Steelcon 2015 - 0wning the internet of trash
My presentation slides from Steelcon 2015 on "Owning the Internet of Trash", a presentation on exploitation of endemic vulnerabilities in the so called "internet of things", with a focus on finding vulnerabilities in, exploiting, and gaining persistent access to, routers and other such embedded devices.

This talk was recorded, a video will be linked soonish, and went over some basics of analysing firmware, hardware, and suchlike to find bugs in things and hack the planet!

Published in: Software
0wning the Internet of Trash
Darren Martyn
Xiphos Research
darren.martyn@xiphosresearch.co.uk

whoami
• Darren Martyn / infodox
• Penetration Tester & Researcher @ Xiphos Research Ltd
• Forensics & Chemistry Student @ GMIT

This talk…
• Hacking embedded devices – a gentle introduction.
• Both hardware and software explorations
• Examining exploitation ITW and post exploitation

wtf

Today we shall talk about…
• Obtaining firmware for embedded devices.
• Basics of UART identification and use
• Extraction of firmware/finding vulnz
• Popping boxes (exploit development).
• Boxes being popped (router malware case studies)
• Post exploitation
• Future ideas… (I promise, no more walls of text after this!)

Firmware
Honest, this is what firmware looks like

Methods of getting firmware…
• Download from internet
> Vendor website
> random internauts
• Extract from device
• There are other methods, but not going to get into that here.

Methods of getting firmware… (D-Link FTP)

Methods of getting firmware… (netgear support)

Random Internauts…

Extracting from device…
• This is where we segue into the land of UART.
• Basically, get some kinda shell on the device
• And copy the rootfs (the bit we give a damn about for now).
• Two main ways this happens for today's purposes…

UART Basics…
• UART = “Universal Asynchronous Receiver/Transmitter”
• TL;DR basically serial
• Usually 4 pins, we only care about 3 really.
• RX, TX, VCC, GND. We usually can ignore VCC.

Identify UART

Bastards removed the pins!

Interfacing with UART.
• Buspirate - ~15£, interfaces with bloody everything.
• Has disadvantage of being a bit of a pain to use at times.
• Save money and cost!
• USB-TTL converter for 2£ from ebay

USB-TTL

Which pin goes where
• This is a hard one to explain. Best summary is below.
• http://www.devttys0.com/2012/11/reverse-engineering-serial-ports/
• Get a multimeter or oscilloscope…
• GND pin will positively continuity test with … a grounded bit
• VCC is tied high at +3.3V or +5V usually
• TX fluctuates between 3.3V and 0V as it… Transmits.
• RX… Good fucking luck

Ok, all hooked up. Interaction time?
• Not yet. Gotta find the baudrate
• I usually just use this, or do it by hand.
• https://code.google.com/p/baudrate/
• Then just ‘screen /dev/ttyUSB0 <baudrate>’

Connected!
Here we have a “Billion” router's bootloader debug output coming over serial from it :D
Sometimes we get a rootshell… Other times we get a “uBoot” shell.

GET /FIRMWARE
• If you have a uBoot shell, you can often dump out the image
• Xfer to yourself over tftp
• With a rootshell… xfer back to yourself over tftp the entire rootfs

A case study in firmware reversing && bug hunting…
• For this bit on extracting FW and finding bugs a case study is best.
• I presented the end result of this at Bsides Hannover.
• We start with Moovbox firmware, end up with rootshells!

Because of scale we scripted binwalk…

Next up, scripting uncramfs…
Trigger Warning: Filthy Code Ahead

find . –name “vuln”
• Took a fairly blind approach to finding vulns
• “Grep and gripe” kind of things
• First off, looked at the web interface of device. How does it work. What's its config. Etc.

Anyone see why this prompted interest?

Scripting is Magic…

Scripting is Magic…

Some numbers
• All 108 were vulnerable to ShellShock
• All 108 had the same shitty CGI script
• 106 used thttpd running as root
• 2 ran lighttpd. Also as root

Remote Root Everywhere

Further firmware analysis
• Let's look for more fun stuff in this firmware
• First off, we analyse the passwd files
• 4 unique hashes

The Hashes
• I have yet to crack these. People have been trying and failing for about a month. Can you succeed?
root:$1$5jjAfVIS$dIG6AvGNwq8EENjTHnfpK/
root:$1$jb.3W.1D$8FeBW.T/x2wwJVB.lp.gv1
root:$1$bw7WuzHj$aU6V7omf9zBWA2sEaJv9p1
root:$6$W74jOIhT$QaYoDDN.N1SRgyG5ALymJHcYc9TmXKcITXyCstGDdK9cXOssLOTMQPl2uRm.wsNZ7oE5byOOrdNlvNxyguqVs/

SSH Keys
• Protip: Hardcoded SSH Keys Suck
• They all have /etc/ssh/ keys. RSA and DSA
• They also have the same /etc/ssh_key privkey, which is a bit unusual...

/etc/ssh_key
• Now, this is an odd one. It matches exactly two boxes in the wild – both hosts in Germany
• As to wtf these are, I have no idea
• If anyone can figure it out, it would be great ;)
• 89.110.151.186 & 89.110.148.26 (who is this?)

Using SSH keys to fingerprint

Look! Duplicate Keys! Everywhere!

Let’s go after SSL keys…
• OpenVPN Keys: find . -name "*.key" (108)
> All identical
• SSL Keys: find . -name "*.pem" (973)
> 2e465be3c06ea7db968347aaa3df7d37
> Also all the same...

SSL Keys
• 6 of them on each image. All identical across images:
> 7135ad5b7fd5fb2eb23f8dfecf74919d
> cb5199178e4649461928356c7cbdae74
> de2c6949bd1bca55c20d9610510a08d1
> 905a7590ee039a788a08d4dfd15d2582
> a926c2beaa439f37bc62a5678a4e5906
> 35a569e0e768495554c4cbddd787f9e4
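The passwd, SSH-key and SSL/OpenVPN-key sweeps across the 108 extracted images can be done in one pass. The script below is an added example, not one of the talk's own scripts; it assumes a corpus directory with one extracted rootfs per subdirectory, fingerprints key files by md5 as the slides do, flags any key shared by more than one image (a hardcoded key every customer of that vendor ends up with), and counts distinct crypt() hashes. The three-image corpus it builds is constructed sample data.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# File names the talk swept for: PEM/OpenVPN keys, OpenSSH host keys and the
# odd /etc/ssh_key. Assumed layout: one extracted rootfs per subdirectory.
KEY_PATTERNS = ("*.pem", "*.key", "ssh_host_*_key", "ssh_key")


def key_digests(images_root):
    """Map md5(key bytes) -> set of image names that ship that exact key."""
    seen = defaultdict(set)
    for image_dir in Path(images_root).iterdir():
        if image_dir.is_dir():
            for pattern in KEY_PATTERNS:
                for path in image_dir.rglob(pattern):
                    if path.is_file():
                        seen[hashlib.md5(path.read_bytes()).hexdigest()].add(image_dir.name)
    return seen


def shared_keys(images_root):
    """Keys present in two or more images: hardcoded, so every owner shares them."""
    return {d: sorted(i) for d, i in key_digests(images_root).items() if len(i) > 1}


def unique_password_hashes(images_root):
    """Distinct crypt() hashes across every etc/passwd and etc/shadow found."""
    hashes = set()
    for name in ("passwd", "shadow"):
        for path in Path(images_root).rglob(name):
            if path.parent.name == "etc" and path.is_file():
                for line in path.read_text(errors="replace").splitlines():
                    fields = line.split(":")
                    if len(fields) > 1 and fields[1].startswith("$"):
                        hashes.add(fields[1])
    return hashes


def build_sample_tree():
    """Constructed sample corpus: img1 and img2 share a host key and a hash,
    all three share the OpenVPN key (as all 108 real images did)."""
    root = Path(tempfile.mkdtemp())
    for name, key, pw in (("img1", b"KEY-A", "$1$aaaa$xx"),
                          ("img2", b"KEY-A", "$1$aaaa$xx"),
                          ("img3", b"KEY-B", "$1$bbbb$yy")):
        (root / name / "etc" / "ssh").mkdir(parents=True)
        (root / name / "etc" / "ssh" / "ssh_host_rsa_key").write_bytes(key)
        (root / name / "etc" / "client.key").write_bytes(b"VPN-SAME")
        (root / name / "etc" / "passwd").write_text(f"root:{pw}:0:0:root:/:/bin/sh\n")
    return root


if __name__ == "__main__":
    corpus = build_sample_tree()
    for digest, images in shared_keys(corpus).items():
        print(f"{digest} shared by {len(images)} images: {', '.join(images)}")
    print(f"{len(unique_password_hashes(corpus))} unique password hashes")
```

Point it at a directory of binwalk/uncramfs output instead of the sample tree and any digest listed with more than one image is a key to get the vendor to regenerate per device.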
Popping Boxes/xdev
• Most of the vulns you will find are remote root
• A lot of them will be command injection bugs.
• Most people just enable telnetd and leave it at that.
• More fun to be had…

Popping Boxes/xdev – Se0wned

Popping Boxes/xdev – dloser 0day
Greetz to imax who actually bought a NAS back when we wrote the early versions of this exploit!

Popping Boxes/xdev
• Getting a shell is just step 1.
• Better payloads (tshd, for example) allow file transfer.
• This means we can upload tools and exfil files easily
• (A POSIX Meterpreter that worked on ARM/MIPS/PPC would be nice and all… Just sayin’)

Router Malware
• This stuff is being done ITW
• I had nice screenshots and pictures, but /tmp ate them
• So I’ll TL;DR it and explain some examples.

LinuxFlasher.A
• Discovered by myself and _ta0 in the wild.
• Firmware flashing malware, installed malicious firmware that included a password sniffer (dsniff) and exfil scripts using wput.
• Sent very little network traffic, un-killable unless you reflashed.
• Crude, held together with bash scripts, but highly effective.

Hydra/Aidra Family
• Worm/Botnet, IRC controlled.
• Spreads via telnet (and SSH) bruteforcing, also a D-Link config bug.
• Mainly used by script kiddies for DDoS purposes…

Moon
• Linksys only affected vendor.
• Discovered by some SANS handler (Johannes).
• Used a remote root command execution 0-day to spread.
• Functionality mostly unknown. Had hardcoded target ranges. Just spread… And spread. Possible test run?

Post Exploitation
• Exposed embedded devices put you firmly within an affected target's network
• Often (routers) in a privileged position (routing all traffic!)
• So much potential for pivoting, sniffing, etc… Going beyond rootshells…
• Persisting is a harder problem we will address!

Post Exploitation - Building Toolkits
• We need to statically link things so they will run on these devices.
• Uclibc.org – excellent cross compiler toolchains, 10/10 recommend.
• Now what tools do we actually need to do fun stuff?

Post Exploitation - Requirements
• C&C – So we can manage the devices
• Robust tools for getting shell access, transferring files.
• Tools for sniffing, spoofing, doing things.
• Persistence.

Post Exploitation – C&C
• For C&C, we should practice excellent OPSEC.
• Use Tor. Cross compiling static Tor is hard. I will publish the build guide in a week or so on Github
• Set up Tor to be a hidden service pointing at tshd bindshell.
• There was a screenshot, but bloody /tmp ate it

Post Exploitation – Access
• We need to be able to run commands, interactive shell, and transfer files.
• Tshd by Christopher Devine fits the bill for this.
• Encrypted file xfer/PTY/command exec, bind and reverse connect modes.
• Will publish the build-toolchain later

Post Exploitation – Hack The Planet
• Tcpdump && Ettercap && socat && nmap
• It's been done before
• We have to catch up
• Will publish the build-toolchains later

Persist
• How does firmware work?
• It's infectious!
• Unless you reflas…… Permapwned
• “RPEF” by Michael Coppola is ITW
• Firmware infections here to stay

Rootkit Firmwares
• They exist
• They are using them
• If you believe otherwise you are an idiot.
• …

Tl;dr
• Embedded = owned
• Harass vendors
• Embedded rootshells are embedded root shells

Thanks
• Coworkers and such for tolerating weirdness
• F1nux, Alastair, digininja, `k, getting me talking
• Router mfg’s for making such products

Q&A
Questions & Comments & Abuse?
Contact:
@info_dox (twitter)
darren.martyn@xiphosresearch.co.uk (email)
infodox@jabber.ccc.de (jabber, use OTR else /ignore)