Creating a Wi-Fi bridge to access the corporate network

In the summer of 2023, as part of an internship at one of the companies specializing in pentesting, I was entrusted with a project to automate the creation of an Ethernet/Wi-Fi bridge on a Raspberry Pi to be able to penetrate corporate networks through unprotected network sockets. The project was successful, and today I want to share this experience. This is especially true in the Russian-speaking segment of the Internet, where there is little information on this topic.

In this article we will look at the process of creating and automating an Ethernet/Wi-Fi bridge with
using Raspberry Pi and discuss potential security risks,
which may arise for corporate networks

An Ethernet/Wi-Fi bridge (Ethernet-to-Wi-Fi bridge or Wi-Fi-to-Ethernet bridge) is a device or software solution that allows you to connect two different networks: a wired Ethernet network and a wireless Wi-Fi network, providing exchange of data between them. A penetration tester or redtimer, being physically inside the company, can detect a network outlet and connect a “bridge” to it, which begins to work as an access point. By connecting to this access point, you can gain access to the company’s internal network.

A little about Malinka

The Raspberry Pi is a minicomputer designed and manufactured by the British firm Raspberry Pi Foundation. It is designed to provide an affordable and easy-to-use computer that can be used to teach programming, electronics, robotics, and other applications. Raspberry Pi is small in size, low in cost, and low in power consumption, making it an ideal choice for a variety of applications.

The choice of devices from the Raspberry Pi family is quite wide, but for this project I chose the Raspberry Pi 4B model. This model is a powerful single board computer capable of handling a variety of tasks. With 4GB of RAM and an ARM Cortex-A72 processor clocked at up to 1.5GHz, it delivers fast performance. Four USB ports allow you to connect a variety of devices, and built-in support for Wi-Fi and Bluetooth makes the Raspberry Pi 4b an ideal candidate for Ethernet/Wi-Fi bridging and similar tasks.

Preparing for work

To get started, you will need a Raspberry Pi and a Micro SD card with Raspberry Pi OS installed. To install the OS, use Raspberry Pi Imager, which can be downloaded and installed on your device. After installation, select the required OS version and memory card, and then record.

Now we can proceed directly to setting up and automating the operation of the bridge itself. There are several ways to do this, but first we need to update the OS of our Raspberry, this is done in the terminal using the commands:

sudo apt-get update
sudo apt-get full-upgrade
sudo reboot

Now let’s proceed directly to creating the “bridge”. As mentioned above, there are several ways. The most popular are the use of HostAPD and bridge-utils, these are powerful tools that can be used to create a Wi-Fi access point and configure a bridge between Ethernet and Wi-Fi interfaces on the Raspberry Pi. HostAPD allows you to turn your Raspberry Pi into a Wi-Fi hotspot, giving you the ability to manage network settings such as SSID and security. Then, using bridge-utils, you can create a bridge between Ethernet and Wi-Fi, allowing devices to communicate between networks.

However, I want to suggest a simpler method in which we will use only one tool, and at the same time its configuration is quite simple. I’m talking about a utility called RaspAP.

RaspAP is an open source project that allows you to create wireless routers from a variety of popular devices running the Debian operating system, including the Raspberry Pi. It offers an easy-to-use web interface for configuration, includes an ad blocker, and routes network traffic through the OpenVPN or WireGuard protocols.
Install RaspAP from the command line with the command:

curl -sL https://install.raspap.com | bash

Once installed, the Raspberry Pi will automatically reboot and the RaspAP settings will be set to default.

At this stage, we have already done the most difficult part. Now, every time you boot the Raspberry Pi, RaspAP will also automatically turn on and if you connect the RPi to an Ethernet outlet, we will automatically get an access point. But, if you paid attention to the default settings that RaspAP has after installation, you found DHCP working, i.e. we will have our own separate subnet, which was not part of our plans.

Let’s fix this, especially since it’s very easy to do.

Let’s move on to configuring RaspAP via the web interface. Enter the default address (10.3.141.1), username (admin) and password (secret) to access the RaspAP web interface. Go to the Hotspot > Advanced tab and enable the Bridged AP mode switch.

Then go to the Basic tab, where you can configure basic settings for the access point, such as name and network type. Complete the setup by going to the Security tab, where you set the password, encryption type, and other security settings. Save the changes. Your bridge is now configured and provides access to the local network through unsecured network outlets.

Testing

Throughout this article, we have configured the RPi to automatically operate as an Ethernet/WiFi bridge. Now it’s time to check our settings and the operation of the Raspberry Pi in conditions close to combat.

As a test environment, I suggest using a small local network consisting of two PCs and a server running Windows Server 2008. This network is routed through a router.

The server, as you already understood, has an IP address of 192.168.1.4.

And at this time, Malinka, connected to the network, began to distribute access to our network. I specifically gave a clear name to the network so that it is easy to identify.

Judging by the received IP address, the machine with Kali is located in the target grid.

But still worth checking. Therefore, we scan the network using a well-known utility, NMAP.

After the scan is completed, we receive the output of devices on the network. One of which belongs to the IP address of the target server. Let’s do a more targeted scan.

From the output of the scanner, we received confirmation that at the address: 192.168.1.4 there is indeed a machine with the server software installed. Having found out the version of which, we can assume the presence of the BlueKeep vulnerability, which is present in the RDP service, Windows Server 2008. Open port 3389 tells us that the service is active.

Using Metasploit, we are convinced of this.

Hence, we have verified that our configured bridge functions without any problems.

It is important to remember that the use of such methods should be limited to security testing with the consent of the network owners and in compliance with all legal regulations and laws.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *