Catch me if you can

How to build a disposable attack box using a Raspberry Pi

This post describes the basic process of building an attack box on a Pi. The goal here is to introduce the concept and rationale for building a minimal-resource attack box - not to deep dive into each command.

If you’ve worked with me long enough, you’ve probably seen me whip out a Raspberry Pi and start coding. For years, I’ve started every serious project on a Pi with 1GB RAM before shifting the code to a laptop for continued development.

Why?

Resource management. Clean code. Efficiency.

Raspberry Pi’s leave little room for the clumsy mistakes that are a common by-product of rushing the early development stages. By starting on a Pi, I’ve been able to put proper thought into the foundation of the code before expanding into larger, more forgiving environments.

I’ve built small systems applications, custom malware and even high-performance, big data (billions of files of throughput) applications, all starting on a measly $35 Pi.

The other day, a Raspberry Pi 4, complete with 8GB of RAM, arrived at my doorstep. The plan for this one? Build a disposable attack box I can use in real-world red team operations. And I figured I’d blog it as I go, in case it helps other minimalist programmers like myself.

An attack box is the computer used to launch attacks. It can come in many shapes and sizes, such as a Windows or MacOS laptop, a virtual machine, a Vagrant image, or the most popular Kali or Parrot images on a Linux machine. I like Raspberry Pi attack boxes because they’re cheap and I can swap the SIM cards in/out for different experiences.


Step 1: Unboxing

Unboxing the Pi, I can see the my components.. the Pi, the case, the cords, the heat sinks and fan, the instructions. Tossing the latter aside, I start with the heat sinks. These little guys provide heat dissipation to the chips, to alleviate overheating.

Then, I move into installing the fan, which is as simple as plugging the red/black wires into the correct GPIO pins on the board. This isn’t really required but I hate the thought of overheating my new board - and since I’ll be enclosing it in the case - I’ll go on the side of safety and install the fan.

Note my pin placement on the board. The red wire could go in multiple locations, I chose the one which will run the fan at a slower speed. Moving the pin to a new location can speed it up but I’ll save that for the day I need higher performance.

Next, I add the case and insert the SD card. Then I plug it into my monitor, keyboard and mouse.. and voila!

Step 2: Installing

Because I bought a Pi with an included Raspbian OS, I can follow the prompts to install the operating system. Takes 10-15 minutes.

Through this, I will set my timezone, password and tinker with my screen resolution.

I have since repeated this process, using Manjaro Linux, as I like the ongoing release cycle the Arch Linux community uses.

Step 3: Adding my C2

Now for the fun part: adding my attack tools.

Prelude Operator is my daily driver, as a command and control (C2) center. I head to prelude.org and look around for a compiled ARM binary. No dice!

Hmm, stumped.

So I open Operator on my MacOS and click the help button, which dispatches a request to the Prelude development team. Within a few minutes @khyberspache gets a hold of me and I explain my case.


Yes, Alex is really that fast.

Downloading the binary, I go through the typical Linux install steps of making it executable and starting the program.

chmod +x operator-arm-binary
./operator-arm-binary

A few seconds later, I’m welcomed with the friendly Operator login page. Entering my email, and corresponding token, I’m able to log in. Moving on.

Step 4: Adding more tools

Operator is a post-compromise C2. Not a recon, initial access or throwing framework. So if I want to participate in these parts of the kill chain, I’ll have to add a few familiar tools.

I typically create a “toolbox” directory on my attack boxes and clone the tools I use into it. An all-inclusive operating system like Kali or Parrot is great - but for me, I have a small set of rotating tools that I already know well and I would rather use them on a stock ARM/Debian OS because it feels more quaint.

Back in “the day” I used to build my own operating systems using Linux From Scratch (LFS), as a way to create a minimal, 10MB operating system which was custom built around a kernel specifically to avoid fingerprinting from a memory forensics tool (like Volatility) if it was ever stolen from me.

Here are a few tools I like to use:

  • Metasploit (throwing framework)

  • NMAP and its speedy little sister, ZMAP (port scanning)

  • Burp Suite (general web spidering and HTTP proxy intercepting)


I hope you enjoyed this quick tutorial on an easy low-cost way to get an attack box online. If you’re not part of our Discord community, we’d love to see you there.