Raspberry Pi: Physical Backdoor Part 2

In my last post I introduced how to use ncat to connect to your Pi remotely, but what's the point if you can't actually do anything with that connection? In this tutorial I'm going to show you how to use very simple tools for a much bigger purpose. With that said, boot up your Pi and let's wreak havoc.

Recon

I should say that this is an experimental concept, but I've tested it several times and it should work. The first step is to figure out the router's IP address. Tools like Kismet or Aircrack-ng can find access points over the air, but for some reason Aircrack-ng isn't working on my Pi (I suspect the wireless card isn't supported), and Kismet is much too complicated for the level of these mini tutorials. That's a problem, but there is another, unusual way to get the job done with a tool that does work on the Pi: Nmap. Nmap can scan a network and try to fingerprint the operating system of every host it finds. Why does that matter? A router runs embedded firmware, so a scan with the -O flag will usually identify it by vendor rather than as a desktop OS. Both -sS and -O need raw socket access, so run the scan as root. Open up a terminal and type:

sudo nmap -sS -O <Pi-IP>/24

As you can see, we added the -O flag. The IP should be your Raspberry Pi's, since that is the one you know right now, and the /24 tells Nmap to scan the whole subnet; you can also write the network address with a zero as the last octet (for example 192.168.1.0/24) instead of the Pi's address. This is the usual SYN scan, except this time the results also show an OS guess for each host. The router will usually show up with the OS of one of the router vendors, for example:

Belkin
Fortinet
Netgear

Note the IP address of the router. This scan is only the basics; you can add other flags like -T, which sets the timing template (-T0 is the slowest and quietest, -T5 the fastest and noisiest). Knowing which flags to use is crucial.
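As an added example (not code from the original post), the shell snippet below does the two pieces of this step offline: it reads the default gateway out of the routing table, which is the quickest check for the router's address, and it walks nmap -O output picking out hosts whose OS fingerprint names a router vendor. Both inputs are constructed samples embedded in the script; the function names, the vendor list and the sample addresses are my own choices, and on a real Pi you would feed in the output of `ip route show default` and `sudo nmap -sS -O 192.168.1.0/24` instead.

```shell
#!/bin/sh
# Added example, not from the original post. Finds the likely router from
# (1) the default route and (2) nmap -O output. Uses constructed sample
# text so it runs offline; replace the samples with real output from
#   ip route show default
#   sudo nmap -sS -O 192.168.1.0/24

# Print the gateway address from `ip route show default` text on stdin.
gateway_from_route() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# Walk nmap -O output on stdin and print "<ip> <os guess>" once per host
# whose OS fingerprint mentions a router vendor (vendor list is my own).
router_candidates() {
    awk '
        /^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip) }
        /^(OS details|Running|Aggressive OS guesses):/ {
            sub(/^[^:]*: */, "")
            if ($0 ~ /Belkin|Fortinet|Netgear|Linksys|Cisco|D-Link|TP-LINK|MikroTik|router/) {
                if (!(ip in seen)) { print ip " " $0; seen[ip] = 1 }
            }
        }'
}

# Constructed sample outputs (not real captures).
SAMPLE_ROUTE='default via 192.168.1.1 dev wlan0 proto dhcp metric 303
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42'

SAMPLE_NMAP='Nmap scan report for 192.168.1.1
Host is up (0.0021s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
80/tcp open  http
Running: Netgear embedded
OS details: Netgear DG834G WAP or Netgear DG834 WAP (Linux 2.4)
Nmap scan report for 192.168.1.42
Host is up (0.000010s latency).
Running: Linux 4.X
OS details: Linux 4.15 - 5.6
Nmap scan report for 192.168.1.50
Host is up (0.0052s latency).
Running: Microsoft Windows 10
OS details: Microsoft Windows 10 1809 - 1909'

echo "Default gateway from routing table:"
printf '%s\n' "$SAMPLE_ROUTE" | gateway_from_route
echo "Hosts nmap fingerprinted as router-class:"
printf '%s\n' "$SAMPLE_NMAP" | router_candidates
```

The routing-table lookup needs no packets at all, which matters if you care about staying quiet; the nmap pass is there to confirm the guess when the gateway and the router are not the same box.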

Sparta

Now that we have the IP of the router, open up Sparta, or if it isn't installed yet, type:

apt-get install sparta

Add 'sudo' at the beginning if you aren't root.

Sparta is, in my opinion, a script kiddie tool (I prefer nmap), but it has one feature we need: it automatically takes a screenshot of whatever web page a host is serving and displays it. This is extremely handy when gathering information on a system. When I ran Sparta against my home router, it screenshotted my router's homepage, and that single page displayed a ton of information. That is why we're using Sparta. Double-click the white box on the left side that prompts you to add hosts (I can't remember its exact wording off the top of my head), and another box will pop up asking you for the IP; do not add /24 to the end of the IP. Make sure both of the boxes at the bottom are checked and click 'add to host'. Now sit back and let Sparta do its magic.

Eventually it will finish its scans, and it will tell you so in the terminal that opens automatically when you start Sparta. Once it says it is done, go back to the GUI; the box on the right has tabs along the top. Click the one that says 'screenshot' (usually for port 80), and if it succeeded, a screenshot of the router's homepage is displayed.
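The screenshot is a picture of the homepage, but the same identifying details are in the raw HTTP response, and that is what a practitioner would pull next. As an added example (not part of the original post), the function below extracts the Server header, the HTTP Basic-auth realm (many routers put their model name there) and the page title from a response. The response text is a constructed sample standing in for what `curl -si http://<router-IP>/` would return; the function name and the values in the sample are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Pulls vendor/model hints out
# of a router's raw HTTP response. SAMPLE_HTTP is a constructed stand-in
# for the output of:  curl -si http://192.168.1.1/

# Read an HTTP response on stdin; print server=, realm= and title= lines.
http_fingerprint() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        tolower($1) == "server:" {
            sub(/^[^:]*: */, ""); print "server=" $0
        }
        tolower($1) == "www-authenticate:" {
            if (match($0, /realm="[^"]*"/))
                print "realm=" substr($0, RSTART + 7, RLENGTH - 8)
        }
        match($0, /<title>[^<]*<\/title>/) {
            print "title=" substr($0, RSTART + 7, RLENGTH - 15)
        }'
}

# Constructed sample response (not a real capture).
SAMPLE_HTTP='HTTP/1.1 401 Unauthorized
Server: Boa/0.94.14rc21
WWW-Authenticate: Basic realm="NETGEAR DG834G"
Content-Type: text/html

<html><head><title>NETGEAR Router Login</title></head>
<body>Please log in.</body></html>'

printf '%s\n' "$SAMPLE_HTTP" | http_fingerprint
```

A 401 with a Basic realm is the common case for older home routers: you get the model string before you are even logged in, which is exactly the kind of detail the screenshot was showing you.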

Conclusion

I know there's probably an easier method, but that's not my point. My point is to show that tools built for one purpose can be used for a completely different purpose than what was intended. With that said, please give me feedback and suggestions, but give me some lovins too. Please and thanks. :)

10 Comments

Here's a quicker way of getting the router IP address:
ifconfig | grep Bcast: | awk ' { print $3" "substr($0,length($0)-12) } ' | awk '{print $1}'
You will get it as a string that says Bcast: followed by the IP address of the gateway.

Nice post though, well done.
TRT

Or using a Perl one-liner ;)

ifconfig | perl -ne 'print $1 if (/.*Bcast\:([\d\.]+)\s+.*/);'

The above is also a one-liner; it just doesn't fit in this narrow comment section. And you're right, Perl would do great in those brisk tasks.

TRT

I knew it was a one-liner... it just wasn't a Perl one-liner ;).

Honestly, I'd probably also use AWK for this one ;)

Yeah, I understand that there's a quicker and easier method but I wanted to show how to use the full functionality of tools. But thank you. :)

Also nmap is a very noisy tool unless you use the arguments effectively. It's just that the title literally states "Physical Backdoor" and, considering that this nmap scan would take long enough to easily be discerned by a sysadmin, I saw the opportunity to inform you of a quick, reliable and silent way of performing the first part of your post, without undermining your attack and without compromising yourself.

Nevertheless, keep going where you're going. Just trying to help you and others along the way :)

TRT

Worth noting that you don't have to use the Pi's IP for the nmap scan, you can just use a zero.

-Defalt

Thank you for the suggestion. :)

Um... I didn't know that this had a bunch of other sources.... thank you for posting those links. :)
