
infinition / Bjorn

  • Tuesday, 12 November 2024 at 00:00:01
https://github.com/infinition/Bjorn

Bjorn is a powerful network scanning and offensive security tool for the Raspberry Pi with a 2.13-inch e-Paper HAT. It discovers network targets, identifies open ports, exposed services, and potential vulnerabilities. Bjorn can perform brute-force attacks, file stealing, and host zombification, and supports custom attack scripts.



Bjorn



Introduction

Bjorn is a "Tamagotchi-like", sophisticated, autonomous network scanning, vulnerability assessment, and offensive security tool designed to run on a Raspberry Pi equipped with a 2.13-inch e-Paper HAT. This document provides a detailed explanation of the project.


Features

  • Network Scanning: Identifies live hosts and open ports on the network.
  • Vulnerability Assessment: Performs vulnerability scans using Nmap and other tools.
  • System Attacks: Conducts brute-force attacks on various services (FTP, SSH, SMB, RDP, Telnet, SQL).
  • File Stealing: Extracts data from vulnerable services.
  • User Interface: Real-time display on the e-Paper HAT and web interface for monitoring and interaction.


Design

  • Portability: Self-contained and portable device, ideal for penetration testing.
  • Modularity: Extensible architecture allowing addition of new actions.
  • Visual Interface: The e-Paper HAT provides a visual interface for monitoring the ongoing actions, displaying results or stats, and interacting with Bjorn.


Educational Aspects

  • Learning Tool: Designed as an educational tool to understand cybersecurity concepts and penetration testing techniques.
  • Practical Experience: Provides a practical means for students and professionals to familiarize themselves with network security practices and vulnerability assessment tools.


Disclaimer

  • Ethical Use: This project is strictly for educational purposes.
  • Responsibility: The author and contributors disclaim any responsibility for misuse of Bjorn.
  • Legal Compliance: Unauthorized use of this tool for malicious activities is prohibited and may be prosecuted by law.


Extensibility

  • Evolution: The main purpose of Bjorn is to gain new actions and extend his arsenal over time.
  • Modularity: Actions are designed to be modular and can be easily extended or modified to add new functionality.
  • Possibilities: From capturing pcap files to cracking hashes, man-in-the-middle attacks, and more—the possibilities are endless.
  • Contribution: It's up to the user to develop new actions and add them to the project.


Development Status

  • Project Status: Ongoing development.
  • Current Version: Scripted auto-installer, or manual installation. Not yet packaged with Raspberry Pi OS.
  • Reason: The project is still in an early stage, requiring further development and debugging.

Bjorn Display



Detailed Project Description


Project Structure

Bjorn/
├── Bjorn.py
├── comment.py
├── display.py
├── epd_helper.py
├── init_shared.py
├── kill_port_8000.sh
├── logger.py
├── orchestrator.py
├── requirements.txt
├── shared.py
├── utils.py
├── webapp.py
├── __init__.py
├── actions/
│   ├── ftp_connector.py
│   ├── ssh_connector.py
│   ├── smb_connector.py
│   ├── rdp_connector.py
│   ├── telnet_connector.py
│   ├── sql_connector.py
│   ├── steal_files_ftp.py
│   ├── steal_files_ssh.py
│   ├── steal_files_smb.py
│   ├── steal_files_rdp.py
│   ├── steal_files_telnet.py
│   ├── steal_data_sql.py
│   ├── nmap_vuln_scanner.py
│   ├── scanning.py
│   └── __init__.py
├── backup/
│   ├── backups/
│   └── uploads/
├── config/
├── data/
│   ├── input/
│   │   └── dictionary/
│   ├── logs/
│   └── output/
│       ├── crackedpwd/
│       ├── data_stolen/
│       ├── scan_results/
│       ├── vulnerabilities/
│       └── zombies/
└── resources/
    └── waveshare_epd/


Core Files

Bjorn.py

The main entry point for the application. It initializes and runs the main components, including the network scanner, orchestrator, display, and web server.

comment.py

Handles generating all the Bjorn comments displayed on the e-Paper HAT based on different themes/actions and statuses.

display.py

Manages the e-Paper HAT display, updating the screen with Bjorn character, the dialog/comments, and the current information such as network status, vulnerabilities, and various statistics.

epd_helper.py

Handles the low-level interactions with the e-Paper display hardware.

logger.py

Defines a custom logger with specific formatting and handlers for console and file logging. It also includes a custom log level for success messages.

orchestrator.py

Bjorn's AI, a heuristic engine that orchestrates the different actions such as network scanning, vulnerability scanning, attacks, and file stealing. It loads and executes actions based on the configuration and sets the status of the actions and of Bjorn.

shared.py

Defines the SharedData class that holds configuration settings, paths, and methods for updating and managing shared data across different modules.

init_shared.py

Initializes shared data that is used across different modules. It loads the configuration and sets up necessary paths and variables.

utils.py

Contains utility functions used throughout the project.

webapp.py

Sets up and runs a web server to provide a web interface for changing settings, monitoring and interacting with Bjorn.


Actions

actions/scanning.py

Conducts network scanning to identify live hosts and open ports. It updates the network knowledge base (netkb) and generates scan results.

actions/nmap_vuln_scanner.py

Performs vulnerability scanning using Nmap. It parses the results and updates the vulnerability summary for each host.

Protocol Connectors

  • ftp_connector.py: Brute-force attacks on FTP services.
  • ssh_connector.py: Brute-force attacks on SSH services.
  • smb_connector.py: Brute-force attacks on SMB services.
  • rdp_connector.py: Brute-force attacks on RDP services.
  • telnet_connector.py: Brute-force attacks on Telnet services.
  • sql_connector.py: Brute-force attacks on SQL services.

File Stealing Modules

  • steal_files_ftp.py: Steals files from FTP servers.
  • steal_files_smb.py: Steals files from SMB shares.
  • steal_files_ssh.py: Steals files from SSH servers.
  • steal_files_telnet.py: Steals files from Telnet servers.
  • steal_data_sql.py: Extracts data from SQL databases.


Data Structure

Network Knowledge Base (netkb.csv)

Located at data/netkb.csv. Stores information about:

  • Known hosts and their status. (Alive or offline)
  • Open ports and vulnerabilities.
  • Action execution history. (Success or failed)

Preview example: screenshots netkb1 and netkb2.

Scan Results

Located in data/output/scan_results/. A result file is generated every time the network is scanned; it is used to consolidate the data and update netkb.

Example: screenshot "Scan result".

Live Status (livestatus.csv)

Contains real-time information displayed on the e-Paper HAT:

  • Total number of known hosts.
  • Currently alive hosts.
  • Open ports count.
  • Other runtime statistics.
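The consolidation step described above (scan result in, netkb updated) is easy to get subtly wrong: a host that disappears from one sweep must be marked offline without losing its port list or action history. The following is an added example, not Bjorn's own code; the column names (MAC, IP, Hostname, Alive, Ports, LastSeen, Actions), the `;` separators and the `Action=status` history format are assumptions made for the example, since the page only shows netkb.csv as screenshots. The sample knowledge base and scan result are constructed.

```python
import csv
import io

# Assumed column layout for this example; the page only shows netkb.csv as
# screenshots, so these names are an assumption, not Bjorn's real schema.
FIELDS = ["MAC", "IP", "Hostname", "Alive", "Ports", "LastSeen", "Actions"]

# Constructed knowledge base as it might look after an earlier sweep.
SAMPLE_NETKB = """\
MAC,IP,Hostname,Alive,Ports,LastSeen,Actions
aa:bb:cc:00:00:01,192.168.1.10,printer,1,80;9100,2024-11-11T21:00:00,NmapVulnScanner=success
aa:bb:cc:00:00:02,192.168.1.20,nas,1,22;445,2024-11-11T21:00:00,SSHConnector=failed
"""

# Constructed scan result: the hosts and ports seen in the latest sweep.
SAMPLE_SCAN = [
    {"MAC": "aa:bb:cc:00:00:01", "IP": "192.168.1.10", "Hostname": "printer", "Ports": [80, 443, 9100]},
    {"MAC": "aa:bb:cc:00:00:03", "IP": "192.168.1.30", "Hostname": "laptop", "Ports": [22]},
]


def load_netkb(text):
    """Parse netkb CSV text into a dict keyed by MAC address."""
    return {row["MAC"]: dict(row) for row in csv.DictReader(io.StringIO(text))}


def merge_scan(netkb, scan, now):
    """Consolidate one scan result into the knowledge base.

    Hosts seen in the scan are marked alive and their port set becomes the
    union of old and new ports; every known host absent from the scan is
    marked offline. Action history is deliberately left untouched here.
    """
    seen = set()
    for host in scan:
        mac = host["MAC"]
        seen.add(mac)
        row = netkb.setdefault(mac, {field: "" for field in FIELDS})
        row["MAC"] = mac
        row["IP"] = host["IP"]
        row["Hostname"] = host["Hostname"]
        row["Alive"] = "1"
        known_ports = {int(p) for p in row["Ports"].split(";") if p}
        row["Ports"] = ";".join(str(p) for p in sorted(known_ports | set(host["Ports"])))
        row["LastSeen"] = now
    for mac, row in netkb.items():
        if mac not in seen:
            row["Alive"] = "0"
    return netkb


def record_action(netkb, mac, action, status):
    """Append or update one action's outcome ("success"/"failed") for a host."""
    history = dict(
        entry.split("=", 1) for entry in netkb[mac]["Actions"].split(";") if entry
    )
    history[action] = status
    netkb[mac]["Actions"] = ";".join(f"{k}={v}" for k, v in history.items())
    return netkb[mac]["Actions"]


def dump_netkb(netkb):
    """Serialize the knowledge base back to CSV text, sorted by MAC."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for mac in sorted(netkb):
        writer.writerow(netkb[mac])
    return out.getvalue()


def run_example():
    """Merge the constructed scan, log one action, and return the result."""
    netkb = load_netkb(SAMPLE_NETKB)
    merge_scan(netkb, SAMPLE_SCAN, "2024-11-12T00:00:01")
    record_action(netkb, "aa:bb:cc:00:00:03", "NmapVulnScanner", "success")
    return netkb


if __name__ == "__main__":
    print(dump_netkb(run_example()))
```

Running it prints the merged CSV: the printer gains port 443, the NAS is marked offline but keeps its ports and its failed SSHConnector entry, and the new laptop appears with a fresh LastSeen.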


Behavior of Bjorn

Once launched, Bjorn performs the following steps:

  1. Initialization: Loads configuration, initializes shared data, and sets up necessary components such as the e-Paper HAT display.
  2. Network Scanning: Scans the network to identify live hosts and open ports. Updates the network knowledge base (netkb) with the results.
  3. Orchestration: Orchestrates different actions based on the configuration and network knowledge base. This includes performing vulnerability scanning, attacks, and file stealing.
  4. Vulnerability Scanning: Performs vulnerability scans on identified hosts and updates the vulnerability summary.
  5. Brute-Force Attacks and File Stealing: Starts brute-force attacks and steals files based on the configuration criteria.
  6. Display Updates: Continuously updates the e-Paper HAT display with current information such as network status, vulnerabilities, and various statistics. Bjorn also displays random comments based on different themes and statuses.
  7. Web Server: Provides a web interface for monitoring and interacting with Bjorn.


Installation and Configuration

Prerequisites

  • Raspberry Pi OS installed.
    • Stable:
      • System: 32-bit
      • Kernel version: 6.6
      • Debian version: 12 (bookworm) '2024-10-22-raspios-bookworm-armhf-lite'
  • Username and hostname set to bjorn.
  • 2.13-inch e-Paper HAT connected to GPIO pins.

At the moment, the e-Paper screen V2 and V4 have been tested and implemented. I just hope the V1 and V3 will work the same.


Quick Installation

The fastest way to install Bjorn is using the automatic installation script:

# Download and run the installer
wget https://raw.githubusercontent.com/infinition/Bjorn/refs/heads/main/install_bjorn.sh
sudo chmod +x install_bjorn.sh
sudo ./install_bjorn.sh
# Choose option 1 for automatic installation. It may take a while, as many packages and modules will be installed. You must reboot at the end.


Manual Installation

Step 1: Activate SPI & I2C

sudo raspi-config

  • Navigate to "Interface Options".
  • Enable SPI.
  • Enable I2C.

Step 2: System Dependencies

# Update system
sudo apt-get update && sudo apt-get upgrade -y

# Install required packages

sudo apt install -y \
  libjpeg-dev \
  zlib1g-dev \
  libpng-dev \
  python3-dev \
  libffi-dev \
  libssl-dev \
  libgpiod-dev \
  libi2c-dev \
  libatlas-base-dev \
  build-essential \
  python3-pip \
  wget \
  lsof \
  git \
  libopenjp2-7 \
  nmap \
  libopenblas-dev \
  bluez-tools \
  bluez \
  dhcpcd5 \
  bridge-utils \
  python3-pil


# Update Nmap scripts database

sudo nmap --script-updatedb

Step 3: Bjorn Installation

# Clone the Bjorn repository
cd /home/bjorn
git clone https://github.com/infinition/Bjorn.git
cd Bjorn

# Install Python dependencies (system-wide; see the note below)
sudo pip install -r requirements.txt --break-system-packages
# As I did not succeed, for now, in getting a stable installation with a virtual environment, I installed the dependencies system-wide (with --break-system-packages); it has not caused any issue so far. You can try to install them in a virtual environment if you want.

3.1: Configure E-Paper Display Type

Choose your e-Paper HAT version by modifying the configuration file:

  1. Open the configuration file:

sudo vi /home/bjorn/Bjorn/config/shared_config.json

  2. Press i to enter insert mode.
  3. Locate the line containing "epd_type" and change the value according to your screen model:

  • For 2.13 V1: "epd_type": "epd2in13",
  • For 2.13 V2: "epd_type": "epd2in13_V2",
  • For 2.13 V3: "epd_type": "epd2in13_V3",
  • For 2.13 V4: "epd_type": "epd2in13_V4",

  4. Press Esc to exit insert mode, then type :wq and press Enter to save and quit.

Step 4: Configure File Descriptor Limits

To prevent OSError: [Errno 24] Too many open files, it's essential to increase the file descriptor limits.

4.1: Modify File Descriptor Limits for All Users

Edit /etc/security/limits.conf:

sudo vi /etc/security/limits.conf

Add the following lines:

* soft nofile 65535
* hard nofile 65535
root soft nofile 65535
root hard nofile 65535

4.2: Configure Systemd Limits

Edit /etc/systemd/system.conf:

sudo vi /etc/systemd/system.conf

Uncomment and modify:

DefaultLimitNOFILE=65535

Edit /etc/systemd/user.conf:

sudo vi /etc/systemd/user.conf

Uncomment and modify:

DefaultLimitNOFILE=65535

4.3: Create or Modify /etc/security/limits.d/90-nofile.conf

sudo vi /etc/security/limits.d/90-nofile.conf

Add:

root soft nofile 65535
root hard nofile 65535

4.4: Adjust the System-wide File Descriptor Limit

Edit /etc/sysctl.conf:

sudo vi /etc/sysctl.conf

Add:

fs.file-max = 2097152

Apply the changes:

sudo sysctl -p

Step 5: Reload Systemd and Apply Changes

Reload systemd to apply the new file descriptor limits:

sudo systemctl daemon-reload

Step 6: Modify PAM Configuration Files

PAM (Pluggable Authentication Modules) manages how limits are enforced for user sessions. To ensure that the new file descriptor limits are respected, update the following configuration files.

Step 6.1: Edit /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive

sudo vi /etc/pam.d/common-session
sudo vi /etc/pam.d/common-session-noninteractive

Add this line at the end of both files:

session required pam_limits.so

This ensures that the limits set in /etc/security/limits.conf are enforced for all user sessions.

Step 7: Configure Services

7.1: Bjorn Service

Create the service file:

sudo vi /etc/systemd/system/bjorn.service

Add the following content:

[Unit]
Description=Bjorn Service
DefaultDependencies=no
Before=basic.target
After=local-fs.target

[Service]
ExecStartPre=/home/bjorn/Bjorn/kill_port_8000.sh
ExecStart=/usr/bin/python3 /home/bjorn/Bjorn/Bjorn.py
WorkingDirectory=/home/bjorn/Bjorn
StandardOutput=inherit
StandardError=inherit
Restart=always
User=root

[Install]
WantedBy=multi-user.target

7.2: Port 8000 Killer Script

Create the script to free up port 8000:

vi /home/bjorn/Bjorn/kill_port_8000.sh

Add:

#!/bin/bash
PORT=8000
PIDS=$(lsof -t -i:$PORT)

if [ -n "$PIDS" ]; then
    echo "Killing PIDs using port $PORT: $PIDS"
    kill -9 $PIDS
fi

Make the script executable:

chmod +x /home/bjorn/Bjorn/kill_port_8000.sh

7.3: USB Gadget Configuration

Modify /boot/firmware/cmdline.txt:

sudo vi /boot/firmware/cmdline.txt

Add the following right after rootwait:

modules-load=dwc2,g_ether

Modify /boot/firmware/config.txt:

sudo vi /boot/firmware/config.txt

Add at the end of the file:

dtoverlay=dwc2

Create the USB gadget script:

sudo vi /usr/local/bin/usb-gadget.sh

Add the following content:

#!/bin/bash
set -e

modprobe libcomposite
cd /sys/kernel/config/usb_gadget/
mkdir -p g1
cd g1

echo 0x1d6b > idVendor
echo 0x0104 > idProduct
echo 0x0100 > bcdDevice
echo 0x0200 > bcdUSB

mkdir -p strings/0x409
echo "fedcba9876543210" > strings/0x409/serialnumber
echo "Raspberry Pi" > strings/0x409/manufacturer
echo "Pi Zero USB" > strings/0x409/product

mkdir -p configs/c.1/strings/0x409
echo "Config 1: ECM network" > configs/c.1/strings/0x409/configuration
echo 250 > configs/c.1/MaxPower

mkdir -p functions/ecm.usb0

# Check for existing symlink and remove if necessary
if [ -L configs/c.1/ecm.usb0 ]; then
    rm configs/c.1/ecm.usb0
fi
ln -s functions/ecm.usb0 configs/c.1/

# Ensure the device is not busy before listing available USB device controllers
max_retries=10
retry_count=0

while ! ls /sys/class/udc > UDC 2>/dev/null; do
    if [ $retry_count -ge $max_retries ]; then
        echo "Error: Device or resource busy after $max_retries attempts."
        exit 1
    fi
    retry_count=$((retry_count + 1))
    sleep 1
done

# Check if the usb0 interface is already configured
if ! ip addr show usb0 | grep -q "172.20.2.1"; then
    ifconfig usb0 172.20.2.1 netmask 255.255.255.0
else
    echo "Interface usb0 already configured."
fi

Make the script executable:

sudo chmod +x /usr/local/bin/usb-gadget.sh

Create the systemd service:

sudo vi /etc/systemd/system/usb-gadget.service

Add:

[Unit]
Description=USB Gadget Service
After=network.target

[Service]
ExecStartPre=/sbin/modprobe libcomposite
ExecStart=/usr/local/bin/usb-gadget.sh
Type=simple
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Configure usb0:

sudo vi /etc/network/interfaces

Add:

allow-hotplug usb0
iface usb0 inet static
    address 172.20.2.1
    netmask 255.255.255.0

Reload the services:

sudo systemctl daemon-reload
sudo systemctl enable systemd-networkd
sudo systemctl enable usb-gadget
sudo systemctl start systemd-networkd
sudo systemctl start usb-gadget

You must reboot before the device can be used as a USB gadget (with an IP address).

Windows PC Configuration

Set the static IP address on your Windows PC:

  • IP Address: 172.20.2.2
  • Subnet Mask: 255.255.255.0
  • Default Gateway: 172.20.2.1
  • DNS Servers: 8.8.8.8, 8.8.4.4


Running Bjorn

Manual Start

To manually start Bjorn (without the service; first make sure the service is stopped with "sudo systemctl stop bjorn.service"):

cd /home/bjorn/Bjorn

# Run Bjorn
sudo python Bjorn.py

Service Control

Control the Bjorn service:

# Start Bjorn
sudo systemctl start bjorn.service

# Stop Bjorn
sudo systemctl stop bjorn.service

# Check status
sudo systemctl status bjorn.service

# View logs
sudo journalctl -u bjorn.service

Fresh Start

To reset Bjorn to a clean state:

sudo rm -rf /home/bjorn/Bjorn/config/*.json \
    /home/bjorn/Bjorn/data/*.csv \
    /home/bjorn/Bjorn/data/*.log \
    /home/bjorn/Bjorn/data/output/data_stolen/* \
    /home/bjorn/Bjorn/data/output/crackedpwd/* \
    /home/bjorn/Bjorn/config/* \
    /home/bjorn/Bjorn/data/output/scan_results/* \
    /home/bjorn/Bjorn/__pycache__ \
    /home/bjorn/Bjorn/config/__pycache__ \
    /home/bjorn/Bjorn/data/__pycache__ \
    /home/bjorn/Bjorn/actions/__pycache__ \
    /home/bjorn/Bjorn/resources/__pycache__ \
    /home/bjorn/Bjorn/web/__pycache__ \
    /home/bjorn/Bjorn/*.log \
    /home/bjorn/Bjorn/resources/waveshare_epd/__pycache__ \
    /home/bjorn/Bjorn/data/logs/* \
    /home/bjorn/Bjorn/data/output/vulnerabilities/*

Everything will be recreated automatically at the next launch of Bjorn.



Important Configuration Files

Shared Configuration (shared_config.json)

Defines various settings for Bjorn, including:

  • Boolean settings (manual_mode, websrv, debug_mode, etc.).
  • Time intervals and delays.
  • Network settings.
  • Port lists and blacklists.

These settings are also accessible from the web interface.

Actions Configuration (actions.json)

Lists the actions to be performed by Bjorn (generated dynamically from the contents of the actions/ folder), including:

  • Module and class definitions.
  • Port assignments.
  • Parent-child relationships.
  • Action status definitions.


Known Issues and Troubleshooting

Current Development Issues

1. Long Runtime Issue

  • Problem: OSError: [Errno 24] Too many open files
  • Status: Partially resolved with system limits configuration.
  • Workaround: Implemented file descriptor limits increase.
  • Monitoring: Check the number of open files with lsof -p $(pgrep -f Bjorn.py) | wc -l
  • At the moment the logs periodically report this value as (FD : XXX).
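The limits set in Step 4 only help if they actually reach the Bjorn process (the soft limit is the one that raises Errno 24, and a PAM or systemd step that was skipped leaves it at the default). The following is an added example, not part of Bjorn's code: it reads the process's own RLIMIT_NOFILE, counts open descriptors through /proc the way the lsof command above does, and classifies headroom so the same check can be logged alongside the (FD : XXX) line. The 65535 target and the 80 % warning ratio are taken from the steps above and chosen for the example respectively.

```python
import os
import resource

# Value the manual installation steps write into limits.conf and the systemd
# configuration files (Step 4 of the manual installation).
EXPECTED_NOFILE = 65535


def fd_limits():
    """Return (soft, hard) RLIMIT_NOFILE of the current process."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def limits_configured(expected=EXPECTED_NOFILE):
    """True when both the soft and the hard limit reach the expected value.

    A hard limit of 65535 with the soft limit still at 1024 means the
    pam_limits / systemd steps did not take effect for this session.
    """
    soft, hard = fd_limits()
    return soft >= expected and hard >= expected


def raise_soft_limit(target=EXPECTED_NOFILE):
    """Raise the soft limit as far as the hard limit allows; return the new soft limit.

    An unprivileged process may raise its soft limit up to the hard limit,
    so this is a cheap self-protection step a long-running daemon can take.
    """
    soft, hard = fd_limits()
    new_soft = target if hard == resource.RLIM_INFINITY else min(target, hard)
    if new_soft > soft:
        resource.setrlimit(resource.RLIMIT_NOFILE, (new_soft, hard))
    return fd_limits()[0]


def open_fd_count(pid="self"):
    """Count open descriptors of a process via /proc (Linux), like lsof | wc -l."""
    return len(os.listdir(f"/proc/{pid}/fd"))


def fd_headroom(open_count, soft_limit, warn_ratio=0.8):
    """Classify descriptor usage as 'ok', 'warning' or 'exhausted'."""
    if soft_limit <= 0:
        raise ValueError("soft limit must be positive")
    if open_count >= soft_limit:
        return "exhausted"
    if open_count >= warn_ratio * soft_limit:
        return "warning"
    return "ok"


if __name__ == "__main__":
    soft, hard = fd_limits()
    print(f"soft={soft} hard={hard} configured={limits_configured()}")
    count = open_fd_count()
    print(f"FD : {count} ({fd_headroom(count, soft)})")
```

Run it as the same user and from the same unit that starts Bjorn (for example via an ExecStartPre line) to confirm the limits the service sees, rather than from an interactive shell whose PAM session may differ.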

Troubleshooting Steps

1. Service Issues

# Check service status
sudo systemctl status bjorn.service

# View detailed logs
sudo journalctl -u bjorn.service -f

# Check port 8000 usage
sudo lsof -i :8000

2. Display Issues

# Verify SPI devices
ls /dev/spi*

# Check user permissions
sudo usermod -a -G spi,gpio bjorn

3. Network Issues

# Check network interfaces
ip addr show

# Test USB gadget interface
ip link show usb0

4. Permission Issues

# Fix ownership
sudo chown -R bjorn:bjorn /home/bjorn/Bjorn

# Fix permissions
sudo chmod -R 755 /home/bjorn/Bjorn


E-Paper Display Support

Currently hardcoded for the 2.13-inch V2 & V4 e-Paper HAT. My program automatically detects the screen model and adapts the Python expressions in my code.

For other versions:

  • As I don't have the V1 and V3 to validate my algorithm, I just hope it will work properly.

Ghosting removed ! 🍾

In my journey to make Bjorn work with the different screen versions, I struggled, hacked several parameters, and found out that it was possible to remove the ghosting of the screens! I'll let you see this; I think this method will be very useful for all other projects using the e-Paper screen!



Development Guidelines

Adding New Actions

  1. Create a new action file in actions/.
  2. Implement required methods:
    • __init__(self, shared_data)
    • execute(self, ip, port, row, status_key)
  3. Add the action to actions.json.
  4. Follow existing action patterns.
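An action written against the two-method interface listed above, as an added example rather than one of Bjorn's own modules. It is a defensive audit: for each (host, port) pair the orchestrator hands it, it flags services that carry credentials in the clear and records the outcome under `status_key`. The `CleartextServiceAudit` class name, the assumption that `shared_data` exposes a `config` dict with a `"port_blacklist"` list, the use of a plain dict for `row`, and the "success"/"failed"/"skipped" return values are all assumptions made for this example; check shared.py and an existing action for the real attribute names before copying the pattern.

```python
from types import SimpleNamespace

# Services whose credentials travel unencrypted; a host exposing one is
# recorded as a risk. Constructed mapping for this example.
CLEARTEXT_SERVICES = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}


class CleartextServiceAudit:
    """Hypothetical audit action following the __init__/execute interface.

    Assumes shared_data has a `config` dict with a "port_blacklist" list
    (an assumption about shared.py made for this example).
    """

    def __init__(self, shared_data):
        self.shared_data = shared_data
        self.blacklist = {int(p) for p in shared_data.config.get("port_blacklist", [])}

    def execute(self, ip, port, row, status_key):
        """Audit one (host, port) pair.

        `row` is the host's netkb row (a dict here) and `status_key` names the
        column in which this action's outcome is stored.
        """
        port = int(port)
        if port in self.blacklist:
            row[status_key] = "skipped"
            return "skipped"
        service = CLEARTEXT_SERVICES.get(port)
        if service is None:
            row[status_key] = "failed"
            return "failed"
        findings = row.setdefault("Findings", [])
        findings.append(f"{ip}:{port} exposes {service} without transport encryption")
        row[status_key] = "success"
        return "success"


def run_example():
    """Drive the action over constructed hosts and return their rows."""
    shared_data = SimpleNamespace(config={"port_blacklist": [23]})  # Telnet excluded
    action = CleartextServiceAudit(shared_data)
    rows = {
        "192.168.1.10": {"IP": "192.168.1.10", "Ports": "21;80;9100"},
        "192.168.1.20": {"IP": "192.168.1.20", "Ports": "22;23"},
    }
    for ip, row in rows.items():
        for port in row["Ports"].split(";"):
            action.execute(ip, port, row, f"CleartextServiceAudit_{port}")
    return rows


if __name__ == "__main__":
    for ip, row in run_example().items():
        print(ip, row.get("Findings", []))
```

The blacklist check comes first so that a port excluded in shared_config.json is never touched, which is the behaviour a practitioner expects from any action added to actions.json.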

Testing

  1. Create a test environment.
  2. Use an isolated network.
  3. Follow ethical guidelines.
  4. Document test cases.


Web Interface

  • Access: http://[device-ip]:8000
  • Features:
    • Real-time monitoring with a console.
    • Configuration management.
    • Viewing results. (Credentials and files)
    • System control.


Project Roadmap

Current Focus

  • Stability improvements.
  • Bug fixes.
  • Service reliability.
  • Documentation updates.

Future Plans

  • Additional attack modules.
  • Enhanced reporting.
  • Improved user interface.
  • Extended protocol support.


Contributing

The project welcomes contributions in:

  • New attack modules.
  • Bug fixes.
  • Documentation.
  • Feature improvements.


Support and Contact

  • Report Issues: Via GitHub.
  • Guidelines:
    • Follow ethical guidelines.
    • Document reproduction steps.
    • Provide logs and context.


Conclusion

Bjorn is a powerful tool designed to perform comprehensive network scanning, vulnerability assessment, and data exfiltration. Its modular design and extensive configuration options allow for flexible and targeted operations. By combining different actions and orchestrating them intelligently, Bjorn can provide valuable insights into network security and help identify and mitigate potential risks.

The e-Paper HAT display and web interface make it easy to monitor and interact with Bjorn, providing real-time updates and status information. With its extensible architecture and customizable actions, Bjorn can be adapted to suit a wide range of security testing and monitoring needs.


License

Bjorn is distributed under the MIT License. See the LICENSE file for more information.



Contact


Note: This document is subject to change as the project evolves. Please refer to the GitHub repository for the most recent updates.