Raspberry Pi: Physical Backdoor Part 2
In my last post I introduced how to use ncat to connect to your Pi remotely, but what's the point to if you can't actually hack? This tutorial I'm gonna show you how to use very simple tools for a much bigger purpose. With that said, boot up our Pi and lets wreck havoc.
I should say that this is a experimental concept, but I've been testing this theory several times and should work. Now, the first step is to figure out the router Ip address. I know you can use either Kismet or Aircrack, but for some reason Aircrack isn't working on my Pi, I suspect the wireless card isn't supported, and Kismet is much to complicated for the level of skill for these mini tutorials. Of course this is a problem, but I have thought up another unusual method to get the job done. I have looked at the tools that I have and that work on my Pi. I noticed something, Nmap can scan a network and send back the operating system of every system. Why does this has to do with anything? Nmap scan with the -O flag tells us almost any operating system. With that being said lets open up a terminal and Type:
nmap -sS -O (Ip/24)
As you can see here we added the -O flag and I should note that the Ip should be your Raspberry Pi since that's one that you know currently,but you could also use just a zero. This type of scan will do the usual scan except this time our results will show the OS also. The Ip of the router should have the OS of one of the routers that exist, for example:
Note the Ip address of the router. This scan is only the basics and if you want you can add different flags like '-T'. Knowing which flags to use is crucial.
Now that we have the Ip of the router, open up Sparta or if not installed yet, type:
apt-get install Sparta
Add in 'sudo' at the beginning if you aren't in root.
Sparta is in my opinion a script kiddie tool (I prefer nmap), but there's one feature that we need. Sparta automatically takes a picture of the current page that is up on the system and displays it. This is extremely handy when gathering information on the system. I should note that when I ran Sparta against my home router, a picture of my router's homepage was screenshotted and displayed a ton of information just from the homepage. This is the purpose of why we're using Sparta. With that being said, double click on the left side that has a white box that has a message displayed (I can't think of it at the top of my head right now) and another box should pop up asking you for the Ip, do not add /24 to the end of the Ip. Make sure both of the boxes are checked at the bottom and click 'add to host'. Now sit back and let Sparta do its magic.
Eventually it will be done with its scans and it will tell you in the open terminal that automatically opens up when you open the Sparta tool. Once a message tells you that you are done, go back to the gui and on the right box there should be tabs at the top. Click the one that says screenshot (usually on port 80) and if successful a screenshot is displayed showing you the router's homepage.
I know there's probably a easier method, but that's not my point. My point is to show that even tools for one purpose can be used for a completely different purpose than what was intended. With that being said, please give me feedback and suggestions but give me some lovins also. Please and thanks. :)