
Please help me hack my raspberry pi!


G+_Daniel Stagner

 

I need some help logging back into my Raspberry Pi (PiVPN). I live abroad and set up a Raspberry Pi at my parents' house the last time I was home in the States. I use PiVPN to view Netflix with a US IP address. A few years back Netflix started blocking subscription holders from viewing content over a VPN. I have looked into this and there is nothing I can do about it. So I set up PiVPN on my parents' residential IP.

 

I was connecting over the internet to their IP address, port 1194. They have an Xfinity router that allows port forwarding without much trouble. So, to be clear, the router was set up to forward port 1194 on the public side to port 1194 on the NAT-side IP of the Raspberry Pi. It worked fine for over a year. Then the other day it stopped responding. I used nmap to see if the Pi was still running, and it was. It was just ignoring me. So I looked at the PiVPN help page, and the same issue is reported by other users, having to do with an automatic update. No big deal, I just need to reissue the certs.

 

But now I need to know: how do I SSH into it from here in Japan over port 1194? I left SSH open on the Pi, but that is only on port 22. My parents are not tech savvy and don't even have a computer, just iPhones and the smart TV I got them for Xmas in 2016.

 

Is there a way to get through the router's firewall? Or use the port I left open to get to port 22 on the Pi? Or log into the router's web interface to open another port over the WAN from here?


Port forwarding is port + protocol specific on both the source and destination side. If 1194 (TCP?) is the only port you have open and it's mapped directly to port 1194 on the RPi, then that's all that will be publicly exposed.

 

You say your parents aren't tech savvy; is there anyone else who might be able to go to your parents' house? Do you have any other machines you can SSH into?

 

If yes: I would do a reverse port forward with SSH.

 

```
// Reverse tunnel to serverA from rpi
user@rpi $ ssh -R 2222:127.0.0.1:22 serverA

// SSH to rpi from serverA via reverse tunnel
user@serverA $ ssh -p 2222 127.0.0.1
```

 

If no: I would try to set up a VM and expose SSH on a non-standard port, then try the above.

 

Side note: I'm of the opinion that you should never expose known / standard ports to the public. As soon as you expose port 22 (or 1194) you'll start to get targeted attacks for the known service.

 

Instead set the externally facing port number to something completely random (under 65,536) and direct to the known port on the internal host.


Did you forget to give the Pi a static IP? LAN IP addresses tend to change, particularly after power failures...

Has your parents' home experienced a strong lightning storm? Thinking cooked Pi...

Did mum bump off the power supply? Tossing the FS, resulting in a hung boot routine...

Sorry, my thoughts...


OpenVPN typically uses UDP. When you tested the port did you test UDP or only TCP?

 

Do you have an automatic update script running on your Pi? I don't, but I had an issue a while back where the Android app updated and stopped supporting something used on the OpenVPN server. If that's the case for you, perhaps try an older OpenVPN client or another 3rd-party client?

 

My ISP (and maybe your parents) will respond to most TCP ports even if I don't have a service running on that port. Is it possible your parents IP changed and that IP is routing to someone else now? Or perhaps the ISP updated the router and broke your port forwarding?

 

I presume you've had someone unplug it and plug it back in already? You may have to use TeamViewer or something similar (Chrome Remote Desktop?) to get into your parents' PC and update accordingly.


I've never used PiVPN, so I don't know anything about it. But wouldn't the port the Pi uses be immaterial? I would think what matters is the port exposed to the internet (i.e. on the router). For example, have his router open port 65432 and forward it to 1194 used by OpenVPN.


Timothy F.

I did think of using that kind of setup when I thought up this idea of using my parents' IP address. I even posted on here asking how to do it, but I was never able to get it working. I may try again and set up a second Pi to send to my parents and ask them to plug it in with that setup. I hope it does not come to that. I will take better care of the ports in the future. But a standard port scan reveals nothing without seeing the certs up front.

 

Black Merc.

The Pi is up with DHCP, and the router was set up to assign the proper local IP to the Pi's MAC address. Nmap also shows that a host is up on that port.

 

Ben Reese

I used UDP. The PiVPN software has a checkbox for automatic updates. I checked the box.

 

The Pi is running a script that updates a file associated with my Google account with the public IP address every night.

 

I connected the Pi to a light switch in the spare bedroom. My dad cycled the power for me before this post.

 

No PC in the house to remote into. In truth, the only reason my parents have internet at all is that the ISP told them it was cheaper to get cable, internet, and phone service as a bundle.

 

Jeff Gros

SSH and OpenVPN can be set up to use passwordless certs for authentication. It's as safe as any other option. And Steve always says that security by obscurity is not a good option. But noted, I will change the setup once I get back on.

 

Ben Reese, and Jeff Ross

PiVPN can be set up on any port you want. So, in theory, you could have the router listen on port 55412 and forward what it hears to port 34956 on the LAN IP for your Pi. PiVPN can be set up to listen on said port, making the whole setup as obscure as possible.

 

So what y'all are telling me is that I need my sister to head over there with her laptop, because I have no chance of getting onto that RasPi.


A couple things of note:

 

The external port is independent of the internal port, as Jeff and Black mentioned. It's not security through obscurity, as you're not changing the underlying security mechanism (your password-less certificates, though if security is a concern you should use password-protected certificates), simply the externally facing listening port.

 

SSH can only communicate over stateful TCP and not stateless UDP, so even if you were able to move your port forward mapping to point to port 22 on your Pi, it would not communicate.

 

Hooking the Pi up to the light switch is a good idea for simple power cycles, though I would caution about data corruption (https://hackaday.com/2016/08/03/single-board-revolution-preventing-flash-memory-corruption/).

 

If you can get your sister over there with a laptop, try to have her set up a port forward on the router to expose public port 2233 (or whatever non-SSH port) mapped to RPi port 22.

 

You might also consider port knocking (https://en.wikipedia.org/wiki/Port_knocking) if you don't want to leave your SSH port open and listening full time. Though it will depend on your router's capabilities.



Wow! Sounds like you've exhausted most of your options then. The Google Drive public IP idea is brilliant! When you check the file, can you tell it was updated last night?

 

One more option if this is just for Netflix/Hulu/whatever... Set up PiVPN on a VPS hosted by Amazon, DigitalOcean, or Vultr. Vultr is always cheap ($3/mo now I think), but Amazon and DO always have good deals. AWS gives you the first year free, and I think the latest TWiT code for DO was $100 credit (~20 months at $5/mo). That should at least get you going again until you get back to the States or can get your sister over there.


A possible solution to this I saw in a Hak5 video promoting its LAN Turtle, where the user set up a cloud server (for cheap) as a VPN pivot point and configured the LAN Turtle (in this case, the Pi) to VPN to it. Once deployed behind any firewall, the user VPN'd into that pivot and back down to the deployed unit. No firewall holes, no mess.


I use a password on the client side for the VPN connection cert. But that is on the client side, just in case someone at Dropbox got a hold of my certs.

 

I was planning to just ask my sis to punch a hole to port 22 on the Pi through the router and use a random port on the outside. But that would certainly get me listed on Shodan, as stated by? (that post is missing?). Well, in truth I am not sure. I will try, and if my parents' TV gets hacked I will buy them a new one. I will give port knocking a try too.

 

Have you seen a good how-to on reverse tunneling? Will that work over SSH? I.e. call back to my home computer every hour, and if at the same time I happen to SSH in the other direction the ports will be open. Is this like port knocking?

 

Lol, I wonder if the data corruption is the cause. I do not think they used that room much. But I can imagine that every time they go in after dark the light switch is flipped and then turned back on after that fails to change the lighting situation.

 

The Google Drive thing is below. I combined it from a few how-tos I found online. It works well. It is working now.

 

I have tried Amazon and DigitalOcean; both only have blacklisted IP addresses as far as Netflix is concerned. But I did have fun trying.

_____

How to make a Python script and cron job to upload your IP address to Google Docs every hour or so. I do this on the RasPi I run my personal VPN from. It means that if my IP changes, the Google Doc will be updated with my new IP address.

 

Check this out to set up the upload at

 

https://thepi.io/how-to-use-your-raspberry-pi-to-monitor-broadband-speed/

 

and replace his code and his Python script with this code to return the IP address instead of internet speed.

 

```python
import os
import re
import subprocess
import time

# Ask OpenDNS which address it sees us coming from, via the `host` command
response = subprocess.run(
    ['host', 'myip.opendns.com', 'resolver1.opendns.com'],
    stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True,
).stdout

# Pull the address out of the "myip.opendns.com has address A.B.C.D" line
myip = re.findall(r'myip\.opendns\.com has address\s+(\S+)', response)
if not myip:
    raise SystemExit('could not determine public IP address')

# Emit the CSV header only when the log file exists but is still empty
try:
    if os.stat('/home/pi/myip/myip.csv').st_size == 0:
        print('Date,Time,MyIP')
except OSError:
    pass

print('{},{},{}'.format(time.strftime('%m/%d/%y'), time.strftime('%H:%M'), myip[0]))
```

 

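An added example, not from the post, of the check that the script's output makes possible: reading the Date,Time,MyIP CSV the cron job appends to and reporting every change of public address, so a new IP stands out instead of being buried in a list of identical rows. The sample rows are constructed here to match that format and are not real log data.

```python
import csv
import io


def parse_ip_log(text):
    """Parse the Date,Time,MyIP log written by the cron job. The header line is
    optional (the script only emits it when the file starts out empty)."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3 or row[0].lower() == 'date':
            continue                       # skip header / malformed lines
        rows.append((row[0], row[1], row[2].strip()))
    return rows


def ip_changes(rows):
    """Return (date, time, old_ip, new_ip) for every row whose IP differs
    from the previous row: the transitions worth noticing."""
    changes = []
    prev = None
    for date, clock, ip in rows:
        if prev is not None and ip != prev:
            changes.append((date, clock, prev, ip))
        prev = ip
    return changes


def current_ip(rows):
    """The most recently logged address, or None if the log is empty."""
    return rows[-1][2] if rows else None


# Constructed sample log (documentation-range addresses, not real data)
SAMPLE_LOG = """Date,Time,MyIP
03/01/19,02:00,203.0.113.10
03/02/19,02:00,203.0.113.10
03/03/19,02:00,203.0.113.10
03/04/19,02:00,198.51.100.77
03/05/19,02:00,198.51.100.77
"""

if __name__ == '__main__':
    rows = parse_ip_log(SAMPLE_LOG)
    for date, clock, old, new in ip_changes(rows):
        print(f'{date} {clock}: {old} -> {new}')
    print('current:', current_ip(rows))
```

Run it against the downloaded myip.csv instead of SAMPLE_LOG; a non-empty change list with a recent date is the first thing to check before assuming the service itself broke.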

Port knocking? No, not by any means.

Hak5.org vids are up and show and explain it in detail. But the short of it is, the VPN pivot cloud is an extension of the network you want to be seen in (Netflix will see a stateside IP). You VPN to that pivot and you're a part of that network. You could even print to your parents' networked printer if you wanted, from anywhere.



I don't have any tutorials for SSH reverse tunneling, but I'll explain a little more:

 

SSH can carry any data through an encrypted tunnel [client] <=> [serverA]. You can use this encrypted tunnel to funnel traffic and turn either the client or the server into a type of relay or switch.

 

Local tunnels bind to ports on [client] and funnel the traffic that hits the local port to the server side and off to a specific destination. Similar to the port forwarding you're doing on the router.

 

```

[client]$ ssh -L 2222:internal.server:22 user@remote.server.tld

[user@remote.server.tld]$

```

 

```

[client]$ ssh user@localhost -p 2222

[user@internal.server]$

```

 

Dynamic tunnels bind to a port on [client] and funnel the traffic that hits the local port to the server side and off to an unspecified (dynamic) destination. This, in effect, turns the SSH server into a SOCKS proxy.

 

```

[client]$ ssh -D 54321 user@remote.server.tld

[user@remote.server.tld]$

```

^ then configure your browser for a SOCKS proxy at localhost:54321 to route your network traffic (https://getfoxyproxy.org/).

 

Reverse tunnels reverse the aforementioned tunnels in both where the listening port binds and the direction of traffic flow. The listening port binds on [server] and the traffic flows from server to client. If you provided a specific target for the traffic then it's a reverse local tunnel, otherwise it's a reverse dynamic tunnel.

 

```

[client]$ ssh -R 3333:localhost:22 user@remote.server.tld

[user@remote.server.tld]$

```

 

```

[client-japan]$ ssh user@remote.server.tld

[user@remote.server.tld]$ ssh 127.0.0.1 -p 3333

[user@client]$

```

 

Port knocking refers to sending dummy packets (TCP SYN packets without the expectation of the three-way handshake completing) to specific ports on the edge of a network, e.g., a TCP SYN packet to ports 13024, 42895, 55221, 12255. When the router sees dropped packets on those specific ports in that specific sequence (usually within a specific amount of time), the router opens a specific port for a time window. Once the time window expires the router re-closes the port (maintaining ESTABLISHED/RELATED connections in the firewall state table).

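As an added example (mine, not from the post), here is the sequence-and-window logic the last paragraph describes, in Python: a tracker fed dropped-SYN events (source, port, timestamp) that marks a source as allowed only when it hits the four example ports in order within a window, and expires that allowance afterwards. The events below are constructed; a real deployment would feed it from firewall drop logs or a packet capture, and would turn "open" into an actual firewall rule for that source.

```python
class KnockTracker:
    """Track port-knock sequences per source address.

    sequence  - ports that must be hit in this order
    window    - seconds allowed from the first knock to the last
    open_for  - seconds the 'door' stays open once the sequence completes
    """

    def __init__(self, sequence, window=10.0, open_for=30.0):
        self.sequence = list(sequence)
        self.window = window
        self.open_for = open_for
        self._progress = {}    # src -> (knocks matched so far, time of first knock)
        self._open_until = {}  # src -> expiry timestamp

    def observe(self, src, port, ts):
        """Feed one dropped SYN. Returns True if this knock completes the sequence."""
        matched, started = self._progress.get(src, (0, ts))
        if matched and ts - started > self.window:
            matched = 0                      # too slow: start over
        if port == self.sequence[matched]:
            if matched == 0:
                started = ts
            matched += 1
        elif port == self.sequence[0]:
            matched, started = 1, ts         # wrong port, but a fresh first knock
        else:
            matched = 0                      # wrong port: reset (scanners land here)
        if matched == len(self.sequence):
            self._progress.pop(src, None)
            self._open_until[src] = ts + self.open_for
            return True
        self._progress[src] = (matched, started)
        return False

    def is_open(self, src, ts):
        """True while src's time window is still open."""
        expiry = self._open_until.get(src)
        if expiry is None:
            return False
        if ts >= expiry:
            del self._open_until[src]
            return False
        return True


KNOCK_SEQUENCE = [13024, 42895, 55221, 12255]   # the post's example ports

# Constructed SYN events: (timestamp, source, destination port)
SAMPLE_EVENTS = [
    (0.0, '10.0.0.5', 13024), (1.0, '10.0.0.5', 42895),   # correct knock
    (2.0, '10.0.0.5', 55221), (3.0, '10.0.0.5', 12255),
    (0.0, '10.0.0.6', 12255), (0.5, '10.0.0.6', 13024),   # ascending port sweep,
    (1.0, '10.0.0.6', 42895), (1.5, '10.0.0.6', 55221),   # a scanner's order
    (0.0, '10.0.0.7', 13024), (15.0, '10.0.0.7', 42895),  # right ports, too slow
    (16.0, '10.0.0.7', 55221), (17.0, '10.0.0.7', 12255),
]


def replay(events, sequence=KNOCK_SEQUENCE, window=10.0, open_for=30.0):
    """Run events through a tracker; return {src: timestamp the door opened}."""
    tracker = KnockTracker(sequence, window, open_for)
    opened = {}
    for ts, src, port in sorted(events):
        if tracker.observe(src, port, ts) and src not in opened:
            opened[src] = ts
    return opened


if __name__ == '__main__':
    print(replay(SAMPLE_EVENTS))
```

Note what this does and does not buy you: the knock sequence travels in the clear and anyone watching the path can replay it, so it hides the SSH port from scanners but is not authentication. Keep key-based SSH behind it, and treat the open window as a narrowing of exposure rather than a lock.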

Ok guys. I have once again proven that I should not be trusted with anything more complicated than a box of brightly colored Legos. My sister showed up and called, and I asked her to look up the public IP address. It turns out I was not looking too closely at the dates on my CSV file. It was a simple change of public IP address. And yes, it was logged; I could have scrolled down a bit and would have seen the change. All is good now.
