The world is full of vulnerable computers. As you learn how to interact with them, it will be both tempting and necessary to test out these newfound skills on a real target. Today, I'll introduce a deliberately vulnerable Raspberry Pi image designed to help you practice and take your hacking skills to the next level.
Many of us are hands-on learners, and the best way to learn a skill is to actually try what you're being taught to gain a real understanding. This can get legally complicated when learning about cyber security, due to complex and beginner-unfriendly computer hacking laws in the US and other countries.
With hacking constantly in the news and on the national radar, police are less and less understanding when dealing with issues of computer intrusion. As many of the principles you will learn are designed to compromise or break computers, your sister's laptop or the local library computer is not the best place to make your first mistakes as a hacker while learning about ransomware.
The solution is a computer with no valuable data inside, one which is deliberately vulnerable and specifically made for attacking. So where do you get this vulnerable computer? Do you buy an old one and hope that it has some interesting vulnerabilities? Ten years ago, that's exactly how you'd practice hacking older systems. Today, specially designed vulnerable operating systems are used to practice hacking tools against common vulnerable software services.
Since Null Byte is a white hat hacking community, it's important we provide every opportunity to practice lawfully and safely as we learn to break things. The Raspberry Pi is a cheap, flexible computer that can run a wide variety of popular software and backend applications. This makes it a perfect alternative to running a virtual machine as a "firing range" computer for practicing attacks.
So why not just run it on your own laptop in a virtual machine? I've always hesitated to unleash the fury on a virtual machine nestled inside my precious hacking laptop. Virtual machines can be complicated for beginners, and the difference between running that logic bomb inside the virtual machine and running it on your mom's HP could be a destroyed computer.
Physical separation is desirable, but until recently, it was rather expensive to buy another computer for testing when a free VM is available. That has changed with the availability and price point of the Raspberry Pi. Now, for $35, you can get started hacking safe and legal targets thanks to the hard work of the InfoSec community!
Australian security researcher Re4son runs Whitedome Consulting, a site featuring custom Raspberry Pi images developed in support of both cyber security learning and active penetration testing. He also builds things with the Raspberry Pi that Blue Teams see hovering in their darkest nightmares. Offering both offensive and practice images, Re4son's Damn Vulnerable Pi image caught my eye after relying on his excellent "Re4son Kernel" to solve many problems running Kali Linux on the Pi Zero W.
The Damn Vulnerable Pi image is a perfect companion to an offensive Kali Linux build, simulating a target computer running vulnerable services for you to destroy. Setup is simple and use is elegant with an optional touchscreen, although we will be using the "dv-pi" tool to control our DV-Pi over SSH from any laptop or smartphone for the sake of simplicity and compatibility. This tool is perfect for practicing at home, running hacking competitions, or demonstrating at live hacking events.
Re4son's DV-Pi comes with the following features:
- 3 GB image ready to go with all common TFT screens.
- Re4son Kali-Pi Kernel 4.4 with touch screen support.
- Supports Raspberry Pi 0/0W/1/2/3.
- Tool (re4son-pi-tft-setup) to set up all common touch screens, enable auto-logon, etc.
- Command line tool (dv-pi) for headless operation.
- Each image comes with one vulnerability to get in and one vulnerability to get root.
- Each image has two proof.txt files, each with a hash to prove a successful compromise.
To follow along, you will need:
- a Raspberry Pi 3
- Re4son's DV-Pi image
- a computer to burn the disk image from
- a microSD card (at least 8 GB) and adapter or card reader for your laptop
- an Ethernet cable
Optional: You can set up your DV-Pi from a smartphone instead of a laptop after the image is burned.
After downloading the DV-Pi image, unarchive it and select your favorite disk image burning software, because we'll be burning the image to an SD card. I use Etcher, but you can use anything that will write bootable disk images to an SD card.
At this point, you'll need to insert the SD card you intend to run the DV-Pi on into your laptop. I recommend using no less than 8 GB microSD cards. Put the microSD card into your adapter of choice, and after plugging it into your laptop, ensure you can see it listed with your other drives.
In Etcher (or whatever program you use), select the .img file you downloaded and unarchived, and burn it to the SD card you have inserted. This will give you a bootable image on the card, ready to insert into your Raspberry Pi.
After you're finished burning the OS onto the card, load the card into your Raspberry Pi and connect it via Ethernet to your network. Plug in the power and you'll see the DV-Pi start up. You can also connect it to an HDMI display and watch it boot to ensure everything is working correctly. It should look exactly like this:
Once the Pi is booted, you should be able to scan your network with arp-scan or Fing network scanner from your laptop or phone to discover the Pi's IP address. When you have the IP address, you'll be able to SSH into the Pi. In this case, the device name we're looking for is "dv-pi3."
Armed with the IP address, we can now SSH into the Raspberry Pi. You can scan the Pi's IP address with Fing Network Scanner to ensure port 22 is open and waiting for a connection.
You can SSH into the Pi via command line from the terminal on your laptop by running:
ssh pi@(ip address here)
The password will be "raspberry." You can also log in on a smartphone using an app like JuiceSSH.
Once you SSH in, you will have access to the DV-Pi's administrative controls! To know you've logged in, you should see a "Message of the Day" screen like below on a successful SSH connection.
To check the current status of our Damn Vulnerable Pi, we can use the dv-pi tool helpfully included by Re4son. To check whether the DV-Pi is running and vulnerable, enter the following:
This will show the current status of the device. Initially, it should be off/not vulnerable.
Ready to start hacking? To start the DV-Pi's vulnerable applications, you'll need to run:
Then authenticate with the password "raspberry" in the terminal. This will start the vulnerable applications.
To confirm the DV-Pi is running, scan your network again using Fing to find the Pi's IP address. Tapping on the device will allow you to "scan services" to see that both port 22 and port 80 are open.
Tap on port 80, or in your browser go to the IP of your Raspberry Pi. A WordPress service to attack should be running on the Pi if the system is vulnerable. If you see the site below, you know the DV-Pi is live!
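The discovery and confirmation steps above (find the Pi on the LAN, then check that port 22 and port 80 answer) can be scripted so you can verify the lab target before each practice session. The following is an added example written for this article; it is not part of Re4son's dv-pi tool or the original post. It assumes arp-scan is installed and that the Pi shows up with a vendor column containing "Raspberry Pi"; the IP addresses and the sample arp-scan output are constructed for illustration.

```python
"""Locate the DV-Pi on the local network and report whether its lab
services are up (added example, not the original article's code)."""
import socket
import subprocess

SSH_PORT, HTTP_PORT = 22, 80

# Constructed sample of `arp-scan --localnet` output (addresses are from the
# documentation range 192.0.2.0/24; b8:27:eb is a Raspberry Pi Foundation OUI).
SAMPLE_ARP_SCAN = """\
Interface: eth0, type: EN10MB, MAC: 00:11:22:33:44:55, IPv4: 192.0.2.10
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.0.2.1\t00:11:22:aa:bb:cc\tExample Router Inc.
192.0.2.42\tb8:27:eb:12:34:56\tRaspberry Pi Foundation
192.0.2.77\t00:11:22:dd:ee:ff\tSome Laptop Vendor

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.0 seconds (128.00 hosts/sec). 3 responded
"""


def find_pi_candidates(arp_scan_output: str) -> list:
    """Return the IPs whose vendor column mentions Raspberry Pi.

    arp-scan prints one tab-separated line per responding host:
    <ip>\t<mac>\t<vendor>. Header and summary lines have no tabs and are skipped.
    """
    hits = []
    for line in arp_scan_output.splitlines():
        parts = line.split("\t")
        if len(parts) >= 3 and "raspberry pi" in parts[2].lower():
            hits.append(parts[0])
    return hits


def run_arp_scan() -> str:
    """Run arp-scan on the local segment (needs root or CAP_NET_RAW)."""
    result = subprocess.run(
        ["sudo", "arp-scan", "--localnet"], capture_output=True, text=True, check=True
    )
    return result.stdout


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect check; any failure (refused, timeout, no route) counts as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def lab_state(ssh_up: bool, http_up: bool) -> str:
    """Map the port picture onto the states the walkthrough describes."""
    if ssh_up and http_up:
        return "live"          # dv-pi started: WordPress answering on :80
    if ssh_up:
        return "stopped"       # booted, but the vulnerable services are not started
    if http_up:
        return "ssh-down"      # unexpected for the DV-Pi image; check the device
    return "unreachable"


def check_host(host: str) -> str:
    """Probe one candidate and return its lab state."""
    return lab_state(port_open(host, SSH_PORT), port_open(host, HTTP_PORT))


if __name__ == "__main__":
    # Real run: discover candidates on the LAN and report each one's state.
    for ip in find_pi_candidates(run_arp_scan()):
        print(f"{ip}: {check_host(ip)}")
```

Run it before starting a session; "stopped" means you still need to start the vulnerable services with the dv-pi tool, and "live" means the WordPress target is up. Because discovery keys on the vendor string rather than the hostname, it also works on networks where the Pi's name is not advertised.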
Once your DV-Pi is set up, you're ready to get started hacking it. To prove you gained access, a fake "customer database" of credit card info is included to simulate exfiltrating real data and provide some excitement upon succeeding. Re4son runs a fantastic blog and responds to comments and questions on his builds, so check out his site in the future for more great work.
After speaking with Re4son about how useful his images are for our community, he's updated his images to support all versions of the Raspberry Pi, including the new Pi Zero W. Our hope is to bring a custom Null Byte image for our community to practice on, focusing on wireless security techniques using the Pi Zero W as a cheap, easy way to practice offensive Wi-Fi tools.
If there's interest, please mention in the comments and we can start taking community requests for features and look into giveaways for our community!