CYA Using a Pi to Pivot

by 0rbytal (0rbytal@burntmail.com)

This article explores one method to cover your tracks online (I haven't actually tried this), and is for educational/informational purposes only.  As with every decision you make in life, if you decide to use this information for nefarious purposes, be prepared to face the (likely negative) consequences.

If you're not familiar with the Raspberry Pi, you've been missing out on a trending piece of hacker hardware!

The Raspberry Pi is a computer about the size of a credit card that runs an ARM processor and has exposed general-purpose input/output ports, HDMI video output, an SD card slot (used to load the OS), two USB 2.0 ports, and a standard LAN port - all for around $35.  Once you install Raspbian, PwnPi, Arch, or some other Linux distribution onto your SD card, the Pi boots from the SD card (which also doubles as the "hard drive" for the system).

I only suggest getting the Raspberry Pi because it's the most affordable portable computer, and I have one.  The technique detailed in this article could just as easily be implemented using a BeagleBone, Parallella, or other super-portable computer.  Since I do not own one of the others, it is up to you to apply this technique to your own configuration.

One of the most important steps in penetration testing and remote exploration is to cover your tracks.

If your activity is traced, you don't want the trail to lead back to you.  For this reason, many explorers base their operations from a free/open Wi-Fi spot or Internet cafe.  However, a cunning (or lazy) digital explorer would prefer to stay at home but make their activity look like it's coming from somewhere else.  This method is called "pivoting," using an intermediate system as a conduit through which all activity is transmitted and received.  Any hacker familiar with the Metasploit Framework understands pivoting, and prefers to pivot to cloak their activity behind another source.

Because the Raspberry Pi can run Linux and be powered by any source with a micro-USB adapter, a creative hacker could design an inconspicuous case for his Pi and stash it somewhere that might be easily overlooked, or never discovered!  So, here's how I might pull off a Pi-Pivot if I were to try it...

Step 1:  Identify an open Wi-Fi connection, or a Wi-Fi Access Point (AP) "secured" with WEP (because it's ridiculously easy to crack).

Step 2:  Register a free No-IP account (noip.com), or some other dynamic-DNS provider that can resolve my registered sub-domain name to my dynamic IP address.

Step 3:  Set up PwnPi (like BackTrack for Raspberry Pi) or Kali Linux on my Raspberry Pi.  Write a script that automatically connects to the Wi-Fi AP (identified in Step 1), then every five minutes tries to connect to my No-IP sub-domain name (registered in Step 2) on some high port number that I'll remember.  By having the Pi call out to me, I don't have to worry about breaching the firewall in front of the Wi-Fi AP.  The Pi would push a remote shell to my system that prompts me to enter a password.  This way, if the Pi is ever scanned and the open port is discovered, the curious port-scanner would have to know the password to get the shell.

Step 4:  Set up a listener on my home system and port forwarding on my router to direct the traffic (on the port chosen in Step 3) to my listening system.

Step 5:  Travel to the Wi-Fi AP (identified in Step 1) and find an inconspicuous place to leave the Pi so it is highly unlikely to be discovered... like sitting atop a ceiling tile.  If there was no outlet nearby to power the Pi, I'd bring some sort of battery pack with a micro-USB adapter to supply the power for my clandestine Pi-Pivot.  Turn on the Pi and leave it.

Once the Pi-Pivot connects to the Wi-Fi AP, it calls out to the No-IP sub-domain name I registered (e.g. pivotpi.no-ip.biz), shoveling a shell to my home system that is listening for the connection on the high-numbered port.  Upon successful connection to my home system, I enter the password, and I'm given a shell to my Pi to be used as a pivot.  Now all of my exploration looks like it's coming from the Raspberry Pi hidden somewhere near the Wi-Fi AP.
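From the network owner's side, the call-home described above is exactly what gives a planted device away: one LAN client dialing the same remote host and high port on a fixed five-minute cadence.  The following detector is an added example (not from the article) that scans constructed router connection-log lines for that pattern; the log format, hostnames and addresses are all made up for the example.

```python
"""Flag LAN clients that beacon to one high port at a regular interval."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one outbound connection per line:
# "<ISO time> <src_ip> -> <dst_host>:<dst_port>".  192.168.1.23 calls the same
# dynamic-DNS name every ~5 minutes; 192.168.1.50 is ordinary user traffic.
SAMPLE_LOG = """\
2013-06-01T10:00:02 192.168.1.23 -> pivotpi.dyndns.example:31337
2013-06-01T10:01:15 192.168.1.50 -> update.example.com:8443
2013-06-01T10:03:45 192.168.1.50 -> update.example.com:8443
2013-06-01T10:05:03 192.168.1.23 -> pivotpi.dyndns.example:31337
2013-06-01T10:07:40 192.168.1.50 -> mail.example.com:993
2013-06-01T10:10:01 192.168.1.23 -> pivotpi.dyndns.example:31337
2013-06-01T10:11:00 192.168.1.50 -> update.example.com:8443
2013-06-01T10:13:00 192.168.1.50 -> update.example.com:8443
2013-06-01T10:15:02 192.168.1.23 -> pivotpi.dyndns.example:31337
2013-06-01T10:20:03 192.168.1.23 -> pivotpi.dyndns.example:31337
"""

def parse_log(text):
    """Turn log lines into (timestamp, src_ip, dst_host, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, _, dst = line.split()
        host, port = dst.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, host, int(port)))
    return events

def find_beacons(events, min_hits=4, min_port=1024, max_jitter=0.05):
    """Return {(src, host, port): interval_s} for flows with a steady cadence.

    A flow qualifies when it hits a high port at least min_hits times and the
    spread of the gaps between hits is at most max_jitter of the mean gap.
    """
    by_flow = defaultdict(list)
    for ts, src, host, port in events:
        if port >= min_port:
            by_flow[(src, host, port)].append(ts)
    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[flow] = round(avg)
    return beacons

if __name__ == "__main__":
    for (src, host, port), secs in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"beacon: {src} -> {host}:{port} every {secs}s")
```

The irregular 8443 traffic from 192.168.1.50 is not flagged, while the 31337 callbacks from 192.168.1.23 come out at a 300-second interval; an unfamiliar MAC address holding that cadence is worth a walk to the ceiling tiles.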

Tracks are now covered.

Things to keep in mind about implementing this:

Go get a Raspberry Pi, explore it, share your results, and Hack All The Things!
