Post on 12-Nov-2014
Poor Man's Guide To Network Espionage Gear
Shawn Merdinger, Independent Security Researcher
CRT-9, Computer Security Institute
NetSec 2006, 2006.06.14
British Spy Rock
First-Gen Spy Rock?
Obligatory Speaker Slide
● Shawn Merdinger
  – Independent security researcher & corporate irritant
  – Current indy projects
    ● VoIP device & Emergency communications systems
  – Former positions
    ● TippingPoint
    ● Cisco Systems
      – STAT (Security Technologies Assessment Team)
  – Web: www.io.com/~shawnmer
Warnings and Stuff
● This is academic research...the “how” not the “why”
● This is “dangerous information”...however
  – You have the right/need to know
  – I have the right/need to talk
● Oh yeah...and remember
  – Devices (in context) may be illegal...don't use
  – Activities (in context) may be illegal...don't do
  – I’m not a lawyer…
Objectives
● Academic information exchange
● My favorite cheap and mean gear
● Attacks & countermeasures
● Resources
Agenda
● Objectives
● Attackers
● Network Espionage Devices (NEDs)
● Gettin' Spooky with IT
● Countermeasures
● Looking forward
Got bad soup?
Devastating yet “simple” attack
Attacker Goals
● Attacker wants to accomplish...
  – Gain internal access via a device at victim location
  – Attack internal/external hosts via TCP/IP
  – Attack phone/PDA/PC via Bluetooth
  – Passively gather information via sniffing
  – Establish other internal and external access
  – Impersonate services – Webserver, Database
  – Target a user's service – VIP VoIP connection
Attack Tools
● Typical opensource methods and tools
  – Scanning & Probing
  – Sniffing
  – Exploiting
  – Covert communications
● Multiple protocols and entry points
  – Wired LAN
  – 802.11b/g wireless
  – Bluetooth
NEDs
● My favorites
  – Linksys WRT54G
  – Nokia 770
  – Gumstix
  – PicoTux
● Plenty others!
  – Access Points
  – PDAs
  – Game platforms
NED Characteristics
● Small, unobtrusive, ubiquitous, “cute”
● Low-cost, disposable at victim's location
● Minimal power requirements
  – Power over ethernet, battery, solar potential
● Multiple attack vector capability
  – Wired, Wireless, Bluetooth, RFID
● Traditional forensics very difficult
  – Ephemeral filesystems running in RAM & device access
  – Try that with Encase!
NED Characteristics
● Outbound reverse connections back to attacker
  – Crypto tunnels bypass firewalls, IDS
  – “Under the radar” common protocols like DNS requests, ICMP, HTTP/S
  – Proxies, anonymizers, etc.
● Ported attack tools and exploits
  – ARM processor-based
  – Some hardware and software limitations and trade-offs
    ● Dependent libraries, GUIs, etc.
  – E.g. Don't expect a full Nessus client/server on Linksys routers
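The slide's point about reverse connections riding "under the radar" on DNS is also the defender's detection opportunity. Below is an added example (not from the talk) that applies two heuristics to DNS query logs: a per-name check for long or high-entropy first labels, and a per-client count of distinct suspicious names under one zone, which separates a device beaconing out from a one-off odd lookup. The log format, the thresholds (16 characters, 3.5 bits of entropy, 3 distinct names) and the sample lines are assumptions constructed for the demo.

```python
"""Spot DNS queries that look like a covert channel.

Added example, not from the talk. A device phoning home over DNS
encodes data in query names: many distinct, long, high-entropy
subdomains of one zone from a single client. Two heuristics are run
over constructed query-log lines: label length/entropy per name, and
the count of distinct suspicious names per (client, zone).
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic), loosely in the style
# of BIND query logging: "client <ip>#<port>: query: <name> IN <type>".
SAMPLE_LOG = """\
client 10.0.0.21#51234: query: www.example.com IN A
client 10.0.0.21#51235: query: mail.example.com IN MX
client 10.0.0.77#40001: query: 6a9f3c1e0b7d4a2f8e5c.c2.example-tunnel.test IN TXT
client 10.0.0.77#40002: query: 1d4e8b2a9c0f7e3b6a5d.c2.example-tunnel.test IN TXT
client 10.0.0.77#40003: query: f0e1d2c3b4a596877869.c2.example-tunnel.test IN TXT
client 10.0.0.77#40004: query: 9b8a7c6d5e4f30211203.c2.example-tunnel.test IN TXT
client 10.0.0.21#51236: query: cdn.example.com IN A
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: about 4 for random hex, 2-3 for English-like labels."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_queries(text: str):
    """Yield (client_ip, lowercase name, qtype) for each parseable line."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").lower().rstrip("."), m.group("qtype")


def registered_zone(name: str) -> str:
    # Assumption for the demo: the zone is the last two labels. Real code
    # should consult the public suffix list (co.uk and friends).
    return ".".join(name.split(".")[-2:])


def is_suspicious_name(name: str, max_len: int = 16, min_entropy: float = 3.5) -> bool:
    """First label too long or too random-looking for a human-chosen hostname."""
    first = name.split(".")[0]
    return len(first) > max_len or shannon_entropy(first) >= min_entropy


def flag_names(text: str) -> list:
    """All distinct query names that trip the per-name heuristic, sorted."""
    return sorted({name for _, name, _ in parse_queries(text) if is_suspicious_name(name)})


def flag_hosts(text: str, min_distinct: int = 3) -> list:
    """(client, zone, count) for clients sending >= min_distinct distinct
    suspicious names under one zone: the beaconing pattern, not a one-off."""
    per_key = defaultdict(set)
    for ip, name, _ in parse_queries(text):
        if is_suspicious_name(name):
            per_key[(ip, registered_zone(name))].add(name)
    return sorted(
        (ip, zone, len(names))
        for (ip, zone), names in per_key.items()
        if len(names) >= min_distinct
    )


if __name__ == "__main__":
    for ip, zone, n in flag_hosts(SAMPLE_LOG):
        print(f"{ip} sent {n} distinct suspicious names under {zone}")
```

Run against a real resolver log the thresholds need tuning per environment (CDN hostnames and some anti-spam lookups legitimately carry long hashed labels), which is why the per-client count is the stronger signal of the two.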
NED OS & Software
● Stripped-down Linux
● BusyBox shell
● SSH, HTTP/S management
● Features like VPN tunnels, mesh networking
● On-the-fly software install as “packages”
  – DNS, Apache, Asterisk
  – Attack tools and exploits
  – Powerful scripting languages: Python, Ruby
  – Customizable
Linksys WRT54G
● Cheap, cute
● Secure with default Linksys firmware?
  – Ubiquitous = the “new Windows”
  – Very likely unpublished exploits in the wild
● Opensource alternatives to Linksys firmware
  – OpenWRT
    ● Package system
  – Sveasoft
    ● Mesh networking
● Unleashing the WRT54G....
FairuzaUS for Linksys
● FairuzaUS: www.hackerpimps.com
Treo 650 SSH into FairuzaUS into compromised Windows box
Command line interface over SSH
Nokia 770
● Basics
  – US $300
  – Slow CPU, low RAM
  – 802.11b & Bluetooth
  – Virtual touchscreen keyboard
  – Debian Linux PDA
  – Software
● Lots of development via Maemo project
● Many security tool packages by independent folks
  – Tcpdump, Nmap, Dsniff, Kismet, Bluetooth audit
Gumstix
● Ultra-small computers ($120 +)
● Expandable “snap in” boards
  – CF storage and 802.11b wireless
  – Single and dual Ethernet with POE
    ● MITM hardware device with dual ethernet
  – Bluetooth
  – USB, serial, PS/2 connectors
  – Used in BlueSniper, UltraSwarm
  – Developer CDs and environment
PicoTux
● Picotux 100 and 112 (US $100 +)
  – World's smallest Linux computer
  – 35mm×19mm×19mm (size of RJ45 connector)
  – Power over ethernet
  – Telnet and HTTP server
  – Developer CDs and environment
● Attacks
  – One of these in the plenum off a Cisco CAT switch
  – “Serial to ethernet connector”
Spooky: Device Enclosures
● Free water cooler offer ;)
  – Potential for power source
  – Legitimate reason for physical presence..and returning
● Office décor
  – Flower safe with X-mas tree & lights...plug 'n play
● Exit Sign, fire extinguisher
  – *Dangerous to mess with emerg. gear
Spooky: 0wn3d Mesh Network
● Municipal networks beware!
● Build It
  – EVDO gateway for Internet
  – Drive-by/Walk-by AP 0wn4g3
  – Senao AP w/ YAGI = Sweeper
● Run It
  – Karma = DHCP for everybody
  – Shared crypto keys, cron jobs, remote ssh-fs mounts
● Own it
  – Attack everything, browser exploits on capture portal
Spooky: In-Transit “Marketing”
● Airports, train stations, bus stations, subways, etc.
  – Bluetooth spamming with “scary” message content
  – 0wn3d wifi networks & Windows Messaging
● Multiplier-effect
  – Simultaneous at multiple hubs in US
  – “Scary message”
● Huge productivity costs
  – Wrong message
● Used as diversion, secondary attack, etc.
Spooky: Long-distance, the next best thing to being there
● Home-built Bluetooth/Wifi “Sniper” setups
Bluetooth targets up to one mile; 802.11b targets up to...?
How far? 802.11b over 125 miles
Countermeasures
● Know the risks and threats
● Know your network devices and traffic
● User education, buy-in, ownership of the problem
● Policy and “best practices”
● Planned response
● Other measures
  – Honeypots, Honeynets, Bluetooth-honeypot
  – Calling the cavalry (private specialists, Johnny Law)
  – Hack-backs
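"Know your network devices" is the countermeasure that directly answers a disposable box plugged into a spare jack or dropped inline on dual-Ethernet hardware. As an added example (not the talk's own tooling), the script below diffs a Linux `arp -a` style snapshot against an asset inventory and reports unknown devices, inventoried IPs whose MAC changed, and inventoried hosts that have gone quiet. It also notes MACs with the locally-administered bit set, a weak hint that the address was assigned by software. The snapshot, the inventory and every address in them are constructed placeholders; the format assumption is only the `(ip) at mac` portion of `arp -a` output.

```python
"""Audit a LAN snapshot against an asset inventory.

Added example, not from the talk. Compares a Linux `arp -a` style
snapshot (constructed here) against an inventory of expected IP->MAC
pairs and reports: unknown devices, known IPs whose MAC changed, and
inventoried hosts that are absent. A locally-administered MAC (bit 0x02
of the first octet) is flagged because software-set addresses are a
weak hint of a spoofed or purpose-built device.
"""
import re

# Constructed snapshot in the output format of Linux `arp -a`.
SAMPLE_ARP = """\
core-switch.corp (10.0.0.1) at 00:11:22:33:44:01 [ether] on eth0
printer-3f.corp (10.0.0.40) at 00:11:22:33:44:40 [ether] on eth0
? (10.0.0.55) at 02:aa:bb:cc:dd:55 [ether] on eth0
fileserver.corp (10.0.0.10) at 00:11:22:33:44:99 [ether] on eth0
"""

# Constructed inventory: IP -> (expected MAC, description). Placeholder
# values, not real assets.
INVENTORY = {
    "10.0.0.1": ("00:11:22:33:44:01", "core switch"),
    "10.0.0.40": ("00:11:22:33:44:40", "3rd-floor printer"),
    "10.0.0.10": ("00:11:22:33:44:10", "file server"),
    "10.0.0.200": ("00:11:22:33:44:c8", "badge reader"),
}

# Only the "(ip) at mac" portion of the line is relied upon.
ARP_RE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp(text: str) -> dict:
    """Return {ip: mac} from arp -a output, MACs normalised to lowercase."""
    return {m.group("ip"): m.group("mac").lower() for m in ARP_RE.finditer(text)}


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit of the first octet is set (software-assigned MAC)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def _ip_key(ip: str) -> tuple:
    """Numeric sort key so 10.0.0.10 sorts after 10.0.0.1, not before 10.0.0.2."""
    return tuple(int(octet) for octet in ip.split("."))


def audit(arp_text: str, inventory: dict) -> list:
    """List of (finding, ip, mac, note) tuples in numeric IP order."""
    seen = parse_arp(arp_text)
    findings = []
    for ip in sorted(set(seen) | set(inventory), key=_ip_key):
        expected = inventory.get(ip, (None, None))[0]
        actual = seen.get(ip)
        if actual is None:
            # Inventoried but not on the wire right now: worth a look, not an alarm.
            findings.append(("missing", ip, expected, inventory[ip][1]))
        elif expected is None:
            note = "locally-administered MAC" if is_locally_administered(actual) else ""
            findings.append(("unknown-device", ip, actual, note))
        elif expected.lower() != actual:
            # Same IP, different hardware: replaced box, or something answering for it.
            findings.append(("mac-changed", ip, actual, f"expected {expected}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ARP, INVENTORY):
        print(*finding)
```

In practice the snapshot would come from the switch's MAC table or DHCP leases rather than one host's ARP cache, which only sees neighbours it has talked to; the comparison logic is the same either way.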
Looking Forward
● More devices with network access
  – It's only going to get worse....
● “Why is my refrigerator scanning my network?”
● Same old issues: poor QA and security, outsourced, lack-of ownership, fixes/patching, etc.
● Tied into critical applications
  – Tele-medicine, mobile data
  – Emergency Communications Infrastructure
● Vonage over Linksys box was NO lifeline post-Katrina
● Plenty others...stay tuned!
Questions?
Thanks!
Contact: shawnmer @ gmail.com