
Little British Spy: a Dropbox on a Raspberry Pi

The big theme of the May issue of Hacker was the Raspberry Pi. We talked to the creator of the "raspberry", Eben Upton, found out what the first year of the project produced and what the little computer will get next year. We also described two concepts built on the Raspberry: an inconspicuous dropbox which, thanks to its size, can quietly collect data from a network (accepting commands over SMS and shipping logs to Evernote), and a video surveillance system integrated with Google Drive. We offer one of these concepts here.




The idea of a dropbox is simple: give a miniature computer a battery and a 3G modem and you get a spy box that quietly plugs into the target network and transmits whatever it collects. The concept can be implemented in full on the Raspberry Pi.


Looking ahead: because of its high power consumption, this dropbox is better suited to working in your own networks. Dropped into somebody else's, it simply would not have enough battery, but the concept is still tempting. We will build it on the PwnPi distribution: set up the modem, learn to receive commands over SMS and send logs to Evernote. I had a Huawei E1550 3G modem (the MegaFon-branded E1550) at my disposal.

Switch to modem mode


Many 3G modems initially present themselves as a disk (so that Windows can install the bundled drivers) and have to be switched into modem mode. The E1550 is one of them: right after plugging it in, no serial port is available:

    # ls /dev/ttyUSB*
    ls: cannot access /dev/ttyUSB*: No such file or directory

Let's look at the description of USB devices:

    # lsusb
    Bus 001 Device 009: ID 12d1:1446 Huawei Technologies Co., Ltd. E1552/E1800/E173 (HSPA modem)

But it is visible as a disk:

    # ls -l /dev/disk/by-id/
    usb-HUAWEI_MMC_Storage-0:0 -> ../../sda
    usb-HUAWEI_Mass_Storage-0:0 -> ../../sr0

To switch it into modem mode, install usb-modeswitch and reboot (other modems may need a different usb-modeswitch configuration):

    # apt-get update && apt-get install usb-modeswitch
    # reboot

Let's look at the description of the USB device again:

    # lsusb
    Bus 001 Device 010: ID 12d1:1003 Huawei Technologies Co., Ltd. E220 HSDPA Modem / E230/E270/E870 HSDPA/HSUPA Modem

The product ID has changed (12d1:1446 became 12d1:1003), and the modem's serial ports are now available:

    # ls /dev/ttyUSB*
    /dev/ttyUSB0  /dev/ttyUSB1



[Figure: Bash greeting in PwnPi]

Modem access with minicom


To check that it works, talk to it as you would to an ordinary modem, using minicom:

    # apt-get install minicom
    # minicom -D /dev/ttyUSB0

Request the manufacturer information with an AT command:

    ati0
    Manufacturer: huawei
    Model: E1550
    Revision: 11.608.12.10.209
    IMEI: < IMEI >
    +GCAP: +CGSM,+DS,+ES
    OK

Exit minicom with Ctrl+A, then Q.

Sakis3G and UMTSkeeper


The first program we need for the 3G modem is Sakis3G, a script that establishes a 3G connection. The project's home page, sakis-3g.org, has been unavailable for some time, but a copy of the script is on SourceForge. Download it, unpack it and make it executable:

    # mkdir ~/3g && cd ~/3g
    # wget http://downloads.sourceforge.net/project/vim-n4n0/sakis3g.tar.gz -O sakis3g.tar.gz
    # tar -xzvf sakis3g.tar.gz
    # chmod +x sakis3g

Install PPP support:

 # apt-get install ppp 

Let's try to establish a connection interactively, entering the required details:

 # ./sakis3g --interactive 

Choose the first item, "Connect with 3G", and in the next prompt choose "11. Custom APN ...". Enter the operator data (here for MegaFon Moscow):

    APN: internet
    APN_USER: megafon
    APN_PASS: megafon

If the connection was established, exit the menu and check Internet access:

 # ping google.com 

The next program, UMTSkeeper (zool33.uni-graz.at/petz/umtskeeper), reconnects automatically when the connection drops. Download it into the same directory, unpack it and make it executable:

    # cd ~/3g
    # wget http://zool33.uni-graz.at/petz/umtskeeper/src/umtskeeper.tar.gz
    # tar -xzvf umtskeeper.tar.gz
    # chmod +x umtskeeper

Test UMTSkeeper, substituting your own values in USBMODEM (the vendor:product ID that lsusb shows after the mode switch) and in CUSTOM_APN, APN_USER, APN_PASS and SIM_PIN (your 3G operator's data):

    # ./umtskeeper --sakisoperators "USBINTERFACE='0' OTHER='USBMODEM' USBMODEM='12d1:1003' APN='CUSTOM_APN' CUSTOM_APN='internet' SIM_PIN='1234' APN_USER='megafon' APN_PASS='megafon'" \
        --sakisswitches "--sudo --console" --devicename 'Huawei' --log --silent --nat 'no'

Check that it works by watching the log in another window:

    # tail -f /var/log/umtskeeper.log
    2013-04-01 10:37:38 Start: interval=4*8s
    Internet status: Modem plugged, not connected to internet.
    2013-04-01 10:38:27 Internet connection is DOWN. Calling Sakis3G connect...
    Sakis3G cmdLine: nice ./sakis3g connect --sudo --console USBINTERFACE='0' OTHER='USBMODEM' USBMODEM='12d1:1003' APN='CUSTOM_APN' CUSTOM_APN='internet' SIM_PIN='1234' APN_USER='megafon' APN_PASS='megafon'
    Sakis3G says... E1550 connected to MegaFon (25002).
    2013-04-01 10:39:20 Testing connection...
    2013-04-01 10:39:37 Success... we are online!

Now add it to /etc/rc.local so that it starts at boot (the line must go before the final exit 0, and ends with & so that boot does not block on it):

    # nano /etc/rc.local
    /root/3g/umtskeeper --sakisoperators "USBINTERFACE='0' OTHER='USBMODEM' USBMODEM='12d1:1003' APN='CUSTOM_APN' CUSTOM_APN='internet' SIM_PIN='1234' APN_USER='megafon' APN_PASS='megafon'" --sakisswitches "--sudo --console" --devicename 'Huawei' --log --silent --nat 'no' &

And check after reboot.


[Figure: Sakis3G interface]

Reverse SSH


To reach PwnPi remotely over 3G, set up a reverse SSH tunnel (this needs a server with a public IP).
So that PwnPi can log in to the server automatically without a password, generate a key pair on PwnPi and copy the public key to the server:

    # ssh-keygen
    # scp /root/.ssh/id_rsa.pub root@< >:/root/

On the server (Debian in this case), append the public key to the authorized keys:

 $ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys 

Now try to connect from PwnPi to the server:

 # ssh root@< > 

The connection should succeed without a password prompt. If a password is still requested and key-based login is being set up for the first time, fix the permissions on the file (and on the directories above it):

    # chmod 755 ~
    # chmod 700 ~/.ssh
    # chmod 600 ~/.ssh/authorized_keys

Now we set up a port forwarding tunnel. From PwnPi:

 # ssh -q -N -R 1221:localhost:22 root@< > 

On the server, port 1221 is now listening, but only on 127.0.0.1:

    # netstat -an | grep 1221
    tcp        0      0 127.0.0.1:1221          0.0.0.0:*               LISTEN

On the server, test the reverse tunnel by connecting to the local port:

 # ssh root@localhost -p 1221 

If everything is right, after entering the PwnPi root password we get a shell on PwnPi. To make the forwarded port reachable on all of the server's interfaces, allow it in sshd. Bear in mind that this exposes PwnPi's SSH login (root, password-based so far) to anyone who can reach port 1221 on the server; either keep the port on 127.0.0.1 and hop through the server, or disable password logins on PwnPi before doing this.

    # nano /etc/ssh/sshd_config
    GatewayPorts yes

Now sshd has to re-read its configuration. Find its PID:

    # ps aux | grep sshd
    ...
    root     23511  0.0  2.1   9920  5376 ?        Ss   13:09   0:00 /usr/sbin/sshd
    ...

And send it a HUP signal (on Debian, sshd logs to /var/log/auth.log):

    # kill -HUP 23511
    # tail /var/log/auth.log

Now, once PwnPi re-establishes the tunnel, the forwarded port is listening on all interfaces:

    # netstat -anp | grep 1221
    tcp        0      0 0.0.0.0:1221            0.0.0.0:*               LISTEN      21990/sshd: root

Create a script that keeps the tunnel up, and make it executable:

    # nano /root/reverse_ssh_tunnel.sh

    #!/bin/sh
    USERHOST=root@< >
    RPORT=22            # SSH port on the server
    FPORT=1221          # port the server will listen on
    CONN=localhost:22   # SSH listener on PwnPi
    COMMAND="ssh -q -N -R $FPORT:$CONN $USERHOST -p $RPORT"

    # Start the tunnel in the background if it is not running (-N never returns on its own)
    if ! pgrep -f -x "$COMMAND" > /dev/null 2>&1; then
        $COMMAND &
        sleep 10
    fi

    # Ask the server whether the forwarded port is really listening; restart the tunnel if not
    if ssh $USERHOST -p $RPORT netstat -an | egrep "tcp.*:$FPORT.*LISTEN" > /dev/null 2>&1; then
        echo 'Connection OK'
    else
        echo 'Restarting connection'
        pkill -f -x "$COMMAND"
        $COMMAND &
    fi

    # chmod +x /root/reverse_ssh_tunnel.sh

Add a crontab entry to run it every minute:

    # crontab -e
    */1 * * * * /bin/sh /root/reverse_ssh_tunnel.sh


Automatically save data to Evernote


There are many ways to hand the data off automatically, from plain e-mail to cloud services such as Google Drive and Evernote. Here we send it to Evernote with the Geeknote utility (www.geeknote.me):

    # wget http://www.geeknote.me/dist/geeknote_latest.deb
    # sudo dpkg -i geeknote_latest.deb
    # geeknote login

Enter your Evernote credentials (only needed once, unless the account changes). Note that the resulting access token is stored on the Pi, so anyone who recovers the device gets the account: a good reason to use a dedicated one. Create a notebook and add a test note:

    # geeknote notebook-create --title "PwnPi"
    # geeknote create --notebook "PwnPi" --title "Test" --content "Test note"

Geeknote can also synchronise the text files in a directory automatically with the bundled gnsync utility. Run it with the following options (here for /root; quote the mask so the shell does not expand it):

    # gnsync --path /root --mask '*.log' --notebook "PwnPi"


SMS control


Unfortunately, the 3G link was not stable here, so as a fallback you can pass commands (a reboot, for instance) and receive notifications over SMS using the Gammu package:

    # apt-get install gammu
    # gammu-config

In the menu, set the port to /dev/ttyUSB1 (/dev/ttyUSB0 is taken by the 3G connection). Query the device:

    # gammu --identify
    Device               : /dev/ttyUSB1
    Manufacturer         : Huawei
    Model                : E1550 (E1550)
    Firmware             : 11.608.12.10.209
    IMEI                 : 351911043904005
    SIM IMSI             : 250026700613366

You can switch on monitor mode and try to send a test message:

    # gammu --monitor
    # echo "test from PwnPi" | gammu sendsms TEXT +7< >

For Russian text (PwnPi does not set a Unicode locale by default), use the --unicode option.


[Figure: Gammu options]

Receive SMS


To receive SMS, install the daemon:

 # apt-get install gammu-smsd 

and set the same modem port in its configuration:

    # nano /etc/gammu-smsdrc
    [gammu]
    port=/dev/ttyUSB1

Run it as a service and watch the log:

    # gammu-smsd --daemon
    # tail -f /var/log/syslog

Incoming messages are saved as files in the inbox directory:

    # cd /var/spool/gammu/inbox && ls
    IN20130402_193338_00_+7< >_00.txt

Each file contains the text of the received SMS. Let's create a script that executes commands from SMS. In the example below, when the text 'uptime' arrives, the output of the uptime command is sent back. Note that this script acts on any message regardless of who sent it; the sender's number is part of the inbox file name, so a real deployment should check it.

    # nano /home/pi/smscheck

    #!/bin/bash
    # Execute commands received by SMS: for the text 'uptime', reply with the output of uptime
    inbox=/var/spool/gammu/inbox
    outbox=/var/spool/gammu/outbox
    for file in "$inbox"/*; do
        [ -f "$file" ] || continue
        cmd=$(cat "$file")
        case "$cmd" in
            "uptime")
                uptime > "$outbox/OUT+7< >.txt"   # reply file, picked up and sent by gammu-smsd
                ;;
        esac
        rm -f "$file"
    done

    # chmod +x /home/pi/smscheck

Since /var/spool/gammu/inbox should already contain our test messages, run the script and make sure it sends the right reply. Then add it to the crontab to run every minute:

    # crontab -e
    */1 * * * * /home/pi/smscheck

Reboot the system and check that the whole setup works.
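The sender check mentioned above, carried through: as an added example (not the article's smscheck), this variant only obeys numbers on an allowlist, refuses commands it does not know, and replies to whoever sent the command instead of a fixed number. It assumes the gammu-smsd FILES backend, whose inbox names have the form IN<date>_<time>_<serial>_<sender>_<seq>.txt and whose outbox accepts OUT<number>.txt; the phone numbers are made up.

```shell
#!/bin/sh
# Added example, not the article's script: a variant of smscheck that only obeys
# senders on an allowlist and replies to whoever sent the command.
# Assumes the gammu-smsd FILES backend, whose inbox file names look like
#   IN20130402_193338_00_+79991234567_00.txt   (date_time_serial_sender_seq)
# and whose outbox accepts reply files named OUT<number>.txt.
# All phone numbers below are made up.

# Sender number = 4th underscore-separated field of the inbox file name.
sms_sender_from_name() {
    basename "$1" | awk -F_ '{ print $4 }'
}

# The command allowlist: anything else is refused with a reply and not executed.
sms_run_command() {
    case "$1" in
        uptime) uptime 2>/dev/null || cat /proc/loadavg ;;
        ip)     ip -4 -o addr 2>/dev/null | awk '{ print $2, $4 }' ;;
        *)      echo "unknown command: $1"; return 1 ;;
    esac
}

# sms_dispatch INBOX OUTBOX "ALLOWED NUMBERS..."
# Processes every inbox file; prints the number of commands that were executed.
sms_dispatch() {
    inbox=$1; outbox=$2; allowed=$3; count=0
    for file in "$inbox"/IN*.txt; do
        [ -e "$file" ] || continue
        sender=$(sms_sender_from_name "$file")
        case " $allowed " in
            *" $sender "*) ;;   # authorised sender
            *)  # anyone else is ignored: the file is removed, nothing is run or replied
                echo "dropping SMS from unauthorised $sender" >&2
                rm -f "$file"
                continue ;;
        esac
        # First line only, lower-cased, CR stripped (phones like to send CRLF)
        cmd=$(head -n 1 "$file" | tr -d '\r' | tr '[:upper:]' '[:lower:]')
        if reply=$(sms_run_command "$cmd"); then
            count=$((count + 1))
        fi
        # Append, so several commands from one sender end up in one reply SMS
        printf '%s\n' "$reply" >> "$outbox/OUT$sender.txt"
        rm -f "$file"
    done
    echo "$count"
}

# Usage on the Pi (as root, from cron), with your own number as the allowlist:
#   sms_dispatch /var/spool/gammu/inbox /var/spool/gammu/outbox "+79991234567"
```

The allowlist is only as strong as caller-ID on the SMS path, so keep the command set tiny and read-only (status queries, a reboot) rather than a general shell.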

Who watches the watcher


Modern microcontrollers offer several facilities that make an unattended embedded device more reliable. One of them is the hardware watchdog timer, which resets the device if it hangs: the program being monitored must reset the timer periodically, and if it stops doing so the timer expires and a reset signal goes to the processor. In Linux, watchdog support has two parts: the watchdog timer driver and the watchdog daemon, which monitors the overall health of the system.

Watchdog driver


Driver module loading:

 # sudo modprobe bcm2708_wdog 

Adding to the list of autoloaded modules:

 # echo "bcm2708_wdog" | sudo tee -a /etc/modules 

The watchdog timer starts when the device is opened. Writing any character resets it; writing the character V and then closing the device disables it (the "magic close"). You can see it in action like this:

 # cat > /dev/watchdog 

Now only the lines you type stand between the system and a reboot (cat passes the text on line by line). Type V and then Ctrl+D to stop the countdown.

Watchdog daemon


The watchdog package contains two daemons: the simplified wd_keepalive and the full watchdog, which offers more. Besides system load it can monitor the amount of free memory, access to particular files, reachability of hosts via ping, and a number of other things.

    # apt-get install watchdog            # install the package
    # update-rc.d watchdog defaults       # enable it at boot

To configure it, uncomment a few lines in /etc/watchdog.conf:

    # nano /etc/watchdog.conf
    watchdog-device = /dev/watchdog
    max-load-1 = 24

Manual start:

 # /etc/init.d/watchdog start 
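The extra checks just mentioned (free memory, reachability of a host, a process that must stay alive) in one configuration, as an added example rather than the article's own settings. The server address is a placeholder, and the pid file only exists if gammu-smsd is started with its --pid option:

```conf
# Added example fragment for /etc/watchdog.conf on an unattended dropbox.
watchdog-device = /dev/watchdog
# The Raspberry Pi hardware timer cannot count beyond about 15 s, so the daemon's
# default 60 s timeout must be lowered and the feeding interval kept well below it.
watchdog-timeout = 15
interval = 5
# The load check from the article, plus a free-memory floor (in pages).
max-load-1 = 24
min-memory = 2048
# Reboot when the tunnel server (placeholder address) stops answering pings;
# on a flaky 3G link this means a reboot after every long outage, which on an
# unattended box is usually preferable to a dead tunnel that nobody can reach.
ping = 203.0.113.10
ping-count = 3
# Reboot if gammu-smsd dies (assumes it was started with --pid=/var/run/gammu-smsd.pid).
pidfile = /var/run/gammu-smsd.pid
```

Restart the daemon after editing the file and watch syslog for a minute: if it complains about the timeout, the hardware limit is lower than the value set.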


Check


The easiest way to test the watchdog setup is a fork bomb on the command line (do this only when you can afford the reboot):

    :(){ :|:& };:

The system will very quickly stop responding and, if everything is configured correctly, it will go into reboot in a few seconds.

Autonomous power


A Raspberry Pi with active Wi-Fi (D-Link DWA-140 B2) and 3G (Huawei E1550) adapters draws about 700-800 mA. Reasonably compact external lithium batteries now reach 20 Ah, which gives roughly a day of autonomy. For a multifunctional device that is very good indeed; a covert installation for any longer, however, needs external power, whether a USB port or the mains.

Summary


For all its apparent frivolity, the Raspberry Pi can become a dangerous tool, although its power consumption limits how long it can run unplugged. Its closest functional analogues, the commercial penetration-testing devices from Pwnie Express, are in a completely different price category.


First published in Hacker magazine dated 05/2013.
Author: Alexander Lykoshin, alykoshin@gmail.com , ligne.ru





Source: https://habr.com/ru/post/183760/

