Pwn The Pwn Plug

Video in TIB AV-Portal: Pwn The Pwn Plug

Formal Metadata

Title: Pwn The Pwn Plug
Subtitle: Analyzing and Counter-Attacking Attacker-Implanted Devices
Title of Series:
Author:
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers:
Publisher:
Release Date: 2013
Language: English

Content Metadata

Subject Area
Abstract
Malicious attackers and penetration testers alike are drawn to the ease and convenience of small, disguisable attacker-controlled devices that can be implanted physically in a target organization. When such devices are discovered in an organization, that organization may wish to perform a forensic analysis of the device in order to determine what systems it has compromised, what information has been gathered, and any information that can help identify the attacker. Attacker-implanted penetration testing software and hardware may also be the target of counter-attack. Malicious attackers may compromise penetration testers' devices in order to surreptitiously gather information across multiple targets and pentests. The very tools we rely on to test security may provide an attractive attack surface for third parties. In this talk, procedures for forensic examination and zero-day vulnerabilities that lead to remote compromise of the Pwn Plug will be discussed and demonstrated as a case study. Possible attack scenarios will be discussed.

Wesley McGrew (@McGrewSecurity) is an assistant research professor at Mississippi State University's Computer Security Research Center, where he recently earned a Ph.D. in computer science for his research in vulnerability analysis of SCADA HMI systems. He also lectures for the MSU National Forensics Training Center, which provides free digital forensics training to law enforcement and wounded veterans. In the spring 2013 semester, he began teaching a self-designed course on reverse engineering to students at MSU, using real-world, high-profile malware samples, as part of gaining NSA CAE Cyber Ops certification for MSU. Wesley has presented at Black Hat USA and DEF CON, and is the author of penetration testing and forensics tools that he publishes through his personal/consultancy website, McGrewSecurity.com.

Okay, this one's Pwn the Pwn Plug. Okay, I hope I said that right. Wesley, let's go. Thank you. So, how many of y'all out there have been basically emptying the vendor area of all these crazy little devices: Pwn Plugs, Pineapples, I got to watch my bees they've got to think this thing called a rutabaga now, Mini Pwners, things like that? How many of y'all been buying these things? Makes them make a little noise. Alright, so how many of y'all are going to be using those for good? How about for evil? Alright, so there's definitely some people doing some bad things with these things, and that's, but that's pretty cool. So what we have here is why those of you who are using these things for good and for evil might want to be a little more careful about when and where you turn these things on and how you use them. So the talk is Pwn the Pwn Plug: Analyzing and Counter-Attacking Attacker-Implanted Devices. So the idea here is we're gonna be breaking things that break things. My name is Wesley McGrew, and I am essentially the elder statesman of the Mississippi State contingent here, effectively, I guess, DC662. Mississippi State folks, make a little noise. Alright, great, cool. So I'm an assistant research professor at Mississippi State University, and also run McGrewSecurity.com and the McGrewSecurity Twitter account that you unfollowed last week. So
what I do is I break things. That's, I love breaking things, and I'm occasionally good at it. So I'm into any kind of vulnerability analysis, any kind of exploit stuff. I don't care what it is, I want to find the problems with it. I'm into reverse engineering. I teach a reverse engineering class at Mississippi State University that really well in the spring, and I've also been involved in the National Forensics Training Center, which teaches free digital forensics classes to law enforcement and wounded veterans. Recently I finished my dissertation, so I now have my PhD, for those of you who keep bugging me every year at DEF CON to finish that up. So that's prepared me for my new role as the twelfth Doctor. In the meantime, I'm a professor at Mississippi State University, sort of leading the charge on doing some cool offensive breaking-things type research.
What we're going to be talking about today are attacker-implantable devices, and this is sort of a term I've sort of applied to a wide variety of things. There's a crisis of terminology for these things right now. The traditional name for these are a drop box, and unfortunately there's a really bad name collision with that right now; those storage guys kind of took that one from us. But what I'm talking about are all these little kind of all-in-one embeddable type things that you can buy over there in the vendor area, things like the Pwn Plug, the Pwn, the power strip, the Pwnie whatever they call that one now. The Pwn Plug R2 that just got released, I haven't had a chance to get ahold of. Pwn Pads. You've got these little TP-Link router devices, like you see in the lower left there, that can kind of run stripped-down versions of OpenWrt, and finally a Raspberry Pi. So these new ARM sort of credit-card-sized computers are perfect platforms for this sort of activity. So there's basically a Pwn OS type thing for the Raspberry Pi; I presume it's probably called the Raspberry Pwn, but I can't remember right now. So what these things have in common is that they're small and they're what I call attacker-implantable: whether you're a pen tester or an attacker, you can take these and hide them pretty much anywhere in an organization, and you can use that as sort of your in. You can use it to sniff packets, you can use it to launch attacks from, and it's basically, you know, a do-it-yourself pivot point in case you suck at phishing and things like that. So
these things have applications for both penetration testers and malicious attackers. I'm sure all the folks that sell you these things want you to be a penetration tester, but there's also something to be said for somebody maliciously using one of these things. So the question here, one question: if we're a good guy, how do we respond to one of these that we find in our organization? So we found a new toy in our server room that we did not purchase from Pwnie Express, and how did this get here, and who's running it, and what is it doing to my network? And also, for both good and bad guys, what are the implications of there being vulnerabilities in these devices? So if I'm a penetration tester, what does it mean for my penetration testing tools to get attacked and compromised, and persistently compromised over a long period of time? If I am an organization that's found one of these that a malicious attacker has installed, can I counter-attack it? Why not? And assuming all the legal considerations are in order, you know, we don't have the same sort of problems with attribution of attack at this point. It's not like we're counter-attacking some random IP address somewhere else on the Internet and we don't know if that's a hop point or not. If there's a Pwn Plug or some Raspberry Pi plugged up to our network inside our building that we don't know about, well, that's obviously something we can attack. Why not, I say,
why not. So this slide is basically on identification, and I'm not going to go into all the different ways of identifying one of these on your network. Honestly, if you've got proper network access and control and monitoring in place and anything, you should see one of these things pop up the second it starts doing anything kind of noisy. Physically, they're meant to be sort of inconspicuous, but to the trained eye it's not so much so. You look at these things, and those are the two stickers that come with the Pwn Plug one, and one of them has a reference to SSH on it, and the other one is a printer power supply. And I think that's the best application for the Pwn Plug itself, is it looks like a printer power supply, but as part of its part number is 1337. Okay, now that I look at this picture, I'm not sure what the barcode is; it's probably like for a pack of Skittles or something, who knows. But so if you're going to be a pen tester using these things, or even better, if you're a malicious attacker using these things, print up your own stickers, like get an HP like printer power spot and run that off on it. But if you found these things, that calls for
concern. So what do we do? We can respond to, and so the first thing here, and I just love this picture because Riker's hosting this thing, I've forgot about that. First thing we want to do is pick this thing apart: what's going on with it? So we want to seize this thing, we want to image it, we want to forensicate it. We want to figure out what has it compromised already. If we can find that out, we want to attribute this to somebody. Is it somebody inside our organization that's trying to do their own sort of unauthorized pen test but they've got good intentions? Is it somebody who's managed to sneak in? Do we have a physical security problem now, too? We want to know who's getting this sort of information back, and there's a good chance that with these devices you can find, you know, where is this thing phoning home, who's grabbing the data off of it. And it may not be in the logs immediately, because these things are small and they're meant to not log a lot anyways, so maybe we have to sit there and wait till somebody actually tries to connect to it and get their data off of. So the challenge here for forensics on these devices is essentially how, we know procedures for pulling the plug on a computer, or taking a RAM image and imaging a hard drive and things like that on a normal PC or Mac or something like that, but for an embedded device, I said, do we know exactly how we're going to acquire a forensic image of this thing without inadvertently changing evidence or destroying the thing or what have you, or breaking it? You know, so that's one concern, is how do we do incident response on this, and another is, if we decide to, how do we counter-attack it? And so obviously, if it's sitting in our organization, we can pull the plug on it, and after we take our own forensic image of it, we blast our own image out to it that's backdoored to hell and back, and that's not too terribly hard. But what if we want to attack it in place? We don't want to remove
power from it; we want to compromise this thing as somebody is using it, and that's the main meat of this talk. And so once we get into this thing, then we can monitor the attacker. We have a better chance at attribution, we have a better chance at determining the motive. I don't know about you, but I mean, it's okay to stop an attack, but I'd rather know who's trying to attack me, and what are they trying to get at, what are they after, because that can help me defend against them in the future. Essentially, we can turn this device into a honeypot, but it's the vulnerable system that they are in and trying to attack us from, and we can monitor their actions from it. So for
pen testers, the typical use case for this, there's two different use cases. One is the lazy pen tester who doesn't want to take a flight out and go in person and anything to do an internal, behind-the-firewall pen test; sends it out and says, "Plug it into the network here, plug it into the network here," and sort of coordinates with the IT staff on this. And so that's one use case for this, and it's all set up: you know, plug in power, plug it in, and network gets ready to go, it phones home, it establishes an SSH connection, whatever. Then you have your nerdy Bond-type payload situation, where this is somebody who's a little more sophisticated pen tester and actually has a physical component to his penetration test, where he'll go in and they'll drop this device off surreptitiously in a network. And this is the same thing that an attacker is going to do: he wants to place this thing into a position on your network that gives him access without anybody knowing about it. These devices are typically reused from test to test, client to client. I don't know, but they probably emptied your wallet over there at the vendor area when you bought one of these things, so you're not leaving it anywhere permanently, probably, unless you're very malicious and you're profiting enough from one of these to buy 50 more. And so when you're using this thing, but most pen testers are going to want to pick this thing back up and use it on their next client's engagement. So between these tests, are you wiping it? Do you know how to wipe this thing? It's an embedded device; the cleanup procedure on it may not be completely obvious as it would be, you know, where you can just blow out a new installation of Windows or something. It's probably a little more complex than that. And are you actually bothering to do that from client to client B? And we can use that to our advantage when we attack these. From here
on out, I'm basically going to take the stance of an attacker attacking pen testers, because, oh come on, they deserve it, right? All right, so now we're going to put on our black hat, and this is the only free image of a cool-looking black hat I could find on the image search. I like this guy, he looks cool. So you put on your black hat, and we're going to talk about hacking a pentester's implantable device, either in the field or on his bench. So the attack that I'm going to talk about in the Pwn Plug here, it's fine and dandy if you see this on a client network and you can compromise it using the said attack, but this attack can also be used if the pen tester is testing the device or provisioning the device for a new test on the bench in his lab, getting ready for a penetration test, and so it actually might be even a little bit easier; this is due to the way that we do this attack. The benefits of an attacker doing this
are great. So the implication of breaking into one of these devices, and before I get any further, if you're running a WiFi Pineapple, you might want to turn that off here pretty soon unless you want it bricked, because somebody in here's gonna do it, and they're gonna do it fast. The implications of owning one of these things is, one, we can intercept things. So the penetration tester's doing the work for you: he's scanning for vulnerabilities, breaking into systems. I don't have to do that now, so I just collect what that penetration tester is doing for me. And we can modify these results, so let's control what gets back to the penetration tester. He popped root on the database server? Cool, let's not let him know that, and let's keep that for myself. And so we can filter these results, and it never shows up in the report to the client, and everything's cool: yeah, that database is totally secure. We can camouflage ourselves. Maybe the pen tester sucks and he's not running all the attacks that you wanted to run; well, just launch your own attacks from the device. That thing's supposed to be launching attacks, so nobody's gonna care, and so your attacks are part of the test at this point. And it's also competitive intel: if you've got a really clever pen tester that leverages an 0-day, you steal it. And essentially, this is the gift that keeps on giving: you can do this again and again as he reuses that device across multiple clients. You can maintain access to these organizations; you can get back into the pen tester's company's network whenever he takes it back home and plugs it up again. Cool stuff.
So there's difficulties in preventing this sort of thing, and the reason why these sorts of systems have these vulnerabilities is because they're very small platforms and they're running sort of off-the-shelf penetration testing tools. These tools are, I mean, attack tools are great. You know, people write, you know, a quick Python script to leverage some particular vulnerability or some particular network attack or something like that, and it'll work, and so everybody starts using it. But the problem is, as soon as it works, we're very fickle creatures: we get something working and then we move on to the next attack. So we don't exactly, you know, do a whole lot of testing; we don't really think of the attack surface of our tools. So if you think about penetration testing tools, you're connecting to all sorts of services that are not under your control. These services, you know, implement protocols probably to a level that even your attack tool doesn't fully implement. You're pulling in data from lots of sources, you're parsing that data, you're parsing file formats, so your attack surface is essentially your entire code. If it didn't have to do with processing things from another service, your code wouldn't be doing it. So essentially a vulnerability in any part of your attack tool really opens up for you. Most of these tools are proof-of-concept tools, and that's always my disclaimer on our writer security tools: this is a proof of concept, I got it working and then I stopped, and I'm as guilty of this as anybody. So the disclaimer there is: don't use this in a production setting, don't use this in your production malicious attack, your production penetration test, unless you fully understand the implications of what you're doing and you can control it. But unfortunately these things are open source, and folks who put together these small embedded attack appliances will take these open-source tools, put them on the devices as is, and wrap a
user interface around it and send it out. So at no point in this process is there any kind of audit of what are the vulnerabilities in these tools. These are very small, weird platforms. ARM is getting less and less weird, I guess, but these things are not, you know, these aren't PCs; these are outside of the comfort zone of a lot of the people who are using them. So once you get these tools running on that platform, then you just pray to God and you're like, alright, that's great, let's just move on and do something else. Now, when you send these things out, they're out of your physical control. So obviously, unless you're implementing some sort of encrypted file system on this thing, and even then, how would you do it? I mean, nobody, where's your key? You know, who's gonna type in a key on this thing once it's out there? So it's hard to protect this thing once it's out of your physical control. We know, I mean, we have access to a computer, we have access to a USB port, we're in. And finally, like, the update procedure for these things: once they work, they work. The chances of somebody, you know, actually seeking out between tests the new firmware for their Pwn Plug, the new firmware for their Mini Pwner or a Raspberry Pwn or whatever, is very slim. As long as this thing's working and doing the job, there's not a whole lot of chance they're gonna think to go out there and look for it. So if you're gonna do something like this, it needs to be an automated update procedure, but you can't all have automatic updates on one of these devices out in the field; that'll be a whole new attack surface for me to talk about next year. So these things will run old code, and they'll run old code for a very long time. Security geeks
are easy targets. So there's another problem. I talked about the problem of the naming scheme for these types of devices, you know, drop box being taken, and so I'm going with the wordy "attacker-implantable devices". There's also a similar semantics problem of doing research on this problem. So if we're talking about finding vulnerabilities in vulnerability analysis software, that's a really tough thing to Google. Finding exploits in pen testing software, very, not exactly the easiest researcher. But there's a lot of it out there, and there's a lot more that's yet to be found. So I'm not sure who is currently working on breaking things that break things, but there's a lot left out there. You're already familiar with the million bajillion Wireshark vulnerabilities out there, and that's very typical of this genre of software: we're talking about things that implement protocols, parse things, and have a huge attack surface. We have, you know, cross-site scripting vulnerabilities in Metasploit; we have some screenshots of the titles of talks that are here at DEF CON and back at Black Hat this past weekend. So the tools that security geeks use are no less vulnerable, or perhaps even more vulnerable, than the tools we're attacking, because there just hasn't been enough attention and there's not even enough audit on these tools. So the case
study for this, and I'm picking on the Pwn Plug for this, but honestly these same problems exist in other devices; I'll talk about that in a little bit. But today we're gonna be playing with the Pwn Plug. I have one plugged up underneath the podium here and wired up and anything, and hopefully it'll behave itself long enough for a good demo at the end of this. What we have is the discussion of the forensics of it and a demo of a counter-attack against this thing, or a straight-up attack against it, depends on how you look at it. So for
forensic acquisition of a Pwn Plug, so this is what I did. The first time I get ahold of any new devices, I want to know how to perform a forensic analysis of this thing, which involves imaging it, which basically gives me something that I can go back to, the original state of the device, when I screw it up when I attack it. So forensic acquisition is always something that I'm interested in. There's the explicit detail in the white paper for this. I haven't looked at the DVD; my Retina doesn't have a DVD drive on it. But the DVD that came with the conference materials has the white paper for this, it has these slides, it has all the attack code and payloads and all the crap that you need to do this stuff for your own. But the white paper has all the stuff about the forensics of this, so I'm not going to go into all the different U-Boot commands and things like that. But the essential step for this, the central idea of this, is that the Pwn Plug, which is based off of the SheevaPlug platform, so if you want to play around with these devices you can just buy a little 99 SheevaPlug, also nowadays you're better off with like the Raspberry Pi or something, but the idea is this SheevaPlug hardware that the Pwn Plug is based on can boot off of a USB drive if you ask it to nicely. Essentially, you can grab a Debian image for SheevaPlug, which will have everything you need to dd a drive, and more importantly, you're not relying on the file system and tools that are already on the Pwn Plug itself. You can boot it up into the serial console, interrupt U-Boot, tell it to load a kernel and a filesystem off the USB drive and go, and it'll boot up into your USB drive instead of the SheevaPlug. And so you can play around with some alternate firmware for this thing without blowing away the base install on it too, but more importantly for forensics, you can dd the root filesystem once you get in there. Now, as it turns out, it's just as well on this device just to copy, you know,
from root down, since, uh, since
for the analysis of it, you know, the UBI filesystem that's on these devices, and other similar compressed file systems are on a lot of these embedded devices, our options for forensic analysis on these are kind of limited. So there's lots of compression on these; at any given point you don't necessarily know exactly how much free space you have, depends on what you're storing. Really, the flipside of this for forensics is you can probably forget about recovering deleted files on this thing, because the whole thing is part of this sort of compressed image, and if you lose chunks of it, you know, you're basically out of luck with the rest; the rest is just noise. So there's really no tools for doing good forensic analysis that I know of right now for recovering deleted files and things like that. But if you have the file system image, which you can then blow out to another Pwn Plug if you wanted to, so that's useful, you can use mtd-utils on, you know, Linux to mount this image and start processing it at the logical file system level. You can go through and look at the files and things. These devices support attached storage, and the storage onboard most of them is fairly limited, so the nice thing about this is doing forensics on the little small USB drive that's hooked up to this thing; it's gonna be a lot easier than doing the forensics on the device itself, and it's gonna be standard procedures: you know, pop the thing out, hook it up to FTK Imager through a write blocker, if you please, and start analyzing. And chances are it's gonna be a normal-ish file system that's gonna be ext or FAT32 or something like that. And the cool thing is the stuff that's gonna be on that, that's gonna be the real goods there; that's gonna be all your packet data and things like that that aren't necessarily feasible to store on the internal storage. The cool thing about these devices is anything that's different from the base image, anything that's
different from the base image on one of these Pwn Plugs, it's likely to be of interest to you, because it's something that's changed, something that's a result of the attacker using it, or a result of the tools that are running on it, as a result of network traffic coming into it. So what you can do is you can take that filesystem that you've acquired and run it through FTK or whatever tools you have for making a known-file hash set. Hash all the files on the base image; you can download the base images off of Pwnie Express or whatever. So you have that hash set, and you look at this file system and you blow away everything that matches the hashes in there: no, that's, I don't care about that, that's the same as the factory config. Then the files that are left are the files that are going to tell you something. Cool stuff. Now we're
gonna get into attacking these things. We're gonna put our black hat back firmly on and we're gonna attack some penetration testers. The particular exploit that we're dealing with here is in the Pwn Plug user interface. So congratulations for those of you who bought a SheevaPlug and put the community version, the free version, of the Pwn Plug firmware on it: you're not vulnerable to this. This is only in the interface, the web-based interface, that's on the commercial versions that they sell to you. So this plug UI our opponents, I've seen it called both things in different parts of the documentation, this user interface is a web interface for the commercial version of the Pwn Plug, and it lets you do things like turning on passive recon, so you can sniff HTTP requests, look at the passive OS discovery stuff, set up the reverse tunnels and things like that. And so there's all sorts of fun things that this interface can do. They tell you in the documentation, when you put this thing into stealth mode, if you're gonna have it in stealth mode in an organization, this interface isn't nothing going. The problem is you can't do some of these cool graphical things, so, you know, our people aren't going to put it in stealth mode; who cares if it's noisy. Another thing is when you're setting it up on the bench back home, back at your lab or whatever, chances are you're going to be using this interface. So how do we break it?
So, with a bunch of boring vulnerabilities. So yes, I did get a DEF CON talk accepted for cross-site scripting. No, these are very boring vulnerabilities, they're easy vulnerabilities, so if you haven't attacked much, you're gonna be able to follow this. We have three different vulnerabilities in this. We have some cross-site scripting: boring. We have some cross-site request forgery: that's everywhere and sort of interesting. We have some command injections, so we can run commands on this device. That's kind of cool, but you have to be logged in to do it, so who cares. But if we combine these exploits, let's say our cross-site scripting is triggered by an injected packet that we send to this thing. It doesn't have to be directly to it, it can be anything that sniffs. So we send a packet to this thing, so that's a cool way of triggering XSS. Cool, better than, you know, phishing emails or a link on Twitter and things. What if our XSS payload triggers the cross-site request forgery vulnerability? Yeah, so we have one page on the interface that's vulnerable to cross-site scripting; that payload hits another page that we can submit forms to on the behalf of our penetration tester. Cool, what's that get us? Well, our cross-site request forgery is in the page that has command injection, so why don't we have our cross-site request forgery vulnerability, our payload, go ahead and inject the command for us, again on the behalf of the penetration tester that's logged in. As a result we get remote root. So cross-site scripting leading to remote root on this. And, you know, it requires a little bit of setup, I mean, it has to be, you know, the stars align, but it's a pretty realistic scenario, and I'm
gonna make y'all watch that slide again because the animations are cool. Oh, okay.
Thank you, thank you, faith it's all day on the keynote on that, I didn't render that fire myself. So here's your payload. This is what you send in the exploit packet for the device; this is what you're gonna pass into hping to get this thing rolling. So this part of it right here just passes the regex to get it on to the passive recon page; this is what it's looking for in a packet. You know, you might want to make something a little more believable than user agent "hi". This is the bit that you need to get cross-site scripting going on; everything inside that's gonna render in the page, and we'll see that in a bit. The cross-site
request forgery in here: we've got a form in here, and you've got a whole bunch of crap that you have to fill out for this form to actually take, but we submit this to the SSH tunnel setup page on the Pwn Plug interface and it goes ahead and submits it on the penetration tester's behalf. Then finally the command injection's in there, and this can be in any field; these same vulnerabilities exist throughout this interface, so basically you can mutate this to go to basically any page on the Pwn Plug. So basically what we have here is the SSH tunnel IP address is now semicolon, cd to /usr/bin, wget my malware, run it, remove it, and keep going. So what
do we run as a result of this? So we're not, you know, we're not alerting XSS here, we want to do something with this. So there's some proof of concept, see my disclaimer: proof of concept, and don't run this in the real world or you'll get owned. My proof-of-concept malware is Pwnmon. It's not specific to this device, you can not adapt this to anything, it's just a crappy little Python script, but it's a little bit better than alert one, alert XSS. And then it cleans up a bit after itself. It installs itself into /usr/bin, it sets up some persistence in rc.local and cron and all that crap, makes sure that it keeps running, sets up a lock file so that it doesn't run more than once at a time. The Pwn Plug specifically disables the bash history for the root user; I go ahead and rename that so I can keep up with command logs. And occasionally it phones home and tries to get more code to run, because that's awesome. And every so often it gathers a process list, the command history, a file listing, a set of network interfaces and connections, all the log files for the most interesting tools in the Pwn OS, and wraps it up and sends it to my FTP server. So this is something that you can kind of start from on this.
So the demo for this: there's everything you need to replicate this on the DVD. You need a floor model or above Pwn Plug, an actual commercial Pwn Plug, to replicate this, and from those guys that vendor area, tell them I sent you, tell them if there's a patch for this to give you the old one so you can play with this, or just use an unsuspecting friend or enemies. So we're gonna bounce
out here and hopefully this demo will
work. If not, I have a recording. Alright, so what we have here is, and it will take you on a tour of the different views
here. What we have here is our hapless penetration tester setting this thing up. Over here we have our attacker, basically
with a, you know, where he's launching the attack from, and the web server of these hosts and stuff off of the FTP and some info on what's going on here. The players that we have here are the Pwn Plug on 10, the pentester slash victim on 15, and the attacker here on 20. And here we have basically a view on the code of the Pwnmon software, in case I want to refer to anything for y'all. What we're gonna do first off, we're gonna start up our attacker web server
so that, uh, we have this. I'm gonna show you what's in here right now: the ubi.py. Now these ubi file names: since I had to do a bunch of research to figure out what the hell's going on with the UBI file system, I figure adding some more ubi-named commands to this operating system is a good way of hiding my malware, in that, you know, none of it makes sense anyway. So we have a ubi GUI and ubi mount here. ubi.py is the Pwnmon malware. ubi mount is the command, or the file on the web server, that Pwnmon occasionally pulls for new commands, and I'll show you what's in that. And okay, in a classic, you know, buying shell type crap here. We're going to host this web server. If you learn nothing else from this talk: you can set up a web server out of your current directory with just that command, and that's just tons of fun, beats setting up
Apache or whatever. Don't, you know, run your blog off of it or anything, but payloads are great. So that just fires you up a web server on port 8000. Cool. Let's see whether the Pwn
Plug's still awake. That's good. We have our FTP dead drop here where it's going
to go, and everything seems fine. So we're gonna be the hapless penetration tester again and we're gonna turn on the under plug services here, we're gonna turn on the passive recon stuff here. We were
already, I may have already triggered a vulnerability. That's cool. So he's gonna enable this and we're gonna see here in
a second whether or not that's actually, so we're enabled. We're gonna see over here it hasn't requested anything yet, so that's good. You might
not. So what we're going to do is, we have our exploit payload there, which I reviewed with you, and just a simple hping command, since it sounds
so there's a trick to this: we're sending it ten times, because it's kind of goofy. The passive recon page is pulling from a log file, and unless there's a good bit of traffic on the network, it takes a bit for the buffers to flush and for it to actually show up in the page, so I just send it ten times. The exploit is set not to run more than once anyway; sometimes we request two of them, but whatever. So we're gonna blast that out, and while that's going I'm gonna set up inspect element on this, the guy right
here, so we can see it when it shows up. All right, so let's, uh, inspect right here.
so what we see here is our you know
cookie hi form all that crap going on there
so pretty soon we should see requests here and we have so the cross-site scripting vulnerability as come on give me off the blue screen unhighlight all
alright the the set up a standard reverse SSH shell of get all my crap and
that's scheduled to run every minute, and thankfully it's already run. Sometimes if you hit it wrong I'd be standing here and have to tell you a joke or something before it actually does anything, but it's gotten the USB ubi mount script for
code to run. It's already phoned in with basically a tarred-up image of all the cool crap on the Pwn Plug. And so let's take a look at what we got here. With the ubi mount we should have a reverse shell running, so nc one nine two six eight dot nine ten on port, I think it was, nine thousand. Yep. Drum roll, please.
I've always wanted to do that on the stage at DEF CON. Alright, so over here at our FTP dead drop, this is actually cool. Who cares about getting root, we want to get stuff, loot. Alright, so what we have here, and this is actually kind of funny: the Pwn Plug isn't so hot on its real-time clock or anything, so this is timestamped with UNIX timestamps, and you'll notice I have the underscore and a dash here, and I was like, up in my script, you know, and I have a dash in here also? No, that's a negative timestamp there. So my Pwn Plug has lost it, and we'll see what it thinks the time is. Whoops, what else is going on here? Oh, I see, it's already grabbed another one. Okay, we'll grab that one. Implausibly old timestamp: 1946. We have defeated the Germans and now we're wrecking at Bletchley Park, I guess. So what we have in here, and you can see from that, because it was complaining about the time stamps, is we
have, you know, listing of files, interfaces, logs from Metasploit, John, Bluetooth, we've got the command histories and things like that on here. And everything on this device runs as root, so the web interface is running as root, so there was nothing that keeps us from doing any of this. And that's, see, that's about it. The whole thing's broken now and it takes like ten minutes to get everything back into a good state, so I'm glad that worked. So back to my slides, wherever those are. And so for
conclusions for this: these attacker-implanted devices can provide good counter-intel info. If you found one of these in your organization as a defender, alright, it's a curse, I suppose, depending on what they've already gotten, but you also have, you know, that somebody probably was there that's going against you, and also you've got all the tools in front of you and net that are necessary to start counter-attacking this thing and doing forensics on it, to figure out who is doing this to me, and why, and what are they after, what have they already got. For those of you who are pen testers out there, for those very few of you who actually said that you're going to use these devices for good: know your tools, test your tools, use them safely. Hell, if you're an attacker, do that. Monitor carefully and clean up between engagements and things like that. You need to be a little more literate with your penetration testing tools than simply using them; you need to understand how they work, you need to maybe even try breaking them every once in a while. And for breaking things, people who break things: pen testing tools make good targets. So with that, I appreciate y'all coming to my talk. There
is no Q&A room, so you're just gonna have to track me down before I go off and get bored and do something else.