Planting a Hidden System

Quick guide to planting a hidden system elsewhere

Posted by BlackVikingPro on 2017-03-19 15:55:04

So this is a bit of a strange post for me. However, I thought that it may be useful for those involved with field pentesting and such. This idea has been used before, I'm sure of it. However, it wasn't until Mr. Robot came along that it popped into my mind: the fact that you can practically pwn and abuse a network by implanting a private computer system on the target network and using it to your advantage.

I'm referring to the Raspberry Pi in this post. This nifty little tool has proven useful to educators, programmers, pentesters, and many more. This idea was derived from the attack that Elliot and Mr. Robot (along with all the other FSociety members) used, which involved implanting a Raspberry Pi behind a thermostat (cleverly used to power it as well). This was used to pwn the network and set up a VPN within the proximity, thus creating a secured and anonymous connection between the real attackers and the pwned network.

This idea scratched my brain hard enough to make me think more about its possibilities and simplicity. Imagine going to a coffee shop, scanning the network for possible IDSs or firewalls, then, once it is determined to be safe, installing a Raspberry Pi somewhere behind a counter or in the restroom or the like. Then, if the connection was open to everyone, just connect to the open, unsecured network, and pwn the network like so. Simple as Pi ;). Afterwards, just install a VPN server on the Pi and keep the Pi connected to a persistent power connection.

Once you have done this, just wipe fingerprints and other physical footprints (metaphor), and you should be set to start SSH'ing into the Pi or connecting to its VPN service. Or possibly hosting a Tor Hidden Service from it, or maybe a proxy server for anonymous browsing on your end. You could also use it to set up a FakeAP near the network's proximity and phish on the network. I mean, the possibilities are endless. It's a remote service that has victims flooding its proximity 24/7. This attack vector would be insanely hard to trace back to the original hacker, assuming he/she wiped all physical traces and even set up an encrypted LVM on the Pi, as well as locked write access to log files (making the server software unable to log, even if you disabled logging in the config). A paranoid hacker (like me) would also do something clever like set up a persistently running script to listen for physical changes to the Pi, to determine whether some forensics specialist was tampering with it in order to seek out its internal organs so he/she can find you, and then, once some tampering was detected, to automatically self-destruct the Pi. This would really erase most traces of finding you.

Unfortunately, I am not going to display any work that I've done to test/prove this theoretical idea. Instead I just wanted to give a general idea of how such attack vectors would be carried out. I believe this one is by far my favorite, as it could really and truthfully never be traced back to you. However, just make sure you don't attempt to pwn a network with another hacker present. If he/she was determined to do so, they could listen to all network traffic going in and out of your dummy Pi, and gather abundant information needed to report you for a reward. He/she could also potentially convert your Pi from a tool to a honeypot in a protected network AP he/she could set up. So the moral of this: be safe when doing such an attack.

Thanks so much for reading about this fantastic idea, I hope you enjoyed it. Follow me on Twitter if you haven't, at @BlackVikingPro. Come back for more, and peace out!