
IoT Cyber+Physical+Social Engineering Attack Security




IoT Cyber+Physical+Social Security

An encyclopedic compendium of tools, techniques, and practices to defend systems that sit at the intersection of the cyber and physical domains; chiefly building automation systems and the Internet of Things.

Published in: Technology

  1. protecting facility operations in the era of the Internet of Things. mike parks | v0.0.2. an encyclopedic compendium of offensive and defensive tools, tactics, techniques, and procedures: cyber, physical, and social engineering attack security.
  2. encyclopedic compendium.
     ● this slide deck is meant to be a quick look-up of ideas, best practices, tools, techniques, and resources found in the main presentation
     ● do not read this slide deck alone and grant yourself master status.
     ● WARNING: This is for educational purposes only. Never perform any sort of penetration test or vulnerability assessment on systems that you do not own and have not been given explicit permission to test. Prior to commencing any assessment work, document the rules of engagement to govern the test in writing. Have the rules signed by both parties. Always seek to do no harm. Failure to do so could leave you in a world of hurt from a legal liability perspective.
     ● goal is to make defenders better, not prove how l33t we are
     ● i am a lifetime student, not an expert
  3. cyber/physical/social security: a team effort. Building Automation Cyber / Physical / Social Security Skill Sets: Facility Management · IT Security · Physical Security · IoT Device Design, Manufacture, Install, Maintenance (OEMs / Installers / Service Providers) · Environmental and Safety · OT Operations and Security
  4. social engineering skills + physical access attacks + digital hacks = access, compromise, denial of use, misuse, and destruction of physical objects and processes that may result in loss of life, limb, or property. bottom line: we aren't just worried about losing bits of data any more.
  5. simple truths of a digital world.
     ● everything is getting on the internet (iot or internet of things) because it's cheap (esp8266) and allows devices to be updated. it also provides companies a new revenue stream through service/subscription business models. convenience will outweigh individual risk. get over it.
     ● building system equipment is going digital too.
       ○ usb ports for diagnostics, or perhaps some other serial interface.
       ○ firmware at minimum, perhaps a full blown os+software stack.
     ● tools that are useful for security professionals to defend are also good for bad guys to attack. tools are cheap too. some bring their own network interface (BYON or out-of-band channel).
  6. more truth.
     ● good guys need to think about and defend against every possible attack method (attack chains or attack webs).
     ● bad guys need one vulnerability (weakest link).
     ● it's highly asymmetric: risk, cost, consequences.
       ○ Cost of Hack Tools << Cost of Safeguards, but Cost of No Safeguards >> Cost of Safeguards
       ○ tools have legitimate sysadmin uses too, so elimination is not possible
     ● the weakest link is typically wetware (e.g. humans) and is very susceptible to social engineering.
  7. possible outcomes of an ics attack. ● mal-operating the process ● changing set points ● damaging ICS components ● damaging physical equipment ● suppressing safety systems and protections ● causing loss of view ● blocking control ● spoofing operators ● modifying or even spoofing input to logic
  8. 3 key first steps for a good defense.
     > inventory. inventory. inventory. if you don't have a complete inventory of IT/OT assets (hardware and software), build that first. you cannot defend what you don't know you have.
     > it's gold (images). keep gold images of OS, software, and firmware for all systems.
     > log all the things (and events). ensure that logging is turned on for all systems. cloud based logging is even better than local logging.
     INVENTORY DATA FIELDS FOR EVERY DEVICE
     ● Physical: Location · Asset Name / Asset ID Number · Description of Function · Model/Manufacturer · Serial Number
     ● Communications: IP Address · MAC Address · Means of connectivity to the network · Protocol(s) and Ports used
     ● Software: OS Version / Firmware Version · Patches Installed · Configured and active services
     ● Performance and Diagnostics: Device-level diagnostic and prognostic details · Performance data · Event logs · Baseline Network Traffic
  9. next steps in a good defense.
     > remove unauthorized hardware and software from the network
     > control use of administrative privileges. limit 3rd party access to narrow time windows, then shut down ports after the work is done. call ahead to coordinate.
     > implement strong authentication mechanisms and educate your employees on how to protect those credentials.
     > secure all network and internet connections to the control systems and minimize this connectivity wherever possible. secure wireless and remote access and minimize who has authorization to use it.
     > secure and harden the hardware and software configurations of mobile devices, laptops, workstations, servers, industrial networks, endpoints, and control systems
     > increase defense-in-depth layers to secure industrial control system (ICS) systems, including network segmentation and the creation of secure zones, maintaining logging, and controlling who has access (physical and electronic)
     > continuously monitor, assess and respond to change at the endpoints, control system levels, and new vulnerabilities
     > establish, apply, and communicate security policies and then monitor changes against those policies. increase cyber security awareness with training and enforce policies with employees, contractors, and visitors to your facilities.
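As an added example (not from the original deck) of what slides 8 and 9 ask for, this reconciles an inventory built from the slide 8 "Communications" fields against observed connections to flag unauthorized hardware, address changes, unexpected protocols, and inventoried devices that never show up in the logs. The asset ids, MACs, addresses and ports are constructed sample data; in practice the observed records would come from a network sensor.

```python
"""Reconcile the device inventory from slides 8-9 against observed traffic.

Added example, not part of the original slides. INVENTORY uses the slide's
"Communications" fields (IP, MAC, protocols and ports); OBSERVED stands in for
connection records from a network sensor. Both are constructed sample data.
"""

# Constructed inventory: one record per device, keyed by the slide 8 fields.
INVENTORY = [
    {"asset_id": "BAS-001", "function": "AHU-1 controller (BACnet/IP)",
     "ip": "10.0.5.10", "mac": "00:1a:2b:3c:4d:01", "ports": {"udp/47808"}},
    {"asset_id": "BAS-002", "function": "chiller PLC (Modbus TCP)",
     "ip": "10.0.5.11", "mac": "00:1a:2b:3c:4d:02", "ports": {"tcp/502"}},
    {"asset_id": "HMI-001", "function": "operator workstation",
     "ip": "10.0.5.20", "mac": "00:1a:2b:3c:4d:03",
     "ports": {"tcp/443", "udp/47808", "tcp/502"}},
]

# Constructed observed connections: source MAC, source IP, destination port.
OBSERVED = [
    {"mac": "00:1a:2b:3c:4d:03", "ip": "10.0.5.20", "port": "udp/47808"},  # baseline
    {"mac": "00:1a:2b:3c:4d:02", "ip": "10.0.5.11", "port": "tcp/502"},    # baseline
    {"mac": "00:1a:2b:3c:4d:02", "ip": "10.0.5.11", "port": "tcp/23"},     # PLC talking telnet: not baselined
    {"mac": "a4:5e:60:aa:bb:cc", "ip": "10.0.5.77", "port": "tcp/22"},     # MAC not in inventory
    {"mac": "00:1a:2b:3c:4d:01", "ip": "10.0.5.99", "port": "udp/47808"},  # known MAC, wrong IP
]


def reconcile(inventory, observed):
    """Return a sorted, de-duplicated list of (kind, subject, detail) findings.

    kinds: unknown_device  - MAC never inventoried (slide 9: remove unauthorized hardware)
           ip_mismatch     - inventoried MAC seen with a different IP address
           unexpected_port - inventoried device using a port outside its baseline
           silent_device   - inventoried device with no observed traffic (logging gap?)
    """
    by_mac = {rec["mac"].lower(): rec for rec in inventory}
    findings = set()
    seen = set()
    for conn in observed:
        mac = conn["mac"].lower()
        seen.add(mac)
        rec = by_mac.get(mac)
        if rec is None:
            findings.add(("unknown_device", conn["mac"], conn["ip"]))
            continue
        if conn["ip"] != rec["ip"]:
            findings.add(("ip_mismatch", rec["asset_id"], conn["ip"]))
        if conn["port"] not in rec["ports"]:
            findings.add(("unexpected_port", rec["asset_id"], conn["port"]))
    for mac, rec in by_mac.items():
        if mac not in seen:
            findings.add(("silent_device", rec["asset_id"], rec["ip"]))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject, detail in reconcile(INVENTORY, OBSERVED):
        print(f"{kind:16} {subject:20} {detail}")
```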
  10. types of testing.
     > vulnerability assessment: heavy involvement from the system developer and/or operator working alongside security professionals. full access to design documents.
     > penetration test: minimum involvement from the system developer or operator, but they are aware and provide some rules of engagement and/or key data (e.g. ip addresses), and otherwise leave the security professionals alone. communication between parties throughout the test.
     > red team: rules of engagement set between the security professional and the developer/operator ahead of the test. otherwise no contact except for rare exceptions (e.g. the red team finds the system has already been hacked), and the red team does no harm.
  11. IoT Attack Stack (layers, top to bottom): Cloud Infrastructure · Desktop, Mobile, Web Applications · Networking / Communications Protocols · Firmware · Operating System / Bootloader · Hardware · Installed Environment. around the stack: Internet · Other IoT Devices · humans (users, bad actors, service techs) · supply chain. IoT: Internet of Things.
  12. IoT Attack Stack mapped to security disciplines: the same layers (Cloud Infrastructure · Desktop, Mobile, Web Applications · Networking / Communications Protocols · Firmware · Operating System / Bootloader · Hardware · Installed Environment · Internet · Other IoT Devices · humans) are covered by "Traditional" IT Cybersecurity, Hardware Security, Social Engineering Security, and Physical Security.
  13. 1. Weak, Guessable, or Hardcoded Passwords · 2. Insecure Network Services · 3. Insecure Ecosystem Interfaces · 4. Lack of Secure Update Mechanism · 5. Use of Insecure or Outdated Components · 6. Insufficient Privacy Protection · 7. Insecure Data Transfer and Storage · 8. Lack of Device Management · 9. Insecure Default Settings · 10. Lack of Physical Hardening
  14. Vulnerability / Attack Surface / Summary (part 1)

     | Vulnerability | Attack Surface | Summary |
     |---|---|---|
     | Username Enumeration | Administrative Interface; Device Web Interface; Cloud Interface; Mobile Application | Ability to collect a set of valid usernames by interacting with the authentication mechanism |
     | Weak Passwords | Administrative Interface; Device Web Interface; Cloud Interface; Mobile Application | Ability to set account passwords to '1234' or '123456', for example; usage of pre-programmed default passwords |
     | Account Lockout | Administrative Interface; Device Web Interface; Cloud Interface; Mobile Application | Ability to continue sending authentication attempts after 3 - 5 failed login attempts |
     | Unencrypted Services | Device Network Services | Network services are not properly encrypted to prevent eavesdropping or tampering by attackers |
     | Two-factor Authentication | Administrative Interface; Cloud Web Interface; Mobile Application | Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner |
     | Poorly Implemented Encryption | Device Network Services | Encryption is implemented, however it is improperly configured or is not being properly updated, e.g. using SSL v2 |
     | Update Sent Without Encryption | Update Mechanism | Updates are transmitted over the network without using TLS or encrypting the update file itself |
     | Update Location Writable | Update Mechanism | Storage location for update files is world writable, potentially allowing firmware to be modified and distributed to all users |
     | Denial of Service | Device Network Services | Service can be attacked in a way that denies service to that service or the entire device |

  15. Vulnerability / Attack Surface / Summary (part 2)

     | Vulnerability | Attack Surface | Summary |
     |---|---|---|
     | Removal of Storage Media | Device Physical Interfaces | Ability to physically remove the storage media from the device |
     | No Manual Update Mechanism | Update Mechanism | No ability to manually force an update check for the device |
     | Missing Update Mechanism | Update Mechanism | No ability to update the device |
     | Firmware Version Display and/or Last Update Date | Device Firmware | Current firmware version is not displayed and/or the last update date is not displayed |
     | Firmware and storage extraction | JTAG / SWD interface; in-situ dumping; intercepting an OTA update; downloading from the manufacturer's web page; eMMC tapping; unsoldering the SPI flash / eMMC chip and reading it in an adapter | Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc. |
     | Manipulating the code execution flow of the device | JTAG / SWD interface; side channel attacks like glitching | With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls. Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device |
     | Obtaining console access | Serial interfaces (SPI / UART) | By connecting to a serial interface, we will obtain full console access to a device. Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed. |
     | Insecure 3rd party components | Software | Out of date versions of busybox, openssl, ssh, web servers, etc. |
  16. unique aspects of iot security testing.
     > physical access attack: potentially requires no tech skills; easy to damage or steal; attacker must be physically present, so high risk for the attacker.
     > traditional i.t. or network attacks: requires some tech skill, but many tools are out there for non-coders; not easily detectable; less risky for the attacker, who need not be physically present.
     > embedded system attacks: requires significant tech skill; attacker may or may not need to be physically present; can be almost impossible to detect until attacked.
  17. OT vs. IT priorities: OT is AIC (availability, integrity, confidentiality); IT is CIA (confidentiality, integrity, availability).
  18. o.t. lingo for i.t. people. ICS: industrial control system · SCADA: supervisory control and data acquisition · PLC: programmable logic controller · DDC: direct digital control · DCS: distributed control system · MTU: master terminal unit · RTU: remote terminal unit · HMI: human-machine interface · Historian · Data Acquisition Server · Data Diode · Ladder Logic · EWS: engineering workstation · BAS: building automation system · BMS: building management system · PID: proportional, integral, derivative · process variables · set point · Inputs: sensors, switches · Outputs: actuators, electric motors, console lights, valves and contactors
  19. i.t. lingo for o.t. people. FTP: file transfer protocol · HTTP: hypertext transfer protocol · MQTT: message queuing telemetry transport · SMTP: simple mail transfer protocol · SSH: secure shell · Telnet: teletype network · NTP: network time protocol · TCP: transmission control protocol · UDP: user datagram protocol · IP: internet protocol · LAN: local area network · WAN: wide area network · VLAN: virtual LAN · ICMP: internet control message protocol · ARP: address resolution protocol · PPP: point-to-point protocol · MAC: media access control · Ethernet · Gateway · Router · Switches · Bridges · Hubs
  20. i.t. lingo for o.t. people: 5 layer Transmission Control Protocol/Internet Protocol (TCP/IP) model.
     HOST LAYERS
     ● Layer 5, Application: FTP, HTTP, MQTT, SMTP, SSH, Telnet, NTP, Modbus, BACnet (Application Gateway: protocol converter)
     ● Layer 4, Transport: TCP, UDP (Transport Layer Gateway: connects dissimilar networks)
     MEDIA LAYERS
     ● Layer 3, Network: IP address, ICMP, ARP (Router: connects similar networks, subnets)
     ● Layer 2, Data Link: Ethernet, PPP, MAC address (Bridges: connect two parts of one network, VLAN)
     ● Layer 1, Physical: RF, Cat5, WiFi, RS232, RS485, Fiber (Repeater: buffers signal)
  21. protocol examples.
     ● network: TCP/IP, UDP, HTTP, FTP, SCP
     ● embedded: UART, JTAG, SWD, SPI, I2C, 1-Wire
     ● industrial: CAN, RS485, RS422, RS232, 4-20mA, OBD2
     ● wireless: Zigbee, Z-Wave, Bluetooth, WiFi, Cellular
     ● automation: Modbus, BACnet, LonWorks, DNP3, Profinet, EtherCAT, OPC
     ● facility management systems: Tridium - Niagara Framework · Johnson Controls - Metasys · Automated Logic - WebCTRL · Delta Controls - enteliWEB
     ● security controls: SWHouse - C*Cure · Keri - Doors.NET · Schlage - HandNet · Pelco - IP and CCTV · American Dynamics - DVR
  22. let's dig in.
     > begin a survey of tools, but a warning...
     > don't get sucked into acquiring tools upfront. skills first. tools will make you more efficient after the foundational skills are acquired.
     > that said, tool demos are a great way to get organizational leadership to appreciate the risks, and they show how little adversaries need to invest (especially as opposed to the cost of defensive countermeasures) if they intend to attack.
  23. traditional i.t. and network tools.
  24. wifi pineapple. Scan: Command the WiFi landscape and direct attacks from a live recon dashboard, passively monitoring all devices in the vicinity. Target: Limit the audit to specified clients and access points within the scope of engagement and ensure zero collateral damage. Intercept: Acquire clients with a comprehensive suite of WiFi man-in-the-middle tools specializing in targeted asset collection. Report: Record and analyze logs, generate emailed reports at set intervals, and identify vulnerable devices in your organization.
  25. portable ethernet switch and wireless router.
  26. lan turtle. The LAN Turtle is a covert Systems Administration and Penetration Testing tool providing stealth remote access, network intelligence gathering, and man-in-the-middle surveillance capabilities through a simple graphic shell. Housed within a generic "USB Ethernet Adapter" case, the LAN Turtle's covert appearance allows it to blend into many IT environments. OUT OF BAND REMOTE ACCESS: Bring your own back-haul with the LAN Turtle 3G. Simply load a SIM card to provide the LAN Turtle 3G with its own Internet connection. Then drop it on a target network for an instant reverse shell or VPN endpoint and completely bypass the perimeter firewall. Systems Administrators, never fear losing remote access in the event of a network outage. Penetration Testers, this is the plug and play reverse shell you've been waiting for.
  27. packet squirrel. The man-in-the-middle that's nuts for networks. The Packet Squirrel is a stealthy pocket-sized man-in-the-middle. This Ethernet multi-tool is designed to give you covert remote access, painless packet captures, and secure VPN connections with the flip of a switch.
  28. r00tabaga. combines the functionality of a "Pentest Drop Box" with the man-in-the-middle capabilities of a "Hot-Spot Honeypot" into an integrated battery-powered device.
  29. bash bunny. The Bash Bunny by Hak5 is a simple and powerful multi-function USB attack and automation platform for penetration testers and systems administrators. It's easy to set up and deploy with a simple "Bunny Script" language, a multi-position attack switch and a centralized repository of payloads. It's powerful, with multiple attack vectors including HID keyboard, USB Ethernet, Serial and Mass Storage. Simultaneously perform keystroke injection attacks, bring-your-own-network attacks and intelligent exfiltration.
  30. usb rubber ducky. Nearly every computing device accepts human input from keyboards, hence the ubiquitous HID specification, or Human Interface Device. Keyboards announce themselves to computers as HID devices and are in turn automatically recognized and accepted. The USB Rubber Ducky delivers powerful payloads in seconds by taking advantage of the target computer's inherent trust, all while deceiving humans by posing as an ordinary USB drive.
  31. usb ninja. Similar to a rubber ducky, but remotely controlled via bluetooth using a hardware remote or smartphone app.
  32. malduino. Another keystroke injection tool, programmable via the Arduino IDE.
  34. maltronics wifi deauther. A deauther allows you to disconnect devices from a WiFi network, even if you're not connected to that network. Deauthers take advantage of a weakness in the 802.11 protocol which allows the sending of deauthentication frames by unauthorised devices. Deauthers come with other features such as Beacon Spamming (spamming WiFi network names) and Probe Spamming.
  35. poisontap (raspberry pi zero w). siphons cookies, exposes the internal router and installs a web backdoor on locked computers.
  36. cactus whid. remotely inject keystrokes or mouse inputs via a smartphone application.
  37. pwnie
  38. plunder bug. A pocket-sized LAN Tap that lets you "bug" Ethernet connections with USB-C convenience. Coupled with cross-platform scripts and an Android root app, this smart network sniffer enables passive recording or active scanning.
  39. lan tap throwing star. The Throwing Star LAN Tap is a passive Ethernet tap, requiring no power for operation. There are active methods of tapping Ethernet connections (e.g., a mirror port on a switch), but none can beat passive taps for portability. To the target network, the Throwing Star LAN Tap looks just like a section of cable, but the wires in the cable extend to the monitoring ports in addition to connecting one target port to the other.
  40. usb keylogger. Intercept keystrokes from a keyboard and either store the keystrokes locally or transmit them wirelessly.
  41. inputstick. remotely inject keystrokes or mouse inputs via a smartphone application.
  42. rainbow tables. precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a password (or credit card numbers, etc.) up to a certain length consisting of a limited set of characters. It is a practical example of a space-time tradeoff, using less computer processing time and more storage than a brute-force attack which calculates a hash on every attempt, but more processing time and less storage than a simple lookup table with one entry per hash. Use of a key derivation function that employs a salt makes this attack infeasible.
     1. Starting from the hash ("re3xes") in the image (not reproduced in this extract), one computes the last reduction used in the table and checks whether the password appears in the last column of the table (step 1).
     2. If the test fails (rambo doesn't appear in the table), one computes a chain with the two last reductions (these two reductions are represented at step 2). Note: if this new test fails again, one continues with 3 reductions, 4 reductions, etc. until the password is found. If no chain contains the password, then the attack has failed.
     3. If this test is positive (step 3, linux23 appears at the end of the chain and in the table), the password is retrieved at the beginning of the chain that produces linux23. Here we find passwd at the beginning of the corresponding chain stored in the table.
     4. At this point (step 4), one generates a chain and compares at each iteration the hash with the target hash. The test is valid and we find the hash re3xes in the chain. The current password (culture) is the one that produced the whole chain: the attack is successful.
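A toy implementation of the four lookup steps above, added here as an example (not from the original deck), which also shows why the salted key derivation mentioned in the slide leaves the table useless. Assumptions: unsalted SHA-1 as the target hash, a keyspace of 4 lowercase letters, chain length 20, 1000 chains and a fixed seed so the table builds in well under a second and the run is reproducible.

```python
"""Toy rainbow table: the four lookup steps from slide 42, plus the salt defense.

Added example, not from the original deck. Assumptions: unsalted SHA-1 as the
target hash, a 4-lowercase-letter keyspace, chain length 20, 1000 chains and a
constructed seed so the table is reproducible and builds in well under a second.
"""
import hashlib
import random
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 4
CHAIN_LEN = 20       # reductions per chain (table "columns")
NUM_CHAINS = 1000    # starting points (table "rows")


def h(password: str) -> str:
    """Unsalted SHA-1 hex digest, the kind of hash a rainbow table targets."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_h(password: str, salt: bytes) -> str:
    """Salted variant: same function, but a per-user salt changes every digest."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def reduce_hash(digest: str, step: int) -> str:
    """Map a digest back into the password space.

    The column index is mixed in so that each column uses a different
    reduction; that is what distinguishes rainbow chains from classic Hellman
    chains and limits chain merging."""
    n = int(digest, 16) + step
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def chain_from(start: str, steps: int) -> str:
    """Walk `steps` hash-then-reduce pairs from a start password and return the
    password in column `steps` of that chain (column 0 is the start itself)."""
    pw = start
    for step in range(steps):
        pw = reduce_hash(h(pw), step)
    return pw


def build_table(num_chains: int = NUM_CHAINS) -> dict:
    """Precompute chains but store only {endpoint: start}: this is the
    space/time trade-off; a plain lookup table would store every hash."""
    rng = random.Random(1234)  # constructed seed for reproducibility
    table = {}
    for _ in range(num_chains):
        start = "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))
        table[chain_from(start, CHAIN_LEN)] = start
    return table


def lookup(table: dict, target: str):
    """Recover the password behind `target`, or None if no chain contains it.

    Steps 1-2: apply only the last reduction to the target, then the last
    two, and so on, each time checking whether the resulting endpoint is in
    the table. Steps 3-4: when it is, regenerate that chain from its stored
    start and compare every hash along the way with the target."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_hash(target, col)
        for step in range(col + 1, CHAIN_LEN):
            pw = reduce_hash(h(pw), step)
        if pw in table:
            candidate = table[pw]
            for step in range(CHAIN_LEN):
                if h(candidate) == target:
                    return candidate
                candidate = reduce_hash(h(candidate), step)
            # false alarm: another chain merged into this endpoint, keep going
    return None


if __name__ == "__main__":
    table = build_table()
    secret = chain_from(table[next(iter(table))], 7)  # a password the table covers
    print("unsalted:", lookup(table, h(secret)))                  # recovers secret
    print("salted:  ", lookup(table, salted_h(secret, b"s4lt")))  # None
```

The table only covers passwords that lie on one of its chains, so a miss on an unsalted hash means "not covered", while the salted hash misses because no chain was ever built for that salt.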
  43. yubikey (2FA)
  44. physical access tools.
  45. magspoof. is a device that can spoof/emulate any magnetic stripe or credit card. It can work "wirelessly", even on standard magstripe/credit card readers, by generating a strong electromagnetic field that emulates a traditional magnetic stripe card.
  46. mag card reader/writer. read and write (duplicate) the data stored as magnetic stripes on credit cards.
  47. keysy. Keysy allows the user to copy up to four low frequency (125kHz) RFID keycards/keyfobs. Keysy can then emulate these keycards/keyfobs when placed in front of the RFID reader. In addition, Keysy has the ability to duplicate any previously read keycard/keyfob onto a blank rewritable keyfob/keycard.
  48. proxmark3. The Proxmark3 is a powerful general purpose RFID test instrument designed to snoop, listen and emulate everything from Low Frequency (125kHz) to High Frequency (13.56MHz) tags. The Proxmark is the only research and development platform targeting NFC and RFID that is capable of both transmitting and receiving while meeting the timing requirements of most proximity protocols. The Proxmark also provides full control over the radio layer in addition to software support for several higher-level protocols.
  49. chameleon mini rfid. The ChameleonMini is a versatile contactless smartcard emulator compliant with NFC, ISO 14443 and ISO 15693. It has been designed and maintained by the Chair for Embedded Security of the Ruhr-University Bochum. The freely programmable platform can be used to emulate and virtualize cards (perfect clones including the UID) for practical penetration testing.
  50. lockpicking. ● A126 ● 16120 ● CH751 ● EK222 / EK333 / EK2233X ● FEO-K1 ● C415A ● 222343 ● 1284X ● Jigglers / Skeleton / Bump Keys / Lock Picks ● Jumper Wire
  51. lock bypassing. Instead of picking a lock, sometimes it's easier to bypass the locking mechanism to gain entry into a secured space. ● under door tool ● shims ● thumb lock bypass ● crash bar tool
  52. blekey. BLEKey is a Bluetooth Low Energy (BLE) enabled tap for the Wiegand protocol, which is the most widespread protocol for proximity card reader systems. BLEKey can be installed in a reader to passively sniff Wiegand data, and can emulate cards on that reader. All data can be offloaded to a phone with BLE support.
  53. dji spark drone. a tiny drone is good for surveillance and for delivering physical payloads such as a wifi pineapple.
  54. usb endoscope. look under doors or around corners.
  55. wireless tools.
  56. hackrf one. HackRF One is a Software Defined Radio (SDR) peripheral capable of transmission or reception of radio signals from 1 MHz to 6 GHz. Designed to enable test and development of modern and next generation radio technologies, HackRF One is an open source hardware platform that can be used as a USB peripheral or programmed for stand-alone operation.
  57. yardstick one. YARD Stick One (Yet Another Radio Dongle) can transmit or receive digital wireless signals at frequencies below 1 GHz. Capabilities: ● half-duplex transmit and receive ● official operating frequencies: 300-348 MHz, 391-464 MHz, and 782-928 MHz ● unofficial operating frequencies: 281-361 MHz, 378-481 MHz, and 749-962 MHz ● modulations: ASK, OOK, GFSK, 2-FSK, 4-FSK, MSK. YARD Stick One comes with RfCat firmware installed, courtesy of atlas. RfCat allows you to control the wireless transceiver from an interactive Python shell or your own program running on your computer.
  58. ubertooth. The Ubertooth One is the world's first affordable Bluetooth monitoring and development platform.
  59. crazyradio pa. Crazyradio PA is a long range open USB radio dongle based on a Nordic Semiconductor radio. It features a 20dBm power amplifier and LNA, and comes pre-programmed with Crazyflie compatible firmware. The power amplifier boosts the range, giving a range of more than 1km (line of sight).
  60. rtl-sdr dongle. RTL-SDR is a very cheap ~$25 USB dongle that can be used as a computer based radio scanner for receiving live radio signals in your area (no internet required). Depending on the particular model it could receive frequencies from 500 kHz up to 1.75 GHz. The origins of RTL-SDR stem from mass produced DVB-T TV tuner dongles that were based on the RTL2832U chipset.
  61. embedded system tools.
  62. jtagulator. JTAGulator is an open source hardware tool that assists in identifying On-Chip Debug (OCD) connections from test points, vias, or component pads on a target device. OCD interfaces can provide chip-level control of a target device and are a primary vector used by engineers, researchers, and hackers to extract program code or data, modify memory contents, or affect device operation on-the-fly. Depending on the complexity of the target device, manually locating available OCD connections can be a difficult and time consuming task, sometimes requiring physical destruction or modification of the device.
  63. analog discovery 2. Digilent Analog Discovery 2 is a USB oscilloscope and multi-function instrument that allows users to measure, visualize, generate, record, and control mixed-signal circuits of all kinds. It can perform functions such as arbitrary function generator, network analyzer, spectrum analyzer, data logger, protocol analyzer, impedance analyzer, and power supply.
  64. black magic probe. a JTAG and SWD adapter used for programming and debugging ARM Cortex MCUs.
  65. bus pirate. a troubleshooting tool that communicates between a PC and any embedded device over 1-wire, 2-wire, 3-wire, UART, I2C, SPI, and HD44780 LCD protocols, all at voltages from 0-5.5VDC. This product eliminates a ton of early prototyping effort when working with new or unknown chips. Working with the Bus Pirate is simple and effective: type commands into a terminal on your computer, and those commands are interpreted by the Bus Pirate and sent via the proper protocol.
  66. teensy or arduino micro. roll your own rubber ducky. The Micro board is similar to the Arduino Leonardo in that the ATmega32U4 has built-in USB communication, eliminating the need for a secondary processor. This allows the Micro to appear to a connected computer as a HID device (mouse and keyboard), in addition to a virtual (CDC) serial / COM port. It also has other implications for the behavior of the board; these are detailed on the getting started page.
  67. greatfet one. a hardware hacker's best friend. With an extensible, open source design, two USB ports, and 100 expansion pins, GreatFET One is your essential gadget for hacking, making, and reverse engineering. By adding expansion boards called neighbors, you can turn GreatFET One into a USB peripheral that does almost anything. Whether you need an interface to an external chip, a logic analyzer, a debugger, or just a whole lot of pins to bit-bang, the versatile GreatFET One is the tool for you. Hi-Speed USB and a Python API allow GreatFET One to become your custom USB interface to the physical world. ● programmable digital I/O ● serial protocols including SPI, I2C, UART, and JTAG ● logic analysis ● analog I/O (ADC/DAC) ● data acquisition ● debugging ● versatile USB functions including FaceDancer ● high-throughput hardware-assisted streaming serial engine
  68. saleae logic analyzer. used by electrical engineers, firmware developers, enthusiasts, and engineering students to record, measure, visualize, and decode the signals in their electrical circuits.
  69. ftdi friend / segger j-link / pickit 4 / µart
  70. opticspy + tomu. ultrasonic exfiltration is also possible with arduinos and hc-05 ultrasonic sensor hardware.
  71. chip whisperer.
     ● ChipWhisperer is an open source toolchain dedicated to hardware security research, side-channel power analysis and glitching attacks. This toolchain consists of several layers of open source components:
     ● Hardware: The ChipWhisperer uses a capture board and a target board.
     ● Firmware: Three separate pieces of firmware are used on the ChipWhisperer hardware. The capture board has a USB controller (in C) and an FPGA for high-speed captures (in Verilog) with open-source firmware.
     ● Software: The ChipWhisperer software is made up of a capture program to control the hardware and an analyzer program to process captured data.
  72. obd2 (automobile interface). Onboard Diagnostic 2 ports (OBD2) are standard on all cars since the mid-1990s. USB, wifi, or Bluetooth OBD2 interfaces let a computer or smartphone tap into a car's CAN bus.
  73. ifixit kit
  74. security screw bits. phillips and flathead aren't the only types of screws around. many electronic devices use special security screws.
  75. more tools. ● facedancer21 ● usb condom ● 3g/4g usb modem
  76. websites.
  84. other websites. ● protonmail ● cybrary ● github/gitlab ● openvpn ● canarytokens
  85. other websites. ● Shodan
  86. other websites. ● references.html ● research-project/ ● testing/landing-page/
  87. 87. more websites.
  88. 88. software.
  89. 89. kali linux / parrot os
  90. 90. control things platform
  91. 91. security onion ● Full packet capture - Tcpdump/Wireshark/NetworkMiner ● Extracted content – Xplico/NetworkMiner ● Session data – Bro/FlowBAT ● Transaction data – Bro ● Statistical data – Capinfos/Wireshark ● Metadata – ELSA (Whois) ● Alert data – Snort, Suricata, Sguil, Snorby
  92. 92. kali linux nethunter
  93. 93. hak5 c2 server running on desktop vs. raspi vs. vps (aws or azure)
  94. 94. more software tools. ics network mapping and packet inspection ● wireshark ● TCPdump ● mitmproxy ● Sophia ics network monitoring ● security onion ● GUIL ● ELSA ● Bro ● Snort network forensic analysis tool ● NetworkMiner ● SiLK + FlowBAT ics protocol inspection ● CyberLens open source intelligence ● Maltego ● Shodan ● Google Dorks ● The Harvester ● Metagoofil ● Recon-ng ● Check Usernames ● TinEye ● SearchCode ● Recorded Future ● Nessus ● Qualys ● Nexpose ● OpenVAS ● nmap
  95. 95. more software tools. firmware tools ● Firmadyne ● Firmwalker ● Angr ● Firmware-mod-toolkit ● Firmware analysis toolkit ● GDB ● Hopper ● Binary Analysis Tool (BAT) ● BinWalk ● X84dbg ● binary ninja ● IDA ● RADARE+Cutter ● QEMU software reverse engineering ● Immunity Debugger ● NSA Ghidra ● PLASMA Disassembler ● Hexinator web application software tools ● Burp Suite ● OWASP Zed Attack Proxy (ZAP) ● REST Easy Firefox plugin ● Postman Chrome extension android testing virtual machine distribution ● Android SDK ● Android emulator ● Enjarify ● JD-Gui ● Mob-SF ● SQLite browser ● Burp Suite ● OWASP ZAP http proxy ● OWASP ZAP ● Burp Suite
  96. 96. more software tools. wifi hacking ● Kismet ● Aircrack-NG ● airoDump-NG ● Technitium MAC Address Changer ● Airgeddon attack frameworks ● BEEF ● Metasploit + Armitage GUI ● PowerSploit ● CANVAS password exploits ● john the ripper ● Hydra ● Mimikatz hunt teaming framework ● RITA threat modeling ● Microsoft Threat Modeling Tool 2016
  97. 97. more software tools.
    arp spoofing / mitm ● Bettercap ● Ettercap
    red team framework ● Cobalt Strike
    fuzzing ● QEMU ● American Fuzzy Lop
    command and control ● Hak5 C2 ● Gcat / Gdog
    hardware analysis software ● OpenOCD ● Spiflash ● Minicom ● Baudrate ● flashrom
    radio analysis software ● KillerBee Framework ● Attify ZigBee Framework ● GNU Radio ● BLEAH ● GQRX ● Blue Hydra ● EZ-Wave ● scapy ● Inspectrum ● Universal Radio Hacker
    iot vulnerability scanners ● Princeton IoT Inspector ● Bitdefender IoT Home Scanner
    automobile tools ● TOAD OBD2
  98. 98. other software tools. ● netcat ● sqlmap ● pfSense ● putty ● veracrypt ● keepass / lastpass ● termius ● etcher ● winscp ● hexchat / discord / slack ● vmware ● vncviewer ● openvpn ● powershell / ubuntu for windows ● netstat ● whois, traceroute ● hping ● Yara ● Bro/Zeek ● Sguil ● Redline/Memoryze, DumpIt, dd/LiME, FTK ● Timesketch and Plaso ● Cobalt Strike
  99. 99. other software tools.
    ● Kansa ● DNScat2 ● WarVOX ● Cain and Abel ● NetStumbler ● inSSIDer ● Kismet ● Search Diggity ● Microsoft Port Reporter ● Chef ● BloodHound ● Kon-Boot ● Inception ● LAN Turtle + Responder ● Ettercap ● Bettercap ● Arpspoof ● MITM Framework ● Let's Encrypt: free SSL certs ● Responder: LLMNR attacks ● Masscan ● Poison Ivy backdoor trojan ● Gh0st RAT ● Social Engineering Toolkit
    stego tools ● JSteg ● MP3Stego ● S-Mail ● Invisible Secrets ● Stash ● Hydan ● OpenStego ● SilentEye ● OpenPuff
    ● Acunetix WVS ● Netsparker ● w3af ● Nikto ● Veil Framework ● strings
    memory dumps (D5 P22) ● Mandiant's Memoryze ● MemoryDD.bat ● HBGary's fastdump ● Matthieu Suiche's win32dd ● winpmem ● FTK Imager ● ManTech's mdd ● Volatile Systems' Volatility Framework ● Google Rekall
    rootkits ● chkrootkit ● Rootkit Hunter (rkhunter) ● RootkitRevealer ● Sophos Anti-Rootkit ● McAfee Rootkit Detective ● rootkit creation tool: suterusu
    ● DropSmack ● PowerShell Empire ● ExifTool ● Sysmon ● AI Hunter
  100. 100. other software tools. software/firmware reverse engineering ● pestr ● peframe ● PeStudio ● Process Hacker ● Process Monitor ● Regshot ● ProcDOT ● x64dbg ● API Monitor ● INetSim ● Fiddler ● SpiderMonkey ● box-js ● scdbg ● jmp2it ● Detect It Easy ● Exeinfo PE ● Bytehist ● CFF Explorer ● Scylla ● OllyDumpEx ● Volatility ● FLOSS ● ScyllaHide ● pe_unmapper, among others.
  101. 101. social engineering. tactics. techniques. procedures.
  102. 102. social engineering attacks
    1. Phishing Emails/Phone Calls: Seek to obtain personal information, such as names, addresses and social security numbers. Use link shorteners or embed links that redirect users to suspicious websites behind URLs that appear legitimate. Incorporate threats, fear and a sense of urgency to manipulate the user into acting promptly. If targeted at a specific person, called spear phishing. If aimed at a high-value target, also called a whaling attack.
    2. Pretexting: Attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try to steal their victims' personal information. These attacks commonly take the form of a scammer who pretends to need certain bits of information from the target in order to confirm the target's identity.
    3. Baiting: Similar to phishing attacks. What distinguishes baiting from other types of social engineering is the promise of an item or good that the attacker uses to entice victims. Baiters may offer users free music or movie downloads if they surrender their login credentials to a certain site.
    4. Quid Pro Quo: Quid pro quo attacks promise a benefit in exchange for information. This benefit usually takes the form of a service, whereas baiting frequently takes the form of a good. One of the most common quid pro quo attacks involves fraudsters who impersonate IT service people and spam call as many direct numbers belonging to a company as they can find. These attackers offer IT assistance to each and every one of their victims. The fraudsters promise a quick fix in exchange for the employee disabling their AV program and installing malware, disguised as software updates, on their computer.
    5. Watering Hole: The attack consists of injecting malicious code into the public web pages of a site that the targets habitually visit. The method of injection is not new, and it is commonly used by cyber criminals and hackers. The attackers compromise websites within a specific sector that are ordinarily visited by the specific individuals of interest for the attack.
    6. Tailgating: Another social engineering attack type is known as tailgating or "piggybacking." These attacks involve someone who lacks the proper authentication following an employee into a restricted area. For example, a bad actor impersonates a delivery driver and waits outside a building. When an employee gains security's approval and opens the door, the attacker asks the employee to hold the door, thereby gaining access through someone who is authorized to enter the company.
    7. Fake Credentials: A bad actor obtains the credentials of a third-party contractor and impersonates personnel (e.g. a telephone service repairman, HVAC technician, or safety inspector) to gain access to restricted areas.
    Based on a report from Tripwire.
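One defensive check that follows from item 1 above (link shorteners, and links whose visible text does not match their real destination), as an added example that is not part of the original deck or the Tripwire report: a small Python routine that parses an HTML mail body and flags the three link patterns the slide describes. The shortener list and the sample message are constructed, and the registrable-domain helper is a deliberate simplification rather than a real public-suffix lookup.

```python
"""Flagging deceptive links in a mail body, as an added example.

Assumptions (not from the slide deck): the message body is HTML, the
shortener list is a constructed sample, and a link is reported when its
href host is a shortener, when the visible text is itself a URL whose host
differs from the href host, or when a query parameter carries a second URL
(the embedded-redirect pattern the slide describes).
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}   # constructed sample

# Constructed sample message, not a real phishing mail.
SAMPLE_MAIL = """
<p>Your account will be suspended in 24 hours unless you act now.</p>
<a href="https://bit.ly/3xyz">Verify now</a>
<a href="http://secure-login.example.net/auth">https://portal.example.com/login</a>
<a href="https://legit.example.com/r?next=https://evil.example.org/">Read the policy</a>
<a href="https://portal.example.com/help">https://portal.example.com/help</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of url; tolerates bare 'www.example.com/path' text."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Crude registrable-domain guess: last two labels (fine for the sample, not for real TLD lists)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _looks_like_url(text):
    t = text.lower()
    return "://" in t or t.startswith("www.")


def suspicious_links(html_body):
    """Return [(href, visible_text, [reasons])] for every link worth a second look."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = _host(href)
        reasons = []
        if _registrable(href_host) in SHORTENERS:
            reasons.append("shortener")
        if _looks_like_url(text) and _registrable(_host(text)) != _registrable(href_host):
            reasons.append("display/href host mismatch")
        params = parse_qs(urlparse(href).query)
        if any("://" in v for values in params.values() for v in values):
            reasons.append("embedded redirect url")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_MAIL):
        print("%-60s %-40s %s" % (href, text, ", ".join(reasons)))
```

Run against the sample, the first three links are reported (shortener, host mismatch, embedded redirect) and the fourth, whose text and destination agree, is not. The same routine can be pointed at exported mail bodies from a quarantine to triage reported phishing.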
  103. 103. open source intelligence (osint)
  104. 104. physical access attacks. tactics. techniques. procedures.
  105. 105. embedded systems reverse engineering. tactics. techniques. procedures.
  106. 106. tips for making iot devices a bit more secure.
    ● Segment the home network and put IoT devices on a separate network. In a pinch, use the router's guest network for IoT home devices.
    ● Change passwords every now and then.
    ● Secure by Default
      ○ No default passwords shared between devices, and no weak out-of-the-box passwords. Strong passphrases with numb3rs, LeTtErS, and $pecial ch@rs.
      ○ All passwords should be randomly created using high quality random number generators.
      ○ Advanced features used by a small percentage of users should be turned off (VPN, Remote Administration, etc.).
    ● Secure by Design
      ○ Firmware should be locked down so serial access is not available.
      ○ Secure Element (SE) or Trusted Platform Module (TPM) devices should be used to protect access to the firmware and hardware.
      ○ All GPIO, UART, and JTAG interfaces on the hardware should be disabled for production versions.
      ○ NAND or other memory/storage media should be protected with epoxy, ball sockets (so the memory cannot be removed and dumped), or other methods to prevent physical attacks.
    ● Zero Trust Computing
      ○ Devices should not rely on the network to provide security. Rather, the device's security model should assume the network is compromised and still maintain its protections. This can be done with prompts asking users to accept handshakes between devices trying to access other devices on their networks.
      ○ Communication between devices should be encrypted to prevent MitM attacks and sniffing/snooping.
    ● Privacy
      ○ Consumer PII is not shared with manufacturers or partners.
      ○ Usage data on an individual consumer is never shared with partners or advertisers.
      ○ Anonymous data for buckets of users on usage patterns is acceptable as long as it is proven not to be traceable back to individual consumers.
      ○ The data collection policy, the type of data collected and the usage of that data are clearly documented on the site.
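The "Secure by Default" items above (no passwords shared between devices, no weak factory defaults, credentials generated from a high quality random number generator) can be turned into a provisioning check. The following Python is an added example, not code from the deck or from any vendor: it draws each device's passphrase from the operating-system CSPRNG via the standard-library `secrets` module, rejects anything that matches a constructed list of common factory defaults or lacks one of the character classes the slide calls for, and verifies that no two devices in a batch share a credential. The 80-bit entropy floor is an assumption chosen for the example.

```python
"""Secure-by-default credential provisioning, as an added example.

Assumptions (not from the slide deck): every device leaving the factory gets
its own passphrase drawn from the operating-system CSPRNG via `secrets`, the
weak-default list below is a constructed sample, and a candidate credential
is rejected if it is on that list, lacks one of the character classes the
slide asks for, or falls below an entropy floor (80 bits here, an assumption).
"""
import math
import secrets
import string

# Constructed sample of factory defaults that must never ship (illustrative only).
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "123456",
                  "default", "root", "user", "guest", "support"}

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"          # 23 symbols
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL   # 85 symbols in total


def has_required_classes(pw):
    """True when pw has a lowercase letter, an uppercase letter, a digit and a symbol."""
    return all(any(c in group for c in pw) for group in (LOWER, UPPER, DIGITS, SPECIAL))


def entropy_bits(pw):
    """Entropy estimate: length * log2(size of the character classes present).

    A fair measure for output of generate_passphrase(), and an optimistic
    upper bound for anything a human picked; used here only as a floor."""
    pool = sum(len(group) for group in (LOWER, UPPER, DIGITS, SPECIAL)
               if any(c in group for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def credential_problems(pw, min_bits=80.0):
    """Reasons pw is unacceptable as a device credential; an empty list means OK."""
    problems = []
    if pw.lower() in KNOWN_DEFAULTS:
        problems.append("known weak default")
    if not has_required_classes(pw):
        problems.append("missing character class")
    if entropy_bits(pw) < min_bits:
        problems.append("entropy below threshold")
    return problems


def generate_passphrase(length=20):
    """Random passphrase from the CSPRNG, resampled until every class is present."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_required_classes(candidate):
            return candidate


def provision_batch(count, length=20):
    """One unique credential per (constructed) device serial, so no two devices share one."""
    creds, seen = {}, set()
    for i in range(count):
        pw = generate_passphrase(length)
        while pw in seen:        # a collision is astronomically unlikely, but cheap to rule out
            pw = generate_passphrase(length)
        seen.add(pw)
        creds["DEV-%05d" % i] = pw
    return creds


def batch_is_unique(creds):
    """True when no credential value is shared between two devices in the batch."""
    return len(set(creds.values())) == len(creds)


if __name__ == "__main__":
    batch = provision_batch(5)
    for serial, pw in batch.items():
        print(serial, pw, "%.0f bits" % entropy_bits(pw), credential_problems(pw))
    print("admin ->", credential_problems("admin"))
</```

The same `credential_problems` check is what a factory test station or a firmware's first-boot routine would run before accepting any credential; it is the difference between "a password exists" and "a password the slide would accept exists".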
  107. 107. traditional i.t. hacking tactics. techniques. procedures.
  108. 108. FUTURE STUFF HERE………..
  109. 109. other things and stuff.
  110. 110. laws. policies. guidance. ● Family Educational Rights and Privacy Act (FERPA) ● Federal Information Security Management Act (FISMA) ● Sarbanes-Oxley (SOX) ● Health Insurance Portability and Accountability Act (HIPAA) ● North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) ● Payment Card Industry Data Security Standard (PCI-DSS) ● Federal Financial Institutions Examination Council (FFIEC) ● General Data Protection Regulation (GDPR) ● NIST SP 800-53 ● NIST Cybersecurity Framework ● NIST SP 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security ● UFC 4-010-06 CYBERSECURITY OF FACILITY-RELATED CONTROL SYSTEMS, WITH CHANGE 1
  111. 111. where to buy stuff.
  112. 112. security podcasts and youtube channels ● Security Weekly ● Black Hills Podcast ● Hak5 ● Risky Business ● The Unsupervised Learning Podcast ● Down the Security Rabbithole ● Hacker Public Radio ● Open Source Security Podcast ● SANS StormCast ● CyberWire ● The Social-Engineer Podcast ● DevelopSec
  113. 113. good reads. ● A Burglar's Guide to the City by Geoff Manaugh ● Ghost in the Wires, The Art of Invisibility, The Art of Intrusion, The Art of Deception by Kevin Mitnick ● Hacking the Xbox, The Hardware Hacker by Bunnie Huang ● Hackers by Steven Levy ● The Cuckoo's Egg by Cliff Stoll ● Predictably Irrational by Dan Ariely ● Freakonomics by Steven D. Levitt and Stephen J. Dubner ● Fire in the Valley by Paul Freiberger
  114. 114. training labs and ranges.
  115. 115. other skillz ● communicate orally ● write good reports ● translate the business impacts of vulnerabilities
  116. 116. collaborate with me. ● @mbparks