Packet Hacking Village - CIRCO Cisco Implant Raspberry Controlled Operations

Formal Metadata

Title
Packet Hacking Village - CIRCO Cisco Implant Raspberry Controlled Operations
Number of Parts
335
License
CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Designed around a Raspberry Pi and aimed at Red Team Ops, CIRCO takes advantage of "Sec/Net/Dev/Ops" enterprise tools to capture network credentials in stealth mode, using low-profile hardware and electronics camouflaged as a simple network outlet box that sits under or over a desk. CIRCO includes different techniques for network data exfiltration to avoid detection. The tool gathers information and uses a combination of honeypots to trick automation systems into handing over their network credentials! Emilio Couto is a Security Consultant with more than 20 years of experience in the network and security field. Born and raised in Argentina, he is currently located in Japan, where multitasking between language, culture and technologies is a must. Over the last decade he has focused mainly on Finance IT. In his spare time he enjoys playing with RFID, computers and home-made IoT devices. Over the last 5 years he has presented tools at conferences (Black Hat Asia, HITB, AV Tokyo and SECCON).
Transcript: English (auto-generated)
So, it is soon to be a good afternoon to everyone. And now it is my absolute pleasure to introduce you to Emilio. Thank you. Thank you. Let's see. Can you hear me? Good. All right. I think good morning, good afternoon, good evening, depending on which time zone you are in. Let me start with today. I'm going to present a tool called CIRCO. CIRCO. So let me first do some introductions. Hello, that's me. So I come from Japan. I know that I don't look very Japanese yet, but I've been living there for 10 years. So you can call me either way. It works both ways, Emilio, Emilio, or something like that. I like to play with networks, packets, and a bit of 3D printing as well. So I did demo a few tools already in a couple of conferences. Some of them are in Japan, so you may be aware or not. And just keep in mind, I'm not a programmer. So the code works, it's nice, and there's a lot of improvement to do. But it runs. As long as it runs, it's good to go.
All right, for those who are not familiar with what the tool actually is, the idea was actually born from the automations. Within the enterprise networks, we have a lot of automation tools. And those tools are just discovering every new device that connects to the network, and actually connect to it and provision it and do a lot of really cool stuff. Sure, but what about if it's not a Cisco switch that you are connecting to? They're basically giving us the credentials for free. Great, that was a good idea, I thought. So when it came out, actually it was a way to make something camouflaged which is not going to be noticed, and put it in there when you do red teaming within meeting rooms, open space, the secretary's desk, those kind of places. So I was looking to find a way to do this.

In this release, 1.5, what is new is that in previous releases I was not able to have an IP phone working, so I would go and unplug the IP phone and use that cable, but that's it. The IP phone would be off. That's something that people will notice, because it's not working anymore, and I wasn't very comfortable with it. A few people pointed it out as well. So in this version, I managed to remove the phone but plug the phone back into the box itself, and it keeps working as if nothing happened. So we're going to dig into that. I did some coding updates and also added some exfiltration techniques and encryption for protection against forensics, self-destroy switches, integration with Faraday and bypassing NAC, basically. Lots of features, basically, between 1.4 and 1.5.

So who do we target? Well, pretty much any automation system out there. These are quite a few known systems. HPNA is very popular. Of course, NetMRI as well. NAC itself is not an automation system for network provisioning, but what it does is try to prevent the things that I'm trying to do, basically. So I will get rid of NAC as well. And of course, there's always some admin connecting to things that they trust and putting passwords everywhere. This is an example of things that happen with a Raspberry Pi, you know. Some device in the network that nobody noticed, exfiltrating data, in the NSA. And this is not uncommon, because NAC is very hard; it doesn't solve all our problems. So it did happen.
Okay, so what are my main issues for version 1.5? Power options. I'm going to put in a Raspberry Pi, which needs power. Okay, battery, PoE. IP phone: when I unplug it, that looks suspicious. Someone told me about, if you find the little enclosure and you open it, you can see the keys, where the box is exfiltrating data to, because it's just an SD card and a Linux. Yes, so I need to add some forensics, anti-forensics on it, encryption, basically. Which is a key, always a problem.

All right, so let's start with the first problem, that is the power. So I came out with the paper idea, as the easiest one. You just start drawing things and come up with a list of wishes that you want to do. So this concept was, okay, the PoE negotiation is very complicated, and it has many standards, and there are many different ways to do it. Many implementations are different. But there's one thing, one element, that the phone and the switch will do: the negotiation of the power. How much power you need, how many watts, et cetera, et cetera. So I didn't want to get into that. So I say, okay, let the phone negotiate. Once that's done, I just hook the power. So I came up with an idea that violates every principle in networking, pretty much. Okay, why not? Let's give it a try.

So once you have a paper idea, what you tend to do is breadboarding. Let's do it, let's go. Come on, plug some cables and see what happens. Something will blow up for sure. So you start to build up some ports, and this breaks all network industry standards, by the way. So trust me on that one. So what tends to happen when you start to do this is, at some point, without you noticing, this actually works. And I'm like, okay, this is actually a good thing. So now you actually elaborate on it. So you move into prototyping. So this is a little board, just because the jumpers keep coming out of the breadboard. So you say, okay, let's make it a bit more stable. So I did a prototype; basically it's four RJ45 and a DC-to-DC converter plus a USB socket. So it was a very simple idea. It's all the wiring, the thing that goes underneath. So again, I never designed a PCB. So it would be nice to have like a Raspberry hub maybe, or go into that. So I'm still trying to figure it out. For prototyping, it's okay. All right, how CIRCO evolved between different releases.
So CIRCO is around one year old, maybe, around October 2018. So it started like an idea in a box. When I mean in a box, I mean literally, in a cardboard box. It was good because you can see the components, and you can even put labels on it. So it was quite, yeah, it was fun. So what happened here is that I used to use PoE LAN modules, and I bought one with DC; basically what it does is the PoE negotiation, and then it gives you the LAN back and the power. So I bought one, 12 volts, okay, and you need to convert this to five volts, and then I figured out they sell the five volt ones. So this is the first release, right?

So then we evolved into a production version. So you say, okay, let's move on. So I got some enclosures. They look like these boxes that you have under your desk, over your desk. So the whole concept is, okay, let's work with what we have in the market. So I looked for these enclosures to put stuff in. So in this release, I only have, you see there's only one cable going on. That's because I did unplug the phone and that's it. And I also did the smaller version. That was a bit more tricky because there's less space, but you can use this Raspberry Pi Zero, which is a bit cool, but you really need to work with the space. Again, this version has only one LAN. So you need to work with the LAN adapters on the Raspberry Pi.

Right, so we move to this version. This version is actually this box. This box, because I remember, now I'm still in the phone and I'm going to plug back the phone here. So what I'm going to do is use two different LAN adapters on the Raspberry Pi. So that's the reason I have a USB LAN adapter plus the onboard one. Also, on the bottom, you will see a DC-DC converter, from the 48 volts of PoE back to five volts to power the Raspberry Pi. And the yellow thing that you may see there, that's actually a magnet switch. I did 3D print some handles to mount it. But it's basically a magnet and a tilt magnet switch. So what it does, that is the key: when you open the case, it will detect that you opened it. And you know, you can rm -rf, you can do whatever you want. Reboot, shut down. So this is to prevent forensics, in case some forensic guy doesn't unplug the cables and just opens the suspicious case that they found. It will blow up, basically, if you want it to. That was a bit dangerous to do. EPMs, you know, HIDAPs, fire hassles. So just be careful. Of course, the same thing in the smaller box as well. Except that here what I need to do is two USB LAN adapters and a hub. So it gets tricky, but it still fits. So depending on what you find in the market as a disguise box, you can play around.

So, how much does this cost? Because this must be a really expensive thing. Well, this is an example of how much this box costs, right? So to give you an idea, this is a Raspberry Pi Zero. The two USB LAN adapters, the USB, micro USB hub, are like ridiculously small. And just the outlet, which is one of the most expensive things. The outlet I think is $10 or something. So yeah, you can get this for 50 bucks. So if you don't want to go pick it up, so you do a pen test, you leave it there, you are welcome to go and pick it up or not. Depends how well things finish on the pen testing report, right? So, you know, just in case you want to lose it.

All right, so the hardware is one thing. It's very simple components. LAN adapters, Raspberry Pi, plastic box, and some DC-to-DC buck converters. So now the question is what we're using as software. Well, CIRCO is actually the little box,
but we also have a few components. We have a component called Carpa, which is actually a software component only, running on the internet in a VPS, Python, Linux. That's a very simple component. So that's software only. Why? Because once this box gets infiltrated into the network, what is it going to do? Well, it's going to become a Cisco switch to get discovered. So all these lovely automation systems will connect to me and give me the credentials. So essentially it's a honeypot, basically. But what happens once I have the credentials? SNMP, telnet, SSH, whatever they use, they send to me. Great, now I need to exfiltrate to the internet. And this is the tricky part, because I need something on the internet to receive it. And that's where Carpa comes into play. At the moment I have a demo here, which I'm running on the Raspberry Pi Linux. You can run it anywhere, in any VPS, on the internet, Amazon, or any VPS server will do. The only requirement is that you have a domain name with NS records assigned to the public IP of your VPS, or NATed, if you have NAT.

So, and then we have one more component, which is Haula. Haula is, again, a software component. You can run it in the Raspberry Pi with a power bank and a wireless adapter. What it does is, basically, you can also exfiltrate via wireless. So it will do it from the box itself to the internet, or via wireless, or both if you want to. But via wireless, of course, you need to be in proximity. Keep in mind here, we are not setting up any access point. This is not an access point, because that would be caught by WIPS, right? WIPS. So we don't want any WIPS to notice us.

So, currently it's in Python 2, coming to 3 soon, and all the packet manipulation is mainly based on Scapy, in Python. And we are using some other tools from a different combination of people as well. For example, for the OSfooler, some part of the code of OSfooler to fool NAC, effectively speaking. And what exfiltration we can use: we have ping, traceroute, NTP, HTTP, HTTPS, DNS, proxy, and wireless. All of these are atomic. Basically, nothing comes back, ever. So from a firewall point of view, it's a timed-out session, aged out. So there's never a session, and none of those protocols that I just mentioned have an established connection, or anything back. So basically, Carpa never sends anything back to me.

And another new feature that came out is just, because I have a phone, right, and the phone keeps working, I'm basically man-in-the-middle between the phone and the network. However, in most offices, people connect the phone and the PC to the phone. So that automatically gives me free traffic from the PC as well. So that was a free bug, kind of. So effectively speaking, you can run different tools to capture the telnet, SSH, FTP, unencrypted protocols, or hashes, and exfiltrate those as well. So not just the network part, but also the PC, if any, connected to it.

So how do I become a Cisco switch? Well, I need to be able to send CDP, LLDP. I need to be able to have an SNMP server, agent basically, running, and telnet, and SSH, and all my packets need to look like a Cisco switch. So that was the triage, basically, of how we came up with it. So for the flows, I have a single mode
that is used when you don't connect the phone back, and the bridge mode, which is the most interesting for this talk. So in bridge mode, this is how it will work, the logic, right? So once this box turns on, what it does is the discovery first, to see what the switch close to me is, the real switch, and you try to get the name. Once you get the name, it will try to get one similar for itself. So if this switch, for example, is switch Tokyo01, it will become C03. Well, it will change the last digit by two. You know, the logic is very simple. If not, it always falls back to test C01. We need to pretend to be a nice, brand-new Cisco switch in the network. So we want to get that information first, then we get an IP address, and we start to set it up. Of course, the MAC address is that of a Cisco switch. We change the MAC address at the beginning. As well, one thing we want to do is to start to advertise CDP and LLDP to the switch. That's the way we get discovered by the automation tools. Then what tends to happen is that the existing production switch is already hooked to the automation tool, and when it sees new CDP and LLDP neighbors, it will discover that on the system. On the system, once a day, they connect and try to pull the config, et cetera, et cetera. Basically, give us the credentials. So once this happens, once we get the credentials, we can set it up to how often we want to exfiltrate it. So it can cycle, if we want to just do it once, or do it every one hour, the same exfiltration, and which method you want, all of them.

So to do this demo, I actually need to build a network with a proper switch and a firewall and a router and a DHCP and the internet. So I used to have all this spread on the desk. It was very difficult to set it up. You always forget one cable and things don't work. So because in Japan we have Toyota that makes cars, so it came out with macaroni. This is our infrastructure in a box, basically, so in a briefcase. And it only costs 200 bucks. It doesn't cost 28 grand like a Toyota. But what it does, it simplifies things very much. And so the lab itself, I know, everything has an acronym, right? Much perfectly. So the lab itself looked like this. It's basically a proper, you can look it up after if you want to. It's a proper Cisco switch, and Carpa simulated with a Raspberry Pi. I also hooked Snort in on the outside, on the internet, to see what Snort will see. This Snort is configured as a cam. In the middle, there's not actually any tuning. So it's default, basically, all. So it's supposed to catch even rubbish traffic as well.

So what I'm going to do is explain how the exfiltration technique works. So for exfiltration, what I'm doing, I need to be able to tell my device on the internet what these credentials are, and who they were taken from. So it came from my telnet daemon, my SSH daemon, through SNMP, or even the PC that was hooked. That's an optional thing I'm working on. Also, I want to know whether this is the enable password of the switch, or it's the user and password of the switch, or it's the SNMP community, basically. This works with SNMP v1 and v2 as well. v3, not yet. Nobody uses v3, actually, in any network that I'm aware of. But so this is the format, and the source IP of the automation tool or the laptop administrator, whoever connects to my box. Right, this is specifically the format that we want to exfiltrate. So one way to exfiltrate this data is, first of all, we will encrypt it with AES-256. So let me first go into showtime.
Let's start with the demo. Let me see if you can see that. Let me close this. So yeah. I cannot see, though. I cannot see what I'm typing. Let me bring back kind of a mirror. I don't know how to do this. Looks better now? Looks okay? Yeah? All right. So this is my server on the internet. So when I run it, I just, this gives me the options of the server. So this is my Snort. This is my administrator PC. And what I need now is my box. I also have this, because this version integrates with Faraday. So let me log in. So Faraday, I just have one workspace, and I have hosts. I only have one host with some vulnerabilities. All right, so let me do some magic. I need to put a magnet because I opened the lid. So I need to hack the lid open type of thing. So what you do is you take the phone out. This is my LAN from the switch, an extra cable from the phone, the actual phone. And there's a lot of flashing lights here. I suggest a Raspberry Pi. Nothing more interesting than that.

So one thing that I did find out was how to prevent forensics: encryption. So I'm going to use LUKS to encrypt the partition where I'm going to have the software, here, in case someone finds it. The problem with encryption is, to encrypt and decrypt, you need a key. So what happens when you want to do that? In a box that is already closed, you go there and put it. You don't have a laptop and installation system to spend, or to put a keyboard into the Raspberry or whatever. So what I came out with is I need a long key that I can use quickly to mount and decrypt this Raspberry Pi. So I found that this Raspberry Pi has Bluetooth. Great. So I create the, there are a million applications. There's a Bluetooth application with which you can create the services. You can do it from a Linux as well. So what I'm doing is I'm creating a service called Circo, and it has the UID, UUID, which is 128 bits. So guess what? That's my key. So what this guy is doing, once it boots up, at the moment it's in demo mode, so I should be able to access it. So if I do the F, the home drive I want to do is called P and keep. So if I do, there's nothing, because it's not mounted, right? So what I'm going to do is turn on this Bluetooth service. It's a demo key, in case you are sniffing Bluetooth. It's not for production use, right? So once I turn it on, it runs every five seconds. I think I put it at 10 seconds. What it does basically is it's scanning to see if it finds the services, and uses that key to mount and decrypt LUKS. So ideally this is all automatic, actually. Let me see, I think it's 10 seconds every, run every 30 seconds, 10 seconds, I can't remember where I put it. I create the services. System, LUKS. Yeah, I created a little script basically to do that. Let me see, this is on. Or maybe I have Bluetooth, I will explain. No way it's jamming Bluetooth, right? This is what happens with live demos. Come on. It did work before. Yes. Let me stop, start, and let me restart. This is my phone. I think it's my phone, actually. All right, let's see. Restart, nope. All right, let me do this manually. Let me create this. Oh, it did work. Oh, it was already mounted. Yeah, well, playing with Bluetooth within DEF CON, sometimes not a good idea. So let me turn this back off. All right, it's already mounted. So let me go to, this normally was to restart automatically, but,
so, oops. So I just to give you the menu. So I got Carpa, which is the one in the internet to receive the credentials, which I'm going to start in their voice mode. And the plugin is a Faraday plugin. And the interface is here, and just a file where you want to put the output, the credentials you find.
And so this is the Zirco interface. So what you do, first of all, we go into breach mode, or I put their voice. We go into breach mode because it's the one using the phone and the LAN at the same time. You still have backward compatibility because that's a good way to do things. And then we can choose what exfiltration technique we want it. You can actually see the all, or let's,
can you ping, DNS, HTTP, web, NTP, proxy, I could put to minus A actually. So when you start it, let me see, this one already start, and log in to Faraday, okay.
The plugin to Faraday, what it does basically is every credentials that he get, he will inject it into Faraday directly. So when the Zirco starts using verbose mode, that's the reason you see all the steps that what it's doing. So it starts, become a Cisco Macadez switch. This is to bypass NAC. Due to the Macadez I'm using, it's a golden one. So if you read through NAC,
force out NAC manual, it's a very small syntax. If you use this Macadez, you're always allowing it. Just read the document, should be fine, right? Guess what? That's what I'm using. Great, thank you for the manual. So, become a, can you read, right? Yes?
You know I can make it bigger. That's too big? Better? Yeah? So, what it does is we, well, it become a switch, discover, it become a Macadez switch, discover, it start the ACP, it's configured interface, so this is all the configuration proxy. The proxy, I have three different techniques for the proxy.
We go into details. This one is using the ACP. And then from here onwards, it become, it start a honeypot, right? The last line you see is because the magnet I put there. The lid is open, but I put a magnet manually. So if I take that magnet out, things will be crazy. So, now, I'm going to go to the real switch.
This is my real switch, right? This is Tokyo01, is my real switch. If I do show CDP neighbors, guess what? I see a phone, and I also see a switch called C03, C2960.
You can show details. And this is, yeah, it has an IP address, this is the version, the port, the Cisco switch. So I can see show CDP and show LLDP. As well, I can see LLDP. So this switch, I believe, someone connected a new switch,
maybe in the meeting room for training or something. So it does have an IP address, which is 151, all right? So this is my admin PC. What happens if I telnet to that IP address? I get the same prompt. Okay, so I type my super user, and switch number three.
So now, what I believe is a switch. I can run commands, Cisco commands, show version, yep, it's a 2960, this is the version running. Show IP route, show IP ARP, show MAC address,
show interface description. It is a Cisco switch, well, I believe it. Show CDP neighbors. I need to type it correctly, of course, it's a Cisco switch. Yeah, I can see now Cisco switch one, the production one. So they see each other in theory. Same with the show LLDP neighbors.
Yeah, I can see, so from this switch, so when automation systems connect to the switch, either by telnet or SSH, with the master credentials, they will run a set of commands to get the configuration, inventory, et cetera, et cetera. So those are most of the commands that it supports. I did not code the whole IOS simulator just for fun.
It wasn't fun. Yeah, the question mark also works, by the way. Yeah, oh, and if you wanna go to show run, of course. You need to be in enable mode. Okay, go enable. Yeah, sure. Great, secret. Now I can do show run.
Yeah, that works. What I can do is conf t. No, that doesn't work. I said the common stack exeros because I'm not going to prepare an IOS basically, right? So this was a telnet I did, right? So you can see in the configuration that the community is public, the SNMP community. Now what tends to happen is automation systems
will first try their own SNMP community, and if it fails, it will try the public, you know, one of the list of the common ones. So let's say I will try the system community, the one that they use in the company, right? So when I try that, that will not work. But A, because it's public, it will not work.
But you did already give me the community with that command. So when you do public, it has to reply like a Cisco switch. It is actually a name, the uptime, the version. It is a full SNMP device that you can poll. Now, what happened when I went back to CARPA?
Well, I start to receive this data. This is because it's verbose. So basically it's telling me that something via ping from this public IP, telnet, username admin, password, very smart, from this source IP they connect,
which is internal IP of this administrator laptop automation system. And then I get the same password via ping, DNS, traceroute, pdns is proxy, by the way, HTTP, NTP, and then I also get this via here.
So, oops, someone connects telnet, enable, the E just stands for enable with this super secret password. So again, if I now do the same thing, let me open the, so this is where this IPS is looking. Ignore the unreachable,
because I don't have internet connection, of course. But the only traffic that these guys can see, because I enabled the default, is a ping. So a Cisco switch is sending a packet ping. Nothing comes back, but that's the only alarm, which I don't know anyone that has a Snort with ping configured for alarms.
That would be quite a lot of alarms. That's the only thing you can see on the Snort side. So again, when you see P, and the community, even the switch, my switch did not reply to the community, but you did give it to me. It did reply to public, but not to the community you gave me, but I exfiltrated.
So now if I go to Faraday, right? So when I do a host, when I do refresh, now I have a new extra host. This 10.10.10.88 is the source IP of the automation tool or administrator, then whoever is connecting. So what happens is if I go to the credentials,
I can see the target, I can see the protocol that comes to the telnet, the enable, and the password. This is the telnet, the username, and the password. And this is SNMP, I should put SNMP instead of P. So now, as soon as I get them in CARPA via an API,
I can inject it into Faraday in real time. So that's for helping the pen testing reports, right? So now, what happens if I actually remove the magnet? So you start to see this alarm open, alarm open.
That means that because I did not unplug it, right? I remove the magnet. So what it does is when you detect that someone opened the case, the magnet get open, it will send a magic packet via exfiltration saying that someone opened it. So maybe they already stand to make the report.
So of course, you can make it, if you go here, for example, this was CIRCO running in debug mode, right? So you see that it's sending the credentials, and here is when I took the magnet off, right? You can do this, for example. That command, what it does is it immediately reboots.
So what it does, remember, because we have the Bluetooth encryption. So unless I'm back close to this box with this thing enabled, that will not work if you reboot. So if someone unplug it and replug it, it will not mount encryption. So that is a balance between having encryption and functionality.
So if you want encryption, you want the Bluetooth, sure. But if someone by mistake unplug it and replug it, it will not work again. You need to be back, walking around with a mobile in your pocket, right? So yeah, you can do whatever you want. You can, you know, eat PGM pools, I don't know, burn fires, whatever you like there.
So this is the way that this stuff work. So these are the components. So let me go deep into the exfiltration. Something's in the middle, right? Excuse me, there you go.
Go away. All right, so how I do, so this is basically a nice honeypot. Now, how do I take the data out? Nice, interesting point. So this is going back to basics. So we are using protocols that go through firewalls.
Some of them are blocked in the company, some of them can go through. So for example, some companies do allow ping to go out for troubleshooting or traceroute. So these are the protocols I'm using. ICMP, I'm using specific TCP and IP and UDP packet fields to actually put my data.
Remember, I have one line. We say T dash comma, username comma, password comma, and IP address. That, what I do is encrypt it with AES-256, and then chunk it in two bytes or six bytes. So the way to work encryption, basically to decrypt it, you need to tell me how many packets I should expect,
how long should my crypto be? So I'm going to send you 13 bytes of crypto in seven packets, two byte each. So first of all, I need to be able to tell that in advance before sending the packets. So what I'm doing is I'm sending one packet. Let me, these are the IP header.
There's a field called identification in IP packets. That do not get changed by NAT. When you NAT through a firewall, that doesn't get changed. So okay, it's two bytes that I can use for something. ICMP packets, within the ICMP packet, you also have identification and sequence numbers. Again, two and two bytes that I can use for something.
So ICMP, how it works. Basically, I need to tell you my 13 bytes and seven packets. So I'm sending one packet saying that 213 is the IP ID. And the rest is just random. So that means that the receiver knows that he's expecting 13 bytes.
Then I'm going to send you 307 as the IP ID. 300 means that actually you're expecting seven packets. And then I will send you seven packets with the 500, one. 500, two, as a sequence ID. That is a sequence of a packet in case they get a different order, alright.
And the crypto, within the ICMP sequence, which is two bytes, I will get that to become an integer, and that will be my crypto. So I need seven packets to do 13 bytes, plus padding, one byte of padding. So this is the way that most of the exfiltration techniques work. It's basically chunking data into specific fields
within different protocols, like ping, for example, or traceroute. Traceroute, we are using the data payload. For Cisco switch, the last four bytes are rubbish. So we are using those four bytes with hex. My encrypted data becomes hex. So I encode it into hex,
so it looks like a hex string. So that's a good place to put four bytes. Again, similar concept. First, I need to tell you I'm sending 30 bytes and seven packets, and then I send it one by one. Now, if we move into HTTP or HTTPS, remember, I'm not making a session. I'm just merely sending the same packet.
That's it. So there's something called window size in TCP, and do not change between the client and the server through NAT. So you have NAT, and that thing doesn't change. Again, great. So I have one, two bytes that I can use that does not change between the internal client and an internet server.
So that's what I'm using. Similar concept. I'm using the standard 213 like we saw in ICMP, but I'm putting the crypto within the window size of the TCP packet. So yeah, port 80, 443, or any port you like, 25 if you want to. But remember, most of the stuff probably doesn't have direct access to the internet.
So those exfiltrations may not work. HTTP, HTTPS, actually any TCP port will be the same concept on this, right? You just send the same, nothing comes back, and the crypto goes into the window size. Of course, it becomes an integer, right? This is just supposed to be a number. So from hex, I converted it into an integer.
And the whole process is in reverse on the other side. In CARPA, it's the other side receiving, it's the whole thing the other way around. So NTP, NTP was a bit fun. There's something called transmission timestamp, great. So the transmission timestamp has this format. So it's basically a timestamp plus a fraction.
And the timestamp is 32 bits, and the fraction is 32 bits. Wait a minute, that's a lot of data I can put there in those 32 bits, I see. So I'm using the fraction. So basically, the way that works is I'm using, I'm playing with the stratum and poll
to tell them the, again, my crypto is 13 bytes, and it will send seven packets or six packets or whatever is the padding that I need to do. In this case, I can send four bytes. So in reality, I don't need seven packets because it's 13 bytes, so maybe four packets will do. So I need to tell them it's four packets for this protocol specifically. And then I put it in the fraction,
convert it into an integer, or actually it's a float because it's 32 bits. But, and then the process is the other way. So inside NTP query, I'm putting the fraction timestamp of the transmission timestamp, 32 bits of it. DNS packet, this one is easy. It just uses subdomain.
Encrypted.mydomain.com. But I'm not sending a query to the internet. I'm sending an NS query to the actually internal DNS on the company. So this attack is not direct. So I don't have access to go outside. But the DNS server has internet resolution
through a relay or direct maybe. So what tend to happen when you do an NS query, what it does, you will do recursive until you get it. Assuming your DNS actually has internet resolution. Again, this is a hash encrypted. It's 20 bytes, 13 bytes we talk, so it's not very long chart.
You send it one, one query. Here is, you don't need multiple. So in this case, it's the flow of the thing. You will send just to the DNS server, internal DNS server, and the DNS server will go just directly to the, the trick here is that NS server should be CARPA, the IP address, the public IP, of course, of that evil domain that you're using.
Now, what happens when the company does not have DNS resolution as well? No access to internet in any protocol, no DNS resolution, external DNS resolution. Right, proxy. They might have something. So proxy works in a way, how you discover proxy, well, through, how you set up a PC's proxy,
DHCP option 252, WPAD or GPOs. Those are the three main, or manually, but I don't think people do that anymore. Those are the three most common. Okay, so what I do for DHCP, I will do a DHCP inform to actually the DHCP server to see if that option 252 is there and get the PAC file.
Now, what you get is actually a PAC file server, right? URL. Get there, connect, get the PAC file, parse it to get the proxy IP and port, then connect to the proxy, right? And of course, all proxies are most likely authenticated. Doesn't matter. This doesn't need to authenticate to the proxy to work. So this is a bit tricky because this unfortunately works with all Blue Coats,
McAfees, all the like high-end proxies. Because they forgot about something. When I do a telnet, a simple telnet to a proxy, and I do a GET HTTP, my crypto dot my domain, and of course, I do enter, enter,
and I get a 403, right, from the proxy. However, the proxy will generate the log in the system saying this IP address tried to go to this URL, and he got a 403. But a proxy does one more thing. He does a DNS query of that URL to put in the log, the IP,
which there's no IP. But what that means is he, which has DNS resolution, now is querying my DNS server with a string that I want to send. So he's, okay, thank you, that will do. So yes, it does generate one entry of 403 in the proxy logs. You know how many of those you get in a proxy constantly?
Millions. So yeah, great. That works if we have DHCP option 252, okay? Sometimes you have WPAD, if you still have WPAD. Similar concept, I just will look for the WPAD DNS entry, connect to the PAC file, get the proxy, and do it all over again.
Again, no DHCP, no WPAD, so probably most likely GPO. So the last thing I can do is DNS guessing. Basically, you give an array of names, like keywords, internet, or gateway, or GW, or PRX, or proxy, or gateway something. So you do that list of 10, 15 words,
and I will generate a dictionary with a dash, with an underscore, backward and forwards, a matrix. And I will generate a list of 12, we'll say maybe 280, and then I will try, with a DNS internal, which one actually replied back to me. Then I will test, is this a proxy, a pack file server?
So I will try to connect and try to get a PAC file. Could be something else. If it doesn't work, I will keep trying until I see something. So this is the way to go around the GPO, because GPOs, you need to have access to the Windows to actually see them. They're not being, it's per profile basically, so you can't really sniff it out of the network. And the last thing is the wireless.
For wireless configuration, remember I said I'm not setting up a wireless access point? I'm using beacons. Very short beacons of 500 milliseconds. So what I'm doing is, within the beacons, I'm using the SSID names of the wireless at home and in many places. Normally they tend to have like a hex address,
the last six digits of the MAC address of that home router is on the name of the wireless SSID. So I'm taking the opportunity to mirror that and broadcasting, by instance, those MAC addresses, part of my crypto. So again, I have 13 bytes, I will chop it in three, I will have six, six and one, we'll get padding,
and then broadcast for 500 milliseconds, that SSID of each of the three. And the receiver will be looking for, it's like a phone broadcasting SSIDs for a very short period of time. So that's the reason WIPS will not see it. Basically I'm using beacons as a back channel to push data out for credentials.
And that's it. And all I have. Questions? Or no?
Can you defeat MACsec? The thing is, when you connect the switch, right? What you have is actually a phone connected to the switch. So most NAC systems, or if you like, you want to have a network with one MAC address allowed only. Well, most of the companies have a phone,
the phone tends to have a PC after. So you need at least two, minimum, right? So because you are putting a Cisco switch and the MAC address that, Raspberry Pi, the MAC address I'm using is actually a golden MAC, NAC cannot block that one. Because the trick is very simple. There's a MAC address for virtual,
like HSRP or VRRP services. Cisco HSRP is a root in a standard gateway, right? So what it does is, they have virtual MAC addresses that they create. Those virtual MAC addresses are whitelisted by default in all NACs, based on the documentation. I did not write it. So, are you seeing one of those?
Any other question? Yeah, where? This one? Ah, sorry.
Yeah, I will release the version after DEFCON, no time over DEFCON, it's procrastination, but I will push it out to have the newest version and the guide for the building. Building is quite straightforward to, it doesn't require to be electronics to do that, just Raspberry Pi and a few things.
And the presentation, I believe the slides will be up soon. We'll put it in the website as well. There's a website somewhere, yeah. Now there's stickers on the back, if someone wants stickers. If not, let me know. I still have some stickers.
If no more questions, thank you very much for listening.
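The ICMP exfiltration scheme the speaker walks through (an IP ID of 213 announcing 13 ciphertext bytes, 307 announcing seven packets, then IP IDs 501 to 507 carrying two ciphertext bytes each in the ICMP sequence field) is also a concrete signature a network sensor can look for, because the marker convention is visible whatever key the payload was encrypted with. The Python below is an added detection example written for this transcript; it is not code from the talk or from the CIRCO/CARPA project. The marker bands (2xx length, 3xx count, 5xx chunk index, each assumed 100 wide), the requirement that the count marker immediately follow the length marker, the Packet layout, and the sample flows including the 13-byte ciphertext and the 203.0.113.10 receiver address are all constructed assumptions for illustration.

```python
"""Detector for the CIRCO-style ICMP covert channel described in the talk.

Added defensive example (not CIRCO/CARPA project code). Assumed signalling,
taken from the talk: in one echo-request flow, an IP ID in the 2xx range
announces the ciphertext length in bytes, the very next packet's IP ID in the
3xx range announces how many chunk packets follow, and each chunk packet then
carries its 1-based index in the IP ID (5xx) with two ciphertext bytes in the
ICMP sequence field. Everything else here (Packet layout, sample flows, the
13-byte ciphertext) is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LEN_BASE, COUNT_BASE, SEQ_BASE = 200, 300, 500   # marker bands seen in the talk
BAND = 100                                        # assumption: each band is 100 wide
CHUNK_BYTES = 2                                   # ICMP sequence field is 16 bits


@dataclass
class Packet:
    """Fields of one ICMP echo request, as a sensor would have parsed them."""
    src: str
    dst: str
    ip_id: int      # IPv4 identification field
    icmp_seq: int   # ICMP echo sequence number


@dataclass
class Finding:
    src: str
    dst: str
    announced_len: int
    announced_count: int
    chunks: Dict[int, int] = field(default_factory=dict)  # 1-based index -> 16-bit value

    def ciphertext(self) -> bytes:
        """Reassemble the carried bytes in index order and drop the padding."""
        raw = b"".join(self.chunks[i].to_bytes(CHUNK_BYTES, "big")
                       for i in sorted(self.chunks))
        return raw[: self.announced_len]


def _in_band(value: int, base: int) -> bool:
    return base <= value < base + BAND


def detect_circo_icmp(packets: List[Packet]) -> List[Finding]:
    """Flag echo-request flows that carry the length/count/chunk marker sequence.

    The length and count markers must be adjacent and the announced length must
    fit the announced chunk count, so a plain ping whose incrementing IP ID
    wanders through the 2xx band does not trigger.
    """
    flows: Dict[Tuple[str, str], List[Packet]] = defaultdict(list)
    for p in packets:                       # packets are assumed to be in capture order
        flows[(p.src, p.dst)].append(p)

    findings: List[Finding] = []
    for (src, dst), pkts in flows.items():
        i = 0
        while i < len(pkts) - 1:
            head, nxt = pkts[i], pkts[i + 1]
            if not (_in_band(head.ip_id, LEN_BASE) and _in_band(nxt.ip_id, COUNT_BASE)):
                i += 1
                continue
            length = head.ip_id - LEN_BASE
            count = nxt.ip_id - COUNT_BASE
            # With 2-byte chunks the padding is at most one byte.
            if count == 0 or not (CHUNK_BYTES * (count - 1) < length <= CHUNK_BYTES * count):
                i += 1
                continue
            window = pkts[i + 2 : i + 2 + count]   # chunks may arrive out of order
            chunks = {p.ip_id - SEQ_BASE: p.icmp_seq
                      for p in window if _in_band(p.ip_id, SEQ_BASE)}
            if set(chunks) == set(range(1, count + 1)):
                findings.append(Finding(src, dst, length, count, chunks))
                i += 2 + count
            else:
                i += 1
    return findings


# Constructed sample traffic.
BENIGN_PINGS = (
    # ordinary ping: IP ID and sequence increment together, no marker bands
    [Packet("10.10.10.5", "192.0.2.1", 0x3A10 + k, k + 1) for k in range(5)]
    # long-running ping whose incrementing IP ID passes through the 2xx band
    + [Packet("10.10.10.6", "192.0.2.1", 213 + k, 40 + k) for k in range(3)]
)
# 13 constructed ciphertext bytes 9f3c21e45a7b08dd1c66f0a9e3, padded to 14, sent as
# the talk describes: 213 (length), 307 (count), then 501..507 (out of order).
COVERT_FLOW = [
    Packet("10.10.10.151", "203.0.113.10", 213, 0x7F31),   # length marker, random seq
    Packet("10.10.10.151", "203.0.113.10", 307, 0x0A1C),   # count marker, random seq
    Packet("10.10.10.151", "203.0.113.10", 501, 0x9F3C),
    Packet("10.10.10.151", "203.0.113.10", 503, 0x5A7B),
    Packet("10.10.10.151", "203.0.113.10", 502, 0x21E4),
    Packet("10.10.10.151", "203.0.113.10", 504, 0x08DD),
    Packet("10.10.10.151", "203.0.113.10", 505, 0x1C66),
    Packet("10.10.10.151", "203.0.113.10", 506, 0xF0A9),
    Packet("10.10.10.151", "203.0.113.10", 507, 0xE300),   # last chunk, one pad byte
    Packet("10.10.10.151", "203.0.113.10", 0x1234, 1),     # unrelated ping afterwards
]
SAMPLE_PACKETS = BENIGN_PINGS + COVERT_FLOW


if __name__ == "__main__":
    for f in detect_circo_icmp(SAMPLE_PACKETS):
        print(f"{f.src} -> {f.dst}: {f.announced_count} chunks, "
              f"{f.announced_len} bytes: {f.ciphertext().hex()}")
```

The detector keys on the announcement protocol rather than on the payload, which is the part an operator cannot randomise without breaking the receiver; the recovered bytes are still ciphertext, but a finding gives the source host, the destination and the exact packets to pull from a capture. The same state machine covers the TCP window-size variant described in the talk by reading the chunk from the window field instead of the ICMP sequence, and a production version would add a timeout so that the count marker has to arrive within a few seconds of the length marker.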