In the earlier post, we saw various penetration testing kill chain models and how to map tools to the penetration tests. In this article, we will look into some of these tools and techniques to position the Raspberry Pi in order to conduct a successful penetration test.
Addition of non-standard tools to arsenal
Even though Kali Linux comes with a ton of security tools that can be installed via the meta packages,
there are some other useful tools outside of those packages you may need to install to perform the various kill chain phases. Some of these tools may not be required for every task, and some of them may be similar to other security tools that you may already be using, but all these tools can be used as a good starting point. All these tools were installed using apt-get or wget on the command line via a terminal.
- xRDP: A xRDP is an open source Remote Desktop Protocol (RDP) server that will accept RDP connections from any RDP client, such as Microsoft’s Remote Desktop Client.
- tightVNC: A tightVNC is a Virtual Network Computing (VNC) application that allows us to connect to the Raspberry Pi using a VNC client to the VNC server and provides us with a remote desktop that we can manage.
- Responder: The Responder is a Link-Local Multicast Name Resolution (LLMNR), Netbios Name Service (NBT-NS), and MDNS poisoner, with a built-in rogue authentication server for a number of protocols.
- gparted: A gparted is a graphical utility for partitioning the local disk.
- openSSH: The openSSH allows us to connect to the Raspberry Pi securely using a SSH client.
- stunnel4: The stunnel is a proxy between and client and server utilizing TLS.
- squid: A squid is a caching proxy that we used to test our stunnel configuration.
- Driftnet: The Driftnet is a utility used to sniff various image types.
- sslstrip: A sslstrip is a tool that proxies HTTPS connections and sends them as HTTP to the client. This way, items such as credentials can be taken using tcpdump, since they will be in clear text.
- Easy-creds: This leverages other security tools to obtain credentials.
- gedit: The gedit is a GNU Network Object Model Environment (GNOME)-based text editor.
- proxychains: This is a tool that forces TCP connections through a proxy.
- imageMagick: This is a tool for displaying, converting, and editing images.
- shutter: A shutter is a screenshot tool.
- zip: This is an archiving tool for Linux.
- File roller: A file roller is an archive manager.
- snort: A snort is an open source network intrusion prevention and detection system (IPS/IDS).
Positioning the Pi
Where to position the Raspberry Pi for penetration testing also depends on what type of test you are trying to conduct. If you are an internal assessor or auditor testing your own corporate network in a white box penetration test, then you may not have to worry about someone finding your Raspberry Pi and blowing the whole operation. Black box testing is another story where you will want to carefully consider the risks versus the benefits of placing the Raspberry Pi inside the target.
Remember, our main goal here is to test portions of the target’s network to see how effectively the current security controls are working. Generally, the positions where Raspberry Pi can be fixed are as follows:
- Outside the network: If you are starting outside, testing is being done as if an external threat is trying to gain access from the outside of the target network in. Here, you may try and get through the edge security defenses (through a known exploit, weak Firewall ruleset, and so on) to gain access to the network. Alternatively, you may be trying to exploit a publicly available service or website to gain access to that treasured data. Sometimes this is a black hat exercise, but most of the major compliance entities, such as PCI, require external penetration tests to be done on the target environment to make sure these vulnerable services are not publicly facing, and these variants may be white hat in nature.
- Inside the network: The placement here may be required in part of a white hat test, but black hat testing may depend on sustained presence here, and the challenge of getting your Raspberry Pi into a good vantage point without being detected can be substantial. Sometimes there is no substitute for being there, and when it comes to some of the later phases in the Penetration test Kill Chain, it will be essential to have insiders (Raspberry Pi or converted target zombies) to launch those attacks. You will also have to consider the communications with the insider boxes.
If physical detection is a great concern, you can always try and hide the Raspberry Pi within an object, such as a clock or junction box. This sort of placement could allow the Raspberry Pi to listen on the wireless or transparently sniff and harvest all types of information.
You should ensure you are documenting all steps throughout the test, including how you decided upon the placement of the devices and subsequent insertion. This will assist in developing the report, as well as ensuring the customer is aware of where you were and weren’t active in the target environment.