Welcome to Offensive Embedded Exploitation: getting your hands dirty with IoT and embedded devices. Before we start with the talk, I would like to tell you that I am conducting a training. I would like to thank Mr. Omer and Mr. Joseph for allowing me to conduct a training with the DEF CON Red Team Village, which is on Devon. So if you like this talk and want to go into it in a deeper manner, you can attend tomorrow's training.

Let's start with the agenda of today's talk. First we will have an introduction to IoT, then preparing the arsenal, that is setting up our requirements. Then recon, then showtime, that is firmware analysis, then getting our hands dirty with dynamic testing. Lastly, we will touch upon fuzzing, reverse engineering and exploit development.

Let me introduce myself. I'm Kosta Padwad from India, also known as Security Beast on Twitter. I have dozens of exploits listed on GitHub and on CVE Details for IoT. I'm a security researcher at Reliance Jio, now Jio Platforms Limited, where we conduct device security testing for all of the Jio Platforms devices. I'm also a Synack Red Team member, to keep myself updated and to hack into the toughest infrastructure; Synack is a great learning platform and I do bug bounty there. I like to share my knowledge, so I speak at conferences.

Now it's time to get started with the topic. I have classified IoT in three styles: industry IoT, human IoT, and IoT for others, that is animals. In this image, taken from the sources mentioned, I have listed all the industries: manufacturing, smart government, mobile network, mobility and Wi-Fi, smart digital citizens, that is us.
Then open data, health, which is a key element in IoT, smart agriculture, smart building and smart transportation. All these things are getting smart with the help of IoT. For example, in the transportation industry Tesla is the best example of an IoT-based car. In logistics, IoT is used in a very big way to track shipments and to ensure that the packages being shipped do not get tampered with: they are putting IoT-based tamper detection in place. Simply put, if someone opens the door, that means the package has been tampered with, and as soon as the door opens, that small IoT device generates an alert and sends it to the responsible logistics person. Manufacturing industries are using IoT to improve their services, their production and their product quality, so we can say the aim is zero-error product development.

Governments should implement IoT too. In my training I have an excellent example of this. Every city has hundreds or thousands of street lights which run the whole night, right? If you install one small IoT module costing, let's say, $5 on each light, that light becomes smart: it turns on only when a vehicle is passing and stays in an idle, powered-off state the rest of the time. So that $5 module can save you $500 on the electricity bill every month. So it makes sense to use IoT in government-covered areas and government entities.

Mobility and Wi-Fi are the key providers for IoT. If you want to create an IoT environment, mobility is the best option. They provide us NB-IoT, Narrowband IoT, and LTE IoT. With these two they can provide IoT connectivity everywhere.
Health is the key element, and we will discuss it here. In agriculture, one of my friends has built an IoT-based water system for his farm. It detects soil dryness, wind speed and temperature, and accordingly turns on his water pump, so it automatically waters the plants on his farm. For smart building there is an excellent example on the next slide, and for transportation we just talked about Tesla.

Now, human IoT: devices are getting inside the body, for example a pacemaker. A pacemaker is a medical IoT device, and it is a really critical device from an IoT aspect or from any aspect. Insulin pumps are other devices currently used inside the body. There could be more, but as of now I have collected this many. Now you can trigger insulin shots for your loved ones remotely with this insulin pump. You can check whether there is abnormal behaviour of the heart or inside the body. These pacemakers are also smart: they can send data to the doctor saying that it is not behaving well. And as we know, a pacemaker is a critical medical device: it controls your heartbeat.

Now, why is the cow here? Because with IoT, animals are getting smarter too. If your pet loses its way, there are patterns it shows every time it feels lost. Or let's say you are not with your pet for a complete day and suddenly it develops a fever, then what? Some people are working on a solution that is a kind of belt tied to the animal's neck. That belt keeps analysing their behaviour: are they behaving normally, do they feel lost, is their temperature normal, so that you can take appropriate care of your loved pet. And you can track your animals too, so if they are lost you can find them.
So IoT is a major part of our lives, IoT is an emerging field, and IoT is far more powerful than we imagine. With great power come great responsibilities, which we will discuss in a further section.

Now let's have a look at a smart building, at how one can implement IoT in a smart building. The self check-in machine, the mobile check-in, the robot service and the Tmall Genie voice butler: the purpose of this kind of service and technology is to improve the efficiency of the service and the consistency of the service quality. As you can see, this is a brilliant example of smart building IoT in action. I would definitely like to go there, check in and test the services.

So with great power, great responsibilities do come. Why is IoT security assessment, or embedded device security assessment, important? I have collected some hot news, IoT hot news, where we can see multiple threats and risks currently associated with IoT. The first and most important risk is the risk with IoT in the medical field. When I was a kid, my grandparents used to tell us that there is witchcraft and black magic that can remotely kill someone. I don't believe in that, but here you can see that with IoT you can do it. Let's say that instead of giving 10 ML pump shots, I trigger 100 ML pump shots; then who can save you? Instead of setting your heart rate to the normal rate, if I set it to 3000 beats per second, you will suffer a major cardiac arrest. As we can see, these are inside the body and these are very critical devices. So security assessment for these devices must be done in a very aggressive way. I believe that if such devices are manufactured by a very renowned vendor, they should be tested country-wide. They should be offered to experts all across the globe, and then you can ensure whether this product is secure or not.
Because everyone has a different mindset for testing things. Now, the next one: you bought an IoT product, a surveillance robot, to secure your house and to take care of your loved ones when you are not at home, and hackers use that robot to spy on you. Here you can see: hackers break into a smart home, play inappropriate music and communicate with a resident via the camera. It's a horrible thing. It's a scary thing. If someone is continuously watching you and someone is talking through your speakers, how does it feel? It's scary, super scary.

And this one, this attack, is an industry-grade attack. Someone discovered a remake of the Mirai botnet; the OMG attack was discovered by Fortinet. It was a second Mirai. Mirai is the biggest IoT attack till now. You can read about it; it's a really interesting attack. This next one is again the case where you bought a surveillance system to watch your home and that surveillance system is watched by hackers. This device was running a video talk protocol which recorded audio from the mic and sent it to whoever connected to the camera over video talk. It is again scary, right? I believe there should be some system which ensures how secure a product is on a scale of 10, so it is easy to judge whether we should buy it or not. Like a product rating, there should also be a security rating.

And this is the major threat: the FDA recalls nearly half a million pacemakers over hacking fears. This is a really critical issue. As you see, life risk is associated with the risk of IoT devices. That's why the security assessment of such products is really crucial and really important, and it should be done right now.

Now, my case study for this is: can this decent-looking IP phone be turned into a botnet? What do you think? Can you turn this device into a botnet? Most people will be thinking, how can this be possible?
Experts who have already played with it may know the trick I am going to do. One fine day I was thinking about which device I should pick up for the training for the DEF CON Red Team Village, and which device I should pick up for the brief. I was staring at an IP phone, and suddenly it came to my mind: why not this IP phone? Every corporate office has IP phones, right? Let's say our corporate is one of the biggest, so we have at least 40,000 IP phones of the same brand inside our office, and Mumbai is a corporate hub. So I guess there would be more than a crore of IP phones of the same brand in Mumbai; I'm not talking about multiple brands. If vendor X is producing IP phone type X, you will find at least one crore IP phones of that type in the city. And if you target a specific call center, BPO or KPO, their business is IP phones, right? So if you target those you will get lots and lots of targets.

So if you are able to remotely compromise one IP phone, you are able to compromise crores of IP phones, at least crores of IP phones of the same type, using this technique. If you have hacked two organisations having 50,000 IP phones each, that creates 1 lakh bots. It may take 8 days, 10 days, 15 days, but within 15 days you will get 1 lakh computers, 1 lakh bots. Basically, what is an IP phone inside? It's an ARM machine or a MIPS machine, right? So you may get 1 lakh bots in just 8 to 15 days. Now if you target a complete city you may end up with 50 lakh IP phones; in a city you will definitely get that. If you target multiple cities, let's say India has 4 big corporate hubs, Mumbai, Delhi, Chennai and Bangalore, and Hyderabad also, sorry. If you hack those 5 corporate hubs you may end up with at least 5 crore IP phones.
Now let's assume you instruct those 5 crore IP phones to make 10 requests per second to facebook.com. 5 into 10 is 50, so 50 crore requests per second to Facebook. How long do you think it can survive, or any big provider, Facebook or Google, how long can it hold such a load? You can even increase it from 10 to 20 requests per second, that is around 100 crore requests per second. It could be the biggest loss, and I am just talking about 5 cities of one country. If you target multiple countries with the same attack, you can create the biggest Tbps attack in history, right? So I built a case study on how we can make this possible.

But before that we need to set up our machine to test it. Most of the time when I give a talk at a conference, seminar or chapter, like the null chapters, people ask me, sir, I want to start with IoT but I don't have enough equipment. The truth is, you need literally nothing to set up a basic setup for IoT testing. Here I have shortlisted a getting-started kit. All you need is Linux. Why Linux? Because Linux is smooth with virtualisation of ARM and MIPS devices, and most IoT device binaries, not all but most, are built for ARM or MIPS. So to virtualise them smoothly, you need Linux. Secondly, Linux gives you the lowest-level access to the operating system. If you connect a device to a USB port, it will definitely give you something: the manufacturer, product ID, vendor ID, device type ID. It won't tell you "unknown device" like Windows does. That's why Linux, and there are more reasons which you may get in the training section.

This device is the JTAGulator. JTAG is an interface for devices which don't have any other interface: no UART, no console cable, no USB, no LAN port. In that case, what should you use to interact with the device?
Our target is to get into the device; that is our first target as security people. In that case you can use the JTAGulator to connect to the JTAG ports of the device. Now you may say, what if there is no JTAG on the device? But that is not the case. JTAG is present in most devices because it is used for the factory debugging and factory QA process. Let's say a device is on the assembly line: it gets manufactured, it gets the required data, and before going to production it needs to go through QA. Nobody is going to check hundreds, lakhs and millions of devices manually, pin by pin, right? No. Instead, the JTAG pins are connected and all the functionality is tested with a JTAG testing suite. So JTAG is present. You may not find JTAG pins on the device, but you will find the points where you can solder pins, connect the JTAGulator and identify the appropriate JTAG pins.

Now, when IoT comes to mind, the second thing that comes is wireless. IoT gives you a wireless reach. The device, the sensors and the server are no longer connected over wires; they are connected with wireless technology, for example the Zigbee and Z-Wave protocols. To test these protocols we need specific hardware that understands those frequencies. This ApiMote is a gadget which allows you to perform Zigbee testing like Zigbee packet injection and Zigbee packet replay attacks. You may see building lights; most of those lights are controlled by Zigbee.

And connectors, finally: seriously, these are essential. Without connectors you cannot test. We need at least one extra LAN card. We need an additional Bluetooth adapter. We need a screwdriver set. We need a Shikra, because the Shikra is an all-in-one connector.
Instead of spending on individual connectors, if you can afford it that's fine, but instead of buying multiple ones you can buy one Shikra connector, which supports GPIO communication, JTAG communication, UART communication and also SPI communication. If you buy this one product, all your problems are solved. And lastly, to hack radio frequencies, we need a HackRF device. So this is the minimum you need to get started with IoT testing.

Now, that is a basic setup. What about an advanced setup? You can buy endless stuff. As new devices come, you need to buy something new. As a new device may have another way to communicate, you may have to build your own PCB boards to communicate with it. There was one device which was not directly connected over USB; there was a mediator chip in between. You had to connect the device to that mediator chip, which converted the signals to UART, then a UART-to-USB converter, and that to the laptop. That was the complete setup. So there is no limit for an advanced setup; you can build up whatever you want.

Now we are done with the hardware part. What about software? Which tools are required? Are those tools expensive? Are they paid? Are they so heavy that one cannot afford them? No, this is not the case. These I call the weapons, and these are the minimal weapons needed for testing. One is binwalk. binwalk is a great tool: you give a firmware to binwalk and it extracts it for you, if the firmware is unencrypted. We need Firmadyne. Firmadyne is a collection of multiple tools; it consists of binwalk, QEMU and a PostgreSQL database, and it is a properly organised framework for emulating firmware.
We need Firmadyne to emulate the device firmware in case you don't have the device, you have only the firmware, and you want to test it. Burp Suite, I hope everyone is familiar with it; Burp Suite is the great software tool we have. We need Python, because most of the tasks have to be done on a repeated basis, and to automate that Python is great and easy to write. And lastly, IDA Pro. If you can't afford IDA Pro, it's okay: you can use the IDA free edition or open-source tools like radare2 or NSA's Ghidra. Ghidra is also a great tool for reverse engineering. But trust me, reverse engineering is life, and reverse engineering is the most important aspect of device testing.

A few things come to mind when someone asks why you need to reverse engineer the binary. First, hard-coded backdoor accounts. Recently there was news about, I forgot the name of that router OS, but that router OS was found to have seven major issues, and most of them were hard-coded backdoor accounts, listening on the WAN interface too. If your device is running telnet on the WAN interface and there is a backdoor account, you never know how someone can enter your network. That is one aspect. Second is identifying critical vulnerabilities like remote code execution. In an embedded device there is very limited space, so everything has to fit in that small space, and the application logic and code live inside the web application binary only. To analyse that binary, the best way is to reverse engineer it, get the assembly out of it, and then perform assembly analysis to identify where natively vulnerable calls like sprintf, system, fopen or popen are in use. So to reverse engineer, we need IDA Pro.
Once you have set everything up, we start with the first stage, which in pentesting is always reconnaissance. IoT is no exception: the first stage is recon. I split this recon section into two parts, active recon and passive recon. Generally in pentesting we perform active recon first and then passive recon; here we have to do the reverse. First we have to do passive recon. Let's say you get one device, for example this headset, and the manufacturer says that this device does not support Wi-Fi. How can you be sure? Just because they said it doesn't support Wi-Fi, are you going to believe it? No, you have to read the specifications. Each device has a unique FCC ID, and if you search that FCC ID in the FCC ID database, it comes up with all the specifications that exist for the device. Sometimes a vendor may tell you that a functionality is not supported at the hardware level when they have merely disabled it. This happened to me with one product: the vendor was saying, sir, this device doesn't support Wi-Fi, and on the FCC ID record they had mentioned that the device supports Wi-Fi. We had a long debate and in the end I created a custom firmware which loads the Wi-Fi driver. Basically they had just disabled the Wi-Fi driver; that's why Wi-Fi was not coming up on that device. So first we do the FCC ID analysis.

Second, documents. You should ask for as many documents as possible. That could be a security architecture document, a product data sheet, a project description sheet, or the user manual of the product. These are the things you should do first, before you touch the device. And once you touch the device, the first thing is to know your device.
If I tell you that you have to test this device, what will you do? In web applications we look at what technology it is built on, whether there is a LAMP stack, what other directories are in use, what the server is. In the same way, in device security testing or IoT pentesting we have to identify the multiple entry points to the device. For example, a LAN port: in this device there is a LAN port and a console port, there could be Wi-Fi that this IP phone might be using, and if the device is running Android there could be ADB running on it. Some advanced devices, like the Narrowband IoT ones I told you about, could be using a NIDD interface, Non-IP Data Delivery, to communicate with the server, basically no IP on the network. Then you can check for UART, if a UART or console port is present; if Android is there, ADB is present; if classic ports are there, a LAN port and a console port are present. So the first thing is to know your device: how can you interact with it, how can your Linux machine interact with it?

Once you know that you can interact with the device in a specific way, you should go through the documents. Here are some glimpses that help in understanding why document review is important. In this document the vendor says that the device supports SIP version 2 and RTP. That means the device does not support SIP over TLS, so if someone is able to perform a MITM attack, they could read your traffic in the clear and hear the call you are on. Here you can see this device supports TR-069. Most people who work on Windows, Linux or network pentesting are not familiar with TR-069. TR-069 is the protocol through which you can provision and completely reconfigure a device using an ACS server. And here is a user manual. That user manual tells us that the firmware of the device is upgradable.
The device has password management, the device has local and remote syslog, the device has auto-provisioning using TFTP, HTTP and HTTPS, and also multiple user levels. So even if the owner of the device has changed the password from admin/admin to admin/admin@123, there could still be multiple users like support, like tech, the kind of users you generally find inside the product, and their password will be the same as the username. This you can identify from the manual itself.

Now, algorithms. Reviewing algorithms is one of the most critical parts in IoT. You may be thinking, what do we have to do with an algorithm? The practical example is this: let's say vendor X has decided to produce a router. As per the standard or minimal requirement, every router's Wi-Fi SSID should be unique or random, or at least the password to connect to that SSID should be random. For one crore devices, how are you going to produce passwords? Are you going to write a C program for that? No, right? And even if you write one, are you going to maintain a unique password for every device? No, right? So what they do is use one algorithm to generate the SSID password. For example, four digits of the MAC address plus the last four digits of the serial number plus the current date and time could be the password for the SSID. If you search for the Belkin password generation algorithm hack, you will get what I am trying to say here. If they design a poor algorithm by just adding the first four digits of the MAC address and the last four digits of the serial number, anyone can generate the password for any device, right? Or the MAC address plus the date and time.
So like, you know that if vendor X is generating a password based on MAC address and date on time, so what you do is you set a packet capture, you capture a beacon, you get that MAC address first four digits and you add a current DDMM format and connect with the password to the SSID if the SSID is on default password, right? So to ensure that they are not doing such a silly mistake, we have to review the algorithms and lastly, the magic number. So what the magic number is? You know, you found some fault in your device, for example set top box or for example in any of your device, let's say router, if you are a non taking guy, you take that router or hey man, this router is not working, it's not showing up you take that router to the respective service center that service center guy connects to the router and enter some to code and in 15 minutes, he will give you that, sir, it is working. So how you think it is possible? So every device have some specific additional access mode that we called what we call it developer mode or debugger mode or engineer mode. So to access those modes, you need to enter some secret code, which is also generated by algorithm. So it calls a magic number generation algorithm. So you have to review it, like there was one USB which was supporting, which is locked to support with specific ISP X for internet for internet providing. And let's then you want to unlock it and you want to use it over other network. So how you can do it? You access the engineering mode of that device you remove that restriction, maybe a PLM and lock is there, maybe some MCC MNC code or widely studied inside that device or it could be a single like only name of ISP is written there on this network only if you find so you can easily modify it. So to access this additional modes you need this magic number so magic number generation logic should be top to identify. Otherwise once this logic is leaked you are over. 
Now this is the most interesting aspect: the default credentials to access the device. Here you can see: default PC port connection type is bridge, okay, that's fine. Default username for admin mode is admin, okay, that's okay. Default username for user mode is user. Default password for web is null. Wow. They set up a complete web UI, they set up users, they set up password policies, and now they set the password to null. That means all you need to do is identify the IP address; once you have the IP address you type admin and you are admin, you type user and you are a user. Isn't it funny? And here is the default web login port. So they give you everything in their documents, and you should review those documents. You should search for words like ENC, so if there is encryption logic it will pop up. You should search for SEC, as in security, so security-related stuff pops up. Sometimes a user manual is 400 to 500 pages, and as a device tester you may get only 5 to 10 days to complete one device security assessment, so in that case you need to follow such tricks to review it quickly.

Now, active recon of the device. Active recon here is not just identifying open ports, but when it comes to open ports you should do a port scan of all ports on the device, because they always use non-standard ones. Here is one device which I scanned; this was its IP address in 2017. I scanned this device and found port 1380 open. After reversing the binary associated with this port I was able to perform remote code execution on this device, and this is an end-user device with multiple users having access, so I could have executed code on maybe 70,000 people's devices in a city. In the same way I discovered a crash on port 4046: if I fired one command at random IP addresses, wherever it connected on 4046 the device would crash, and I could cause a
disruptive denial of service. And this was also an interesting crash I identified on port 415654 after reversing that binary. Oh, I forgot to hide this MAC address; that's okay.

So this is active recon, but we don't stop here. For reconnaissance we have to identify the underlying OS of the device. If you see a working Android TV, you know the underlying OS is Android. Now what about an IP phone, what do you think an IP phone is running? Mostly all of these embedded devices run on Linux, and they use a Linux kernel with BusyBox to save space, because, as I told you, there is very little space available. So to save space these embedded devices use BusyBox. And why is BusyBox important in recon? Because BusyBox itself has vulnerabilities, so if you search CVE Details for BusyBox you may end up with a vulnerability, and the underlying operating system tells you what vulnerabilities are associated with it. Basically, if the device is using a Linux kernel of version 2.10 to 2.15, then in those 5 versions there could be lots of things that you can exploit later. So identify the underlying operating system, identify the BusyBox version, identify all open ports, TCP and UDP, and apart from this, accessible locations like consoles: let's say a root console is running without a password over UART, then all you need is to connect one cable using a UART-to-USB converter. So this is active recon for embedded devices; we will touch on some more aspects of recon in the upcoming training.

Now, the great part of device testing: when you are testing a device with a white-box approach, you get the firmware. There are basically two types of firmware, encrypted and compressed. The agenda for this firmware analysis section is: what is firmware, ways to obtain the firmware, unpacking the firmware, and finding vulnerabilities inside the firmware.
Here is the best part of device testing: if you are doing white-box testing, you get the firmware, which helps you identify the directories, entry points and network services running on the device from the firmware itself. So you don't have to brute-force with ffuf or do content discovery in a big way; you perform analysis here, not content discovery, so that section really gets skipped from recon if this is white-box testing.

So what is firmware? Firmware is the file which contains the file system of the device, the kernel for the device and the bootloader. Firmware is of two types: full firmware and delta firmware. Let's say you use a mobile like I do, a Samsung mobile, on Samsung firmware version 1.1. Now there is an issue: when you open the dialer, it crashes. This is a small issue; maybe the developer messed up somewhere. Now Samsung wants to send an update. Do you think Samsung is going to send you a 3 GB update for the complete operating system for one small patch? No. What they do is make the respective changes to the file system, and if it's at file-system level, they calculate that delta part, of KBs or MBs, and ship that to your device. That is called a partial update, and that is a delta firmware, the firmware you receive over the air for update purposes. So these are the types of firmware.

Now, what are the ways to obtain the firmware? Here are a few ways I listed; we are going to touch on more ways in the training. First is downloading from the website: here you can see the firmware listed on the vendor's website, you click download and you get the complete firmware. Second is setting up a bridge: this is your device, this is the LAN card of your PC, this is your additional LAN card, you set up a bridge connection, and this is your ISP cable. Now, on the device, click
on check for update if there is a firmware available start wireshark capture here on your bridge and click on download so what happened that capture will get stopped here and you can download the firmware from the update now extracting for a device I told you like some device don't have literally any way to connect with a device so in that case you can connect the jetag and you can dump the firmware using jetag then google docs so like if you search index of or ftp of a product name you may come with a firmware and lastly analyzing device traffic so believe me some devices most of the devices most of the devices which we use like smart watch or mobile phone gets a silent update so what that silent update is device is checking periodically whether the firmware update is available or not with a respective vendor so let's say it on one fine night device checks for the update now that update requires restart and device is restarted so I woke up with my phone and saying why my phone is restarted as it was charged full how so these are the tricks that vendor pushed the firmware silently that is called silent update so to obtain such kind of update you need to keep eye on device traffic so basically you can set up one interception server itself so that all the device which at your home are connected to that interception server and that server is downloading everything from you can have a track of all the things that is getting downloaded at your home okay now you got a firmware what now so everyone knows that binwalk happened you can extract the firmware that is the most inappropriate approach to extract the firmware first thing you should do is an entropy analysis so some firmware are compressed and some firmware are encrypted so if you run a binwalk on encrypted firmware it will create a garbage it may literally fills your GBs and TBs of data with a garbage you will get nothing so first way first proper way is to perform an entropy analysis on firmware with binwalk 
happen capital E it will generate a graph like this as you can see here a line is completely on the one that means the firmware is very nicely encrypted but here you can say some part is here is not encrypted so now what now we can run a DD on this part and we can download this particular information to our device and we see what is there present so believe me once I found a private key to decrypt that firmware in this part once I found a password so that is that is a fun to identify the firmware entropy and with that password I was able to open that firmware now to sometimes in Hexdom only you will see the password of firmware it happens to me and then you can perform a signature analysis so like if you are able to perform a signature analysis you may come up with knowing which type of file system are in use so like in windows we have FAT, NTFS, in Linux we have XT, XT1234 and RazerFS and same way in device you may never find this in AXT4 you will find operating file system like GramFS, UBFS SquashFS, SquashFS is majorly I have seen till now and YZFS so these are the very small file systems are in use because due to the restriction of space ok now once you are able to extract the file system from the firmware now what to look inside it right we are going to touch our details aspect of this in our tomorrow's training but as of now what are the most critical aspect that you should look first obviously a passability file to get a credentials and decode that hash to login inside the device second you should look for the document so what are the web pages are there some hidden pages which is not listed in GUI those hidden pages may use to access a device core functionality or execute a root level command then as I told you in this application binary and the docu application logic is built inside the web binary so that binary should be downloaded and reverse engineer for the purpose of identifying vulnerability and lastly this is the first command which I run on 
firmware find slash name .sh with the type of file and having permission 777 so this is the most important aspect as you can see there are Quran jobs running with a root a root and that was a shell script and it was having a permission of 777 what you want you are root now you can edit that shell script put add user command and once that script is run you get your user is added so you can backdoor that device or as it is 777 and having SS type so you can execute it yourself so this kind of interesting stuff you can look what are the shell script files are there you can look up for the email addresses we are taking this in a deeper manner in tomorrow's training so these are the crucial part of the program for now here in document root you may end it up source code review for web application completely and in application binary itself also you can review source code review of the application binary to execute a command from a web interface now getting hands dirty first thing is like obvious you are running a port scan once you remember we conducted a documentary where we found default credentials is admin now I ran a port scan on this one find device one find ip phone it was an ip phone and I found that telnet was open and simply connecting to telnet and running admin admin I got this here you can see uid0 jd0 we got a root over this device now we see that atn 443 is running also as we know that web server is running on document I found this two new ports from port scan that 7547 is there and 53 is filtered on the device so generally this device don't have a capacity to host a DNS server so they use a very fine utility called dnsmark almost in every device you find a dnsmark which is running on a port 53 that dnsmark itself as acts as a dhp server also in device and I found one new port that is 7547 port so after studying a lot I come to know that that is a cwm pc port which was doing a device management on 7547 port and here you can see operating system is linux 
turner 2.6 just google about linux turner 2.6 exploit I believe you may find a 5 to 6 pages oxybee details with the exploit available on the device and here is a specific version 2.6.17 to 2.6.37 so you may find more critical vulnerability and now you have a deeper angle and you have deeper aspects so all you need is to look into 17 to 18 exploits like 18 versions and exploit for that 18 version of it so you may use it for remote code execution if exploit is supporting rt or you may end up with a privilege escalation vulnerability now obviously as we seen in the port scan the device is running web server I connected to that device and found this index.asp I entered username and password here you can see username is traveling and password is traveling but what I am think something is missing here so what is missing that missing part is nothing but an extreme option adder now you are thinking why I am making a critical issue why I am asking this as a critical issue I will tell you in the next slide next few slides but keep in mind that we have no extreme option here so that means these devices are vulnerable for click jacking vulnerability ok then after further accessing or after further obtaining a few from this device I got to this one request that this one request could manage a complete device so I can with this one request I can manipulate every parameter of device here you can see user type is admin user name is admin admin password is admin then dbidclcd language is zero management use vpn zero remote web login is one that means remote web login is enabled or disabled ok so you can change it also as you have in one request only wireless access zero LAN port is 80 dbid web port is 80 dbid web SSL port is 443 and remote web remote legal ip is everything so every remote web is legal ip then remote telnet is one telnet security code and local telnet is one telnet port is 23 telnet remote legal ip is 0.0.0.0 so anything any characters anyone can connect to device 
over a telnet as this device is listening 0.0.0.0 and hostname was there radius access is there ip performances log enable device plan event so as you can see here everything is controlled in just one request ok and can you notice something here so this is interactive session generally I'll tell you there is a no uniqueness in this request as you can see apart from this cookies there is no uniqueness so that means this device is vulnerable for request forgery also now we have a click checking vulnerabilities and request forgery vulnerability so we can do a cross-site request forgery to this device now let's look at last part here these devices have some one page called diagnostic to perform this kind of operation like to ping the device or to see whether the device is properly configured in a network so like you can't do the SSH to the device and ping for the device so these guys generally give such kind of option in web and here you can see here was a ping option I just put a id command in backtake and it returns me id so basically we have a code execution vulnerabilities or say code execution vulnerabilities on the device now we have a click checking we have a cross-site request forgery and we have a code execution now if you put some logic that this is an ip phone it is connected to the laptop now laptop is directly connected to ip phone in most of the company wherever you see ip phone network and laptop network are same generally ip phone itself gives ip to using that cable to laptop so that means your laptop is reachable to ip phone now let's make some fancy page of to retain this organization employment you have to agree to policy means to continue with employment you have to continue with those policies if you want to get terminated you can or in case you want to leave the organization you can click on id securing now add a click checking using click checking make a request to the ip phone with the default credential it works most of the time and instead of 
that id parameter change that value with the curl facebook.com let's say let's add a cron job let's add a cron job using command execution vulnerability like for i in 1 is to 100 do curl have an ik hdps facebook.com or any any website for example .com and once you once this request is fired that bot is under your control or you can add a back door to the device and those will become your destructive bots isn't it easy this is how we can turn a simple ip phone into a bot that's all here is the poc which i done on my laptop this was connected to a laptop ip phone i just clicked on i agree and it executed id command on the device using this simple now what i need to use this i need to hold this test poc to one server and all i need to do is send that server link to anyone means to send that server link to user so that once user click on that link it will create a using click checking it will create a request to device and with the csrf and default credential and command execution it will authenticate and executes the command so this was all getting hands dirty with iot now we will touch base upon a fuzzing reverse engineering and exploit development we have a complete one hour section in tomorrow's training or in my training at day one of fuzzing on this fuzzing reverse engineering and exploit development in this brief due to lack of time we are just touching base on this so first thing is to get the shell before we start fuzzing or debugging we need to install the debugging tool on the device so for that we need to get access to the root or we need at least some shell to device for testing this second what are the ways to obtain this shell it is like one I show demonstrated just now with web vulnerability instead of id command you can execute mpf and lvp on force for force for you will get a bind shell bind shell to the device second is firmware analysis in firmware analysis you may come up with a hard coded account backdoor account or you may come up with a way to 
execute a command some binaries might be there which is listening silently and there is some clients to connect that device third is document review in document dimension that in case of emergency you need to connect on this port by this way or by pressing this button multiple times you may get a shell and last default credential is always good and reverse engineering the binary default credential we used in earlier our telnet server we are exploiting web vulnerability also we use right now and lastly reverse engineering the binary so this looks complicated earlier but when I start exploring this it is not as complicated so there was one fine admin panel I just put admin admin on it I intercepted this and I found this this are the request username logoff login time login time 0 and login value password wrong password password 2 is wrong password this is the input I typed here and again there is a user password is wrong password so I saw multiple fields there as a password and I decided to first make sure whenever you are pressing a device you should press each and every request you never know when you got a surprise then I created this first list here A 2 times A 5 times say 10 times A 20 times say 50 times say 100 times say 200 times say and I loaded it into both so payload payload and I fired this into there now here you can see this is a missed part here you can say the responses is here but here it is missing again the device started response so let's see what happened in a background here is a logoff device what you can see here can you see something interesting here so the boa server was running here on the then there is a extra body it got what it got a buffer overflow here a static buffer overflow dumping core in flash tmp now what again boa server started with a different PID 1170 1169 and what here extra radio body again it got 6 up again dumping core in tmp now again it got crash again it started so someone might be wondering that if we are able to crash 
if the device is getting crash how this is how this binary is getting up it's because there are proxmox kind of activities are running inside the device which will keep eyes on process like if the web interface is up or not if the SIP interface is up or not if a LAN interface is up or not so whenever we are crashing this with our payload as you can see here here when we send a 210 5000 is as a password to the device device get crashed again we send it 20,000 10,000 it is getting crashed again we send 20,000 it is getting crashed again with the 50,000 it is getting crashed ok so this is how we are getting crashes here so first thing is once you got a once you got a server you need to you need to first all each and every request with each and every parameters you you may get a surprise anytime so this is a first thing with SDP protection we are doing now now you got a crash right but you have to identify at what level device is getting crash so here you may see when you are sending a 5000 a their device is getting crash so what you have to do now with MSF you have to generate a payload of 5000 and you have to copy that payload into a request and you have to send that payload to identify those offsets at at which which point device is getting crash to develop a successful exploit now how you can achieve it so first thing is as you have a root shell first thing is to grape for the process ID which process is running now you have to install the gdb server we are taking this in deeper manner that how we are going to install a gdb in training and you have to attach the process here with gdb now gdb is listening to this process and then you have to connect gdb gdb means we need a gdb multi architecture here to connect this and once you connected to gdb you have to regenerate the crash as the device is crash you can see here the registers from gdb it is upon gdb i used to use as here you can see from register s0 to s3 these 4 registers are in our control then here you can 
see of t4 register and t7 register are in our control and also we have a control over return address so once we got this much of access now you know what to do right just get a dirty shellcode for reverse shell for bind shell and fire it and once you fired it the device so this is the owning the device so here is an exploit which is a simple exploit i developed here for this ip phone only here you can see user name is buffer overflow and password is equal to a into 999 times this is the padding till t4 then first register comes as t4 then again we have a t7 here then t6 you can see s0 register s1 register, s2 and s3 register right so all you need to do is you have to hold this register here in s0 to s4 and then you have to give some padding here again till return address and some padding and then you have to call the return address and by this way you can own the device without any interaction just by knowing the IP address once you perform an extensive research to this so as i am available with you for a long time on this art still you have a question you can mail me at kinkoswetme.com and you can follow me at twitter at security thanks a lot hope you like this talk and hope i can see you again for tomorrow's training
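The entropy analysis and signature scan the speaker runs with `binwalk -E` before extracting a firmware image, written out as an added example (this is not code from the talk or from binwalk). It computes Shannon entropy per 1 KiB window so that encrypted or compressed spans (entropy near 8 bits per byte, where extraction only produces garbage) can be told apart from plaintext spans worth reading with dd or hexdump, and it scans for the magic bytes of SquashFS, CramFS and UBI. The sample image is constructed inline: a seeded pseudo-random block stands in for ciphertext, followed by a fake bootloader config and a bare SquashFS superblock header; the key string in it is a placeholder, not a real secret.

```python
"""Window entropy profile and file-system signature scan for a firmware blob."""
import math
import random
from collections import Counter

# Magic values of file systems commonly found in embedded firmware:
# SquashFS superblocks start with "hsqs" (little-endian) or "sqsh" (big-endian),
# CramFS with 0x28cd3d45 stored little-endian, UBI erase-counter headers with "UBI#".
SIGNATURES = {
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x45\x3d\xcd\x28": "CramFS",
    b"UBI#": "UBI volume",
}


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant chunk, 8.0 at most."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(image: bytes, window: int = 1024) -> list:
    """Entropy of each non-overlapping window, as (offset, entropy) pairs."""
    return [(off, shannon_entropy(image[off:off + window]))
            for off in range(0, len(image), window)]


def classify_regions(image: bytes, window: int = 1024, high: float = 7.5) -> list:
    """Merge adjacent windows into (start, end, label) regions.

    'high' = entropy >= high bits/byte (encrypted or compressed; skip extraction),
    'low'  = anything else (plaintext, padding, headers; worth a hexdump).
    """
    regions = []
    for off, ent in entropy_profile(image, window):
        label = "high" if ent >= high else "low"
        end = min(off + window, len(image))
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)
        else:
            regions.append((off, end, label))
    return regions


def find_signatures(image: bytes) -> list:
    """Every (offset, description) at which a known file-system magic occurs."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = 0
        while (idx := image.find(magic, start)) >= 0:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed sample, not a real firmware: 4 KiB of seeded pseudo-random
    bytes standing in for ciphertext, 2 KiB of plaintext config with a
    placeholder key, then a 1 KiB block beginning with a SquashFS header."""
    rng = random.Random(20200807)  # fixed seed keeps the output reproducible
    encrypted = bytes(rng.getrandbits(8) for _ in range(4096))
    plaintext = (b"# bootloader config (constructed)\n"
                 b"fw_decrypt_key=PLACEHOLDER-NOT-A-REAL-KEY\n").ljust(2048, b"\x00")
    squash = b"hsqs" + b"\x00" * 1020
    return encrypted + plaintext + squash


if __name__ == "__main__":
    img = build_sample_image()
    for start, end, label in classify_regions(img):
        print(f"0x{start:06x}-0x{end:06x}  {label}")
    for off, name in find_signatures(img):
        print(f"0x{off:06x}  {name}")
```

On a real image, feed `open(path, "rb").read()` to `classify_regions` and `find_signatures`; a region reported as `low` that sits between `high` regions is exactly the span the speaker carves out with `dd` to inspect for keys, passwords and headers.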
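The first-look checks the speaker describes after unpacking a file system (credential hashes in the passwd file, world-writable `.sh` scripts, cron jobs that run them as root), automated as an added audit script. This is not the speaker's tooling; it walks an extracted root directory and reports findings a defender would want fixed before shipping. The sample tree it audits is constructed in a temporary directory, and the hash string in it is a placeholder rather than a real hash.

```python
"""Audit an extracted firmware root file system for the findings the talk lists."""
import stat
import tempfile
from pathlib import Path

# Cron locations used by busybox crond and by the classic cron packages (assumed set).
CRON_DIRS = ("etc/crontabs", "etc/cron.d", "var/spool/cron/crontabs")


def audit_passwd(root: Path) -> list:
    """Flag accounts whose password hash sits in /etc/passwd itself or is empty."""
    findings = []
    pw = root / "etc" / "passwd"
    if not pw.is_file():
        return findings
    for line in pw.read_text(errors="replace").splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        user, hashfield, uid = fields[0], fields[1], fields[2]
        if hashfield == "":
            findings.append(f"passwd: {user} (uid {uid}) has an empty password")
        elif hashfield not in ("x", "*", "!"):
            # Readable by every local process, and recoverable offline from the image.
            findings.append(f"passwd: {user} (uid {uid}) hash stored inline")
    return findings


def world_writable_scripts(root: Path) -> list:
    """(relative path, octal mode) of every *.sh file writable by 'other'."""
    hits = []
    for path in sorted(root.rglob("*.sh")):
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & stat.S_IWOTH:
            hits.append((path.relative_to(root).as_posix(), oct(mode)))
    return hits


def cron_entries(root: Path) -> list:
    """(crontab owner/file name, line) for every active cron line in the image."""
    entries = []
    for d in CRON_DIRS:
        cdir = root / d
        if not cdir.is_dir():
            continue
        for f in sorted(cdir.iterdir()):
            if not f.is_file():
                continue
            for line in f.read_text(errors="replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#"):
                    entries.append((f.name, line))
    return entries


def audit_rootfs(root: Path) -> list:
    """All findings; a world-writable script referenced from root's crontab is the
    combination the talk singles out, since any local user can then run code as root."""
    findings = audit_passwd(root)
    scripts = world_writable_scripts(root)
    for rel, mode in scripts:
        findings.append(f"world-writable script: /{rel} mode {mode}")
    for owner, line in cron_entries(root):
        for rel, _ in scripts:
            if "/" + rel in line:
                findings.append(f"cron ({owner}) runs world-writable script /{rel}: {line}")
    return findings


def build_sample_rootfs() -> Path:
    """Constructed sample tree (not a vendor image) exhibiting all three issues."""
    root = Path(tempfile.mkdtemp(prefix="rootfs_"))
    (root / "etc" / "init.d").mkdir(parents=True)
    (root / "etc" / "crontabs").mkdir(parents=True)
    (root / "etc" / "passwd").write_text(
        "root:$1$EXAMPLE$placeholder-not-a-real-hash:0:0:root:/root:/bin/sh\n"
        "admin::0:0:admin:/:/bin/sh\n"
        "nobody:x:65534:65534:nobody:/:/bin/false\n")
    script = root / "etc" / "init.d" / "healthcheck.sh"
    script.write_text("#!/bin/sh\n/bin/ping -c 1 127.0.0.1\n")
    script.chmod(0o777)
    (root / "etc" / "crontabs" / "root").write_text(
        "*/5 * * * * /etc/init.d/healthcheck.sh\n")
    return root


if __name__ == "__main__":
    for finding in audit_rootfs(build_sample_rootfs()):
        print(finding)
```

Point `audit_rootfs` at the directory binwalk or unsquashfs produced; the fixes it implies are the usual ones (shadowed hashes, `0755` scripts owned by root, no cron entry for anything a non-root user can write).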
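The three web findings on the IP phone (a diagnostic ping field whose value is spliced into a shell command, no X-Frame-Options header, and a device-management request with nothing unique in it beyond the cookie) reduce to three server-side fixes. The following is an added example in Python, not the vendor's firmware code, showing the vulnerable command-building pattern beside a hardened diagnostic handler: the target is validated as a literal IP address and passed to `ping` as an argv list with no shell, state-changing requests must carry a per-session CSRF token compared in constant time, and responses carry anti-framing headers. Function names and the `allowed_origin` parameter are my own choices.

```python
"""Hardened 'diagnostic ping' handling for an embedded web UI."""
import hmac
import ipaddress
import secrets
import subprocess
from typing import Optional


def vulnerable_ping_command(target: str) -> str:
    """The anti-pattern found on the phone: the user-supplied target is spliced
    into a shell line.  Returned instead of executed so its behaviour is visible;
    anything the shell interprets (backticks, ;, |, $()) would run as the web
    server's user."""
    return "ping -c 3 " + target


def build_ping_argv(target: str) -> list:
    """Validate the target as a literal IPv4/IPv6 address and build an argv list.
    With no shell involved, metacharacters are never interpreted; with the
    validation, they never even reach ping."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError("diagnostic target must be a literal IP address") from None
    return ["ping", "-c", "3", str(addr)]


def is_safe_target(target: str) -> bool:
    """True when build_ping_argv accepts the value."""
    try:
        build_ping_argv(target)
        return True
    except ValueError:
        return False


def run_ping(target: str) -> str:
    """Execute the validated command without a shell and with a timeout."""
    result = subprocess.run(build_ping_argv(target), capture_output=True,
                            text=True, timeout=15, check=False)
    return result.stdout


# Headers every UI response should carry; the first two defeat framing, which is
# what the clickjacking chain in the talk relies on.
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "Cache-Control": "no-store",
}


def issue_csrf_token() -> str:
    """Per-session random token, stored server-side and echoed into each form."""
    return secrets.token_urlsafe(32)


def authorize_state_change(session_token: Optional[str], form_token: Optional[str],
                           origin: Optional[str], allowed_origin: str) -> bool:
    """Accept a state-changing request only if it carries the session's CSRF token
    (constant-time comparison) and, when the browser sent an Origin header, that
    origin is the device's own.  A forged cross-site form can supply the cookie
    but not the token, which is the missing 'uniqueness' the talk points at."""
    if not session_token or not form_token:
        return False
    if not hmac.compare_digest(session_token, form_token):
        return False
    if origin is not None and origin != allowed_origin:
        return False
    return True


if __name__ == "__main__":
    print(vulnerable_ping_command("192.0.2.10`id`"))   # shows what the shell would see
    print(build_ping_argv("192.0.2.10"))
    tok = issue_csrf_token()
    print(authorize_state_change(tok, tok, "http://192.0.2.1", "http://192.0.2.1"))
```

The same shape applies to any other diagnostic field (traceroute, nslookup): an allow-list type check on the value, an argv list instead of a string, and a token that a cross-site page cannot read.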