Csi Netsec 2006 Poor Mans Guide Merdinger

"Poor Mans Guide To Network Espionage Gear" - Computer Security Institute NETSEC 2006


  1. Poor Man's Guide To Network Espionage Gear
     Shawn Merdinger, Independent Security Researcher, CRT-9
     Computer Security Institute NetSec 2006, 2006.06.14
  2. British Spy Rock
  3. First-Gen Spy Rock?
  4. Obligatory Speaker Slide
     - Shawn Merdinger
       - Independent security researcher & corporate irritant
       - Current indy projects
         - VoIP device & Emergency communications systems
       - Former positions
         - TippingPoint
         - Cisco Systems
           - STAT (Security Technologies Assessment Team)
       - Web: www.io.com/~shawnmer
  5. Warnings and Stuff
     - This is academic research...the “how” not the “why”
     - This is “dangerous information”...however
       - You have the right/need to know
       - I have the right/need to talk
     - Oh yeah...and remember
       - Devices (in context) may be illegal...don't use
       - Activities (in context) may be illegal...don't do
       - I’m not a lawyer…
  6. Objectives
     - Academic information exchange
     - My favorite cheap and mean gear
     - Attacks & countermeasures
     - Resources
  7. Agenda
     - Objectives
     - Attackers
     - Network Espionage Devices (NEDs)
     - Gettin' Spooky with IT
     - Countermeasures
     - Looking forward
  8. Got bad soup?
     - Devastating yet “simple” attack
  9. Attacker Goals
     - Attacker wants to accomplish...
       - Gain internal access via a device at victim location
       - Attack internal/external hosts via TCP/IP
       - Attack phone/PDA/PC via Bluetooth
       - Passively gather information via sniffing
       - Establish other internal and external access
       - Impersonate services – Webserver, Database
       - Target a user's service – VIP VoIP connection
  10. Attack Tools
     - Typical opensource methods and tools
       - Scanning & Probing
       - Sniffing
       - Exploiting
       - Covert communications
     - Multiple protocols and entry points
       - Wired LAN
       - 802.11b/g wireless
       - Bluetooth
  11. NEDs
     - My favorites
       - Linksys WRT54G
       - Nokia 770
       - Gumstix
       - PicoTux
     - Plenty others!
       - Access Points
       - PDAs
       - Game platforms
  12. NED Characteristics
     - Small, unobtrusive, ubiquitous, “cute”
     - Low-cost, disposable at victim's location
     - Minimal power requirements
       - Power over ethernet, battery, solar potential
     - Multiple attack vector capability
       - Wired, Wireless, Bluetooth, RFID
     - Traditional forensics very difficult
       - Ephemeral filesystems running in RAM & device access
       - Try that with Encase!
  13. NED Characteristics
     - Outbound reverse connections back to attacker
       - Crypto tunnels bypass firewalls, IDS
       - “Under the radar” common protocols like DNS requests, ICMP, HTTP/S
       - Proxies, anonymizers, etc.
     - Ported attack tools and exploits
       - ARM processor-based
       - Some hardware and software limitations and trade-offs
         - Dependent libraries, GUIs, etc.
           - E.g. Don't expect a full Nessus client/server on Linksys routers
  14. NED OS & Software
     - Stripped-down Linux
     - BusyBox shell
     - SSH, HTTP/S management
     - Features like VPN tunnels, mesh networking
     - On-the-fly software install as “packages”
       - DNS, Apache, Asterisk
       - Attack tools and exploits
       - Powerful scripting languages: Python, Ruby
       - Customizable
  15. Linksys WRT54G
     - Cheap, cute
     - Secure with default Linksys firmware?
       - Ubiquitous = the “new Windows”
       - Very likely unpublished exploits in the wild
     - Opensource alternatives to Linksys firmware
       - OpenWRT
         - Package system
       - Sveasoft
         - Mesh networking
     - Unleashing the WRT54G....
  16. FairuzaUS for Linksys
     - FairuzaUS: www.hackerpimps.com
     [Screenshot: Treo 650 SSH into FairuzaUS into compromised Windows box; command line interface over SSH]
  17. Nokia 770
     - Basics
       - US $300
       - Slow CPU, low RAM
       - 802.11b & Bluetooth
       - Virtual touchscreen keyboard
       - Debian Linux PDA
       - Software
         - Lots of development via Maemo project
         - Many security tool packages by independent folks
           - Tcpdump, Nmap, Dsniff, Kismet, Bluetooth audit
  18. Gumstix
     - Ultra-small computers ($120 +)
     - Expandable “snap in” boards
       - CF storage and 802.11b wireless
       - Single and dual Ethernet with POE
         - MITM hardware device with dual ethernet
       - Bluetooth
       - USB, serial, PS/2 connectors
       - Used in BlueSniper, UltraSwarm
       - Developer CDs and environment
  19. PicoTux
     - Picotux 100 and 112 (US $100 +)
       - World's smallest Linux computer
       - 35mm×19mm×19mm (size of RJ45 connector)
       - Power over ethernet
       - Telnet and HTTP server
       - Developer CDs and environment
     - Attacks
       - One of these in the plenum off a Cisco CAT switch
       - “Serial to ethernet connector”
  20. Spooky: Device Enclosures
     - Free water cooler offer ;)
       - Potential for power source
       - Legitimate reason for physical presence...and returning
     - Office décor
       - Flower safe with X-mas tree & lights...plug 'n play
     - Exit Sign, fire extinguisher
       - *Dangerous to mess with emerg. gear
  21. Spooky: 0wn3d Mesh Network
     - Municipal networks beware!
     - Build It
       - EVDO gateway for Internet
       - Drive-by/Walk-by AP 0wn4g3
       - Senao AP w/ YAGI = Sweeper
     - Run It
       - Karma = DHCP for everybody
       - Shared crypto keys, cron jobs, remote ssh-fs mounts
     - Own it
       - Attack everything, browser exploits on capture portal
  22. Spooky: In-Transit “Marketing”
     - Airports, train stations, bus stations, subways, etc.
       - Bluetooth spamming with “scary” message content
       - 0wn3d wifi networks & Windows Messaging
     - Multiplier-effect
       - Simultaneous at multiple hubs in US
       - “Scary message”
         - Huge productivity costs
       - Wrong message
         - Used as diversion, secondary attack, etc.
  23. Spooky: Long-distance, the next best thing to being there
     - Home-built Bluetooth/Wifi “Sniper” setups
       - Bluetooth targets up to one mile
       - 802.11b targets up to...?
  24. How far? 802.11b over 125 miles
  25. Countermeasures
     - Know the risks and threats
     - Know your network devices and traffic
     - User education, buy-in, ownership of the problem
     - Policy and “best practices”
     - Planned response
     - Other measures
       - Honeypots, Honeynets, Bluetooth-honeypot
       - Calling the cavalry (private specialists, Johnny Law)
       - Hack-backs
  26. Looking Forward
     - More devices with network access
       - It's only going to get worse....
         - “Why is my refrigerator scanning my network?”
         - Same old issues: poor QA and security, outsourced, lack of ownership, fixes/patching, etc.
     - Tied into critical applications
       - Tele-medicine, mobile data
       - Emergency Communications Infrastructure
         - Vonage over Linksys box was NO lifeline post-Katrina
         - Plenty others...stay tuned!
  27. Questions?
     - Thanks!
     - Contact: shawnmer @ gmail.com
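Slide 13 describes planted devices that phone home on a timer over "under the radar" protocols, and slide 25 answers with "know your network devices and traffic". The script below is an added example, not from the talk, of what that countermeasure looks like in practice: it checks a constructed firewall log against a constructed asset inventory for MAC addresses nobody owns, and flags flows whose inter-arrival times are nearly constant, which is how a timer-driven reverse connection on a common port such as DNS/53 stands out. The log format, inventory and all addresses are assumptions made up for the demo.

```python
# Added example (not from the talk): flag hosts missing from the asset inventory and
# beacon-like outbound flows in a constructed firewall log. All values are made up.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed inventory: MAC addresses of devices the network owner actually knows.
KNOWN_MACS = {
    "00:11:22:33:44:01": "fileserver",
    "00:11:22:33:44:02": "hr-desktop",
}

# Constructed log lines: "seconds src_ip src_mac dst_ip dst_port proto".
LOG_LINES = """\
0 10.0.0.5 00:11:22:33:44:01 10.0.0.20 445 tcp
10 10.0.0.9 00:11:22:33:44:99 203.0.113.7 53 udp
33 10.0.0.5 00:11:22:33:44:01 198.51.100.4 443 tcp
71 10.0.0.9 00:11:22:33:44:99 203.0.113.7 53 udp
130 10.0.0.9 00:11:22:33:44:99 203.0.113.7 53 udp
192 10.0.0.9 00:11:22:33:44:99 203.0.113.7 53 udp
250 10.0.0.9 00:11:22:33:44:99 203.0.113.7 53 udp
""".strip().splitlines()

def parse(lines):
    """Split each log line into (ts, src_ip, src_mac, dst_ip, dst_port, proto)."""
    events = []
    for line in lines:
        f = line.split()
        if len(f) == 6:
            events.append((int(f[0]), f[1], f[2].lower(), f[3], int(f[4]), f[5]))
    return events

def unknown_devices(events, known=KNOWN_MACS):
    """MAC addresses seen on the wire that are absent from the inventory."""
    return sorted({ev[2] for ev in events if ev[2] not in known})

def beacons(events, min_hits=4, max_jitter=0.2):
    """(src, dst, port, period) for flows whose inter-arrival gaps are nearly constant."""
    flows = defaultdict(list)
    for ts, src, _, dst, port, _ in events:
        flows[(src, dst, port)].append(ts)
    found = []
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Low standard deviation relative to the mean gap means a fixed timer.
        if pstdev(gaps) <= max_jitter * mean(gaps):
            found.append(key + (round(mean(gaps)),))
    return found
```

On the constructed log, the unknown MAC and the 60-second DNS beacon from 10.0.0.9 are both reported; real deployments would feed DHCP lease or switch MAC tables and firewall exports through the same two checks.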
