Is the r00tabaga "secure"?
Not by default! The r00tabaga is designed to test security, not provide it.
While the r00tabaga can easily be locked down, its default configuration is essentially "open."
The r00tabaga is built foremost for functionality and ease-of-deployment. (Read: the default configuration is insecure!)
On the shoulders of giants
Because we have built the r00tabaga on a number of pre-established frameworks and open source projects, the r00tabaga will have any vulnerabilities inherent in those projects in addition to the possibility that it has some of its own.
r00tabaga is built upon:
- TP-Link TL-MR3040 hardware
- OpenWRT 12.09 "Attitude Adjustment," released on 25 April 2013
- MiniPwner Build Scripts by Kevin Bong
- Wifi Pineapple web interface by Hak5
Making r00tabaga more secure
When using the r00tabaga, it is strongly advised that you take the following basic security precautions to ensure that your r00tabaga does not itself become a target or beachhead for yet another attacker:
- Immediately: Change the r00t password from its default "r00tabaga"
- Suggested: Setup and use (only) ssh-keys to provide better security and brute-force prevention
- Optional: Install a package like fail2ban and/or 2-factor auth to prevent unauthorized remote access
- Hardcore: Use ssh-keys, two-factor authentication (we like WiKiD), and port knocking (fwknop is in the repositories) for SSH
- Immediately: Setup some form of security for the Pineapple web interface (htpasswd to setup basic auth) (minipwner uses OS creds)
- Suggested: Change the default port numbers, and/or use port knocking for web interfaces
- Hardcore: Disable web interfaces and stick to the command line
- Always: Encrypt and/or backup encrypted data collected during your assessment
- Always: Get written authorization to test or scan any network upon which you deploy a r00tabaga. Better safe than slammer.
- Suggested: Setup AutoSSH or OpenVPN to create a secure, persistent reverse tunnel to your r00tabaga
- Optional: Push encrypted data to a VPS at regular intervals via cron (better to expect r00tabaga to get discovered than to be surprised if it is)