Hak5 LAN Turtle
- 1 Summary
- 2 Description
- 3 Use Cases
- 3.1 Remote access attacks with AutoSSH
- 3.2 Man-in-the-middle attacks with DNSSpoof
- 3.3 Information Gathering with nmap
- 4 Used Hardware
- 5 References
The LAN Turtle is a tool for penetration testers and system administrators disguised as a simple USB Ethernet adapter. It provides the means to perform remote access, man-in-the-middle and information gathering attacks. These functions are provided by the turtle modules which are preinstalled on the LAN Turtle. The turtle runs on the OpenWRT platform, which allows users to add customized modules. The turtle itself is housed in the casing of a generic USB-to-Ethernet adapter and can therefore be placed unnoticed in IT infrastructures.
Setting up the LAN Turtle
- Plug the LAN turtle into one of the USB ports of your computer.
- Your computer will get a 172.16.84.x address as soon as the startup sequence of the turtle has finished. If not, you have to statically configure an IP address from the 172.16.84.0/24 range.
- Connect to the turtle with
ssh root@172.16.84.1 and enter the password
- The simple menu-based shell interface will prompt you to change the password, but keeping the old one is also allowed.
- Then the LAN turtle can be configured and modules can be installed within the interface.
- If you exit the interface you will be greeted with a normal Linux shell, but you can open the interface again with the
Using the turtle modules
The LAN Turtle comes packed with pre-installed tools. Furthermore, it is possible to program your own modules or download them from the internet and configure them with the module manager as well.
AutoSSH is a service which provides persistent SSH connections. If an SSH session drops, it will be quickly re-established by AutoSSH. This service is typically used to provide a convenient and persistent reverse shell into the LAN Turtle on the standard SSH port 22 - though it may be configured with any standard SSH parameters to forward any arbitrary port.
- host: The username and hostname (DNS or IP), separated by @, for which to establish the SSH connection.
- port: The port number the remote server will bind (default 2222).
- listen port: The port number on the LAN Turtle to which the remote port is forwarded (default 22).
Example: Per the defaults, the remote server will bind its local port 2222 back to the LAN Turtle port 22. In this scenario one may establish a persistent connection to their LAN Turtle from this reverse shell by first connecting to the public server, and then from there establishing an SSH connection to port 2222.
Cron is a job scheduler which can be used to start and stop modules at specific times or regular intervals using the 'start' and 'stop' commands.
DNSSpoof forges replies to arbitrary DNS address / pointer queries on the LAN. This is useful for bypassing hostname-based access controls, or for implementing a variety of man-in-the-middle attacks. For example, the IP address returned for a client lookup of the domain "example.com" can be replaced with that of the LAN Turtle itself, or of a third-party server. In this scenario, a computer that connects to the internet through the LAN Turtle and attempts to browse to this domain may be redirected to the spoofed IP.
With the Keymanager module you can create RSA keypairs and copy them to the public server. This is needed when AutoSSH is configured.
This module deploys a persistent shell to the Metasploit Framework on another machine.
The Nmap-Scan module uses nmap to discover running devices and their open ports on the current LAN.
OpenVPN enables remote access to the LAN Turtle and optionally to the network on which it resides. It also allows the captured data to be sent to your operating network.
SSHFS (Secure SHell FileSystem) is a file system for Linux (and other operating systems with a FUSE implementation, such as Mac OS X or FreeBSD) capable of operating on files on a remote computer using just a secure shell login on the remote computer. On the local computer where the SSHFS is mounted, the implementation makes use of the FUSE (Filesystem in Userspace) kernel module. The practical effect of this is that the end user can seamlessly interact with remote files being securely served over SSH just as if they were local files on his/her computer. On the remote computer the SFTP subsystem of SSH is used.
URLSnarf allows you to capture which websites were accessed by the plugged-in computer. URLSnarf only works with unencrypted HTTP web pages, which are hard to find today.
The LAN turtle can be deployed in various use cases, which can be divided into three categories:
- remote access attacks with AutoSSH or OpenVPN
- man-in-the-middle attacks with URLSnarf or DNSSpoof
- information gathering with Nmap-Scan
Remote access attacks are used to gain access to a private network from a remote location in order to launch further attacks from inside the network. This makes those attacks a lot easier, because they no longer have to bypass a router or firewall. All the attacker needs is the pre-configured LAN Turtle inside the network and a remote server on the internet. To provide remote access, the LAN Turtle builds a tunnel to the remote server so the firewall cannot inspect the traffic. Finally, the attacker can access the LAN Turtle through the tunnel from the remote server. This attack can be performed with the AutoSSH or OpenVPN modules.
The LAN Turtle also allows man-in-the-middle attacks, in which the turtle intercepts the communication between two parties. To perform such an attack, the LAN Turtle must be connected to a USB port of the victim host and to the network cable that connects the host to the internal LAN. All traffic of the victim host then passes through the LAN Turtle and can be logged or altered. An attacker can use URLSnarf or DNSSpoof to perform such an attack.
The last use case is information gathering. The aim of this attack is to obtain information about the topology, the hosts and the protocols of an internal network in order to perform further attacks. This can be done with modules like Nmap-Scan.
The following step-by-step instructions will outline how to configure the LAN turtle in order to perform the different types of attacks.
Remote access attacks with AutoSSH
In this example, consider an internal network secured by a firewall and a public server on the internet controlled by the attacker.
Step 1: Generate RSA keypairs with Keymanager
- Open the Keymanager module and select
- host: remote SSH server
- port: remote SSH server port (typically 22)
- user: user on the remote SSH server
- password: password for the user on the remote host
Step 2: Configure AutoSSH
- Open AutoSSH and insert the following parameters:
- user@host: user and host to establish the SSH tunnel
- remote port: remote port to bind through the SSH tunnel (default 2222)
- local port: local port to bind the tunnel to (default 22)
- Submit the changes and start AutoSSH (or enable it for autostart)
Step 3: Access the LAN turtle from the remote server
- Connect to the remote server
- Connect locally to the remote port of the AutoSSH configuration by
- You are now on the LAN turtle, continue with further attacks
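On the defender's side, the AutoSSH setup above leaves a recognisable trace: a long-lived outbound TCP/22 session from an internal host to an external server that is re-established within seconds whenever it drops. The following is an added example written for this page, not code from Hak5 or the LAN Turtle; the internal address ranges, the flow-record layout and the thresholds are assumptions to tune per network.

```python
"""Added example, not from the LAN Turtle page or Hak5: spot the persistent,
auto-reconnecting outbound SSH session that the AutoSSH module keeps open."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: these RFC 1918 ranges are "inside"; anything else counts as external.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (start_s, duration_s, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    (0,    3600, "192.168.0.57", "198.51.100.20", 22),   # hour-long outbound SSH
    (3601, 5,    "192.168.0.57", "198.51.100.20", 22),   # dropped and re-established ...
    (3610, 7200, "192.168.0.57", "198.51.100.20", 22),   # ... within seconds (AutoSSH)
    (100,  30,   "192.168.0.12", "192.168.0.5",   22),   # internal admin SSH, ignored
    (200,  2,    "192.168.0.33", "203.0.113.9",   443),  # ordinary HTTPS, ignored
]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def find_persistent_ssh(flows, min_total=1800, max_gap=60):
    """Return {(src, dst): {...}} for internal->external TCP/22 sessions whose
    aggregate duration reaches min_total seconds, or that are re-established
    within max_gap seconds of the previous session ending."""
    spans = defaultdict(list)
    for start, duration, src, dst, port in flows:
        if port == 22 and is_internal(src) and not is_internal(dst):
            spans[(src, dst)].append((start, start + duration))
    hits = {}
    for key, sessions in spans.items():
        sessions.sort()
        total = sum(end - start for start, end in sessions)
        reconnects = sum(1 for (_, prev_end), (next_start, _) in zip(sessions, sessions[1:])
                         if next_start - prev_end <= max_gap)
        if total >= min_total or reconnects:
            hits[key] = {"total_seconds": total, "fast_reconnects": reconnects}
    return hits

if __name__ == "__main__":
    for (src, dst), info in find_persistent_ssh(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:22 {info}")
```

Legitimate long SSH sessions will also match, so the fast-reconnect count is the stronger of the two signals.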
Man-in-the-middle attacks with DNSSpoof
Step 1: Configure the spoofhost file
- Open the DNSSpoof module and go to "Configure"
- Add the DNS entries that the LAN turtle should spoof by entering the IP address and the spoofed DNS name
Step 2: Place the LAN turtle in the network
After configuring the spoofed hosts, place the LAN Turtle on the victim computer by simply plugging the turtle into a USB port of the computer and the network cable into the LAN Turtle.
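Seen from the defender's side, this attack leaves two traces worth checking in passive DNS data: a client may receive two answers for one transaction that disagree (assuming the forged reply arrives alongside the legitimate resolver's), and a public name starts resolving to a local address such as the Turtle's own. The code below is an added example, not part of the page or the LAN Turtle software; the record layout, the address ranges and the split-horizon allow-list are assumptions.

```python
"""Added example, not from the LAN Turtle page or Hak5: two checks for forged DNS
answers of the kind DNSSpoof produces, run over a constructed passive-DNS log."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 space is "local"; a public name answered from it is suspect.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records: (time_s, client_ip, txid, qname, answer_ip, responder_ip).
SAMPLE_RESPONSES = [
    (1.00, "192.168.0.57", 0x1a2b, "example.com",   "172.16.84.1",  "192.168.0.1"),  # forged
    (1.02, "192.168.0.57", 0x1a2b, "example.com",   "203.0.113.10", "192.168.0.1"),  # genuine, arrives later
    (2.00, "192.168.0.57", 0x3c4d, "intranet.corp", "192.168.0.10", "192.168.0.1"),  # legitimate split horizon
    (3.00, "192.168.0.12", 0x5e6f, "example.com",   "203.0.113.10", "192.168.0.1"),  # unaffected client
]

def find_conflicting_answers(records):
    """Group responses by (client, txid, qname) and return the groups whose A
    records disagree: one transaction should never yield two different answers."""
    answers = defaultdict(set)
    for _, client, txid, qname, answer, _ in records:
        answers[(client, txid, qname)].add(answer)
    return {key: ips for key, ips in answers.items() if len(ips) > 1}

def find_private_answers(records, allowed_suffixes=()):
    """Return {(qname, answer)} where a name not ending in an allowed internal
    suffix resolved to a private address (the 'redirect to the Turtle' case)."""
    hits = set()
    for _, _, _, qname, answer, _ in records:
        if qname.endswith(tuple(allowed_suffixes)):
            continue
        if any(ip_address(answer) in net for net in INTERNAL):
            hits.add((qname, answer))
    return hits

if __name__ == "__main__":
    print(find_conflicting_answers(SAMPLE_RESPONSES))
    print(find_private_answers(SAMPLE_RESPONSES, allowed_suffixes=(".corp",)))
```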
Information Gathering with nmap
As an example project we use the following modules:
- Cron to periodically start the attack
- SSHFS to save the captured information in a file on the remote server
- Nmap-Scan to discover the configuration and devices of the network
Step 1: Configure SSHFS
- Access the SSHFS module via the module manager
- Go to the configure tab and insert
- host: IP address of the remote server
- path: this can be left blank if you want to use the user's home directory
- Start SSHFS and enable it for start up
Step 2: nmap-scan
- Access the nmap-scan module via the module manager
- Go to the configure tab and insert the target range, e.g. 192.168.0.1-255 (this may differ for your network)
- Select the desired attack profile
- Save the configuration with execute
Step 3: cron job
- Add the following line to the cron configuration:
*/15 * * * * start nmap-scan
This line starts an nmap-scan every 15 minutes.
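A scan scheduled this way is easy to pick out of firewall logs on the defender's side: one internal host hits many host/port pairs in a short burst, and the bursts recur at a fixed interval (900 s for the cron line above). The code below is an added example, not from the page or the LAN Turtle software; the syslog-like line format, the sample lines and the thresholds are constructed assumptions.

```python
# Added example (not from the LAN Turtle page or Hak5): find periodic scan bursts,
# the footprint of "*/15 * * * * start nmap-scan", in constructed firewall logs.
import re
from collections import defaultdict

# Assumed syslog-like drop line: "<epoch> kernel: [FW-DROP] IN=... SRC=a DST=b PROTO=TCP DPT=n"
LOG_RE = re.compile(r"^(?P<ts>\d+) .*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*DPT=(?P<dpt>\d+)")

def make_sample_log():
    """Constructed: host .57 probes 40 host/port pairs at t=1000, 1900 and 2800; host .12 drops once."""
    lines = [f"{1000 + b * 900 + i} kernel: [FW-DROP] IN=eth0 SRC=192.168.0.57 "
             f"DST=192.168.0.{10 + i % 8} PROTO=TCP DPT={20 + i}"
             for b in range(3) for i in range(40)]
    lines.append("1500 kernel: [FW-DROP] IN=eth0 SRC=192.168.0.12 DST=192.168.0.10 PROTO=TCP DPT=445")
    return lines

def scan_bursts(lines, max_gap=10, min_targets=20):
    """Return {src: [burst_start, ...]}: a burst is a run of drops from one source with no
    quiet gap over max_gap seconds that hit at least min_targets distinct (dst, port) pairs."""
    events = defaultdict(list)
    for line in lines:
        if m := LOG_RE.match(line):
            events[m["src"]].append((int(m["ts"]), (m["dst"], m["dpt"])))
    result = {}
    for src, evs in events.items():
        evs.sort()
        bursts, start, last, targets = [], None, None, set()
        for ts, target in evs:
            if start is not None and ts - last > max_gap:   # quiet gap: close the burst
                if len(targets) >= min_targets:
                    bursts.append(start)
                start, targets = None, set()
            start = ts if start is None else start
            targets.add(target)
            last = ts
        if len(targets) >= min_targets:                      # flush the final burst
            bursts.append(start)
        if bursts:
            result[src] = bursts
    return result

def periodic_sources(bursts, tolerance=30):
    """Return {src: interval_s} for sources whose bursts recur at a near-constant interval."""
    out = {}
    for src, starts in bursts.items():
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance:
            out[src] = round(sum(gaps) / len(gaps))
    return out
```

A near-constant interval between bursts points at a scheduler rather than a one-off scan, which is the distinction that matters when triaging.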