Rogue Pi – A Low Cost Penetration Dropbox (Proposal)
Project Goals
The primary goal is to design and build a low-cost penetration device using the Raspberry Pi and other peripherals. The Rogue Pi will offer a wide variety of applications and capabilities, making it a universal tool for any security analyst. With tools like nmap, the aircrack suite, and Metasploit, it comes well equipped for whatever defenses it’s up against. The LCD display and five-button input add a versatility no other pentesting dropbox offers. With instantaneous visual feedback to let the user know whether the Rogue Pi is ready, there is no more second-guessing about leaving the dropbox or aborting the mission.
The secondary goal is to make the public aware of the dangers of such a device. This will make enforcing IS policy a higher priority for businesses in all fields. Beyond the scope of this project, seminars and training sessions could be introduced to explain the abilities of the Rogue Pi. This will equip employees to combat intrusions and avoid serious catastrophes.
What is the Rogue Pi?
The Rogue Pi is a low-cost, robust penetration dropbox built on top of the recently released Raspberry Pi. It serves as a tool to help promote security awareness, focusing specifically on network devices. Designed to look like a small, inconspicuous device, the Rogue Pi is any system administrator’s worst nightmare. Coming preloaded with an arsenal of hacking tools, it can be quickly plugged into any computer network and then used to access that network remotely. With a built-in USB wireless adapter it can be accessed wirelessly by someone sitting across the street in their car.
What makes the Rogue Pi so useful is that it offers a wide variety of learning outcomes. For example it offers:
- Remote, low-cost pentesting that allows for more efficient time spent auditing and not traveling back and forth
- Creating awareness of not only physical security but also social engineering tactics
- Comprehensive learning tool: the Rogue Pi deals with numerous aspects of information security including physical, social, data leakage, and more.
- Undetected reconnaissance and data exfiltration using covert channels to sneak past IDS systems and firewalls
| Component | Specs |
|---|---|
| Raspberry Pi | |
| LCD Display | |
| Wireless Card | |
| Power Supply | |
| Memory | |
Critical Analysis
In this section, I discuss the current state of network security practices and identify the consequences of poorly implemented policies. Only in the last five years has Information Security received the attention it truly deserves; specifically within the medium to large sized business sector. Upper management is beginning to see the necessity in budgeting for security. But management has not been alone in their failure to notice the importance of security.
When companies hire new employees, their interview questions usually relate to education, previous jobs, strengths and weaknesses and so forth, but they rarely ask anything in regard to computer security. For example: “Would you be able to identify a suspicious device plugged into an Ethernet port?” or “If someone asked to go to the printer room and you didn’t know who they were, would you take them there?” Most employees are completely unaware of the technical dangers that exist and certainly would not be able to spot them in the wild. This oblivious mindset is what leads to a lot of problems.
Practically all organizations have information that requires some type of established protection. This important information may include financial data, electronic funds transfers, access to financial assets, and personal information about clients or employees. Should this data be compromised, the consequences can be very serious, including the loss of customers, criminal actions being brought against corporate executives, civil law cases against the organization, loss of funds, loss of trust in the organization, and the collapse of the organization. To avoid such catastrophes, organizations implement IS security plans that create policies and standards to reduce the avenues of attack.
There appears to be a belief within the computer and the information systems industry that everyone understands the operational security requirements for protecting information. For this reason, most funding for Information Security is funneled to technical mechanisms, and little, if any, funding is designated for security awareness and operational security training. Unfortunately within non-defense related organizations, the assumptions about the level of security awareness of the organization’s employees are incorrect.
In his chapter on social engineering in Firewalls & Internet Security, Peter Tippett writes: “The disclosure of information through non-technical means can and will occur. This type of disclosure can bypass millions of dollars of technical protection mechanisms.” (Tippett, 1996) In many cases, if an attacker wants to gain access to a computer system, all they have to do is ask. More often than not, this technique works because employees do not fully comprehend the value of the information to which they have full access. It does not take much for sensitive information to be disclosed. One wrong move can lead to customer data, financial records, employee records and other private data being disclosed. Surprisingly, login credentials are awfully easy to obtain. Unidentified individuals walk into an office. They explain that they are here to check out one of the printers and say it is an emergency since the Vice President needs to print off some important documents. The receptionist complies and opens the door for the “technician” to plant a Rogue Pi. Inadequate security training can lead to devastating results for a company.
As management wakes up to the 21st century and starts to budget for security, more and more pentesters will be needed to handle the demand of contract jobs. With a tool like the Rogue Pi, security analysts can successfully perform their jobs in a swift and orderly fashion while also having a “wow” factor for the less technical individual. Since budgets are typically signed off by management, it is key to convey these core concepts to management first. Once management is on board and the IS department puts in their yearly budget for security, it won’t be brushed off to the side or flat out declined.
Through training and awareness these types of breaches can be reduced significantly and this is where the Rogue Pi serves its purpose. Holding seminars and training sessions demonstrating how malicious dropboxes work will help convey the points of physical security and social engineering attacks.
Technical Challenges
- Limited system resources on the Raspberry Pi require that all software components are optimized to their fullest potential to avoid lockup.
- Overclocking the ARM processor to handle CPU intensive I/O work will create heat concerns.
- Older security tools and applications will need to be recompiled from source code for the Debian “Wheezy” Linux distribution.
- The Rogue Pi will need to interface with an external LCD display during the on-boot system check.
- A bridged wireless connection must be accessible in case the reverse tunnel cannot successfully connect out.
- The cost of the entire Rogue Pi should not exceed one hundred Canadian dollars.
Hypotheses
It is hypothesized that the Raspberry Pi can be used as a low-cost hardware platform for a pentesting dropbox.
It is hypothesized that the Rogue Pi can be used for creating awareness about network security, physical security, and social engineering attacks.
Project Features
Optimized Linux Distro
The Raspberry Pi, which was first launched in February of 2012, has gathered the attention of thousands of Linux enthusiasts. This has led to a new Linux distribution developed specifically for the Raspberry Pi. The new distro is named Raspbian and is an unofficial port of Debian Wheezy armhf with compilation settings adjusted to produce code that uses “hardware floating point” and will run on the Raspberry Pi. With nightly builds being released, there is still plenty of room for improvement. Even with all the current optimizations for the Raspberry Pi, there are a lot of unnecessary packages which bog down the system. One of the biggest is the Debian desktop environment. Since most Linux tools are command line to begin with, the Rogue Pi will not have a desktop environment. This decision will certainly help keep memory and CPU resources available for more important tasks.
With many tools being available on the Rogue Pi, optimizing each tool for the Pi is key, especially tools which require a lot of CPU time. This is why all applications on the Rogue Pi will be compiled from source. This allows for a lot more flexibility during compile time. Flags can be set to enable or disable certain functionality that will never be needed. At the end of the day, the Rogue Pi is running on limited resources, so every byte counts.
Security Tools
The Rogue Pi is only as good as the applications it comes with. Offering tools for almost any job is the goal of the Rogue Pi. Finding the right tool quickly is accomplished with ease on the Rogue Pi because of its folder hierarchy. Applications are broken down into manageable categories consisting of wireless security, network scanning, enumeration, reconnaissance, and reverse engineering. Unlike other dropboxes which try to include every tool under the sun, the Rogue Pi consists only of tools that are of realistic value. Due to the limited resources it is unreasonable to expect a pleasant experience when performing heavy I/O operations; because of this, all applications are individually compiled from source to obtain every bit of optimization for the platform.
Reverse Tunnel
In best practice scenarios, corporate networks protect their users by setting up perimeter firewalls which block malicious inbound traffic from ever getting in. This can make it difficult or even impossible to communicate with machines on the inside. When planting a Rogue Pi inside of a network, the user is going to want to have remote access to the device from outside of the corporate network. This is where reverse tunnels come into play.
The reverse tunnel works by inverting the connection: instead of the client connecting to the Rogue Pi, the Rogue Pi connects back to the client. Using autossh with the appropriate flags, the Rogue Pi will keep attempting to connect back to a fixed IP address, and if the connection drops at any time it will automatically reconnect to bring the tunnel back up. Because outbound connections are rarely blocked, this method bypasses most hardware and software firewalls, making it a popular approach, and autossh guarantees a persistent shell even when the connection drops.
One flaw of a reverse tunnel is that the user’s external IP address is exposed. To get around this issue, Tor will be used. The Tor network allows for anonymous communication between two separate nodes. Instead of having the Rogue Pi connect back to the user’s home IP, it will first connect into the Tor network, bounce off multiple Tor relays, and then connect back to the home computer. By doing so, this method completely anonymizes all traffic going in and out of the Rogue Pi, making it virtually impossible to track.
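From the defender’s side, the reconnect behaviour described above leaves a recognisable trace: one internal host repeatedly opening outbound SSH sessions to the same external address. The following detection script is an added example, not part of the Rogue Pi project; it runs over constructed iptables-style firewall log lines, and the window and threshold values are assumptions to be tuned per network.

```python
"""Flag autossh-style reverse-tunnel churn in outbound firewall logs.
Added example, not the project's code.  Log lines are constructed samples
in iptables LOG format; the window (600 s) and threshold (3) are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Matches outbound TCP SYN records; only DPT=22 is kept by parse().
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) .*DPT=(?P<dpt>\d+) .*SYN"
)

# Constructed sample: 192.168.1.50 reconnects to 203.0.113.10:22 every few
# minutes (the tunnel pattern); 192.168.1.20 is ordinary traffic.
SAMPLE_LOG = """\
Jan 13 10:00:01 fw kernel: FW_OUT IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=41022 DPT=22 SYN
Jan 13 10:00:04 fw kernel: FW_OUT IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=443 SYN
Jan 13 10:03:12 fw kernel: FW_OUT IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=41030 DPT=22 SYN
Jan 13 10:06:40 fw kernel: FW_OUT IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=41041 DPT=22 SYN
Jan 13 10:07:02 fw kernel: FW_OUT IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=51010 DPT=22 SYN
"""


def parse(log):
    """Return [(timestamp, src, dst)] for every outbound SSH SYN in the log."""
    events = []
    for line in log.splitlines():
        m = LINE.search(line)
        if m and m.group("dpt") == "22":
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("src"), m.group("dst")))
    return events


def find_tunnel_churn(events, window_s=600, threshold=3):
    """Return {(src, dst): n} for pairs with >= threshold SSH SYNs inside any
    sliding window of window_s seconds (the reconnect signature)."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and (stamps[j + 1] - stamps[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                hits[pair] = max(hits.get(pair, 0), j - i + 1)
    return hits


if __name__ == "__main__":
    for (src, dst), n in find_tunnel_churn(parse(SAMPLE_LOG)).items():
        print(f"possible reverse tunnel: {src} -> {dst}:22 ({n} connects)")
```

When the tunnel is routed over Tor, the destination becomes a Tor relay rather than the operator’s address, so this per-pair count alone will not fire; matching destinations against a current Tor relay list is the complementary check.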
Wireless Surveillance
Wireless communication has become an everyday activity, especially within the offices of many businesses, making it a popular target for analysts. Wireless is so popular because it makes it easy for any employee to be mobile with their laptop. This allows the CEO to send off an email and a senior developer to pull the latest files from a repository, all over the airwaves. With improper configuration and security practices, all of this data could essentially be available to prying eyes. This is why the Rogue Pi comes prepared for wireless penetration testing.
With the wireless adapter, a pentester can now perform the following from the Rogue Pi:
- WLAN discovery
- Sniff for IP ranges
- Perform deauth attacks
- Capture / Inject packets to break WEP encryption
- Create Rogue Access Point
The above list will provide a broad range of Wireless penetration attacks which can be tested against any nearby Access Points within range of the Rogue Pi.
On Boot System Check
After looking at other penetration dropboxes such as the pwnie express, sheevaplug, and minipwner, I noticed that none of these devices have any type of visual feedback to let the operator know whether the device is working or not. The Rogue Pi offers a solution to that problem: a built-in LCD panel gives the user a status report during the initial 60 seconds after being plugged in. This removes the uncertainty about whether the device is malfunctioning.
The system check will include the following:
- Can the Rogue Pi obtain an IP via DHCP?
- Can the Rogue Pi ping the default gateway?
- Can the Rogue Pi ping outside of the network, for example http://google.com?
- Can the Rogue Pi connect back to a designated computer over the reverse tunnel?
The RGB LCD will display a message in green text to let you know that a given system check was successful, or in red if it failed. Having a visual cue to let the user know whether the Rogue Pi is running as intended or something went wrong is very valuable and can save the user a lot of time and confusion.
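The four-step check above, written out as an added example (not the project’s own code): each check shells out to standard Linux tools and the results are rendered as green/red LCD lines. The interface name, the control-node address and the use of `nc -z` as the tunnel reachability probe are assumptions; the LCD driver is replaced by a print.

```python
"""On-boot system check for a Raspberry Pi dropbox (added example, not the
Rogue Pi project's code).  Each check takes a `run(argv) -> (rc, stdout)`
callable so the logic can be exercised against canned command output."""
import ipaddress
import subprocess

EXTERNAL_HOST = "google.com"   # from the proposal's check list


def run_cmd(argv):
    """Run a command on the Pi and return (exit status, stdout)."""
    p = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    return p.returncode, p.stdout


def check_dhcp(run, iface="eth0"):          # iface is an assumption
    """True if the interface holds a non-link-local IPv4 address."""
    _, out = run(["ip", "-4", "-o", "addr", "show", "dev", iface])
    for tok in out.split():
        if "/" in tok:
            try:
                if not ipaddress.ip_interface(tok).ip.is_link_local:
                    return True
            except ValueError:
                continue
    return False


def default_gateway(run):
    """Gateway address from `ip route`, or None if no default route."""
    _, out = run(["ip", "-4", "route", "show", "default"])
    parts = out.split()
    return parts[parts.index("via") + 1] if "via" in parts else None


def check_ping(run, host):
    rc, _ = run(["ping", "-c", "1", "-W", "2", host])
    return rc == 0


def check_tunnel(run, peer, port=22):
    """Can the control node's SSH port be reached? (TCP connect via nc -z)"""
    rc, _ = run(["nc", "-z", "-w", "3", peer, str(port)])
    return rc == 0


def system_check(run, peer):
    """Run the four checks in order; a failed gateway lookup fails the ping."""
    gw = default_gateway(run)
    return [("DHCP lease", check_dhcp(run)),
            ("gateway ping", gw is not None and check_ping(run, gw)),
            ("internet ping", check_ping(run, EXTERNAL_HOST)),
            ("reverse tunnel", check_tunnel(run, peer))]


def lcd_lines(results):
    """Render each result as (colour, text) for the RGB LCD."""
    return [("green" if ok else "red", f"{name}: {'OK' if ok else 'FAIL'}")
            for name, ok in results]


def demo_runner(argv):
    """Constructed command output: lease and gateway fine, no internet."""
    if argv[:3] == ["ip", "-4", "-o"]:
        return 0, "2: eth0 inet 192.168.1.50/24 brd 192.168.1.255 scope global dynamic eth0\n"
    if argv[:3] == ["ip", "-4", "route"]:
        return 0, "default via 192.168.1.1 dev eth0 proto dhcp metric 100\n"
    if argv[0] == "ping":
        return (0 if argv[-1] == "192.168.1.1" else 1), ""
    return 1, ""


if __name__ == "__main__":
    for colour, text in lcd_lines(system_check(demo_runner, "203.0.113.10")):
        print(f"[{colour}] {text}")   # stand-in for the LCD driver
```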
Button Interactions
On first deployment, the Pi might not have an internet connection or the user may want to perform a reverse tunnel over Tor instead of directly connecting to their control node. To accomplish this, the user can use the buttons to select either “reverse over tor” or “reverse direct” from the menu system. This is a smaller example of the button functionality.
An even more realistic scenario could be for someone to walk into the room while the user is planting the Rogue Pi. The user might not have enough time to hide the device. Having already transferred data to the Rogue Pi, the user has the option to wipe the device clean, removing all information. The LCD screen along with the five buttons allows the user to enter a secret combination which will wipe the device.
References
Raspbian Installer. (2013, January 1). Retrieved January 13, 2012, from Raspbian: http://www.raspbian.org/FrontPage
Anonymous. (2010, January 1). TOR vs VPN Services. Retrieved January 13, 2013, from tuvpn.com: http://blog.tuvpn.com/2010/01/tor-vs-vpn-services-who-wins/
Anonymous. (2012, November 25). Raspberry Pi Raspbian turning / optimizing. Retrieved from Extreme Shok: http://blog.extremeshok.com/archives/1081
Dunsmore, D. (2012, July 27). Boot without starting X-server. Retrieved January 10, 2013, from Stack Exchange: http://raspberrypi.stackexchange.com/questions/1318/boot-without-starting-x-server
Public, G. (2013, January 4). RPi Performance. Retrieved January 13, 2013, from elinux: http://elinux.org/RPi_Performance
Tippett, P. (1996). Social Engineering: The Non-technical Threat. In P. Tippett, Firewalls & Internet Security (p. 2).
Awesome idea! It definitely gives the raspi a new purpose.