Rogue Device Blog Posts


Rogue Device Spotlight: Reaver Pro II

RISK ASSESSMENT RATING: 5.00

Popularity: 5

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

The Reaver is a common enough device, thanks to its simplicity and how easy it is to acquire. However, its limited capabilities have made it less popular than some of the other pre-built network testing devices on the market.

Simplicity: 7

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

The Reaver was built for simplicity and ease of use, full stop. Not only is the product sold fully built for a reasonable $75.00 on the manufacturer’s website, but even the Amazon reviews focus on ease of use (and the fact that it is sold on Amazon at all says something about the intended audience). However, $75.00 is still quite high when comparing the Reaver’s capabilities to similar devices at similar price points.

Impact: 3

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

The Reaver Pro II simply won’t compromise most systems. It’s meant as a fairly basic tool that is very good at one thing – cracking insecure wireless networks. Even the Reaver Systems blog points out that you should not use the device if you are in a hurry and that for pros familiar with Kali Linux or the original reaver open source tool, the Reaver Pro II might not be the best device to use.

Reaver Pro II

Created by Reaver Systems, the Reaver Pro II is a WiFi penetration testing tool focused on networks with insecure WEP and WPA2 implementations. Requiring minimal configuration, and capable of being controlled entirely through a straightforward web interface, the Reaver Pro II is advertised as one of the easiest methods available to identify and breach vulnerable WiFi networks.
As the name implies, the Reaver Pro II makes extensive use of “reaver-wps”, an open source implementation of the WPS PIN brute forcing attack revealed in 2011 by Stefan Viehböck. The hardware is simply a branded version of the OpenWRT supported Alfa AP121U travel router; the same hardware used in previous versions of the Hak5 WiFi Pineapple.

Hardware Specifications

  • CPU: Atheros AR9331 @ 400 MHz
  • RAM: 32 MB
  • ROM: 8 MB
  • OS: OpenWRT
  • I/O: Ethernet, USB
  • Radios: Atheros AR9331 802.11 b/g/n

Pictures

[image: reaverpro]

Notable Features

Like many other portable penetration testing devices, the Reaver Pro II is based on the popular OpenWRT distribution of Linux. Unfortunately, there is little support or documentation available for modifying the system software on the device. Whereas other OpenWRT devices are easily extendable with the addition of new software packages or even peripheral devices, the Reaver Pro II is essentially a “black box” product meant for fairly basic tasks. This lack of extensibility can be a hindrance for more advanced operators, as it puts arbitrary limits on an otherwise extremely capable software and hardware combination.

The web interface on the Reaver Pro II is designed to be stylish and simple to operate by users of all skill levels; more like configuring a home router than operating a penetration testing device. Configuration and operation of the Reaver Pro II is indeed extremely easy, but much like the limits placed on the hardware and software, more advanced users may feel encumbered by an interface which clearly puts design aesthetics over flexibility.

However, issues with the product’s software design and hardware capability are moot in light of the more pressing functionality issue: fewer and fewer networks are still vulnerable to the WPS brute forcing that the Reaver Pro II is primarily designed to perform. While the product’s WEP cracking functions will make short work of networks still running such an outdated encryption scheme, the number of variables involved in successfully performing a WPS PIN brute force attack makes cracking into a WPS network much less likely (and much slower). The target network needs to have WPS enabled in the first place, and even then, improved protection routines in modern routers may block attempts to guess the PIN after only a few minutes. Even under ideal conditions, the brute force attack employed by reaver can take over 8 hours to successfully recover the key, making this online attack about as easy to track as the sun on a cloudless day.

Conclusion

Between the automatic configuration and slick web interface, the Reaver Pro II is certainly one of the easiest to use penetration testing tools on the market. Almost anyone could pick up a Reaver Pro II and begin scanning for, and gaining access to, vulnerable networks. Priced at an attractive $75, the Reaver Pro II is a dream product for the average person who simply wants to crack their neighbour’s WiFi or determine their own network’s security.
While the Reaver Pro II is admittedly the most polished implementation of reaver-wps available, a security appliance built around a single tool is simply not direct competition to more flexible penetration testing devices. Considering its relatively powerful hardware and the wide range of tools and exploits available to OpenWRT devices, the niche nature of the Reaver Pro II seems like something of a wasted opportunity.

Rogue Device Spotlight: Rubber Ducky

RISK ASSESSMENT RATING: 6.00

Popularity: 6

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

While maybe not well-known in non-security circles, the Rubber Ducky is an InfoSec favorite due to its low price, ease of use, and general quality. The tool is prevalent and accessible enough to qualify as a fairly popular rogue device.

Simplicity: 6

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

Between the pre-built nature of the device and the community forums that provide support and tips, the Rubber Ducky qualifies as one of our more n00b-friendly devices. However, this is still a device that doesn’t just plug and go; it does require some knowledge to use and deploy properly.

Impact: 6

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

The Rubber Ducky, used by an expert in the right setting, can be extraordinarily detrimental – with data storage capabilities and a sleek outer appearance, it fits right into the standard office setting. More impressively, the tool and community allow even a fairly inexperienced user to cause a dent in an organization’s security. All of that ease of use and professional polish only gets the user as far as USB HID spoofing can get you – which can be very far in poorly segmented “tootsie pop” systems, or when executed on an administrator’s system; or not particularly far when faced with an appropriately secured computer or network.

Rubber Ducky

The techniques and hardware needed to perform USB HID spoofing attacks with hobby grade microcontrollers have been fairly common knowledge since at least 2010, but the homebrew nature of most of these devices has kept their numbers relatively low. While it doesn’t take much technical knowledge to construct a functional USB HID spoofing device, putting together a polished and reliable tool that doesn’t look suspicious plugged into a computer is another matter entirely.

Seeing the need for a standardized and professional keystroke injection tool, the team at Hak5 came up with the Rubber Ducky: an easily scriptable USB HID spoofing dongle that is externally indistinguishable from a standard USB flash drive. Beyond the hardware itself, Hak5 has also created a community around developing and sharing scripts for the Rubber Ducky; greatly improving its adaptability and likelihood of success when compared to homebuilt devices.

Hardware Highlights:

  • CPU: AT32UC3B1256 32 Bit AVR @ 60 MHz
  • I/O: Type A USB, JTAG
  • OS: Open Source, scripts written in Duckyscript
  • Storage: MicroSD
  • Supported OSes: Windows, Linux, Mac OS, Android, iOS

Pictures:

[image: rubberducky]

Notable Features:

The most obvious difference between the Rubber Ducky and homebrew solutions is its outward appearance; rather than being a collection of cobbled together circuit boards, the Rubber Ducky looks exactly like a USB flash drive. Plugging it into a computer and leaving it connected looks normal in nearly any setting. The ability to hide in plain sight is a huge advantage for a tool like this, and could easily mean the difference between success and failure for an attacker.

The Rubber Ducky is designed to stay hidden: through the use of composite firmware on the device, it’s possible for it to emulate a USB keyboard while at the same time making its MicroSD card available to the host operating system as a USB storage device. This helps keep the Rubber Ducky hidden: not only does it look like a flash drive, it actually works like one. Equally important, it gives the Rubber Ducky a place to store extracted files on and launch exploits from, opening up numerous possibilities beyond simple keystroke injection.

Programming the Rubber Ducky is made exceptionally easy through the use of “Duckyscript”: a simplistic scripting language not unlike Windows “Batch” files. With Duckyscript, the user only needs to know a handful of plain-English commands to program the hardware; a big improvement over the type of low-level programming necessary to inject keystrokes with a bare microcontroller. Not that any programming is actually required to use the Rubber Ducky: there’s a web-based “Duck Toolkit” which will let users generate a Duckyscript file based on their selected presets, and even a forum and Wiki dedicated to collecting community created scripts.
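Because a keystroke injector types far faster than any human, inter-keystroke timing is one of the few host-side signals a defender has against the attack described above. The following is an added example, not code from Hak5 or from the original post: it scans a constructed keystroke-telemetry log (the `<ts_ms> <device> <key>` format, the 30 ms threshold and the 12-key minimum are all assumptions for this example) and reports any device that emits a long run of keystrokes with sub-human gaps.

```python
"""Flag keystroke bursts faster than a human can type, a defender-side heuristic
for spotting USB HID keystroke injection. Event format and samples are
constructed for this example and are not from the Rubber Ducky project."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds: sustained gaps under 30 ms are beyond human typists, and an
# injector emits long runs of them. Both values are tuning knobs, not vendor facts.
HUMAN_MIN_INTERVAL_MS = 30
BURST_MIN_KEYS = 12


@dataclass
class Burst:
    device: str
    start_ms: int
    end_ms: int
    keys: int

    @property
    def rate_per_sec(self) -> float:
        """Average keystroke rate over the burst (guarding against a zero span)."""
        return self.keys * 1000.0 / max(self.end_ms - self.start_ms, 1)


def build_sample_log():
    """Constructed keystroke telemetry: one line per key as '<ts_ms> <device> <key>'."""
    lines = ["# ts_ms device key  (constructed sample, not real telemetry)"]
    ts = 1000
    for i, ch in enumerate("hello world"):          # a human typist, 80-200 ms gaps
        ts += 80 + (i * 37) % 120
        lines.append(f"{ts} kbd0 {'SPACE' if ch == ' ' else ch}")
    ts = 5000
    for ch in "the quick brown fox jumps over":     # an injector, 8 ms gaps
        ts += 8
        lines.append(f"{ts} hid1 {'SPACE' if ch == ' ' else ch}")
    return lines


def parse_events(lines):
    """Return (timestamp_ms, device) pairs; the key itself is not needed for timing."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, device, _key = line.split(maxsplit=2)
        events.append((int(ts), device))
    return events


def find_bursts(events, min_interval_ms=HUMAN_MIN_INTERVAL_MS, min_keys=BURST_MIN_KEYS):
    """Per device, report runs of at least min_keys keystrokes whose every gap is below min_interval_ms."""
    by_device = defaultdict(list)
    for ts, device in events:
        by_device[device].append(ts)
    bursts = []
    for device, stamps in by_device.items():
        stamps.sort()
        run = stamps[:1]
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev < min_interval_ms:
                run.append(cur)
                continue
            if len(run) >= min_keys:
                bursts.append(Burst(device, run[0], run[-1], len(run)))
            run = [cur]
        if len(run) >= min_keys:
            bursts.append(Burst(device, run[0], run[-1], len(run)))
    return bursts


def scan_sample():
    """Run the detector over the constructed log; the human device yields nothing, the injector one burst."""
    return find_bursts(parse_events(build_sample_log()))


if __name__ == "__main__":
    for b in scan_sample():
        print(f"{b.device}: {b.keys} keys in {b.end_ms - b.start_ms} ms ({b.rate_per_sec:.0f} keys/s)")
```

The per-device grouping matters: a new HID device that starts typing the moment it enumerates is the signature, so correlate the burst with the USB device-arrival event on the host rather than with the user's normal keyboard. Pasted text and macro software will also trip this heuristic, so treat a hit as a trigger for investigation, not as proof by itself.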

 

Conclusion

Compared to the microcontroller-based, homebrew keystroke injectors that came before it, the Hak5 Rubber Ducky is an exceptionally polished device. From the build quality to the software environment and community, the Rubber Ducky takes the best parts of the independent projects that came before it and turns them into a cohesive final product. The importance of a standardized hardware and software platform for keystroke injection experimentation and research can’t be overstated and, at under $50, Hak5 has made entry into the field very affordable.

But for all its advanced features and polish, the Rubber Ducky still can’t escape the reality of keystroke injection. Authentication on the target machine will stop the Rubber Ducky in its tracks, and even a single unexpected dialogue popping up can completely derail the attack. So while it may be a well designed and supported product, its real-world effectiveness is still very much up for debate.

Rogue Device Spotlight: Wireless Printers

RISK ASSESSMENT RATING: 6.00

Popularity: 6

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

While it may not be immediately clear that this is a point of attack, wireless printers are becoming both more common and more vulnerable to attack.

Simplicity: 5

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

Unlike many of our previous posts, the printer is not just a “plug-and-play” rogue device, nor does it have to be built. Instead, the attacker has to rely on knowledge of a device that already exists on the network, and the simplicity of the attack varies with that device.

Impact: 7

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

The impact from a successful attack can be quite devastating – by using the misconfigured printer either as a window into the network or even by simply intercepting the print jobs sent to the printers, sensitive data can be much more easily accessed.

Wireless Printers

Wireless Printers are becoming more and more common around the world, providing convenience in several different ways. However, this convenience comes with a security cost. It is vital to understand the different wireless modes these printers can be in, as well as the dangers of default configurations and how they can be exploited by the bad guys when not properly configured.

Hardware Specifications:

  • CPU: Varies
  • I/O: Varies
  • Radio: Varies
  • Storage: Varies
  • OS: Varies

Photos:

[image: wifiprinter]

Notable Features:

Wireless printers, while thought of as an office convenience, can also be a convenient way for rogue actors to access your network. There are multiple ways in which wireless printers can be used as rogue devices. These are:

  1. Wireless Client
  2. Wireless Access Point (Infrastructure Mode)
  3. Wireless Access Point (Ad-Hoc Mode)
  4. Wireless Printer Web Interface

Mode 1:  Wireless Client

When using the wireless feature of a printer in an environment with a pre-existing, secured wireless infrastructure, the best way to use the printer is to configure it as a wireless client so that it connects to the secured corporate wireless network. By default, most wireless printers are NOT configured as wireless access points, although they do usually have WiFi enabled. This would not necessarily be a security issue if the printer were not set up to automatically connect to the open network used for initial configuration at the factory. Wireless printer manufacturers like HP and Canon use open wireless networks with names like “hpsetup” and “default” to configure large numbers of wireless printers at the factory. The problem is that these open wireless networks are saved in the printer’s “preferred wireless network list.” When WiFi is enabled on the printer and the printer is in range of an open network with the same SSID, the printer will automatically connect to that network, believing it is the default network used to configure it. This makes the printer a wireless client vulnerable to Evil AP attacks, just like many other types of wireless clients that probe for open networks they have previously connected to.

This is a real threat to the corporate network when an attacker tricks the printer into connecting to a malicious access point (Evil AP), which can then potentially take over the printer, dump the memory of sensitive printed documents, install hacker toolsets, and worse, use the printer as a pivot point into the wired network if the printer is also connected via Ethernet. Unfortunately, it is fairly common for someone to order a network printer that also has wireless capabilities, configure only the wired Ethernet connection, and fail to disable WiFi on the printer. In these cases, an attacker can potentially reach the rest of the wired network through the printer’s WiFi card.

This can be easily solved by disabling WiFi completely if only the wired Ethernet connection is intended to access the printer. If wireless is the preferred method of connecting the printer to the network, it is vital to ensure that it is connecting to a wireless network with proper security and encryption. If possible, either remove the default open wireless network from the printer’s preferred network list or disable it from automatically connecting to that open network. This way, even if an attacker manages to de-authenticate the wireless printer from the corporate network, it won’t automatically connect to a known open network like “hpsetup”.

Mode 2: Wireless Access Point (Infrastructure Mode)

As wireless printers have become more prevalent, manufacturers often make the process of connecting to wireless printers even easier by configuring wireless printers to provide their own wireless access points by default so that wireless clients can simply connect to the printer itself. There are several issues here: for one, the default wireless access point the printer broadcasts is usually open, allowing anyone to connect to the printer directly over WiFi.  If the printer is in its default state, an attacker can then access the printer’s configuration and control with a default admin username and password – assuming an admin account is even present in a default configuration (which it usually is not). The attacker then has the capability to compromise almost anything, similar to when the printer is a vulnerable wireless client, except now it can also directly attack any other wireless clients connected to the printer’s wireless access point.

The other major issue for corporate wireless clients is that even if someone eventually locks down the wireless printer’s access point, any corporate wireless client that connected to the printer while it was an open network (no security or encryption) is now potentially vulnerable to an Evil AP attack, whether or not it is still within range of the printer. By default, most wireless clients will automatically connect to an open wireless network they have previously connected to, giving an attacker the ability to hijack corporate wireless clients by tricking them into connecting to a malicious access point pretending to be the open printer network. Again, if the corporate wireless client is also plugged into the wired network via Ethernet, the client can then potentially become a wireless bridge into the wired network.

The key to avoiding this kind of problem is to configure the printer properly for the actual networking needs. If it is intended to be a wireless-only printer, configure it to use encryption and do not also plug it into the wired network. Wireless infrastructure considerations should also be made, such as using strong encryption and security and choosing a proper channel so the printer’s wireless network does not interfere with the rest of the corporate wireless infrastructure. If the printer is intended to be strictly a wired network printer, disable the WiFi card on the device. To ensure corporate wireless clients are not automatically connecting to open wireless networks, remove open networks from the clients’ preferred network list or simply disable automatic connection to a preferred open network when in range.
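Both Mode 1 and Mode 2 come down to the same observable: a device on your floor probing for an open SSID it once joined, whether that is a printer looking for “hpsetup” or a laptop looking for the printer’s old open network. The following is an added example, not code from the original post or any printer vendor: it reads constructed WIDS-style probe-request log lines, flags any client probing for a watch-listed default open SSID (seeded with the two names the post mentions), and maps each hit to the remediation the post recommends using a constructed asset inventory. The log format, the inventory fields and the MAC addresses are all assumptions for this example.

```python
"""Flag wireless clients that probe for known default open SSIDs and map each to
the remediation described in the post. Log format, inventory and addresses are
constructed for this example."""
import re
from collections import defaultdict

# Seed list taken from the post; extend it with your own vendors' setup SSIDs.
DEFAULT_OPEN_SSIDS = {"hpsetup", "default"}

# Constructed WIDS-style record: '<time> probe-req src=<mac> ssid="<name>"'.
PROBE_RE = re.compile(
    r'probe-req src=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) ssid="(?P<ssid>[^"]*)"'
)

SAMPLE_WIDS_LOG = """\
12:00:01 probe-req src=00:11:22:aa:bb:01 ssid="hpsetup"
12:00:02 probe-req src=00:11:22:aa:bb:01 ssid="CorpSecure"
12:00:05 probe-req src=00:11:22:aa:bb:02 ssid="CorpSecure"
12:00:07 probe-req src=00:11:22:aa:bb:03 ssid="default"
12:00:09 probe-req src=00:11:22:aa:bb:03 ssid=""
12:00:11 probe-req src=00:11:22:aa:bb:04 ssid="hpsetup"
"""

# Constructed asset inventory keyed by MAC; bb:04 is deliberately missing.
INVENTORY = {
    "00:11:22:aa:bb:01": {"type": "printer", "wired_uplink": True},
    "00:11:22:aa:bb:02": {"type": "laptop", "wired_uplink": False},
    "00:11:22:aa:bb:03": {"type": "printer", "wired_uplink": False},
}


def parse_probes(text):
    """Yield (mac, ssid) for every probe-request line that matches the record format."""
    for line in text.splitlines():
        m = PROBE_RE.search(line)
        if m:
            yield m.group("mac"), m.group("ssid")


def risky_probers(text, watchlist=DEFAULT_OPEN_SSIDS):
    """Map each client MAC to the sorted list of watch-listed SSIDs it probed for.
    Wildcard (empty-SSID) probes are normal client behaviour and are ignored."""
    found = defaultdict(set)
    for mac, ssid in parse_probes(text):
        if ssid and ssid.lower() in watchlist:
            found[mac].add(ssid)
    return {mac: sorted(ssids) for mac, ssids in found.items()}


def remediation(mac, inventory=INVENTORY):
    """Return the post's recommended fix for the device class behind this MAC."""
    asset = inventory.get(mac)
    if asset is None:
        return "unknown device: locate it and treat it as a rogue client until inventoried"
    if asset["type"] == "printer" and asset["wired_uplink"]:
        return "printer with Ethernet uplink: disable WiFi entirely"
    if asset["type"] == "printer":
        return ("wireless printer: remove the default open SSID from its preferred network list "
                "and join only the encrypted corporate SSID")
    return "client: remove the open SSID from its preferred list and disable auto-connect to open networks"


def report(text, inventory=INVENTORY):
    """Combine the detections with their remediation into one dict keyed by MAC."""
    return {
        mac: {"ssids": ssids, "action": remediation(mac, inventory)}
        for mac, ssids in risky_probers(text).items()
    }


if __name__ == "__main__":
    for mac, entry in sorted(report(SAMPLE_WIDS_LOG).items()):
        print(f"{mac} probed {entry['ssids']}: {entry['action']}")
```

The wildcard-probe exclusion is deliberate: modern clients mostly send empty-SSID probes, so only directed probes for a named open network are evidence of a saved profile. Run this against a feed from your wireless controller or a monitor-mode capture and it doubles as a check that the preferred-network cleanup the post recommends actually took effect.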

 

Mode 3: Wireless Access Point (Ad-Hoc Mode)

This issue has all the same problems as when a printer is a regular wireless access point, except that when wireless clients connect in Ad-Hoc mode they also become open wireless access points themselves that anyone can connect to. Ad-Hoc mode should not be used normally in corporate environments, and is designed to be used more “on the go” in areas where wireless access is not available. These days, it is so trivial to setup a hotspot Access Point on almost any mobile device that Ad-Hoc mode isn’t really needed to provide networking on the fly.

Mode 4: Wireless Printer Web Interface

As manufacturers attempt to make connecting to these wireless printers ever easier, many have added web interface functionality. They generally add a hard drive with simple FTP and a web interface, providing a web server that can be an alternate point of attack. An attacker can then even store stolen data on the printer via the network connection. Any hard drive with pre-installed firmware is also potentially vulnerable to attacks that no amount of proper configuration can fix, giving attackers a potential window into an organization’s network through the printer’s wireless connection.

Conclusion

Unfortunately, it is still very common to see these types of wireless threats in corporate environments due to a lack of proper and thorough configuration of network printers. While one of the most critical threats is a wireless printer being used as a “wireless bridge” to the wired network, the printer is just one type of device that can act as a wireless bridge or wireless entry point into the rest of the corporate network. There are many types of wireless bridge devices that can easily be used as rogue devices, and even in environments with no wireless access these devices can create a doorway into the wired network by transparently creating a wireless bridge access point.

Rogue Device Spotlight: KeySweeper

RISK ASSESSMENT RATING: 3.33

Popularity: 2

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

The KeySweeper can be considered “popular” in the sense that people are talking about it, but real world attacks at this point in its development are unlikely and currently unreported.

Simplicity: 3

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

While the KeySweeper has impressive documentation, it is meant to be built from scratch and is still not a project for a beginner.

Impact: 5

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

Like the KeyGrabber, the impact of the KeySweeper is dependent upon what is typed. Though much of the information would most likely be trivial, a long enough period of data (or certain login information) is of immense value to an attacker.

KeySweeper

Unveiled in January 2015 by security researcher Samy Kamkar, KeySweeper is an open source sniffer for Microsoft wireless keyboards. Built into the case of a standard USB wall charger, the KeySweeper can easily be deployed and hidden without arousing suspicion. Depending on the optional hardware, an individual can construct their own KeySweeper for as little as $10 by following the detailed instructions on Kamkar’s site.

While all of the hardware to construct the KeySweeper is readily available, the skills required to assemble one are far from trivial. In addition, the fact that it targets only a single type of wireless keyboard gives it a rather narrow scope. Still, if taken as a proof of concept for what’s possible with hobby-grade electronics, the KeySweeper is a sobering wake up call.

Hardware Specifications

  • CPU: Arduino or Teensy Microcontroller
  • I/O: NRF24L01+ 2.4GHz
  • Radio: Quad-Band GSM
  • Storage: 1 MB SPI Flash (Optional)
  • OS: Open Source, written in Wiring

Photos

[image: keysweeper]

Notable Features

The KeySweeper is undeniably one of the best-disguised rogue devices ever conceived, to the point that it’s essentially undetectable short of the victim opening it up to see what’s inside. It’s important to note that not only does the KeySweeper hardware fit inside of the USB charger case perfectly, the charger still works after the modification. While the KeySweeper device would be slightly heavier than a standard USB charger given the added hardware, the chances that a potential victim would notice this and become suspicious of the device are very slim.

Considerable thought was put into the KeySweeper’s design, including a number of optional contingency features. Kamkar details additional hardware such as an internal battery to power the electronics while the device is unplugged, and onboard storage to retain data in the event it cannot be retrieved wirelessly. These optional hardware and software features show just how much flexibility is possible with these types of devices and give a glimpse at what’s possible with more development.

While it was technically designed to only target Microsoft keyboards utilizing a specific wireless chipset, Kamkar mentions that other keyboards are likely using similar technology. With open source code and fully documented hardware, it’s possible the KeySweeper, or a device very much like it, will be updated in the future to support keyboards from more manufacturers.

Conclusion

Given its exceptionally narrow scope and very public unveiling, it’s best to consider the KeySweeper a proof of concept. Even if it was ready to be used as a practical rogue device, the skills required to construct one are not trivial, and Kamkar’s documentation isn’t quite detailed enough to allow a beginner to build one unaided.

While the KeySweeper itself may not be a practical threat for most organizations, the technology it demonstrates certainly is. The framework laid out in Kamkar’s documentation and code can be adapted to many other tasks which could benefit from the same covert properties that make the KeySweeper so impressive.

Rogue Device Spotlight: VoCore

RISK ASSESSMENT RATING: 6.67

Popularity: 4

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

While not yet commonly used (to our knowledge), the VoCore’s Indiegogo funding helped it to become well known in theory, if not yet in practice. With its ease of use, low cost, and low physical profile, it is likely that the VoCore will be seen on a more consistent basis in the near future.

Simplicity: 9

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

The VoCore is extraordinarily easy to acquire and use. While DIY kits are available, for slightly more money a fully-assembled unit can be purchased and deployed with extreme ease.

Impact: 7

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

The VoCore is the kind of device that can cause substantial damage in the hands of either an experienced or inexperienced user – with some knowledge of how to properly take advantage of its full capabilities, the VoCore can be used to compromise an entire network. Even an inexperienced user, however, could leave a sizeable security hole in a network’s defenses by simply plugging the device into an Ethernet jack.

VoCore

The VoCore is the perfect example of a low-cost, coin-sized micro-computer that acts as an easy to use transparent wireless bridge. Simply plug this tiny device into your wired network and by default it will immediately start broadcasting an open wireless network. Once a wireless client connects to the VoCore access point, it obtains an IP address directly from the wired network the VoCore is plugged into. What is even scarier is that, because it acts as a “transparent bridge”, the VoCore is virtually undetectable on the wired side of the network: it does not get an IP address on either the wired or the wireless side, so it is invisible and cannot be reached to detect or configure once plugged into the wire. In addition, the wireless chipset on this device supports packet injection and can easily be modified to attack wireless networks or clients and run EvilAP attacks.
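Since a transparent bridge takes no IP address, IP-based discovery and scanning will never see it; what the wired side does see is the layer-2 trace it leaves, namely the MAC addresses of the wireless clients behind it all being learned on one access port. The following is an added example, not code from the VoCore project or from the original post: it parses a constructed switch MAC-address-table dump and flags access ports that learn more than one MAC (or any MAC absent from inventory). The table format, port names, inventory and allow-list are assumptions for this example.

```python
"""Spot a transparent bridge on the wired side from a switch MAC table. A bridge
takes no IP, so the clients' MACs piling up on one access port are the only trace.
Table text, inventory and port names are constructed for this example."""
import re
from collections import defaultdict

# Constructed "show mac address-table"-style dump: '<vlan> <mac> <type> <port>'.
MAC_TABLE = """\
Vlan  Mac Address       Type     Ports
----  ----------------  -------  -----
10    0011.22aa.bb01    DYNAMIC  Gi1/0/1
10    0011.22aa.bb02    DYNAMIC  Gi1/0/2
10    0011.22aa.bb03    DYNAMIC  Gi1/0/7
10    0011.22aa.bb04    DYNAMIC  Gi1/0/7
10    0011.22aa.bb05    DYNAMIC  Gi1/0/7
10    0011.22aa.bb06    DYNAMIC  Gi1/0/24
"""
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\S+\s+(?P<port>\S+)"
)

# Constructed allow-list: ports where several MACs are legitimate (uplinks, hubs,
# IP phones with a PC behind them). Everything else is treated as a single-host port.
MULTI_MAC_PORTS = {"Gi1/0/24"}
# Constructed asset inventory of MACs that are expected on this switch.
KNOWN_MACS = {"0011.22aa.bb01", "0011.22aa.bb02", "0011.22aa.bb06"}


def parse_mac_table(text):
    """Return {port: set(macs)} from the table text, skipping header and rule lines."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ports[m.group("port")].add(m.group("mac"))
    return ports


def suspect_ports(text, allow=MULTI_MAC_PORTS, known=KNOWN_MACS):
    """Flag ports that look like they have a bridge behind them or carry an uninventoried MAC.
    The bridge itself will usually not appear at all; its clients will."""
    findings = {}
    for port, macs in parse_mac_table(text).items():
        unknown = sorted(macs - known)
        if len(macs) > 1 and port not in allow:
            findings[port] = {"reason": "multiple MACs on access port",
                              "macs": sorted(macs), "unknown": unknown}
        elif unknown:
            findings[port] = {"reason": "uninventoried MAC",
                              "macs": sorted(macs), "unknown": unknown}
    return findings


if __name__ == "__main__":
    for port, f in sorted(suspect_ports(MAC_TABLE).items()):
        print(f"{port}: {f['reason']} {f['macs']} (unknown: {f['unknown']})")
```

A single MAC behind the bridge will only trip the inventory check, so keep the inventory current; the multi-MAC rule is what catches the bridge once a second wireless client joins. The same condition is what switch port-security (a maximum MAC count per access port) and 802.1X enforce automatically, which is the preventive control to pair with this detective one.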

 

Hardware Specifications:

  • CPU: RT5350 (360 MHz MIPS)
  • RAM: 32 MB
  • OS: OpenWRT
  • I/O: USB, 10/100M Ethernet, UART, SPI, I2C, I2S
  • Radios: Ralink RT5350
  • Storage: 8 MB SPI Flash

Photos:

[image: VoCore]

Notable Features:

The VoCore is best known for its diminutive size – at merely 25 x 25 mm, it can be placed (and used) almost anywhere. The VoCore is an Indiegogo funded project and can today be easily acquired online, assembled or as a DIY kit, and has been suggested as a low cost WiFi module for inexpensive, home-built connected devices.

Conclusion:

Devices like the VoCore are why it is so important to maintain an awareness of wireless security, especially if your organization does not use wireless networking. Many organizations that do not use wireless have limited awareness or visibility of wireless security threats as they pop up in their environment, mainly due to the thought that “we don’t use wireless so it’s not something we have to worry about”. With inexpensive and readily available wireless bridges and regular APs, it is only a matter of time before someone brings in some type of wireless AP for convenience and opens a major hole into your network. Laptops and mobile devices can also pose wireless security threats in the same manner if not properly locked down.





Rogue Device Spotlight: #r00tabaga MultiPwner

RISK ASSESSMENT RATING: 6.67

Popularity: 7

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

Another one of the “name brand” penetration testing devices, the #r00tabaga’s popularity stems from its usefulness to conduct multiple types of attacks on a tried and tested hardware platform.

Simplicity: 7

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

While the #r00tabaga is another of the pre-built penetration testing tools, its two potential uses make it both slightly more expensive and challenging to use than either of its parts. However, with instructions on how to set up your own #r00tabaga and the availability of purchase online, the tool is fairly simple to acquire, if not quite as easy to use.

Impact: 6

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

Used properly, a #r00tabaga can cause the same damage as a Hak5 WiFi Pineapple or a MiniPwner. As always, how much of the target’s information is exposed depends heavily on how the organization’s security controls are structured, but the #r00tabaga gives a penetration tester an effective route into the target’s networks.

#r00tabaga MultiPwner

Building on the groundwork laid by the MiniPwner and WiFi Pineapple, ACE Hackware’s #r00tabaga MultiPwner combines the best traits of both devices into one exceptionally portable and capable penetration testing tool. The MiniPwner’s OpenWRT core gives the #r00tabaga all the dropbox tools you’d expect, and the WiFi Pineapple’s automated rogue access point functionality makes setting up a cloned network a hands-free affair.

The #r00tabaga MultiPwner is based on the TPLink MR3040 travel router, a device that’s proven popular in the OpenWRT community thanks to its low cost and built-in battery.


Hardware Specifications

  • CPU: Atheros AR7240 @ 400 MHz
  • RAM: 32 MB
  • ROM: 4 MB
  • OS: OpenWRT
  • I/O: Ethernet, USB, Serial
  • Radio: Atheros AR9331 802.11 b/g/n
  • Storage: USB Flash Drive


Photos

[Photo: r00tabaga_ports_compact]


Notable Features

The #r00tabaga operates in two distinct modes, called “MiniPwner” and “Pineapple”, which the operator can switch between by using the “activate minipwner” or “activate pineapple” commands accordingly. Switching modes therefore requires an interactive shell on the device, as well as a reboot to make the switch. This can make mode switching a bit cumbersome in the field.

By default the #r00tabaga operates in MiniPwner mode and creates a WiFi network the operator can connect to for configuration. When switched into Pineapple mode the user connects to the device via the Ethernet port, and the #r00tabaga will start cloning WiFi networks that client devices are looking for. Once clients have connected, the #r00tabaga has access to the full suite of WiFi Pineapple Infusions in addition to the standard penetration testing tools.
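The cloning behaviour described above is also what a wireless IDS looks for from the defender’s side. The following is an added example, not code from the ACE Hackware project or from the original post, that applies two simple rules to a scan: a known SSID appearing on a BSSID outside the authorized inventory (an evil twin), and a single BSSID advertising several unrelated SSIDs, which is how a Pineapple-style device answering client probe requests presents itself to a passive scanner. The inventory, BSSIDs and SSIDs are constructed sample values; in practice the records would come from a WIDS sensor or `iw dev wlan0 scan` output.

```python
from collections import defaultdict

# Constructed sample inventory of authorized access points: SSID -> set of BSSIDs.
# These MAC addresses are placeholders, not real hardware.
AUTHORIZED_APS = {
    "CorpWiFi": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "CorpGuest": {"00:11:22:aa:bb:01"},
}

# Constructed scan records in the shape (bssid, ssid), as a WIDS sensor would collect them.
SAMPLE_SCAN = [
    ("00:11:22:aa:bb:01", "CorpWiFi"),
    ("00:11:22:aa:bb:01", "CorpGuest"),
    ("00:11:22:aa:bb:02", "CorpWiFi"),
    ("de:ad:be:ef:00:01", "CorpWiFi"),      # known SSID from a radio not in the inventory
    ("de:ad:be:ef:00:01", "HomeNetwork"),   # the same radio answering unrelated probes
    ("de:ad:be:ef:00:01", "Starbucks"),
    ("de:ad:be:ef:00:01", "attwifi"),
    ("66:77:88:99:aa:bb", "NeighborNet"),   # ordinary third-party AP, one SSID
]

# A legitimate AP with a guest network advertises two SSIDs; three or more unrelated
# SSIDs from one BSSID is the signature of a device cloning whatever clients probe for.
MULTI_SSID_THRESHOLD = 3


def analyze_scan(records, authorized=AUTHORIZED_APS, threshold=MULTI_SSID_THRESHOLD):
    """Return a list of findings, each a dict with the offending BSSID and the rule hit."""
    ssids_by_bssid = defaultdict(set)
    for bssid, ssid in records:
        ssids_by_bssid[bssid.lower()].add(ssid)

    findings = []
    for bssid, ssids in sorted(ssids_by_bssid.items()):
        # Rule 1: one of our SSIDs is being advertised by a BSSID we do not own.
        for ssid in sorted(ssids):
            if ssid in authorized and bssid not in authorized[ssid]:
                findings.append({"bssid": bssid, "rule": "evil_twin", "ssid": ssid})
        # Rule 2: a single radio is advertising many unrelated networks at once.
        if len(ssids) >= threshold:
            findings.append({"bssid": bssid, "rule": "multi_ssid", "count": len(ssids)})
    return findings


if __name__ == "__main__":
    for finding in analyze_scan(SAMPLE_SCAN):
        print(finding)
```

Both rules are deliberately cheap so they can run on every scan interval; an alert on `multi_ssid` is worth correlating with client association logs, since a cloning device only becomes dangerous once a client actually joins it.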

Since it’s based on open source projects, the #r00tabaga can be built from the ground up by a user who’s willing to spend the time working on their own TPLink MR3040 hardware. The team at ACE Hackware even provides instructions on how to set up your own #r00tabaga from the stock OpenWRT image.


Conclusion

Combining the MiniPwner and WiFi Pineapple software into one device is a logical evolution of these popular open source penetration testing projects, but the somewhat awkward process of switching between them hinders the overall experience. Further development to more seamlessly merge these two projects would create a formidable penetration testing device.

The #r00tabaga is more expensive than either of the products it’s based on, though at only $150 it’s still very affordable. Enabling users and developers to build their own version of the #r00tabaga from the OpenWRT sources offsets the higher cost to a degree, but the lack of clear and concise documentation makes this process more difficult than it could be.



Rogue Device Spotlight: Wireless KeyGrabber

RISK ASSESSMENT RATING: 8


Popularity: 7

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

The KeyGrabber is a series of devices, all of which are marketed for legitimate commercial use, though they lend themselves just as readily to other, perhaps more questionable purposes.


Simplicity: 10

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

The KeyGrabber stands alone in incredible ease of use. The device is sold commercially as a way of tracking children’s online whereabouts and employee productivity, so it is designed for the most inexperienced user. With a DIY kit and multiple models, the tool is also easily accessible.


Impact: 7

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

The impact of a KeyGrabber is entirely a function of what is typed: while most organizations cannot be taken down by the contents of an employee’s daily email, a few stolen username/password combinations could prove disastrous to the organization.


Wireless KeyGrabber

Created by KeeLog, the KeyGrabber product line includes no fewer than 6 distinct types of devices designed for the express purpose of capturing, storing, and reporting intercepted keystrokes from a locally connected keyboard. Each one is intended for a slightly different deployment, from a bare PCB the user needs to solder into the keyboard to “nano” sized units that easily slip between the computer and peripheral. KeeLog even offers an open source DIY keylogger that anyone can build around an Atmel microcontroller.

KeeLog’s top of the line product is the KeyGrabber Wi-Fi Premium, an Internet-connected keylogger, which allows for device configuration and data retrieval over the local network or Internet. Once a KeyGrabber Wi-Fi Premium is properly deployed, it could be left operational on-site indefinitely.


Hardware Specifications

  • I/O: PS/2 or USB
  • Radio: 802.11 WiFi (open/WEP/WPA/WPA2)
  • Storage: 4 GB
  • OS: Closed Proprietary
  • Supported OS: OS Independent
  • Battery: Internal battery good for 7 years


Photos

[Photo: wifi_hardware_keylogger_06]


Notable Features

Traditional keyloggers use a special combination of keys which must be pressed to access the device’s internal menu and dump the data out to a text file. This requires the operator to recover the device from wherever it’s been deployed, often a risky proposition. But with its network connectivity, configuring the KeyGrabber and recovering the stored keystrokes can be done without having physical access to the device.

Captured data can be sent out as periodic email messages, or downloaded directly from a computer on the same network. By sending the data out as an email message the KeyGrabber doesn’t require anything more than a valid email recipient and can easily get around inbound firewalls.

In addition to network connectivity, the KeyGrabber can also be put into a USB Mass Storage mode which makes the host operating system see it as a standard 4 GB USB flash drive. The stored keystrokes, as well as the device’s configuration files, are then accessible as standard plain-text files on the drive.


Conclusion

Software keyloggers are harder to install and could be detected by security software on the local computer, making them difficult to use effectively. By using a hardware-based approach, the KeyGrabber is effectively invisible to the host operating system, greatly reducing the chances it will be discovered.

Not having to physically recover the device to collect the captured data on the KeyGrabber Wi-Fi Premium makes it considerably more effective than traditional local-only keylogger devices. Remote command and control even opens up the possibility of running large numbers of keyloggers on the same network, a task which would not be feasible otherwise.

On the other hand, connecting to the network makes the KeyGrabber detectable to those who know what to look for. The risk of picking the KeyGrabber up on a WiFi scan has to be balanced against the considerable advantage network connectivity offers.
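The two network-side tells described in this post, a device that joins the network but belongs to no one, and a host that sends email straight out rather than through the corporate relay, can be checked from data most networks already have. The following is an added example, not code from KeeLog or from the original post, that parses dnsmasq-style DHCP lease lines, flags any lease whose MAC is not in an asset inventory, and flags outbound SMTP (ports 25, 465, 587) from any host other than the mail relay, raising the severity when both conditions meet on the same address. The inventory, lease lines, flow records, MAC and IP addresses are all constructed sample values.

```python
import re

# Constructed asset inventory of known MAC addresses (placeholders, not real hardware).
KNOWN_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Hosts permitted to speak SMTP across the network boundary: the corporate mail relay (constructed).
ALLOWED_MAIL_SENDERS = {"10.0.0.25"}
SMTP_PORTS = {25, 465, 587}

# Constructed dnsmasq lease lines: <expiry> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1700000000 00:11:22:33:44:01 10.0.0.51 alice-laptop 01:00:11:22:33:44:01
1700000000 00:11:22:33:44:02 10.0.0.52 bob-laptop 01:00:11:22:33:44:02
1700000000 aa:bb:cc:dd:ee:ff 10.0.0.77 * *
"""

# Constructed flow records in the shape (src_ip, dst_ip, dst_port), as exported by a
# flow collector or a firewall connection log.
SAMPLE_FLOWS = [
    ("10.0.0.51", "10.0.0.25", 587),     # laptop submitting mail to the corporate relay: normal
    ("10.0.0.25", "203.0.113.10", 25),   # relay delivering to the Internet: normal
    ("10.0.0.77", "198.51.100.5", 587),  # unknown device mailing out directly
    ("10.0.0.52", "198.51.100.9", 443),  # ordinary HTTPS
]

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)")


def parse_leases(text):
    """Return {ip: (mac, hostname)} from dnsmasq lease file lines; malformed lines are skipped."""
    leases = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip().lower())
        if m:
            _expiry, mac, ip, hostname = m.groups()
            leases[ip] = (mac, hostname)
    return leases


def find_suspicious(lease_text, flows, known_macs=KNOWN_MACS, allowed_senders=ALLOWED_MAIL_SENDERS):
    """Return findings for unknown devices and for direct SMTP that bypasses the relay."""
    leases = parse_leases(lease_text)
    findings = []

    # Rule 1: a DHCP client whose hardware address is not in the asset inventory.
    unknown_ips = {ip for ip, (mac, _) in leases.items() if mac not in known_macs}
    for ip in sorted(unknown_ips):
        findings.append({"ip": ip, "mac": leases[ip][0], "rule": "unknown_device", "severity": "medium"})

    # Rule 2: SMTP that neither originates from nor terminates at the approved relay.
    for src, dst, port in flows:
        if port in SMTP_PORTS and src not in allowed_senders and dst not in allowed_senders:
            severity = "high" if src in unknown_ips else "medium"
            findings.append({"ip": src, "dst": dst, "port": port, "rule": "direct_smtp", "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LEASES, SAMPLE_FLOWS):
        print(finding)
```

Blocking outbound SMTP at the perimeter for everything except the relay removes the email channel entirely; the detection above is for the case where that block is not in place or where the device uses a recognised relay. A device that stays off the network, or is read out in USB Mass Storage mode, leaves no trace here, which is the trade-off the post describes.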

Rogue Device Spotlight: MiniPwner

RISK ASSESSMENT RATING: 5.67


Popularity: 7

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

While not possessing the cachet of the Pineapple, the MiniPwner is still a “brand name device” of the InfoSec world. It is built on fairly common hardware and is easy to acquire.

Simplicity: 6

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

The MiniPwner can be either purchased or built, meaning that acquiring one is fairly simple. However, the device is not built for beginners: with little thought given to simplicity or ease of use, only intermediate to advanced operators can use the tool effectively.

Impact: 4

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

The MiniPwner is slow and difficult to use; its battery gives it the biggest boost in this category. With almost five hours of runtime and no setup required, it is considerably easier to hide than most devices in its class.


MiniPwner

Originally created in 2012 by security researcher Kevin Bong, the MiniPwner leverages the incredibly flexible OpenWRT project to turn cheap consumer wireless routers into highly capable penetration testing devices. The initial iteration of the project was little more than stock OpenWRT running on the immensely popular TPLink MR703N, but that was enough to get the ball rolling, and the project has been steadily evolving since.

The current version of the MiniPwner project is maintained by Michael Vieau and runs on the TPLink MR3040, an enhanced variation of the MR703N which features an internal battery.


Hardware Specifications

  • CPU: Atheros AR7240 @ 400 MHz
  • RAM: 32 MB
  • ROM: 4 MB
  • OS: OpenWRT
  • I/O: Ethernet, USB, Serial
  • Radios: Atheros AR9331 802.11 b/g/n
  • Storage: USB Flash Drive (16 GB included)


Photos

[Photo: minipwner]


Notable Features

The TPLink MR3040 router that MiniPwner is currently being developed for is especially well suited to mobile security work thanks to its integrated 2000 mAh battery, a feature uncommon even in purpose-built penetration testing devices. The battery is recharged whenever the MR3040 is connected via USB, and is estimated to last for over 5 hours during continuous wireless and wired use.

The MR3040 also features a physical switch which can be configured from within the MiniPwner web interface to run user-configured scripts known as MiniModes, not unlike the boot mode selection on the Hak5 WiFi Pineapple Mk V. While this feature holds considerable promise for covert configuration of the MiniPwner device, developer Michael Vieau cautions this feature is still under development and should be used carefully.

In terms of its availability, the MiniPwner is unique in that it’s primarily a DIY project with optional sales of completed kits intended to help fund development. While users can purchase a MiniPwner directly from the developer, they can also download a current MiniPwner snapshot and apply it to their own MR3040 router with no loss in functionality or support.


Conclusion

The open source and community-driven nature of the MiniPwner project, combined with the very low cost of the hardware required, makes this a particularly appealing platform. For less than $50, an individual can have a completely self-contained mobile penetration testing device that runs the large majority of common Linux security tools.

On the other hand, the MiniPwner assumes a fairly strong working knowledge of those tools and of Linux in general. There is little consideration given to automation or other user-friendly enhancements in the MiniPwner software: an inexperienced operator could just as easily brick their own MiniPwner as launch an attack against a target.

Hacker Favorite Raspberry Pi Gets Successor

UK tech publication “The Register” recently had the honor of revealing that the follow-up to everyone’s favorite Linux single board computer, the Raspberry Pi, has finally been released. Officially dubbed the Raspberry Pi 2 Model B (to leave the possibility open for an as yet unconfirmed Model A), the new Pi is supposedly 6 times as powerful as its predecessor, but still costs the same $35 and keeps more or less the same form factor. The Pi 2 is intended to be more or less a drop-in replacement, so projects making use of the existing Pi should be easily upgradeable.

While certainly not the Raspberry Pi’s most common use, its effectiveness as a rogue device cannot be ignored. With the upgraded processing power of the Pi 2, it’s likely that we’ll see even more rogue devices being built around this highly available board.


Upgraded Performance

The original Pi wasn’t terribly fast, but for $35, nobody really complained. While it was more than capable for many basic tasks, and perfectly suitable for its intended goal as a low-cost educational tool, it left something to be desired when it came to things like encryption or man-in-the-middle attacks. But the upgrade to a quad-core 900 MHz processor with 1 GB of RAM promises to make such concerns a thing of the past.

Head of the Raspberry Pi Foundation Eben Upton believes this iteration of the Pi is even good enough to serve as a proper desktop computer: “I think it’s a usable PC now. It was always the case that you could use a Raspberry Pi 1 as a PC but you had to say ‘this is a great PC in so far as it cost me 35 bucks’. We’ve removed the caveat that you had to be a bit forgiving with it. Now it’s just good.” Upton says the increased performance of the Pi 2 was validated through several synthetic benchmarks such as Sysbench, which may not be 100% comparable to real-world use, but at least give an idea of the system’s computational capacity.

In relation to computationally intensive security applications such as modifying network data in real time, however, synthetic benchmarks are actually quite useful. In other words, while using the Pi 2 as your desktop computer may still be impractical, there’s no question that this new Pi will be cracking encryption a whole lot faster than the old model.


Availability

The original Pi was such a runaway success that lead times of several weeks were not uncommon from many retailers. But this time around, Upton claims there should be more than enough for everyone.

The Raspberry Pi 2 Model B is available immediately with 100,000 units ready to go and a production rate of over 1,000 per day at their Pencoed, South Wales factory. It may take some time for all of the electronics suppliers to get it in stock, but it sounds like anyone who wants one will be able to get one in short order.