top of page
  • Writer's pictureORNA

A Splinter in the Network: Weaponizing Mini PCs


You typically trust the people you work with. After all, you interact with them daily and develop camaraderie. Some you feel comfortable enough to get to know better than others, even meeting after work. However, theoretically, what would you do if someone you trusted harbored ill will toward you, a fellow co-worker, or the company?


It might not even be personal, but rather, just another day in the life of a threat actor.


Let’s explore some of the possibilities an attacker could do. While armed with a small, nondescript mini PC such as a Raspberry Pi, small single-board computers (SBCs), which are disposable and were a part of my hacker’s toolkit. One of these tiny PCs could either help me gain access to the network or help me maintain access. Today, they can do so much more.


While on a physical mission, one way I used them to gain access to a local network when I couldn’t locate the router was to find a place to plug one in where it would remain unnoticed. Armed with two wireless antennas, I could connect the device to a public access point, remotely connect to it and take all the time I needed to set the second antenna into monitor mode so I could attempt to break into a local, secured access point.


Interestingly enough, just because a company or establishment has a free public wireless access point doesn’t eliminate the possibility that some employees haven’t connected their devices or workstation to it for some reason.


This presents a unique opportunity for intruders because the company’s assets, whether that be people or network devices, are now exposed to the intruder. Therefore, a competent systems administrator should routinely analyze the private network to ensure that all the devices are up. If a device appears to be missing from the local network, it's imperative to ensure it isn’t connected to the public wireless network, or somewhere else.


Stranger things have happened.


With a connection to the network, the hunt is on to escalate user privileges and traverse the network into more sensitive areas where private data can be stolen or sabotaged. Alas, this is the world we are living in. Thus, outsmarting criminal hackers and disgruntled employees starts with planning ahead and guarding the network like an intelligent war general anticipating an attack. When I led a hacking group of my own, we harbored this same mentality, if not more so.


Public-facing hacking groups are prime targets for competitors looking to make a name for themselves. Naturally, it isn’t uncommon for us to have a security guru responsible for managing our online assets, penetration testing, and securing those assets from rivals.



Raspberry Pi: More than A Network Node


The capabilities of tiny credit card-sized PCs and Raspberry Pi SBCs provide far more utility than merely being used as illicit network nodes. They are incredibly easy to conceal. As a security guard, I had unfettered access to every office and space within the buildings I worked in. This meant I could install my evil nodes anywhere I wanted.


It didn’t matter if I could find a company's router to plug my device into, as long as I could crack or discover the password to the wireless access point, I could power my mini PC anywhere within or outside the facility.


This gave me the opportunity to perform network traffic intercepts while disguising my node as the default gateway, essentially, forcing all traffic to funnel through my device. By poisoning the ARP tables across the network, I would intercept all sorts of juicy sensitive data.


A decent network traffic analyzer can detect ARP cache poisoning, and installing switches can offer a preventative measure against this type of attack. Also, using encryption such as Secure Shell (SSH) or a Virtual Private Network (VPN) will eliminate any data being transmitted plainly across the network as well as to, and from the web.


While highlighting the diverse utility of the Raspberry Pi would amount to a separate article, let’s look at just a few functions that stand out. If I was armed with a Raspberry Pi Zero back in 2009, I would have been able to use the easily concealable device to break into password-protected workstations, using PoisonTap.


This can emulate an Ethernet device over USB and siphon all internet traffic from the machine it’s plugged into. However, it can also steal HTTP cookies and sessions from the user’s web browser. This means that websites and login pages, as well as their credentials, will now belong to the intruder.


If the router isn’t configured to send alerts whenever new devices are introduced onto a protected network, then an attacker is going to have free reign, as I did.


In 2008 I sought employment for a local international television network, simply because I wanted to learn how a television network works, and figure out if I could disrupt live broadcasts and upload my own content on the air.


In all likelihood, it would take a little time to learn how the systems worked, and the applications they used. So, I surmised that the best way to take all the time I needed while not on duty would be to install a splinter on the local network: a mini PC.


There were plenty of stealthy places I could install stealthy malicious devices in the facility and attach it to the local network over Ethernet. Additionally, using a Live Linux distro from a tiny USB thumb drive, I was able to use a password-protected workstation, navigate to the Windows filesystem and scrub the disk drives for passwords, such as Remote Desktop logins, browser cookies, and more. Cracking the hashed Windows login password stored in the SAM registry was a cakewalk.


With my node running freely on the network, I was able to remotely connect to it at my leisure, so I could enumerate a list of connected devices running, and begin traversing the network and looking for interesting machines that could help me understand how the TV network actually functioned.


As long as I compromised one machine on the network, the information I stole from it always provided the data needed to compromise another. All made possible by my illicit little node, hiding undetected.


I could capture keystrokes, and redirect home pages to malicious pages under my control, whatever I wanted. In fact, infecting the captive portal of a local user group was my specialty, because as long as it looked identical to the original, or I was able to modify the original, the user never suspected anything was amiss.


I could install malware onto their computers from the captive portal and that was golden. We didn’t have Ransomware, which wasn’t commonplace in 2009, but it sure is now. Once inside, the possibilities are endless. But automatic downloader scripts were a thing, and introducing malware that wasn’t mainstream onto a computer wasn’t necessarily met with much resistance.


The Red Team benefits of having a splinter in the network would theoretically be priceless. I would like to see how Blue Teams detect the intrusive devices being physically introduced to the network, detect them, spoofed MAC addresses, and all, ultimately preventing them from causing further damage to protected computer systems.



An article by

Jesse McGraw


Edited by

Anne Caminer


54 views

Comments


orna_sh_5_edited.jpg

Rome wasn't built in a day, but your SOC might be.

Subscribe

Weekly cyber insights

Thanks for submitting!

bottom of page