SlideShare uma empresa Scribd logo

Steelcon 2015 - 0wning the internet of trash

Transferir como PPTX, PDF
I
infodox

My presentation slides from Steelcon 2015 on "Owning the Internet of Trash", a presentation on exploitation of endemic vulnerabilities in the so called "internet of things", with a focus on finding vulnerabilities in, exploiting, and gaining persistent access to, routers and other such embedded devices. This talk was recorded, a video will be linked soonish, and went over some basics of analysing firmware, hardware, and suchlike to find bugs in things and hack the planet!

Software
1 de 56
0wning the Internet of Trash Darren Martyn Xiphos Research darren.martyn@xiphosresearch.co.uk
whoami • Darren Martyn / infodox • Penetration Tester & Researcher @ Xiphos Research Ltd • Forensics & Chemistry Student @ GMIT
This talk… • Hacking embedded devices – a gentle introduction. • Both hardware and software explorations • Examining exploitation ITW and post exploitation 
wtf
Today we shall talk about… • Obtaining firmware for embedded devices. • Basics of UART identification and use  • Extraction of firmware/finding vulnz • Popping boxes (exploit development). • Boxes being popped (router malware case studies) • Post exploitation  • Future ideas… (I promise, no more walls of text after this!)
Firmware Honest, this is what firmware looks like
Methods of getting firmware… • Download from internet > Vendor website > random internauts • Extract from device • There are other methods, but not going to get into that here.
Methods of getting firmware… (D-Link FTP)
Methods of getting firmware… (netgear support)
Random Internauts…
Extracting from device… • This is where we segue into the land of UART. • Basically, get some kinda shell on the device • And copy the rootfs (the bit we give a damn about for now). • Two main ways this happens for todays purposes…
UART Basics… • UART = “Universal Asynchonous Reciever/Transmitter” • TL;DR basically serial • Usually 4 pins, we only care about 3 really. • RX, TX, VCC, GND. We usually can ignore VCC.
Identify UART
Bastards removed the pins!
Interfacing with UART. • Buspirate - ~15£, interfaces with bloody everything. • Has disadvantage of being a bit of a pain to use at times. • Save money and cost! • USB-TTL converter for 2£ from ebay 
USB-TTL
Which pin goes where • This is a hard one to explain. Best summary is below. • http://www.devttys0.com/2012/11/reverse-engineering-serial- ports/ • Get a multimeter or oscilloscope… • GND pin, will positively continuity test with … a grounded bit • VCC is tied high at +3.3V or +5V usually • TX fluctuates between 3.3V and 0V as it… Transmits. • RX… Good fucking luck 
Ok, all hooked up. Interaction time? • Not yet. Gotta find the baudrate  • I usually just use this, or do it by hand. • https://code.google.com/p/baudrate/ • Then just ‘screen /dev/ttyUSB0 <baudrate>’ 
Connected! Here we have a “Billion” routers bootloader debug output coming over serial from it :D Sometimes we get a rootshell… Othertimes we get a “uBoot” shell.
GET /FIRMWARE • If you have a uBoot shell, you can often dump out the image • Xfer to yourself over tftp • With a rootshell… xfer back to yourself over tftp the entire rootfs 
A case study in firmware reversing && bug hunting… • For this bit on extracting FW and finding bugs a case study is best. • I presented the end result of this at Bsides Hannover. • We start with Moovbox firmware, end up with rootshells!
Because of scale we scripted binwalk…
Next up, scripting uncramfs… Trigger Warning: Filthy Code Ahead
find . –name “vuln” • Took a fairly blind approach to finding vulns • “Grep and gripe” kind of things • First off, looked at the web interface of device. How does it work. Whats its config. Etc.
Anyone see why this prompted interest?
Scripting is Magic…
Scripting is Magic…
Some numbers • All 108 were vulnerable to ShellShock • All 108 had the same shitty CGI script • 106 used thttpd rooting as root • 2 ran lighttpd. Also as root
Remote Root Everywhere
Further firmware analysis • Lets look for more fun stuff in this firmware • First off, we analyse the passwd files • 4 unique hashes
The Hashes • I have yet to crack these. People have been trying and failing for about a month. Can you succeed? root:$1$5jjAfVIS$dIG6AvGNwq8EENjTHnfpK/ root:$1$jb.3W.1D$8FeBW.T/x2wwJVB.lp.gv1 root:$1$bw7WuzHj$aU6V7omf9zBWA2sEaJv9p1 root:$6$W74jOIhT$QaYoDDN.N1SRgyG5ALymJHcYc9TmXKcITXyCstG DdK9cXOssLOTMQPl2uRm.wsNZ7oE5byOOrdNlvNxyguqVs/
SSH Keys • Protip: Hardcoded SSH Keys Suck • They all have /etc/ssh/ keys. RSA and DSA • They also have the same /etc/ssh_key privkey, which is a bit unusual...
/etc/ssh_key • Now, this is an odd one. It matches exactly two boxes in the wild – both hosts in Germany • As to wtf these are, I have no idea • If anyone can figure it out, it would be great ;) • 89.110.151.186 & 89.110.148.26 (who is this?)
Using SSH keys to fingerprint
Look! Duplicate Keys! Everywhere!
Let’s go after SSL keys… • OpenVPN Keys: find . -name "*.key" (108) > All identical • SSL Keys: find . -name "*.pem" (973) > 2e465be3c06ea7db968347aaa3df7d37 > Also all the same...
SSL Keys • 6 of them on each image. All identical across images: > 7135ad5b7fd5fb2eb23f8dfecf74919d > cb5199178e4649461928356c7cbdae74 > de2c6949bd1bca55c20d9610510a08d1 > 905a7590ee039a788a08d4dfd15d2582 > a926c2beaa439f37bc62a5678a4e5906 > 35a569e0e768495554c4cbddd787f9e4
Popping Boxes/xdev • Most of the vulns you will find are remote root • A lot of them will be command injection bugs. • Most people just enable telnetd and leave it at that. • More fun to be had…
Popping Boxes/xdev –Se0wned
Popping Boxes/xdev –dloser 0day Greetz to imax who actually bought a NAS back when we wrote the early versions of this exploit!
Popping Boxes/xdev • Getting a shell is just step 1. • Better payloads (tshd, for example) allow file transfer. • This means we can upload tools and exfil files easily  • (A POSIX Meterpreter that worked on ARM/MIPS/PPC would be nice and all… Just sayin’)
Router Malware • This stuff is being done ITW • I had nice screenshots and pictures, but /tmp ate them • So I’ll TL;DR it and explains some examples.
LinuxFlasher.A • Discovered by myself and _ta0 in the wild. • Firmware flashing malware, installed malicious firmware that included a password sniffer (dsniff) and exfil scripts using wput. • Sent very little network traffic, un-killable unless you reflashed. • Crude, held together with bash scripts, but highly effective.
Hydra/Aidra Family • Worm/Botnet, IRC controlled. • Spreads via telnet (and SSH) bruteforcing, also a D-Link config bug. • Mainly used by script kiddies for DDoS purposes…
Moon • Linksys only affected vendor. • Discovered by some SANS handler (Johannes). • Used a remote root command execution 0-day to spread. • Functionality mostly unknown. Had hardcoded target ranges. Just spread… And spread. Possible test run?
Post Exploitation • Exposed embedded devices put you firmly within an affected targets network • Often (routers) in a privileged position (routing all traffic!) • So much potential for pivoting, sniffing, etc… Going beyond rootshells… • Persisting is a harder problem we will address!
Post Exploitation - Building Toolkits • We need to statically link things so they will run on these devices. • Uclibc.org – excellent cross compiler toolchains, 10/10 recommend. • Now what tools do we actually need to do fun stuff?
Post Exploitation - Requirements • C&C – So we can manage the devices • Robust tools for getting shell access, transferring files. • Tools for sniffing, spoofing, doing things. • Persistence.
Post Exploitation – C&C • For C&C, we should practice excellent OPSEC. • Use Tor. Cross compiling static Tor is hard. I will publish the build guide in a week or so on Github  • Set up Tor to be a hidden service pointing at tshd bindshell. • There was a screenshot, but bloody /tmp ate it 
Post Exploitation – Access • We need to be able to run commands, interactive shell, and transfer files. • Tshd by Christopher Devine fits the bill for this. • Encrypted file xfer/PTY/command exec, bind and reverse connect modes. • Will publish the build-toolchain later 
Post Exploitation – Hack The Planet • Tcpdump && Ettercap && socat && nmap • Its been done before • We have to catch up  • Will publish the build-toolchains later 
Persist • How does firmware work? • Its infectous! • Unlesss you reflas…… Permapened • “RPEF” by Michael Coppola are ITW  • Firmware infections here to stay
Rootkit Firmwares • They exist • They are using them • If you believe otherwise you are an idiot. • …
Tl;dr • Embedded = owned • Harass vendors • Embedded rootshells are embedded root shells • 
Thanks  • Coworkers and such for tolerating weirdness • F1nux, Alastair, digininja, `k, getting me talking • Router mfg’s for making such products  • 
Q&A Questions & Comments & Abuse? Contact: @info_dox (twitter) darren.martyn@xiphosresearch.co.uk (email) infodox@jabber.ccc.de (jabber, use OTR else /ignore) 

Recomendados

BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheels
infodox
 
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration DisastersBSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
infodox
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
infodox
 
Packers
PackersPackers
Packers
Ange Albertini
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
Peter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
Peter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 

Recomendados

BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheels
infodox
 
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration DisastersBSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
infodox
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
infodox
 
Packers
PackersPackers
Packers
Ange Albertini
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
Peter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
Peter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
Peter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
Peter Hlavaty
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
Peter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
Peter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
Peter Hlavaty
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Peter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!
Peter Hlavaty
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
Positive Hack Days
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
Peter Hlavaty
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Jeremy Brown
 
Bz backtrack.usage
Bz backtrack.usageBz backtrack.usage
Bz backtrack.usage
djenoalbania
 
Distributed Fuzzing Framework Design
Distributed Fuzzing Framework DesignDistributed Fuzzing Framework Design
Distributed Fuzzing Framework Design
bannedit
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
Peter Hlavaty
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Introduction to Browser Fuzzing
Introduction to Browser FuzzingIntroduction to Browser Fuzzing
Introduction to Browser Fuzzing
n|u - The Open Security Community
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
Daniel Bohannon
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
Yashin Mehaboobe
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
Lyon Yang
 

Mais conteúdo relacionado

Mais procurados

Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Jeremy Brown
 
Bz backtrack.usage
Bz backtrack.usageBz backtrack.usage
Bz backtrack.usage
djenoalbania
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 

Mais procurados (20)

Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
 
Bz backtrack.usage
Bz backtrack.usageBz backtrack.usage
Bz backtrack.usage
 
Distributed Fuzzing Framework Design
Distributed Fuzzing Framework DesignDistributed Fuzzing Framework Design
Distributed Fuzzing Framework Design
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
Introduction to Browser Fuzzing
Introduction to Browser FuzzingIntroduction to Browser Fuzzing
Introduction to Browser Fuzzing
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 

Semelhante a Steelcon 2015 - 0wning the internet of trash

Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
Positive Hack Days
 
Packaging is the Worst Way to Distribute Software, Except for Everything Else
Packaging is the Worst Way to Distribute Software, Except for Everything ElsePackaging is the Worst Way to Distribute Software, Except for Everything Else
Packaging is the Worst Way to Distribute Software, Except for Everything Else
mckern
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat Security Conference
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 
110864103 adventures-in-bug-hunting
110864103 adventures-in-bug-hunting110864103 adventures-in-bug-hunting
110864103 adventures-in-bug-hunting
bob dobbs
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
Logicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataDefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android Data
Michael Smith
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 

Semelhante a Steelcon 2015 - 0wning the internet of trash (20)

Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Packaging is the Worst Way to Distribute Software, Except for Everything Else
Packaging is the Worst Way to Distribute Software, Except for Everything ElsePackaging is the Worst Way to Distribute Software, Except for Everything Else
Packaging is the Worst Way to Distribute Software, Except for Everything Else
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonThe basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
 
Reverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfReverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdf
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
110864103 adventures-in-bug-hunting
110864103 adventures-in-bug-hunting110864103 adventures-in-bug-hunting
110864103 adventures-in-bug-hunting
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
 
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privilegesLinx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at Scale
 
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataDefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android Data
 
From SaltStack to Puppet and beyond...
From SaltStack to Puppet and beyond...From SaltStack to Puppet and beyond...
From SaltStack to Puppet and beyond...
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
A Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryA Technical Dive into Defensive Trickery
A Technical Dive into Defensive Trickery
 

Último

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Nitya salvi
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
VishalKumarJha10
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
harshavardhanraghave
 

Último (20)

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 

Steelcon 2015 - 0wning the internet of trash

  • 1. 0wning the Internet of Trash Darren Martyn Xiphos Research darren.martyn@xiphosresearch.co.uk
  • 2. whoami • Darren Martyn / infodox • Penetration Tester & Researcher @ Xiphos Research Ltd • Forensics & Chemistry Student @ GMIT
  • 3. This talk… • Hacking embedded devices – a gentle introduction. • Both hardware and software explorations • Examining exploitation ITW and post exploitation 
  • 4. wtf
  • 5. Today we shall talk about… • Obtaining firmware for embedded devices. • Basics of UART identification and use  • Extraction of firmware/finding vulnz • Popping boxes (exploit development). • Boxes being popped (router malware case studies) • Post exploitation  • Future ideas… (I promise, no more walls of text after this!)
  • 6. Firmware Honest, this is what firmware looks like
  • 7. Methods of getting firmware… • Download from internet > Vendor website > random internauts • Extract from device • There are other methods, but not going to get into that here.
  • 8. Methods of getting firmware… (D-Link FTP)
  • 9. Methods of getting firmware… (netgear support)
  • 11. Extracting from device… • This is where we segue into the land of UART. • Basically, get some kinda shell on the device • And copy the rootfs (the bit we give a damn about for now). • Two main ways this happens for todays purposes…
  • 12. UART Basics… • UART = “Universal Asynchonous Reciever/Transmitter” • TL;DR basically serial • Usually 4 pins, we only care about 3 really. • RX, TX, VCC, GND. We usually can ignore VCC.
  • 15. Interfacing with UART. • Buspirate - ~15£, interfaces with bloody everything. • Has disadvantage of being a bit of a pain to use at times. • Save money and cost! • USB-TTL converter for 2£ from ebay 
  • 17. Which pin goes where • This is a hard one to explain. Best summary is below. • http://www.devttys0.com/2012/11/reverse-engineering-serial- ports/ • Get a multimeter or oscilloscope… • GND pin, will positively continuity test with … a grounded bit • VCC is tied high at +3.3V or +5V usually • TX fluctuates between 3.3V and 0V as it… Transmits. • RX… Good fucking luck 
  • 18. Ok, all hooked up. Interaction time? • Not yet. Gotta find the baudrate  • I usually just use this, or do it by hand. • https://code.google.com/p/baudrate/ • Then just ‘screen /dev/ttyUSB0 <baudrate>’ 
  • 19. Connected! Here we have a “Billion” routers bootloader debug output coming over serial from it :D Sometimes we get a rootshell… Othertimes we get a “uBoot” shell.
  • 20. GET /FIRMWARE • If you have a uBoot shell, you can often dump out the image • Xfer to yourself over tftp • With a rootshell… xfer back to yourself over tftp the entire rootfs 
  • 21. A case study in firmware reversing && bug hunting… • For this bit on extracting FW and finding bugs a case study is best. • I presented the end result of this at Bsides Hannover. • We start with Moovbox firmware, end up with rootshells!
  • 22. Because of scale we scripted binwalk…
  • 23. Next up, scripting uncramfs… Trigger Warning: Filthy Code Ahead
  • 24. find . –name “vuln” • Took a fairly blind approach to finding vulns • “Grep and gripe” kind of things • First off, looked at the web interface of device. How does it work. Whats its config. Etc.
  • 25. Anyone see why this prompted interest?
  • 28. Some numbers • All 108 were vulnerable to ShellShock • All 108 had the same shitty CGI script • 106 used thttpd rooting as root • 2 ran lighttpd. Also as root
  • 30. Further firmware analysis • Lets look for more fun stuff in this firmware • First off, we analyse the passwd files • 4 unique hashes
  • 31. The Hashes • I have yet to crack these. People have been trying and failing for about a month. Can you succeed? root:$1$5jjAfVIS$dIG6AvGNwq8EENjTHnfpK/ root:$1$jb.3W.1D$8FeBW.T/x2wwJVB.lp.gv1 root:$1$bw7WuzHj$aU6V7omf9zBWA2sEaJv9p1 root:$6$W74jOIhT$QaYoDDN.N1SRgyG5ALymJHcYc9TmXKcITXyCstG DdK9cXOssLOTMQPl2uRm.wsNZ7oE5byOOrdNlvNxyguqVs/
  • 32. SSH Keys • Protip: Hardcoded SSH Keys Suck • They all have /etc/ssh/ keys. RSA and DSA • They also have the same /etc/ssh_key privkey, which is a bit unusual...
  • 33. /etc/ssh_key • Now, this is an odd one. It matches exactly two boxes in the wild – both hosts in Germany • As to wtf these are, I have no idea • If anyone can figure it out, it would be great ;) • 89.110.151.186 & 89.110.148.26 (who is this?)
  • 34. Using SSH keys to fingerprint
  • 35. Look! Duplicate Keys! Everywhere!
  • 36. Let’s go after SSL keys… • OpenVPN Keys: find . -name "*.key" (108) > All identical • SSL Keys: find . -name "*.pem" (973) > 2e465be3c06ea7db968347aaa3df7d37 > Also all the same...
  • 37. SSL Keys • 6 of them on each image. All identical across images: > 7135ad5b7fd5fb2eb23f8dfecf74919d > cb5199178e4649461928356c7cbdae74 > de2c6949bd1bca55c20d9610510a08d1 > 905a7590ee039a788a08d4dfd15d2582 > a926c2beaa439f37bc62a5678a4e5906 > 35a569e0e768495554c4cbddd787f9e4
  • 38. Popping Boxes/xdev • Most of the vulns you will find are remote root • A lot of them will be command injection bugs. • Most people just enable telnetd and leave it at that. • More fun to be had…
  • 40. Popping Boxes/xdev –dloser 0day Greetz to imax who actually bought a NAS back when we wrote the early versions of this exploit!
  • 41. Popping Boxes/xdev • Getting a shell is just step 1. • Better payloads (tshd, for example) allow file transfer. • This means we can upload tools and exfil files easily  • (A POSIX Meterpreter that worked on ARM/MIPS/PPC would be nice and all… Just sayin’)
  • 42. Router Malware • This stuff is being done ITW • I had nice screenshots and pictures, but /tmp ate them • So I’ll TL;DR it and explains some examples.
  • 43. LinuxFlasher.A • Discovered by myself and _ta0 in the wild. • Firmware flashing malware, installed malicious firmware that included a password sniffer (dsniff) and exfil scripts using wput. • Sent very little network traffic, un-killable unless you reflashed. • Crude, held together with bash scripts, but highly effective.
  • 44. Hydra/Aidra Family • Worm/Botnet, IRC controlled. • Spreads via telnet (and SSH) bruteforcing, also a D-Link config bug. • Mainly used by script kiddies for DDoS purposes…
  • 45. Moon • Linksys only affected vendor. • Discovered by some SANS handler (Johannes). • Used a remote root command execution 0-day to spread. • Functionality mostly unknown. Had hardcoded target ranges. Just spread… And spread. Possible test run?
  • 46. Post Exploitation • Exposed embedded devices put you firmly within an affected targets network • Often (routers) in a privileged position (routing all traffic!) • So much potential for pivoting, sniffing, etc… Going beyond rootshells… • Persisting is a harder problem we will address!
  • 47. Post Exploitation - Building Toolkits • We need to statically link things so they will run on these devices. • Uclibc.org – excellent cross compiler toolchains, 10/10 recommend. • Now what tools do we actually need to do fun stuff?
  • 48. Post Exploitation - Requirements • C&C – So we can manage the devices • Robust tools for getting shell access, transferring files. • Tools for sniffing, spoofing, doing things. • Persistence.
  • 49. Post Exploitation – C&C • For C&C, we should practice excellent OPSEC. • Use Tor. Cross compiling static Tor is hard. I will publish the build guide in a week or so on Github  • Set up Tor to be a hidden service pointing at tshd bindshell. • There was a screenshot, but bloody /tmp ate it 
  • 50. Post Exploitation – Access • We need to be able to run commands, interactive shell, and transfer files. • Tshd by Christopher Devine fits the bill for this. • Encrypted file xfer/PTY/command exec, bind and reverse connect modes. • Will publish the build-toolchain later 
  • 51. Post Exploitation – Hack The Planet • Tcpdump && Ettercap && socat && nmap • Its been done before • We have to catch up  • Will publish the build-toolchains later 
  • 52. Persist • How does firmware work? • Its infectous! • Unlesss you reflas…… Permapened • “RPEF” by Michael Coppola are ITW  • Firmware infections here to stay
  • 53. Rootkit Firmwares • They exist • They are using them • If you believe otherwise you are an idiot. • …
  • 54. Tl;dr • Embedded = owned • Harass vendors • Embedded rootshells are embedded root shells • 
  • 55. Thanks  • Coworkers and such for tolerating weirdness • F1nux, Alastair, digininja, `k, getting me talking • Router mfg’s for making such products  • 
  • 56. Q&A Questions & Comments & Abuse? Contact: @info_dox (twitter) darren.martyn@xiphosresearch.co.uk (email) infodox@jabber.ccc.de (jabber, use OTR else /ignore) 