Today we're going to do a talk on the project that three of us worked on. We are with the Tri-Valley Security Group, a non-profit security organization formed out of the Bay Area, just East Bay. We have Spider, who acquired the hardware for us. We have Mystic here, who basically kept us organized. And my name's Otto; I did the software development.

The concept is, we need a way to break into NATted networks, and the best way to do that is to put something inside there so we can own them from the inside out. So we wanted to place a stealthy, hostile packet sniffer on a victim network. We wanted to make it blend in, hide in plain sight, make it a UPS. This right here is our second-model UPS. If you take a look at it, for all exterior purposes it looks completely stock. We maintain the same connectivity and everything; the power switch works. It's sort of tough. Careful. Zoom in. They don't have any video, so use your eyes and zoom in. There you go. Thank you. We'll have it around afterwards if you want to take a look at it; we'll shut it down and you can play with it or something.

Everyone, especially in California with all the rolling blackouts and brownouts we had, had one of these on their desk, because, like, oh, it's gone down and we'd have to shut down and stuff. So they have the nice LAN jacks on the back because, you know, lightning strikes, and you have the integrated NICs on your laptops; those things are money to replace. So you want to plug it in and plug it into your corporate network, and we own you. So we'll talk more about that. Like I said, today is a prototype. This is a Mark II; the Mark I was kind of ugly. And really, this isn't undetectable. I'm sorry if you came here to see the newest uber thing. This is mostly undetectable.
Depending on what mode you put it in, it could be very, very, very quiet, but it would have no IP and you'd have to dead-drop it in and then go back later and dead-drop it out. If you actually wanted to exfiltrate data, obviously you have to make network noise; someone might be listening, you never know. We're working on getting more hardware and more software to reduce the risk and increase our edge. So we've been introducing it, and we're going to talk about integration. I'm going to pass over to Mystic for integration. Spider here will talk about the hardware he gave. Oh, you're doing integration? Oh, okay. See how organized we are? Yeah. So then I'll talk about the software. We'll do a little demo and then we'll do a little Q&A. So if you're going to do one of these things yourself, do little case mods. Those of you who do case mods, you know about this: amps kill. They will hurt you very badly and then you will die. So if you're going to open up stuff or get at live power, keep this in mind.

Okay. One of our biggest goals on this UPS unit was to make it look as stock as possible. I actually worked for an embedded computer company in the Bay Area, so I had access to a lot of really cool equipment, but one of the things that people don't understand about embedded computers is how easy they are to use. Embedded computers are basically an entire system that's been miniaturized into one system. My apologies. Okay. An embedded system is an entire computer that's been modified to fit into a very small space. The board that we're using in here currently houses a Pentium 166 with 128 megabytes of RAM and a... Sorry. What? Sorry. Okay. And a one-gigabyte hard drive. I mean, you can attach any laptop hard drive in there, so your storage capacity is unlimited.
So really, one of the most important things when we're building this unit is to keep it looking as stock as possible from the outside while on the inside getting the maximum functionality and getting everything to run as smoothly as possible. All right. There were four things we needed for this design. We needed, obviously, the UPS, the box itself. We basically stripped out the entire insides, the battery, everything that was in there, and replaced it with our stuff. So this isn't a functioning UPS. It really is just deployed. It just is hard to, you know, hard to see, and no one really thinks to look inside a UPS for anything hostile. It's a lead-cased mine. The power supply is just used for taking our AC voltage and converting it into DC. All computers run on DC, embedded systems especially. There are only a couple of voltages that computers really run at: they're either running at 5 volt, 3.3 volt or 12 volt. So as far as power supplies go, I mean, eBay is a great place to pick up really cheap power supplies. If you're doing any work with electronics, you know, computer equipment, having power supplies just handy, small compact power supplies, is really useful. Okay.

The other thing you can do if you don't have a lot of money: embedded systems, you can start looking at them for around $200. But a lot of the time I know people want to get it even cheaper than that. HP has made a model of machines called the eMachines. I'm sure a lot of people are familiar with them. The eMachines are basically like a really tiny computer that HP made, and the really nice thing about them is if you look inside, they've got an integrated motherboard that has everything included in it. So you can go on eBay and pick up one of these eMachines for $30, go and rip the motherboard out, and you've got basically an embedded computer for $30. You want to get back on? Sorry. Oh, there's some pictures of our first prototype. As you can see, it's a lot bigger and it was hard to mod.
But really, with the first prototype we just wanted to make sure this idea was going to work before continuing on. Otto actually was responsible for the design of the second unit here. Okay, the board that we've picked to use comes from Kontron. If you want to get into embedded computers, I'd recommend just visiting some of the sites; we've got some links on the CD. We picked this. It's a Pentium 166. It's got 128 megs of RAM in it. We've got two IDE channels so we can hook up to four devices. We can have CD-ROMs, we can have extra hard drives. Really, when you're dealing with embedded systems, you are dealing with a PC. There's no reason to think outside of PC terms. It's really just the form factor and the way that it's been connected together. A really good example of this is a term embedded computer people will know, called PC/104. PC/104 is basically an ISA bus, but we've carried it out into an embedded form factor. As far as it's concerned, the timing, everything's identical to it. The chipsets, you know, you're using Chips and Technologies 69000s, you're using all-in-one. It's just that you're changing the form factor and you're changing the size of the unit to fit into an application. Our embedded system had only one Ethernet. That was mainly because I got the system for free and we didn't want to spend any money on it. Just because we wanted to keep it simple, we just ripped a 10/100 hub and placed it inside here, which just allowed traffic to go through it.

Yeah, I made this slide, so it's kind of important. One of the problems with putting a hub in there instead of bridging through: well, it's good because even if the UPS, the embedded machine, is still booting and it's not been told to bridge, your victim will still get through and you won't impede his traffic. But the bad thing is you can't do proxy ARP tricks.
That'd be really cool, where instead of the client going out on his MAC address, if you can bridge it through your box and then everything goes out on your MAC address, you can effectively take over his IP. That was a mode that I wanted to work on for the con but didn't get in time, because we couldn't do a bridge through the embedded machine. So if we could have done that, it would have been almost impossible to tell the victim traffic from our traffic, because it would have been exactly the same MAC address. So maybe next year. The ugly part is that you get a link from a UPS, and I was supposed to do that. It's a dumb hub. So the bridge runs... the box just runs in promiscuous mode. Yes, the embedded machine itself has a variety of different processes running on it that all make the interface go into promiscuous mode. I'll talk about those in just a quick sec.

Okay, transition to software now. I used Red Hat 7.2. I know people don't like Red Hat, but sorry, I know it works. 7.2 was the first one that had the ext3 file system, the journaling. So I can yank the power supply and it just dies and it doesn't really hurt the hard drive too much, which is kind of cool. I used a lot of Perl scripts and shell scripts and then added neat fun tools. I used Netcat by Hobbit; that's like standard issue these days. The core of the unit as far as actually acquiring victim traffic is dsniff, and it's a really cool tool. I recommend you check it out. Of course we use Nmap by Fyodor, and at the last minute I threw in The Hacker's Choice THC-RUT; for network discovery it works great. Okay, so Netcat, still hot. This is used basically for the plumbing. I wrote the scripts without any network code in them just to make it easier, and I basically just Netcat everything. I used it over UDP 53, which to a normal firewall would look exactly like a DNS request, so it would let it through. The problem with a DNS request is that it's not really DNS.
It's encrypted, but it doesn't look like a DNS request, so an IDS or an IPS system would notice this. This is not UDP DNS traffic; it doesn't even look like it. If you sniff this traffic and then you use Ethereal to read it, it will say 10,000 requests, 5,000 replies, and it's one packet. So, tunneling alternatives. I could be more elite and then do port 80 TCP and actually mask the UPS requests as HTTP URLs and have the replies be web pages. At the last minute, I also found some really cool Perl scripts out there on the web that do exactly this, but I didn't have a chance to integrate them. Another alternative: I really do like DNS, because they use packets, that's a real issue. No one uses internal DNS. They always allow it out. It's pathetic. But it would be really cool if I could make it look more like a DNS request and DNS replies, but that's next year.

So back on dsniff now. This is incredibly cool, and it's actually kind of old. It's been out for a couple of years now, so if you haven't heard about it, go and find it. You might need to do a little tweaking to the Berkeley DB path, because they're expecting an older version of the Berkeley DB, so we were set. Here are the tools that we use from dsniff actually on the box. We use macof. In the dsniff suite, macof is actually the port of the Perl script macof. It starts spamming out a whole bunch of packets with forged MAC addresses. This allows you to break open a typical switch. Switches have CAM tables that keep track of every MAC address on a physical interface, and they only have so much buffer space to hold those, and if they overflow that, they go, "I can't keep track of all these stupid MAC addresses, so I'm just going to put everything down this port." That basically gives you access to the traffic traversing the entire switch. It's kind of cool. dsniff: clear-text authentication extractor. It decodes approximately 20 to 25 clear-text protocols: POP3, telnet, HTTP auth, SNMP, SQL. It's brutal.
filesnarf does NFS interception. If someone copies an NFS file across their box, it saves a copy of the file locally. The email interceptor is mailsnarf, and we actually have a little test of that we're going to show a little later. I had already run this earlier and snarfed off some email, so I'll show you how that looks. The URL interceptor is urlsnarf, and instant messenger is msgsnarf. Of course The Hacker's Choice toolkit, thanks, you rock. It came with RPMs so we didn't have to do anything. We use it for the network connectivity with the box to make sure it can actually call out. If it can't call home, it won't try to.

Then I made a whole bunch of Perl scripts. The first Perl script is the master control script. It starts on boot-up and it handles all the other processes that the UPS does as far as turning on sniffer processes, turning off sniffer processes, calling home, that kind of a thing. This is what it does. When it boots up it loads the config. I don't use the Red Hat network configuration scripts; I just did everything myself. That way it has a unified interface for the different modes that I use for IP addresses, which I'll talk about in a second. It configs the network, makes sure everything is good, and then tries to call home. From there it does an endless loop: calls home, works on what it gets, calls home every so many seconds.

The IP: we have four different modes. Mode number one is what I talked about earlier when I said that it's almost undetectable. That's no-IP, where it won't respond to anything. It sits there and it sniffs. You have to be able to sneak in, put the box in place, hope it comes up okay, and start sniffing. You have to turn on all the sniffing you want ahead of time and hope that your hard drive doesn't go full, and come back later and get it. That's really stealthy, but it's not really fun. You have to go in twice. Fixed-IP mode is really good for testing: here's your IP.
DHCP mode is not very stealthy, though, because if you're on a network that doesn't have a DHCP server, or they don't have a lot of nodes and they have registered MAC addresses for all their DHCP nodes, and you start asking for an IP address, they're going to know: who's this? That's not very cool. Mode four was the most elite mode, but it's also extremely noisy at layer two. It actually will... Well, here, let's do this. It watches the network for ARP requests. At first it starts listening for ARP requests and it listens to the requester. Obviously, if I hear an ARP request from someone on my wire, that means that they're on my local layer-two subnet. It takes that IP as a seed. It turns around and uses The Hacker's Choice THC-RUT. With that you can generate ARP requests for anything you want. I use it as a seed. I do a Class B. That's typical. Most networks should be less than a Class B, and it doesn't take that much longer to do a Class B than a Class C in this way. You'll get supernets this way. The Hacker's Choice THC-RUT can do 3,000 ARPs in parallel. This doesn't take that long, maybe 5-10 seconds for a whole Class B. It's brutal. It'll do ARPs for every single IP in a Class B segment that it detects from the top part, and then it sees everything that's there. It finds an IP that's not in use, that's in the range, and just picks it. That's kind of fun. Another thing I didn't write in here: the next thing it does is it turns around and listens again for more ARPs, but now it listens for who they're asking for. It counts about 20 or 30 packets. It's listening for who everyone is trying to find. Nine times out of 10, the most popular ARP target on a network is the default gateway. We do a little statistical analysis there and say the top one is the default gateway. If it doesn't work, the whole thing has a check here at the end where it'll try to go out, try to go out, even tries to contact the listening post. If it fails, it comes back here and starts again.
Another cool thing about mode 3, the DHCP mode: if you do set it for mode 3 and there is no DHCP server, there is no spoon, it'll keep the fact that it's in mode 3, so it'll always try DHCP, but if it can't get out, it'll try mode 4 as well, which is kind of fun. And there's other neat stuff, little housecleaning scripts, that kind of stuff. The actual... Let me just skip ahead real quick and show you the concept here.

So you have a UPS behind a firewall and you have an attacker out there anywhere on the internet. You also have a listening post, which can be the same as the attacker, but you can have it point in different directions. The UPS will, at intervals, try to contact the listening post. The listening post is actually a command queue server. It can actually support multiple nodes, and when a UPS calls home, it will identify itself by its node. The listening post will say, do I have any commands for this node? And if it goes yes, then it feeds the commands one at a time, and each time the listening post asks for the next command, it comes back down. When it's done, it says I'm done and disconnects, and it then goes to sleep for a specified amount of time and then tries again. One of the commands is "call this guy", and the "call this guy" by default is TCP port 80, and since the connection is being initiated outbound through the firewall, generally that's permitted too. Not a whole lot of people have proxy servers behind them, so they'll allow clients to go out on HTTP. So I have a deal set up where it connects out to the attacker on HTTP. Again, thank you, Netcat. And it provides the connectee with a bash shell. If something wasn't there in my connection structure and you just want to get something done, there you go. So we'll back up here a little bit. So now that you know what the client-server is, what I'm talking about here, this is the DNS-like beacon that goes out by default every 20 seconds, but it's user-settable.
It's DES-encrypted; it has randomly generated keys for each session, and there's also a pre-shared key system. Each side has a pre-shared string that they will do an MD5 hash of real quick and then use that along with another randomly generated string, and put those both together as the actual crypto key. They only exchange the first part, the part that they randomly generate on the fly for that session. It's not the pre-shared secret ahead of time, so even if you see this in flight and you see a key going back and forth, you still can't decrypt it, because you don't know what the pre-share is. That's kind of cool. So the client, the master control script, connects at intervals to the server to check the command queue for changes to the configured behavior. Like I said, it goes out over UDP for configuring and then a reverse shell on TCP 80. Looking towards next year, to add attachments to send out over SMTP as well. That's a really good expectation, but I just didn't have enough time to finish it. So you saw this, it's pretty. So on the listening post, of course, SSH, so you can command it. Just real quick, this is... uh-oh. It's not happy. Oh, no. So there's what the encryption looks like, by the way. Actually, that's the key exchange. My listening post thinks it's trying to send data, and the LP is trying to send its key instead, so it should recover here in a little sec. But anyways, we're not ready for that yet. Oh, yes we are. That rocks. So okay, so I want to switch over to the victim here. Okay. So what died? Okay. We're experiencing technical difficulties, please wait. Thank you. Okay, so something unplugged? Just a moment please, thank you. Sorry.
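The speakers say their Netcat beacon on UDP 53 passes a port-based firewall but "doesn't even look like" DNS once a sniffer decodes it (Ethereal reads the ciphertext as "10,000 requests, 5,000 replies" in one packet). The following is an added example, not code from the talk or from any of the tools it names: a small Python checker a defender can run over UDP/53 payloads to separate real DNS messages from data that merely rides port 53. It validates the fixed header, checks that the section counts could fit in the datagram, and then parses every name and record through to the end of the packet, following RFC 1035 compression pointers. All packets it works on are constructed in the file itself, not captured from any network; the names, addresses and byte values are assumptions chosen for the demonstration.

```python
"""
Added example (not the speakers' code): tell real DNS messages from payloads that
merely use UDP port 53, the kind of check an IDS applies and the reason the talk
calls its Netcat-over-UDP-53 beacon easy to spot.  Every packet below is
constructed here for the demonstration.
"""
import struct

MAX_NAME = 255                        # RFC 1035 limit on a whole domain name
MAX_LABEL = 63
VALID_OPCODES = {0, 1, 2, 4, 5}       # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_CLASSES = {1, 3, 4, 254, 255}   # IN, CH, HS, NONE, ANY


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_name(buf, off):
    """Decode the name at buf[off], following compression pointers.  Returns
    (dotted_name, offset_after_name); raises ValueError on overlong labels,
    forward or looping pointers, non-ASCII labels or truncation."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of packet")
        length = buf[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                     # compression pointer
            if off + 1 >= len(buf):
                raise ValueError("truncated pointer")
            ptr = ((length & 0x3F) << 8) | buf[off + 1]
            if end is None:
                end = off + 2                         # resume after the first pointer
            hops += 1
            if ptr >= off or hops > 16:               # pointers must go backwards
                raise ValueError("bad compression pointer")
            off = ptr
            continue
        if length > MAX_LABEL:
            raise ValueError("label longer than 63 bytes")
        label = buf[off + 1:off + 1 + length]
        if len(label) != length:
            raise ValueError("label truncated")
        try:
            labels.append(label.decode("ascii"))
        except UnicodeDecodeError:
            raise ValueError("non-ASCII bytes in label")
        off += 1 + length
        if sum(len(l) + 1 for l in labels) > MAX_NAME:
            raise ValueError("name longer than 255 bytes")
    return ".".join(labels), (end if end is not None else off)


def classify_udp53(payload):
    """Return (is_dns, reason) for one UDP/53 payload."""
    if len(payload) < 12:
        return False, "shorter than the 12-byte DNS header"
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in VALID_OPCODES:
        return False, f"unassigned opcode {opcode}"
    if flags & 0x0040:                                # reserved Z bit must be zero
        return False, "reserved Z bit set"
    # a question needs at least 5 bytes (root name, type, class); an RR at least 11
    if 12 + qd * 5 + (an + ns + ar) * 11 > len(payload):
        return False, f"counts claim {qd} questions/{an} answers but packet is {len(payload)} bytes"
    off = 12
    try:
        for _ in range(qd):
            _name, off = parse_name(payload, off)
            if off + 4 > len(payload):
                return False, "truncated question"
            _qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
            off += 4
            if qclass not in VALID_CLASSES:
                return False, f"unknown QCLASS {qclass}"
        for _ in range(an + ns + ar):
            _name, off = parse_name(payload, off)
            if off + 10 > len(payload):
                return False, "truncated resource record"
            _rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", payload[off:off + 10])
            off += 10 + rdlength
            if off > len(payload):
                return False, "RDLENGTH runs past end of packet"
    except ValueError as err:
        return False, f"malformed name: {err}"
    if off != len(payload):
        return False, f"{len(payload) - off} trailing bytes after the last section"
    return True, "well-formed DNS message"


def build_query(name, qtype=1, txid=0x1234):
    """Constructed standard query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(name, ip, txid=0x1234):
    """Constructed response: the question echoed back plus one A record whose
    owner name is a compression pointer (0xC00C) to the question at offset 12."""
    question = build_query(name, 1, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    return header + question + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata


# Constructed stand-in for the tunnelled beacon: port 53, but the bytes are
# ciphertext, so the "counts" field decodes to 10000 questions and 5000 answers.
BEACON = bytes.fromhex("4e2b 8a31 2710 1388 0000 0000") + bytes(range(0x41, 0x41 + 28))

if __name__ == "__main__":
    samples = {"query": build_query("example.com"),
               "response": build_response("example.com", "192.0.2.1"),
               "beacon": BEACON}
    for label, pkt in samples.items():
        print(f"{label:>8}: {classify_udp53(pkt)}")
```

Run as a script it prints the verdict for the three constructed packets; `classify_udp53` is the function to call per datagram when feeding it payloads from a capture. The counts-versus-length test is what catches the talk's beacon immediately, and the full section walk is what rejects the subtler cases (a pointer loop, trailing bytes after the last record) that a header-only check would pass.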