Shells on Cells

For my talk I'll be going into how to setup a Raspberry Pi Zero W with a Cellular modem to provide out of band persistence inside a target network for the purpose of using it as a pen test drop box. On the technical side of things I'll provide a hardware summary and demo along with code examples to get it all working.

The setup is super basic. Using a cellular hat for the PI you can connect it via GPIO to the Pi, install PPP for whatever distro (my demo uses a Raspbian image), and configure the cellular modem with a PPP peer configuration for your cell provider. I'll also go over how to configure autossh so you can remote back from your C2.

Things that don't work yet are the direct cellular connection to the boxes using server mode on the modems allowing a tester direct shell access over cellular. I will be able to demonstrate how to connect to the hardware directly from within the cellular network. Additionally, with a properly provisioned SIM, you would get a routeable IP address from your provider.

You should walk away from this talk with the ability to configure a cellular modem with PPP and the ability to have it auto dial an SSH tunnel on boot. As well as a platform to build your pen test tools on.

As the CEO of Xcape, Inc., a Managed Services Provider in the greater Los Angeles area, Tj McClearin is both executive and lead hacker with a background in Corporate IT,...

Back to talks..