I'm still using Mubix's recipe of USB Ethernet + DHCP + Responder == Creds, but here we are using a £4.00 Raspberry Pi Zero instead of the USB Armory or the Hak5 LAN Turtle. Both are awesome products.
Please note that this only works on the RPi Zero. Other RPi's will not work!
1.0 Set up the RPi Zero for Ethernet over USB
Download the latest Jessie Lite from here and write it onto an SD card.
Pop the card out of the card reader and re-insert it to mount it. Take your favorite text editor and edit the following two files in the boot partition.
config.txt: Go to the bottom and add dtoverlay=dwc2 as the last line:
Save the config.txt file.
cmdline.txt: After rootwait (the last word on the first line) add a space and then modules-load=dwc2,g_ether
Save the cmdline.txt file.
Eject the SD card and pop it in your RPi Zero.
Your RPi is now set up to be recognized as an Ethernet over USB device, but the network interfaces at both ends are still unconfigured, so you probably won't be able to do much with it just yet.
Let's boot up the RPi Zero and connect it to the internet to install a DHCP server and grab the Responder scripts while we are at it.
2.0 Preparing the RPi for Attack
For this section I connected my RPi to my Ethernet switch using the OTG cable and a USB to Ethernet converter and SSHed to it. You could use a wireless dongle.
I'm not using the newly created usb0 interface until we are ready to deploy.
Sure, you could share the internet from your PC with the RPi over your newly created usb0 interface, but that's a whole load of configuration with routes and iptables that we would then need to undo when we want to deploy the RPi.
2.1 Installing the DHCP service
We are going to give usb0 a static IP address and install dnsmasq as our DHCP server.
Create a static config for usb0
Using your favorite Linux editor, edit /etc/network/interfaces
Find the usb0 section, or create it, so that it matches the following
Of course you can configure whatever IP address and network you want in here, just make sure that it is consistent with the details that you configure in the DHCP server.
We are using dnsmasq as our DHCP server, which we will also use to point clients at Responder for poisoning.
Throw away the default configuration and use the following:
Note that the IP addresses have to be consistent with the static IP address you configured on the usb0 interface. The important line for the wpad.dat attack is dhcp-option 252, which hands clients the Pi's IP address as their WPAD location so that Responder can serve them.
Also notice that port=0 stops dnsmasq acting as a DNS server, since we want Responder to be the (poisoning) name server.
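From the defender's side, the tell-tale sign of this setup on the wire is a DHCP OFFER or ACK arriving on a freshly appeared USB NIC with option 252 (WPAD) set. The parser below is an added example, not part of the original post; the IP address and WPAD URL in the constructed sample packet are placeholders, not values from the post.

```python
from typing import Dict, Optional

# Constructed example: flag a DHCP OFFER/ACK that carries option 252 (WPAD),
# the dnsmasq setting this post uses to hand clients a proxy config location.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_WPAD, OPT_END = 53, 54, 252, 255
OFFER, ACK = b"\x02", b"\x05"


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Return {option_code: value} from a raw BOOTP/DHCP payload.

    The fixed BOOTP header is 236 bytes, followed by the 4-byte magic
    cookie and then TLV options terminated by 0xff."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:          # single-byte pad option
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def wpad_offer_alert(payload: bytes) -> Optional[str]:
    """Return the advertised WPAD URL if this OFFER/ACK pushes option 252, else None."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSG_TYPE) not in (OFFER, ACK):
        return None
    url = opts.get(OPT_WPAD)
    return None if url is None else url.rstrip(b"\x00").decode("ascii", "replace")


def build_offer(server_ip: str, wpad_url: Optional[str]) -> bytes:
    """Constructed sample OFFER for testing; not captured traffic."""
    ip = bytes(int(x) for x in server_ip.split("."))
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6       # BOOTREPLY, Ethernet, 6-byte MAC
    hdr[20:24] = ip                       # siaddr
    opts = bytes([OPT_MSG_TYPE, 1]) + OFFER + bytes([OPT_SERVER_ID, 4]) + ip
    if wpad_url:
        u = wpad_url.encode()
        opts += bytes([OPT_WPAD, len(u)]) + u
    return bytes(hdr) + MAGIC_COOKIE + opts + bytes([OPT_END])
```

Feed real OFFER/ACK payloads (UDP port 68, stripped of IP/UDP headers) through wpad_offer_alert; any hit on an interface the host did not have a minute ago is worth an alert.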
2.2 Installing Responder
The following commands download Responder and install the necessary dependencies:
The Responder script currently checks whether the Responder.db file exists and creates it if not; if Responder.db exists but is empty, it does not create the tables. The easiest way to deal with this is to delete the file /root/responder/Responder.db and allow the script to recreate it correctly.
2.3 Putting it all together
To get Responder to start when the RPi boots and to shut down once creds have been obtained, add the following to /etc/rc.local
The inotify command watches for Responder.db being updated and then shuts down the Pi. Because we are letting Responder create the Responder.db file, this won't work the first time we deploy the RPi.
To see what the commands are doing you can use screen to watch what is going on:
You can manually check the contents of the sqlite database with the command:
However, the log files under /root/responder/logs include a file that is perfectly formatted for cracking with John the Ripper Jumbo.
This will take some time...
3.0 Deploying the RPi Zero
Just plug the RPi Zero into the target machine using a standard micro USB cable in the USB port (not the PWR IN port). No separate power is needed; the RPi is powered via the USB port like so:
Give the RPi about 20 seconds to boot up, then wait. If you watch the screen on the target Windows PC you will see the Ethernet gadget install, and within about 10 seconds you will see the PC trying to configure the proxy. All being well, the RPi should detect the update to Responder.db and shut itself down. Unplug the RPi.
[ VIDEO ]
This works regardless of whether the screen is locked or not, allowing us to snag the network hashes.
On domain-joined PCs, Windows NLA may kick in, detect a new network and stop the wpad.dat attack from working; however, leaving the RPi plugged in for a short while will still provide a wealth of details about the network for further analysis.
I've had pretty good success with this on various Windows machines; however, I've found that this doesn't work well on VMs, perhaps something to do with the Ethernet gadget drivers.
I'm also looking for better ways to target domain-joined PCs to stop the network detection kicking in and preventing this from working. Let me know if you have any ideas!