With a cheap computer smaller than the Raspberry Pi, an attacker can build a remote hacking device. Plugged into a target router without anyone's knowledge, it lets the attacker run a variety of network-based attacks from anywhere in the world.
As the name implies, network implants are small physical devices (such as a Raspberry Pi) that can be discreetly connected to computers and routers. They are usually planted without anyone's knowledge and camouflaged to blend into the environment.
Much like Hak5's LAN Turtle, this attack requires a physical device inside the target network, plugged into the router. Without port forwarding, firewall exceptions, or any interaction with the router's settings, the device automatically connects out to the Internet. It then acts as a Remote Access Tool (RAT), allowing the attacker to tamper with traffic across the network and attack every connected device.
Instead of a commercial product that typically retails for around $200, I'll show how a hacker can set up a cheap single-board computer (SBC) similar to the famous Raspberry Pi.
The SBC featured in this article is the Orange Pi Zero, also known as the OPi Zero, though there are other options. The OPi Zero is a small board with a quad-core Cortex-A7 CPU and 512 MB of RAM.
The Orange Pi Zero can be purchased from Amazon for $ 19.99 (USD) or through outlets like AliExpress. There are also the Orange Pi Zero H2, the Orange Pi Zero Plus 2 and the Orange Pi Zero Plus H5. You can view the full Orange Pi shop on Amazon.
Why not use the Raspberry Pi?
It is quite possible to use the Raspberry Pi 3 Model B+, a great SBC with a faster CPU and more RAM than the Orange Pi Zero. Likewise, the Raspberry Pi Zero costs less than $20 and is just as small as the Orange Pi Zero. The Orange Pi Zero, however, was chosen for several reasons.
- Price : The Orange Pi Zero offers a capable CPU at a great price. The Raspberry Pi 3 B+ is noticeably more expensive, which makes it less expendable. Once the SBC is planted on the target router it may be unrecoverable (depending on the scenario), or it may be discovered and confiscated by someone on the network. Losing a $20 board during a penetration test is far less painful.
- Ethernet : The attack relies on an SBC with an Ethernet port that plugs directly into the target router. The Raspberry Pi Zero is small and inexpensive but has no Ethernet port. Ethernet over USB is possible, but that means buying a USB-to-Ethernet adapter, which adds cost and bulk.
- Performance : Benchmarks comparing the Raspberry Pi 3 B+, the Raspberry Pi Zero, and the Orange Pi Zero are telling. The Orange Pi Zero outperforms the Raspberry Pi Zero in every test at a comparable price, and in most cases performed similarly to (or better than) the Raspberry Pi 2 (see below).
With the Orange Pi Zero we get roughly the performance of a Raspberry Pi 2 at the price of a Raspberry Pi Zero. As far as hardware specifications go, the Raspberry Pi 3 B+ is overkill for what is needed here. In fact, the NanoPi NEO-LTS, which is even smaller than the Orange Pi Zero, would probably perform well in this type of attack.
This project requires the following components:
- Orange Pi Zero : It can be purchased on Amazon for $19.99 (USD). Again, the Orange Pi Zero can be replaced with a Raspberry Pi 2 or older if money and availability are not an issue. Note, however, that all commands and instructions in this article are for the Orange Pi Zero. Keep this in mind when using a Raspberry Pi instead.
- Ethernet Cable : A short, 6-inch Ethernet cable is ideal for this attack. The idea is to hide the Orange Pi Zero behind the router; a long cable sticking out of the router is probably too obvious, while a short one can be wrapped or tucked away for better concealment.
- USB Charging Cable : Powering the Orange Pi Zero requires a short 6-inch USB to Micro USB cable. Most modern routers have one or more USB ports on the back that can power the device. Alternatively, a power bank or a five-volt power supply can be used if it can be hidden easily.
- MicroSD Card : Any microSD card of 8 GB or larger is sufficient for most scenarios. The operating system image is only about 1.1 GB; even after installing many hacking tools and packages, more than 7 GB remained free on my card.
- MicroSD Card Reader : If your microSD card came with a microSD to SD adapter and your computer has an SD slot, that's all you need. Otherwise you will need a USB microSD card reader. Either way, we need a way to connect the microSD card to the computer so the operating system can be written to it.
- Protective Case (optional) : It may be desirable to enclose the Orange Pi Zero in a plastic case. It looks more discreet and harmless to a less-informed person who discovers it behind the router: to most people a small black box is far less alarming than a bare circuit board. Adding a sticker labeled "Do not remove - IT" can also help with social engineering, leading whoever finds it to believe the network administrators placed it there.
Requirements for the Target Router
Not every router is an ideal candidate for a network implant attack. Older routers or high-security network environments may present special challenges.
- Available USB Port : As mentioned earlier, a router with a free USB port is ideal for powering the Orange Pi Zero while it's deployed. A power bank can be used when no USB port is available. In my test with a portable 3350 mAh battery, the Orange Pi Zero stayed on for 10 hours under medium to high load.
- Available Ethernet Port : The attack relies on a free Ethernet port on the router. On busy networks every Ethernet port may be occupied. In that scenario the Orange Pi R1, which has two Ethernet ports, can be placed inline between the router and an existing device as a man-in-the-middle Ethernet tap, much like Hak5's Packet Squirrel.
- DHCP Enabled : DHCP is required so the Orange Pi Zero automatically receives an IP address when connected to the router. Most consumer routers run a DHCP service and hand an address to any device plugged into an Ethernet port. In hardened, high-security environments such as banks and large enterprises, you may instead run into static addressing, MAC filtering, or authenticated network access (802.1X/NAC). Those scenarios are beyond the scope of this article, so test this first against a router that runs DHCP.
Step 1: Download the Armbian Image for the Orange Pi Zero
After acquiring all the hardware and having a test router you control ready, you can start building the Orange Pi Zero for this attack. Download the Armbian image for the Orange Pi Zero from the Armbian website. In Kali this can be done with the wget command.
~ $ wget 'https://dl.armbian.com/orangepizero/Debian_stretch_next.7z'
--2019-04-12 22:04:50--  https://dl.armbian.com/orangepizero/Debian_stretch_next.7z
HTTP request sent, awaiting response... 302 Found
Location: https://dl.armbian.com/orangepizero/archive/Armbian_5.75_Orangepizero_Debian_stretch_next_4.19.20.7z [following]
--2019-04-12 22:04:55--  https://dl.armbian.com/orangepizero/archive/Armbian_5.75_Orangepizero_Debian_stretch_next_4.19.20.7z
Reusing existing connection to dl.armbian.com:443.
HTTP request sent, awaiting response... 200 OK
Length: 262124041 (250M) [application/x-7z-compressed]
Saving to: 'Debian_stretch_next.7z'
Debian_stretch_next.7z  100%[====================================>] 249.98M  283KB/s   in 16m 26s
2019-04-12 22:21:22 (260 KB/s) - 'Debian_stretch_next.7z' saved [262124041/262124041]
7z is a compressed archive format (like ZIP). The Debian image can be extracted with the 7z command. If 7z is not installed, install it with the following command.
~ $ apt-get install p7zip-full -V
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
   p7zip (16.02+dfsg-6)
Suggested packages:
   p7zip-rar (16.02-3)
The following NEW packages will be installed:
   p7zip (16.02+dfsg-6)
   p7zip-full (16.02+dfsg-6)
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,540 kB of archives.
After this operation, 5,780 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Then extract the image using the x (extract) option.
~ $ 7z x Debian_stretch_next.7z
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=de_DE.UTF-8,Utf16=on,HugeFiles=on,64 bits,3 CPUs Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz (906EA),ASM,AES-NI)
Scanning the drive for archives:
1 file, 262124041 bytes (250 MiB)
Extracting archive: Debian_stretch_next.7z
--
Path = Debian_stretch_next.7z
Type = 7z
Physical Size = 262124041
Headers Size = 297
Method = LZMA2:25
Solid = +
Blocks = 1
Everything is Ok
Files: 4
Size:       1124093008
Compressed: 262124041
Use the ls command to display the extracted files. Note the file "Armbian_5.75_Orangepizero_Debian_stretch_next_4.19.20.img"; this is what gets written to the microSD card for the Orange Pi Zero. The archive also contains sha256sum.sha and a detached GPG signature (.img.asc) for the image. It's worth checking the image against them before flashing: the checksum catches a corrupted download, and the signature (verified with Armbian's signing key) catches a tampered one.
~ $ ls -l
-rwxrwx--- 1 root root 1124073472 Feb 10 07:59 Armbian_5.75_Orangepizero_Debian_stretch_next_4.19.20.img
-rwxrwx--- 1 root root        833 Feb 10 07:59 Armbian_5.75_Orangepizero_Debian_stretch_next_4.19.20.img.asc
-rwxrwx--- 1 root root      18579 Feb 10 07:59 armbian.txt
-rwxrwx--- 1 root root  262124041 Apr 13 05:58 Debian_stretch_next.7z
-rwxrwx--- 1 root root        124 Feb 10 07:59 sha256sum.sha
Step 2: Write the Operating System to the MicroSD Card
Insert the microSD card into the computer running Kali. If your microSD card came with a microSD to SD adapter, use it in your computer's SD slot; otherwise you'll need a USB microSD card reader. Immediately after connecting the card, open a terminal and use the dmesg command to see how the kernel identified it.
~ $ dmesg
[   31.283694] usb 2-1: new SuperSpeed Gen 1 USB device number 2 using xhci_hcd
[   31.340852] usb 2-1: New USB device found, idVendor=0bda, idProduct=0306, bcdDevice=1.17
[   31.340859] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   31.340864] usb 2-1: Product: USB3.0 Card Reader
[   31.340868] usb 2-1: Manufacturer: Realtek
[   31.340872] usb 2-1: SerialNumber:
[   31.426677] usb-storage 2-1:1.0: USB Mass Storage device detected
[   31.429196] scsi host3: usb-storage 2-1:1.0
[   31.429381] usbcore: registered new interface driver usb-storage
[   31.441631] usbcore: registered new interface driver uas
[   32.450075] scsi 3:0:0:0: Direct-Access     Generic  USB3.0 CRW-SD    1.00 PQ: 0 ANSI: 6
[   32.458690] scsi 3:0:0:1: Direct-Access     Generic  USB3.0 CRW-SD    1.00 PQ: 0 ANSI: 6
[   32.459431] sd 3:0:0:0: Attached scsi generic sg2 type 0
[   32.459991] sd 3:0:0:1: Attached scsi generic sg3 type 0
[   32.468754] sd 3:0:0:0: [sdb] 31116288 512-byte logical blocks: (15.9 GB/14.8 GiB)
[   32.471278] sd 3:0:0:0: [sdb] Write Protect is off
[   32.471279] sd 3:0:0:0: [sdb] Mode Sense: 2f 00 00 00
[   32.473801] sd 3:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[   32.477495] sd 3:0:0:1: [sdc] Attached SCSI removable disk
[   32.526834]  sdb: sdb1 sdb2
[   32.536433] sd 3:0:0:0: [sdb] Attached SCSI removable disk
Note the device name sdX the kernel assigned to the microSD card, in my case sdb (the partitions sdb1 and sdb2 belong to it). The dd command below needs the whole device, not a partition, so the target is /dev/sdb rather than /dev/sdb1 or /dev/sdb2. Double-check the name with lsblk before continuing: dd will silently overwrite whatever device you point it at, including your Kali disk. Replace the "X" in sdX with the letter for your card.
~ $ dd if=/path/to/Armbian_5.75_Orangepizero_Debian_stretch_next_4.19.20.img of=/dev/sdX bs=512k status=progress
1119354880 bytes (1.1 GB, 1.0 GiB) copied, 53 s, 21.1 MB/s
2144+0 records in
2144+0 records out
1124073472 bytes (1.1 GB, 1.0 GiB) copied, 97.1421 s, 11.6 MB/s
After dd finishes, make sure the data has been flushed to the card (run sync, or eject it properly from the file manager) before removing it.
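The dd step above is the one place in this build where a typo costs you a disk, and the archive ships a sha256sum.sha that the steps so far never actually check. The following script is an added example, not part of the original tutorial: it verifies the image against the checksum file extracted alongside it, refuses to write to any device that has filesystems mounted (your Kali root disk always does), and only then flashes. The image and device paths are placeholders for the ones in your extraction directory. It does not verify the detached .img.asc signature; do that separately with gpg --verify after importing Armbian's signing key, since a checksum only proves the download is intact, not that it is the file Armbian published.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): verify the Armbian image against the
# sha256sum.sha shipped in the 7z, refuse to flash a device with mounted filesystems,
# and only then run dd. Image and device paths are placeholders.
set -eu

# verify_image IMAGE SUMFILE
# SUMFILE is in sha256sum(1) format: "<hex>  <name>" (a leading '*' marks binary mode).
# Returns 0 when the hash recorded for IMAGE's basename matches, 1 on mismatch or
# when the file has no entry for it.
verify_image() {
    image="$1"; sums="$2"
    name=$(basename "$image")
    expected=$(awk -v f="$name" '{ n=$2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_image: no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "verify_image: MISMATCH expected $expected got $actual" >&2
        return 1
    fi
    echo "verify_image: OK $actual"
}

# device_is_safe_target DEV
# Accepts only a block device with nothing mounted from it (neither the device itself
# nor any partition on it). A disk you booted from is therefore always refused.
device_is_safe_target() {
    dev="$1"
    if [ ! -b "$dev" ]; then
        echo "device_is_safe_target: $dev is not a block device" >&2
        return 1
    fi
    if findmnt -rn -o SOURCE | grep -q -- "^$dev"; then
        echo "device_is_safe_target: $dev has mounted filesystems, refusing" >&2
        return 1
    fi
}

# flash_image IMAGE SUMFILE DEV
# conv=fsync makes dd flush to the card before reporting success.
flash_image() {
    verify_image "$1" "$2"
    device_is_safe_target "$3"
    dd if="$1" of="$3" bs=4M status=progress conv=fsync
    sync
}

# Usage: ./flash.sh Armbian_5.75_Orangepizero_Debian_stretch_next_4.19.20.img sha256sum.sha /dev/sdX
if [ "$#" -eq 3 ]; then
    flash_image "$1" "$2" "$3"
fi
```

Run it from the directory where you extracted the 7z, passing the image, sha256sum.sha and the device from dmesg. The mount check is deliberately coarse: it matches on the device prefix, so /dev/sdb is refused if /dev/sdb1 is mounted, which is exactly the case where a freshly inserted card got auto-mounted by the desktop and you forgot to unmount it.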
Step 3: Boot the Orange Pi Zero for the First Time
Remove the microSD card from the computer and insert it into the Orange Pi Zero. The board can't be deployed to the target router yet, because it hasn't been configured or armed with any tools. First connect it via Ethernet to a router that you control, then wait about five minutes for the Orange Pi Zero to complete its first boot.
Step 4: Find the Orange Pi Zero's IP Address
The Orange Pi Zero's IP address won't be displayed anywhere, since there's no desktop or other convenient way to interact with the board yet. However, Nmap can be run from another device on the same router (such as Kali) to quickly locate it. Use the -T4 (timing template) and -sn (ping scan, no port scan) options to sweep the whole subnet for live hosts.
~ $ nmap -T4 -sn 192.168.0.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 06:30 UTC
Nmap scan report for 192.168.0.165
Host is up (0.00063s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Unknown)
Nmap scan report for 192.168.0.1
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.75 seconds
Step 5: Log In Over SSH
As we can see, a host was found at 192.168.0.165 (the other host, 192.168.0.1, is the router). SSH into it to confirm it's the Orange Pi Zero.
Armbian's default root password is "1234". On first login you're forced to change it and then to create a regular user account.
~ $ ssh -p 22 root@192.168.0.165
The authenticity of host '192.168.0.165 (192.168.0.165)' can't be established.
ECDSA key fingerprint is SHA256:PE6127Kvx+twOLWK90mJDUQSUggH5ujh3h8liuLCR7w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.165' (ECDSA) to the list of known hosts.
root@192.168.0.165's password:
You are required to change your password immediately (root enforced)
Welcome to ARMBIAN 5.75 stable Debian GNU/Linux 9 (stretch) 4.19.20-sunxi
System load:   0.08 0.09 0.07   Up time:       7 min
Memory usage:  12 % of 493MB    IP:            192.168.0.165
CPU temp:      43°C
Usage of /:    6% of 15G
New to Armbian? Check the documentation first: https://docs.armbian.com
Changing password for root.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
Follow the prompts in the terminal; the process is straightforward. The new user account is never used in this build, but the step cannot be skipped. The Full Name, Room Number, and phone fields can be left blank.
Creating a new user account. Press <Ctrl-C> to abort
Please provide a username (eg. your forename): orangepi
Trying to add user orangepi
Adding user `orangepi' ...
Adding new group `orangepi' (1000) ...
Adding new user `orangepi' (1000) with group `orangepi' ...
Creating home directory `/home/orangepi' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for orangepi
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
Dear orangepi, your account orangepi has been created and is sudo enabled.
Please use this account for your daily work from now on.
root@orangepizero:~#
Step 6: Update the System
Next, use the following command to update the system. A number of outdated packages will most likely need upgrading.
During this process the SSH connection may hang or drop, because the openssh-server and wpasupplicant packages are being upgraded. Do not power off the Orange Pi Zero while this happens; the SSH session will often recover on its own. Be patient.
root@orangepizero:~# apt-get update && apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
   base-files (9.9+deb9u7 => 9.9+deb9u8)
   dirmngr (2.1.18-8~deb9u3 => 2.1.18-8~deb9u4)
   gnupg (2.1.18-8~deb9u3 => 2.1.18-8~deb9u4)
   gnupg-agent (2.1.18-8~deb9u3 => 2.1.18-8~deb9u4)
   gnupg2 (2.1.18-8~deb9u3 => 2.1.18-8~deb9u4)
   gpgv (2.1.18-8~deb9u3 => 2.1.18-8~deb9u4)
   libc-bin (2.24-11+deb9u3 => 2.24-11+deb9u4)
   libc-dev-bin (2.24-11+deb9u3 => 2.24-11+deb9u4)
   libc-l10n (2.24-11+deb9u3 => 2.24-11+deb9u4)
   libc6 (2.24-11+deb9u3 => 2.24-11+deb9u4)
   libc6-dev (2.24-11+deb9u3 => 2.24-11+deb9u4)
   libnss-myhostname (232-25+deb9u8 => 232-25+deb9u11)
   libntfs-3g871 (1:2016.2.22AR.1+dfsg-1 => 1:2016.2.22AR.1+dfsg-1+deb9u1)
   libpam-systemd (232-25+deb9u8 => 232-25+deb9u11)
   libssl1.0.2 (1.0.2q-1~deb9u1 => 1.0.2r-1~deb9u1)
   libsystemd0 (232-25+deb9u8 => 232-25+deb9u11)
   libudev1 (232-25+deb9u8 => 232-25+deb9u11)
   libxapian30 (1.4.3-2+deb9u2 => 1.4.3-2+deb9u3)
   locales (2.24-11+deb9u3 => 2.24-11+deb9u4)
   multiarch-support (2.24-11+deb9u3 => 2.24-11+deb9u4)
   ntfs-3g (1:2016.2.22AR.1+dfsg-1 => 1:2016.2.22AR.1+dfsg-1+deb9u1)
   openssh-client (1:7.4p1-10+deb9u4 => 1:7.4p1-10+deb9u6)
   openssh-server (1:7.4p1-10+deb9u4 => 1:7.4p1-10+deb9u6)
   openssh-sftp-server (1:7.4p1-10+deb9u4 => 1:7.4p1-10+deb9u6)
   systemd (232-25+deb9u8 => 232-25+deb9u11)
   systemd-sysv (232-25+deb9u8 => 232-25+deb9u11)
   tzdata (2018i-0+deb9u1 => 2019a-0+deb9u1)
   udev (232-25+deb9u8 => 232-25+deb9u11)
   wget (1.18-5+deb9u2 => 1.18-5+deb9u3)
   wpasupplicant (2:2.4-1+deb9u2 => 2:2.4-1+deb9u3)
30 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 22.1 MB of archives.
After this operation, 24.6 kB of additional disk space will be used.
Do you want to continue? [Y/n]
If the connection doesn't recover after a few minutes, press Ctrl+C to abort the hung session, SSH back into the device, and rerun the apt-get commands to make sure everything was installed correctly.
Shut down the Orange Pi Zero when this process is complete. Wait at least two minutes for the device to shut down properly.
root@orangepizero:~# shutdown now
Power-cycle the Orange Pi Zero by unplugging and reconnecting the USB power cable, then SSH back in.
Step 7: Configure the Orange Pi Zero for Remote Access
Now the Orange Pi Zero needs to be remotely accessible, preferably from anywhere in the world. A few solutions came to mind when considering how to set this up: OpenVPN, or an ngrok-style tunnelling service that the Orange Pi Zero connects out to. However, I think using Tor, plus configuring the Orange Pi Zero as a Wi-Fi hotspot, is more fun.
The first (recommended) method requires Tor. Tor and SSH can be paired to provide remote access to the Orange Pi Zero from anywhere in the world without having to configure port forwarding on the destination router.
For the second method (a backup solution), the Orange Pi Zero is configured to act as a Wi-Fi hotspot. An attacker within range of the hotspot can join it and SSH into the device.
Both methods can be configured at the same time without conflict. I recommend Tor as the primary way of reaching the Orange Pi Zero, with the Wi-Fi hotspot as a fallback in case the router doesn't hand out DHCP leases or the Tor process dies for some reason.
Option 1: Install Tor
On the Orange Pi Zero, add the Tor Project repository to your APT sources with the following echo command. (On Debian stretch, if apt-get update later complains that the https method is unavailable, install apt-transport-https first.)
root@orangepizero:~# echo -e "deb https://deb.torproject.org/torproject.org $(lsb_release -sc) main\ndeb-src https://deb.torproject.org/torproject.org $(lsb_release -sc) main" > /etc/apt/sources.list.d/tor.list
Then download the Tor Project's signing key and import it into the APT keyring.
root@orangepizero:~# wget -O- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | apt-key add -
--2019-04-13 07:32:06--  https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
HTTP request sent, awaiting response... 200 OK
Length: 19665 (19K) [text/plain]
Saving to: 'STDOUT'
-                       100%[===================================>]  19.20K  52.4KB/s    in 0.4s
2019-04-13 07:32:21 (52.4 KB/s) - written to stdout [19665/19665]
OK
The OK at the end confirms the signing key was added to the keyring. Next, refresh APT with the following apt-get command.
root@orangepizero:~# apt-get update
Ign:1 http://cdn-fastly.deb.debian.org/debian stretch InRelease
Hit:2 http://security-cdn.debian.org stretch/updates InRelease
Hit:3 http://cdn-fastly.deb.debian.org/debian stretch-updates InRelease
Hit:4 http://cdn-fastly.deb.debian.org/debian stretch-backports InRelease
Hit:5 http://cdn-fastly.deb.debian.org/debian stretch Release
Get:7 https://deb.torproject.org/torproject.org stretch InRelease [4,965 B]
Get:8 https://deb.torproject.org/torproject.org stretch/main Sources [1,253 B]
Get:9 https://deb.torproject.org/torproject.org stretch/main armhf Packages [3,482 B]
Fetched 9,700 B in 40s (241 B/s)
Reading package lists... Done
Install Tor with the following command.
root@orangepizero:~# apt-get install tor deb.torproject.org-keyring torsocks
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
   deb.torproject.org-keyring (2018.08.06)
   libevent-2.0-5 (2.0.21-stable-3)
   libzstd1 (1.1.2-1)
   tor (0.3.5.8-1~d90.stretch+1)
   torsocks (2.2.0-1+deb9u1)
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,082 kB of archives.
After this operation, 4,845 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Tor starts automatically after installation. Stop it temporarily while running the following commands:
root @ orangepizero: ~ # systemctl stop tor
Add the following "HiddenServiceDir" and "HiddenServicePort" lines to the Tor configuration file at /etc/tor/torrc. HiddenServiceDir is where Tor will keep the onion service's keys and hostname; HiddenServicePort 22 127.0.0.1:22 maps port 22 of the onion address to the SSH server listening locally. This can be done with the following echo command:
root@orangepizero:~# echo -e "HiddenServiceDir /var/lib/tor/orangepi/\nHiddenServicePort 22 127.0.0.1:22" >> /etc/tor/torrc
Quickly verify that the command completed successfully. Use tail to read the bottom lines of the torrc file.
root@orangepizero:~# tail /etc/tor/torrc
HiddenServiceDir /var/lib/tor/orangepi/
HiddenServicePort 22 127.0.0.1:22
To generate the new onion address, restart the Tor process with the systemctl command.
root @ orangepizero: ~ # systemctl restart tor
The onion address (i.e., the hostname) can be found by reading the hostname file with the cat command.
root@orangepizero:~# cat /var/lib/tor/orangepi/hostname
kclikhrwriz4cpxli4paiyzoft7lviv2z6jxd7uyoxesrpxpsve2feqd.onion
To make sure Tor starts every time the Orange Pi Zero powers on, enable the service with systemctl.
root@orangepizero:~# systemctl enable tor
Synchronizing state of tor.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable tor
On your Kali computer, install tor and torsocks as well.
~ $ apt-get update && apt-get install tor torsocks
Get:1 https://kali.download/kali kali-rolling InRelease [30.5 kB]
Get:2 https://kali.download/kali kali-rolling/main amd64 Packages [17.1 MB]
Fetched 17.1 MB in 49s (350 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
tor is already the newest version (0.3.5.8-1).
torsocks is already the newest version (2.3.0-2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
That's all there is to it. From this point on, the Orange Pi Zero can be reached at this onion address whenever it's plugged into a target router, with no port forwarding involved. Make sure the Tor service is running on Kali (torsocks only wraps connections through the local Tor SOCKS proxy), then use the following ssh command to connect. Bear in mind that anyone who learns the onion address can reach the implant's sshd, so use key-based authentication and disable password logins before deploying it.
~ $ torsocks ssh -p 22 root@kclikhrwriz4cpxli4paiyzoft7lviv2z6jxd7uyoxesrpxpsve2feqd.onion
Option 2: Wi-Fi Hotspot
In my tests, the Wi-Fi hotspot functionality was somewhat unreliable. The DHCP service on the Orange Pi Zero seemed to fail, so client devices have to be configured statically, and SSH connections still tended to hang or break unexpectedly. While connected to the Orange Pi Zero hotspot, the client device also has no Internet access. These problems are most likely a limitation of the Orange Pi Zero's Wi-Fi hardware. They aren't a reason to avoid using the Orange Pi Zero as a hotspot, though: it can still serve as a last resort for reaching the Orange Pi Zero's SSH server if the Tor process stops working for some unknown reason. A flaky, unreliable Wi-Fi connection to the device is still better than no interface at all.
Alternatively, Kali could act as the Wi-Fi hotspot and the Orange Pi Zero could be configured to connect to it, which would likely be more reliable. That configuration is beyond the scope of this article and wasn't tested; feel free to try it yourself.
To set up the Orange Pi Zero as a hotspot, install dnsmasq and its dependencies.
root@orangepizero:~# apt-get install dnsmasq dnsmasq-base
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  dnsmasq-base
Recommended packages:
  dns-root-data
The following NEW packages will be installed:
  dnsmasq dnsmasq-base
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 409 kB of archives.
After this operation, 817 kB of additional disk space will be used.
Do you want to continue? [Y/n]
The wireless interface will most likely be a generic "wlan0", but use the ip command to list the interfaces and check.
root@orangepizero:~# ip addr
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
The wlan0 interface appears as the fourth interface on my Orange Pi Zero. Use the interface name "wlan0" in the following command.
nmcli is NetworkManager's command-line tool for creating, displaying, editing, deleting, activating, and deactivating network connections, and for controlling and displaying the status of network devices. It's used here to create the Orange Pi Zero's Wi-Fi hotspot from the command line. All of the nmcli commands below can be copied and pasted without changing a single line.
root@orangepizero:~# nmcli con add type wifi ifname wlan0 con-name Hotspot autoconnect yes ssid OrangePi
Connection 'Hotspot' (ae7c3d23-b5f3-424c-8a43-41bf6161978f) successfully added.
This command creates the base connection profile for the Wi-Fi hotspot. Next, switch it to access-point mode on the 2.4 GHz (bg) band and set the IPv4 method to shared, which makes NetworkManager hand out addresses to clients via dnsmasq and NAT their traffic:
root @ orangepizero: ~ # nmcli con modify Hotspot 802-11-wireless.mode ap 802-11-wireless.band bg ipv4.method shared
Change the security type to WPA-PSK.
root @ orangepizero: ~ # nmcli con modify Hotspot wifi-sec.key-mgmt wpa-psk
Set a strong passphrase to protect the hotspot; it is a second door into the implant for anyone within radio range. In my example a simple "orangepi" password is used for demonstration purposes.
root @ orangepizero: ~ # nmcli con modify Hotspot wifi-sec.psk "orangepi"
Reset the Wi-Fi hotspot by first deactivating it (down).
root@orangepizero:~# nmcli con down Hotspot
Connection 'Hotspot' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/7)
Then activate it again (up).
root@orangepizero:~# nmcli con up Hotspot
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/8)
Use the ip addr command again to verify the wlan0 interface acquired an IP address.
root@orangepizero:~# ip addr
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 10.42.0.1/24 brd 10.42.0.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 xxxx::xxxx:xxxx:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever
Notice the 10.42.0.1/24 address. Devices connecting to the Wi-Fi hotspot should use 10.42.0.2, 10.42.0.3, 10.42.0.4 and so on, configured statically since DHCP proved unreliable in my tests.
The Wi-Fi hotspot should now be visible to devices in the area (shown below). Remember, devices connecting to the hotspot must be configured with a static address. UserLAnd and Termux users on Android can follow the example below; Kali users can scroll further down for instructions.
To start, select the "OrangePi" hotspot in the Wi-Fi settings. Enter the "orangepi" password that was previously configured.
Tap the "Advanced options" dropdown. Change the IP settings to "Static." Set the IP address to "10.42.0.2," the Gateway to "10.42.0.1," the Network prefix length to "24," and the DNS 1 to "10.42.0.1" as well. The DNS 2 value can remain blank. Then, hit the "Connect" button. After a few seconds, the device should connect and report "Connect, no internet" — this is to be expected.
Open Termux or a UserLAnd distribution and connect to the SSH server running on the Orange Pi Zero.
~$ ssh -p 22 root@10.42.0.1
Again, this is an ideal way to quickly reach the Orange Pi Zero if the Tor process stops working. It allows some remote administration without having to physically retrieve the Orange Pi Zero.
Kali can also be configured to statically connect to the "OrangePi" Wi-Fi hotspot for remote administration. Start by opening the Network Connections window. This example uses XFCE4, but GNOME users should be able to follow along. Select the "Add a new connection" button.
Select the "Wi-Fi" connection type, and click the "Create" button.
Set the SSID to match the Orange Pi Zero's Wi-Fi name (e.g., "OrangePi") and choose the "wlan0" interface that should automatically connect to the hotspot when it's in the proximity of the Kali machine.
Open the Wi-Fi Security tab and change the Security type to "WPA & WPA2 Personal." Then, enter the "orangepi" password.
Open the IPv4 Settings tab and change the Method to "Manual." Then click the "Add" button and enter an address in the 10.42.0.X range (e.g., 10.42.0.2), a Netmask of 24 (255.255.255.0), and 10.42.0.1 as the Gateway.
Click the "Save" button, and Kali should automatically connect to the OrangePi hotspot. This can be verified using the below ip command.
~$ ip addr
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 256 maxmtu 2304 numtxqueues 4 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
    inet 10.42.0.2/24 brd 10.42.0.255 scope global noprefixroute wlan0
       valid_lft forever preferred_lft forever
    inet6 xxxx::xxxx:xxxx:xxxx:xxxx/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
Lastly, open a terminal and SSH into the Orange Pi Zero.
~$ ssh -p 22 root@10.42.0.1
The authenticity of host '10.42.0.1 (10.42.0.1)' can't be established.
ECDSA key fingerprint is SHA256:PE6127Kvx+twOLWK90mJDUQSUggH5ujh3h8liuLCR7w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.42.0.1' (ECDSA) to the list of known hosts.
root@10.42.0.1's password:
Welcome to ARMBIAN 5.75 stable Debian GNU/Linux 9 (stretch) 4.19.20-sunxi
System load:   0.20 0.05 0.02   Up time:       54 min
Memory usage:  14 % of 493MB    IP:            192.168.0.165 10.42.0.1
CPU temp:      48°C
Usage of /:    7% of 15G
Last login: Sat Apr 13 16:13:13 2019 from 127.0.0.1
root@orangepizero:~#
Step 8: Install Hacking Tools
The Orange Pi Zero is just about ready for deployment at this point. With two methods of remote access set up, hacking tools can now be installed in the operating system.
It helps to decide ahead of time which kinds of attacks will be performed on the target network. Tools can always be installed while connected to the target router, but it's better to keep the implant's own traffic to a minimum: a large apt-get run can spike the router's bandwidth and make other users on the network suspicious.
Some recommended, essential tools are screen, git, and nmap. Screen is a terminal multiplexer that helps when an SSH connection is broken or unstable. Git is used to install hacking tools found on GitHub. And Nmap because, well, it's Nmap; network reconnaissance is vital.
Older versions of sqlmap, nikto, medusa, and mitmproxy can be found in the Debian repositories, but not nearly as many tools as Kali natives might expect. Other hacking tools will have to be installed with Git and built from source.
root@orangepizero:~# apt-get install screen git nmap
Reading package lists... Done
Building dependency tree
Reading state information... Done
git is already the newest version (1:2.11.0-3+deb9u4).
screen is already the newest version (4.5.0-6).
The following additional packages will be installed:
  libblas-common libblas3 libgfortran3 liblinear3 liblua5.3-0 libpcap0.8
Suggested packages:
  liblinear-tools liblinear-dev
Recommended packages:
  ndiff
The following NEW packages will be installed:
  libblas-common libblas3 libgfortran3 liblinear3 liblua5.3-0 libpcap0.8 nmap
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,648 kB of archives.
After this operation, 24.0 MB of additional disk space will be used.
Do you want to continue? [Y/n]
That concludes the Orange Pi Zero setup for network implant attacks. In my next article, I'll talk about performing attacks while on the target network with tools like Patator, Bettercap, and Routersploit, as well as some advanced Nmap recon with NSE scripts.
Until next time, you can follow me on Twitter @tokyoneon_ and GitHub. And as always, leave a comment below or message me on Twitter if you have any questions.