Aaron Vigal’s Website

Programming, Security & Computer Science

Poison Tap on Raspberry Pi Zero

PoisonTap on Raspberry Pi Zero

Today we are going to look at how to install Samy Kamkar’s PoisonTap on the Raspberry Pi Zero. This was an exploit designed to bypass locked and password protected computers over USB to install a persistent back-door and siphon cookies from your browser.

How it works:

When PoisonTap is plugged into a locked computer it emulates an Ethernet over USB device and gives the machine a crafted DHCP packet to trick your computer into believing that it should pass all of it’s network traffic through the PoisonTap.

Installing an OS on your Pi:

The first thing we are going to do is install an operating system on your Raspberry Pi Zero. I’ll be using Raspbian Jessie (recommended) all though lots of other systems work too.

Download Raspbian Jessie LITE from the Raspberry Pi Website and drag the .img file into a safe location. Now for burning the image onto your SD card. The process is the same across every operating systems, just with a different program. These are the programs I would recommend using:

MacOS: Apple Pi Baker

Windows: Win32 Disk Imager

Linux: Brasero (pre-installed)

Let that image burn onto the SD card and when it’s finished, move on to the next section to begin making the changes to boot partition.

Configuring the boot partition

By default, Raspbian disables some of the features that we want to take advantage of to allow us to get into the pi. First we are going to add the following line to the end of /boot/config.txt:


This is going to allow us to load modules onto the Raspberry PI itself. Now we need to actually load those modules. Add the following code segment after rootwait in /boot/cmdline.txt:


Finally, as of late 2016, Raspbian has disabled SSH by default so we need to go re-enable it. To do this, we simple need to create a new file called ssh with no extensions in /boot/ssh. This file doesn’t need any contents, it simply has to exist.

SSH into the Raspberry Pi

Next we need to gain control over the pi via SSH. To do this, plug your Raspberry Pi into your computer over USB and make sure you are using USB input not PWR! This is essential since you cannot transmit any data over the power microUSB. Open up your terminal and type the following:

ssh pi@raspberrypi.local

When prompted for a password, type raspberry. These are the default credentials for the Raspberry Pi. You can go change these later by typing raspi-config.

Installing PoisonTap

If you are not using the Lite version of Raspbian for installing PoisonTap, you can this step. But the Lite version doesn’t ship with git installed, so we need to do that:

sudo apt-get install git

Next we need to clone Samy Kamkars repository onto the Pi. We can do this with the following command:

git clone https://github.com/samyk/poisontap.git

Now change directories into the new folder named poisontap:

cd poisontap

Now, we can run a simple setup script written to do all the dirty work for you to setup the files to run on boot, etc.

echo -e “\nauto usb0\nallow-hotplug usb0\niface usb0 inet static\n\taddress\n\tnetmask” >> /etc/network/interfaces
echo “dtoverlay=dwc2” >> /boot/config.txt
echo -e “dwc2\ng_ether” >> /etc/modules
echo “/bin/sh /home/pi/poisontap/pi_startup.sh” >> /etc/rc.local
mkdir /home/pi/poisontap
chown -R pi /home/pi/poisontap
apt-get update && apt-get upgrade
apt-get -y install isc-dhcp-server dsniff screen nodejs

The last thing we need to do in order to get PoisonTap up and running is to move the DHCP configuration file:

sudo mv dhcpd.conf /etc/dhcp/dhcpd.conf

You should now have an up and running PoisonTap device!
One note to take is that if your PoisonTap device is not acting as an Ethernet device as it should, you can change the VID and PID in pi_startup.sh to give it another shot!