In today's post, we're taking a trip down my social engineering memory lane, to around April 2013, probably a Thursday at about 5pm. Cast your mind back to 2013: between the horrific Boston Bombing and just months before Edward Snowden released the famous stolen files, a little UK company released the Raspberry Pi, a small form-factor computer that was incredibly cheap. The UK went crazy for it and everyone I knew was desperate to get their hands on one and have a play. After waiting a few weeks I had one in my grubby mitts and, like most people, I had no idea what I was going to do with it, but I knew it would be cool!
A few months later I found myself utilising the Pi in a manner that I don't believe anyone else was doing at that time. Now forgive me, dear reader, as this was way back and I didn't keep all the technical details or many photos. But here is the project proposal in a nutshell:
Can you break into a company, steal a VOIP-capable phone, insert a Raspberry Pi into the device and then get the phone back into the company? The end goal is to have a Wi-Fi access point directly on the internal network that no one will suspect.
The answer, it turns out, is yes, and very easily it seems. Now I am not going to say I invented this type of attack; covert Wi-Fi access was already a thing. It's just... well, let's be polite and say the attempts at the time looked hideous and would make you reel in horror if you saw one.
Anyway, back to the project. Here is the original photograph I took of the phone:
(Note that whilst the phone clearly has power, it displays no IP address as it's not currently plugged into a network cable.)
So we have a couple of things I needed to overcome to create the ultimate covert Wi-Fi access point:
- It must still look and function as a VOIP phone
- The Raspberry Pi needs as little modification as possible
- Kali Linux needs to somehow fit on the Pi so that we can use all the tools of a pentest
As if by some miracle, in March 2013 Kali Linux had been released (a complete reworking, from the ground up, of BackTrack). It's hard to imagine life as a pentester now without Kali or the Raspberry Pi, but back then these were shiny and new. The downside was that getting Kali to run on the Pi was an extremely hard task back then. Once that was done, I just had to work on the physical side.
This is the final result. There are no build instructions but I will do my best to recall what I did.
In the image you can see the Raspberry Pi sitting at a jaunty angle in order to fit inside the case and not foul anything. Given more time I would have desoldered a bunch of stuff like the audio jack and TV outputs. You can see the fancy blue SD card running at some blisteringly slow pace.
A few things to take note of here. The power is being delivered by the black cable on the bottom right near the SD card; the other end of this cable is soldered onto the phone's PCB, where I was lucky enough to find a 5V power feed (roughly where the label is on the blue ethernet cable). This meant that as soon as the phone was plugged in the Pi would have power, with no separate power issues to deal with. Phew!
The other thing to understand is the network connection. You can see the light blue ethernet cable plugged into the RJ45 port of the Pi; the other end is soldered into the network port of the phone itself. This was effectively a hub/vampire tap (if you're not familiar with them, worth a quick google) onto the network, and meant that the phone would still work as a VOIP device whilst also allowing the Raspberry Pi access to the network traffic. We could then spoof the MAC address of the phone and start running our tools from the Pi itself whilst mimicking a phone that was allowed on the network (in case they had 802.1X running).
The final piece of the puzzle is a part you unfortunately can't see in the photograph, but underneath the USB cable (USB keyboard used for setup) is a USB Wi-Fi dongle. It is this that is actually the most important part: once the phone - and therefore the Pi - had booted, this Wi-Fi access point allowed us remote access from the carpark directly onto the Pi and straight onto the client's network.
The first photo actually shows the phone after modification, so you can imagine that when plugged into a network it would be virtually impossible to detect from visual inspection: no additional leads or aerials, and no misbehaviour of the device itself.
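Visual inspection won't catch a device like this, but the network can, because the Pi borrows the phone's MAC address without behaving like a phone. The sketch below is an added example, not part of the original build or post: it checks flow records for phone MACs that use more than one source IP, talk to non-VoIP services or contact too many hosts. The port allow-list, RTP range, peer threshold, record format and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed allow-list of what a desk phone legitimately talks to: (protocol, destination port).
PHONE_PROFILE = {("udp", 53), ("udp", 67), ("udp", 69), ("udp", 123),
                 ("udp", 5060), ("tcp", 5060), ("tcp", 5061)}
RTP_PORTS = range(16384, 32768)   # assumed RTP media range; adjust to your PBX
MAX_PEERS = 5                     # assumed: a phone talks to very few hosts

def in_profile(proto, dport):
    """True if this protocol/port is something a phone is expected to use."""
    return (proto, dport) in PHONE_PROFILE or (proto == "udp" and dport in RTP_PORTS)

def suspicious_phones(flows, phone_macs):
    """Return {mac: [reasons]} for phone MACs whose traffic does not look like a phone."""
    ips, peers, odd = defaultdict(set), defaultdict(set), defaultdict(set)
    for f in flows:
        mac = f["src_mac"].lower()
        if mac not in phone_macs:
            continue                      # only phones from the inventory are profiled
        ips[mac].add(f["src_ip"])
        peers[mac].add(f["dst_ip"])
        if not in_profile(f["proto"], f["dport"]):
            odd[mac].add(f"{f['proto']}/{f['dport']}")
    findings = {}
    for mac in ips:
        reasons = []
        if len(ips[mac]) > 1:             # one MAC, two IP stacks behind it
            reasons.append(f"multiple source IPs: {sorted(ips[mac])}")
        if odd[mac]:                      # e.g. SSH or SMB from a handset
            reasons.append(f"non-VoIP services: {sorted(odd[mac])}")
        if len(peers[mac]) > MAX_PEERS:   # scanning-like fan-out
            reasons.append(f"{len(peers[mac])} distinct peers")
        if reasons:
            findings[mac] = reasons
    return findings

# Constructed sample data (not from the original post): phone inventory and flow records.
PHONES = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
FLOWS = [
    {"src_mac": "00:11:22:AA:BB:01", "src_ip": "10.0.5.21", "dst_ip": "10.0.5.2", "proto": "udp", "dport": 5060},
    {"src_mac": "00:11:22:AA:BB:01", "src_ip": "10.0.5.21", "dst_ip": "10.0.5.2", "proto": "udp", "dport": 20000},
    {"src_mac": "00:11:22:AA:BB:02", "src_ip": "10.0.5.22", "dst_ip": "10.0.5.2", "proto": "udp", "dport": 5060},
    {"src_mac": "00:11:22:AA:BB:02", "src_ip": "10.0.5.22", "dst_ip": "10.0.9.14", "proto": "tcp", "dport": 445},
    {"src_mac": "00:11:22:AA:BB:02", "src_ip": "10.0.5.99", "dst_ip": "10.0.9.15", "proto": "tcp", "dport": 22},
]

if __name__ == "__main__":
    for mac, reasons in suspicious_phones(FLOWS, PHONES).items():
        print(mac, "->", "; ".join(reasons))
```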
I was very proud of this device and how it worked. I am glad that I can now share this creation with the world.
*Edited Saturday 17th August
An old blog post I wrote in 2014 has been found by a good friend. For more of the technical details about this Ph0ne I created, please see the original article here: https://labs.portcullis.co.uk/blog/raspberry-ph0wn/
It's amazing what the years can do to a memory. I forgot the blog post even existed, and that the USB cable was actually a webcam, not a keyboard.