PWNPi is a penatration testing distro for the the Raspberry Pi. It currently has 200 penetration and network security auditing tools. The latest version also now supports the 512 meg version of the pi. Please be aware that these tools are for serious penatration testers only and not meant to be used for hacking or being an asshat.
Crypto Cat Plush Animal
The tiny, $35, Linux-based Raspberry Pi computer has drawn a lot of attention in the last few months, and though it was originally developed to teach computer programming to young students, Internet activists have taken notice as well. A recent BBC interview with developer Nadim Kobeissi, creator of a web-based secure communications program called Cryptocat, shows off just one potentia
l use of the low-cost hardware and free software system. Kobeissi says he’s looking forward to the arrival of Raspberry Pi as a way to bring extra-secure communication to web chat, especially in places where conversations might be watched.
Kobeissi’s Cryptocat is an open-source program that encrypts chat conversations before they’re sent to a server. For relatively little money, he plans to buy Raspberry Pi computers, set them up as servers running Cryptocat, and send them to areas where free speech is monitored or prohibited. The small, modifiable nature of Raspberry Pi computers make them well-adapted to foster chat privacy.
Considering general privacy concerns and recent NSA surveillance probes, the idea could be intriguing for westerners too. “Big Data continue to amass gigantic amounts of personal information without providing any guarantee of privacy, while encryption remains largely inaccessible,” Cryptocat’s website claims, “Cryptocat aims to bridge the gap for those who need easy, encrypted communication.”
Earlier this week, Raspberry Pi became available for pre-order through two Britain-based manufacturers, and the demand for the little open-source system was so great that both manufacturers sites went down on Tuesday evening. When the Pi becomes more widely available, Kobeissi plans to put the software for turning the Raspberry Pi into a chat server online for anyone to use.
I am just brainstorming here but what about using the Raspberry Pi for security devices other than just a Pen Test Drop Box. Other ideas..
Multi-camera security system
Secure Chat tool with CryptoCat
Firewall (something like untangle for Arm)
Proxy Server
BT5 ARM? Is the Raspberry Pi invited to the party too? (I mean, I’d expect so, but I only see smartphone threads in this section so I thought I’d ask.)
The RasPi could be a pretty handy tool if paired with BT — a super-customizable BT card which you could place in seemingly benign containers/locations for gathering data.
Or, y’know, just get a bunch of them spread out over some area and get exceptional wireless coverage, command your own team of nodes, etc.Oh, yeah, this has to be a thread. Let’s discuss any creative uses we can come up with using Raspberry Pi boards/systems and BackTrack.
Short answer: No, BT can’t run on Raspberry Pi without modifications.
Long answer: RaspberryPi has an ARM11 CPU
http://elinux.org/RaspberryPiBoard#Hardwarewhich means it has the ARMv6 architecture:
https://secure.wikimedia.org/wikiped…ture#ARM_coresBT is compiled for Nvidia Tegra 2 which is ARMv7:
https://secure.wikimedia.org/wikiped…Tegra_2_seriesBut, if you have the source code, theoretically you could compile it yourself for the ARMv6 ISA
You don’t need RaspberryPi running BT for being useful in Penetration testing, you could install the needed tools in the distro that comes with RaspberryPi and use it that way, without senseless modifications.
What’s great about RaspberryPi is the very low power consumption (~700mAh at 5V ~=3.5W) which can be used together with of the shelf 18650 LiIons and a voltage regulator.
RaspberryPi: US$25
4×18650: US$9
1xL7805: US$1
Wifi dongle: US$7
—————————
Total: US$42The perfect backdoor/dropbox which runs at least 12h off the batteries.
18650 LiIons have 3000mAh -> 3Ax3.7V=11.1W X 4= 44.4W / 3.5W =12.6H
From what I understand (and maybe I am missing) he has converted a PS2 Keyboard into a USB that also has hidden inside a bootable USB stick and a USB wifi adapter. Maybe I am wrong.. but his idea here makes me think about some other cool usb hacking ideas.
Hello guys,
I’m new to the forum and thought I would introduce myself with my current Keyboard Project.
Here’s what the project consists of:
1 IBM M-type Keyboard
1 16gb flash drive
1 Dlink USB wifi card, modified with External Antenna (Injection Capable)
1 5 port USB Hub
1 7.7db Omni Antenna
Why: To make a long story short, I work in the Security industry, and commonly help recover (or penetrate) various systems. I wanted something that I could carry relatively easily that would allow me the following things a. a bootable operating system b. a internet connection that was capable of injection (just in case!) c. a device with enough storage space to backup passwords, pictures, etc.
How: Most of you will likely know, there were never USB IBM M-type Keyboards they were only released in PS/2, AT, and Terminal types. So to make this all work I have to convert the keyboard to USB. Once the Conversion takes place, I’ll need to completely rewire the internals, mount the external Antenna, and then some.
Here goes.
This is the Keyboard PCB with USB to PS2 converter soldered on. The little bit with a mouse port hanging off the side is the actual adapter.
This is several hours later, Almost all the ends and odds mounted. Top Left is USB hub, immediately under that is the 16gb flash drive. To the right, the Keyboard PCB and the USB adapter. Above this you can see the Switch I installed for the wifi. You can also see the rear USB ports mounted next to the switch.
USB wifi mounted and external RP-SMA installed. You may notice this is the only device that I made removable. This is because I am not particularly impressed with this wifi card. I will be swapping for a better card in the near future.
Here’s a Birds Eye of where the keyboard sits today.
Here’s the near finished product
In light of the recent hackaday coverage here’s the completed(ish) shots publicly viewable.
If you like this kind of projects, please join the forums. We need community driven feedback for where to focus attention for future projects.
You can easily build your own Mini-Pwner.
cd /usr/share nc 192.168.1.111 3333 > minipwner.tar
tar -xf minipwner.tar
cd /usr/share/minipwner cp -f /etc/config/network /etc/config/network.orig cp -f /etc/config/wireless /etc/config/wireless.orig cp -f /etc/config/firewall /etc/config/firewall.orig cp -f /etc/profile /etc/profile.orig cp -f /etc/config/fstab /etc/config/fstab.orig cp -f /etc/opkg.conf /etc/opkg.conf.orig cp -f /etc/config/system /etc/config/system.orig cp -f /etc/config/dhcp /etc/config/dhcp.orig cp -f ./network.1 /etc/config/network cp -f ./wireless.1 /etc/config/wireless cp -f firewall.1 /etc/config/firewall cat /etc/config/wireless.orig
vi /etc/config/wireless
Delete the bad MAC address (cursor to it and use x to delete) then paste in the copied MAC (i to insert then paste). Then change the Wifi settings to connect to your wireless router (by default tries to connect to SSID “TOKI”. Shift-ZZ to save and exit. :q! to exit without saving.
/etc/init.d/network restart wifi
ifconfig wlan0
to check that your wireless settings came up. If you don’t have a DHCP assigned address you’ll need to troubleshoot your settings.
cd /usr/share/minipwner opkg update opkg install kernel opkg install kmod-usb-storage opkg install kmod-fs-ext4 opkg install block-mount cp -f profile.1 /etc/profile cp -f fstab.1 /etc/config/fstab cp -f opkg.conf.1 /etc/opkg.conf cp -f system.1 /etc/config/system mkdir /mnt/usb /etc/init.d/fstab enable /etc/init.d/fstab start ls /mnt/usb
cd /usr/share/minipwner ln -s /mnt/usb /opt ln -s /etc /mnt/usb/etc opkg install netcat opkg -dest usb install tar opkg -dest usb install openssh-sftp-client opkg -dest usb install nmap opkg -dest usb install tcpdump opkg -dest usb install aircrack-ng opkg -dest usb install kismet-client opkg -dest usb install kismet-server opkg -dest usb install perl opkg -dest usb install openvpn opkg -dest usb install dsniff opkg -dest usb install nbtscan opkg -dest usb install snort opkg -dest usb install karma opkg -dest usb install samba2-client opkg -dest usb install elinks opkg -dest usb install yafc cp -f ./network.2 /etc/config/network cp -f ./wireless.2 /etc/config/wireless cp -f ./dhcp.2 /etc/config/dhcp ln -s /mnt/usb/usr/share/nmap /usr/share/nmap cat /etc/config/wireless.orig
vi etc/config/wireless
Delete the bad MAC address (cursor to it and use x to delete) then paste in the copied MAC (i to insert then paste). Shift-ZZ to save and exit. :q! to exit without saving.
ln -s /mnt/usb/usr/share/nmap /usr/share/nmap"
This device is a little pricey.. Like REALLY pricey – I want to do this on the cheap, and home brew style – If you looking for a more mature device with support this may be the way to go.
Building a Svartkast with a pretty pink Pogoplug: Cheap hardware to leave on someone else’s network
The first obvious question is what the hell is a Svartkast? Well, it’s a term I picked up from Telecomix. Before I would have just referred to it as a “drop box” (too much name collision there now), but some also call it a kamikaze box or a Blackthrow (which is English for the Swedish term Svartkast). The core idea is to have a cheap host you can leave on someone else’s network that you can remote into but that can’t easily be tied back to you. The Svartkast does this one better by using a cipher-space like Tor or I2P to further obfuscate where communications to the box are coming from (though slowing down communications of course, anonymity isn’t “free”). While there are a lot of options for hardware, from old laptops to Mini-ITX, I went with the Pogoplug because one can be had for $50 and if it’s lost in action, so be it. It has built in gigabit Ethernet, 4 USB plugs, 256MB of RAM and a Marvell Kirkwood 1.2GHz ARMv5te CPU. Feel free to take off the pink shell to make it smaller and less obvious, but be careful of the exposed parts on the power supply. Future plans are to use a Raspberry Pi when it becomes available. A legitimate pen-tester would probably want to skip the cipher-space part as it just slows things down, and I’m only recommending the Blackthrow component for those that live under repressive governments. Still, I think it’s a fascinating concept.
Let’s Get Linux On It
Since we are talking about some pretty low end ARM hardware we are not going to be running Windows on it. 
Lucky, the Pogoplug comes with it’s own version of Linux, which we can replace with a version of Debian Linux. Jeff Doozan has provided some scripts and instructions for getting it installed on his site:
http://jeff.doozan.com/debian/
I’ve copied and pasted from some of his command lines, with a bunch of my own commentary spliced in.
1. First you will need to know the IP of your Pogoplug so you can SSH into it. Easiest way to do this is while you are configuring it on a network you control take note of the MAC address (printed on the bottom) of your Pogoplug, then look for it’s IP on your router.
2. You may have to open up its web interface first to enable SSH support, and it’s been so long since I’ve had an unhacked Pogoplug I can’t tell you exactly where that option is (Google away for it if you can’t find it).
3. Once you have the SSH service running you should be able to login as root with the default password ceadmin.
4. Insert a formatted (or at least non bootable) thumb drive into one of the free USB ports.
5. Let’s partition the drive, the following commands (highlighted in green) are what I used on my 4GB flash drive. You may want to change them a little to match your needs.
————————————
login as: root
root@192.168.1.124′s password:
Pogoplug:~$ fdisk /dev/sda
Command (m for help): m
Command Action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition’s system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)
Command (m for help): o
Building a new DOS disklabel. Changes will remain in memory only,
until you decide to write them. After that the previous content
won’t be recoverable.
Warning: invalid flag 0×00,0×00 of partition table 4 will be corrected by w(rite)
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1018, default 1): 1
Last cylinder or +size or +sizeM or +sizeK (1-1018, default 1018): 800
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (801-1018, default 801): <enter>
Using default value 801
Last cylinder or +size or +sizeM or +sizeK (801-1018, default 1018): <enter>
Using default value 1018
Command (m for help): p
Disk /dev/sda: 4040 MB, 4040724480 bytes
125 heads, 62 sectors/track, 1018 cylinders
Units = cylinders of 7750 * 512 = 3968000 bytes
Device Boot Start End Blocks Id System
/dev/sda1 1 800 3099969 83 Linux
/dev/sda2 801 1018 844750 83 Linux
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table
Pogoplug:~$
————————————
6. Once the partitions are set up, we can use Jeff Doozan’s scripts to install Debian Squeeze onto the flash drive. Run the following command, or just copy and paste them into your SSH session (Copied from Jeff’s page linked to above):
————————————
cd /tmp
wget http://jeff.doozan.com/debian/dockstar.debian-squeeze.sh
chmod +x dockstar.debian-squeeze.sh
export PATH=$PATH:/usr/sbin:/sbin
./dockstar.debian-squeeze.sh
<at this point, all you should have to do is ok at the script confirmation>
ok
————————————
After the above steps, the password is now “root” (please change that on first boot with the command passwd). We now should have Debian on our little pink buddy (not that one you perv!).
Next up, lets install some useful apps.
At this point you should have a nice little computer that can be used as a drop box. Install whatever you might normally want on such an item, pretty much if it’s in Debian’s repositories you can install it with easy (think of the pen-test options). The rest of the article will focus on the darknet/anonymity aspects. The next step will be to grab a bunch of packages that will be useful for the following steps. We can pretty much do this with one command:
————————————
apt-get install lxde iceweasel xfonts-base xrdp tightvncserver nano cron
————————————
Here are the things we are installing, and why:
default-jre: Java Runtime, but on the Pogoplug this IceTea version is a little too slow. We will need to replace it with the Oracle/Sun version of Java.
lxde: A relatively light weight desktop environment.
iceweasel: The Debian version of FireFox.
xfonts-base: Needed by some of the other apps.
xrdp: This is so you can use a Windows Remote Desktop client to connect to the Blackthrow and use GUI tools. Keep in mind GUI access will be slow even with a direct connection, over a darknet it will likely be unusable.
tightvncserver: Another option for GUI access.
nano: My favorite text editor, because I’m lame like that.
cron: This is for scheduling jobs, but I use it as a ghetto way to keep the I2P daemon running.
Installing Java so I2P can function
If you are using hardware other than the Pogoplug you may be able to skip this step. For the Pogoplug default-java may not be enough, so we have to do the following.
1. Let’s Wget the Oracle/Sun Embedded Java package. You will likely have to replace the URL with an updated one. Check out possible links by looking for the most current “ARMv5 Linux – Headless” download at http://www.oracle.com/technetwork/java/embedded/downloads/javase/index.html
————————————
wget http://download.oracle.com/otn-pub/java/ejre/7-b147/ejre-7-fcs-b147-linux-arm-sflt-headless-27_jun_2011.tar.gz
————————————
2. Now we can untar the download.
————————————
tar -zxf ejre-7-fcs-b147-linux-arm-sflt-headless-27_jun_2011.tar.gz
————————————
3. To make sure our special Oracle/Sun Embedded Java is in the path edit:
/etc/profile
and add:
/root/ejre1.7.0/bin
to the path. Use Nano or Vi to make the edits. The lines should look something like this after editing:
if [ "`id -u`" -eq 0 ]; then
PATH=”/root/ejre1.7.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/$
else
PATH=”/root/ejre1.7.0/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/$
fi
export PATH
At this point you may want to logout and back in to make sure the path is set.
4. Run:
————————————
java -version
————————————
and hopefully it should say something like:
Java SE for Embedded 7 (Build 147) ARMv5 Linux – Headless, EABI, Soft Float, Little-Endian
Installing I2P
Since I2P is the cipherspace we will be using, we need to install it (duh!).
1. Find the URL to download from by going to http://www.i2p2.de/download, this will change with time as new versions are released. At the time of this writing the following works.
————————————
wget http://mirror.i2p2.de/i2pinstall_0.8.8.exe
————————————
Yes, that was an EXE we just downloaded to an ARM Linux box, we meant to do that.
2. Next, to install I2P use the following command:
————————————
java -jar i2pinstall_0.8.8.exe -console
————————————
3. Take all the defaults. I put mine in a directory called just i2pbin. Keep in mind that i2pbin is the directory where the binaries for I2P are but the active configs will be in root’s home under .i2p (note the leading period).
4. In theory, if we are in root’s home we should be able to use the command:
————————————
i2pbin/i2prouter start
————————————
But this does not seem to work on the ARM platform. Use this instead:
————————————
i2pbin/runplain.sh
————————————
Now we should have the directory /root/.i2p/ where our configs will be. For simplicity (the damnable enemy of security) I’m running all of this as root, but ideally you may want to make a special account to run it from. Hey, it’s meant to be throwaway hardware anyway. In the case of making a non-root account to run it from put the Java and I2P binaries in a more accessible directory and modify the paths in these instructions accordingly.
5. For step 6 to work, we need to modify the start up script. For that we will copy it to a new file, then edit that file:
————————————
cp i2pbin/runplain.sh i2pbin/myrunplain.sh
nano i2pbin/myrunplain.sh
————————————
Right below the line that reads #!/bin/sh, add:
PATH=/root/ejre1.7.0/bin:$PATH
export PATH
This is so our special Java is in cron’s path.
6. Now the problem with this is making sure it’s running at all times, even after a crash. The following is my solution, but there may be a better way. Run:
————————————
crontab -e
————————————
This should bring up an editor so we can add scheduled tasks. Add the following lines:
0 * * * * /root/i2pbin/myrunplain.sh
@reboot /root/i2pbin/myrunplain.sh
then exit. These lines should start up I2P on boot and try to load it every hour. The reason for the every hour line is to restart I2P in case it has crashed. If I2P finds that it is already running, it should graceful close.
7. We should now have I2P up and running.
Extra I2P Tweaks
For a full list see http://www.irongeek.com/i.php?page=security/i2p-tor-workshop-notes
These are just some useful items. Note that we have the core binaries in the directory “/root/i2pbin”, but the config files are in “/root/.i2p”
1. Let’s make it so we can get into the web console from any box, not just the local host. Edit .i2p/clients.config and look for a line that looks like:
clientApp.0.args=7657 ::1,127.0.0.1 ./webapps/
and set it to:
clientApp.0.args=7657 0.0.0.0 ./webapps/
2. If we do step one, it is probably a good idea to make a router password. Just edit .i2p/clients.config
————————————
nano .i2p/clients.config
————————————
then add the line:
consolePassword=SomePassword
Obviously replacing “SomePassword” with the password you want to use. The logon name is “admin”.
3. If you have done step 1 above, you may also want to open up I2P’s web proxy to the rest of the LAN as well.
a. Go to the web interface at http://<ip of pogoplug>:7657/
b. Click through to I2PTunnel, then the “Name: I2P HTTP Proxy” settings.
c. In the Access Point->Reachable Dropdown, set it to 0.0.0.0 if you wish. 0.0.0.0 means it will listen on all configured IPs.
You may also be able to do the above by just directly editing .i2p/i2ptunnel.config.
4. If too many resources are being taken by routing for others, you may wish to add:
router.maxParticipatingTunnels=0
to your .i2p/clients.config. Sharing is good for the network, but the Pogoplug is a little under powered to be of that much help to others perhaps.
5. To make our changes take effect we may have to stop and restart I2P. To do this, we can just use this command to stop I2P:
————————————
kill `cat /tmp/router.pid`
————————————
Please note those are back ticks (~ key), not single quotes. To start it again we can just use:
————————————
/root/i2pbin/i2prouter start
————————————
Setting up access over the Darknet
Of course to make it a working BlackThrow you would need something more to access it remotely. You could go to the extreme and use Garlicat(http://www.cypherpunk.at/?p=40) but for simplicity I’m just using OpenSSH. OpenSSH is already installed, fairly low bandwidth is required for just remote shell access and you can use dynamic port forwarding over SSH to make it act as a poor man’s VPN/anonymising proxy.
1. On the server’s install of I2P (the Pogoplug) go into the console and make a Standard server tunnel and point it to port 22 on 127.0.0.1. Also make sure you enable “Auto Start”, no other settings should need to be changed. After you start the server tunnel for the first time make note of the Base32 address.
2. On the client’s install of I2p make a client tunnel with a port of your choosing (I used port 22 for consistency), reachable by 127.0.0.1, and insert the Base32 address you found above into the “Tunnel Destination(T):” field.
3. Now you should be able to SSH and dynamic port forward into the Pogoplug.
And that’s it. If you can, set up port forwarding on the NAT router, but the default UDP hole punching behavior should be sufficient. Hopefully these notes are enough for someone with a little experience with Linux and SSH to be able to get a Svartkast up and running. If not, the following may help:
As for how to use dynamic port forwarding, check out
http://www.irongeek.com/i.php?page=videos/sshdynamicportforwarding
My notes on I2P and Tor, hope these are helpful
http://www.irongeek.com/i.php?page=security/i2p-tor-workshop-notes
For an intro to I2P see my section of these talks
http://www.irongeek.com/i.php?page=videos/shmoocon-firetalks-2011
Getting started with the I2P Darknet in Windows
http://www.irongeek.com/i.php?page=videos/getting-started-with-the-i2p-darknet
Installing the I2P darknet software in Linux
http://www.irongeek.com/i.php?page=videos/getting-started-with-the-i2p-darknet
Hosting Hidden Services in I2P: eepSites and SSH
http://www.irongeek.com/i.php?page=videos/i2p-darknet-hidden-servers
Darknets and hidden servers:Identifying the true IP/network identity of I2P service hosts
http://www.irongeek.com/i.php?page=security/darknets-i2p-identifying-hidden-servers
This is not my work but it is so AWESOME that I had to repost it.. please check out the source at http://www.irongeek.com/i.php?page=security/svartkast-pogoplug-dropbox
When I get my AWESOME raspberry pi – I plan on getting it setup to do some penetration testing on the cheap.
Your Pi Belong to us!
