SlideShare a Scribd company logo
1 of 45
Download to read offline
Social-Engineering
Pentesting over Power lines

Dave Kennedy (@Dave_ReL1K)
Rob Simon (@KickenChicken57)
   http://www.secmaniac.com
About Rob
•  Application Security Engineer, Fortune 1000
•  Penetration Tester
•  Source Code Analysis
•  Spare time plays with home automation gear
•  C/C++/C#
•  Also hugs..
About Me
•  Creator of the Social-Engineer Toolkit
•  Founder of DerbyCon
•  Author of new book from NoStarch Press on Metasploit
•  Back|Track Development Team
•  Exploit-DB Development Team
•  Exploit Writer
•  Penetration Tester
•  Chief Information Security Officer, Fortune 1000
•  I give hugs..
Before we start…a slight detour
Introduction on the Teensy

•  Originally covered by Adrian Crenshaw (irongeek)


•  Morphed into a weapon last year at Defcon.


•  The ability to emulate any keyboard and leverage full character
   sets with on-board storage.
The Teensy Device
Teensy, Teensy ++, Customized
Motion Sensor Teensy (thnx. Garland)
Let’s walk through some basics

•  In order to get a binary to the system we need to convert it to
   keyboard-acceptable characters.


•  Our choice was leveraging binary to hex conversion methods.
   Conversely you could easily use base64.
Some code
Okay now we got some hex…

•  Okay, now we have some hex… We need a way to convert it
   back to a binary when its written to a file on the system through
   the teensy..


•  You could leverage vbs, we decided on PowerShell as it’s
   pretty much on every Windows XP instance and integrated into
   Vista and Windows 7 and can’t be removed.
Some more code
Moving it to Teensy
Moving it to Teensy Pt. 2
Bummer…

•  So unfortunately, this method didn’t work, after breaking it
   down to hex or base64, the file was above what the Teensy++
   could handle.


•  So we looked at another alternative…
Shellcodeexec

•  Works on DEP/NX enabled systems by storing shellcode as
   +rwx.


•  Supports alphanumeric encoded payloads which means a
   meterpreter stager will be extremely small character wise.
Testing it out…

•  Custom compile shellcodeexec and convert to hex


•  Create a meterpreter reverse_tcp via alphanumeric shellcode


•  Execute shellcode exec and launch alphanumeric shellcode
   into memory without ever touching disk
DEMO
That’s not all…

•  We then soldered on the SDCard mount and were able to get
   the teensy to read off the microcontroller and put as large of a
   file as we want onto the system..
Defcon 2011 - Penetration Testing Over Powerlines
Okay…back on track sorry. Squirrel…
Introduction

•  We’ll be covering three main categories.
      •    IEEE 1901-2010 Standard for Broadband over Power Lines (published February 2011)
      •    IEEE 1675-2008 Standard for Broadband hardware installation
      •    G.hn is a competing standard (for example AT&T uses this)
      •    X10, Crestron, Lutron, Z-Wave
      •    New tools release



•    How to leverage these in penetration testing


•    New things to come that are currently in development
Broadband over Power Lines (BPL)

•    Speeds around 500KB to 135MBPS based on price (home plug
     certification).


•    Leveraged for Ethernet over power lines.


•    Mostly used as residential areas for home networking however used
     in some corporate environments.


•    Homeplug 2005 AV specification increased the peak data from 14
     MBPS to 200 MBPS.


•    Homeplug PHY is used for smart grid infrastructures (100 bucks for
     the specification…just Google for it :P) but is mostly being used for
     smart grids as well as home use.
Understanding BPL

•    Normal wiring systems were designed for the transmissions of
     AC power.
      •    Drawbacks are it has a limited to carry higher frequencies



•    Most home/corporate security uses 56bit DES :P


•    Typically transmits via medium to high frequencies (1.6 to
     80mhz) for more corporate use and 20 and 200khz for home
     use.


•    BPL is actively being used in car network communications,
     HVAC systems, security systems, network communications and
     much more.
PHY Smart Grids

•    Allows long range transmissions of network
     signals through multiple power lines.


•    Used by virtually every country due to its low
     cost implementation.


•    Allows communications on both wired and
     wireless based transmissions.
      •    The PHY Alliance and Zigbee Alliance has came
           together to create a single standard for a combined
           infrastructure.
Home Ethernet over Power

•    Generally support DES (ew) or AES.
      •    Turned off by default.



•    Allow as many devices you want to plug in to
     support power of Ethernet.


•    Awesome for penetration testing.
Real World Scenario

•    Physical penetration test on CompanyX.


•    You place the BPL device next to a
     company within the corporate
     environment.


•    You can now find a place inside the
     organization or outside exposed power
     jacks to perform your penetration test.
Home Automation

•    We’ll be covering the two main ones:
      •    X10 (60 Hz over powerlines)
      •    Z-Wave (900 MHz)



•    There are a number of other ones including
     proprietary/commercial:
      •    Crestron
      •    Lutron (433 mhz)
      •    Zigbee (2.4ghz, 915 MHz, and 868 MHz)
      •    Insteon (dual band powerlines and RF)
Home Automation Basics

•    Home automation is used in a number of large businesses, homes and other facilities.


•    Provides interconnectivity to multiple systems and allows automated responses to occur
     based on if a criteria is met.


•    Gaining major momentum in most organizations.
Basics of X10
•    Still highly used within home automation.


•    Provides easy access to communicate between devices through power lines and
     some through RF.


•    Some equipment used by X10 include:
      •    HVAC
      •    Motion Sensors
      •    Lights
      •    Cameras
      •    Security systems
      •    Doors
Some drawbacks of X10




•    Lack of encryption (ouch)
•    Only allows 256 devices
•    Could have heavy interference
X10 Codes
0000   All units off      Switch off all devices with the house code indicated in the message

0001   All lights on      Switches on all lighting devices (with the ability to control brightness)

0010   On                 Switches on a device

0011   Off                Switches off a device

0100   Dim                Reduces the light intensity

0101   Bright             Increases the light intensity

0111   Extended code      Extension code

1000   Hail request       Requests a response from the device(s) with the house code indicated in the message

1001   Hail acknowledge   Response to the previous command

101x   Pre-set dim        Allows the selection of two predefined levels of light intensity

1101   Status is on       Response to the Status Request indicating that the device is switched on

1110   Status is off      Response indicating that the device is switched off

1111   Status request     Request requiring the status of a device
X10 Kit
Testing the jammer/sniffer
The Arduino Device
New Tool Release – X10 Blackout

•    In the Social-Engineer Toolkit v2.0


•    Jams X10 based signals in order to prevent security systems from triggering or other
     devices.


•    Easy to do with RF however illegal  but…hypothetically…
New Tool Release – X10 Sniffer

•    In the Social-Engineer Toolkit v2.0


•    Sniffs all X10 bases traffic and sends you the information. We’ve been playing around
     with it sending over Verizon via text messages, almost done… Right now it writes to
     external storage.


•    Ability to trigger on certain events, for example if a security system is armed and
     triggers, it will send a jamming signal to prevent it from alerting.


•    A lot of the security systems use RF which is identical to jam, just via a airwaves.
Z-Wave
•    Leverages Mesh networks in order to communicate between devices


•    Support for AES however we haven’t found a device that uses it (we’ll talk about this).


•    Similar devices can be leveraged via Z-Wave and is considered one of the more
     prominent home automation standards.
Z-Wave

•    Jamming is very simple and can cause significant disruptions (illegal? :P)


•    Transmission on the Z-Wave network is relatively easy and the SDK provides a Z-Wave
     sniffer for “troubleshooting”.


•    Easy to develop Z-Wave based-sniffer that jams signals based on certain criteria, i.e.
     motion sensors, cameras, etc.


•    Ability to inject seamless data into the Z-Wave network including replay of camera feeds,
     and such.
AES Encryption Exposure

•    During initial pairing of devices, the
     AES initialization key can be
     captured allowing decryption and
     tampering of communications.


•    Not leveraging standard FIPS
     compliant-based transmission of
     AES key.
New Tool Release

•    The Social-Engineer Toolkit v2.0 is now being released.


•    Includes all of the code to automatically generate all of this for you.
Coming soon….

•    Sniffer based on Z-Wave initialization encryption keys.


•    Sniffer and Z-Wave injector that will send information to the systems.
Defcon 2011 - Penetration Testing Over Powerlines
DerbyCon)
•  Three)day)conference)with)
   training)
•  Insanely)stacked)line9up)
•  September)30)9)October)2nd))
•  Louisville)Kentucky)9)Hyatt)
   Regency)

http://www.derbycon.com!

info@derbycon.com!
davek@social-engineer.org
   Twitter: dave_ReL1K

More Related Content

What's hot

Embedded Web Server based Home Automation using Raspberry PI
Embedded Web Server based Home Automation using Raspberry PIEmbedded Web Server based Home Automation using Raspberry PI
Embedded Web Server based Home Automation using Raspberry PIEditor IJMTER
 
Introduction to Home Automation
Introduction to Home AutomationIntroduction to Home Automation
Introduction to Home AutomationRuslan Ulanov
 
Hacking RF based IoT devices
Hacking RF based IoT devicesHacking RF based IoT devices
Hacking RF based IoT devicesErez Metula
 
Wireless lan
Wireless lanWireless lan
Wireless lanchalalux
 
IoT Getting Started with Intel® IoT Devkit
IoT Getting Started with Intel® IoT DevkitIoT Getting Started with Intel® IoT Devkit
IoT Getting Started with Intel® IoT DevkitVasily Ryzhonkov
 
All your Bluetooth is belong to us - the rest too.
All your Bluetooth is belong to us - the rest too.All your Bluetooth is belong to us - the rest too.
All your Bluetooth is belong to us - the rest too.Thierry Zoller
 
FreshLoc Core Product Specifications
FreshLoc Core Product SpecificationsFreshLoc Core Product Specifications
FreshLoc Core Product SpecificationsKevin MacKenzie
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networksSahil Rai
 
The Arduino WiFi Shield
The Arduino WiFi ShieldThe Arduino WiFi Shield
The Arduino WiFi Shieldkellison00
 
2018 all lens bag of tricks v1.2
2018 all lens bag of tricks v1.22018 all lens bag of tricks v1.2
2018 all lens bag of tricks v1.2Len Noe
 
Track 1 session 8 - st dev con 2016 - smart factories
Track 1   session 8 - st dev con 2016 -  smart factoriesTrack 1   session 8 - st dev con 2016 -  smart factories
Track 1 session 8 - st dev con 2016 - smart factoriesST_World
 
Practical Examples of LoRaWAN in Action
Practical Examples of LoRaWAN in ActionPractical Examples of LoRaWAN in Action
Practical Examples of LoRaWAN in ActionRobin Harris
 
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration TestingMr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testingnooralmousa
 
謝續平
謝續平謝續平
謝續平9577601
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security Filip Waeytens
 
Hack wifi password using kali linux
Hack wifi password using kali linuxHack wifi password using kali linux
Hack wifi password using kali linuxHelder Oliveira
 
Ce hv6 module 60 firewall technologies
Ce hv6 module 60 firewall technologiesCe hv6 module 60 firewall technologies
Ce hv6 module 60 firewall technologiesVi Tính Hoàng Nam
 
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painfDEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painfFelipe Prado
 
Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!Codemotion
 

What's hot (20)

Embedded Web Server based Home Automation using Raspberry PI
Embedded Web Server based Home Automation using Raspberry PIEmbedded Web Server based Home Automation using Raspberry PI
Embedded Web Server based Home Automation using Raspberry PI
 
Introduction to Home Automation
Introduction to Home AutomationIntroduction to Home Automation
Introduction to Home Automation
 
Hacking RF based IoT devices
Hacking RF based IoT devicesHacking RF based IoT devices
Hacking RF based IoT devices
 
Wireless lan
Wireless lanWireless lan
Wireless lan
 
IoT Getting Started with Intel® IoT Devkit
IoT Getting Started with Intel® IoT DevkitIoT Getting Started with Intel® IoT Devkit
IoT Getting Started with Intel® IoT Devkit
 
All your Bluetooth is belong to us - the rest too.
All your Bluetooth is belong to us - the rest too.All your Bluetooth is belong to us - the rest too.
All your Bluetooth is belong to us - the rest too.
 
FreshLoc Core Product Specifications
FreshLoc Core Product SpecificationsFreshLoc Core Product Specifications
FreshLoc Core Product Specifications
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networks
 
The Arduino WiFi Shield
The Arduino WiFi ShieldThe Arduino WiFi Shield
The Arduino WiFi Shield
 
2018 all lens bag of tricks v1.2
2018 all lens bag of tricks v1.22018 all lens bag of tricks v1.2
2018 all lens bag of tricks v1.2
 
Track 1 session 8 - st dev con 2016 - smart factories
Track 1   session 8 - st dev con 2016 -  smart factoriesTrack 1   session 8 - st dev con 2016 -  smart factories
Track 1 session 8 - st dev con 2016 - smart factories
 
Practical Examples of LoRaWAN in Action
Practical Examples of LoRaWAN in ActionPractical Examples of LoRaWAN in Action
Practical Examples of LoRaWAN in Action
 
Securing wireless network
Securing wireless networkSecuring wireless network
Securing wireless network
 
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration TestingMr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
 
謝續平
謝續平謝續平
謝續平
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security
 
Hack wifi password using kali linux
Hack wifi password using kali linuxHack wifi password using kali linux
Hack wifi password using kali linux
 
Ce hv6 module 60 firewall technologies
Ce hv6 module 60 firewall technologiesCe hv6 module 60 firewall technologies
Ce hv6 module 60 firewall technologies
 
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painfDEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
 
Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!Lab Handson: Power your Creations with Intel Edison!
Lab Handson: Power your Creations with Intel Edison!
 

Similar to Defcon 2011 - Penetration Testing Over Powerlines

2017 - LISA - LinkedIn's Distributed Firewall (DFW)
2017 - LISA - LinkedIn's Distributed Firewall (DFW)2017 - LISA - LinkedIn's Distributed Firewall (DFW)
2017 - LISA - LinkedIn's Distributed Firewall (DFW)Mike Svoboda
 
Gab 2015 aymeric weinbach azure iot
Gab   2015 aymeric weinbach azure iot Gab   2015 aymeric weinbach azure iot
Gab 2015 aymeric weinbach azure iot Aymeric Weinbach
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Sessionveerababu penugonda(Mr-IoT)
 
How to Build Out a Tech Eco-System | Dan Cregg | Lunch & Learn
How to Build Out a Tech Eco-System | Dan Cregg | Lunch & Learn How to Build Out a Tech Eco-System | Dan Cregg | Lunch & Learn
How to Build Out a Tech Eco-System | Dan Cregg | Lunch & Learn UCICove
 
Smarthometechshort 13304126815608-phpapp01-120228010616-phpapp01
Smarthometechshort 13304126815608-phpapp01-120228010616-phpapp01Smarthometechshort 13304126815608-phpapp01-120228010616-phpapp01
Smarthometechshort 13304126815608-phpapp01-120228010616-phpapp01Anhbaatar Aagii
 
Embedded system and its platforms
Embedded system and its platformsEmbedded system and its platforms
Embedded system and its platformsMrunal Deshkar
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Security Weekly
 
Null mumbai-iot-workshop
Null mumbai-iot-workshopNull mumbai-iot-workshop
Null mumbai-iot-workshopNitesh Malviya
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE EditionXavier Mertens
 
6-IoT protocol.pptx
6-IoT protocol.pptx6-IoT protocol.pptx
6-IoT protocol.pptxPratik Gohel
 
Global Azure boot camp 2015 - Microsoft IoT Solutions with Azure
Global Azure boot camp 2015 - Microsoft IoT Solutions with AzureGlobal Azure boot camp 2015 - Microsoft IoT Solutions with Azure
Global Azure boot camp 2015 - Microsoft IoT Solutions with AzureVinoth Rajagopalan
 
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...Edge AI and Vision Alliance
 
Smart Home Tech Short
Smart Home Tech ShortSmart Home Tech Short
Smart Home Tech Shortchowfei
 
Network Multitenancy in Xen-Based Clouds-XPUS13 Vittal
Network Multitenancy in Xen-Based Clouds-XPUS13 VittalNetwork Multitenancy in Xen-Based Clouds-XPUS13 Vittal
Network Multitenancy in Xen-Based Clouds-XPUS13 VittalThe Linux Foundation
 
SIGFOX Makers Tour - Barcelona
SIGFOX Makers Tour - BarcelonaSIGFOX Makers Tour - Barcelona
SIGFOX Makers Tour - BarcelonaNicolas Lesconnec
 
Connecting_Things_2.01_Instructor Supplemental Materials_Chapter4.pptx
Connecting_Things_2.01_Instructor Supplemental Materials_Chapter4.pptxConnecting_Things_2.01_Instructor Supplemental Materials_Chapter4.pptx
Connecting_Things_2.01_Instructor Supplemental Materials_Chapter4.pptxssuser52b751
 
Null mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNull mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNitesh Malviya
 

Similar to Defcon 2011 - Penetration Testing Over Powerlines (20)

2017 - LISA - LinkedIn's Distributed Firewall (DFW)
2017 - LISA - LinkedIn's Distributed Firewall (DFW)2017 - LISA - LinkedIn's Distributed Firewall (DFW)
2017 - LISA - LinkedIn's Distributed Firewall (DFW)
 
Gab 2015 aymeric weinbach azure iot
Gab   2015 aymeric weinbach azure iot Gab   2015 aymeric weinbach azure iot
Gab 2015 aymeric weinbach azure iot
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
 
How to Build Out a Tech Eco-System | Dan Cregg | Lunch & Learn
How to Build Out a Tech Eco-System | Dan Cregg | Lunch & Learn How to Build Out a Tech Eco-System | Dan Cregg | Lunch & Learn
How to Build Out a Tech Eco-System | Dan Cregg | Lunch & Learn
 
Smarthometechshort 13304126815608-phpapp01-120228010616-phpapp01
Smarthometechshort 13304126815608-phpapp01-120228010616-phpapp01Smarthometechshort 13304126815608-phpapp01-120228010616-phpapp01
Smarthometechshort 13304126815608-phpapp01-120228010616-phpapp01
 
hdl
hdlhdl
hdl
 
Embedded system and its platforms
Embedded system and its platformsEmbedded system and its platforms
Embedded system and its platforms
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
 
Null mumbai-iot-workshop
Null mumbai-iot-workshopNull mumbai-iot-workshop
Null mumbai-iot-workshop
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition
 
6-IoT protocol.pptx
6-IoT protocol.pptx6-IoT protocol.pptx
6-IoT protocol.pptx
 
Global Azure boot camp 2015 - Microsoft IoT Solutions with Azure
Global Azure boot camp 2015 - Microsoft IoT Solutions with AzureGlobal Azure boot camp 2015 - Microsoft IoT Solutions with Azure
Global Azure boot camp 2015 - Microsoft IoT Solutions with Azure
 
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
 
Java & IoT
Java & IoTJava & IoT
Java & IoT
 
Smart Home Tech Short
Smart Home Tech ShortSmart Home Tech Short
Smart Home Tech Short
 
Network Multitenancy in Xen-Based Clouds-XPUS13 Vittal
Network Multitenancy in Xen-Based Clouds-XPUS13 VittalNetwork Multitenancy in Xen-Based Clouds-XPUS13 Vittal
Network Multitenancy in Xen-Based Clouds-XPUS13 Vittal
 
SIGFOX Makers Tour - Barcelona
SIGFOX Makers Tour - BarcelonaSIGFOX Makers Tour - Barcelona
SIGFOX Makers Tour - Barcelona
 
Connecting_Things_2.01_Instructor Supplemental Materials_Chapter4.pptx
Connecting_Things_2.01_Instructor Supplemental Materials_Chapter4.pptxConnecting_Things_2.01_Instructor Supplemental Materials_Chapter4.pptx
Connecting_Things_2.01_Instructor Supplemental Materials_Chapter4.pptx
 
Null mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNull mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmware
 

More from Michael Smith

DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsDHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsMichael Smith
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)Michael Smith
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)Michael Smith
 
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...Michael Smith
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)Michael Smith
 
DefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityDefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityMichael Smith
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerDefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerMichael Smith
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - LeeDefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - LeeMichael Smith
 
DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)Michael Smith
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)Michael Smith
 
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKDefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKMichael Smith
 
DefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersDefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersMichael Smith
 
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsDefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsMichael Smith
 
DefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksDefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksMichael Smith
 
DefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYDefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYMichael Smith
 
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingDefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingMichael Smith
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersMichael Smith
 
DefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesDefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesMichael Smith
 
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataDefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataMichael Smith
 
DefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingDefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingMichael Smith
 

More from Michael Smith (20)

DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsDHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
 
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)
 
DefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityDefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency Security
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerDefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - LeeDefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - Lee
 
DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)
 
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKDefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
 
DefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersDefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water Meters
 
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsDefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
 
DefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksDefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM Attacks
 
DefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYDefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPY
 
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingDefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO Routers
 
DefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesDefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware Vulnerabilities
 
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataDefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android Data
 
DefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingDefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter Hacking
 

Recently uploaded

Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 

Recently uploaded (20)

Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 

Defcon 2011 - Penetration Testing Over Powerlines

  • 1. Social-Engineering Pentesting over Power lines Dave Kennedy (@Dave_ReL1K) Rob Simon (@KickenChicken57) http://www.secmaniac.com
  • 2. About Rob •  Application Security Engineer, Fortune 1000 •  Penetration Tester •  Source Code Analysis •  Spare time plays with home automation gear •  C/C++/C# •  Also hugs..
  • 3. About Me •  Creator of the Social-Engineer Toolkit •  Founder of DerbyCon •  Author of new book from NoStarch Press on Metasploit •  Back|Track Development Team •  Exploit-DB Development Team •  Exploit Writer •  Penetration Tester •  Chief Information Security Officer, Fortune 1000 •  I give hugs..
  • 4. Before we start…a slight detour
  • 5. Introduction on the Teensy •  Originally covered by Adrian Crenshaw (irongeek) •  Morphed into a weapon last year at Defcon. •  The ability to emulate any keyboard and leverage full character sets with on-board storage.
  • 7. Teensy, Teensy ++, Customized
  • 8. Motion Sensor Teensy (thnx. Garland)
  • 9. Let’s walk through some basics •  In order to get a binary to the system we need to convert it to keyboard-acceptable characters. •  Our choice was leveraging binary to hex conversion methods. Conversely you could easily use base64.
  • 11. Okay now we got some hex… •  Okay, now we have some hex… We need a way to convert it back to a binary when its written to a file on the system through the teensy.. •  You could leverage vbs, we decided on PowerShell as it’s pretty much on every Windows XP instance and integrated into Vista and Windows 7 and can’t be removed.
  • 13. Moving it to Teensy
  • 14. Moving it to Teensy Pt. 2
  • 15. Bummer… •  So unfortunately, this method didn’t work, after breaking it down to hex or base64, the file was above what the Teensy++ could handle. •  So we looked at another alternative…
  • 16. Shellcodeexec •  Works on DEP/NX enabled systems by storing shellcode as +rwx. •  Supports alphanumeric encoded payloads which means a meterpreter stager will be extremely small character wise.
  • 17. Testing it out… •  Custom compile shellcodeexec and convert to hex •  Create a meterpreter reverse_tcp via alphanumeric shellcode •  Execute shellcode exec and launch alphanumeric shellcode into memory without ever touching disk
  • 18. DEMO
  • 19. That’s not all… •  We then soldered on the SDCard mount and were able to get the teensy to read off the microcontroller and put as large of a file as we want onto the system..
  • 21. Okay…back on track sorry. Squirrel…
  • 22. Introduction •  We’ll be covering three main categories. •  IEEE 1901-2010 Standard for Broadband over Power Lines (published February 2011) •  IEEE 1675-2008 Standard for Broadband hardware installation •  G.hn is a competing standard (for example AT&T uses this) •  X10, Crestron, Lutron, Z-Wave •  New tools release •  How to leverage these in penetration testing •  New things to come that are currently in development
  • 23. Broadband over Power Lines (BPL) •  Speeds around 500KB to 135MBPS based on price (home plug certification). •  Leveraged for Ethernet over power lines. •  Mostly used as residential areas for home networking however used in some corporate environments. •  Homeplug 2005 AV specification increased the peak data from 14 MBPS to 200 MBPS. •  Homeplug PHY is used for smart grid infrastructures (100 bucks for the specification…just Google for it :P) but is mostly being used for smart grids as well as home use.
  • 24. Understanding BPL •  Normal wiring systems were designed for the transmissions of AC power. •  Drawbacks are it has a limited to carry higher frequencies •  Most home/corporate security uses 56bit DES :P •  Typically transmits via medium to high frequencies (1.6 to 80mhz) for more corporate use and 20 and 200khz for home use. •  BPL is actively being used in car network communications, HVAC systems, security systems, network communications and much more.
  • 25. PHY Smart Grids •  Allows long range transmissions of network signals through multiple power lines. •  Used by virtually every country due to its low cost implementation. •  Allows communications on both wired and wireless based transmissions. •  The PHY Alliance and Zigbee Alliance has came together to create a single standard for a combined infrastructure.
  • 26. Home Ethernet over Power •  Generally support DES (ew) or AES. •  Turned off by default. •  Allow as many devices you want to plug in to support power of Ethernet. •  Awesome for penetration testing.
  • 27. Real World Scenario •  Physical penetration test on CompanyX. •  You place the BPL device next to a company within the corporate environment. •  You can now find a place inside the organization or outside exposed power jacks to perform your penetration test.
  • 28. Home Automation •  We’ll be covering the two main ones: •  X10 (60 Hz over powerlines) •  Z-Wave (900 MHz) •  There are a number of other ones including proprietary/commercial: •  Crestron •  Lutron (433 mhz) •  Zigbee (2.4ghz, 915 MHz, and 868 MHz) •  Insteon (dual band powerlines and RF)
  • 29. Home Automation Basics •  Home automation is used in a number of large businesses, homes and other facilities. •  Provides interconnectivity to multiple systems and allows automated responses to occur based on if a criteria is met. •  Gaining major momentum in most organizations.
  • 30. Basics of X10 •  Still highly used within home automation. •  Provides easy access to communicate between devices through power lines and some through RF. •  Some equipment used by X10 include: •  HVAC •  Motion Sensors •  Lights •  Cameras •  Security systems •  Doors
  • 31. Some drawbacks of X10 •  Lack of encryption (ouch) •  Only allows 256 devices •  Could have heavy interference
  • 32. X10 Codes 0000 All units off Switch off all devices with the house code indicated in the message 0001 All lights on Switches on all lighting devices (with the ability to control brightness) 0010 On Switches on a device 0011 Off Switches off a device 0100 Dim Reduces the light intensity 0101 Bright Increases the light intensity 0111 Extended code Extension code 1000 Hail request Requests a response from the device(s) with the house code indicated in the message 1001 Hail acknowledge Response to the previous command 101x Pre-set dim Allows the selection of two predefined levels of light intensity 1101 Status is on Response to the Status Request indicating that the device is switched on 1110 Status is off Response indicating that the device is switched off 1111 Status request Request requiring the status of a device
  • 36. New Tool Release – X10 Blackout •  In the Social-Engineer Toolkit v2.0 •  Jams X10 based signals in order to prevent security systems from triggering or other devices. •  Easy to do with RF however illegal  but…hypothetically…
  • 37. New Tool Release – X10 Sniffer •  In the Social-Engineer Toolkit v2.0 •  Sniffs all X10 bases traffic and sends you the information. We’ve been playing around with it sending over Verizon via text messages, almost done… Right now it writes to external storage. •  Ability to trigger on certain events, for example if a security system is armed and triggers, it will send a jamming signal to prevent it from alerting. •  A lot of the security systems use RF which is identical to jam, just via a airwaves.
  • 38. Z-Wave •  Leverages Mesh networks in order to communicate between devices •  Support for AES however we haven’t found a device that uses it (we’ll talk about this). •  Similar devices can be leveraged via Z-Wave and is considered one of the more prominent home automation standards.
  • 39. Z-Wave •  Jamming is very simple and can cause significant disruptions (illegal? :P) •  Transmission on the Z-Wave network is relatively easy and the SDK provides a Z-Wave sniffer for “troubleshooting”. •  Easy to develop Z-Wave based-sniffer that jams signals based on certain criteria, i.e. motion sensors, cameras, etc. •  Ability to inject seamless data into the Z-Wave network including replay of camera feeds, and such.
  • 40. AES Encryption Exposure •  During initial pairing of devices, the AES initialization key can be captured allowing decryption and tampering of communications. •  Not leveraging standard FIPS compliant-based transmission of AES key.
  • 41. New Tool Release •  The Social-Engineer Toolkit v2.0 is now being released. •  Includes all of the code to automatically generate all of this for you.
  • 42. Coming soon…. •  Sniffer based on Z-Wave initialization encryption keys. •  Sniffer and Z-Wave injector that will send information to the systems.
  • 44. DerbyCon) •  Three)day)conference)with) training) •  Insanely)stacked)line9up) •  September)30)9)October)2nd)) •  Louisville)Kentucky)9)Hyatt) Regency) http://www.derbycon.com! info@derbycon.com!
  • 45. davek@social-engineer.org Twitter: dave_ReL1K