"Raspberry Pi Hacking"

Hacker Hotshot: DJ Palombo @DJPalombo

Tuesday November 6th 2012 at 12pm EST / 9am PST




Max, Concise Courses:
So as I have said before, I am DJ Palombo. The [presentation] name has changed several times now, the name now is "How Raspberry Pi Can Change How People Attack Networks". We just went through who I am, junior at Champlain College, computer digital forensics studying in Dublin Ireland, 20 years old.

DJ Palombo:
So starting off with the basics, "What is the Raspberry Pi?" It is a $35 dollar computer the size of a credit card, runs off of Linux Operating Systems. They just changed their RAM shipping config - it used to ship with 256 RAM, they jumped it up to 512 RAM - same cost which was very nice of them. It has two USB ports, Ethernet Port, Video Out, HDMI Out, so it's fairly useful, low power consumption which I'll get into - which ends up being very useful. You load the Operating Systems on an SD card so your space could range all the way to 64 GIG, that's the highest I've seen. So that's the starting point and gives us a starting point of what the Pi is. This is a picture of a generic Raspberry Pi that looks the same.

From 2:53 minutes onwards: So this slide shows what we are going to go through and what we are not going to go through. First thing, this is not the "be-all-and-end-all" of network attacks and is not meant to be the best thing since sliced bread, it's just another way to show what can be done and something which professionals should know about because it is a viable threat. I just want to put that out there so we start off on the same page.

From 3:25 minutes onwards: What's the theory behind it? It's a cheap and inexpensive computer. I started calling it a "Burner Computer" back when I started working on this presentation, when I was watching the TV show about "Burner Phones" - same concept [in that] they are cheap and disposable if you need to, and it just gives you a certain level of anonymity so that you can continue doing what you need to without being caught. The form factor makes it very easy to work with, and it's like I said, about the size of a credit card and is extremely thin and very easy to hide. You can attack someone within a network rather than attack your way through, it's a lot easier when you have access to a network rather than having to go through the outside, dealing with firewalls and things of that nature so it just gives you easier access to information.

From 4:23 minutes onwards: So what can you do with this? Really you can do whatever you want. I'll be presenting some of my ideas but you definitely don't have to stick with them, this is just some ground work and you can go from there and do whatever you like - it's just some ideas to start you off with.

From 4:41 minutes onwards: You can sniff networks for information and passwords. Once you are inside the network this is easy to do. You can see all the internal network traffic - this is one of the major points because you can do quite a lot of damage just by getting information from the network. You can also try and shut down the network from within just by flooding it, you can do quite a bit by using a small and inexpensive device by getting it inside the network.

From 5:17 minutes onwards: My first concept; there have been lots of studies out there and articles saying that you can build a cluster of these that make a large amount of computing power which is very cool and inexpensive. It's very useful if that's what you are looking to do - to get a lot of power for not that much money. But that's just a starting point, you could do quite a bit from there and that's going to be the meat of this presentation.

So what can you do? Run all the traffic through the Pi. Once you set up the Pi in the middle of a network, all the traffic will be routed through the Raspberry Pi and you can then get whatever information you wanted.

You could Packet Sniff right along with the "Man In The Middle Attack" and get as much information as you want.

From 6:17 minutes onwards: VLAN Hopping. This is one I go into depth in about two slides, which is the ability to get other information other than the network that you think you have access to, it's like there is going to be more information that you should be able to get your hands on if you try properly.

From 6:37 minutes onwards: And finally VOIP sniffing. A lot of big companies are now using VOIP for calling, video chatting and things like that - and we can actually, with this device, record VOIP calls and play them back at a later point and get quite a bit of information there.

Man In The Middle Attacks. OK, just going into a little more depth from the other slides. There is an ability built into Ettercap which is a tool that runs on Linux Operating Systems that is very useful. My original idea was to do it through ARP Poisoning, and telling everything, "Hey bring your traffic over here for a second", but I realized that that gets very noisy on the network, [especially] if a network administrator is checking and tracking all the traffic on the network.

They [the network administrator] will normally be able to see something like that. So [use] something that might be able to DHCP Spoofing so it says, "Hey talk to me", instead of having a lot of information flooding out of the Pi, it just has its own network traffic and is a lot harder to be found out. So all traffic is going to be re-routed through your Raspberry Pi. You can also modify the traffic as it runs through your system, you can get filters online and scripts online and be able to change the traffic and when you send it out it will be able to look like packets, so anyone monitoring the network won't be able to see any difference. So that gives you [some information] as to the damage that can be done.

From 8:44 minutes onwards: VLAN Hopping (in more depth). You can check to see if there are other parts of the network, and listen to their traffic too. You can check to see if there are other parts of the network - most networks do not just run one network, sometimes there are private parts of the network that are not normally seen but once you have access to part of the network you could actually go through and attempt to listen in on other parts of the network. There is a tool that is built into the Raspberry Pi Operating System that is called PwnPi. PwnPi is very similar to Back Track. So, this tool sends out network traffic like it is a VOIP phone and is going to look for other devices across the network and it will listen to other traffic that will tell you if there are any other devices.

From 9:43 minutes onwards: SIP There is a tool that is built into PwnPi that works similar to aircrack in the way that it captures a ton of data that is then able to parse through and rip passwords and piece it together and gain access into the system and do whatever you'd really like to.

From 10:11 minutes onwards: VOIP Attacks. So if you're inside a network, say you put this into the lobby of a big company, why not just listen in on their calls? If you're trying to be malicious, listening in can be quite an easy way to get a lot of information that may or may not be sent out through regular traffic, it might not be emails.

So again using PwnPi, there is a VoiPong, it allows you to sniff calls on the network. Since all the traffic is going through the Pi, it's going through you anyway, so this allows you to see that there is VOIP traffic going through which you could record on a .wav file and then you could just transfer that out of your Pi onto another computer to listen to it later. Like I said earlier, your storage is limited so you wouldn't want a lot of files on there but you can just save it and then kick it out.

From 11:26 minutes onwards: So, for some other options on this, you could definitely use this for hardwire. Like I said, it does have an Ethernet Port built in but it does not have built in wireless, although a wireless dongle will work very easily - just set it up and you're done. There have been quite a few articles out, there was one on Lifehacker a few weeks ago, where you put a Raspberry Pi into one of those surge protectors that has an Ethernet Cord. So you set that up and run the cord into the Pi and then you are able to get all the hardwire traffic as long as people plug into there, again giving you full access to the network. So that is quite a bit of damage you can do because once you have [the device] within surge protection, then you no longer need battery power. Another option is that you could use it for the manufacturer's intended purpose, which technically is education, they made it small and cheap to teach programming.

From 12:45 minutes onwards: So the Surge Protector Pi. For a small cost you can set it up inside the Surge Protector. It is very difficult to find these because it will look just like any other surge protector. Total cost would be about $55 including the Raspberry Pi. Very hard to find with the advantage of hard-wire connectivity, and like I said, you don't need to worry about battery power. Battery power is probably going to be your biggest issue. I was able to build a power pack for the Pi that probably gave me about five hours of power for about $7 from Radio Shack, but that's only about five hours of network traffic. This offers you quite a bit more time to gather information from inside the network. So, that's one of the big threats.

From 13:44 minutes onwards: How to defend against this? The first way is obviously physical security which you cannot stress enough. Monitor the network traffic. There are tools that you are able to see something like this, there is actually a tool in nmap that checks for packet sniffers. If you are running something like that then you should be able to see something like this running on your network. You would also monitor the traffic looking for new devices coming online and check for ARP Poisoning and see it coming through on a wireshark log.

From 14:47 minutes onwards: This is a slide I took from someone at CarolinaCon, "How do you defend against the defenders?" Once an attacker is inside your network they will be able to see your MAC address, so change it periodically, same as the IP address. The more you change it the more you can stop the tracking on you because the information won't be there. Don't be afraid to lose the device, it's a $35 dollar investment and if you lose it, you lose it. It's just another way to do an attack and you should not be worried about it.

From 15:44 minutes onwards: How to prepare yourself? Obtain a Raspberry Pi, you can get it from Element 14 and RS Components that are the two authorized resellers from Raspberry Pi Foundation. Then set up the Pi, I recommend using the PwnPi with whichever distro you want, they have four or five different versions out there and install the tools that you want to use for whatever attack you wanted to do.

Know your toolkit; this might be the most important part. Know what each of your tools does and know how to use it - try using the command line. If you are going to be doing this remotely then you are going to have to learn how to use the command line.

Know your target and your goal, and know what you are looking for and know how you think you can get it so that you will have an idea going in. Figure out how you are going to power it. You can have it with batteries and it's easier to hide, but less information can be gathered. Or, you can do it the hardwire way which is harder to get it in there, but once you get it set up you're pretty much golden for quite some time.

From 17:12 minutes onwards: The Drop-Off. This is dependent on who you are attacking. If you are trying to get information from a doctor's office and are going to use batteries then you can make a Lego case and hide it in the toy box that they have - and once you do that then it's going to be pretty hard to find. Use common sense and be sneaky, don't just have it sitting there in a shiny box out in the open. For example you could hide it in the fake plants that are always in the doctor's office.

From 17:58 minutes onwards: Know your options and know your opponents. What is going to be in that area and know where they might be checking so that you could try and be one step ahead?

So that's pretty much all I have. My Twitter handle is @DJPalombo and I use the hashtag #ProjectRasPi


Questions and answers

Max, Concise Courses:
You did brilliantly, got to tell you, very impressed with your creativity. I've got a couple of questions here. Who are you working with to realize the end-uses?

DJ Palombo:
Getting a lot of help from a friend here and my professor, Richard Messier, who has been helping me out quite a bit so I appreciate his help but a lot of it has just been me sitting down and saying, "If I wanted to do something malicious, how would I do it?"


Max, Concise Courses:
In regards to resources, do you suggest anybody to follow or to research their use of the Raspberry Pi?

DJ Palombo:
There are websites popping up constantly. A lot of my information actually comes from lifehacker. I get a ton of stuff out there. If you Google "Raspberry Pi" on a regular basis you'll get something different each time because there are just so many people doing so many things with it.


Max, Concise Courses:
Last question, are you getting the same enthusiasm from the Dubliners in regard to Raspberry Pi?

DJ Palombo:
Actually I was at a conference a week or two ago, and I mentioned it to somebody and he had played around with the Pi a lot and he said to try the "ARP Attack". I just looked at him and thought, "How could I not have thought of that!?" People here are just as interested in this technology, if not more, than people back home!

