How to Create a Small Lab at Home with a Raspberry Pi to execute Malware


How to create a Small Lab at home with a Raspberry Pi to execute Malware


What you need

  • A computer with internet connection using wifi.

  • A raspberry Pi with power supply.

  • A network cable

  • A file where you will put all the times and actions done. This is the most important part of the research. No documentation, no experiment.


Topology of Connections

Your topology should look like this



  1. You computer should have WiFi and Internet in the WiFi interface (lets call it wlan0).

  2. Connect the Rpi to your computer ethernet port.

  3. Install and setup a dhcp server

    1. On Linux

      1. apt-get install dhcpcd

    2. On Mac

      1. sudo port install dhcpcd

      2. Or use the internal configuration of the Mac. Settings->Network->

    3. Configure the dhcpcd conf file as this

        1. option domain-name "";

        2. option domain-name-servers,;

        3. default-lease-time 600;

        4. max-lease-time 7200;

        5. log-facility local7;

        6. subnet netmask {

        7.  range;

        8.  option routers;

        9. }

      1. The important part is on the IP range This will make dhcpcd choose which interface to use in the system. And since we will put the IP to eth0, it will use eth0.

    4. Setup the interface where the rpi is connected

      1. sudo ifconfig eth0

    5. Run the dhcpcd

      1. sudo dhcpd -f -cf /opt/local/etc/dhcp/dhcpd.conf

  4. Start the Raspberry pi [Add event with time to your README]

  5. Check with tcpdump that you can see traffic in the eth0 interface

    1. sudo tcpdump -n -s0 -i eth0

  6. Find the IP address of the rpi

    1. You can usually see the traffic and find the IP the raspberry got.

    2. Or you can try by hand the range to

    3. Or you can nmap the range.

    4. Or you can see the log of the dhcpcd

    5. We will consider from now on, as an example, that the rpi has the IP

  7. Connect to the Rpi with ssh [Add event with time to your README]

    1. ping

    2. ssh -v pi@

    3. Usually the password is raspberry

  8. Give internet to the raspberry pi

    1. In Mac

      1. Settings->Sharing->Share internet with ethernet

      2. Just choose in your interface ‘Thunderbold’ or ‘ethernet’ to give internet, and thats it.

    2. In Linux (Considering that your computer is not managing the iptables.)

      1. First allow your computer to move packets between interfaces (ability)

        1.   echo 1 > /proc/sys/net/ipv4/ip_forward

      2. Allow the packets to get forwarded between interfaces (authorization). This may be already there, but in any case...

        1. iptables -A FORWARD -j ACCEPT

      3. Change the IP addresses of packets leaving your computer to the internet (wlan0 should be your WIFI interface with internet)

        1. iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

  9. Check that the rpi has internet.

    1. From the raspberrypi

      1. ping

  10. Copy the malware to the rpi [Add event with time to your README]

    1. scp malware.exe pi@

  11. Capture the traffic in the ethernet cable to check that everything works (see that we start the capture here. After the copy and before the start of the malware) [Add event with time to your README]

    1. sudo tcpdump -n -s0 -i eth0 -v -w capture1.pcap

  12. Monitor the traffic

    1. sudo tcpdump -n -s0 -i eth0 -A

    2. (In another console) tail -f capture1.pcap |strings -n 10

  13. Execute the malware [Add event with time to your README]

    1. chmod 777 /tmp/malware.exe

    2. /tmp/malware.exe

What about linux on VM?

  • This should be the same if the linux in the VM has a bridged connection and the ethernet connection is connected to the VM.