I have been a fan of the gadgets produced by Hak5. For example, you can find a post I wrote on the WiFi Pineapple HERE. I picked up the latest tool from Hak5, known as the LAN Turtle, at DEFCON23 and have configured it to auto SSH to a server hosted in the cloud (thanks to Aamir aka DrChaos for the server). This post gives an overview of the LAN Turtle and covers how to set up auto SSH to remotely access the LAN Turtle, as well as a cloud folder to easily move data off a target network.
The LAN Turtle is a small USB to Ethernet adapter that runs the LAN Turtle application. Hak5 was charging $50 for it at DEFCON, making it an extremely cost effective penetration testing option. It leverages the most basic USB to Ethernet drivers, so most systems should auto enable it when it is plugged into a USB port, without needing to download any external drivers. By default, the Ethernet side uses DHCP to establish an outside connection while the USB side provides an internal subnet of 172.16.84.X where the turtle acts as 172.16.84.1. The local computer can access the LAN Turtle network by using PuTTY and connecting to 172.16.84.1. It is also recommended, but not necessary, to change the PuTTY translation to ISO-8859-1 Europe.
Once you PuTTY into the turtle, you will need to log in using the default user name root and password sh3llz. You will be asked to change your password before you see the turtle software. You can also do this later under the config menu.
The first thing you should do once you access the turtle software is to check for updates. This option is found under the Config menu. Updating the Turtle will re-flash the Turtle wiping any previous configurations.
Once updated, you will have to log in and create a new password again. The next step is accessing the Modules under the main menu. You will find you have only one module, called the module manager. Select that and there will be the option to download modules from the LAN Turtle directory (you must be online to do this, aka have a live Ethernet port connected). Use that to download all the available modules. Once downloaded, you should see a ton of available modules as shown in the next screenshot.
This is all good, however as of now only systems on the same network can access the LAN Turtle, and the LAN Turtle is limited to pen testing that environment. What is more useful is setting up an auto SSH connection so the Turtle can be accessed remotely from anywhere. There are two modules designed for this.
Before proceeding, you will need a cloud server with SSH so the Turtle can connect to it. You can rent a server online, however make sure you have root access to it. For example, Amazon cloud doesn’t offer this when using their free service. You will need to create an SSH user name and password on your cloud server.
Once your cloud server is set up, you are ready to configure the LAN Turtle. First go to the modules section and select keymanager. This is where you will create and copy over the RSA key, since the LAN Turtle will need to use this to log into the server without typing a password. Go under the configure menu and you will see the first option is to generate a key. Click this and wait a few minutes for a new key to be created. Once created, you need to copy that key to your cloud server. You will need a root level user and password to accomplish this. The second option on the keymanager configure menu is to copy. Enter your cloud server IP address, the SSH port (typically 22), and the user you created on your cloud server. Click submit and you will be asked to enter that user’s password. The next screenshot shows a user myuser for a server 10.1.1.2.
If successful, you should see a popup saying that the key is copied. You can verify the key copied under the keymanager config menu option review.
Next you need to set up AutoSSH. That is a separate module, meaning you need to go back to the main module menu. Access the AutoSSH module and click configure. You will need to enter the [email protected] so for my example it's [email protected]. Leave the other settings at their defaults and click submit.
Go back to the AutoSSH menu and start the service and you should be able to access your LAN Turtle from anywhere using your cloud server. Next to the start option is the option to enable upon boot up so the LAN Turtle will always be listening for a connection whenever plugged in. This means you can sneak this on a system, walk away and access it later.
The next screenshot shows accessing the turtle over SSH via my cloud server. I logged into my cloud server and typed ssh [email protected] -p 2222 since I’m root on my LAN Turtle, and that gets me into my LAN Turtle from my cloud server as shown.
This is rad, however another cool thing to do is set up a folder so you can drag and drop data from your target network to your cloud server. There is a module called SSHFS that is used for creating a file share. Access your cloud server and create a folder for storing data (note the path). Next access the turtle and go to the module SSHFS. You will be asked for your cloud server IP, port (typically 22), user name and path to your folder on your cloud server. Once that is created, you should not see an error message, meaning it found your folder (if you see the error message, you probably put in the wrong file path).
To test this, I accessed my cloud server and created a folder called turtle under the home directory (mkdir /home/turtle). I accessed my LAN Turtle and exited the turtle software, bringing up the command line inside the LAN Turtle (BTW to get back to the turtle GUI, just type turtle). I created a file called testing.txt to symbolize creating something. That file was sent to my cloud server automagically, as shown on the brown terminal.
So at this point, I can plug the LAN Turtle into a server, computer or any system that will install the drivers for a USB to Ethernet adapter on a target network (pretty much any computer I can get physical access to). I can plug the LAN Turtle into the network and later access it from anywhere using my cloud server. I have an active file share so any data found during my pen test can be quickly transferred over to my cloud server via just saving it on the LAN Turtle as it will be auto sent to the cloud file share. The Turtle has many other modules designed for penetration testing so anything on the same network as the LAN Turtle is pretty much a potential target.
The scary question to ask is “Do you think your coworkers would recognize this USB to Ethernet adapter on the network?” Most likely they wouldn’t, making this an extremely effective back door tool for remotely owning a network once planted.
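One way to answer that question from the defender's side, as an added example that is not part of the original post: the sketch below flags endpoints that have picked up an address in the default 172.16.84.X USB-side subnet described above, and internal hosts holding long-lived outbound SSH sessions. The hostnames, inventory lines, flow records, the 10.0.0.0/8 internal range and the one-hour threshold are all constructed assumptions.

```python
import ipaddress

# Default USB-side subnet handed out by the LAN Turtle, as stated in the post.
TURTLE_NET = ipaddress.ip_network("172.16.84.0/24")
# Assumption: the organisation's internal address space.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample: "hostname<TAB>one line of `ip -4 -o addr show`" per endpoint.
SAMPLE_INVENTORY = """\
ws-014\t2: eth0    inet 10.20.30.14/24 brd 10.20.30.255 scope global eth0
ws-014\t5: usb0    inet 172.16.84.153/24 brd 172.16.84.255 scope global dynamic usb0
ws-022\t2: eth0    inet 10.20.30.22/24 brd 10.20.30.255 scope global eth0
srv-db1\t3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
"""

# Constructed sample flow records: src,dst,dst_port,duration_seconds
SAMPLE_FLOWS = """\
10.20.30.14,10.20.30.5,22,340
10.20.30.77,203.0.113.50,22,86400
10.20.30.22,198.51.100.9,443,7200
"""

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def hosts_on_turtle_subnet(inventory):
    """Return (host, interface, ip) for interfaces addressed in TURTLE_NET."""
    hits = []
    for line in inventory.splitlines():
        host, _, rest = line.partition("\t")
        fields = rest.split()
        if "inet" not in fields:
            continue
        addr = ipaddress.ip_interface(fields[fields.index("inet") + 1])
        if addr.ip in TURTLE_NET:
            hits.append((host, fields[1], str(addr.ip)))
    return hits

def long_lived_outbound_ssh(flows, min_seconds=3600):
    """Return (src, dst, seconds) for internal-to-external port 22 flows
    that stayed up at least min_seconds."""
    hits = []
    for line in flows.splitlines():
        src, dst, port, dur = line.split(",")
        if (int(port) == 22 and int(dur) >= min_seconds
                and is_internal(src) and not is_internal(dst)):
            hits.append((src, dst, int(dur)))
    return hits

if __name__ == "__main__":
    print(hosts_on_turtle_subnet(SAMPLE_INVENTORY))
    print(long_lived_outbound_ssh(SAMPLE_FLOWS))
```

The subnet check only catches a device left on its default addressing, so pair it with alerting on new USB network adapters and with the egress check.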
Check out lanturtle.com for more details on this cool tool.