The proposed attack is based on Social Engineering (SE) and on the discreet size of the Raspberry Pi. The overall premise of the attack is placing a Raspberry Pi running Kali Linux on a host network without the host's knowledge. There are multiple ways this can be accomplished, and a full analysis of the actual steps of the process falls outside the scope of this project. That said, several assumptions have been made and one description of a possible SE attack will be covered. This is not meant to be a discussion of SE attacks, but a way to demonstrate one feasible method.
The Raspberry Pi is the main hardware used in the attack. It was chosen for its small size, ample processing power, and low power consumption. More detailed information about the Raspberry Pi can be found in the Components section of this website; additional information can also be found at the Raspberry Pi Foundation website. In addition to the Raspberry Pi, a portable battery pack will be used to provide power while connected to the host network. Lastly, a wireless adapter with a range of at least 50 yards will be used to provide remote access.
The Raspberry Pi has several power options due to its low power requirements. Since it needs only 5V at 750mA, most power sources are simply a typical phone charger. However, this low voltage requirement opens a whole realm of possible power sources. Power can be provided by combining several AA batteries, using Power over Ethernet (PoE), or even a portable battery of the kind used to recharge cell phones. In this scenario I chose the latter due to the high amount of reserve power and affordable price. The Limeade 15,600mAh power cell provides plenty of power to execute the attack and costs only around $50.
Performing a test of the battery was quite easy, using a Python script that simulated a relatively moderate load on the processor, Ethernet port, and USB wireless adapter. The test included multiple connections through the WiFi adapter, running Wireshark and ARPSpoof, and capturing packets on the Ethernet port.
The total run time on the 15,600mAh battery was: 22 Hours and 51 Minutes
In my opinion those results are quite impressive for the amount of processing load and data transfer on the Raspberry Pi. Please feel free to use the code to test your own Raspberry Pi.
In addition to the Raspberry Pi and the Limeade battery, a TP-Link TL-WN722N USB adapter is used to allow a remote connection. This adapter uses a 4dBi high-gain omni-directional antenna. Using a similar adapter on a laptop, an ad-hoc network connection was established from a quarter of a mile away with a transfer rate of 100Mbps.
Placing the Raspberry Pi on the Host Network
A full review of Social Engineering and its use in penetration testing falls outside the scope of this project. However, one possible Social Engineering attack vector would be an attacker dressed up as an HVAC maintenance worker who enters the building by showing a fake ID badge. Once inside, they would then request access to a remote part of the building. In a discreet location the Raspberry Pi is then connected to an open Ethernet port and powered by the Limeade battery, giving the attacker almost 23 hours to gather as much data as possible about the organization while having full access to its internal network. The retrieval of the hardware could follow the same process, with the attacker claiming they forgot some tools located in the same area as the installed Raspberry Pi.
If you do not feel the suggested attack is feasible, it is strongly recommended that you take the time to read Social Engineering: The Art of Human Hacking. The Social Engineering attack described above is often used in penetration testing and has a history of being quite successful.
Remote Access of the Raspberry Pi
Access to the Raspberry Pi will occur over the wireless adapter with the attacker located in the parking lot of the target network. This will allow the attacker full access to the host network while maintaining a safe distance.
Man in the Middle Attacks
A Man in the Middle (MitM) attack is one where an attacker intercepts data being sent between two parties and then re-transmits it between them without the knowledge of either the sender or the recipient. This allows the attacker to read the messages sent back and forth, and even substitute the attacker's own data.
In this scenario the data being intercepted is between the client and server, and the target data is the user's credentials. This is an effective attack only if the attacker has the physical ability to intercept the messages being transmitted, which is usually limited by physical access to the network components to which either the client or the server is connected.
The aforementioned proposed attack has the following assumptions:
- Access was gained to the host location without detection.
- The Raspberry Pi is successfully connected to the network and powered by a battery.
- The host location does not have detection capabilities that would detect the presence of a foreign device.
- A connection to the Raspberry Pi is established over a WiFi network by an attacker located in the parking lot of the target network.
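The third assumption above (no capability to detect a foreign device) and the MitM section both point at the same defensive check: the attack depends on a new MAC address appearing on the segment and, during ARP spoofing, on a known IP suddenly resolving to a different MAC. The following script is an added example, not part of this project, that runs both checks over ARP cache snapshots. The input lines imitate Linux `ip neigh show` output, and the known-device inventory, the IP addresses, and the snapshots are constructed sample data; the `b8:27:eb` prefix is the Raspberry Pi Foundation's OUI, the rest of that MAC is made up.

```python
"""Flag foreign devices and IP-to-MAC changes from ARP cache snapshots.

Added example (not the project's own code). Input lines imitate Linux
`ip neigh show` output; the inventory, addresses and snapshots below are
constructed sample data.
"""
import re
from collections import defaultdict

# Constructed inventory of known-good devices: MAC -> description.
KNOWN_DEVICES = {
    "00:11:22:33:44:01": "core-router",
    "00:11:22:33:44:02": "file-server",
    "00:11:22:33:44:03": "hr-workstation",
}

# `ip neigh show` style line: "<ip> dev <iface> lladdr <mac> <state>".
# Entries without an lladdr (e.g. FAILED/INCOMPLETE) have no MAC and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) "
    r"lladdr (?P<mac>[0-9a-f:]{17}) (?P<state>\S+)$",
    re.IGNORECASE,
)

# Constructed snapshot: the segment as it normally looks.
SNAPSHOT_T0 = """
10.0.5.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.5.20 dev eth0 lladdr 00:11:22:33:44:02 STALE
10.0.5.45 dev eth0 lladdr 00:11:22:33:44:03 REACHABLE
"""

# Constructed snapshot: an unknown host has appeared on 10.0.5.199 and the
# gateway's IP now resolves to that host's MAC (what ARPSpoof produces).
SNAPSHOT_T1 = """
10.0.5.1 dev eth0 lladdr b8:27:eb:aa:bb:cc REACHABLE
10.0.5.20 dev eth0 lladdr 00:11:22:33:44:02 STALE
10.0.5.45 dev eth0 lladdr 00:11:22:33:44:03 REACHABLE
10.0.5.199 dev eth0 lladdr b8:27:eb:aa:bb:cc REACHABLE
"""


def parse_snapshot(text):
    """Return {ip: mac} for every resolvable entry in one snapshot."""
    table = {}
    for line in text.strip().splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def unknown_devices(table, known=KNOWN_DEVICES):
    """MACs seen on the segment that are not in the inventory (foreign device)."""
    return sorted({mac for mac in table.values() if mac not in known})


def mac_changes(before, after):
    """IPs whose MAC differs between two snapshots (ARP spoofing indicator)."""
    return {ip: (before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]}


def duplicate_macs(table):
    """MACs that claim more than one IP (one host answering for the gateway too)."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def analyze(before_text, after_text):
    """Run all three checks on a pair of snapshots and return the findings."""
    before, after = parse_snapshot(before_text), parse_snapshot(after_text)
    return {
        "unknown": unknown_devices(after),
        "changed": mac_changes(before, after),
        "duplicates": duplicate_macs(after),
    }


if __name__ == "__main__":
    for key, value in analyze(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{key}: {value}")
```

A single host's ARP cache only covers peers that host has exchanged traffic with, so in practice the same logic is fed from switch MAC tables or DHCP lease logs to see the whole segment; 802.1X or switch port security on the unused wall ports removes the open Ethernet jack the scenario relies on in the first place.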