Slide 1
0wning the Internet of Trash
Darren Martyn
Xiphos Research
darren.martyn@xiphosresearch.co.uk

Slide 2
whoami
Darren Martyn / infodox
Penetration Tester & Researcher @ Xiphos Research Ltd
Forensics & Chemistry Student @ GMIT

Slide 3
This talk…
Hacking embedded devices – a gentle introduction.
Both hardware and software explorations
Examining exploitation ITW and post exploitation

Slide 4
wtf

Slide 5
Today we shall talk about…
Obtaining firmware for embedded devices.
Basics of UART identification and use
Extraction of firmware/finding vulnz
Popping boxes (exploit development).
Boxes being popped (router malware case studies)
Post exploitation
Future ideas…
(I promise, no more walls of text after this!)

Slide 6
Firmware
Honest, this is what firmware looks like

Slide 7
Methods of getting firmware…
Download from internet > Vendor website > random internauts
Extract from device
There are other methods, but not going to get into that here.

Slide 8
Methods of getting firmware… (D-Link FTP)

Slide 9
Methods of getting firmware… (Netgear support)

Slide 10
Random Internauts
…

Slide 11
Extracting from device…
This is where we segue into the land of UART.
Basically, get some kinda shell on the device
And copy the rootfs (the bit we give a damn about for now).
Two main ways this happens for today's purposes…

Slide 12
UART Basics…
UART = "Universal Asynchronous Receiver/Transmitter"
TL;DR basically serial
Usually 4 pins, we only care about 3 really.
RX, TX, VCC, GND. We usually can ignore VCC.

Slide 13
Identify UART

Slide 14
Bastards removed the pins!

Slide 15
Interfacing with UART.
Buspirate - ~15£, interfaces with bloody everything.
Has disadvantage of being a bit of a pain to use at times.
Save money and cost!
USB-TTL converter for 2£ from ebay

Slide 16
USB-TTL

Slide 17
Which pin goes where
This is a hard one to explain. Best summary is below.
http://www.devttys0.com/2012/11/reverse-engineering-serial-ports/
Get a multimeter or oscilloscope…
GND pin will positively continuity test with … a grounded bit
VCC is tied high at +3.3V or +5V usually
TX fluctuates between 3.3V and 0V as it… Transmits.
RX… Good fucking luck

Slide 18
Ok, all hooked up. Interaction time?
Not yet. Gotta find the baudrate
I usually just use this, or do it by hand.
https://code.google.com/p/baudrate/
Then just 'screen /dev/ttyUSB0 <baudrate>'

Slide 19
Connected!
Here we have a "Billion" router's bootloader debug output coming over serial from it :D
Sometimes we get a rootshell… Other times we get a "uBoot" shell.

Slide 20
GET /FIRMWARE
If you have a uBoot shell, you can often dump out the image
Xfer to yourself over tftp
With a rootshell… xfer back to yourself over tftp the entire rootfs

Slide 21
A case study in firmware reversing && bug hunting…
For this bit on extracting FW and finding bugs a case study is best.
I presented the end result of this at Bsides Hannover.
We start with Moovbox firmware, end up with rootshells!

Slide 22
Because of scale we scripted binwalk
…

Slide 23
Next up, scripting uncramfs…
Trigger Warning: Filthy Code Ahead

Slide 24
find . -name "vuln"
Took a fairly blind approach to finding vulns
"Grep and gripe" kind of things
First off, looked at the web interface of device. How does it work. What's its config. Etc.

Slide 25
Anyone see why this prompted interest?

Slide 26
Scripting is Magic…

Slide 27
Scripting is Magic…

Slide 28
Some numbers
All 108 were vulnerable to ShellShock
All 108 had the same shitty CGI script
106 used thttpd running as root
2 ran lighttpd. Also as root

Slide 29
Remote Root Everywhere

Slide 30
Further firmware analysis
Let's look for more fun stuff in this firmware
First off, we analyse the passwd files
4 unique hashes

Slide 31
The Hashes
I have yet to crack these. People have been trying and failing for about a month. Can you succeed?
root:$1$5jjAfVIS$dIG6AvGNwq8EENjTHnfpK/
root:$1$jb.3W.1D$8FeBW.T/x2wwJVB.lp.gv1
root:$1$bw7WuzHj$aU6V7omf9zBWA2sEaJv9p1
root:$6$W74jOIhT$QaYoDDN.N1SRgyG5ALymJHcYc9TmXKcITXyCstGDdK9cXOssLOTMQPl2uRm.wsNZ7oE5byOOrdNlvNxyguqVs/

Slide 32
SSH Keys
Protip: Hardcoded SSH Keys Suck
They all have /etc/ssh/ keys. RSA and DSA
They also have the same /etc/ssh_key privkey, which is a bit unusual...

Slide 33
/etc/ssh_key
Now, this is an odd one. It matches exactly two boxes in the wild – both hosts in Germany
As to wtf these are, I have no idea
If anyone can figure it out, it would be great ;)
89.110.151.186 & 89.110.148.26 (who is this?)

Slide 34
Using SSH keys to fingerprint

Slide 35
Look! Duplicate Keys! Everywhere!

Slide 36
Let's go after SSL keys…
OpenVPN Keys: find . -name "*.key" (108)
> All identical
SSL Keys: find . -name "*.pem" (973)
> 2e465be3c06ea7db968347aaa3df7d37
> Also all the same...

Slide 37
SSL Keys
6 of them on each image. All identical across images:
> 7135ad5b7fd5fb2eb23f8dfecf74919d
> cb5199178e4649461928356c7cbdae74
> de2c6949bd1bca55c20d9610510a08d1
> 905a7590ee039a788a08d4dfd15d2582
> a926c2beaa439f37bc62a5678a4e5906
> 35a569e0e768495554c4cbddd787f9e4
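The reuse the passwd and SSL/OpenVPN slides above describe (identical root hashes, identical *.key / *.pem / ssh_key files across 108 images) can be checked mechanically once the images are unpacked. This is an added example, not the talk's own scripts: it assumes each extracted rootfs lives in its own directory under one parent (a hypothetical layout), and reports every key-file digest or crypt hash that shows up in more than one image.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def _secrets_in_image(rootfs):
    """Yield (label, value): key files by content digest, accounts by password hash."""
    for dirpath, _, files in os.walk(rootfs):
        for name in files:
            # OpenVPN/SSL material (*.key, *.pem) plus the odd /etc/ssh_key, as found in the talk
            if name.endswith((".key", ".pem")) or name == "ssh_key":
                with open(os.path.join(dirpath, name), "rb") as f:
                    yield ("keyfile", hashlib.sha256(f.read()).hexdigest())
    for rel in ("etc/passwd", "etc/shadow"):
        path = os.path.join(rootfs, rel)
        if os.path.isfile(path):
            with open(path) as f:
                for line in f:
                    fields = line.rstrip("\n").split(":")
                    # only real crypt(3) hashes count; 'x', '*' and '!' carry no secret
                    if len(fields) > 1 and fields[1].startswith("$"):
                        yield ("hash:" + fields[0], fields[1])

def shared_secrets(images_root):
    """Map each secret present in more than one extracted rootfs to the images sharing it."""
    owners = defaultdict(set)
    for image in sorted(os.listdir(images_root)):
        rootfs = os.path.join(images_root, image)
        if os.path.isdir(rootfs):
            for secret in _secrets_in_image(rootfs):
                owners[secret].add(image)
    return {s: sorted(imgs) for s, imgs in owners.items() if len(imgs) > 1}

def build_sample(base):
    """Constructed sample data: three rootfs trees; img1 and img2 reuse both key and root hash."""
    key_a = b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-SAMPLE-KEY-A\n-----END PRIVATE KEY-----\n"
    key_b = b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-SAMPLE-KEY-B\n-----END PRIVATE KEY-----\n"
    pw_a = "root:$1$SAMPLEAA$constructedhash1:0:0:root:/:/bin/sh\n"
    pw_b = "root:$1$SAMPLEBB$constructedhash2:0:0:root:/:/bin/sh\n"
    for name, key, passwd in (("img1", key_a, pw_a), ("img2", key_a, pw_a), ("img3", key_b, pw_b)):
        os.makedirs(os.path.join(base, name, "etc", "openvpn"))
        with open(os.path.join(base, name, "etc", "openvpn", "server.key"), "wb") as f:
            f.write(key)
        with open(os.path.join(base, name, "etc", "passwd"), "w") as f:
            f.write(passwd)
    return base

def demo():
    # run the audit over the constructed sample in a temp dir and return the reuse report
    return shared_secrets(build_sample(tempfile.mkdtemp()))
```

Point `shared_secrets()` at the parent directory of your own extracted images; any entry it returns is material every device in that batch shares, and therefore material one compromised device exposes for all of them.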

Slide 38
Popping Boxes/xdev
Most of the vulns you will find are remote root
A lot of them will be command injection bugs.
Most people just enable telnetd and leave it at that.
More fun to be had…

Slide 39
Popping Boxes/xdev – Se0wned

Slide 40
Popping Boxes/xdev – dloser 0day
Greetz to imax who actually bought a NAS back when we wrote the early versions of this exploit!

Slide 41
Popping Boxes/xdev
Getting a shell is just step 1.
Better payloads (tshd, for example) allow file transfer.
This means we can upload tools and exfil files easily
(A POSIX Meterpreter that worked on ARM/MIPS/PPC would be nice and all… Just sayin')

Slide 42
Router Malware
This stuff is being done ITW
I had nice screenshots and pictures, but /tmp ate them
So I'll TL;DR it and explain some examples.

Slide 43
Linux\Flasher.A
Discovered by myself and _ta0 in the wild.
Firmware flashing malware, installed malicious firmware that included a password sniffer (dsniff) and exfil scripts using wput.
Sent very little network traffic, un-killable unless you reflashed.
Crude, held together with bash scripts, but highly effective.

Slide 44
Hydra/Aidra Family
Worm/Botnet, IRC controlled.
Spreads via telnet (and SSH) bruteforcing, also a D-Link config bug.
Mainly used by script kiddies for DDoS purposes…

Slide 45
Moon
Linksys only affected vendor.
Discovered by some SANS handler (Johannes). Used a remote root command execution 0-day to spread.
Functionality mostly unknown. Had hardcoded target ranges. Just spread… And spread. Possible test run?

Slide 46
Post Exploitation
Exposed embedded devices put you firmly within an affected target's network
Often (routers) in a privileged position (routing all traffic!)
So much potential for pivoting, sniffing, etc… Going beyond rootshells…
Persisting is a harder problem we will address!

Slide 47
Post Exploitation - Building Toolkits
We need to statically link things so they will run on these devices.
Uclibc.org – excellent cross compiler toolchains, 10/10 recommend.
Now what tools do we actually need to do fun stuff?

Slide 48
Post Exploitation - Requirements
C&C – So we can manage the devices
Robust tools for getting shell access, transferring files.
Tools for sniffing, spoofing, doing things.
Persistence.

Slide 49
Post Exploitation – C&C
For C&C, we should practice excellent OPSEC.
Use Tor. Cross compiling static Tor is hard. I will publish the build guide in a week or so on Github
Set up Tor to be a hidden service pointing at tshd bindshell.
There was a screenshot, but bloody /tmp ate it

Slide 50
Post Exploitation – Access
We need to be able to run commands, interactive shell, and transfer files.
Tshd by Christophe Devine fits the bill for this.
Encrypted file xfer/PTY/command exec, bind and reverse connect modes.
Will publish the build-toolchain later

Slide 51
Post Exploitation – Hack The Planet
Tcpdump && Ettercap && socat && nmap
It's been done before
We have to catch up
Will publish the build-toolchains later

Slide 52
Persist
How does firmware work?
It's infectious! Unless you reflash…
Permapwned
"RPEF" by Michael Coppola
Firmware infections are ITW, here to stay

Slide 53
Rootkit Firmwares
They exist
They are using them
If you believe otherwise you are an idiot.
…

Slide 54
Tl;dr
Embedded = owned
Harass vendors
Embedded rootshells are embedded root shells

Slide 55
Thanks
Coworkers and such for tolerating weirdness
F1nux, Alastair, digininja, `k, getting me talking
Router mfg's for making such products

Slide 56
Q&A
Questions & Comments & Abuse?
Contact:
@info_dox (twitter)
darren.martyn@xiphosresearch.co.uk (email)
infodox@jabber.ccc.de (jabber, use OTR else /ignore)