Abstract: With the annual increase of APT attacks, conventional penetration testing methods can no longer meet the diversified demands for network security detection in the current environment. Therefore, this article studies covert penetration methods, proposing an embedded PT penetration method using Raspberry Pi as a spy device, focusing on often-overlooked physical security vulnerabilities. This method utilizes tunneling technology and camouflage techniques to disguise control flows as HTTPS streams, achieving covert communication between Raspberry Pi and the C&C server; at the same time, it employs the Tor network to ensure anonymous control for the penetrators, ultimately achieving a covert effect. Finally, through simulated experiments of penetration testing, the covert nature of this method is demonstrated, indicating the potential threats such attacks may pose, and providing reference for security personnel in defending against and detecting APT/PT attacks.
1 Introduction
Since Google reported the “Aurora Operation” in 2010[1], APT (Advanced Persistent Threat) attacks have become a hot topic in the security community. The main characteristics of APT attacks are their special targeting, high complexity, and strong concealment[2]. From the spear-phishing attacks of the Dark Comet operation to the multi-vector attacks of the Night Dragon operation, and to the Stuxnet virus exploiting multiple 0-day vulnerabilities, APT attacks have shown an escalating trend. Due to their covert nature, they can lurk within the target environment for long periods without detection, causing sustained significant harm to information security. This also represents a technical challenge for current security defenses and detection[3].
PT (Persistent Threat) attacks are a component of APT attacks. Compared to APT attacks, they lack complex and powerful targeted attack payloads, but possess covert communication methods that can hide attack code and establish network backdoors through camouflage, encryption, and obfuscation techniques, allowing for prolonged information theft and host manipulation within the target environment[4]. For example, Rootkits, backdoor programs, and some botnets fall within the category of PT attacks, while SQL injection, XSS, and DDoS attacks do not. Currently, there is relatively little research on penetration testing methods for APT/PT attacks, thus this article focuses on studying their covert characteristics through simulated experiments of penetration testing, providing information support to help security personnel understand attackers’ intentions and identify potential threats to systems.
2 Penetration Testing Model
The penetration testing model in this article is shown in Figure 1, and mainly consists of three parts: Raspberry Pi, C&C server, and Tor network. Raspberry Pi is a credit card-sized computer based on the Linux system, which has all the basic functions of a computer. Due to its high cost-performance ratio and excellent compatibility and scalability, it has become the preferred carrier for implanting physical backdoors. During the penetration testing process, it runs the most popular Kali Linux Raspberry Pi customized system, which integrates many necessary penetration tools to assist in penetration testing[5]. The C&C server is simulated using a cloud server with a public IP, running an Ubuntu 14.04 Server instance. Tor is installed on an Ubuntu 14.04 host for penetration testing purposes.

The workflow of the penetration testing is as follows:
(1) Use an instance with root privileges as the C&C server; (2) Configure the Raspberry Pi and implant it into the target environment; (3) After powering on the Raspberry Pi, it automatically establishes a persistent covert tunnel with the C&C server, bypassing firewall restrictions; (4) The penetrators connect to the Tor network to gain anonymity; (5) The penetrators log into the C&C server via the Tor network; (6) The penetrators control the Raspberry Pi within the internal network through the C&C server.
Thus, a communication link is established between the penetrators and the Raspberry Pi, allowing the penetrators to send operational commands to the Raspberry Pi and conduct ongoing penetration testing on the target environment.
3 Covert Tunnel Establishment Method
This article employs reverse SSH to establish control of the Raspberry Pi from the external C&C server; Stunnel is used to encrypt SSH communications and disguise them as HTTPS streams, thereby evading interception and detection by firewalls and IDS/IPS.
3.1 Establishing Reverse SSH Tunnel
The establishment of a reverse SSH tunnel serves two purposes: on one hand, it allows the external C&C server to control the internal Raspberry Pi’s shell; on the other hand, it utilizes the nature of SSH to encrypt data flows, achieving concealment of control information[6]. The connection process is illustrated in Figure 2.

The process for establishing a reverse SSH connection is as follows:
(1) The Raspberry Pi initiates a reverse SSH request to the C&C server; (2) After authentication, a tunnel is established between the Raspberry Pi and the C&C server, while the C&C server opens a listener on Port1; any user connecting via SSH to Port1 on the C&C server will be reversed to the Raspberry Pi; (3) The penetrators log into the SSH service of the C&C server; (4) The penetrators access the Raspberry Pi with root privileges via the SSH listening port on Port1 of the C&C server; (5) Operational commands for the Raspberry Pi are sent through the SSH tunnel, achieving control over the internal Raspberry Pi.
From this point, a VPN-like tunnel is effectively established between the Raspberry Pi and the penetrators, making the information within the tunnel invisible to the outside.
3.2 Using Stunnel to Disguise SSH
SSH data packets can be parsed by protocol analyzers, and network administrators often prohibit the establishment of such VPN tunnels and the transmission of data packets for security reasons. To achieve better concealment, this article uses Stunnel to disguise SSH streams as HTTPS streams.
Before disguising the SSH stream as HTTPS, some analysis of the HTTPS working process is necessary. HTTPS is the secure version of HTTP, which adds an SSL/TLS layer to HTTP, thereby encrypting communication data and achieving CA authentication functionality, enhancing security. Stunnel is a free cross-platform software designed for secure communication between applications, which adds an SSL/TLS layer below the application layer using the OpenSSL library, completing the encryption of communication between the client and server[7]. This is similar to the HTTPS encryption method; this article utilizes this feature to disguise SSH streams as HTTPS streams, as illustrated in Figure 3.

After configuring the Stunnel client for the Raspberry Pi and the Stunnel server for the C&C server, the SSH stream can be disguised as an HTTPS stream, with the process as follows:
(1) The Raspberry Pi initiates a reverse SSH connection request to the listening port Port2 of the local Stunnel client;
(2) The Raspberry Pi’s Stunnel client performs an SSL/TSL handshake with the Stunnel server of the C&C server; upon successful handshake, a Stunnel tunnel is established, and the encrypted SSH data packets are sent through the Stunnel tunnel to the C&C server’s Stunnel server on the 443 listening port;
(3) The Stunnel server of the C&C server receives the encrypted SSH data packets, decrypts them, and forwards the reverse SSH connection request to the local SSH service on port 22;
(4) Upon successful reverse SSH request, the C&C server opens a listener on Port1 and establishes a reverse SSH tunnel;
(5) The penetrators log into the SSH service of the C&C server;
(6) The penetrators log into the Raspberry Pi’s SSH service via the reverse SSH listening port;
(7) The commands sent by the penetrators to the Raspberry Pi are double-packaged and ultimately disguised as HTTPS streams.
4 Anonymous Remote Control Method
When penetrators remotely control the Raspberry Pi, they leave breadcrumbs that can easily be traced back, failing to achieve the desired covert effect. Therefore, this article uses the Tor network for anonymity, ultimately achieving anonymous remote control.
4.1 Tor Anonymity Principle
The Tor network mainly consists of Onion Proxies (OP), Directory Servers (DS), and Onion Routers (OR)[8]. OP mainly performs routing node selection, circuit establishment, and data packet sending and receiving for Tor users; DS is responsible for summarizing the operational status of the Tor network and publishing the latest Tor routing node list to OP; OR is mainly comprised of volunteers of the Tor network, responsible for rerouting data packets to achieve anonymity. During the connection establishment process of the Tor network, OP randomly selects three available ORs as the entry node (Guard Node, GN), relay node (Relay Node, RN), and exit node (Exit Node, EN). Using Diffie-Hellman for key agreement, three session keys are obtained, and the messages are encrypted sequentially with these keys. The three-times encrypted data packet is then sent to GN. GN, RN, and EN sequentially use the shared session keys to decrypt the data packet and forward it to the next hop, with the final data packet sent in plaintext to the target site by EN. The return of the data packet is similarly encrypted at each node with the shared session keys before being sent back to OP, where it is decrypted sequentially using the three shared session keys, ultimately delivering the plaintext to the Tor user.
Since the entry node only knows the sender of the data packet, the relay node knows no critical information, and the exit node only knows the receiver and plaintext information, no single node can obtain the complete information of the message sender, message receiver, and message content simultaneously, thus achieving anonymity.
4.2 Implementing Anonymous SSH
Although the Tor network is primarily used for anonymous transmission of HTTP/HTTPS streams, any application using TCP as the transport layer protocol can be transmitted through the Tor network to achieve anonymity. Since SSH is an application based on TCP, its data stream can be transmitted through the Tor network, but port forwarding is required. To forward the SSH port data to the Tor port, a Sock4/Socks5 proxy server can be used. In this article, under the Ubuntu 14.04 environment, the Proxychains proxy tool is successfully used to anonymously transmit SSH streams through the Tor network, achieving anonymous remote control.
5 Penetration Testing Experiment
Firstly, to verify the covert nature of the penetration method proposed in this article, the Wireshark tool is used on the Raspberry Pi to capture connection and communication data packets between the Raspberry Pi and the C&C server, as shown in Figure 4 (black background with white text indicates data packets sent from the Raspberry Pi to the C&C server, while white background with black text indicates reverse data packets).

As seen in Figure 4, Wireshark does not parse any SSH data packets; the SSH stream has been disguised as an HTTPS stream. Compared to normal HTTPS streams, the disguised HTTPS stream contains malicious control flows, while the disguised HTTPS stream, with its internal information hidden from the outside, can evade interception by firewalls and detection by IDS/IPS, thus achieving the desired covert effect.
Next, to reveal the potential threats posed by the penetration testing method proposed in this article, penetration testing experiments are conducted to provide references for security personnel in identifying and preventing such attacks. The penetration testing flowchart is shown in Figure 5.

During the penetration testing process, the Raspberry Pi is first disguised as a network surveillance camera[9], which can be used for remote monitoring management in homes or enterprises; secondly, the covert penetration method proposed in this article is used to implant a backdoor into the Raspberry Pi, while a startup script is written to utilize SSH public key authentication and autossh automatic reconnection functionality, ensuring that once the Raspberry Pi is powered on and connected to the internet, it immediately establishes a covert and stable tunnel with the C&C server; furthermore, the Raspberry Pi is powered on behind an already connected router, and a pre-configured Ubuntu host is used to anonymously control the Raspberry Pi through the Tor network; finally, operations such as taking photos, recording videos, and file transmission are conducted using the Raspberry Pi, achieving theft and tampering of remote monitoring recordings, while using nmap to scan the network environment and initiate lateral expansion attacks.
Through the experiment, it was understood that although such attacks are relatively covert and can evade conventional defense detections, they can be mitigated by strengthening management of personnel entering and exiting the premises and using electronic devices obtained through proper channels. Additionally, regular physical inspections of key positions in the network and detection of abnormal flows in the internal network can help to promptly identify attack sources and reduce losses.
6 Conclusion
This article elaborates on a covert penetration testing method based on Raspberry Pi, which configures and implants the Raspberry Pi, encrypts and disguises communication data, and anonymizes the operations of penetrators, ultimately achieving a PT attack based on Raspberry Pi. Experiments indicate that network security should not only focus on defending the network perimeter but also understand the internal network risks posed by potential physical vulnerabilities. Moreover, by understanding the attacks, network security can be improved more effectively.
References
[1] STEWART J.Operation Aurora: Clues in the code[EB/OL].(2010-1-19)[2016-04-02].https://www.secureworks.com/blog/research-20913.
[2] WRIGHTSON T.Advanced persistent threat hacking: the art and science of hacking any organization[M].McGraw-Hill Education, 2014.
[3] Cao Zigang, Xiong Gang, Zhao Yong, et al. A review of covert network attacks[J]. Integrated Technology, 2014, 3(2): 1-16.
[4] BODMER S, KILGER M, CARPENTER G, et al. Reverse deception: organized cyber threat counter-exploitation[M]. McGraw-Hill Education, 2012.
[5] MUNIL J, LAKHANI A. Penetration testing with raspberry pi[M]. Packt Publishing Ltd, 2015.
[6] Gan Changhua. Research and implementation of network security protocol SSH[D]. Tianjin: Tianjin University, 2007.
[7] Peng Le. Research on network penetration technology[D]. Beijing: Beijing University of Posts and Telecommunications, 2008.
[8] Wang Fugang. Research on TOR anonymous communication technology[D]. Harbin: Harbin Institute of Technology, 2010.
[9] JONES D. Raspberry pi-teach, learn, and make with raspberry pi[EB/OL].(2016)[2016].https://www.raspberrypi.org/learning/python-picamera-setup/worksheet.md.