Hello, welcome to DEF CON 28 Demo Labs. Today I'm going to show you a tool called CIRCO version 2.

Hello, virtual friends. My name is Emilio, I'm from Argentina, and I'm currently located in Japan. I have a background in hacking networks, firewalls, packets, electronics, and a bit of 3D printing as well. I present tools at various conferences around Asia, the US and Europe, a bit here and there, and I'm actually 16 hours ahead of DEF CON, so I'm in the future. As you can see, my English is very Argentinian, and I'm definitely not a native programmer. So let's move on to CIRCO.

All right, before we actually move on, let's talk about the legal disclaimer. This tool is provided for educational, research or testing purposes. Using this tool against a network or system without prior permission is illegal. Radio waves are regulated per country, so you must check your own country's regulations to see that what you're doing is within compliance. I'm not responsible for any good or bad things you do with it, blah blah blah. Okay, great.

Wait, what is CIRCO version 1, if this is version 2? All right, so CIRCO version 1 is actually based on Python 2. It was a network implant using cheap hardware like a Raspberry Pi, and the idea is to exploit the zero trust that network automation tools have these days. The whole concept: the network automation tool auto-discovers things like Cisco switches, for example. So what if I am a Cisco switch? That means they will try to connect to me to grab my configuration. Exactly. So the whole concept was: okay, I build, with cheap hardware, a Cisco switch that behaves as a Cisco switch, as a honeypot basically, and then I wait for the automation tools to connect to me. So once they connect to me and give me the credentials...
Thank you very much, I will actually exfiltrate them to the internet, to my own internet server. For that I came up with a few different techniques for exfiltration, and also some additions of encryption for anti-forensics, etc. Over the past year, actually 2019, most of the features and techniques used here were feedback from when I was presenting this tool at various conferences, with friends and people suggesting things, so it improved over time.

Just to show you how version 1 looked, let me turn the camera. Version 1 used to be like a network outlet, these things you have on top of your desk or under your desk where you put the network ports. Inside was actually things like this: a Raspberry Pi and some electronics, buttons, etc. Also there's a bigger box, a similar concept with the network ports here, and inside this, let me see if I can open it like that, you will have a Raspberry Pi, electronics, PoE, etc. So that's pretty much what was done with version 1. Okay, great, good to know.

So what's version 2 about? Well, basically Python 2 was supposed to be, allegedly, end-of-life, blah blah blah, so I needed to be on Python 3. I dedicated time and migrated everything to Python 3, which is not as simple as replacing "python" with "python3" at the top. Nope, it doesn't work like that. So most of the stuff was recoded, probably 70 or 80 percent of the code. So I took the opportunity to make it modular code, which will allow me to easily add new features and exfiltration techniques. Also I added a couple of features that people suggested over the past, for example MAC and IP address spoofing when you do exfiltration. Also, it was suggested to me that, because I'm tapping, I'm running in the middle between a phone and the network, can I also record calls, like getting audio files?
I do. I added support for a tool called net-creds, which actually captures unencrypted credentials or hashes: NTLM, HTTP, SMTP, IMAP, etc., Kerberos as well, various ones. Before, I used to use either a magnet or push buttons to detect if someone opened the box and trigger the alarm; now I'm using an LDR, which is a light sensor basically. I added an extra exfiltration method using FM. Because the phone itself will authenticate, I also collect the SIP authentication hash. And I added a new camouflage hardware, which will be something very familiar to you if you recall: this is a power injector from Cisco, used for phones or also for APs. So I'm actually going to use this as the new camouflage hardware instead of using those boxes that were outlets. I'm going to use one of these, why not?

I also added TCP exfiltration. Before it used to be HTTP or HTTPS; now I can send it to whatever port people would like to use, 80, 443, 25, whatever. Because I'm using a new method for exfiltration, FM, you will probably need one of these, which is an SDR dongle, to be able to capture those radio waves. I also improved a lot of the Cisco IOS honeypots: when I recoded, I improved the Telnet, the SSH, the CDP and LLDP daemons.

Okay, so back to here. These are all the things that have been added in version 2, which we will go through today. Just to recap: what honeypots do we provide as Cisco services? Remember, we're trying to emulate a Cisco switch. So we provide CDP and LLDP advertisements as a Cisco switch, or as an actual phone if you want to run in single mode. We also provide an SNMP agent, so you can actually use the idea that the automation system will pull the SNMP communities and SNMP MIBs from the Cisco switch. So we have one of those. We provide a CLI via Telnet and SSH with quite a few commands, and also a TCP stack.
So when we get fingerprinted, we can actually reply saying that we are a Cisco switch indeed. For exfiltration, when we exfiltrate data, the honeypots will send the credentials that come via Telnet, SSH or SNMP. So we have various formats: T for Telnet, Telnet enable, SSH, SSH enable, SNMP, and also, because now we are sniffing credentials, the actual phone could have a PC cascaded behind it, so we're using net-creds, that will be N, and also SIP, which is the voice hashes that we actually capture.

I didn't want to make this longer, so now, Demo Labs, demo time, right? Okay, so behind me you will see I set up a lab. Let me explain the lab configuration. On this side, this case you see here, this is actually the whole network infrastructure. The blue box on the top is actually my internet server. The yellow box is my network automation or network administration server inside the network. The real Cisco switch is called SWTKY01, and there is also a black box, which is my firewall, my proxy, DNS, DHCP, PAC file server, etc. On this side I have connected an IP phone, cascaded to a PC. And in the middle you will see this box, which contains one cable going to the phone, the white cable, and the other cable going to the infrastructure, and of course power, because this is using a magic power cable. Are we good? Yes. Okay.

So let's move on. On the right side I have access to my yellow box, which is my network automation. On the bottom I have access to my blue box, which is my internet server, which will be receiving, CARPA, right? It will be receiving the credentials from the internet. And on the top I have access to CIRCO, which is actually out-of-band.
So first of all, let's start CARPA: verbose, internet, TCP, let's say TST, okay. And before I start CIRCO, I want to connect to the real switch. This is the real Cisco switch on my infrastructure, Switch Tokyo 01. show cdp neighbors: okay, I have a CDP neighbor, which is the phone that you saw on the back. LLDP: nothing, because that phone only speaks CDP. So I'm going to start CIRCO in verbose mode, bridge mode, and actually maybe ping as the exfiltration. I will explain. Before this happens, what I do is actually collect CDP and LLDP details from the real peer switch, just to get the names. I'm going to derive the name, so it is similar to a name that already exists. Okay, I change my MAC address, get an IP address from the server, I start a sniffer, create a template and bring up all the honeypots, which is all of these: CDP, LLDP, IOS, Telnet, SSH, SNMP, and also the OS fooler for TCP fingerprinting, and exfiltration, I selected ping.

Okay, so now if I do show cdp neighbors from the real switch, I can see there is another switch here. Okay, show cdp neighbors detail: I can see the switch is called SWTKY03, has 10.10.10.152, and it's a 2960. So what about LLDP? show lldp neighbors: okay, LLDP as well. I can see the same switch connected via CDP and LLDP. If I do the details I can see the chassis ID, which matches the MAC address I'm setting up, the interface, the name, the software version running, capabilities from the switch itself and the VLAN IDs, the standard LLDP information you get.

All right, so I'm in my automation tool. Let's see if I can ping that one-five-two, 10.10.10.152. Yes, I can ping it. All right, so let's telnet to 10.10.10.152. Okay, I connect, so let me type the username and password.
Okay, I got access to a Cisco switch. show version gives me the version of the Cisco switch. If you look at CIRCO itself, it starts to say "sending credentials via ping", which means that it got credentials. So those credentials will appear on the bottom screen on CARPA, because they're coming via ping: CARPA is on the internet and CIRCO is on the internal network. show inventory, show ip route, show interface description, it behaves like a Cisco. show arp, show mac address-table, show interface status. All right, as you can see on the bottom of the screen, you see the credentials coming from the protocol telnet, username hola, password desktop. You see? What about if I do enable now? I can enable as well. I can do some commands like show run, and it gives me a configuration. But I cannot do some commands; I'm not authorizing, because I didn't code the whole IOS honeypot, just enough for automation tools to find out. Similar should work by SSH. You can see in CARPA now, CARPA received a credential via telnet, and the credential was "secret", enable mode. So I should be able to SSH as well. Yep, I got it. This is the SSH, same thing, same commands; SSH and Telnet are provided. show inventory. Also I can enable again and get the same commands.

So what else can we do? We can do an SNMP walk, version 2, community. Here's a trick: automation tools will first try their own community, the internal community they're using on all devices; if that fails, they will switch to public. So let's try community ... 10.10.10.152. It should escape that, wrong key. So what happened here? You can see on CARPA in the meantime that credentials started to arrive: my pass, SSH user admin, my pass. When I do an SNMP walk for this community I don't get any answer, however I did capture it. So automation tools will try public; they will fall back to public.
And if I do that, cut it, when I do public it actually replies as a Cisco switch with the name SWTKY03, so it behaves as a Cisco switch. Okay, what else can we try? Oh, by the way, let me show you all those credentials that CARPA is storing in a text file. There you go, the enable password. All those credentials have been stored in a text file, of course, but they're also being pushed to Faraday. So if I look at my Faraday dashboard, if I go to manage hosts, it will create a host automatically and also add credentials to it. So you see that host has Telnet, the username and the password. The E is for enable, of course. So those are being pushed automatically from CARPA into Faraday. Oops, all right. The SNMP did not arrive yet; it will arrive soon. I think I'm cycling the credentials every 60 seconds, 30 seconds, I can't remember.

So what about now trying nmap -sV on 10.10.10.152? This is funny, you will see, when I run nmap for service enumeration you may see some Paramiko errors here, but there's nothing wrong with it. It's just because the debug mode is showing that; nothing crashed, CIRCO is still running. So once I do the nmap, let's see what nmap says I have running on 10.10.10.152, which is my fake Cisco switch. Okay, so it has recognized I have an SSH and a Telnet, which are Cisco daemons, and also it detects the device as a Cisco IOS router. Not bad. Here you go, I got the community as well here, the SNMP community, and that should also be pushed here, let me refresh this. No, not pushed. It should be coming up, I need to refresh that. Oh, maybe I'm excluding it actually. Yeah, most likely I need to add it. All right, no big deal.

Okay, what else? Let's stop this for a second. So those are pretty much all the features that we've been running in the past. So now I'm going to show you the new features we've been working on. Okay.
First of all, let's bring up CIRCO with DNS, and I'm going to connect to my PC on the back, remotely. There you go, this is a PC running on the back, and I'm going to generate some FTP and Kerberos traffic. It's good to replay some traffic, some pcaps basically. So when I start CIRCO you see the DNS exfiltration option, exfiltration via DNS, for example, and here it's starting the net-creds sniffer. So the PC now is using FTP and Kerberos, etc. Because I'm sniffing the traffic that comes from the PC, I'm also going to exfiltrate that traffic too. That's just running until all the packets have run. So you clearly find some credentials, exfiltrated by DNS. There you go: N for net-creds, username and password, and the actual FTP destination and port those credentials work for. That's important, because here is the source port of the automation tool or whoever connected, but in net-creds I care about the destination. What else do I have to show you? I actually should have some... Let's move on to something else. Let me cut this, you get the sense. Stop this.

Okay, so I'm going to show you the spoofing feature: TCP 25 for exfiltration and --spoof. For that I'm going to connect into the gateway, which is the black box on the lab, my firewall. So I'm filtering for port 25. Originally my MAC address is this one, and my IP was 10.10.10.152. But because I specified --spoof, I'm actually starting the spoof discovery. What it does is look on the other interface for packet and MAC address combinations and use those when I do exfiltration.
Okay, for that I probably... Okay, I found a MAC address, which is .100, and this MAC address. So on port 25, what I'm going to do is, I can ping this, so I'm going to connect again just to generate some credentials. That should trigger some credentials, and if I check the actual packet captures here... So I'm capturing packets. There you go, I start to see packets coming in, and as you can see the source IP is .100 and the actual MAC address is matching. This is actually the PC behind me, okay?

So now what I'm going to do is show you the VoIP features. For that we use... VoIP, I think it's VoIP, yes. For this I will need to make a phone call, actually. Right, it's actually logged in. Yep, it is. So what I'm going to do is start CARPA, exfiltration is DNS, with the SIP hash collector and RTP captures. Okay, so I'm going to make a phone call. I make a call. Great, as you can see now it's sending credentials via DNS. This is because the phone probably sent a SIP request, so that means it's going to get a SIP hash. Here you go, SIP credentials. Those should be arriving in CARPA and they should have the format with a V. There you go, this is the SIP hash actually, these two pieces, and this is the SIP REGISTER, the username, and the type of phone system. Because we actually keep the captures of the RTP stream and the SIP for control, what can we do? We cannot actually transfer these because they are big files, but what we can do is, once we pick up CIRCO after the assessment, we can actually grab the pcaps. pcap2wav... I'm going to use the RTP stream, pcap2wav, what was it? Okay, RTP, and mix. Okay, so this will generate a WAV file. I should be able to play it back. Of course, I need to extract it.
So let's copy this to my 10.10.1.1.7, the username as well, 20.30. There you go. Okay, there you go. So if I play that file: "Hello, hello." As you can see, there you go, you get your WAV file. Great.

So I've got one more feature to show you. Let's bring up CIRCO, this time with FM and wireless exfiltration. But for this I need to show you Howler. Howler is actually on a different computer, a different laptop, running wireless and the SDR dongle. So here I will run this: verbose, I will specify the frequency, the wireless interface, and a log file. All right. So before I run that, I want you to understand that I'm going to be doing this in FM, so I bring up a screen so you can see it. Let me bring this up: channel 10 for wireless and the frequency for FM. This is the decoder, and for RDS, let me do that. Okay, let me, there, right.

So now I'm going to go back to my screen. Actually, start CIRCO, I'm starting with the wireless and the FM modules on. Let me see if I can do something else here. All right, this has started. So I'm going to telnet again and I'm going to put in some credentials. All right, so, starting exfiltration. So I'm going to switch to my Howler, you see the silence now. You can see that there is a new station called CIRCO with different program types and a different PI, which is the RDS type of the FM protocol, well, not the FM protocol, but the RDS protocol. On the bottom you can see I already started to actually exfiltrate credentials here: the Wi-Fi one, Telnet, the username mundo, I clearly typed it wrongly, and also from FM. So you can see both credentials coming from FM and, actually, let me cut it so we are not all deaf, so we get the credentials by FM and by wireless as well. All right, that is pretty much it.

Before we move on I want to explain one more thing. Let me go here, okay, close this, and start it one more time, bridge, spin. There's one more feature, which is actually the light sensor.
So for this I probably will need to go to the switch. Let me see, once you start, CARPA is already on. Okay, so I will need to move to the back camera probably. What is this stuff? It's up. Yeah, it's up. All right, okay. So this is what I'm going to do: I'm going to open this box. Okay, what do we have inside? See if maybe I do a bit like that. There you go. So we have a Raspberry Pi, power components on the bottom here, and we have a light sensor. So if I switch back you will see CARPA receiving the alarm, and CIRCO actually recognizes that the case has been opened. So that's pretty much it.

One thing I want to show you guys: the magic cable. The magic cable I told you about looked like a cable like that. In Japan they come like that, this is for earth. This is no magic cable; there's no magic here. You can also get magic here with this type of cable, the earth, or the British cables, which is this one. So where does the magic come from? Well, the magic is: I'm using a GPIO pin on the Raspberry Pi to modulate the FM frequency, and I basically need an antenna. One way to get an antenna is that there's an earth cable inside the power cable, so if you look into where that earth cable connects into CIRCO, you will see there is a white cable coming out. This white cable comes out from the earth and goes to the GPIO of the Raspberry Pi. But it's my earth, right? So that basically gives me a two or three meter FM antenna, which gives a great distance reach. So this is another method for exfiltrating when wireless is not an option due to the 50-80 meter range; you could go longer with FM.

All right, that's all guys, I hope you actually enjoyed it. Let me know if there's anything, questions, just shout out. Okay, thanks. See ya.
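The switch emulation in the demo rests on CIRCO advertising itself over LLDP (and CDP) so that "show lldp neighbors detail" on the real switch, and the automation tool's discovery, see a plausible chassis ID, port, system name, capabilities and management address. The block below is an added example written for this page, not CIRCO's own code: it builds a minimal IEEE 802.1AB LLDP frame in pure Python and parses it back with the validation a receiver should do, so you can see exactly which TLVs a neighbor reads and what a defender could check for (for instance a chassis MAC that does not match an OUI the switch inventory knows, or a management address that was never assigned to a switch). The system name SWTKY03 and the address 10.10.10.152 come from the demo; the MAC address, port name and IOS description string are constructed placeholders, and the optional raw-socket sender assumes Linux AF_PACKET and root. CDP is proprietary and not covered here.

```python
"""Minimal IEEE 802.1AB (LLDP) frame builder and parser in pure Python.

Added example for this page; not CIRCO's own code. The MAC address, port
name and IOS description used below are constructed placeholders.
"""
import ipaddress
import socket
import struct

LLDP_MCAST = bytes.fromhex("0180c200000e")   # nearest-bridge group address
ETHERTYPE_LLDP = 0x88CC

# TLV types used here (802.1AB, clause 8)
TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL = 0, 1, 2, 3
TLV_SYSNAME, TLV_SYSDESC, TLV_CAPS, TLV_MGMT = 5, 6, 7, 8
CAP_BRIDGE, CAP_ROUTER = 0x0004, 0x0010        # system-capability bits


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= len(value) < 512:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac, port_id, sys_name, sys_desc, mgmt_ip, ttl=120):
    """Ethernet frame a fake switch would send every ~30 s to be discovered."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    ip = ipaddress.IPv4Address(mgmt_ip).packed
    # Management address TLV: addr length, addr subtype (1 = IPv4), address,
    # interface numbering subtype (1 = unknown), interface number, OID length 0
    mgmt = bytes([len(ip) + 1, 1]) + ip + b"\x01" + struct.pack("!I", 0) + b"\x00"
    body = b"".join([
        tlv(TLV_CHASSIS, b"\x04" + mac),                 # subtype 4 = MAC address
        tlv(TLV_PORT, b"\x05" + port_id.encode()),       # subtype 5 = interface name
        tlv(TLV_TTL, struct.pack("!H", ttl)),
        tlv(TLV_SYSNAME, sys_name.encode()),
        tlv(TLV_SYSDESC, sys_desc.encode()),
        tlv(TLV_CAPS, struct.pack("!HH", CAP_BRIDGE, CAP_BRIDGE)),  # supported, enabled
        tlv(TLV_MGMT, mgmt),
        tlv(TLV_END, b""),
    ])
    return LLDP_MCAST + mac + struct.pack("!H", ETHERTYPE_LLDP) + body


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_lldp_frame(frame: bytes) -> dict:
    """Decode the TLVs a neighbour displays; rejects malformed frames."""
    if len(frame) < 14 or frame[:6] != LLDP_MCAST:
        raise ValueError("not an LLDP frame")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP:
        raise ValueError("wrong EtherType")
    info = {"src_mac": _mac_str(frame[6:12])}
    off, seen = 14, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("missing End TLV")
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        t, n = hdr >> 9, hdr & 0x1FF
        v = frame[off + 2:off + 2 + n]
        if len(v) != n:
            raise ValueError("truncated TLV")
        off += 2 + n
        seen.append(t)
        if t == TLV_END:
            break
        if t == TLV_CHASSIS and v[0] == 4:
            info["chassis_id"] = _mac_str(v[1:7])
        elif t == TLV_PORT and v[0] == 5:
            info["port_id"] = v[1:].decode()
        elif t == TLV_TTL:
            info["ttl"] = struct.unpack("!H", v)[0]
        elif t == TLV_SYSNAME:
            info["system_name"] = v.decode()
        elif t == TLV_SYSDESC:
            info["system_description"] = v.decode()
        elif t == TLV_CAPS:
            _, enabled = struct.unpack("!HH", v)
            info["capabilities"] = [name for bit, name in
                                    ((CAP_BRIDGE, "Bridge"), (CAP_ROUTER, "Router"))
                                    if enabled & bit]
        elif t == TLV_MGMT and v[0] == 5 and v[1] == 1:
            info["mgmt_ip"] = str(ipaddress.IPv4Address(v[2:6]))
    # 802.1AB requires Chassis ID, Port ID and TTL first, in that order
    if seen[:3] != [TLV_CHASSIS, TLV_PORT, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    return info


def send_lldp(iface: str, frame: bytes) -> None:
    """Transmit on Linux via AF_PACKET (needs root); not called by default."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    f = build_lldp_frame("00:11:22:33:44:55", "GigabitEthernet1/0/1", "SWTKY03",
                         "Cisco IOS Software, C2960 Software (constructed sample)",
                         "10.10.10.152")
    print(parse_lldp_frame(f))
```

Run it as-is to see the decoded neighbor record; call `send_lldp("eth0", f)` as root on Linux to emit the frame on a port and watch it appear in "show lldp neighbors detail" on the upstream switch. The mandatory-TLV ordering check and the truncation check are the kind of validation a real LLDP stack performs, and a frame that fails them is a sign of either a broken sender or someone hand-crafting advertisements.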