Raspberry Pis are really a thing of beauty. They’re extremely versatile and can perform multiple tasks in spite of their small size and power. I currently own three! One is currently serving as a Kodi media server at home, and the second is a portable media server for my daughter. I most recently acquired a Pi 2. The Raspberry Pi 2 debuted last month and sports a new hardware configuration: 1 GB RAM and a 900 MHz quad-core ARM processor, which is six times the power of its predecessor, the B+, so of course I had to pick up a full kit from Amazon. This kit, which can be found here, has everything you need for a Pi including the Pi, case, power supply, 8 GB micro SD, WiFi adapter and HDMI cable. Not a bad deal in my opinion.
My goal for this acquisition was to make a miniature pentesting device to which I could connect over WiFi and run a pentest through the Ethernet port. Essentially, I wanted to build a redirection proof of concept. Like in the movies where the hero fools pursuers by leaving a cell phone next to a radio. I wanted to be able to plug in a Pi, hide it, and move around a building and all the while still be able to attack the target network. While there are no-nonsense pentesting builds for the Pi already available, setting up the wireless adapter was going to present a challenge for me. I needed to run in AP mode so I can connect to it, then route the traffic to and from the Ethernet port. While it seems straightforward enough, it was far enough outside my wheelhouse that I wanted to take a little time to make sure everything turned out perfectly.
Lessons Learned
The Kali image for Pi runs smoothly and I have had no issues with it. However, the driver for the wireless adapter that came with the Pi (RaLink 5370) was not recognized and all of my attempts to install the driver would disable wireless networking. So, I decided to move onto Ubuntu Core. Ubuntu Core installed easily and again, worked as it should, except, once again, for the wireless driver. The adapter wasn’t recognized by the OS at all and my attempt at installing the driver failed again. So I ultimately settled on Raspbian. Third time is the charm, as it turns out. The driver worked perfectly, and I had no further issues with the rest of the setup. I should note that I did attempt to use an Alfa Card, but the card I happened to have on hand, an AWUS036H, unfortunately does not support AP mode.
Setting up the Pi 2
The first step is to image the SD card for your build. There are a variety of images that are supported by the Pi 2, from NOOBS to Windows 10 (when it comes out). As stated above, I tried a few different options and ultimately settled on Raspbian because it was designed for the Raspberry Pi and the necessary drivers came pre-packaged. The 8 GB micro SD card that came with the kit didn’t have enough space for my tastes, so I ended up picking up a generic 32 GB card. I used Win32DiskImager to load the Raspbian image onto the SD card, stuck it into the Pi, and plugged in the power cord.
I then spent some time removing some of the bloatware from Raspbian. Raspbian comes pre-loaded with programs like Mathematica and Minecraft that were completely unnecessary for my purposes. It didn’t take long to manually purge them, and I think the extra space may come in handy if I want to add in additional functionality to the device down the line.
The final step is to create the wireless access point. Attention to detail is pretty critical here.
Requirements:
To start off, go ahead and install hostapd and a DHCP server.
apt-get install hostapd isc-dhcp-server
You’ll want to configure the DHCP server first.
1. Setting up the DHCP server:
1.1 Open dhcpd.conf
vim /etc/dhcp/dhcpd.conf
1.2 Find and comment out the lines below by adding a # in front of the line.
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
1.3 Uncomment the following line:
authoritative;
1.4 At the very bottom of the file, add the following:
subnet 192.168.42.0 netmask 255.255.255.0 {
range 192.168.42.10 192.168.42.50;
option broadcast-address 192.168.42.255;
option routers 192.168.42.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local";
option domain-name-servers 8.8.8.8, 8.8.4.4;
}
Note: you can change the IP address to whatever you want, this is just an example.
1.5 Once you’re finished, just save and close the file.
2. Default DHCP server
2.1 Make the wireless adapter the default adapter for the DHCP server.
vim /etc/default/isc-dhcp-server
2.2 Locate INTERFACES="" and change it to match the following:
INTERFACES="wlan0"
2.3 Be sure to save the file before you close it.
3. Configure the wireless interface
3.1 Shut down the wireless interface (assumes a single wireless interface)
ifconfig wlan0 down
3.2 Open the following the network interfaces file.
vim /etc/network/interfaces
3.3 Alter the wlan0 section so that it aligns with your DHCP server settings.
iface wlan0 inet static
address 192.168.42.1
netmask 255.255.255.0
3.4 Save and close.
4. Configure hostapd
4.1 Create the following file and add these lines to it:
vim /etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=WiPi
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=SuperSecure
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
Note: You can modify the ssid, passphrase, channel and mode to whatever you see fit. As always, using a strong passphrase is recommended. Because wpa=2 enables WPA2 only, the rsn_pairwise=CCMP line is the one that takes effect; the wpa_pairwise=TKIP line only applies to WPA1 and is ignored here.
4.2 Save and close the config file.
4.3 Now, you have to tell hostapd where its configuration file is.
vim /etc/default/hostapd
4.4 Find DAEMON_CONF="" and change it to
DAEMON_CONF="/etc/hostapd/hostapd.conf"
4.5 Save and close once the change has been made.
5. Routing and IP Tables
5.1 First, open the following file:
vim /etc/sysctl.conf
5.2 Locate "net.ipv4.ip_forward=1" and uncomment it. Then just save your change and close the file.
5.3 Run the following command to activate forwarding:
sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
5.4 Add the appropriate IP Table rules to route traffic between network adapters:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
5.5 Save your IP Tables to a file called "iptables.ipv4.nat"
sh -c "iptables-save > /etc/iptables.ipv4.nat"
5.6 Re-open your interfaces file
vim /etc/network/interfaces
5.7 Add the following line to the very bottom of the file:
pre-up iptables-restore < /etc/iptables.ipv4.nat
5.8 Save and close.
6. Start the services
6.1 Now you can start the services and see if they run!
service isc-dhcp-server start
service hostapd start
6.2 If all is configured properly, you should be able to find and connect to your new wireless network!!
Notes:
- To set the services to run on startup, run the following command:
update-rc.d hostapd enable
- I had some permissions issues with the DHCP server, so I had to go a roundabout way to run this service as root. Open up the following file:
vim /etc/rc.local
- Then add this line to the end of the file:
sudo service isc-dhcp-server start
- Be sure to save before you exit!
Restart your device and make sure the services are running. You should now be able to connect to the network and pull an IP address.
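Steps 1.4 and 3.3 above must agree: the "option routers" address in dhcpd.conf has to be the static address given to wlan0, and that address must sit outside the lease pool. The following POSIX shell script is an added example (not from the original post) that generates both fragments from one set of variables and cross-checks any two such fragments; the 192.168.42.0/24 values are the post's example numbers, and AP_NET, AP_HOST and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Derive the dhcpd subnet
# block (step 1.4) and the wlan0 stanza (step 3.3) from ONE address so the
# two files cannot drift apart, then cross-check them.
AP_NET=192.168.42      # first three octets of the AP network (assumption)
AP_HOST=1              # Pi's host part -> 192.168.42.1 (assumption)
RANGE_LO=10            # lease pool, matching the post's example
RANGE_HI=50

# Print the dhcpd.conf subnet block.
gen_dhcpd() {
  printf 'subnet %s.0 netmask 255.255.255.0 {\n' "$AP_NET"
  printf '  range %s.%s %s.%s;\n' "$AP_NET" "$RANGE_LO" "$AP_NET" "$RANGE_HI"
  printf '  option broadcast-address %s.255;\n' "$AP_NET"
  printf '  option routers %s.%s;\n' "$AP_NET" "$AP_HOST"
  printf '  default-lease-time 600;\n  max-lease-time 7200;\n'
  printf '  option domain-name "local";\n'
  printf '  option domain-name-servers 8.8.8.8, 8.8.4.4;\n}\n'
}

# Print the /etc/network/interfaces stanza for wlan0.
gen_iface() {
  printf 'iface wlan0 inet static\n  address %s.%s\n  netmask 255.255.255.0\n' \
    "$AP_NET" "$AP_HOST"
}

# check_consistent DHCPD_TEXT IFACE_TEXT
# Returns 0 when "option routers" equals the wlan0 address and that
# address lies outside the range; returns 1 otherwise.
check_consistent() {
  routers=$(printf '%s\n' "$1" | sed -n 's/^ *option routers \([0-9.]*\);.*/\1/p')
  addr=$(printf '%s\n' "$2" | sed -n 's/^ *address \([0-9.]*\).*/\1/p')
  lo=$(printf '%s\n' "$1" | sed -n 's/^ *range [0-9.]*\.\([0-9]*\) .*/\1/p')
  hi=$(printf '%s\n' "$1" | sed -n 's/^ *range [0-9.]* [0-9.]*\.\([0-9]*\);.*/\1/p')
  host=${addr##*.}                       # last octet of the wlan0 address
  [ -n "$routers" ] && [ "$routers" = "$addr" ] || return 1
  [ "$host" -lt "$lo" ] || [ "$host" -gt "$hi" ] || return 1
  return 0
}

# Stand-alone use: print both fragments, then verify they agree.
gen_dhcpd
gen_iface
check_consistent "$(gen_dhcpd)" "$(gen_iface)" && echo "dhcpd and wlan0 agree"
```

Paste the printed fragments into the two files from steps 1.4 and 3.3, or run check_consistent against the fragments you already have before starting the services.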
Install the Tools
If everything went well, test your configuration by using SSH to connect to the Pi (use the IP address you set for the Pi above, obviously). After you’re connected, install your favorite pentesting tools. I highly recommend screen, nmap, Responder and Metasploit to start. I took my newly built device on a recent assessment and used it to run my nmap scans and Responder specifically, and it worked like a charm! It allowed me to focus on (and keep my host’s resources free for) more active testing techniques while the passive stuff ran in the background.
All in all, I’m pretty stoked that the new Pi is capable of running these services efficiently, and I’m pretty excited to use it on future engagements.
Happy hunting!