Hey everybody! If you're standing next to a round table, you're in the wrong place. If you're sitting in a chair, you're in the correct place. If there's a chair next to you, put your hand up and make a friend. Everyone not sitting down, that's where your chairs are. There are lots of them. Please come in and sit down. And I'll tell you why. Because this fine man is going to teach you about more than you could possibly imagine in the next... How long did I actually give you? I told you 15 minutes? 12 minutes. He's got 12 minutes and he's going to go over how to build a rootkit on OpenWRT. It's going to be amazing. Take notes. You can play the recording back at one-tenth speed and it will be amazing. So yeah, definitely watch the long version of this talk when you get home. The short version is going to be fun. I'm going to get out of the way and I'm going to let this fine gentleman talk. But seriously, everybody sit down. There are plenty of seats and you really want to hear this. Nishant, please.

Thank you all for coming. Coming from a talk, and thanks to the... Oh! So he told me that... Oh, see? He told me that this one. Okay. So they already told me that the mic is a little hot. This one. And this one is cold. So I was supposed to stay a little bit far from that. Again, thanks for coming to the workshop that I will be delivering. Thanks to the Wireless Village people for all the good work, for bringing all of us wireless fans together. So as you can observe on the screens, the title of the workshop is Developing Wi-Fi Access Point Rootkits. My name is Nishant Sharma. As you can read, I work for Pentester Academy. Have you guys heard of it? Just a show of hands. Oh, nice. Catch you after the talk. So yeah, we are a cybersecurity training company. We run pentesteracademy.com. We run attackdefense.com. A little bit about me so that you know why to trust me, right? When I'm teaching you, you need that credibility.
So I work as R&D manager and the lead trainer at Pentester Academy. I conduct trainings on Wi-Fi for private clients; just five days before, I was conducting it for Black Hat here, the Wi-Fi master class. Before joining Pentester Academy, I worked as a firmware engineer with one of the providers. My job was to create firmware for the access points as well as for the wireless intrusion prevention systems. I have a master's degree in infosec. You know, doesn't matter still. I have been publishing my research at Black Hat, DEF CON, and other venues for the last four years. My prime area is Wi-Fi, and today we will be talking about a specific space in Wi-Fi which no one is giving importance to. So you know some of the pretty logos, just so that you know. This is pentesteracademy.com. It's an online library. This is attackdefense.com. It's our online cyber range. The main thing about it is dedicated instances. Every player gets dedicated instances, no VPN, only the browser. We have multiple scenarios as well, not restricted to one user, one lab, you know, multiple labs, multiple machines, and done with the promotion. So as you know, the workshop outline, as you can observe, right, we'll talk about the rootkits. I am going to take OpenWRT as the main system on which we are going to do it. The reasons we will be covering. First, we will talk about OpenWRT. So just for the lay of the land, right, how many of you are already aware of OpenWRT? Show of hands. Oh, that's good. That's better than, you know, the other audiences. Yeah, cool. So yeah, we will talk about OpenWRT. I'll quickly run through the introduction for those people who do not know about it: it's a wonderful project. You should know about it if you are in Wi-Fi or even if you are concerned about your security. Then we will talk about how we actually create firmware.
Those of you who haven't created a firmware before, you know that it comes from the vendor's website or, you know, it comes pre-installed. There is a third way of doing that and we will be covering that. We'll talk about the user space applications, how you can compile them into firmware. Apart from that, we will also talk about the kernel-based rootkits. That's the main takeaway. But to get there, these are the steps, right? These are the baby steps that you take. And I will try to cover as much as possible in this one hour, which apparently now came down to 50 minutes, and see what all I can teach you. So, access point security, right? Everyone is talking about Wi-Fi security, especially the enterprises, right? The WPA3 standard just came out. WPA2 PSK, enterprise, pretty secure, right? WEP was the bad one, already out of the market. But when it comes to the security of Wi-Fi routers, not everyone is that aware. When we talk about enterprise-grade access points, yes, they are doing a good job. How good, again debatable. But still, when we talk about the SOHO routers, right, as we like to call them, SOHO stands for small office, home office, right? You use them at your home, you use them at the small business venues that you have, right? Most of the time you're running WPA2 PSK. The thing is, once you buy a router at such a place, most of the time you don't have a dedicated guy to take care of them, right? So they run for years till the time they break. And they're running and you're just happy that you have a good password on WPA2 PSK and you think that you are unhackable, right? So that is something that is not right. We have seen multiple reports, multiple events in which Wi-Fi routers were hacked. There are multiple vectors. Some of you don't change your default password. Some of the routers have vendor-installed firmware backdoors. Some of them are using weak passwords.
Some of them are exposed to the Internet over SSH or the web UI, or there are multiple ways. So the problem is, once your router is compromised, there is a plethora of attacks that other people can do. So it's like giving the command and control of your Internet to somebody who you don't know, right? Some of the issues can be passive monitoring, because it's the router that sends all the traffic out, all the Wi-Fi traffic out. So once they are on it, just a one-line change can direct all of your traffic to their server. They can do passive analysis there. They can do active MITM there. And on top of that, for the past few years, we have seen occurrences where botnets actually took over the routers, then infected other things that were running on the network. And then they are using it to attack some third party, which is obviously not good. It's your infra. They should not be able to do that. So what kinds of malware are there and what can they do? We have already discussed, you know, worms. We have seen worms. We have seen rootkits, spyware, trojans; all kinds of things are now moving to the router space as well. The problem is, because they are neglected, no antivirus or HIDS is running on most of the routers, so you don't even know if you get hacked, right? So that's one of the issues. Access point rootkits, one of the subparts of the other malware, are important because this is the one which actually helps all of the other payload to stay hidden. So we will see how they are actually doing it. We will only be able to see two to three things, but it will give you a lay of the land, how exactly the things are happening there. A special case of rootkits is bootkits. If you are interested, really good things. So coming to OpenWRT. OpenWRT is an embedded operating system which again is based on Linux. It uses the Linux kernel. Utils like you have in your Linux.
So for all other practical purposes, if you SSH into it, if you log in to it, it will look like a Linux from the file system angle, from the utilities. The only difference is everything, just so that it can run on cheap hardware, is cut down on the functionality. It has fewer commands, it has less power, all of that. It comes with the ash shell; just like you use your bash or zsh on Linux, it comes with ash. It uses BusyBox for all the commands, all the commands put in one binary so that it's lightweight, only that. It uses LuCI as its web UI so that you can configure it easily. And just like your Ubuntu has apt-get, it has opkg. So you can actually install things on it. It supports routers, residential gateways, smartphones, and that was one of the reasons why we actually chose this one to do all of this. It's the most popular open source firmware out there. Currently it has 3,500 plus packages. So when I say packages, these are the kind of software tools that are already there. You just need an opkg install to install them and run them. It supports more than 1200 devices. These devices are of every range. You have devices which are for 20 or 30 dollars. You have devices which can go up to 1000 dollars as well. So depending on the need that you have, you can use this thing to create your custom gadgets. You can create your custom sniffers, because 802.11ac is coming in. So the Wi-Fi monitoring that you used to do on your conventional a/b/g or n has now become different, more difficult. So all of this can be helped. OpenWRT can help with all of this, but that is not the topic. So what we will discuss first is the OpenWRT build system. A lot of people who are using OpenWRT, even they don't like to compile their own firmware. Why? Because it is messy, or that's what people think. It's not, but that's the way things are. So what we will learn is how you can actually create your own build system. Don't worry about noting down the commands.
I'll make sure that the PPT, all the slides, are available to you. So you can actually use them. I have simplified everything so that you don't run into errors. You can use them to build your own things. And for now, I have already created a build system that you guys can also use if you like. You can go back. You can use it at that time if that is the case. So first, for the simplest scenario, we go with Ubuntu because Ubuntu is the simplest. You do your apt-get update and upgrade. Pretty standard. Then these are the dependencies that you have to install to build the system. The reason for explaining all of this is so that you can do it. It's a workshop. It's not the cutting edge research talk that we give, that you are used to. But this is something that you can actually go back and do on your own. After that, you add a low privilege user, because otherwise it creates problems when you build some packages. You switch to its home directory. And as I said, OpenWRT is open source. So it is on GitHub. You can download the latest stable version. I will always recommend you to go for the stable version. Don't go for the trunk. Don't go for the branch that is under development. It has active bugs. It has build issues. So you know, most of the time you will be wasting your time. So go for the stable one. The current stable one is 18.06.4. The one I am using here is .2. Doesn't matter. Not that much of a difference. First you take it. You unzip it. Why? Because you know it's a zip. You have to. And then we use the make menuconfig command to select the hardware that we want to build for. Don't worry. These are just the steps. We are going to see how to do it in practice as well. You have to then update the feeds and install them. Feeds are nothing but the kind of software tools that you can, you know, add while you are building all of this. And I have a build-ready setup here. So I will be using that. And the internet is back. That's a good thing.
So this is the AttackDefense lab I was talking about. It's the community section of the AttackDefense lab. So what I have done is, if you guys want to try it, you know, back home, you can actually go, you can log in with your Google account. You don't need a paid subscription. Just go here, free labs. And here I have created a build system so that if you want to use it, if you want to try it out, you can. You choose the server next, you know, which is nearest to you, obviously for latency reasons. You give it 25 seconds. In 25 seconds it will spin up a dedicated, you know, thing for you. If you are doing it right now, you will get another, you know, thing. I'll get another setup. So that's how it is. So if you want to do all of the setup at your place, what I have done is I have put all the commands that we discussed here. So you can actually directly copy-paste them and they will work, because I have run them like 50 to 100 times. So they work. Once the lab is ready, you go inside the lab. So the lab is only to practice. If you really want to create your own, you have to do it on your own machine, because for security reasons, our labs are contained. Nothing goes in. Nothing comes out. It's like that. So now what I have done here is I have taken the code from GitHub. This is how the build system looks. Now as I was telling you, we have to do a make menuconfig. So all the commands before it, they only tell you how to build this setup. Once the setup is ready, now we are focusing on the part where you select what you want to be in your firmware and what you don't want. You do make menuconfig, it will throw up a small UI so that you can select stuff. As you can see here, the first step, as you can observe, is to select the card that you have, the kind of card or the kind of architecture your machine supports. Very easy to guess. You can directly use your box to check for it.
If you see QCA or Qualcomm Atheros, it means you are using Atheros of some kind. If you check the data sheet or the booklet that comes with it, you will be able to find this number. So here I am using this one. This is the target one. If you don't know what you are doing, don't touch it. Generic will work for everything. No need to touch it. Target profile: here are the device profiles that are under that architecture. So from here, you can select the device that you want to build for. So I am using the AR750. It's a pretty thrifty device. This is the one. It's a travel router, very cheap, $50. You can get it on Amazon or any other website. The delivery is throughout the world. So first you do that. Now if you pay attention here, you will see multiple kinds of things. If I go to the base system, all of these things are the packages. Now the second question is, how would you know which package to install and which not to? So all of this documentation is available on openwrt.org. All the main things that you need for mounting the USB, mounting something else, like an SD card or something, you search for it. The OpenWRT community is well backed by people. You will find a lot of documentation, more than you can handle. So from here, what I will suggest is don't mess with the base system. Most of the things there, unless you know these are the kernel modules that you need, don't go there. Because the things that you need are here. So if you are talking about building your own attack gadget, if you go here, you will see aircrack, airmon, hostapd and whatnot. So this is how you actually select the things that you want to add. So right now, as you can see, hostapd is checked. This means it will be built as a part of the firmware when I build the firmware. You exit from it, again exit from it. Similarly, you have multiple options. So it is more than I can cover even if it is a one-day class. All you have to do is browse. Just browse for it.
You select the package. All the dependencies will be automatically selected by the build system and it will build it for you. After that, you do exit, you do exit and it will save the file. Sometimes when you make changes, it will show you a pop-up in which it will ask you if you want to save it or not. Obviously, save it. So all the changes that we just did went into this file. So you can observe that this is the chipset. If you go down, if you search for, say, aircrack, you will see that all the packages that we have selected have y in front of them. y means they are selected. They will be built. After this, you don't have to do anything. Just do a make -j8. So -j8 is nothing but to run it in parallel. So it will be using eight threads to compile it in parallel. Build systems are pretty heavy things. When you build them for the first time, you should have a powerful machine. Otherwise, it is going to take you hours. But that's the first run. Once you build all the basic things, the second run will be faster. So I won't do the whole thing here, because even after building it, this thing is going to take at least 10 to 15 minutes, because the system that I'm using is not that powerful. It is for the demo. It is not the main development machine that I use. So once you do that, now what you have to find is the firmware that is created. So in this case, I have already created it. But as soon as you run make -j8, it will be created for you. So the firmware images, they come with this extension called .bin. And that is it. And what I'm doing is I'm also grepping for the name of the device so that, you know, I don't get a lot of garbage. And this is the firmware that you can now download and flash your device with. Just make sure when you're flashing the firmware, the size of the firmware is not more than the memory that you have on your device, right? Because sometimes people, you know, they see this the first time, they go crazy.
They're like, I'll put everything in the world in this. And then they build a big firmware. They're flashing it. Some of the devices are not smart enough to detect that you are building a bigger firmware for a smaller device. So when you flash it, it will brick. It will not work. So don't blame me then. Mind your size before. So this is how you do it. Now, coming to the main part that the talk is about, right? So the second thing that we want to build now, this is how you will be able to compile your, you know, your own code. You can put it in the build system. There is a ton of documentation on it, how to do it. It is pretty easy. They have standard stuff. You have to put it here. Then you have to add a line here. All of four to five things you have to do and you will be able to build your own code. For all the available packages, you just need to select and you just need to run it. Now coming to the third part, this is the user space we are talking about, right? So now bootkits or rootkits, when we are talking about them, we are more interested in the kernel-based rootkit. So just to summarize again the same stuff: select it. You make a download directory when you are doing it on your system. Then you do a make download. When you do a make download, it will download all the packages that you have selected from the internet. And again, the last thing to do is make -j8. If you want to build only one package, instead of selecting it with space, you select it with M. So M will make sure that it will be modularized. So the thing is, if you don't want to flash the complete device, you have the option that you can create a package. You can take that package to your device and you can install that using opkg install package-name. Just like you do for Ubuntu using your, you know, dpkg for Debian packages. So in that case, you just need to do this.
It will appear as M and then this is the command where you have to mention the name of the package, and only this package will be compiled. So I'm not doing that because, you know, we are running late on time. Now why kernel modules? Kernel modules, because when you load them, they are inserted into the kernel, they run in the kernel, and due to that they can access the kind of structures, the kind of memory that is there on the kernel side. So no user process can actually do this. Even if it is privileged, it has to use a kernel module to make all of these changes. And that is what we are going to leverage to hide your processes, to make sure that you can see all the packets that the machine is sending, and even to make sure that you can create something which will be, you know, hidden from the user space. Even if you are running a daemon or something in the user space, it will be hidden. It will be replying. It will be taking orders from other things. So that's why the kernel modules are important here. Now the second question can be, can we directly insert kernel modules on your Linux system if you don't have root? No, you cannot. But that's the problem. That's one of the problems that most of your SOHO routers, which are Linux based, when you log in to them, they directly drop you into root. So if any malware, any worm, breaches my router, which is running on OpenWRT or some other Linux, it is going to get root and it can then, you know, insert its kernel module inside. So we have the build system ready. After that, you need the kernel module code that we have, you know, created here just to show you. After that, you need to make sure that your kernel code, when you are compiling it, can link to the build system, because the build system is the one that you will be using to do all of this. You have to make sure that everything is in the path. All of these are just steps.
You just need to fire these commands on the build system. And just to make sure that I don't type a big command to make it, I'll just create an alias which will pass the MIPS architecture, because this thing here, it runs on MIPS. Almost all of these small devices run on ARM or MIPS; you won't find a lot of these specially built things running on x86 or x86_64. So for that reason, you have to cross compile it. Cross compile sounds difficult, but it is not. It's just one word that you have to define if you know, you know, what the word is. So once you do that, you are ready. Once you have the kernel module, you can insert it using insmod. That's the command to insert it. lsmod is used to list it. And rmmod is used to remove the kernel module once you are done. So what we will do now is we will see a hello world module which we have, you know, written just for this class. So this is how it looks. You know, if you are familiar with the C language, these are the header files that we use. These are important here because your module_init defines the function which will be executed as soon as your kernel module loads in. Similarly, you can also define a function which will run when you take it out. So these are the basic things, and even this knowledge is more than enough to create something which can, you know, do pretty nasty stuff. This is the example here because, you know, obviously it's a hello world. It will just print, you know, kernel logs. So here we have two functions. The first one here is the init function which will be called when we insert it. It will just print, you know, "hello cruel world of kernel programming" to the kernel logs, just to make sure it's a POC, right? If it works, you can go forward, you can go for the more powerful code. Similarly, this one will run when you exit it. So let's do one thing. Let's see all of that. So in the rootkit code, you will find two folders.
For now, you can just ignore the kernel space program. You go into kernel fun. You go into hello world. So if you do ls -l, it will show you two files. Let's first check the hello world.c. It's the same file that we just saw. It has two simple functions and these are the declarations. So the code is written by my boss, you know, for this thing. His name is Vivek. So that's why the name is Vivek. I'm not stealing code from a third party, just so that you know. And then to compile these files, you use a Makefile. A Makefile is nothing but a way by which we programmers make things easier to compile when you're dealing with a lot of source code. So this is the simplest possible Makefile one can make. And because all the other things are already there and we have this alias set, we have to just do mipsmake and it will automatically link everything. Okay, so it actually ran into some error. Pretty strange. Must be missing some link. So in the normal scenario, because, you know, the demo gods, right, it was working in the morning. That's why I put it inside the machine. So the thing is, on running mipsmake, it should run if all the links are correct. So you have to make these four links as I was showing you here. One of these links is currently not working. So you export the staging directory, the path and the kernel root. If one of these is messed up, then, you know, it will fail just like it is failing right now. You have to make sure the kernel that you are targeting, you are only running it on the same kernel. You cannot compile it for 4.9.152 and run it on something else. It won't work. So that is one of the things that you have to do. You have to make sure. But if you're compiling a firmware and you're installing the same firmware on the device, whatever you compile here, it will directly work on the box out of the box. So what we will do now is, I have compiled this already because I have to show you how they run.
And instead of using your own machines, because for them the kernel will be different. So even if you download them and you try to run it, it won't run. So what we have done here is we have emulated an OpenWRT system inside the lab. So in this, it will behave just like this device, apart from the Wi-Fi thing, because obviously no physical antennas. For all other practical reasons, it is behaving like a complete Linux system. So again, after 25 seconds, it will give me a console on which I will be able to see all the kernel modules that I have compiled, and I can directly interact with them. I can see what they do. First we do the hello world, then we will move to the more advanced ones, which are of interest. Hello world, you all know it's just the POC, right? So this one is the router, the same firmware, but this one has a different kernel. That's why I had to compile it again. This one uses 4.9.53, I think. That one is different. So as soon as you press this, it will boot just like the device. If I go to the root directory, kernel modules, I have already compiled these kernel modules and kept them here just so that the demo gods don't do this to me. Now, before inserting it, you can use lsmod to check what all kernel modules are already there. Now if you do insmod for the hello world kernel module, you will observe that this is the kernel log that is being printed. It is coming on the console because, you know, as of now, we haven't set the debugging level. So if I do -n 1, it will not come anymore. We will be able to see it using dmesg, which shows the kernel messages, right? So this is the POC thing, right? Now if I want to check if it was inserted, I'll just do lsmod and I'll grep for the hello world. And there it is. I can again remove it using rmmod. And if I do dmesg, it will also show that it has exited, right?
So that's the basic POC code that we do, you know, whenever you start programming, this is the first thing that you learn. Now coming to something, you know, which looks hackish, right? Which looks like something of use. So suppose you're running something in the user space, right? You're running your own backdoor or you're running something which you don't want the user to notice even when it is coming in the ps output, right? So what do you do? You change the name of that. If you change the name of that, if you make it look like something official, most of the users, or almost everyone, is not going to suspect it. They will just assume that it is one of the system, you know, things that run on Linux and that is beyond my understanding, right? That's what we do. So let's do that. So if I do ps here, I should be able to see all of these, right? So let's do one thing just to make sure that, you know, you are able to understand the effect, the change. What we have done is the kernel module, it does not change the name, but it appends something to the name. It's the same thing. If we can append something to the name, we can always, you know, go and completely wipe it out and use the name that is there. So in this one, I have to do insmod. And then after that, I have to, you know, so, you know, it is a big command. So I have actually written it here. Change mode is the kernel module here. In the PID, we have to provide the PID of the process for which we want to change the name. So for example, this one here is a server daemon. So let's do it for this. It's 14... or it's 2110. So 2110. You do this. You do ps. And there you go. Right? So here we appended it so that we can find it easily. You can see it visually. We can also change it completely. We can make it look like something like this, right? Something gibberish that, you know, the user will not be able to make sense of. So that's the first kind of thing that you can do.
If we talk about another thing, one more thing that we can do is we can use netfilter hooks through our kernel module to make sure that we can monitor all the packets that are sent by the machine or that are coming to the machine. So for that, we will be using the netfilter hook NF_IP_LOCAL_OUT, which corresponds to all the packets that this machine is generating and sending out. So here is a quick, you know, description of the netfilter architecture. It has multiple points where you can put hooks. These are also called hooks. So you can see when the packet comes in, it's checked if it is coming for this machine, it will be sent here. That's the two, denoted by two. That's the in hook, because it is coming to the machine. Similarly, if the machine generates the packets, it goes out from here and it hits point 5. Point 5 is NF_IP_LOCAL_OUT, which is for the packets generated by the machine. So suppose, you know, even from the defender's perspective, if you want to see what kind of packets your machine is sending, right? So this kind of module can actually help to do that. So let's go back and let's do a quick ls -l. So the one that we are talking about is the network kernel object. You just do an insmod network.ko and you are good to go. If you do dmesg, in this case, you won't be able to see anything here because, for specific reasons, for this one, we haven't put any logs. If you don't put the logs, you won't see anything here. I'm just showing this so that, you know, for the last kernel modules, you were seeing logs. So you can always come back and say that, you know, hey, whatever you are doing, there are logs. So as you can observe here, there are no logs, right? Now, suppose someone on this machine starts to dial out using netcat. So, you know, a random IP; anyway it won't connect, because the lab is completely boxed in. So let's see what happens. It's doing something.
Now if we do dmesg, what you will find here is the hook was executed and it is showing you all the packets, UDP packets that were going out. Also some of the TCP packets here, right? So this is how you can actually monitor something like this. Now the third demo that I have for this one is a network stack backdoor. So suppose you have a virus, you have two parts of the virus. The first part is the one which executes commands on the system. That's the execution stub, right? The other part is the one which maintains that it is hidden. It does not have to open any socket to listen, because when we talk about it normally, if you want to receive a packet from some other process, if you want to get commands from, you know, a remote machine, you have to open a socket, you have to make sure that the guy, whoever is issuing the command, is sending those commands to your socket, right? But if you open a socket, it will be listed when you do netstat, right? So you don't want that. You want something which can intercept packets directly at the kernel level. It can parse them and it can execute commands from that. So the execution stub is not implemented here, but the other stub is, which actually looks, you know, into the kernel part. So what I will do is I will connect this guy because, you know, we want a packet coming from another machine, which, you know, our lab won't be able to do. So I'll just plug it in, plug in the power. This guy is so small that, you know, you can actually power it using the USB itself. So you plug it in, yeah, you plug this thing into an ethernet so that this can communicate, and after that you wait. So this is what is going to happen now, right? We are going to insert the covert.ko module on the one side and then we are going to use nping on the host machine to send specific packets.
So now if we talk about the code of this, the specific packets that we are talking about, the code is written in such a manner that this thing will see all the packets that are coming to this machine, but it will only pass those packets which will have source and destination port as 9999. So that's the signature that we are creating here. So the main thing here to notice is we are not opening any socket, but still we are able to monitor a specific packet which will contain a command for us. So for example when we send something like this here, it contains the command here, right? The cat /etc/shadow, just to see the contents of the shadow file, and when you do dmesg you will find something like this. So this one actually intercepted it, it got the command. Now this command can be passed to the user-level thing that is running there and that can get your stuff, right? So this should be online now. So if you don't like SSH you can always use something called ttyd. It will drop you right into the box, this box. So now let's see the IP address. You already know, right? It's 10.1. It's 10.1 so I can see the module here. I do insmod covert, it's inserted and now if I open this PowerShell and fire this command here. nping comes as a part of nmap, so if you don't have nmap installed you won't have this one. Here what I'm defining is we have to, we need to set the TCP flags as SYN and RST and the port needs to be 9999 for the source as well as for the destination. So this is nothing but this is the signature that we have. We don't want it to listen to any packet and do, you know, whatever it is doing. We want it to be specific. That's why the flags as well as the port combo will make it so unique that it will only hear whatever we will send it, right? So now you can observe, right? I'm not running anything on the user side. I'm not running any socket. That's the main part here. There is no socket.
Most of the people, when they check for backdoors, they do a netstat to see what is listening, right? Now this thing will not appear because it is not opening any socket. It's just scanning the packets, right? And that's the concept behind this. This is only one example. You can actually make sure that, you know, the process is hidden. You can make sure that the process cannot be killed by the user-space kill -9. You can do all of that. But, you know, because of the time limits that we have, this is all we are going to cover. So it has sent the packet. Now if you go here, you do dmesg, you'll find something like this here. So this is the part which is undetectable. It will write it somewhere. It will pass it using a channel or a hook to the user space if something is running there. Or you can actually add code here itself to run these commands. You can intercept all the syscalls. You can see which command or which system or which programmer or program is making the syscalls. You can intercept them. If you want, you can actually block them too. So that's the power of kernel-level toolkits or rootkits, that most of the people don't talk about or don't understand when they talk about Wi-Fi security in the router's context. So all of this is there. I can show you code as well if you like. Just let me grab the LAN again. But again, the router-level code is not the simplest thing that you can see. The main point of showing this thing in the workshop is to tell you that these are the possibilities. Even when you are not able to see the program in ps or if you are not able to see it in netstat, it can still be there. It can still listen for the command. It can still reply. It can still do DoS. It can still make sure that anyone or the hacker who has this backdoor can actually get into your system anytime as he likes. So that's the main takeaway that we are talking about here. But still, if you'd like to see the code, just a quick code walkthrough.
Kernel fun. So let's talk about a simple one first. The prepend process name, right? You open the C file here. Just like your hello world, we are registering two functions. We are taking some arguments because, you know, we want to take the PID from the user. We want to take the new name of the process from the user. So that's why these things are here. And when you go up, what you will find here is, so it's very important to understand that all the processes, they are stored as a task structure in the kernel. So what we are doing here is we are going over all of the processes that are running. We are matching the PID because that is the identifier that we have. And as soon as it is matched, we are overwriting the name of the command. Or we are not overwriting here. We are just adding it in the front to the structure that is there. So that's all. You cannot do this thing from user mode. Why? Because the thing, the structure, the memory that we are playing with right now, it is in the kernel. And there are boundaries. You cannot reach them without using something like a zero-day exploit or something. Similarly, if we talk about the covert network thing, this one is a little bit more complex because obviously it's doing the complex thing. But let's do a walkthrough. So what it is doing here is it is registering its hook with netfilter because you have to do that. Because if you don't do that, netfilter is not going to pass the packets to you. Once that is done, this is the definition. This is the hook that we are using. This one stands for incoming packets, as we just discussed. We are only doing it for IPv4 and the priority is last. So our hook will execute in the end, in order to, worry still if it is going to get all the packets. So now, if you go here, what it will do is it will look for the specific packet which has the specific port which we have defined and it will also check for the TCP header flags. Because ports can be replicated by other people also.
It can be the thing that for some reason some process is using 9999. And now those packets will start intercepting like our channel. It should not happen. So that's why we have made it more complex. Once that is there, this is the code that you saw printed. So all of these things are being printed. You can then pass this command to some other module that you have or to some other function that you have here. So it's that simple. That easy once you know what to do. Going back. Similarly, now, you know, the second logical question is: this is how we do it for the vendor. This is how we do it for OpenWRT. But not everyone runs OpenWRT. So how can we compile it for the vendor firmware? And that's a great question. So most of the time what you have to find for this is the code for the vendor firmware. Now you will say that the vendors, they don't give their code out, right? That's partially correct. Some of the vendors have to because they're using GPL and by the license terms of GPL they have to give out all the modifications that they make. You find it and then you use the same way. You create their own build system. You use the kernel. You use their cross compiler to compile everything. And then in this way you can compile it for them. So all of this research was done when we were creating this course for our customers. And all of the details, all of it, if you want to go extended into it, it is available there. You can go and learn. This is the only thing that was possible to be covered in one hour. But for all the other details you can always refer to the course if you like. Again, community labs if you want to try this out, whatever we have done, I'll make sure that the PPT is available with the wireless village so that you guys can download, you guys can see all the commands. Or you can directly go and, you know, do them here. So that's all.
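The signature the covert module keys on (TCP, source and destination port 9999, SYN and RST both set) is also exactly what a defender can alert on, since a real TCP stack never emits SYN+RST together. The following is an added example, not code from the talk or the course: a user-space check that parses a raw IPv4/TCP header and reports whether a packet matches that signature, plus a constructed packet builder for testing; function names, the builder and the sample packets are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define COVERT_PORT 9999u          /* port pair the talk's module looks for */
#define TH_SYN 0x02
#define TH_RST 0x04
#define IPV4_HDR_LEN 20
#define TCP_HDR_LEN 20

/* Read a big-endian 16-bit field without pulling in <arpa/inet.h>. */
static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Return 1 if the raw IPv4 packet carries the covert-channel signature:
 * TCP, source port == destination port == 9999, and both SYN and RST set.
 * Bounds checks are done before every field read so truncated input is
 * rejected rather than read out of bounds. */
int matches_covert_signature(const unsigned char *pkt, size_t len)
{
    if (len < IPV4_HDR_LEN) return 0;
    if ((pkt[0] >> 4) != 4) return 0;                 /* IPv4 only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;         /* IP header length in bytes */
    if (ihl < IPV4_HDR_LEN || len < ihl + TCP_HDR_LEN) return 0;
    if (pkt[9] != 6) return 0;                        /* protocol 6 == TCP */
    const unsigned char *tcp = pkt + ihl;
    uint16_t sport = be16(tcp), dport = be16(tcp + 2);
    uint8_t flags = tcp[13];
    return sport == COVERT_PORT && dport == COVERT_PORT &&
           (flags & (TH_SYN | TH_RST)) == (TH_SYN | TH_RST);
}

/* Build a minimal constructed IPv4+TCP packet for testing (checksums left
 * zero; this is sample input, not wire-ready). Returns the total length. */
size_t build_tcp_packet(unsigned char *buf, uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(buf, 0, IPV4_HDR_LEN + TCP_HDR_LEN);
    buf[0] = 0x45;                                    /* version 4, IHL 5 words */
    buf[3] = IPV4_HDR_LEN + TCP_HDR_LEN;              /* total length (fits in one byte) */
    buf[8] = 64;                                      /* TTL */
    buf[9] = 6;                                       /* TCP */
    unsigned char *tcp = buf + IPV4_HDR_LEN;
    tcp[0] = (unsigned char)(sport >> 8); tcp[1] = (unsigned char)sport;
    tcp[2] = (unsigned char)(dport >> 8); tcp[3] = (unsigned char)dport;
    tcp[12] = 0x50;                                   /* data offset 5 words */
    tcp[13] = flags;
    return IPV4_HDR_LEN + TCP_HDR_LEN;
}
```

The same check can be fed from a pcap reader or a netfilter log on the router to confirm whether such packets ever reach a box that should have nothing listening.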
If you have any questions I'll be taking those or if you come with some question after the talk or the workshop you can always mail me on this. Thank you.