Little British Spy - Bookmark on Raspberry Pi

    The main theme of the May issue of Hacker was the Raspberry Pi. We talked to the creator of the "raspberry", Eben Upton, found out what the first year of the project has brought and what awaits the small computer in the next one. We also described two concepts built on the Raspberry: an inconspicuous dropbox (a planted device) that, thanks to its size, can quietly collect data from a network (receiving commands via SMS and dropping its logs into Evernote), and a video surveillance system integrated with Google Drive. One of these concepts we present to your attention.




    The idea of a dropbox is simple: equip a miniature computer with a battery and a 3G modem and you get a spy box that quietly connects to the network under study and sends out the data it collects. This concept can be implemented entirely on the Raspberry Pi.



    Looking ahead, I will say that because of its high power consumption our dropbox is better suited to working in our own networks; in someone else's network its battery simply will not last, but the concept still looks attractive. We will build everything on the PwnPi distribution: in it we will set up the modem, learn to receive commands by SMS and to send logs to Evernote. The modem at my disposal was a Huawei E1550 3G modem (the "MegaFon E1550").

    Switch to modem mode


    Many 3G modems present themselves as a disk when first plugged in, so that the bundled drivers can be installed, and have to be switched into modem mode. The E1550 is one of them and is initially not available as a serial terminal:

    # ls /dev/ttyUSB*
    ls: cannot access /dev/ttyUSB*: No such file or directory
    

    Let's look at the description of USB devices:

    # lsusb
    Bus 001 Device 009: ID 12d1:1446 Huawei Technologies Co., Ltd. E1552/E1800/E173 (HSPA modem)
    

    But it is visible as a disk:

    # ls -l /dev/disk/by-id/
    usb-HUAWEI_MMC_Storage-0:0 -> ../../sda
    usb-HUAWEI_Mass_Storage-0:0 -> ../../sr0
    

    To switch it into modem mode, install an additional package and reboot (other modems may need different settings):

    # apt-get update && apt-get install usb-modeswitch 
    # reboot
    

    Let's look at the description of the USB device again:

    # lsusb
    Bus 001 Device 010: ID 12d1:1003 Huawei Technologies Co., Ltd. E220 HSDPA Modem / E230/E270/E870 HSDPA/HSUPA Modem
    

    The modem's device ID has changed, and its serial ports are now available to us:

    # ls /dev/ttyUSB*
    /dev/ttyUSB0  /dev/ttyUSB1
    



    Greeting Bash at PwnPi

    Accessing the modem with minicom


    To test that it works, you can try to "talk" to it like an ordinary modem using minicom:

    # apt-get install minicom
    # minicom -D /dev/ttyUSB0
    

    Request information about the modem's manufacturer with an AT command:

    ati0
    Manufacturer: huawei
    Model: E1550
    Revision: 11.608.12.10.209
    IMEI: < your modem's IMEI >
    +GCAP: +CGSM,+DS,+ES
    OK
    

    Exit minicom with its quit key sequence.

    Sakis3G and UMTSkeeper


    The first program we need to configure the 3G modem is Sakis3G, a script for establishing a 3G connection. The project home page sakis-3g.org has been unavailable for some time, but a copy of the script is kept on SourceForge. Download it, unpack it and make it executable:

    # mkdir ~/3g && cd ~/3g
    # wget http://downloads.sourceforge.net/project/vim-n4n0/sakis3g.tar.gz -O sakis3g.tar.gz
    # tar -xzvf sakis3g.tar.gz
    # chmod +x sakis3g
    

    Install PPP support:

    # apt-get install ppp

    Let's try to establish a connection in interactive mode, entering the required data:

    # ./sakis3g --interactive

    Select the first option, "Connect with 3G", and at the next prompt choose "11. Custom APN ...". Enter the following (values for MegaFon Moscow):

    APN: internet
    APN_USER: megafon
    APN_PASS: megafon
    

    If the connection succeeded, exit the menu and check Internet access:

    # ping google.com

    The next program, UMTSkeeper (zool33.uni-graz.at/petz/umtskeeper), automatically re-establishes the connection when it drops. Download, unpack and make it executable:

    # cd ~/3g
    # wget http://zool33.uni-graz.at/petz/umtskeeper/src/umtskeeper.tar.gz
    # tar -xzvf umtskeeper.tar.gz
    # chmod +x umtskeeper
    

    Let's test UMTSkeeper, substituting our own values in USBMODEM (the Vendor ID:Device ID pair shown by the lsusb command) and in CUSTOM_APN, APN_USER, APN_PASS and SIM_PIN (the credentials for connecting to the 3G network):

    # ./umtskeeper --sakisoperators "USBINTERFACE='0' OTHER='USBMODEM' USBMODEM='12d1:1003' APN='CUSTOM_APN' CUSTOM_APN='internet' SIM_PIN='1234' APN_USER='megafon' APN_PASS='megafon'" --sakisswitches "--sudo --console" --devicename 'Huawei' --log --silent --nat 'no'

    We monitor progress by tailing the log in another window:

    # tail /var/log/umtskeeper.log -f
    2013-04-01 10:37:38 Start: interval=4*8s
    Internet status:
    Modem plugged, not connected to internet.
    2013-04-01 10:38:27 Internet connection is DOWN. Calling Sakis3G connect...
    Sakis3G cmdLine: nice ./sakis3g connect --sudo --console USBINTERFACE='0' OTHER='USBMODEM' USBMODEM='12d1:1003' APN='CUSTOM_APN' CUSTOM_APN='internet' SIM_PIN='1234' APN_USER='megafon' APN_PASS='megafon'
    Sakis3G says...
    E1550 connected to MegaFon (25002).
    2013-04-01 10:39:20 Testing connection...
    2013-04-01 10:39:37 Success... we are online!
    

    Now add it to /etc/rc.local so that it starts at boot:

    # nano /etc/rc.local
    /root/3g/umtskeeper --sakisoperators "USBINTERFACE='0' OTHER='USBMODEM' USBMODEM='12d1:1003' APN='CUSTOM_APN' CUSTOM_APN='internet' SIM_PIN='1234' APN_USER='megafon' APN_PASS='megafon'" --sakisswitches "--sudo --console" --devicename 'Huawei' --log --silent --nat 'no' &
    

    And check after a reboot.


    Sakis3G Interface

    Reverse SSH


    To connect to PwnPi remotely over 3G, configure a reverse SSH tunnel (this requires a server with a public IP).
    So that PwnPi can connect to the server automatically, without entering a password, generate a private/public key pair on PwnPi and copy the public key to the server:

    # ssh-keygen
    # scp /root/.ssh/id_rsa.pub root@<server address>:/root/

    On the server (a Debian one here), add the public key to the list of authorized keys:

    $ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
    

    Let's try to connect to the server from PwnPi:

    # ssh root@<server address>
    

    The connection should be established without a password prompt. If the password is still requested and key-based login is being set up on this server for the first time, set the permissions on this file (and on the directory as a whole):

    # chmod 755 ~
    # chmod 700 ~/.ssh
    # chmod 600 ~/.ssh/authorized_keys
    

    Now set up the port-forwarding tunnel. On the PwnPi side:

    # ssh -q -N -R 1221:localhost:22 root@<server address>
    

    On the server side, port 1221 is now waiting for connections, but only on the 127.0.0.1 interface:

    # netstat -an |grep 1221
    tcp  0  0  127.0.0.1:1221  0.0.0.0:*  LISTEN
    

    On the server side, check the connection through the reverse tunnel by connecting to the local port:

    # ssh root@localhost -p 1221
    

    If everything is correct, after entering the root password of the PwnPi system we gain access to PwnPi. On the server side, enable forwarded ports on all interfaces (note that from then on anyone who can reach port 1221 on the server reaches the PwnPi SSH login, so the root password matters):

    # nano /etc/ssh/sshd_config
    GatewayPorts yes
    

    Now sshd has to re-read its configuration file. Let's find its PID:

    # ps aux|grep sshd
    ...
    root  23511  0.0  2.1   9920  5376 ?  Ss   13:09   0:00 /usr/sbin/sshd
    ...
    

    And send it a HUP signal:

    # kill -hup 23511
    # tail /var/log/sshd.log
    

    Now, once PwnPi has established its connection, we see that the process is listening on all interfaces:

    # netstat -an -p |grep 1221
    tcp  0  0  0.0.0.0:1221  0.0.0.0:*  LISTEN  21990/sshd: root
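From the server administrator's side this listener is exactly what a reverse tunnel opened with GatewayPorts looks like: an sshd-owned port bound to 0.0.0.0 rather than loopback. As an added example (not from the article), here is a small check that filters netstat -anp output for such listeners; the sample lines, PIDs and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article: list sshd-owned TCP listeners that are
# bound to something other than loopback. On a server with "GatewayPorts yes"
# these are the remote (-R) forwards that clients have opened to the world.

# Constructed sample of "netstat -anp" output; PIDs and ports are made up.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:1222          0.0.0.0:*               LISTEN      21990/sshd: root
tcp        0      0 0.0.0.0:1221            0.0.0.0:*               LISTEN      21990/sshd: root
tcp6       0      0 :::1221                 :::*                    LISTEN      21990/sshd: root
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1000/nginx'

# find_sshd_wide_listeners [SSHD_PORT]
# Reads netstat -anp output on stdin and prints "local_address pid=N" for every
# sshd listener that is not on 127.0.0.1/::1 and is not the daemon's own port.
find_sshd_wide_listeners() {
    awk -v port="${1:-22}" '
        ($1 == "tcp" || $1 == "tcp6") && $6 == "LISTEN" && $7 ~ /\/sshd/ {
            n = split($4, a, ":")                    # last field is the port
            lport = a[n]
            addr = substr($4, 1, length($4) - length(lport) - 1)
            pid = $7; sub(/\/.*/, "", pid)           # "21990/sshd:" -> "21990"
            if (addr != "127.0.0.1" && addr != "::1" && lport != port)
                print $4 " pid=" pid
        }'
}

# Number of such listeners; handy for a cron job that alerts on a non-zero value.
count_sshd_wide_listeners() {
    find_sshd_wide_listeners "$@" | wc -l | tr -d ' '
}

# Run against the constructed sample; on a real server feed it "netstat -anp"
# (root is needed for the PID/program column).
printf '%s\n' "$SAMPLE_NETSTAT" | find_sshd_wide_listeners
```

On the sample the two 1221 listeners (IPv4 and IPv6) are reported and the loopback-only one on 1222 is not; the optional argument tells the filter which port is the daemon's own so that it is never flagged.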
    

    Create a script for automatic start and make it executable:

    # nano /root/reverse_ssh_tunnel.sh
    #!/bin/sh
    USERHOST=root@<server address>
    RPORT=22            # SSH port of the server
    FPORT=1221          # port that will be opened on the server
    CONN=localhost:22   # SSH listener port on PwnPi
    COMMAND="ssh -q -N -R $FPORT:$CONN $USERHOST -p $RPORT"
    # start the tunnel if no identical ssh process is running yet
    pgrep -f -x "$COMMAND" > /dev/null 2>&1 || $COMMAND
    # ask the server whether the forwarded port is really listening
    ssh $USERHOST -p $RPORT netstat -an | egrep "tcp.*:$FPORT.*LISTEN" > /dev/null 2>&1
    if [ $? -ne 0 ] ; then
      echo "Restarting connection"
      pkill -f -x "$COMMAND"
      $COMMAND
    else
      echo 'Connection OK'
    fi
    # chmod +x /root/reverse_ssh_tunnel.sh
    

    Add a line to crontab to run it every minute:

    # crontab -e
    */1 * * * * /bin/sh /root/reverse_ssh_tunnel.sh
    


    Automatically save data to Evernote


    There are many options for automatically transferring and storing data, from traditional e-mail to popular cloud services, from Google Drive to Evernote. You can send data to Evernote with the Geeknote utility (www.geeknote.me):

    # wget http://www.geeknote.me/dist/geeknote_latest.deb
    # sudo dpkg -i geeknote_latest.deb
    # geeknote login
    

    Enter your Evernote login details (this needs to be done only once, as long as the user does not change). Create a new notebook and add a test entry:

    # geeknote notebook-create --title "PwnPi"
    # geeknote create --notebook "PwnPi" --title "Test" --content "Test note"
    

    Geeknote can automatically synchronize text files from a given directory with the gnsync utility included in the package. To do that, run it with the following options (here the /root directory is synchronized; the mask is quoted so that the shell does not expand it):

    # gnsync --path /root --mask "*.log" --notebook "PwnPi"
    


    Control via SMS


    Unfortunately, the 3G connection is not stable. So, as a supplement, you can implement the delivery of commands (for example, a reboot) and SMS notifications with the Gammu package.

    # apt-get install gammu
    # gammu-config
    

    In the menu, set the port to /dev/ttyUSB1 (/dev/ttyUSB0 was configured for 3G). Request the device description:

    # gammu --identify
    Устройство : /dev/ttyUSB1
    Manufacturer     	: Huawei
    Модель     	: E1550 (E1550)
    Firmware         	: 11.608.12.10.209
    IMEI             	: 351911043904005
    Номер SIM (IMSI) : 250026700613366
    

    You can enable monitoring mode and try to send a test message:

    # gammu --monitor
    # echo "test from PwnPi" | gammu sendsms TEXT +7<phone number>
    

    For Russian text (PwnPi does not set a Unicode locale by default), you can use the -unicode switch.


    Gammu Options

    Receiving SMS


    To receive SMS, install gammu-smsd:

    # apt-get install gammu-smsd

    And specify the same port of the 3G modem in its configuration:

    # nano /etc/gammu-smsdrc
    [gammu]
    port=/dev/ttyUSB1

    Run it as a service and watch the log:

    # gammu-smsd --daemon
    # tail -f /var/log/syslog

    Incoming messages are saved in the folder:

    # cd /var/spool/gammu/inbox && ls
    IN20130402_193338_00_+7<phone number>_00.txt

    The file contains the text of the received SMS. Create a script that executes commands from SMS. In the example below, on receiving the text 'uptime', a message with the result of the uptime command is sent back to the sender (note that, as written, the script acts on a message from any number):

    $ nano smscheck
    #!/bin/bash
    # handle every message waiting in the gammu-smsd inbox
    for file in /var/spool/gammu/inbox/*
    do
      [ -e "$file" ] || continue          # empty inbox: the glob stays literal
      cmd=$(cat "$file")
      case "$cmd" in
        "uptime")
          # reply to the sender with the output of uptime
          echo $(uptime) > "/var/spool/gammu/outbox/OUT+7<phone number>.txt"
          ;;
      esac
      rm -f "$file"                       # do not process the same message twice
    done
    # chmod +x smscheck
    

    Since our test messages should already be in the /var/spool/gammu/inbox folder, run the script and make sure it sends the right message. Add it to crontab to run once a minute with the following entry:

    # crontab -e
    */1 * * * * /home/pi/smscheck
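The smscheck script above runs its command for a message from any number and sends the reply to a fixed one. As an added example (not part of the article), here is a hardened version of the same loop: it takes the sender's number from the gammu-smsd inbox file name, accepts only allow-listed senders and only the command 'uptime', replies to the actual sender and logs everything it rejects. The spool paths are parameters so it can be exercised on a scratch directory; the allow-list numbers, function names and log format are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article: an smscheck loop with sender and command
# allow-lists. Paths are parameters so the loop can be tested on a scratch
# copy of the gammu spool instead of /var/spool/gammu.

# Constructed allow-list; replace with the real number(s) in +<country code> form.
ALLOWED_SENDERS="+79990000001 +79990000002"

# gammu-smsd (files backend) names inbox files like
# IN20130402_193338_00_+79990000001_00.txt; the sender is the 4th "_" field.
sender_of() {
    basename "$1" | awk -F_ '{ print $4 }'
}

is_allowed_sender() {
    for s in $ALLOWED_SENDERS; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# process_inbox INBOX OUTBOX LOG
# Handles every IN*.txt in INBOX, writes replies to OUTBOX, appends a line per
# message to LOG, deletes each message, and prints the number of commands run.
process_inbox() {
    inbox="$1"; outbox="$2"; log="$3"; executed=0
    for file in "$inbox"/IN*.txt; do
        [ -e "$file" ] || continue                 # empty inbox: glob stays literal
        sender=$(sender_of "$file")
        # first line only, CR stripped, lower-cased, surrounding blanks removed
        cmd=$(tr -d '\r' < "$file" | head -n 1 | tr 'A-Z' 'a-z' | sed 's/^ *//;s/ *$//')
        if ! is_allowed_sender "$sender"; then
            echo "$(date '+%F %T') REJECT sender=$sender text='$cmd'" >> "$log"
        else
            case "$cmd" in
                uptime)
                    # reply goes to the sender, not to a hard-coded number
                    { uptime 2>/dev/null || echo "uptime: unavailable"; } > "$outbox/OUT$sender.txt"
                    executed=$((executed + 1))
                    echo "$(date '+%F %T') RUN sender=$sender cmd=$cmd" >> "$log" ;;
                *)
                    echo "$(date '+%F %T') UNKNOWN sender=$sender text='$cmd'" >> "$log" ;;
            esac
        fi
        rm -f "$file"                              # never process a message twice
    done
    echo "$executed"
}
```

For the real spool the cron line stays the same and the call becomes process_inbox /var/spool/gammu/inbox /var/spool/gammu/outbox /var/log/smscheck.log; the log is what you read to find out who tried to drive the box and with what text.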

    Reboot the system and check that our configuration works.

    Who watches the watcher


    Modern microcontrollers offer a number of mechanisms for increasing the reliability of embedded devices that run unattended. One of them is the hardware watchdog timer, which reboots the device if it hangs. The program whose health is being monitored must periodically reset this timer; if it stops doing so, the timer exceeds its threshold and a reset signal is sent to the processor. On Linux, watchdog support consists of two parts: the watchdog timer driver and watchdog daemons that monitor the health of the system as a whole.

    Watchdog driver


    Load the driver module:

    # sudo modprobe bcm2708_wdog
    

    Add it to the list of modules loaded at startup:

    # echo "bcm2708_wdog" | sudo tee -a /etc/modules
    

    The watchdog timer starts as soon as the device is opened. Writing any character resets it; the character V disables the timer. You can test it as follows:

    # cat > /dev/watchdog
    

    From now on only keyboard input stands between the device and a reboot: cat passes the typed text to the device line by line, and each line resets the timer. Typing V and pressing Enter stops the countdown.
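The same keep-alive and disable sequence, as an added example that is not from the article: a small shell routine that opens the device, resets the timer at a fixed interval and then writes V immediately before closing the descriptor. The device path is a parameter so the routine can first be tried against an ordinary file; the name pet_watchdog and the sample arguments are mine.

```shell
#!/bin/sh
# Added example, not from the article: drive /dev/watchdog from a shell script.
# The device path is a parameter so the routine can be dry-run on a plain file.

# pet_watchdog DEVICE COUNT INTERVAL_SECONDS
# Writes COUNT keep-alive bytes, one every INTERVAL seconds, then writes 'V'
# as the very last byte before closing. The driver honours V only when it is
# the last character written before the close, so the two steps stay together.
pet_watchdog() {
    dev="$1"; count="$2"; interval="$3"
    exec 3>"$dev"                   # opening the device starts the countdown
    i=0
    while [ "$i" -lt "$count" ]; do
        printf '.' >&3              # any byte resets the countdown
        i=$((i + 1))
        sleep "$interval"
    done
    printf 'V' >&3                  # magic close: ask the driver to stop the timer
    exec 3>&-                       # close while V is the last byte written
}

# Dry run on a temporary file: the file ends up containing "...V".
tmpfile=$(mktemp)
pet_watchdog "$tmpfile" 3 0
cat "$tmpfile"; echo
rm -f "$tmpfile"
```

On the board, pet_watchdog /dev/watchdog 12 5 keeps the timer reset for about a minute and then disables it. If the script is killed before the V is written, the descriptor is closed without the magic byte, the timer keeps running and the board reboots when the timeout expires; that is the failure mode the watchdog daemon in the next section is built around.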

    Watchdog daemon


    The watchdog package contains two daemons: a simplified one, wd_keepalive, and the main one, watchdog, which offers more features. With it you can monitor not only the system load but also parameters such as the amount of free memory, access to particular files, the reachability of hosts via ping, and a number of others.

    # apt-get install watchdog # installation
    # update-rc.d watchdog defaults # add to startup
    

    To configure it, uncomment several lines in /etc/watchdog.conf:

    # nano /etc/watchdog.conf
    watchdog-device = /dev/watchdog 
    max-load-1      = 24
    

    Manual start:

    # /etc/init.d/watchdog start
    


    Checking


    The easiest way to check that the watchdog configuration works is to enter the so-called fork bomb at the command line:

    : (){ :|:& };:
    

    The system quickly stops responding and, if everything is configured correctly, reboots within a few seconds.

    Autonomous power


    A Raspberry Pi with connected and active Wi-Fi (D-Link DWA-140 B2) and 3G (Huawei E1550) adapters draws about 700-800 mA. The capacity of reasonably compact external lithium batteries available today reaches 20 ampere-hours, which can provide up to 24 hours of battery life. If we regard the RPi as just a multifunctional device, that is very, very good; however, hiding it for a longer period will require an external power source, which may be a USB port or a mains outlet.

    Summary


    For all its apparent frivolity, the Raspberry Pi can become a dangerous tool, although its high power consumption limits autonomous operation. However, its closest analogues in functionality to date, the commercial penetration-testing tools from Pwnie Express, are in a completely different price category.


    First published in the Hacker magazine from 05/2013.
    Author: Alexander Lykoshin, alykoshin@gmail.com , ligne.ru
