This worksheet will provide guidance for setting up the UWEcyber Raspberry Pi Cyber Range. The purpose of this cyber range is to provide an "out-of-the-box" solution for schools to deploy a networked infrastructure that can then be used to model attack and defence. The range can be easily extended with "containerised" applications that provide further challenges for students, and we provide OWASP Juice Shop and CTFd as pre-installed containerised applications.
The first step is to download the two Raspberry Pi images available from the UWEcyber website:
(The downloads are password-protected: UWEcyber2022).
We have created these two images specifically for this guided lab. The images are customised versions of the RasPwnOS image and the Kali for Raspberry Pi (ARM) image, that we have extended with further functionality. You will also need to download Etcher which is a tool for writing the image file to an SD card that will be used to boot the Raspberry Pi. You will require:
When you boot up the UWEcyber-KaliPi devices, you will need to log in. Use the username kali and the password kali. This is the default for each of the student devices - we will come back to this later on. On booting all devices, you should find that there is a wireless network called UWEcyber-RasPwnOS hosted by the UWEcyber-RasPwnOS device. You should also find that all UWE-KaliPi devices connect automatically to this access point. We now have a networked infrastructure hosted through the RasPwnOS! (Should you need to manually configure access to this network, the default password is
If you are connected to the UWEcyber-RasPwnOS network, try bringing up a "Terminal", and then type:
nmap 192.168.99.0/24. This will perform a scan of the IP subnet 192.168.99.* that the RasPwnOS access point is hosting. You should be able to find out information about all other connected devices. What services are running? Can you connect to any of these?
Using the UWEcyber-KaliPi, double-click the Terminal icon on the Desktop. You can navigate the file system using the Terminal. The two most commonly used commands are:
ls: List directory
cd: Change directory
cd UWEcyber to navigate to the main resources folder. Here you will see the following scripts that can be launched:
The UWEcyber-KaliPi comes pre-configured with an instance of OWASP Juice Shop that can be used either locally or remotely across the UWEcyber-RasPwnOS network.
To initiate the Juice Shop example, bring up a Terminal, and type
cd Desktop/UWEcyber, followed by
./run_juice_shop.sh. This will start a Docker container of the application, that can be accessed in a web browser at
localhost:3000. If you are connected on the UWEcyber-RasPwnOS network, then other devices can also access this service by navigating to
<IP_ADDRESS>:3000 (e.g., 192.168.99.165:3000) in then web browser.
CTFd is a Capture-The-Flag competition server, that allows you to set up a question and answer service for submitting answers (flags) from a given challenge. This can be configured in many ways, but most likely is to use it in conjunction with a tool like Juice Shop that providees flags on completion of tasks. The service is fully installed, however you would need to custom the setup for your own event. Full details are available on the GitHub repository: https://github.com/CTFd/CTFd
There is much you can do with a Raspberry Pi network to help teach cyber security. As an example, here we will describe the steps taken in the sessions for conducting some red team/blue team challenges.
ifconfigand you will be able to find this. Now, can you also find out what the IP address of the other devices in the room are that below to the other students? We can scan the full subnet range uing a tool called
nmap 192.168.99.0/24. Devices associated with the raspwnos should be ruled out - these are out of scope and are for the access point. However, we should now have a set of IP addresses that correspond to other users in the room.
X.X.X.127. You can type
ssh firstname.lastname@example.org connect to this. We know that the default credentials for all devicecs are
kali:kaliso you should be able to log in.
cd Desktopto navigate to the Desktop folder. You could then also type
nano README.txt. Here you have a text editor, why not write them a message - "I AM ON YOUR COMPUTER!" - you can then save your document by pressing
Ctrl+Sand exit the editor by pressing
cd /var/www/html/and then by typing
sudo nano index.html(note that you need to run as
sudo- this means "superuser do"). Edit this document (perhaps change the title) and then save. Anyone accessing their page via a web browser will see this change.
passwd. You can enter the new password as prompted - note that it will not display on the screen.
hydra -l kali -P /usr/share/wordlists/rockyou.txt <IP_ADDRESS> ssh. Here, we are specifying the username, the password wordlist to try, the IP address of the machine to attack, and the protocol to attack. If the password is on this list, this will work (depending on where on the list, this could take a while).
sudo nano /etc/ssh/sshd_config. Where it says,
Port 22change this number to be something greater than 1000. Save and exit the file. You will also need to restart your SSH server
sudo systemctl reload sshd. For the attackers, they will need to now change their scanning range,
sudo nmap -p -sV 1000-3000 192.168.99.127. We are using -sV and sudo to scan for version numbers of services, which requires administrator access.
You can extend this concept much further - for example, you could have students open and close ports using a firewall. UFW or iptables would be recommended for this (e.g., https://linuxconfig.org/how-to-install-and-use-ufw-firewall-on-linux)
The UWEcyber-RasPwnOS provides a simple and pre-configured wireless access point for your client machines (Kali-Pi). It also acts as a web server with some vulnerable applications pre-installed. The most popular application available on the RasPwnOS is the Damn Vulnerable Web Application (DVWA). This is a widely used vulnerable application. A detailed guide is available for the 2019 version of DVWA at https://github.com/mrudnitsky/dvwa-guide-2019. One of the key features of DVWA is that it allows you to modify the security level, essentially giving you a means to experiment where low security is imposed, and seeing how these attacks hold up when security is increased.
For now, let's focus on a few key challenges:
hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 80 dvwa http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.
hydra -l admin -P rockyou.txt -s 80 dvwa http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=[your_value_here]"
This is a useful means to demonstrate how hydra can be used not only against a SSH connection, but also against services such as login pages on a web form.
127.0.0.1 & whoami & hostname
This is a useful example to show where a vulnerable text field is being used to take command line arguments. Given that there appears to be no input sanitisation, we can therefore append to the query and make other requests on the command line, such as whoami and hostname (or something much more malicious should we decide to).
%' or '0'='0
This is a useful example to explore SQL injection, to see whether terminating characters are being sanitised by the input prompt.
Author: Phil Legg
Last updated: 25/03/2022