Career, Hacking, Security

I have been playing with my stack of pizero a bunch lately and tonight I decided to put together a piZero OTG Ethernet gadget that runs Kali (Really KaToolin),  XRDP and Mate in a computer on a stick configuration.  This way I have a full (as I want it to be) Kali installation with me as long as I have access to a USB port.

 

Here are the steps to build your own:

Install your pizero as an ethernet gadget.

Share your internet connection with your piZero:

You can now login into your PiZero at:
pi@raspberrypi.local

Copy and Run this shell script:

Reboot:
sudo reboot

Configure RDP and access your KaliZero:

Use KaToolin to install the tools you want:
sudo katoolin

**Be Warned:  The piZero is slow.  It is usable for basic tasks but is not amazing.

Career, Hacking, Security

I have been playing with my stack of piZero’s recently and started to read about the kernel OTG gadgets and was intrigued by the OTG_HID gadget.  So after doing some reading I found that someone had ported the USB Rubber Ducky platform to the piZero and called it rspiducky.

Building it is fairly straight forward but if you if you want a ready made solution I put a precompiled copy of the .img file here.

Once you get the image to your SD card (sudo dd if=duckberrypi_zero_minibian_05.img of=/dev/disk*/ bs=4m) you then start putting your payload into (surprise) payload.dd.

It is amazingly easy to drop a NetCat backdoor using this method.  You just need a publically available server you can run nc -l -p 443 -vvv on. 

Here is a non-persistent example:

Here is a persistent example via a cron job:

Here is the script running:

Here is what the NC backdoor looks like:

Bonus Scripts:

Type the longest word in the world 100,000 times:

Hide all windows 100,000 times:

Hello World test script:


As always have fun and only do good with these tools. 

Hacking, Security

I have been reading a lot about Beacon Frames on my vacation this week (stop laughing) and I came across a tool in Kali called MDK3 that will allow you to send fake beacon frames.  I couldnt pass up a chance to test this so I pulled out my trusty TL-WN722N and made a list of the 5,0000 most common SSIDS from wiggle.net.

Here are the commands to run it assuming your wireless interface is WLAN0:

Grab the commonssids.txt from my gist:
wget https://gist.githubusercontent.com/jgamblin/da795e571fb5f91f9e86a27f2c2f626f/raw/0e5e53b97e372a21cb20513d5064fde11aed844c/commonssids.txt

Start airmon-ng:
airmon-ng start wlan0

Start MDK3 with the string:
mdk3 wlan0mon b -f commonssids.txt -g -t -m -s 1000

Here are the command flags: 
b - Beacon Flood Mode
f - Read SSIDs from file
g - Show station as 54 Mbit
t - Show station using WPA TKIP encryption
m - Use valid accesspoint MAC from OUI database

Here is what the output looks like:

Here is what the wireless list looks like on a host:

As always be careful using this anywhere that it could cause issues with other people’s internet access.  No one likes a jerk.

Career, Hacking, Security

Thanks to PoisonTap I have finally had a reason to pull my PiZero out of the ever growing “Stuff to Hack” pile and start  working on it.   I have a couple of neat ideas that are coming down the pipeline but this weekend I built a VPN sidecar using a USB OTG Gadget. I wanted to be able to use the PiZero to offload some slow processes (big nmap scans) and as a place to verify findings through an always on VPN connection (I like and use Private Internet Access).

Configuration  is fairly simple and only takes about 30 minutes: 

Install your pizero as an ethernet gadget.

Share Your Internet Connection With Your PI:

You can now login into your PiZero at:
pi@raspberrypi.local

Update Your Pi and install OpenVPN:
sudo apt-get update && sudo apt-get -y dist-upgrade
sudo apt-get -y install openvpn
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip openvpn.zip -d openvpn
sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
sudo cp "openvpn/US Texas.ovpn" "/etc/openvpn/Texas.conf"
#You can use a diffrent VPN endpoint if you like. Note the extension change from ovpn to conf.
sudo reboot


Create /etc/openvpn/login containing only your username and password, one per line, for example:
username
password123

Change the permissions on this file so only the root user can read it:
sudo chmod 600 /etc/openvpn/login

Setup OpenVPN to use your stored username and password by editing the the config file for the VPN endpoint:
sudo nano /etc/openvpn/Texas.conf

Change the following lines so they go from this:
auth-user-pass > auth-user-pass /etc/openvpn/login
crl-verify crl.rsa.2048.pem > crl-verify /etc/openvpn/crl.rsa.2048.pem
ca ca.rsa.2048.crt > ca /etc/openvpn/ca.rsa.2048.crt

Test VPN:
sudo openvpn --config /etc/openvpn/Texas.conf

If the VPN is working you will see:

Next step is to enable VPN at boot:
sudo systemctl enable openvpn@Texas
sudo reboot

After reboot verify VPN connection:

You now have an always on PiZero USB VPN SideCar! Have fun.   🙂

Career, Security

In the last two years Burp Suite Proxy has become my go to web application security scanner.  As with everything recently if I can automate it, I do.   So this weekend I built a simple script to scan a website with Burp, create a PDF report and post it to Slack:

Here is how I set it up:

  • Copy this line to your crontab to run this scan at 0100 on Mondays:
    00 01 * * 1 ./autoburp.sh
  • Enjoy weekly automated burp scanning and slack reporting of  your website.
Career, Security

I have recently been  automating a lot of my technical security tasks and building slack bots around them and it was w3af‘s turn.   W3af is an amazing open source web application security scanner that my friend Andres Riancho writes and maintains.

The goal of this project was to build scheduled and automated scans of my web properties with pdf reporting and slack alerting:

Configuration is fairly easy.

  • Create a SlackBot and copy API Key.
  • Update and install needed software on server:
    sudo apt-get update && sudo apt-get dist-upgrade
    sudo apt-get w3af
  • Install wkhtml2pdf in headless mode.
  • Create necessary folders:
    sudo mkdir /w3af
  • Copy this shell script and up token:
  • Copy this w3af config file:
  • Copy this line to your crontab to run this scan every night at midnight:
    00 00 * * * ./w3af/w3af.sh
  • Enjoy automated w3af scans with slack alerting.
Career, Security

As I have talked about before “You can’t defend what you dont know exists”  so today while sitting around and trying to recover from walking pneumonia  I wrote slackmap to continually nmap a network and post the differences to slack:

Configuration is amazingly easy.   I run a copy of this on a $5 a month Digitalocean Droplet for an external view and a Raspberry Pi for internal scanning.

  • Create a SlackBot and copy API Key.
  • Update and install needed software on server:
    sudo apt-get update && sudo apt-get dist-upgrade
    sudo apt-get install ssmtp nmap xsltproc
  • Create necessary folders:
    sudo mkdir /nmap/
    sudo mkdir /nmap/diffs
  • Copy this to /nmap/slackmap.sh and add SlackBot API key to Line 8:
  • Copy this line to your crontab to run this scan every 15 minutes (make longer for bigger networks):
    */15 * * * * /nmap/slackmap.sh
  • Enjoy a new level of network visibility. : )