Hackinabox: Building a Portable Penetration Testing Lab with Raspberry Pi

so apparently it's a good thing if you're gonna be presenting bringing your laptop I didn't know that so hi I'm our boy this is the packing a box this is my silly little Raspberry Pi project my lead security a firmer lead information security engineer for IO solutions in Farmington Utah I am the one-man army of security for my company letters behind my name I'm one of the chief cat herders of vco1 and did it on labs hackerspace in sonic city and I have hobby ADHD I collect hobbies as a hobby and find myself with the twenty raspberry PI's and plan 60 floors and stuff like this and I needed something to do next Lisa this why did I do this

several years ago when I was studying for the CD age it was my first exposure into the pen testing world blue team guy normally I don't hurt a lot on the offensive side and I wanted to come up with a lab to test this stuff out and learn and practice and for various reasons I ditched the things that sense and then with these Raspberry Pi things and as this project kind of went on I found that it was potentially pretty helpful for students and you can set up a lab to safely teach pen testing without putting vulnerable machines in your environment and letting people find them online and and I have no idea that what was going

on when I started this one thing kind of led to another and then people got more interested people got more interested than I did but I just pushed through and built out my project and I talked about it for some reason England I'm very much your honor so originally I was going to set up a VMware Xen hypervisor on some old hardware I had laying around my house and at the time the assumed that I had laying around used to use ddr2 RAM that was super expensive and I didn't feel like paying $500 for a gram or something like that what was that so I started looking around for other options and then I found out about

Metasploit Little Miss portables a VM that is a victim service that you can use to learn medicine and learn the hand testing stuff and so that that's originally what I wanted to do is run that being run maybe a calamy him to attack from and have everything kind of all in one and then I started by Hank as berry pies or people started giving raspberry PI's and there's collected a tongue so I started thinking why don't we use these they're cheap they're all over the place I had a bunch and to do something with it and then I wanted to keep everything kind of again all in one spot one place all right let's throw it in the box and

with the setup that I eventually came up with everything was easy to power self-contained and more importantly isolated from any environments that you bring into woods as the security guy always talked people you know maybe you don't want to plug that little toy in on a corporate network I don't want you getting owned and then everyone else getting home as well that's step one a hole in the box I just bought a tool box and threw everything in there and then found that I couldn't power it as a part of it the displays that I use the the first one was just like a $80 TV from Walmart and it just happened to fit exactly in the

lid of the Harbor free tool box of Ages and so I could just snap it in and that was kind of fun but then powering it was giant Woolworth ugly grabbed a couple raspberry PI's of cases velcro them together the ultimate monitor that I used was a games dinging display HDMI USB powered monitor it didn't fit as nicely so I just grabbed some industrial stinger del Corona slap it in there USB power supply was in there and they had some tackle box tubs lying around threw it in their side and places for SD cards back in the days when I only had a couple of the locks and lock picks I throw my lockpick stuff in there too

that's changed since this is kind of what it looked like beginning a giant wall wart all of the power supplies for the raspberry PI's everything table together I was using a little switch as well to network the raspberry PI's together and this it was unwieldy unmanageable and then that that just gives me angst and anxiety to this day and can't stand those things and this was the original TV display that was in there this that again just water 19 select 720p TV and just it worked pretty good but the big thing was powering it was kind of a pain and having the power supply and tool box banging around I was always afraid was gonna bust the TVs

and this is kind of how everything evolved over time I got rid of the TV and then found the game's monitor looks like four times as expensive but it worked really well for the days I was using a little for poor Ethernet switch so there has raised to talk to each other again didn't like the wall word power yet so I started doing some ad hoc Wi-Fi stuff then all my friends with the author tools decided to make that not super great so then I stole a network cable from the hacker space and because never buying network cables they're freed everywhere so just made a crossover cable and network that way at one point with all the little devices I

had I wanted to make multiple victims servers because I had playing 64 Jaguar boards and the buncher advertises all these things and then the Windows 10 IOT release the Raspberry Pi was really interesting to me until I started playing around with it I was hoping that you could run like the servers or something on it and really it's more like a sensor that you have to control from Windows to seeing and so eventually that just got taken out the kid as well but I wanted as many different services as possible to attack a train and mimic what a real network looks like on a small scale with varying amounts of success so what it looks like today planed everything just

fell occurred all the tools in there you can see the hole that I cut out to power right these little tool boxes that you get from Harbor Freight are great because you can kind of make them they're modularity and they can do whatever you want and the top of there you can see a little Wi-Fi router that I have that was in there that was one of the things that I did it's little GI something-or-other you can have a lot of fun with those as an aside the you should make a little pineapples out of them things like that I use that for a while as well but I ran into a lot of problems with that just the throughput

wasn't very good and they're not really designed for things to talk across that there weren't design you plug it into your hotel or things like that just to give yourself Wi-Fi without having to pay other ratings and it wasn't super reliable so it got taken out of the final version as well but if you find those little routers are they're fun had projects and of themselves and that's the game's display that's a sweet little monitor it's like a 15 inch display and it's 1080 and that was a great find particularly because of the USB power and there were some other options as well games doesn't make this display anymore and the replacement now that's a

super super expensive but aoc makes one and I think I've seen a cert or something like that have a few of these that are little USB powered displays and that the USB power is really key because you can just plug everything into one one like charging station as long as the charging station has enough Amsterdam everything and that that was one thing I actually had to do three or four different various various charters just to find one that would work because you can burn out the charter really easily when everything boots up plug three things in everything dies Raspberry Pi 3 years what we have today the three B or whatever it is it's got like three or four times more

powerful than the Raspberry Pi 2 and that rhetoric mighty was the first one oh this would actually work on tally on the Raspberry Pi B it was just absolutely useless you couldn't do anything with it but the the later ones even it's not a full-fledged computer obviously the you can do a lot and if you know tally you can do everything that you wanted as long as there's an arm library for whatever drivers that you need the victim server is just raspbian with a basic lamp stack on it and then deep dvwa is the damn vulnerable web app is a great little web app and test training module super easy for the other and was that was the best way to find

something marble that you can control does he think set levels on it you know everything's wide open clear text passwords and things like that too it's pretty locked down actually have to work at it too anything to it the tool acts as they say it is like a twenty five dollar girl or the free thing the games display it's a little travel monitor these they sell a Xbox kit that goes with it so you throw everything together and take it on the road with you I really like the the power for it being USB removed having the horror out a bunch of cables and stuff like that and I really liked that and then I used the anchor or USB

chargers and those were absolutely the best they they had plenty of amperage to run everything without drowning out and they're dis rock solid advanture makes it I'll buy it a lot of problems that we ran into the the power I went through three or four different fabrics before I found the anchor that would actually work you know they're great for charging your phone or something like that it's more more forgiving than a computer computers don't like to be shut down suddenly and you end up really flashing your SD cards online when when things go south with Callie Callie does not like to be just gracelessly shut down if you don't do it an actual shutdown that perhaps really

bad never did we figure out why there are a lot of packages that you're going to expect in a Linux distribution that are not on the raspbian or the the Callie distro for our little things like coral so you have to update those and you kind of fall into dependency held that I know that's any Linux system really the xenon flash machine when I was actually taking pictures for these slides I break one of my tality raspberry PI's because the flash on my camera there's one little tip on there that apparently a really great light did flips it or something and it crashes it there's there's a couple really cool articles the Raspberry Pi 3 was first introduced

recommend or going to read those are kind of fascinating the TV remote control and I was running the TV it would bounced around in the tool box and I cracked the screen eventually with that that's why I'm going to the games eventually and I'd kept home I don't even have this TV anymore and I just found the the remote after I moved a couple years ago this lot server notes all over the place that you don't even have that hardware for anyone for the perfect concept I took somebody who's not a security guy we went through we built the raspbian image with the evw a put everything together this guy started going through a DW a walkthrough lab and everything

just started working right out of the box with the exception of the packages that I would expect him in Cali just weren't there and so you need to make sure that you install on your tooling before you have it off to a student that was a fair of my part I give this guy a system in the lab I said here you go step by step through this and oh hey this is missing that's missing that's missing but it worked pretty good pretty good and be quickly so I think that the the perfect concept proved out that someone not ever touching this stuff was able to go and start doing your home inoculation and things

like that he never really encountered before so it was a fun test of it wasting a privileged system the victim services I wanted more I wanted to throw stuff that we see a lot of like web servers databases what's in the real world I wanted to build more of those and I'm still looking at services they can be hit an attack that aren't necessarily intentionally weak but just what's what's out there and I wanted to have more of them you'd be get into a price stale issue and we have ten raspberry PI's all of a sudden the value aspect of this goes out the door the Kelly power damages if you if you don't shut down

before you power it off you were almost certainly risk corrupting the SD card and I think it's because the logs are always writing so you may be some log management where it's not not trying to do I owe the entire time I haven't quite figured that out but that's one of the things that this better and then there's a lot of fun something you can do 3d print cases or almost free play with Legos I really wanted to make like a little Lego supercomputer the Raspberry Pi as part of this and the lab needs to be improved we need to build more content in there and get more not necessarily a lab on Rails you know do this do that do that

pop the box but make it a better learning process and that's something that I'm I'm asking the community to help out so feel free to reach out to me if any of this resonating you feel like help them out then there's the pie top the pie pie top is a little laptop that it runs off of Raspberry Pi so they give you everything to build it it's like a two or three hour project and you can actually fit tea raspberry pies in there so you could have your victim server along with the attack server on one piece of equipment not even in the in the box it's kind of expensive very two three or four bucks

and tally doesn't make the high top release you might be able to get all the drivers and everything for that but probably better if you reverse engineer tally into the PI top release and start putting in let's play for him working things like that onto the pipe or at least he stepped out of SD cards of the nospace weights to make this whole thing cheaper that original display was under $100 I want to say it was like 80 or $90 looking at that and then the Gaines display at the time was about 170 did or you don't even need to use the Box concept you can just get a couple raspberry PI's hook one up to the TV the

other one runs headless you can also run these services locally you can install dvwa and you just attack yourself but because I'm a network guy I always want to see the traffic on the wire I want to be able to run pack the captures things like that so I liked having to physical boxes rather you find Zero's even cheaper the raspberry PI's it's kind of the original dongle hell though because you have to get the little not quite micro USB Micro USB adapters in order to power it and to connect things to they're not super powerful you might be able to use it though for the memory you we brought in Kalyan and you don't need

the toolbox and stuff like that either you can really build this lab out of $45 worth a year and plug it into a TV build materials is here a couple of raspberry PI's SD cards full box display again always still ethernet cables funny progress the the original build cost was under $300 and the game's display - you did there's ways to make this deeper and a little more accessible but the very distressing thing is that I started this like four years ago now you can go buy a laptop for tuner dollars to do all this - need a laptop but it's not know any respond and then you know how a Raspberry Pi Nalepa turn into a retro

violator the software is pretty easy razz me an Atlantic stack is your victim server the callee are described for the attack server dvwa support these guys all these projects are open and they're really great for training I can't thank dvwa enough because they gave me something that I could and not being the right team guy you know I didn't I didn't have a good idea of how to set something up to make it intentionally lauraball other than going and finding like Sugar CRM which is notoriously awful and setting that up and there's other other projects as well to what you know like the Mets quarter will be em I'd really like to take everything that makes the best voidable

Metasploit able and then throw it on the Raspberry Pi as well I have to thank these guys pope from BC 801 and grifter both were each help and sourcing a bunch of this stuff and coming up with ideas dvwa n hyperplane with DC 801 gave me a Python to play with my wife's out of the slides because I don't like these and the besides SLC her forced me to present this the first time and got me up on stage now given a to you guys I've also given this talk it be said Raleigh and I don't like public speaking so and this is a total silent no anything that you don't like the your own comfortable just

do it and force yourself and stretch so that's everything for me any questions you

you