Hak5 Forums
TheHermit

PoisonTap by Samy Kamkar


Samy Kamkar has released a tool called PoisonTap - https://samy.pl/poisontap/

tldr; 

siphons cookies, exposes internal router & installs web backdoor on locked computers

Created by @SamyKamkar || https://samy.pl

When PoisonTap (Raspberry Pi Zero & Node.js) is plugged into a locked/password protected computer, it:

  • emulates an Ethernet device over USB
  • hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
  • siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites
  • exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding (thanks Matt Austin for rebinding idea!)
  • installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common Javascript CDN URLs, all with access to the user’s cookies via cache poisoning
  • allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain
  • does not require the machine to be unlocked
  • backdoors and remote access persist even after device is removed and attacker sashays away

He says it should be possible to run on a LAN Turtle,

Quote

PoisonTap is built for the $5 Raspberry Pi Zero without any additional components other than a micro-USB cable & microSD card, but can work on other devices that can emulate USB gadgets such as USB Armory and LAN Turtle.

 

Anyone familiar with creating modules happy to look at this? Else you have to wait till I learn how to write modules.

 

 


What a beautiful setup. I would love to see this on a Turtle or, after review, maybe a Nano.

Let's have fun this weekend shall we 

 

 


The issue is that it requires NodeJS.

NodeJS requires an FPU or FPU emulation in the kernel, and is a rather large binary. Sadly, this won't happen anytime soon.


Thanks for letting me know. 


Has anyone gotten the poisontap to work successfully? It appears to function properly when looking at tcpdump on the target; but I never get anything reaching out to the nodejs control server. Also, how does one interact with the nodejs server? Navigating to the server's interface:port give a "sorry unknown url" error.

On 11/19/2016 at 3:21 PM, Sebkinne said:

The issue is that it requires NodeJS.

NodeJS requires an FPU or FPU emulation in the kernel, and is a rather large binary. Sadly, this won't happen anytime soon.

 

23 hours ago, b0N3z said:

 

Sorry, I wasn't clear in my post. I'm not referring to using this on any of my pineapples. I meant using poisontap in general according to the prescribed method.

On 11/19/2016 at 1:21 PM, Sebkinne said:

The issue is that it requires NodeJS.

NodeJS requires an FPU or FPU emulation in the kernel, and is a rather large binary. Sadly, this won't happen anytime soon.

@Sebkinne I understand that I could build a custom kernel that enables FPU support in order to get Node running, but what is the issue with the size of the node binary?  Disk space or RAM?  Is that a big enough problem that you think running Node code isn't viable on the Pineapple, even once FPU support is in the kernel?  Thanks!

16 hours ago, elimisteve said:

@Sebkinne I understand that I could build a custom kernel that enables FPU support in order to get Node running, but what is the issue with the size of the node binary?  Disk space or RAM?  Is that a big enough problem that you think running Node code isn't viable on the Pineapple, even once FPU support is in the kernel?  Thanks!

You may JUST be able to get node installed and have some room to breathe, but I honestly don't know without giving it a shot. It would also not run very smoothly, but it might be enough for poisontap to work.
