
So good morning, everyone, and thank you for coming. The first talks on Sunday are not usually well attended, so thank you, everyone who did come. My name is Andrew Shumate, giving a talk, Building the Poison Apple Pi. It's basically a remote wireless pen testing platform, nothing really spectacular, but I like getting ideas from conferences and then feeding the ideas that I get back, to help kind of enforce the feedback loop. About me: I was in the Navy for 20 years. I spent 15 years doing aviation electronics, five years doing computer network defense as a CTN, and then I retired. I now work as an ISMS consultant for Pivot Point Security, a small firm in New Jersey. Geek, pirate, lover of puzzles and technology.

So there's a song. There will be a lot of Disney references in here, because I'm a big fan of Disney and Disney Imagineering; they're really great at taking ideas and turning them into these huge things that we see, and it all starts with one little spark. Who knows what an earworm is? It's a song that gets stuck in your head. Yeah, go google Figment, "One Little Spark," a little song with Eric Idle. Listen to it; it'll be stuck in your head for a while. So a lot of ideas start with that one spark of imagination, or an idea that you hear.

Mine started last year at BSides DC, and a little bit before that. I've always been a fan of covert testing boxes, things like the spark cast, the small covert things you can leave on a network: very cheap, somewhat disposable. Last year I'm here at BSides DC and Giftora gave the talk about the range box and running hostapd on a Raspberry Pi as a way to test, you know, breaking web and things like that. Yes, okay, cool; you know, what else can you do? Connect to the Raspberry Pi remotely. Then Pwnie Express produced a video, Jayson E. Street's Evil Briefcase vs. Boston. Anybody seen that? Jayson Street's walking around Boston with this briefcase full of Raspberry Pis and a Proxmark doing his stuff, and at the end of the video it shows he's, you know, attacking a wireless network, Pwnie Express's product detects the attack, goons come out to the lobby and rein him in, because his head's down in a briefcase attached to his testing devices. Then about the same day that I see the Jayson Street video, Yuri over at the Red Teams blog posts that he was looking for a small backpack for covert testing, and that kind of sealed the deal for me. I was like, you know, what can I do with a small, covert, remotely accessible platform? So about half an hour after he tweeted this, I ran around my office, grabbed a bunch of stuff and tweeted that. So that's probably a lot more than I usually use: it's a Raspberry Pi 2 B, a TP-Link card, an RTL-SDR dongle and an Ubertooth, and it's all powered by an Anker 64,000 amp hour battery pack, which gives it about a day and a half of runtime.

So I'm going to tempt fate with the demo gods early. I have the device up and running in here, and you give it an innocuous name; in my case, HP JetDirect. I'm going to have to... yes... and we'll see if the demo gods are happy. I probably will not, because it's not... okay, so happy... there we go, it's happier now. So that is the biggest limitation: the Edimax wireless dongle, which is this little tiny thing here, doesn't have a lot of power, so if you wanted longer range you'd want to use the TP-Link high power. Make sure that... okay. And so, yeah, it's going to fail until it actually negotiates. So essentially I decided to take all this and put it together into a wireless testing platform.

So while the demo gods are angry at me, we'll come back to it. I had a few build requirements on this. I wanted something portable, something that literally I can fit in my back pocket or a small backpack, non-detectable. I wanted it to be remote; I don't want to be attached to it, because of a use case I'll get into in a minute. I wanted it to be non-attributable; I don't want, you know, fancy hardware that people know, like a Pwn Plug or a Pwnie Express, that people know is a pen testing tool. I want it to be able to be broken down. I want it modular: using the Raspberry Pi you've got four USB ports, so you can add anything you want to it. And I wanted it to be cheap. If you are in the business of pen testing, margins are an important thing, and just because you charge your clients a lot for services doesn't mean you need to pay a lot for the tools that you use.

So, you know, let's look at some different tools that are available. Kali NetHunter is portable; it runs on a Nexus, but you have to buy the hardware, and unless you're using the cellular connection you have to be attached to the device. Again, that's not what I wanted. Pwn Plug: easy to use, but it's expensive and it's not portable; it's got to be on mains power to work. And then the Raspberry Pi: it's cheap, portable, you're detached from it, but it takes time and effort to put it together and build it, which I'll talk about in a minute.

So again, talking about what your use cases are. Aside from your standard attacking the wireless network, sniffing wireless networks, things like that, one of the use cases that I looked at was gauging incident response. If you're attacking a company's wireless networks and they say they have wireless incident response, how do you gauge that? And again, I always go to the trope from a movie. Has anybody seen The Real McCoy with Kim Basinger? The Real McCoy with Kim Basinger. It's a heist film, and one of the tropes in it is they need to measure the response time of the police showing up at the bank they're getting ready to, so they put a remote control car on the bottom of an ashtray, drive it around the lobby, set off the alarm, and time how long the police take. So, similar thing with this: you put this in the lobby of a building somewhere, you fire it up, you wait, and see how long it takes for the security goons to come out. And again, if it's cheap and you get an overzealous security guru that smashes it, you're out thirty, forty dollars.

Another use case that I thought about today while watching people do the wireless CTF, the fox hunt: so a HackRF costs what, 300 plus dollars, and here it's one device, and you're running around trying to measure signal strength. What if you took a half dozen of these, put them around in your area with the twenty-dollar RTL-SDR dongles, and then had them all report back to you on signal strength readings? There's already open source software out there that will take all that, correlate it, and help you do the triangulation to locate what you're looking for. So that's another use case that I came up with just in this con, looking at how people are trying to execute the wireless CTF.

So looking into the future, other things to do: attach the DIY IMSI catcher to it, using the OsmocomBB firmware on modified Motorola devices; adding cellular connectivity so I can leave it in place longer and connect to it remotely, so I can do this from my house; and then using a microcontroller for sleep/wake times. The microcontroller does have the downside that if you want a LUKS encrypted partition on your device to protect information, you can't do that unless you're doing auto login, which is not really a good idea, because when the device wakes up you need to be able to put in the credentials. So the sleep/wake is slightly problematic, but it depends on what data you're storing on the device.

So let's try the demo again. No? HP JetDirect again; as you know, I gave it something innocuous that you're likely to see in any business or corporate environment. So apparently my sacrifice to the demo gods is not sufficient, so... I should have recorded that last night, so I'm sorry I don't have the... the demo is basically simply connecting to it; I had hoped to have it in the flower pot over there and fire up a few scans. So that's my simple feedback loop for ideas that I get from coming to the conferences, and trying to feed ideas back into the community. You know, the people up here that I thank are the Red Teams blog, Giftora, and Dave Conroy, who created the module for Edimax. Kali won't natively run hostapd using an Edimax card, so Dave Conroy put together a nice how-to and a driver that will work, and then of course Jayson Street and Pwnie Express for kind of the inspiration of how to do this and put it together.

So actually building the box is fairly simple: Raspberry Pi 2.0, grab the Kali image, put it on the SD card, go get Dave Conroy's Edimax hostapd driver and put it on. From there, connect and, you know, use it as you will. Like I said, if you're into the wireless CTF fox hunts, it's a great thing: you get a half dozen of these, put the twenty-dollar dongles on them, and start having them all report back as a wireless mesh to measure signal strength; that'll help you speed up your fox hunts. Again, having a way to wirelessly attack a network: if the security goons do come out, you're sitting 20 feet away from it, completely detached, not attributable; they run off with the device and you walk away.

So thank you for coming to my short talk. You all get an early lunch because the demo gods are not pleased, and I will take any questions.

So yeah, I did; the range box works really well, and again I had to modify... at the time I had an A and an Edimax, and it can do the five-minute... it takes a little bit of practice, but it works after a little while. Any others? All right, thank you.
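The fox-hunt use case above has several cheap receivers at known positions reporting signal strength back to one operator, who then triangulates the transmitter. The following is an added example of that correlation step, not code from the talk or from the open source tools the speaker refers to. It assumes a hypothetical line-based report format (`receiver_id,x_m,y_m,rssi_dbm`) and constructed path-loss constants; both would need calibrating against real dongles at a real site. Ranges are estimated from RSSI with a log-distance path-loss model and the transmitter position is fitted by Gauss-Newton least squares over all receivers, with the RMS range residual returned so a bad fit (noisy or rogue readings) is visible rather than silently trusted.

```python
"""Locate a transmitter from RSSI reports of fixed receivers (added example)."""
import math

# Path-loss model constants: ASSUMED values, not from the talk; calibrate per site.
RSSI_AT_1M_DBM = -40.0      # RSSI observed at the 1 m reference distance
PATH_LOSS_EXPONENT = 2.5    # 2.0 free space, higher indoors


def distance_to_rssi(distance_m, rssi_1m=RSSI_AT_1M_DBM, n=PATH_LOSS_EXPONENT):
    """Forward log-distance model: RSSI = RSSI_1m - 10 n log10(d)."""
    return rssi_1m - 10.0 * n * math.log10(distance_m)


def rssi_to_distance(rssi_dbm, rssi_1m=RSSI_AT_1M_DBM, n=PATH_LOSS_EXPONENT):
    """Invert the model: estimated range in metres from one receiver's RSSI."""
    return 10.0 ** ((rssi_1m - rssi_dbm) / (10.0 * n))


def parse_reports(lines):
    """Parse 'receiver_id,x_m,y_m,rssi_dbm' lines (hypothetical report format)."""
    readings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rx_id, x, y, rssi = line.split(",")
        readings.append((rx_id, float(x), float(y), float(rssi)))
    return readings


def locate(readings, iterations=50, tol=1e-12):
    """Gauss-Newton least squares on range residuals.

    readings: list of (rx_id, x_m, y_m, rssi_dbm) for three or more receivers
    at known positions. Returns (x, y, rms_range_residual_m).
    """
    if len(readings) < 3:
        raise ValueError("need at least three receivers for a 2-D fix")
    ranges = [(x, y, rssi_to_distance(rssi)) for _, x, y, rssi in readings]
    # Start the iteration at the centroid of the receivers.
    px = sum(x for x, _, _ in ranges) / len(ranges)
    py = sum(y for _, y, _ in ranges) / len(ranges)
    for _ in range(iterations):
        # Accumulate the 2x2 normal equations (J^T J) delta = -(J^T r).
        a11 = a12 = a22 = b1 = b2 = 0.0
        for x, y, d in ranges:
            rho = max(math.hypot(px - x, py - y), 1e-6)  # avoid divide by zero
            r = rho - d                                   # range residual
            jx, jy = (px - x) / rho, (py - y) / rho       # Jacobian row
            a11 += jx * jx
            a12 += jx * jy
            a22 += jy * jy
            b1 += jx * r
            b2 += jy * r
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break  # degenerate geometry, e.g. collinear receivers
        dx = -(a22 * b1 - a12 * b2) / det
        dy = -(a11 * b2 - a12 * b1) / det
        px += dx
        py += dy
        if dx * dx + dy * dy < tol:
            break
    rms = math.sqrt(sum((math.hypot(px - x, py - y) - d) ** 2
                        for x, y, d in ranges) / len(ranges))
    return px, py, rms


# Constructed sample data: four receivers on a 10 m square and a transmitter
# at (3, 7) m; the RSSI values are generated with the forward model above.
TRUE_TX = (3.0, 7.0)
RECEIVERS = {"rx1": (0.0, 0.0), "rx2": (10.0, 0.0),
             "rx3": (0.0, 10.0), "rx4": (10.0, 10.0)}
SAMPLE_REPORTS = ["# constructed: receiver_id,x_m,y_m,rssi_dbm"] + [
    f"{rid},{x},{y},{distance_to_rssi(math.hypot(TRUE_TX[0] - x, TRUE_TX[1] - y)):.2f}"
    for rid, (x, y) in RECEIVERS.items()
]

if __name__ == "__main__":
    est_x, est_y, rms = locate(parse_reports(SAMPLE_REPORTS))
    print(f"estimated transmitter at ({est_x:.2f}, {est_y:.2f}) m, "
          f"RMS range residual {rms:.3f} m")
```

With the constructed readings the fit lands on (3.00, 7.00) with a near-zero residual; in practice the RMS residual is the number to watch, since multipath and mis-calibrated path-loss constants inflate it well before the position estimate becomes obviously wrong.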