
How to Hack Like a GOD - Master the secrets of hacking through real-life hacking scenarios

Sparc FLOW

Publisher: sparc flow, 2017

ISBN 6610000029907, 118 pages

Format: ePUB

Copy protection: DRM

6.99 EUR


As mentioned before, the idea is to plant a small hardware backdoor in one of GibsonBird’s many shops. This implant will connect back to our computer, giving us remote access to their local network. I say “our computer” but it’s more an anonymous server hosted somewhere on the internet. In my previous book – How to Hack Like a Pornstar – I detailed some common setups to use in hacking jobs. For the sake of completeness, though, I will briefly recap some basic precautions.

 

2.1. Multi-layered approach

Our attacking server, the one receiving and issuing all attack commands, is a private server rented with the cryptocurrency Bitcoin, making it harder to trace through payment systems. You can check out a list of viable providers at the following URL. We will call this machine hereafter the Front Gun (FG) server. It hosts a Kali Linux distribution, a dedicated operating system that comes with many pentesting/hacking tools.

That is not enough, however, to guarantee our personal safety. The Front Gun's IP address will clearly appear as the origin of all attacks should any investigator take the time to piece the evidence together. Furthermore, should they request access to this Front Gun machine or hack it – the government is not the most law-abiding entity, after all – they will clearly see our home IP address in the connection logs. Not good!

We will therefore rely on a Virtual Private Network (VPN) service provider to mask our IP address when connecting to the Front Gun server. VPN providers establish encrypted tunnels concealing our IP address, and thus our identity.

Despite their public agreement not to disclose connection logs (and thus their users' source IP address), it is ludicrous to entirely trust a VPN provider, or Tor for that matter. That's why it is crucial to avoid using your home/university/work IP address. Instead, prefer connecting through public Wi-Fi (a café, train station, etc.) to ensure defence in depth.

As for your local computer, you can choose a volatile operating system that only lives in memory while the USB key is plugged in, for instance. That way, every time you boot up, you start afresh with no data to incriminate you. All hacking tools and data collected from GibsonBird live solely on the Front Gun Server.

You can learn to create a 'live USB' key hosting any Linux distribution on the following page. The TAILS and WHONIX operating systems have had some success in the privacy world, but any Linux distribution will do.

Our attacking infrastructure now fully operational – that was the easy part – let us focus on the hardware implant.

 

2.2. The magical berry

Shopping for success


Contrary to what we might see in most Hollywood movies, our hardware implant will not be a one-inch chip that we stick on a cable in a dark room somewhere, though that image is not too far removed from reality. We will rely on a technology that gained immense success in the DIY realm and conquered the hearts of many tech lovers: the Raspberry PI.

Raspberry PI is a barebones circuit board that contains the essential parts to run a mini computer. It has no screen, keyboard, mouse, or any other fancy add-on, but we will manage to play with it just fine.

We could technically go with any model (A, A+, B, or Zero); the main difference is in the size and computing power. But for the sake of stealth, we will opt for the smallest one, which is known as the PI Zero: 66 mm (2.5 inches) long and 35 mm (1.1 inches) wide.

The PI Zero has 512 MB of RAM and a 1 GHz single-core CPU. It might not seem like much, but it is more than enough to wreak havoc inside a multi-million-dollar brand's network.

1 – Micro SD card slot. The PI does not have a hard drive, so we need to plug in a Micro SD card containing the operating system to boot from. We will opt for the Raspberry Pi version of Kali, though any Linux distribution would theoretically do.

2 – Micro USB to power the PI.

3 – A second micro USB where we can plug in an RJ45 adaptor to connect the PI to a router, for instance.

In total, we need to buy the following items to have a fully functional backdoor:

  • Raspberry PI Zero (~ $5)
  • Micro-USB Ethernet connector (~ $6)
  • Micro-USB power plug, if you do not already have one (~ $3)
  • 16GB micro SD card (~ $8)
  • Hard black cover case to conceal the device (~ $8)

Total: $30!

 

Ready to boot


Once we have all the material in hand, we need to prepare the operating system to run on the PI Zero. As stated previously, we will opt for an ARM version of Kali Linux. It ships with most of the hacking scripts and tools needed to perform the job.

After downloading the '.img' file from the official website, we need to write it to the SD card using appropriate imaging tools. If your lab machine is on Windows, Win32DiskImager will do just fine.

If on a Linux platform, you can perform a simple raw copy using the dd command. The image carries its own partition table, so it is written to the whole card device (/dev/mmcblk0 here), not to a partition such as /dev/mmcblk0p1; confirm the device name with lsblk first, because dd overwrites the target without asking:

root@Lab:~# dd bs=4M if=kali-2.1.2-rpi2.img of=/dev/mmcblk0 conv=fsync

Burning the Kali image creates two partitions on the SD card:

  • A 63 MB boot partition that launches Kali.
  • A partition containing the OS and future data. This partition is formatted as EXT4, so you will not see it on Windows.

Technically, our SD card now contains a functioning operating system that will boot up perfectly when we power on the PI Zero. But since we have no keyboard or monitor to follow the boot process and interact with the machine, we need to make a minor adjustment: we need to make sure the SSH server starts at boot time! SSH stands for Secure Shell and provides remote access to Linux machines.

We plug the SD card into a machine running a Linux distribution (a live Ubuntu on USB, for instance), then add one simple line to the /etc/rc.local file located on the second partition. This partition cannot be viewed on Windows, as stated previously; hence the need for a Unix-flavored system.

 

# Print the IP address
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
  printf "My IP address is %s\n" "$_IP"
fi

# Add the following line to have SSH at boot
# (rc.local already runs as root, so no sudo is needed)
/etc/init.d/ssh start

exit 0

That’s it! Once we hook the PI Zero to a power supply it will automatically boot and start the SSH server after a few seconds.

To find the PI Zero's address, we simply 'ping' all available addresses in the lab network segment (192.168.1.0/24 in my case). A ping sweep sends a 'hello' packet to every address and waits for replies to determine which hosts are up. We can use a tool called nmap, installed by default on Kali, for instance:

root@lab:~# nmap -sP 192.168.1.0/24
Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-08 20:27 CET
[…]
Nmap scan report for 192.168.1.19
Host is up (0.0032s latency).
MAC Address: 00:E0:4C:56:19:CD (Realtek Semiconductor)
[…]
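From the shop's side, the same sweep output is what a defender would diff against a device inventory to spot an implant like this one. The following is an added example (not code from the book): it parses constructed nmap ping-sweep output in the format shown above, flags every MAC absent from an assumed inventory, and annotates MACs whose OUI is registered to the Raspberry Pi Foundation or Raspberry Pi Trading.

```python
import re

# Constructed sample of nmap ping-sweep output in the format shown above (not from the book).
SAMPLE_NMAP = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-08 20:27 CET
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
MAC Address: 00:11:22:33:44:55 (Cisco Systems)
Nmap scan report for 192.168.1.10
Host is up (0.0020s latency).
MAC Address: B8:27:EB:AA:BB:CC (Raspberry Pi Foundation)
Nmap scan report for 192.168.1.19
Host is up (0.0032s latency).
MAC Address: 00:E0:4C:56:19:CD (Realtek Semiconductor)
"""

# Constructed inventory of devices that belong on the store LAN: MAC -> label.
KNOWN_DEVICES = {"00:11:22:33:44:55": "store-router"}
# Raspberry Pi OUIs; a Pi Zero behind a USB Ethernet adaptor shows the adaptor vendor instead.
WATCHLIST_OUI = {"B8:27:EB": "Raspberry Pi Foundation", "DC:A6:32": "Raspberry Pi Trading"}
HOST_RE = re.compile(r"Nmap scan report for (\S+)")
MAC_RE = re.compile(r"MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)")

def parse_nmap_sweep(text):
    """Return (ip, mac, vendor) tuples; hosts nmap prints no MAC for are skipped."""
    hosts, ip = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip = m.group(1)
            continue
        m = MAC_RE.match(line)
        if m and ip:
            hosts.append((ip, m.group(1).upper(), m.group(2)))
            ip = None
    return hosts

def find_rogue_hosts(hosts, known=KNOWN_DEVICES, watch=WATCHLIST_OUI):
    """Flag every host whose MAC is absent from the inventory, noting watchlisted OUIs."""
    findings = []
    for ip, mac, vendor in hosts:
        if mac in known:
            continue
        reason = "MAC not in inventory"
        if mac[:8] in watch:
            reason += f"; OUI registered to {watch[mac[:8]]}"
        findings.append((ip, mac, vendor, reason))
    return findings
```

Because the sweep relies on ARP replies, a device that answers on the segment cannot hide from it; the weak spot is an inventory that is never maintained.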

 

Once we have the PI Zero's IP address, we can connect to it using the ssh command on Linux, or the PuTTY tool on Windows. The default credentials are root/toor.

The first thing we obviously do is change the password, and also the hostname to make it easy to follow later (update the matching entry in /etc/hosts as well, or some tools will complain that the hostname cannot be resolved):

 

root@kali:~# passwd
Changing password for root
(current) UNIX password:
Enter new UNIX password:

root@kali:~# echo 'PIspy' > /etc/hostname
root@kali:~# reboot

Bridges in the sky


The ultimate purpose of the PI Zero is to 'infiltrate' the store's local network and give us interactive access to launch commands from the Front Gun server. What is thought of as a closed local network thus becomes an open network, to our delight.

The shop’s local network is likely to be very similar to that of a regular home network. A small – though possibly more powerful – router will host all devices on a private IP segment and will automatically deny incoming connections from the internet (i.e., from the Front Gun server). Outgoing connections will, however, most likely be allowed! How else can they contact corporate?

The idea, then, instead of connecting directly to the PI as we did in the previous chapter, is to instruct the PI to connect to the Front Gun server! We can use many tools and combinations of scripts to achieve this: tgcd, Metasploit, custom scripts, etc. But we will opt for a native solution: SSH.
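The router's "outbound is allowed" assumption is exactly what the implant exploits, so the defender's counterpart is egress monitoring. As an added example (not from the book), the block below scans constructed netflow-style records from an assumed store segment (192.168.1.0/24) and flags flows to any destination outside an assumed corporate range when they are outbound SSH or unusually long-lived, the two traits of an SSH session held open back to an external server.

```python
import csv
import io
import ipaddress

# Constructed flow records (netflow-style CSV), not taken from the book.
SAMPLE_FLOWS = """\
start,src,dst,proto,dport,duration_s
2017-03-08T20:30:01,192.168.1.5,203.0.113.10,tcp,443,12
2017-03-08T20:30:07,192.168.1.19,198.51.100.77,tcp,22,86400
2017-03-08T20:31:12,192.168.1.7,203.0.113.10,tcp,443,3
2017-03-08T20:32:40,192.168.1.19,198.51.100.77,tcp,443,7200
"""

STORE_LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed store segment
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate ranges
LONG_SESSION_S = 3600  # an hour-long outbound session is unusual on a shop network

def is_corporate(addr):
    """True if the destination belongs to a range the store legitimately talks to."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CORPORATE_NETS)

def find_suspicious_egress(text, long_session=LONG_SESSION_S):
    """Return (src, dst, dport, reasons) for flows that leave the LAN towards
    non-corporate hosts and look like a reverse SSH session or a persistent tunnel."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if ipaddress.ip_address(row["src"]) not in STORE_LAN or is_corporate(row["dst"]):
            continue
        reasons = []
        if row["proto"] == "tcp" and row["dport"] == "22":
            reasons.append("outbound SSH to non-corporate host")
        if int(row["duration_s"]) >= long_session:
            reasons.append("long-lived session")
        if reasons:
            findings.append((row["src"], row["dst"], row["dport"], reasons))
    return findings
```

On a real store network the same logic belongs in the egress firewall as a default-deny rule with an explicit corporate allowlist, with the flow check kept as a detective control for whatever the allowlist misses.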

Ports and services

A small digression to...