Building a Raspberry Pi Dropbox

Introduction

Oftentimes when I'm on a physical penetration test, I'm working in conjunction with a network pentester. We may not necessarily be performing a red team engagement, but we are working together if an opportunity presents itself. One great way for me to assist the network team is to place a computer on the target network that they can use to gain a foothold. Today I'm going to talk about how to build such a device as well as some of the design considerations. Let's get started!

Objectives and Design

Our goal is to connect a computer to our target's local network. It should be easy to hide and easy to access from the outside. Small form factor and single board computers come in many shapes and sizes and should meet the hidability goal without breaking a sweat. Toss in a VPN, a HAT to add cellular connectivity, or both, and we've met the second objective. We'll also add in a USB wireless adapter for attacking wireless networks. Wireless testing can be useful on the network side for finding user names on many enterprise wireless networks. Our hardware list might look something like this:

Raspberry Pi SBCs are extremely popular, which means there is a wide array of add-ons designed for it, such as our cellular modem. The 27 watt power supply is probably overkill today, but it keeps our options open for future design enhancements in case we need more power.

Next we need to select software. Two operating system options to consider are Raspberry Pi OS and Kali OS. The first-party OS from the hardware manufacturer "should" provide the highest level of stability. We're going to be leaving this device unattended and likely won't be able to return to troubleshoot why it suddenly went offline. If that's a concern for you, Raspberry Pi OS may be a good decision. It can be customized with only the tools you need, resulting in a slimmer installation tailor-made for the target. On the other hand, Kali comes with a boatload of tools baked in, making it more of a giant one-size-fits-all solution that should be adequate for most targets. Downloading and installing tools you forgot or didn't know you needed can slow down or even kill an engagement.

We're going to use Kali for this build since the plethora of tools should reduce the amount of time spent customizing for each individual target. The Raspberry Pi Imager is an excellent tool for quickly and easily imaging our Micro SD card. It has numerous OS options right in the menu, including Kali Linux, which means we don't need to download it manually. The latest release of Kali (2024.4 at the time of writing) allows us to take advantage of the customization settings, such as selecting a hostname, username and password, and enabling SSH.

[Image: OS selection]

[Image: OS customization]

Once the imaging is complete, install the SD card, boot up the Pi to make sure it's working, perform any updates and upgrades that are necessary, then reboot. Before we move on to the cellular modem, let's configure a Wireguard server for VPN access. Wireguard is a secure, easy to use, and easy to configure VPN tool. I'll be using AWS to create my server, but you can use whatever VPS solution you like or even host it in your own data center. Selecting and building a server won't be covered in this blog (just make sure it can listen on UDP port 51820), but we will cover installing and configuring Wireguard on whatever you choose. The Raspberry Pi will be configured to attempt to connect to this server every time it boots. When we're done with this part, we'll have two "peers", the server and the Raspberry Pi client, each with a new interface called wg0 that can communicate with each other over the VPN using 172.27.1.10 and 172.27.1.20 respectively.

Install and Configure Wireguard

Server

  1. Install Wireguard
    sudo apt install wireguard

  2. Generate the private key
    wg genkey > privkey-server
    You may receive a warning similar to "Warning: writing to world accessible file. Consider setting the umask to 077 and trying again." It can be safely ignored for now.

  3. Generate the public key
    wg pubkey < privkey-server > pubkey-server

[Image: Wireguard server commands]

Raspberry Pi Client

  1. Log in and install Wireguard
    sudo apt install wireguard

  2. Generate the private key
    wg genkey > privkey-client

  3. Generate the public key
    wg pubkey < privkey-client > pubkey-client

[Image: Wireguard client commands]

Next we'll create the configuration file for each. Run sudo nano /etc/wireguard/wg0.conf on both machines, then copy and paste the respective templates below.

Server:

[Interface]
ListenPort = 51820
PrivateKey = <<SERVER PRIVATE KEY>>
Address = 172.27.1.10/24

[Peer]
PublicKey = <<CLIENT PUBLIC KEY>>
AllowedIPs = 172.27.1.20/32

Raspberry Pi Client:

[Interface]
PrivateKey = <<CLIENT PRIVATE KEY>>
Address = 172.27.1.20/24
DNS = 1.1.1.1

[Peer]
PublicKey = <<SERVER PUBLIC KEY>>
AllowedIPs = 172.27.1.10/32
Endpoint = <<SERVER PUBLIC IP ADDRESS>>:51820
PersistentKeepalive = 25

The last thing we should do on each peer is configure a Wireguard daemon to bring up the interfaces in the event of a reboot. This is especially important for the Raspberry Pi since you're probably not going to be connecting it to a keyboard and monitor when you deploy it.

BOTH Server and Client

  1. sudo wg-quick up wg0
    If you receive an error "resolvconf: command not found" you need to install openresolv with sudo apt install openresolv

  2. sudo systemctl enable wg-quick@wg0

[Image: Wireguard server daemon]

[Image: Wireguard client daemon]

If everything worked, you should now be able to communicate with each machine. Make sure you can SSH to the Raspberry Pi from the server using the 172.27.1.20 address.
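
The key generation steps and the client template above, as an added example (not from the original post): shell functions that create the key files under a 077 umask, so the "world accessible file" warning never appears, and write the Raspberry Pi's wg0.conf so that only its owner can read the private key. The function names are hypothetical; the addresses and port are the ones used in the templates above.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Generate privkey-NAME / pubkey-NAME with owner-only permissions, so
# `wg genkey` has no world-accessible file to warn about.
gen_keypair() {
    (
        umask 077
        wg genkey > "privkey-$1" && wg pubkey < "privkey-$1" > "pubkey-$1"
    )
}

# A WireGuard key is 32 bytes in base64: 43 characters plus a trailing '='.
# This also rejects a template placeholder that was never filled in.
is_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    case $1 in
        *[!A-Za-z0-9+/=]*) return 1 ;;
        *=) return 0 ;;
        *) return 1 ;;
    esac
}

# True when neither group nor other has any permission bit on the file.
conf_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# write_client_conf OUTFILE CLIENT_PRIVKEY SERVER_PUBKEY SERVER_IP
# Fills in the Raspberry Pi client template and leaves it mode 600.
write_client_conf() {
    is_wg_key "$2" && is_wg_key "$3" || { echo "invalid key" >&2; return 1; }
    rm -f "$1"    # umask only applies to new files; drop any old 644 copy
    (
        umask 077
        cat > "$1" <<EOF
[Interface]
PrivateKey = $2
Address = 172.27.1.20/24
DNS = 1.1.1.1

[Peer]
PublicKey = $3
AllowedIPs = 172.27.1.10/32
Endpoint = $4:51820
PersistentKeepalive = 25
EOF
    ) && conf_is_private "$1"
}
```

On the Pi, run write_client_conf as root with /etc/wireguard/wg0.conf as OUTFILE; the server file can be written the same way from the server template.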

Install and Configure the Cellular Modem

Sometimes you may not be able to find an accessible network port, or the port you do find isn’t live, or the live port has NAC configured, or any number of other reasons. The cellular modem is the contingency plan. The instructions for my Quectel cellular HAT from Sixfab can be found here: https://docs.sixfab.com/docs/raspberry-pi-4g-lte-cellular-modem-kit-intoduction. My before and after looked like this:

[Image: Sixfab modem components]

[Image: Sixfab modem assembled]

Follow the steps to assemble the pieces and register your SIM card. One nice thing about Sixfab is that they include a $25 USD credit with the kit. That's not nearly enough for a real life engagement, but it is convenient for this demonstration.

Now we need to configure the hardware. First, uninstall modemmanager with sudo apt purge modemmanager, then make sure the module was properly loaded by checking lsusb. It should look something like this:

[Image: lsusb output]

Next, install the atcom tool to issue commands to configure the module. The Sixfab instructions call for the use of pip3 to install the tool. For reasons outside the scope of this blog (really far outside the scope) we are going to use pipx instead. Simply run pipx install atcom and you should be good to go. If this is the first time you've used pipx, you may need to run pipx ensurepath to add the installation directory to your path. If so, simply log out and log back in. Run atcom AT to test that everything is working.

[Image: atcom installation]

On to the actual configuration commands:

  1. atcom AT+CGDCONT=1,\"IPV4V6\",\"super\"

  2. atcom AT+QCFG=\"usbnet\",1

  3. atcom AT+CFUN=1,1
    Note the backslashes preceding the quotes.

[Image: Modem configuration]

You should now have another new interface, either usb0 or eth1. This is your cellular connection. You can test this by issuing a ping command specifying that new interface with ping -I eth1 1.1.1.1 -c 3

[Image: Modem is using eth1]

[Image: Successful modem test]

That should be it for the cellular modem! Power down the Raspberry Pi, remove the Ethernet cable, and bring it back up. If everything is working it will come back up, connect to the cellular network, and connect to your Wireguard server. Just give it a minute or two.

Test the Wireless Adapter

Our last step is to connect our USB wireless adapter. While the Raspberry Pi does have an integrated wireless chip, its range is not as great. On the other hand, the ALFA AWUS036AXML has excellent range and works out of the box with the 6.6.* kernel.

First, let's power off the Pi and disconnect the cellular modem. We don't want to accidentally use up all our data. Power it back up with the ALFA connected. It should be on the wlan1 interface, but if you aren't sure simply disconnect it, run ip a, connect it again, and the new interface should be the ALFA.

Let's test everything just to be sure. Place the adapter in monitor mode with sudo airmon-ng check kill and sudo airmon-ng start wlan1. Note that airmon-ng may change the interface name to something else, like wlan1mon, when enabling monitor mode. The tool will tell you in the output.

[Image: Enable monitor mode with airmon-ng]

Run sudo airodump-ng wlan1mon to ensure monitor mode is working. It should look something like this:

[Image: Listening with airodump-ng]

We have successfully confirmed monitor mode is working and that we can listen to nearby wireless traffic! Press CTRL-C to stop airodump-ng. Before we test injection, let's choose a wireless network we control and have permission to test. I've selected one already in the image above. Disable then re-enable monitor mode, but this time set the channel. My target network is using channel 6, so my commands will be sudo airmon-ng stop wlan1mon and sudo airmon-ng start wlan1 6

Now we can test injection with sudo aireplay-ng -9 -D wlan1 -a B6:97:4E:1B:49:29. It should look something like this:

[Image: Testing injection with aireplay-ng]

That's it! That's everything! We have a Raspberry Pi 5, running Kali Linux, with a Wireguard VPN for remote access, a cellular modem for a backup connection, and a USB wireless adapter for attacking Wi-Fi. All we need now is a case, but I have something special in mind for that. Stay tuned for part 2!