WarBerry Pi – Tactical Exploitation Tool


WarBerryPi is a Raspberry Pi-based hardware implant that can operate in stealth mode while acquiring information from a target network, which makes it especially useful during red teaming engagements.

It is designed to gather the needed information in the shortest time possible. WarBerryPi's scripts are written to generate as little noise on the network as possible.

Disclaimer: Use it for academic testing only within a controlled environment. Attempts to use it on a network without acquiring the necessary permission may result in legal consequences.

WarBerryPi: Tactical Exploitation Tool

As an open-source tool, WarBerryPi is very effective at performing reconnaissance operations on a given network. It is made up of a collection of several pentesting tools, which enable it to perform its functions without much user interaction. A majority of the scans performed by WarBerryPi are automated and therefore run on their own once the tool is launched.

WarBerryPi can also be used as an entry point to a given network once it is implanted into that network. Through this, you can be granted remote access to the target network, which will make data exfiltration from a remote location possible. Once activated, the tool probes the network for any vulnerable services that can be exploited.

How does it work?

Once the Pi is plugged in, the scripts inside WarBerry Pi run and begin an in-depth analysis of the network that is being attacked. With WarBerryPi an attacker can acquire information such as MAC addresses, IP addresses, names of hosts, etc. After sniffing the available data packets, WarBerryPi logs all the information collected and makes it available through the SSH tunnel.

In the event that a valid IP is obtained, the tool calculates the subnet of the network in which the IP was obtained. By calculating the subnet, WarBerry is able to know which IPs are alive. The reason for doing this is to limit the time spent during a scan and also to minimize the amount of traffic generated within a network when an attack is in progress. This is one of the reasons why it is so hard to detect WarBerryPi when it is used to perform an attack on a network.

The reporting module on WarBerryPi gives you the option of sending reports in PDF format. Results obtained after executing a reconnaissance procedure using WarBerryPi are kept in WarBerry/Results.


  • DHCP Enumeration
  • Internal and external IP reconnaissance
  • Wi-Fi network enumeration
  • UDP/TCP Port scans
  • MSSQL Database scans
  • SNMP services
  • Oracle Database scans
  • OpenVPN
  • Firebird Database scans
  • MongoDB Database scans

Supported Platforms:

  • Linux, Windows, OS X

Some of the Tools inside WarBerryPi:

WarBerryPi Install

Clone the repo:

$ sudo git clone https://github.com/secgroundzero/warberry.git

Then navigate to the WarBerry directory and run:

$ sudo bash setup.sh

Basic Usage

To get a list of all options and switches use -h:

python warberry.py -h

  --version                             show program's version number and exit
  -h, --help                            show this help message and exit
  -p PACKETS,   --packets=PACKETS       Number of Network Packets to capture. Default 20
  -x TIME,      --expire=TIME           Duration of packet capture. Default 20 seconds
  -I IFACE,     --interface=IFACE       Network Interface to use. Default: eth0
  -N NAME,      --name=NAME             Hostname to use. Default: WarBerry
  -i INTENSITY, --intensity=INTENSITY   Port scan intensity. Default: T4
  -Q, --quick                           Scan using threats. Default: Off
  -P, --poison                          Turn Poisoning on/off. Default: On
  -t TIME,      --time=TIME             Poisoning Duration. Default 900 seconds
  -H, --hostname                        Do not Change WarBerry hostname Default: Off
  -e, --enumeration                     Disable Enumeration mode. Default: Off
  -B, --bluetooth                       Enable Bluetooth scanning. Default: Off
  -r, --recon                           Enable Recon only mode. Default: Off
  -W, --wifi                            Enable WiFi scanning. Default: Off
  -S, --sniffer                         Enable Sniffer only mode. Default: Off
  -C, --clear                           Clear previous output folders in ../Results
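
From the defender's side, the defaults listed above leave two weak indicators in DHCP server logs: the default hostname WarBerry and a Raspberry Pi MAC prefix. The following Python script is an added example, not part of WarBerry or of the original article; it assumes ISC dhcpd-style DHCPACK syslog lines, and the sample log, the function name and the short OUI list are constructed for illustration.

```python
import re

# Constructed sample lines in ISC dhcpd syslog style (not from a real network).
SAMPLE_LOG = """\
Jan 12 09:14:02 gw dhcpd[811]: DHCPACK on 10.20.0.41 to 3c:52:82:aa:10:01 (FIN-LT-0231) via eth0
Jan 12 09:15:40 gw dhcpd[811]: DHCPACK on 10.20.0.77 to b8:27:eb:4f:9a:c3 (WarBerry) via eth0
Jan 12 09:16:05 gw dhcpd[811]: DHCPACK on 10.20.0.78 to dc:a6:32:01:02:03 (HP-LaserJet-4F) via eth0
Jan 12 09:17:11 gw dhcpd[811]: DHCPACK on 10.20.0.79 to 00:1b:21:77:88:99 (warberry) via eth0
Jan 12 09:18:30 gw dhcpd[811]: DHCPACK on 10.20.0.80 to 3c:52:82:aa:10:02 via eth0
"""

# A few OUIs registered to Raspberry Pi; assumption: extend from the IEEE registry.
PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}
DEFAULT_NAME = "warberry"  # default of -N/--name in the help text above

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)

def find_suspect_leases(log_text, known_pi_macs=frozenset()):
    """Return one finding per DHCPACK line that matches an indicator.

    known_pi_macs: lowercase MACs of inventoried, expected Raspberry Pis.
    """
    findings = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        host = (m.group("host") or "").lower()  # hostname is optional in the log
        reasons = []
        if host == DEFAULT_NAME:
            reasons.append("default-hostname")
        if mac[:8] in PI_OUIS and mac not in known_pi_macs:
            reasons.append("unlisted-raspberry-pi-oui")
        if reasons:
            findings.append({"ip": m.group("ip"), "mac": mac,
                             "host": m.group("host"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspect_leases(SAMPLE_LOG):
        print(f["ip"], f["mac"], f["host"], ",".join(f["reasons"]))
```

Both indicators are easy to change (-N sets a different hostname), so treat a hit as a lead to investigate and an empty result as inconclusive.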