Installing netcat backdoors with a piZero

I have been playing with my stack of piZero’s recently and started to read about the kernel OTG gadgets and was intrigued by the OTG_HID gadget.  So after doing some reading I found that someone had ported the USB Rubber Ducky platform to the piZero and called it rspiducky.
Building it is fairly straight forward but if you if you want a ready made solution I put a precompiled copy of the .img file here.
Once you get the image to your SD card (sudo dd if=duckberrypi_zero_minibian_05.img of=/dev/disk*/ bs=4m) you then start putting your payload into (surprise) payload.dd.
It is amazingly easy to drop a NetCat backdoor using this method.  You just need a publically available server you can run nc -l -p 443 -vvv on. 
Here is a non-persistent example:
Here is a persistent example via a cron job:
Here is the script running:

Here is what the NC backdoor looks like:

Bonus Scripts:

Type the longest word in the world 100,000 times:

Hide all windows 100,000 times:
Hello World test script:

As always have fun and only do good with these tools. 

Spoofing Beacon Frames From The 5000 Most Common SSIDS

I have been reading a lot about Beacon Frames on my vacation this week (stop laughing) and I came across a tool in Kali called MDK3 that will allow you to send fake beacon frames.  I couldnt pass up a chance to test this so I pulled out my trusty TL-WN722N and made a list of the 5,0000 most common SSIDS from
Here are the commands to run it assuming your wireless interface is WLAN0:
Grab the commonssids.txt from my gist:
Start airmon-ng:
airmon-ng start wlan0

Start MDK3 with the string:
mdk3 wlan0mon b -f commonssids.txt -g -t -m -s 1000

Here are the command flags: 
b - Beacon Flood Mode
f - Read SSIDs from file
g - Show station as 54 Mbit
t - Show station using WPA TKIP encryption
m - Use valid accesspoint MAC from OUI database

Here is what the output looks like:

Here is what the wireless list looks like on a host:

As always be careful using this anywhere that it could cause issues with other people’s internet access.  No one likes a jerk.

PiZero USB VPN SideCar

Thanks to PoisonTap I have finally had a reason to pull my PiZero out of the ever growing “Stuff to Hack” pile and start  working on it.   I have a couple of neat ideas that are coming down the pipeline but this weekend I built a VPN sidecar using a USB OTG Gadget. I wanted to be able to use the PiZero to offload some slow processes (big nmap scans) and as a place to verify findings through an always on VPN connection (I like and use Private Internet Access).
Configuration  is fairly simple and only takes about 30 minutes: 
Install your pizero as an ethernet gadget.
Share Your Internet Connection With Your PI:

You can now login into your PiZero at:
[email protected]

Update Your Pi and install OpenVPN:
sudo apt-get update && sudo apt-get -y dist-upgrade
sudo apt-get -y install openvpn
unzip -d openvpn
sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
sudo cp "openvpn/US Texas.ovpn" "/etc/openvpn/Texas.conf"
#You can use a diffrent VPN endpoint if you like. Note the extension change from ovpn to conf.
sudo reboot

Create /etc/openvpn/login containing only your username and password, one per line, for example:
Change the permissions on this file so only the root user can read it:
sudo chmod 600 /etc/openvpn/login
Setup OpenVPN to use your stored username and password by editing the the config file for the VPN endpoint:
sudo nano /etc/openvpn/Texas.conf
Change the following lines so they go from this:
auth-user-pass > auth-user-pass /etc/openvpn/login
crl-verify crl.rsa.2048.pem > crl-verify /etc/openvpn/crl.rsa.2048.pem
ca ca.rsa.2048.crt > ca /etc/openvpn/ca.rsa.2048.crt
Test VPN:
sudo openvpn --config /etc/openvpn/Texas.conf
If the VPN is working you will see:

Next step is to enable VPN at boot:
sudo systemctl enable [email protected]
sudo reboot
After reboot verify VPN connection:

You now have an always on PiZero USB VPN SideCar! Have fun.   🙂

Automated Burp Suite Scanning and Reporting To Slack.

In the last two years Burp Suite Proxy has become my go to web application security scanner.  As with everything recently if I can automate it, I do.   So this weekend I built a simple script to scan a website with Burp, create a PDF report and post it to Slack:

Here is how I set it up:

  • Copy this line to your crontab to run this scan at 0100 on Mondays:
    00 01 * * 1 ./
  • Enjoy weekly automated burp scanning and slack reporting of  your website.

Automated W3AF Scanning with Slack Alerting

I have recently been  automating a lot of my technical security tasks and building slack bots around them and it was w3af‘s turn.   W3af is an amazing open source web application security scanner that my friend Andres Riancho writes and maintains.
The goal of this project was to build scheduled and automated scans of my web properties with pdf reporting and slack alerting:
Configuration is fairly easy.

  • Create a SlackBot and copy API Key.
  • Update and install needed software on server:
    sudo apt-get update && sudo apt-get dist-upgrade
    sudo apt-get w3af
  • Install wkhtml2pdf in headless mode.
  • Create necessary folders:
    sudo mkdir /w3af
  • Copy this shell script and up token:

  • Copy this w3af config file:

  • Copy this line to your crontab to run this scan every night at midnight:
    00 00 * * * ./w3af/
  • Enjoy automated w3af scans with slack alerting.

Continuous Network Monitoring With Slack Alerting

As I have talked about before “You can’t defend what you dont know exists”  so today while sitting around and trying to recover from walking pneumonia  I wrote slackmap to continually nmap a network and post the differences to slack:

Configuration is amazingly easy.   I run a copy of this on a $5 a month Digitalocean Droplet for an external view and a Raspberry Pi for internal scanning.

  • Create a SlackBot and copy API Key.
  • Update and install needed software on server:
    sudo apt-get update && sudo apt-get dist-upgrade
    sudo apt-get install ssmtp nmap xsltproc
  • Create necessary folders:
    sudo mkdir /nmap/
    sudo mkdir /nmap/diffs
  • Copy this to /nmap/ and add SlackBot API key to Line 8:

  • Copy this line to your crontab to run this scan every 15 minutes (make longer for bigger networks):
    */15 * * * * /nmap/
  • Enjoy a new level of network visibility. : )

WebSnort Docker Container

One of the first things I like to do when I start looking at a PCAP during an investigation is run it through snort to see if it finds anything suspicious. You can easily do this at the command line with  snort -dv -r test.pcap but the output is not great.
I have been using a tool called websnort for better output recently and decided it was time to put it into a docker container for easy portability.
Screen Shot 2016-08-25 at 7.48.51 AM
To run it: 
docker run -d -p 8080:8080 jgamblin/websnort
If you want to build your own the  dockerfile is:
FROM ubuntu:latest
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install python-pip snort -y
RUN chmod a+r /etc/snort/snort.conf
RUN pip install websnort
CMD websnort
Protip: has great PCAPs for testing your security tools.

Honeyfiles from my SSHoneypots

My friends at DigitalOcean were nice enough to give me a generous amount of credit on their cloud platform to do some security research with so I decided to do the most reckless thing I could think of and run a full ssh honeypot on the internet.
The build out is pretty simple, it is the  SSHoneypot Docker Container I wrote on a debian droplet with all outbound traffic blocked so that in theory not much damage can be done. 
Surprisingly, It has taken a few days for people to start exploiting the boxes but when I got up this morning 2 of the boxes had been “hacked”:Screen Shot 2016-08-17 at 7.01.29 AM
In order to share these findings with the community I will copy all files written to these honeypots to
Screen Shot 2016-08-17 at 6.58.05 AM
I have a long way to go with this project as way too much of it is manual now.  I need to invest the time to automate notification, moving the files to the web server and starting a new container.
If you are interested in full pcaps or any of the actual exploited SSHoneypot containers reach out to me on twitter at @jgamblin I will be glad to share.

The Security Summer Camp Talks I Want To See…

I took some time tonight and read through the Security Summer Camp  (BSidesLV, Blackhat and Defcon) schedules and picked the talks from this year that I think will be the best and that I do not want to miss.
I ended up with these 16 talks I am going to make a special point to see next week:


Managing Security with the OWASP Assimilation Project.
I want to see how Alan is using this OWASP project and how it compares to commercial CMDBs.
Automation of Penetration Testing and the future.
I am really interested in this subject as security is seriously lagging behind in the automation arms race and I think it will be the hottest trend in security over the next year.
How to Get and Maintain your Compliance without ticking everyone off.
The outline for this talk is a little sparse but I am interested in seeing what these guys come up with since I know them and am interested in this subject.
How to travel to high-risk destinations as safely as possible.
Ryan will do an amazing job on this talk but I am going to go to this talk to see how many of these things I can steal for my own OpSec.
A Peek Behind Vegas Surveillance.
Um… because why not? I love Oceans 11.
Automation Plumbing.
Another automation talk…. I sense a trend.


An insider’s guide to cyber-insurance and security guarantees.
I am  interested in this subject in general and how it will shape security in the next few years.
Cyber war in perspective: analysis from the crisis in ukraine
I have a read a couple of books and watched winter on fire about this conflict so it will be interesting to hear about it from cyber-war perspective.


Universal Serial aBUSe: Remote physical access attacks.
This is going to be the best and most talked about talk at Defcon.  If Dominic brings the tool outlined in the talk (and he will) you will be reading about this for the next month.
Realtime bluetooth device detection with Blue Hydra
I love hacking bluetooth devices and Blue Hydra is an amazing new tool.
BSODomizer HD: A mischievous FPGA and HDMI platform for the (m)asses
These guys know so much about hacking hardware and this talk and tool is going to be amazing.  I hope Joe has a kit together by Defcon so I can buy it.
101 Ways to Brick your Hardware
Joe FitzPatrick is one of the smartest guys I know and watching this talk on how his failures will be entertaining, educational and inspiring.  Amazing and truly talented people can always laugh at themselves.
Picking Bluetooth Low Energy Locks from a Quarter Mile Away
um…. are you telling me you wouldn’t want to see this?
Hacking Hotel Keys and Point of Sale systems
I am glad I will be checked out of my room by the time this talk is given.


Sun, Sin, Security: IOActive
IOActive does an amazing job with their event every year and they will have some amazing talks.
Securing the Internet of Things (SIOT)
I love IOT security and I will be speaking at this event.
I will just leave this here for discussion at another time but I am probably skipping the Blackhat badge next year:

Conference Badge Cost Talks Cost Per Talk
BSidesLV $0.00 6 $0.00
BlackHat $2,295.00 2 $1,147.50
Defcon $240.00 6 $40.00

6 Technical Things To Do Before Security Summer Camp

We are two weeks away from Security Summer Camp (which is BSidesLV, Blackhat and Defcon)!

So it is time for everyone to write their annual blog posts about what you must do before you head out.  I want to be one of the cool kids so here is my list of 6 things to do before you pack:

Delete All The Saved SSID’s On Your Devices

A common attack that hackers like to do is spoof common SSIDs so that your device will connect automatically and start using their AP so they can capture all your information.   I actually wrote a script called mana-common  that spoofs the most common to demo this problem.
You should delete all the saved SSIDS on your devices to stop from falling victim to this attack.

Get A Hot Spot

Connecting to a hotel network at a Hilton in Little Rock is dangerous. Connecting to a hotel network in Las Vegas is reckless. Connecting to a hotel network in Las Vegas during Security Summer Camp is stupid.   You can pick up a mobile hotspot for about $25 a month.


You could easily get a commercial VPN but if you want to go to the next step build your own streisand server or an openvpn server  and delete it when you are done with it.   It will help protect your data from anyone who may be snooping on you.

Change All Your Passwords (Before and After)

You should run your passwords managers auto-change feature before you leave for Vegas and when you get back just incase someone gets a hold of your account.  You do use a password manager right?

Turn on 2FA On All Your Accounts.

You should at a minimum enable 2FA on all your social media and  financial accounts before you head out. has great information on how to configure your accounts to use 2FA.

PCAP All Your Traffic

This is the most paranoid of my tips but when I am at a conference I always PCAP all my data incase I do get breached I can hopefully figure out how or write a good blog post about it.
I wrote a blog post on doing this with docker earlier this summer so I now can run this to save the pcaps to my dropbox:
docker run -v ~/Dropbox/pcap:/pcap --net=host -d jgamblin/tcpdump
The truth is these 6 rules should be followed all the time if you want to have a decent operational security posture. OK, you might not need to PCAP everything, I am just paranoid…follow the first  and you will be ok.
Also while at Security Summer Camp drink plenty water, don’t sleep much and have fun!

Site Footer