SlideShare a Scribd company logo

Hacking Tokens PoC

RootedCON
RootedCON

The document describes a proof of concept for a hacking token that can perform various WiFi attacks. It discusses implementing hardware including a microcontroller and wireless capabilities into a power bank form factor. The software is designed as modular attacks that can store data, perform WiFi scans, create fake captive portals to intercept credentials, and retrieve stored data over encrypted connections. The proof of concept was able to successfully capture credentials through a fake captive portal and estimate locations through Google APIs based on nearby WiFi access points.

Technology
1 of 51
Download to read offline
Hacking Tokens: A Massive PoC Ismael Benito | Arnau Gàmez
Agenda 2 ● About us ● Hacking Token Concept ● Hardware ● Software ● Results ● Conclusions ● Questions
About us 3
● Founded in late 2016 ● Faculty of Mats & CS @ UB ● Ethical and social aspects of infosec ● Use and creation of FLOSS ● Technical workshops and talks in wireless security, IoT, RE, stego, etc. 4 https://hackinglliure.org info@hackinglliure.org @HackingLliure Arnau Gàmez i Montolio | @arnaugamez ● 20yo. From Benigànim, València ● President of Hacking Lliure ● Maths & CS student @ UB ● Worked as software developer in research groups @ UB ● Participated in many CONs ● r2 evangelist ● Also interested in music: pianist
● Founded in 2011 ● Faculty of Physics @ UB ● Aims to promote electronics & robotics among students. ● Several activities during the course such as courses, workshops 5 http://fisitronica.net fisitronica@gmail.com @Fisitronica Ismael Benito Altamirano | @ismansiete ● 26yo. From Nou Barris, Barcelona ● Former president of Fisitrónica ● B. Physics & Electronics Eng. @ UB ● MSc. in Photonics @ UPC ● Predoctoral researcher @ UB ● Assistant professor @ UB ● Also interest in politics, magic tricks, photography, all sci-fi Netflix series...
Hacking Token Concept 6
Hacking Token: from RootedCON 2017 7 Sweet Tools O’Mine by Hugo Teso: https://youtu.be/G8bccS3wla0
Hacking Token: candidates 8
Hacking Token as a PowerBank 9 General specs of PowerBanks: ● Portables ● Charging & discharging circuits integrated ● LiPo Bat. up to >20000 mAh ● Charger current up to >2A ● USB and Micro-USB ports ● At least a ON/OFF Button ● LEDs (Interface & linter) ● Not yet idIoTized ○ Battery pack for charging smartphones and other USB charge-capable devices. ○ Extra powerful 20000 mAh charge capacity. ○ Uses quality battery cells from well-known manufacturers. ○ Dual USB ports, including one 2.4 A port for quick charging tablets and similar devices. ○ Battery status indicator.
Hardware 10
Hardware 11 ● Learn about PowerBank internal circuits ● Charge and discharge a LiPo battery ● Protection circuit ● Typical schematics Reversing a PowerBank
Hardware: reversing a PowerBank 12
Hardware: reversing a PowerBank 13 Block diagram Protection GNDBAT VBAT = 3.6 V - 4.2 VCharge VmUSB = 5V VUSB = 5V Step-Up GND GND GND VBAT
Hardware: reversing a PowerBank 14from several datasheets Charge circuit: ○ Models: LTC4056, TP4056... ○ Battery detection ○ Match the correct Icharge for LiPo/Li-Ion Batteries Protection circuit: ○ Models: AP9101C, BQ2970, FS312F-G, S820A ○ Overcharge voltage detection ○ Overdischarge current detection ○ Disconnects GNDBAT from GND when needed
Hardware: Microcontrollers 15 Block diagram Protection GNDBAT VBAT = 3.6 V - 4.7 VCharge VmUSB = 5V VUSB = 5V Step-Up GND GND GND VBAT Microcontroller Wi-Fi ? ?
Hardware 16 ● State of the art ● Choose low-power uC ● uC placement inside a PowerBank Microcontrollers (uC)
Hardware: Microcontrollers 17
Hardware: Microcontrollers 18 Arduino (Pro) Micro (Atmega32u4): ○ Arduino-compatible ○ Several factor forms: Micro, Leonardo, Esplora... ○ Works with 5V and 3.3V logic ○ USB stack NodeMCU v3 (ESP8266): ○ Arduino-compatible ○ Several factor forms: NodeMCU, Weedemos, Adafruit Huzzah... ○ Works only with 3.3V logic ○ WiFi + TCP/IP stack
Hardware: Microcontrollers 19 Block diagram Protection GNDBAT VBAT = 3.6 V - 4.7 VCharge VmUSB = 5V VUSB = 5V Arduino Micro GND GND GND VBAT Step-Up NodeMCU
Hardware: Microcontrollers 20 Block diagram (Power) Protection GNDBAT VBAT = 3.6 V - 4.7 VCharge VmUSB = 5V VUSB = 5V Arduino Micro GND GND GND VBAT Step-Up NodeMCU Sense
Hardware: Microcontrollers 21 Block diagram (Communications) Arduino Micro NodeMCU Sense mUSB Data + mUSB Data - USB Data + USB Data - SCASCL
Hardware: demo 22
Software 23
Software 24 ● Reprogram hardware ● Store data ● Retrieve data ● Modular/plugineable attacks Basic Needs
Software: Designing a general Wifi Attack 25 IDLE SAVE LOOP ATTACK 0 ATTACK N
Software: Designing an attack for our Hacking Token 26 IDLE PUSH DATA WIFI SCAN CAPTIVE COMM
Software: Designing an attack for our Hacking Token 27 IDLE PUSH DATA WIFI SCAN CAPTIVE COMM
Loop state 28 ● Hacking Token as wifi client ● Scan for available wifi ● Will get ESSID, BSSID and PWR ● Use SPIFFS to store data Wifi Scan
SPIFFS ● File system stored on the same flash as the program ● Store sketch data, config files, web server content... ● FS size depends on the flash chip size ● Uploading a new sketch does not modify FS ● Same access modes as fopen in C: r, r+, w, w+, a, a+ ● Some limitations: 31 chrs per file path, mandatory /data folder... 29 https://github.com/esp8266/Arduino/blob/master/doc/filesystem.rst |--------------|-------|---------------|--|--|--|--|--| ^ ^ ^ ^ ^ Sketch OTA update File system EEPROM WiFi config (SDK) Flash layout
Software: Designing an attack for our Hacking Token 30 IDLE PUSH DATA WIFI SCAN CAPTIVE COMM
Attack module 31 ● Hacking Token as AP ● Captive files on SPIFFS ● DNS serverCaptive
DNS server ● Serve fake captive files on AP’s gateway IP ● Resolve all requests to gateway ● WiFi sign in notification appears ● Captive portal handlers don’t care about HTTPS 32 NodeMCUClient Where is *.* ? It is here: xx.xx.xx.xx (gateway IP)
Software: Designing an attack for our Hacking Token 33 IDLE PUSH DATA WIFI SCAN CAPTIVE COMM
Retrieve Data 34 ● Hacking Token as client ● Connect to a reliable AP ● Send stored file ● Empty log file - ● Server overview: ○ Built over python’s BaseHTTPRequestHandler ○ Encrypted traffic ○ Unique id. with BasicAuth ○ Creds hased with PBKDF2 Push Data
Fork us! 35 - PlatformIO core (CLI utility) - Official IDEs over Atom and VS - Serial port monitor - Library management system - Multi-project - Theme support - Cross-platform support - CI & Remote unit testing “An Open Source ecosystem for IoT development” @HackingTokens PlatformIO
Results 36
Results 37 ● Fake UB’s captive portal ● Able to capture and log credentials data ● No real users data has been storedEvil twin (fake captive portal)
Results: Evil twin (fake captive portal) 38
Results: Evil twin (fake captive portal) 39
Results 40 ● Google API ● Trace route based on WiFi APs ● Compare with real routes Geolocation
Results: Geolocation 41
Results: Geolocation 42
Results: Geolocation 43
Results 44 Bonus: Open AP (BadUSB) ● Simple BadUSB ● Focused on Android devices ● Some limitations/requirements ● Funny AP
Bonus: Open AP (BadUSB) 45
Conclusions 46
Conclusions 47 ○ Successful PoC study ○ Hardware viability ○ Dedicated and isolated vector attacks ○ Two direct attacks proved ○ One post-processed attack
TODO 48 ○ Atmega32u4 @ 3.3V 8MHz ○ Better current sensing ○ Internal SPI/I2C protocol ○ LED/LCD/TFT output - ○ OTA Firmware updates ○ Wi-Fi Monitor mode ○ USB Host (MAX3421E) ○ Bluetooth (ESP32)
Acknowledgments 49 ● Paul Charbonneau | PCB design ● Alejandro Codina | IT support ● Gerard Finol | WifiScan module and data processing ● Enric Florit | Server development and management ● Isaac Godoy | Hardware development and integration ● David Martínez | Modules integration and project refactor - ● Universitat de Barcelona | Subsidized some of the materials and allowed us to perform PoCs on its network
Questions 50
@ismansiete ibenito@el.ub.edu isman7 @arnaugamez arnau@hackinglliure.org arnaugamez Hacking Tokens: A Massive PoC Ismael Benito | Arnau Gàmez Thank you!

Recommended

Dario Durando - IoT: Battle of Bots [rooted2018]
Dario Durando - IoT: Battle of Bots [rooted2018]Dario Durando - IoT: Battle of Bots [rooted2018]
Dario Durando - IoT: Battle of Bots [rooted2018]RootedCON
 
Raúl Siles - IOT: INTERNET OF T... [rooted2018]
Raúl Siles - IOT: INTERNET OF T... [rooted2018]Raúl Siles - IOT: INTERNET OF T... [rooted2018]
Raúl Siles - IOT: INTERNET OF T... [rooted2018]RootedCON
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 
Cryptography
CryptographyCryptography
CryptographySri Manakula Vinayagar Engineering College
 
Snooping on Cellular Gateways and Their Critical Role in ICS
Snooping on Cellular Gateways and Their Critical Role in ICSSnooping on Cellular Gateways and Their Critical Role in ICS
Snooping on Cellular Gateways and Their Critical Role in ICSPriyanka Aash
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
 
RFID Hacking: Live Free or RFID Hard
RFID Hacking: Live Free or RFID HardRFID Hacking: Live Free or RFID Hard
RFID Hacking: Live Free or RFID HardBishop Fox
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkLeszek Mi?
 

Recommended

Dario Durando - IoT: Battle of Bots [rooted2018]
Dario Durando - IoT: Battle of Bots [rooted2018]Dario Durando - IoT: Battle of Bots [rooted2018]
Dario Durando - IoT: Battle of Bots [rooted2018]RootedCON
 
Raúl Siles - IOT: INTERNET OF T... [rooted2018]
Raúl Siles - IOT: INTERNET OF T... [rooted2018]Raúl Siles - IOT: INTERNET OF T... [rooted2018]
Raúl Siles - IOT: INTERNET OF T... [rooted2018]RootedCON
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 
Cryptography
CryptographyCryptography
CryptographySri Manakula Vinayagar Engineering College
 
Snooping on Cellular Gateways and Their Critical Role in ICS
Snooping on Cellular Gateways and Their Critical Role in ICSSnooping on Cellular Gateways and Their Critical Role in ICS
Snooping on Cellular Gateways and Their Critical Role in ICSPriyanka Aash
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
 
RFID Hacking: Live Free or RFID Hard
RFID Hacking: Live Free or RFID HardRFID Hacking: Live Free or RFID Hard
RFID Hacking: Live Free or RFID HardBishop Fox
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkLeszek Mi?
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...RootedCON
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian MalwareKaspersky
 
Windows Live Forensics 101
Windows Live Forensics 101Windows Live Forensics 101
Windows Live Forensics 101Arpan Raval
 
Under the hood of modern HIPS-es and Windows access control mechanisms
Under the hood of modern HIPS-es and Windows access control mechanismsUnder the hood of modern HIPS-es and Windows access control mechanisms
Under the hood of modern HIPS-es and Windows access control mechanismsReCrypt
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 
Chapter 8 security tools ii
Chapter 8 security tools iiChapter 8 security tools ii
Chapter 8 security tools iiSyaiful Ahdan
 
How to use shodan more powerful
How to use shodan more powerful How to use shodan more powerful
How to use shodan more powerful National Cheng Kung University
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclavewolfSSL
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовХакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовPositive Hack Days
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...MITRE - ATT&CKcon
 
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...CODE BLUE
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Freddy Ortiz
 
IoT Session Thomas More
IoT Session Thomas MoreIoT Session Thomas More
IoT Session Thomas MoreKevin Van den Abeele
 
Cc internet of things @ Thomas More
Cc internet of things @ Thomas MoreCc internet of things @ Thomas More
Cc internet of things @ Thomas MoreJWORKS powered by Ordina
 
The Crucial Component of IoT Products by Aravinth Panchadcharam [ Senior Embe...
The Crucial Component of IoT Products by Aravinth Panchadcharam [ Senior Embe...The Crucial Component of IoT Products by Aravinth Panchadcharam [ Senior Embe...
The Crucial Component of IoT Products by Aravinth Panchadcharam [ Senior Embe...Next Big Thing AG
 

More Related Content

What's hot

Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...RootedCON
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian MalwareKaspersky
 
Windows Live Forensics 101
Windows Live Forensics 101Windows Live Forensics 101
Windows Live Forensics 101Arpan Raval
 
Under the hood of modern HIPS-es and Windows access control mechanisms
Under the hood of modern HIPS-es and Windows access control mechanismsUnder the hood of modern HIPS-es and Windows access control mechanisms
Under the hood of modern HIPS-es and Windows access control mechanismsReCrypt
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 
Chapter 8 security tools ii
Chapter 8 security tools iiChapter 8 security tools ii
Chapter 8 security tools iiSyaiful Ahdan
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclavewolfSSL
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовХакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовPositive Hack Days
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...MITRE - ATT&CKcon
 
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...CODE BLUE
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Freddy Ortiz
 

What's hot (19)

Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
 
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian Malware
 
Windows Live Forensics 101
Windows Live Forensics 101Windows Live Forensics 101
Windows Live Forensics 101
 
Under the hood of modern HIPS-es and Windows access control mechanisms
Under the hood of modern HIPS-es and Windows access control mechanismsUnder the hood of modern HIPS-es and Windows access control mechanisms
Under the hood of modern HIPS-es and Windows access control mechanisms
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
 
Chapter 8 security tools ii
Chapter 8 security tools iiChapter 8 security tools ii
Chapter 8 security tools ii
 
How to use shodan more powerful
How to use shodan more powerful How to use shodan more powerful
How to use shodan more powerful
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure Enclave
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовХакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентов
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
 
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
 
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2
 

Similar to Hacking Tokens PoC

The Crucial Component of IoT Products by Aravinth Panchadcharam [ Senior Embe...
The Crucial Component of IoT Products by Aravinth Panchadcharam [ Senior Embe...The Crucial Component of IoT Products by Aravinth Panchadcharam [ Senior Embe...
The Crucial Component of IoT Products by Aravinth Panchadcharam [ Senior Embe...Next Big Thing AG
 
Zabbix for Monitoring
Zabbix for MonitoringZabbix for Monitoring
Zabbix for MonitoringGLC Networks
 
Multipilot pres-ufficiale def
Multipilot pres-ufficiale defMultipilot pres-ufficiale def
Multipilot pres-ufficiale defRoberto Navoni
 
IPv6 with Mikrotik
IPv6 with MikrotikIPv6 with Mikrotik
IPv6 with MikrotikGLC Networks
 
Iot development from prototype to production
Iot development from prototype to productionIot development from prototype to production
Iot development from prototype to productionMender.io
 
MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1GLC Networks
 
Workshop on IoT and Basic Home Automation_BAIUST.pptx
Workshop on IoT and Basic Home Automation_BAIUST.pptxWorkshop on IoT and Basic Home Automation_BAIUST.pptx
Workshop on IoT and Basic Home Automation_BAIUST.pptxRedwan Ferdous
 
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...eMadrid network
 
MTCNA Intro to routerOS
MTCNA Intro to routerOSMTCNA Intro to routerOS
MTCNA Intro to routerOSGLC Networks
 
BOX of Illusion MOSEC'17
BOX of Illusion MOSEC'17BOX of Illusion MOSEC'17
BOX of Illusion MOSEC'17Python0x0
 
IoT Development from Prototype to Production
IoT Development from Prototype to ProductionIoT Development from Prototype to Production
IoT Development from Prototype to ProductionMender.io
 
Internet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! nightInternet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! nightAndy Gelme
 
Using protocol analyzer on mikrotik
Using protocol analyzer on mikrotikUsing protocol analyzer on mikrotik
Using protocol analyzer on mikrotikAchmad Mardiansyah
 
MediaTek Linkit Smart 7688 Webinar
MediaTek Linkit Smart 7688 WebinarMediaTek Linkit Smart 7688 Webinar
MediaTek Linkit Smart 7688 WebinarMediaTek Labs
 
Socket Programming with Python
Socket Programming with PythonSocket Programming with Python
Socket Programming with PythonGLC Networks
 
Running BGP with Mikrotik
Running BGP with MikrotikRunning BGP with Mikrotik
Running BGP with MikrotikGLC Networks
 
HKG18-219 - Threat Modeling for IoT
HKG18-219 - Threat Modeling for IoTHKG18-219 - Threat Modeling for IoT
HKG18-219 - Threat Modeling for IoTLinaro
 

Similar to Hacking Tokens PoC (20)

IoT Session Thomas More
IoT Session Thomas MoreIoT Session Thomas More
IoT Session Thomas More
 
Cc internet of things @ Thomas More
Cc internet of things @ Thomas MoreCc internet of things @ Thomas More
Cc internet of things @ Thomas More
 
The Crucial Component of IoT Products by Aravinth Panchadcharam [ Senior Embe...
The Crucial Component of IoT Products by Aravinth Panchadcharam [ Senior Embe...The Crucial Component of IoT Products by Aravinth Panchadcharam [ Senior Embe...
The Crucial Component of IoT Products by Aravinth Panchadcharam [ Senior Embe...
 
IoT: LoRa and Java on the PI
IoT: LoRa and Java on the PIIoT: LoRa and Java on the PI
IoT: LoRa and Java on the PI
 
Zabbix for Monitoring
Zabbix for MonitoringZabbix for Monitoring
Zabbix for Monitoring
 
Multipilot pres-ufficiale def
Multipilot pres-ufficiale defMultipilot pres-ufficiale def
Multipilot pres-ufficiale def
 
IPv6 with Mikrotik
IPv6 with MikrotikIPv6 with Mikrotik
IPv6 with Mikrotik
 
Iot development from prototype to production
Iot development from prototype to productionIot development from prototype to production
Iot development from prototype to production
 
MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1
 
Workshop on IoT and Basic Home Automation_BAIUST.pptx
Workshop on IoT and Basic Home Automation_BAIUST.pptxWorkshop on IoT and Basic Home Automation_BAIUST.pptx
Workshop on IoT and Basic Home Automation_BAIUST.pptx
 
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...
 
MTCNA Intro to routerOS
MTCNA Intro to routerOSMTCNA Intro to routerOS
MTCNA Intro to routerOS
 
BOX of Illusion MOSEC'17
BOX of Illusion MOSEC'17BOX of Illusion MOSEC'17
BOX of Illusion MOSEC'17
 
IoT Development from Prototype to Production
IoT Development from Prototype to ProductionIoT Development from Prototype to Production
IoT Development from Prototype to Production
 
Internet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! nightInternet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! night
 
Using protocol analyzer on mikrotik
Using protocol analyzer on mikrotikUsing protocol analyzer on mikrotik
Using protocol analyzer on mikrotik
 
MediaTek Linkit Smart 7688 Webinar
MediaTek Linkit Smart 7688 WebinarMediaTek Linkit Smart 7688 Webinar
MediaTek Linkit Smart 7688 Webinar
 
Socket Programming with Python
Socket Programming with PythonSocket Programming with Python
Socket Programming with Python
 
Running BGP with Mikrotik
Running BGP with MikrotikRunning BGP with Mikrotik
Running BGP with Mikrotik
 
HKG18-219 - Threat Modeling for IoT
HKG18-219 - Threat Modeling for IoTHKG18-219 - Threat Modeling for IoT
HKG18-219 - Threat Modeling for IoT
 

More from RootedCON

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRootedCON
 
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRootedCON
 

More from RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
 

Recently uploaded

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Recently uploaded (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Hacking Tokens PoC

  • 1. Hacking Tokens: A Massive PoC Ismael Benito | Arnau Gàmez
  • 2. Agenda 2 ● About us ● Hacking Token Concept ● Hardware ● Software ● Results ● Conclusions ● Questions
  • 4. ● Founded in late 2016 ● Faculty of Mats & CS @ UB ● Ethical and social aspects of infosec ● Use and creation of FLOSS ● Technical workshops and talks in wireless security, IoT, RE, stego, etc. 4 https://hackinglliure.org info@hackinglliure.org @HackingLliure Arnau Gàmez i Montolio | @arnaugamez ● 20yo. From Benigànim, València ● President of Hacking Lliure ● Maths & CS student @ UB ● Worked as software developer in research groups @ UB ● Participated in many CONs ● r2 evangelist ● Also interested in music: pianist
  • 5. ● Founded in 2011 ● Faculty of Physics @ UB ● Aims to promote electronics & robotics among students. ● Several activities during the course such as courses, workshops 5 http://fisitronica.net fisitronica@gmail.com @Fisitronica Ismael Benito Altamirano | @ismansiete ● 26yo. From Nou Barris, Barcelona ● Former president of Fisitrónica ● B. Physics & Electronics Eng. @ UB ● MSc. in Photonics @ UPC ● Predoctoral researcher @ UB ● Assistant professor @ UB ● Also interest in politics, magic tricks, photography, all sci-fi Netflix series...
  • 7. Hacking Token: from RootedCON 2017 7 Sweet Tools O’Mine by Hugo Teso: https://youtu.be/G8bccS3wla0
  • 9. Hacking Token as a PowerBank 9 General specs of PowerBanks: ● Portables ● Charging & discharging circuits integrated ● LiPo Bat. up to >20000 mAh ● Charger current up to >2A ● USB and Micro-USB ports ● At least a ON/OFF Button ● LEDs (Interface & linter) ● Not yet idIoTized ○ Battery pack for charging smartphones and other USB charge-capable devices. ○ Extra powerful 20000 mAh charge capacity. ○ Uses quality battery cells from well-known manufacturers. ○ Dual USB ports, including one 2.4 A port for quick charging tablets and similar devices. ○ Battery status indicator.
  • 11. Hardware 11 ● Learn about PowerBank internal circuits ● Charge and discharge a LiPo battery ● Protection circuit ● Typical schematics Reversing a PowerBank
  • 12. Hardware: reversing a PowerBank 12
  • 13. Hardware: reversing a PowerBank 13 Block diagram Protection GNDBAT VBAT = 3.6 V - 4.2 VCharge VmUSB = 5V VUSB = 5V Step-Up GND GND GND VBAT
  • 14. Hardware: reversing a PowerBank 14from several datasheets Charge circuit: ○ Models: LTC4056, TP4056... ○ Battery detection ○ Match the correct Icharge for LiPo/Li-Ion Batteries Protection circuit: ○ Models: AP9101C, BQ2970, FS312F-G, S820A ○ Overcharge voltage detection ○ Overdischarge current detection ○ Disconnects GNDBAT from GND when needed
  • 15. Hardware: Microcontrollers 15 Block diagram Protection GNDBAT VBAT = 3.6 V - 4.7 VCharge VmUSB = 5V VUSB = 5V Step-Up GND GND GND VBAT Microcontroller Wi-Fi ? ?
  • 16. Hardware 16 ● State of the art ● Choose low-power uC ● uC placement inside a PowerBank Microcontrollers (uC)
  • 18. Hardware: Microcontrollers 18 Arduino (Pro) Micro (Atmega32u4): ○ Arduino-compatible ○ Several factor forms: Micro, Leonardo, Esplora... ○ Works with 5V and 3.3V logic ○ USB stack NodeMCU v3 (ESP8266): ○ Arduino-compatible ○ Several factor forms: NodeMCU, Weedemos, Adafruit Huzzah... ○ Works only with 3.3V logic ○ WiFi + TCP/IP stack
  • 19. Hardware: Microcontrollers 19 Block diagram Protection GNDBAT VBAT = 3.6 V - 4.7 VCharge VmUSB = 5V VUSB = 5V Arduino Micro GND GND GND VBAT Step-Up NodeMCU
  • 20. Hardware: Microcontrollers 20 Block diagram (Power) Protection GNDBAT VBAT = 3.6 V - 4.7 VCharge VmUSB = 5V VUSB = 5V Arduino Micro GND GND GND VBAT Step-Up NodeMCU Sense
  • 21. Hardware: Microcontrollers 21 Block diagram (Communications) Arduino Micro NodeMCU Sense mUSB Data + mUSB Data - USB Data + USB Data - SCASCL
  • 24. Software 24 ● Reprogram hardware ● Store data ● Retrieve data ● Modular/plugineable attacks Basic Needs
  • 25. Software: Designing a general Wifi Attack 25 IDLE SAVE LOOP ATTACK 0 ATTACK N
  • 26. Software: Designing an attack for our Hacking Token 26 IDLE PUSH DATA WIFI SCAN CAPTIVE COMM
  • 27. Software: Designing an attack for our Hacking Token 27 IDLE PUSH DATA WIFI SCAN CAPTIVE COMM
  • 28. Loop state 28 ● Hacking Token as wifi client ● Scan for available wifi ● Will get ESSID, BSSID and PWR ● Use SPIFFS to store data Wifi Scan
  • 29. SPIFFS ● File system stored on the same flash as the program ● Store sketch data, config files, web server content... ● FS size depends on the flash chip size ● Uploading a new sketch does not modify FS ● Same access modes as fopen in C: r, r+, w, w+, a, a+ ● Some limitations: 31 chrs per file path, mandatory /data folder... 29 https://github.com/esp8266/Arduino/blob/master/doc/filesystem.rst |--------------|-------|---------------|--|--|--|--|--| ^ ^ ^ ^ ^ Sketch OTA update File system EEPROM WiFi config (SDK) Flash layout
  • 30. Software: Designing an attack for our Hacking Token 30 IDLE PUSH DATA WIFI SCAN CAPTIVE COMM
  • 31. Attack module 31 ● Hacking Token as AP ● Captive files on SPIFFS ● DNS serverCaptive
  • 32. DNS server ● Serve fake captive files on AP’s gateway IP ● Resolve all requests to gateway ● WiFi sign in notification appears ● Captive portal handlers don’t care about HTTPS 32 NodeMCUClient Where is *.* ? It is here: xx.xx.xx.xx (gateway IP)
  • 33. Software: Designing an attack for our Hacking Token 33 IDLE PUSH DATA WIFI SCAN CAPTIVE COMM
  • 34. Retrieve Data 34 ● Hacking Token as client ● Connect to a reliable AP ● Send stored file ● Empty log file - ● Server overview: ○ Built over python’s BaseHTTPRequestHandler ○ Encrypted traffic ○ Unique id. with BasicAuth ○ Creds hased with PBKDF2 Push Data
  • 35. Fork us! 35 - PlatformIO core (CLI utility) - Official IDEs over Atom and VS - Serial port monitor - Library management system - Multi-project - Theme support - Cross-platform support - CI & Remote unit testing “An Open Source ecosystem for IoT development” @HackingTokens PlatformIO
  • 37. Results 37 ● Fake UB’s captive portal ● Able to capture and log credentials data ● No real users data has been storedEvil twin (fake captive portal)
  • 38. Results: Evil twin (fake captive portal) 38
  • 39. Results: Evil twin (fake captive portal) 39
  • 40. Results 40 ● Google API ● Trace route based on WiFi APs ● Compare with real routes Geolocation
  • 44. Results 44 Bonus: Open AP (BadUSB) ● Simple BadUSB ● Focused on Android devices ● Some limitations/requirements ● Funny AP
  • 45. Bonus: Open AP (BadUSB) 45
  • 47. Conclusions 47 ○ Successful PoC study ○ Hardware viability ○ Dedicated and isolated vector attacks ○ Two direct attacks proved ○ One post-processed attack
  • 48. TODO 48 ○ Atmega32u4 @ 3.3V 8MHz ○ Better current sensing ○ Internal SPI/I2C protocol ○ LED/LCD/TFT output - ○ OTA Firmware updates ○ Wi-Fi Monitor mode ○ USB Host (MAX3421E) ○ Bluetooth (ESP32)
  • 49. Acknowledgments 49 ● Paul Charbonneau | PCB design ● Alejandro Codina | IT support ● Gerard Finol | WifiScan module and data processing ● Enric Florit | Server development and management ● Isaac Godoy | Hardware development and integration ● David Martínez | Modules integration and project refactor - ● Universitat de Barcelona | Subsidized some of the materials and allowed us to perform PoCs on its network