    inet6 xxxx::xxxx:xxxx:xxxx:xxxx/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

Lastly, open a terminal and SSH into the Orange Pi Zero. The ECDSA fingerprint shown should match the one recorded at the first login in Step 5; a different fingerprint means a different machine is answering.

  ~ $ ssh -p 22 root@10.42.0.1

The authenticity of host '10.42.0.1 (10.42.0.1)' can't be established.
ECDSA key fingerprint is SHA256:PE6127Kvx+twOLWK90mJDUQSUggH5ujh3h8liuLCR7w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.42.0.1' (ECDSA) to the list of known hosts.
root@10.42.0.1's password:
(Armbian ASCII-art banner)

Welcome to ARMBIAN 5.75 stable Debian GNU/Linux 9 (stretch) 4.19.20-sunxi
System load:   0.20 0.05 0.02   Up time:       54 min
Memory usage:  14 % of 493MB    IP:            192.168.0.165 10.42.0.1
CPU temp:      48°C
Usage of /:    7% of 15G

Last login: Sat Apr 13 16:13:13 2019 from 127.0.0.1

root@orangepizero:~#
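The nmcli steps above on the Orange Pi Zero, and the point-and-click static configuration for Kali in Option 2, collapse into two shell functions. This is an added example and not code from the article: make_hotspot recreates the access-point profile so it can be re-run safely and rejects a passphrase shorter than WPA-PSK's 8-character minimum, and join_hotspot does the Kali side from the command line with the static 10.42.0.2/24 address, plus ipv4.never-default so Kali does not send its Internet traffic to a hotspot that has none. Setting NMCLI=echo prints the commands instead of running them. The SSID, passphrase and interface names are the article's; the function names and the dry-run variable are this example's.

```shell
#!/bin/sh
# Added example, not from the original article: the hotspot as two idempotent
# functions. "sh hotspot.sh ap" on the Orange Pi Zero (as root) builds the AP;
# "sh hotspot.sh join" on Kali joins it with a static address. NMCLI=echo
# turns both into a dry run that only prints the nmcli commands.
NMCLI=${NMCLI:-nmcli}

# make_hotspot IFACE SSID PSK  (run on the implant as root)
make_hotspot() {
    iface=$1; ssid=$2; psk=$3
    [ "${#psk}" -ge 8 ] || { echo "WPA-PSK passphrase must be 8 to 63 characters" >&2; return 1; }
    # recreate from scratch so re-running always yields the same profile
    $NMCLI con delete Hotspot >/dev/null 2>&1 || true
    $NMCLI con add type wifi ifname "$iface" con-name Hotspot autoconnect yes ssid "$ssid" \
        802-11-wireless.mode ap 802-11-wireless.band bg ipv4.method shared \
        wifi-sec.key-mgmt wpa-psk wifi-sec.psk "$psk" || return 1
    $NMCLI con up Hotspot
}

# join_hotspot IFACE SSID PSK ADDR  (run on Kali; ADDR such as 10.42.0.2)
# ipv4.never-default keeps Kali's default route off this link, since the
# hotspot does not route to the Internet.
join_hotspot() {
    iface=$1; ssid=$2; psk=$3; addr=$4
    $NMCLI con delete "$ssid" >/dev/null 2>&1 || true
    $NMCLI con add type wifi ifname "$iface" con-name "$ssid" ssid "$ssid" \
        wifi-sec.key-mgmt wpa-psk wifi-sec.psk "$psk" \
        ipv4.method manual ipv4.addresses "$addr/24" ipv4.gateway 10.42.0.1 ipv4.dns 10.42.0.1 \
        ipv4.never-default yes || return 1
    $NMCLI con up "$ssid"
}

case "${1:-}" in
    ap)   make_hotspot wlan0 OrangePi "${2:-orangepi}" ;;
    join) join_hotspot wlan0 OrangePi "${2:-orangepi}" 10.42.0.2 ;;
esac
```

After make_hotspot, ip addr on the Orange Pi Zero should show 10.42.0.1/24 on wlan0 as in the listing above, and nmcli con show Hotspot lists the properties the function set; on Kali, ssh -p 22 root@10.42.0.1 works as soon as nmcli reports the connection active.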

Step 8: Install Hacking Tools

The Orange Pi Zero is just about ready for deployment at this point. With two methods of remote access set up, hacking tools can now be installed in the operating system.

It helps to decide in advance which kinds of attacks will be performed on the target network. Tools can always be installed while connected to the target router, but it's usually better to minimize the amount of data the device transfers. An apt-get run, for example, might cause a spike in the router's bandwidth and make other users of the router suspicious.

Some recommended, essential tools are screen, git and nmap. Screen is a terminal multiplexer that keeps sessions alive across a broken or unstable SSH connection. Git is used to install hacking tools from GitHub. And Nmap because, well, it's Nmap: network reconnaissance is vital.

Older versions of sqlmap, nikto, medusa and mitmproxy can be found in the Debian repositories, but nowhere near as many tools as Kali natives will expect. Other hacking tools have to be installed with Git and built from source.

root@orangepizero:~# apt-get install screen git nmap

Reading package lists... Done
Building dependency tree
Reading state information... Done
git is already the newest version (1:2.11.0-3+deb9u4).
screen is already the newest version (4.5.0-6).
The following additional packages will be installed:
  libblas-common libblas3 libgfortran3 liblinear3 liblua5.3-0 libpcap0.8
Suggested packages:
  liblinear-tools liblinear-dev
Recommended packages:
  ndiff
The following NEW packages will be installed:
  libblas-common libblas3 libgfortran3 liblinear3 liblua5.3-0 libpcap0.8 nmap
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,648 kB of archives.
After this operation, 24.0 MB of additional disk space will be used.
Do you want to continue? [Y/n]

That concludes the Orange Pi Zero setup for network implant attacks. In my next article, I&#39;ll talk about performing attacks while on the target network with tools like Patator, Bettercap, and Routersploit, as well as some advanced Nmap recon with NSE scripts.

Until next time, you can follow me on Twitter @tokyoneon_ and GitHub. And as always, leave a comment below or message me on Twitter if you have any questions.

Cover photo and screenshots by tokyoneon/Null Byte



