Tri Valley Security Group (www.tvsg.org/ups)

Introducing the TVSG Dev Team
- AutoNiN – Software, Team Lead
- Spyder~1 – Hardware
- Mystic – Integration
- JustaBill – Organization

Concept
- Place a stealthed hostile packet sniffer on a victim network.
- Physical concealment is to hide in plain sight, posing as an Uninterruptible Power Supply (UPS).
- Network concealment involves clandestine exfiltration methods like Auto-IP Detection and encrypted UDP tunneling.

Caveat - Prototype
- The unit presented today is a prototype (mk II) unit demonstrating basic concepts.
- The unit is really not "undetectable" but should be difficult to detect, even in its nascent state.
- Additional hardware and software features are being researched to further decrease detectability and increase attack effectiveness.

Undetectable? Not really…
- Takes advantage of today's overworked, under-resourced, over-managed and under-trained Information Technology staff
- Completely blocked by proxies (but we'll fix that soon enough!)

Overview
- Introduction
- Integration
- Hardware
- Software
- Practical Demonstration
- Questions & Answers

Warning: Amps Kill!
- Avoid working on your chassis with AC power on
- Use non-conducting tools, holding them correctly
- Use GFCI outlets to power your project, if possible
- Use caution when working around filtering capacitors
- Be careful not to short out your various PCBs to the chassis
- Be sure to properly ground your chassis
- Don't say we didn't warn you

Integration
- Overarching Goal – Stealth: tried to maintain a 'stock' look as much as possible.

Hardware Requirements
- 486 or higher CPU
- 64MB or more RAM
- 1GB or more hard drive
- No moving parts
- Small form factor
- Integrated network
- Most important: cheap!

System Components
- UPS Chassis
- Power Supply
- Embedded Computer
- Network Hub

Physical Components (diagram)
- Chassis containing: power supply (110v AC in, 5v DC out), embedded PC, Ethernet hub
- RJ-45 jacks on the chassis: In, Out

UPS Chassis
- Tried several UPS chassis before we found one that worked well

Power Supply
- Needed to convert the 110v AC provided by the wall to the 3.3v, 5v, and/or 12v DC needed by the other components in the system.
- Most UPS power supplies are trickle-charge systems that cannot produce enough power to run our covert system.

Variety of Embedded Systems
- Older, slower, larger systems are the cheapest
- Popular embedded manufacturers:
  - http://www.advantech.com
  - http://www.kontron.com
  - http://www.ampro.com
  - http://www.emj.com

Our Selected Mainboard: Kontron's Coolmonster
- Pentium-166 with passive cooling heatsink
- 128MB PC-100 SDRAM
- 44-pin IDE channel for temporary CD-ROM drive
- 40-pin IDE channel for 2.5" 2GB laptop hard drive
- Single 10/100 Ethernet port
- PS/2 keyboard & mouse ports, VGA port
- PISA interface (bus expansion)

Network Hub
- Our embedded system had only 1 Ethernet port, so we could not bridge two interfaces together.
- For simplicity's sake, we ripped a 10/100 hub out of its case and placed it inside ours.
- Runs off 5v DC, just like the embedded PC.

Network Connections
- Repeater hub connected to both wall and client RJ45 jacks. Embedded PC also connected to hub.
- Good: client can still access the network even if the UPS is booting or down
- Bad: can't do Proxy-ARP attacks; client sees all UPS traffic
- Ugly: either way, the client gets Ethernet 'Link' from the UPS, which is odd

Software
- OS is Redhat 7.2, patched & stripped
- Custom Perl and shell scripts
- Additional malware added:
  - NetCat by Hobbit & Weld
  - dSniff by Dug Song
  - Nmap by Fyodor
  - thcrut by The Hackers Choice

Malware Installation - NetCat
- Many thanks to Hobbit & Weld for this incredibly versatile tool.
- Used for UPS Listening Post communications.
- Default configuration sends it over UDP port 53 to exploit firewall rules that permit outbound DNS queries from desktop clients.
- http://freshmeat.net/projects/netcat/?topic_id=150

Issues - UDP/53 Tunneling
- Modern IDS/IDP systems can detect UDP tunneling
- Layer 7-aware sniffers can detect that while the traffic is going over UDP/53, the payload is decidedly not DNS

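As an added example (not part of the original deck and not the TVSG scripts), the Python check below shows what a layer 7-aware sensor does to tell real DNS from arbitrary bytes sent to UDP/53: it parses the header, every question, and every resource record, and rejects anything that does not fit the message format. The sample payloads are constructed here for the demonstration; the "tunnelled" samples stand in for netcat-style traffic, and example.com and 192.0.2.1 are placeholder values.

```python
import struct

VALID_OPCODES = {0, 1, 2, 4, 5}          # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_QCLASSES = {1, 3, 4, 254, 255}     # IN, CH, HS, NONE, ANY

def _parse_name(buf, off):
    """Walk a DNS name starting at buf[off]; returns (name, offset after it).
    Follows backward compression pointers only, as RFC 1035 allows."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of message")
        ln = buf[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:                     # 11xxxxxx: compression pointer
            if off + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if ptr >= off or hops >= 16:
                raise ValueError("bad compression pointer")
            end = end if end is not None else off + 2
            off, hops = ptr, hops + 1
            continue
        if ln & 0xC0:                             # 01xxxxxx / 10xxxxxx are reserved
            raise ValueError("reserved label type")
        label = buf[off + 1:off + 1 + ln]
        if len(label) != ln or not label.isascii():
            raise ValueError("truncated or non-ASCII label")
        labels.append(label.decode("ascii"))
        off += 1 + ln
    name = ".".join(labels)
    if len(name) > 253:
        raise ValueError("name exceeds 253 octets")
    return name, (off if end is None else end)

def _parse_rr(buf, off):
    """Parse one resource record (answer/authority/additional); returns (rr, next offset)."""
    name, off = _parse_name(buf, off)
    if off + 10 > len(buf):
        raise ValueError("truncated resource record")
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
    off += 10
    if off + rdlen > len(buf):
        raise ValueError("RDLENGTH exceeds message")
    return (name, rtype, rclass, ttl, buf[off:off + rdlen]), off + rdlen

def looks_like_dns(payload):
    """Return (True, summary) if payload parses as one complete DNS message,
    else (False, reason). This is a format check, not a full protocol validator."""
    if len(payload) < 12:
        return False, "shorter than the 12-byte DNS header"
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in VALID_OPCODES:
        return False, "unassigned OPCODE %d" % opcode
    if flags & 0x0040:
        return False, "reserved Z bit set"
    if qd == 0:
        return False, "no question section"
    off, questions = 12, []
    try:
        for _ in range(qd):
            name, off = _parse_name(payload, off)
            if off + 4 > len(payload):
                raise ValueError("truncated question")
            qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
            off += 4
            if qclass not in VALID_QCLASSES:
                raise ValueError("unknown QCLASS %d" % qclass)
            questions.append((name, qtype))
        for _ in range(an + ns + ar):
            _, off = _parse_rr(payload, off)
    except ValueError as exc:
        return False, str(exc)
    if off != len(payload):                       # data smuggled after a valid message
        return False, "%d trailing bytes after the last section" % (len(payload) - off)
    kind = "response" if flags & 0x8000 else "query"
    return True, "%s id=0x%04x questions=%s answers=%d" % (kind, txid, questions, an)

def build_query(name, txid=0x1234, qtype=1):
    """Build a plain recursive query (used only to construct sample payloads)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

# Constructed samples, not captured traffic. 192.0.2.1 is a documentation address.
SAMPLES = {
    "stub query": build_query("example.com"),
    "resolver answer": (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                        + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                        + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])),
    "tunnelled text": b"hello from the UPS\n",
    "tunnelled short message": b"ok\n",
    "query with data appended": build_query("example.com") + b"\x00\x00hidden payload",
}

def classify_samples(samples=SAMPLES):
    """Run the check over each sample; returns {label: (is_dns, detail)}."""
    return {label: looks_like_dns(p) for label, p in samples.items()}

if __name__ == "__main__":
    for label, (ok, detail) in classify_samples().items():
        print("%-26s %s  %s" % (label, "DNS    " if ok else "NOT DNS", detail))
```

The check is deliberately structural: raw netcat traffic fails at the header or the first label, and data appended after a genuine query shows up as trailing bytes. A tunnel that encodes its data inside syntactically valid labels passes it, so catching the "advanced DNS tunneling" variant needs volume, entropy or name-length analysis of the queries in addition to this format check.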
Tunneling Alternatives
- Simple Port 80/HTTP Tunneling
  - Mask UPS requests in HTTP URLs
  - LP replies in HTML web pages
- Advanced DNS Tunneling
  - Mask UPS requests in DNS requests
  - LP replies in DNS replies

Malware Installation - DSniff
- Many thanks to Dug Song for his excellent suite of Sniff/Snarf/Spy tools.
- Minor tweak in the makefile for the Berkeley DB path and we were set!
- http://www.monkey.org/~dugsong/dsniff/

What We Used - DSniff
- macof - MAC address flooder - stuffs the CAM table
- dsniff - cleartext authentication extractor
- filesnarf - NFS interceptor
- mailsnarf - email interceptor
- urlsnarf - URL interceptor
- msgsnarf - instant messenger interceptor

Malware Installation - Nmap
- Thanks Fyodor, you rock!
- Comes as an RPM with Redhat 7.2, no installation really necessary
- Awesome portscanning/host locating tool, used to detect permitted connectivity outbound through the victim firewall
- http://www.insecure.org/nmap/

Custom Scripts
- A variety of Perl scripts were developed to handle UPS Listening Post communications and command and control, including IP Address Mode, Active Scan Commands and Exfiltration Methods.
- http://www.tvsg.org/ups

Custom Scripts - ups.pl (Master Control Script)
- Started as a service at UPS boot time and health-checked by a cron job, this script is responsible for monitoring UPS-specific processes and initiating connections to the command queue server.

UPS Process Flow
1. Load Config
2. Configure Network
3. Auto-Identify Network (if configured)
4. Confirm Network
5. Confirm/Update System Settings
6. Contact Listening Post
7. Get Commands
8. Process Commands

IP Modes
4 different methods of configuring IP:
1. No IP Mode (dumb sniffer)
2. Fixed IP Mode (good for testing)
3. DHCP Mode (not very stealthy!)
4. Stealth IP Mode (auto-find subnet/gateway)

Custom Scripts - netsnarf.pl
- Required for IP Mode 4 – automatic network discovery
- Watches the network for ARP requests and replies to determine the local network topology
- Uses The Hackers Choice R U There (thcrut) to ARP scan IPs on the same layer 2 segment

Custom Scripts - netcheck.pl
- Uses nmap and host to probe Internet targets to verify external connectivity:
  - Nmap 3 popular websites (HTTP)
  - Unix host command to 3 DNS root servers
  - Nmap to Listening Post on UDP/53

Custom Scripts - Various Shell Scripts
- Other scripts for UPS process management, task automation, and other cool stuff...

Command and Control (diagram)
- Corporate network: UPS behind NAT/Firewall
- Internet: LP; the UPS reaches the LP over UDP/53 and TCP/80
- Attacker reaches the LP over TCP/22 (SSH)

Custom Scripts - client.pl & server.pl
- Remote command fetch system with DES encryption, randomly generated keys, and a pre-shared key system.
- Client connects at intervals controlled by the master control script to the Server to check the command queue for changes in configured behavior.

UPS Connectivity
2 different methods of communicating:
1. UDP/53 (looks like DNS) beacon to config server
2. TCP/80 (looks like HTTP) reverse shell to LP

Demonstration
- Our demonstration will place the UPS behind a NAT device along with a victim PC
- We will place a Listening Post outside the NAT and command our unit to monitor the user
- We will then exfiltrate the captured data to the LP

Demonstration Lab (diagram)
- Internal network: Victim and UPS, behind NAT/Firewall
- External network: LP, Attacker, Server
- Credentials captured from the victim: Username: Loser, Password: password
- Email data captured: Subject: Watch out for hackers!

How to Defeat?
- Inspect all items entering the premises
- Deny clients direct outward access (DNS, HTTP, ICMP, etc.)
- Require the use of internal servers for all services – HTTP, DNS, mail, etc.
- Use encrypted services like SSH, HTTPS, POP3S, SMTPS, or even IPsec for internal as well as external traffic.

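The measures on this slide are preventive. As an added detection example that is not from the original deck, the Python script below scans firewall log lines for two signs of the device described earlier: a client speaking DNS to anything except the approved internal resolver (which the second bullet above is meant to block), and a flow whose inter-arrival times are regular enough to be a timer-driven beacon rather than a person. The log format, the addresses and the resolver IP are all constructed assumptions for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines, not a real capture. One workstation (10.1.1.20) uses the
# internal resolver 10.1.1.5 and browses a web server; a rogue device (10.1.1.77) sends
# UDP/53 to an outside host every five minutes.
LOG_LINES = """\
2002-05-18 10:00:03 ACCEPT udp 10.1.1.20:1025 -> 10.1.1.5:53
2002-05-18 10:00:04 ACCEPT tcp 10.1.1.20:1026 -> 198.51.100.7:80
2002-05-18 10:00:10 ACCEPT udp 10.1.1.77:1034 -> 203.0.113.9:53
2002-05-18 10:02:41 ACCEPT udp 10.1.1.20:1027 -> 10.1.1.5:53
2002-05-18 10:05:10 ACCEPT udp 10.1.1.77:1035 -> 203.0.113.9:53
2002-05-18 10:07:15 ACCEPT tcp 10.1.1.20:1028 -> 198.51.100.7:80
2002-05-18 10:10:10 ACCEPT udp 10.1.1.77:1036 -> 203.0.113.9:53
2002-05-18 10:11:58 ACCEPT udp 10.1.1.20:1029 -> 10.1.1.5:53
2002-05-18 10:15:10 ACCEPT udp 10.1.1.77:1037 -> 203.0.113.9:53
2002-05-18 10:19:30 ACCEPT tcp 10.1.1.20:1030 -> 198.51.100.7:80
2002-05-18 10:20:10 ACCEPT udp 10.1.1.77:1038 -> 203.0.113.9:53
""".splitlines()

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (udp|tcp) (\S+):\d+ -> (\S+):(\d+)$")

# Assumption for this example: the only host allowed to carry DNS outward.
APPROVED_RESOLVERS = {"10.1.1.5"}

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, action, proto, src, dst, dport = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "action": action,
            "proto": proto, "src": src, "dst": dst, "dport": int(dport)}

def find_rogue_dns(lines, approved=APPROVED_RESOLVERS, min_events=4, max_cv=0.1):
    """Return a list of findings:
    ("external-dns", src, dst)  - a client talking DNS to a non-approved server
    ("periodic", src, detail)   - a flow whose gaps have a coefficient of variation <= max_cv"""
    flows = defaultdict(list)
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["dport"] == 53 and ev["dst"] not in approved and ev["src"] not in approved:
            key = ("external-dns", ev["src"], ev["dst"])
            if key not in findings:
                findings.append(key)
        flows[(ev["src"], ev["dst"], ev["proto"], ev["dport"])].append(ev["ts"])
    for (src, dst, proto, dport), times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean      # 0 means perfectly regular
        if cv <= max_cv:
            findings.append(("periodic", src, "%s %s/%d every ~%.0fs" % (dst, proto, dport, mean)))
    return findings

if __name__ == "__main__":
    for finding in find_rogue_dns(LOG_LINES):
        print(finding)
```

Both signals are cheap to compute from logs the firewall already produces, and they complement each other: the resolver rule fires on the first beacon, while the periodicity rule catches a beacon that has been moved to an allowed port such as TCP/80. Real hosts also produce periodic traffic (NTP, software updates), so the periodic finding is a lead to triage against a list of known schedulers rather than an alert on its own.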
Questions?
Thanks for Attending…