MitM Rpi Passive Ethernet Sniffer

In the movies you might have seen those devices spies place to sniff a computer's network connection by sitting in the middle of its ethernet link.  I thought this would be cool to do, and it turned out to be super easy with the right commands on a Raspberry Pi.  There are also some awesome, very practical uses for something this low cost and cheap to run.

MiTM Rpi

The Raspberry Pi I set up has two ethernet interfaces (and a wireless one as a bonus, broadcasting a wifi hotspot).  It uses the on-board port built into the board (eth0) and an external USB-to-ethernet adapter that the Pi recognized out of the box, with no extra configuration, as eth1.

Pi Setup

I made a small script that can be run at boot by putting it in /etc/rc.local.  It sets up the two interfaces so that traffic flows straight through the Pi:

createbr.sh:
#!/bin/sh
# Clear any IP address from the two physical ports and bring them up;
# the bridge, not the ports, will carry the Pi's own address.
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
# IP forwarding is not needed for a layer-2 bridge (frames are switched,
# not routed), but it is harmless to leave on.
echo "1" > /proc/sys/net/ipv4/ip_forward
# Create the bridge and attach both ports, so frames arriving on one
# port are forwarded out the other.
brctl addbr bridge0
brctl addif bridge0 eth0
brctl addif bridge0 eth1
# Give the bridge itself an address so the Pi can be reached from either side,
# then bring it up.  Check the result with: brctl show bridge0
ifconfig bridge0 10.0.0.110 netmask 255.255.255.0
ifconfig bridge0 up

Now we still have our two eth0 and eth1 interfaces that look like this:

eth0andeth1

However now we also have our special bridge0 interface that looks like this:

bridge0

Now the cool thing is that 10.0.0.110 is the Pi's IP address, and it can be reached through either eth0 or eth1.

Now we insert the Pi between a victim computer and its connection to the switch:

20160706_161605

The Rpi can now see all the traffic passing through it!  So if we run a simple tcpdump command:

# -n: no name lookups, -s 0: capture whole packets, -w: write a pcap file, -i: listen on the bridge
tcpdump -n -s 0 -w sniff.cap -i bridge0

We see all traffic from the victim computer! (truncated)

sniff

Now unless you are on the same network as the victim (so you can reach the Pi at 10.0.0.110), you can't really get at the capture files until you retrieve the device.  However, the cool part is that I have a wifi interface running hostapd and isc-dhcp-server that acts as a fully working wifi access point.  So after the device is planted, it can be connected to remotely and used to download the capture files, just like a spy!

Practical Uses

There are a few awesome practical uses for this.  Imagine just installing Snort, the intrusion detection system, and listening on the bridge!  You could catch some sketchy traffic you didn't know about leaving or entering your computer.  You could also set up a low-cost firewall, of course, or a spam filter or web filter.  You could even make a parental control system that shuts off the internet after a certain time using a cron job that runs:

ifconfig bridge0 down

at 10pm, then brings it back up at 8am or so.  You could even get clever and shut off the internet only for your kids by adding an iptables rule that denies all traffic except from a few MAC addresses of your own devices.  Comment if you think of another cool use!
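The curfew-with-an-allow-list idea above, written out as a script.  This is an added example, not code from the original post: it generates ebtables rules, which filter bridged frames at layer 2 (iptables only sees bridged traffic when br_netfilter is loaded), and it defaults to dropping anything whose source or destination MAC is not on the list.  The MAC addresses, the script path and the cron times are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a curfew script for bridge0 that
# keeps only an allow list of MAC addresses working. ebtables filters bridged
# frames directly, so no br_netfilter setup is needed.
# The MACs below are constructed sample values.

ALLOWED_MACS="b8:27:eb:00:00:01 00:11:22:33:44:55"

# Commands for curfew mode: default drop, then accept frames to or from each
# allowed MAC. Broadcasts (ARP, DHCP) sent by an allowed device still pass
# because the source MAC matches; replies to it pass on the destination MAC.
curfew_rules() {
    echo "ebtables -F FORWARD"
    echo "ebtables -P FORWARD DROP"
    for mac in $ALLOWED_MACS; do
        echo "ebtables -A FORWARD -s $mac -j ACCEPT"
        echo "ebtables -A FORWARD -d $mac -j ACCEPT"
    done
}

# Commands for open mode: everything forwards again.
open_rules() {
    echo "ebtables -F FORWARD"
    echo "ebtables -P FORWARD ACCEPT"
}

# Number of commands curfew mode produces (sanity check before scheduling it).
curfew_rule_count() { curfew_rules | wc -l | tr -d ' '; }

# apply MODE: with DRY_RUN=1 only print the commands, otherwise run them
# (needs root on the Pi).
apply() {
    case "$1" in
        curfew) gen=curfew_rules ;;
        open)   gen=open_rules ;;
        *)      echo "usage: $0 curfew|open" >&2; return 2 ;;
    esac
    if [ "${DRY_RUN:-0}" = "1" ]; then "$gen"; else "$gen" | sh; fi
}

# Only dispatch when run with an argument, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    apply "$1"
fi
```

Saved as /usr/local/bin/bridge-curfew.sh (an assumed path), the two cron lines would be `0 22 * * * /usr/local/bin/bridge-curfew.sh curfew` and `0 8 * * * /usr/local/bin/bridge-curfew.sh open`.  Run it once with `DRY_RUN=1` to review the rules before scheduling.  Keep in mind that a MAC address is trivial to change on the device it belongs to, so this is a convenience control, not a security boundary.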

Lessons

This can even be scaled up greatly (given you hopefully have a quad-core Pi 2 or 3): imagine putting this between a subnet's uplink and the router or the internet.  You may not be able to see intranet traffic between LAN computers, but anything going to the outside world would be captured by the Pi!

This small device goes to show the importance of physical security when it comes to ethernet.  The device does not show up in any traceroute through it, and if you assigned an address like 0.0.0.0 to the bridge, it would be totally invisible!  Especially if you disable the wifi hotspot and just retrieve the device later, the device is undetectable!  However, if you think there is a way to detect this device, please let me know in the comments!  I'd love to hear about it.
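One detection angle, as an added example that is not part of the original post: a bridge with no IP address does not answer ARP, but inserting it still means unplugging and replugging the cable, so the host (and the switch port) log a link-down/link-up pair, and because a Pi 2 or 3 has a 10/100 port the link usually comes back at 100 Mbps where it was 1000 Mbps before.  The script below reads those events out of kernel log lines.  The log lines are constructed for the example in the format the e1000e driver prints, and the interface names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: spot the cable unplug/replug that
# inserting an inline device causes, by reading link-state lines from the
# host's kernel log. SAMPLE_LOG is constructed for the example; on a real
# machine feed in the output of dmesg or journalctl -k instead.

SAMPLE_LOG='Jul  6 16:10:01 host kernel: e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
Jul  6 16:15:32 host kernel: e1000e: eth0 NIC Link is Down
Jul  6 16:16:05 host kernel: e1000e: eth0 NIC Link is Up 100 Mbps Full Duplex, Flow Control: Rx/Tx
Jul  6 16:20:11 host kernel: e1000e: eth1 NIC Link is Down'

# link_flaps IFACE LOG: number of Down-then-Up pairs seen for IFACE
link_flaps() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $0 ~ (ifc " NIC Link is Down") { down = 1 }
        $0 ~ (ifc " NIC Link is Up")   { if (down) { flaps++; down = 0 } }
        END { print flaps + 0 }'
}

# link_speed_changed IFACE LOG: "yes" if the link came back at a different
# speed than it had before, "no" otherwise
link_speed_changed() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $0 ~ (ifc " NIC Link is Up") {
            for (i = 1; i <= NF; i++)
                if ($i == "Mbps") {
                    if (prev != "" && $(i-1) != prev) changed = 1
                    prev = $(i-1)
                }
        }
        END { print (changed ? "yes" : "no") }'
}

# report IFACE LOG: one-line verdict suitable for a monitoring cron job
report() {
    flaps=$(link_flaps "$1" "$2")
    speed=$(link_speed_changed "$1" "$2")
    if [ "$flaps" -gt 0 ] || [ "$speed" = "yes" ]; then
        echo "$1: SUSPECT ($flaps link flap(s), speed change: $speed)"
    else
        echo "$1: ok"
    fi
}

report eth0 "$SAMPLE_LOG"   # eth0: SUSPECT (1 link flap(s), speed change: yes)
report eth1 "$SAMPLE_LOG"   # eth1: ok
```

A single flap is of course also what a cleaner or a kicked cable produces, so this is a trigger for a physical check of the port rather than proof of a tap; the speed downgrade narrows it down considerably on a gigabit network.  Running the same check on the switch's own port logs catches the case where the victim host is off when the device is planted.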

All it needs is a proper black box and it’s good to go!

2 thoughts on “MitM Rpi Passive Ethernet Sniffer”

  1. I talked with a pentester one time who took a Pi + 3G hat + wireless card + battery pack and packaged it all up and mailed it to the company he was testing. Once the device hit their mail room he connected to it via the 3G connection, then started attacking the wifi with the wireless card. Eventually he cracked the wifi, had access to the network and was able to pop a box and set up persistence before the Pi battery died.

    As for ways to detect the device, I think an ARP scan would be able to pick it up.

    One additional use case is installing Onion Tor on the pi, that way every time you put the device in place all of your traffic is running through tor for a layer of anonymity.

    1. That’s really cool! I am always impressed with how clever some pentesters are. As for the ARP scan, good point, although I believe setting the bridge ip to 0.0.0.0 should make it not reply to any ARP requests? Finally that’s very true about running tor. Even running tor through the VPN too!
