steelcon 2015 - 0wning the internet of trash
TRANSCRIPT
whoami
• Darren Martyn / infodox
• Penetration Tester & Researcher @ Xiphos Research Ltd
• Forensics & Chemistry Student @ GMIT
This talk…
• Hacking embedded devices – a gentle introduction.
• Both hardware and software explorations
• Examining exploitation ITW and post exploitation
Today we shall talk about…
• Obtaining firmware for embedded devices.
• Basics of UART identification and use
• Extraction of firmware/finding vulnz
• Popping boxes (exploit development).
• Boxes being popped (router malware case studies)
• Post exploitation
• Future ideas…
(I promise, no more walls of text after this!)
Methods of getting firmware…
• Download from internet
> Vendor website
> random internauts
• Extract from device
• There are other methods, but not going to get into that here.
Extracting from device…
• This is where we segue into the land of UART.
• Basically, get some kinda shell on the device
• And copy the rootfs (the bit we give a damn about for now).
• Two main ways this happens for today's purposes…
UART Basics…
• UART = “Universal Asynchronous Receiver/Transmitter”
• TL;DR basically serial
• Usually 4 pins, we only care about 3 really.
• RX, TX, VCC, GND. We usually can ignore VCC.
Interfacing with UART.
• Buspirate - ~15£, interfaces with bloody everything.
• Has disadvantage of being a bit of a pain to use at times.
• Save money and cost!
• USB-TTL converter for 2£ from ebay
Which pin goes where
• This is a hard one to explain. Best summary is below.
• http://www.devttys0.com/2012/11/reverse-engineering-serial-ports/
• Get a multimeter or oscilloscope…
> GND pin will positively continuity test with … a grounded bit
> VCC is tied high at +3.3V or +5V usually
> TX fluctuates between 3.3V and 0V as it… Transmits.
> RX… Good fucking luck
Ok, all hooked up. Interaction time?
• Not yet. Gotta find the baudrate
• I usually just use this, or do it by hand.
• https://code.google.com/p/baudrate/
• Then just ‘screen /dev/ttyUSB0 <baudrate>’
Connected!
Here we have a “Billion” router's bootloader debug output coming over serial from it :D
Sometimes we get a rootshell…
Other times we get a “uBoot” shell.
GET /FIRMWARE
• If you have a uBoot shell, you can often dump out the image
• Xfer to yourself over tftp
• With a rootshell… xfer back to yourself over tftp the entire rootfs
A case study in firmware reversing && bug hunting…
• For this bit on extracting FW and finding bugs a case study is best.
• I presented the end result of this at Bsides Hannover.
• We start with Moovbox firmware, end up with rootshells!
find . -name "vuln"
• Took a fairly blind approach to finding vulns
• “Grep and gripe” kind of things
• First off, looked at the web interface of the device. How does it work? What's its config? Etc.
Some numbers
• All 108 were vulnerable to ShellShock
• All 108 had the same shitty CGI script
• 106 used thttpd running as root
• 2 ran lighttpd. Also as root
Further firmware analysis
• Let's look for more fun stuff in this firmware
• First off, we analyse the passwd files
• 4 unique hashes
The Hashes
• I have yet to crack these. People have been trying and failing for about a month. Can you succeed?
root:$1$5jjAfVIS$dIG6AvGNwq8EENjTHnfpK/
root:$1$jb.3W.1D$8FeBW.T/x2wwJVB.lp.gv1
root:$1$bw7WuzHj$aU6V7omf9zBWA2sEaJv9p1
root:$6$W74jOIhT$QaYoDDN.N1SRgyG5ALymJHcYc9TmXKcITXyCstGDdK9cXOssLOTMQPl2uRm.wsNZ7oE5byOOrdNlvNxyguqVs/
SSH Keys
• Protip: Hardcoded SSH Keys Suck
• They all have /etc/ssh/ keys. RSA and DSA
• They also have the same /etc/ssh_key privkey, which is a bit unusual...
/etc/ssh_key
• Now, this is an odd one. It matches exactly two boxes in the wild – both hosts in Germany
• As to wtf these are, I have no idea
• If anyone can figure it out, it would be great ;)
• 89.110.151.186 & 89.110.148.26 (who is this?)
Let’s go after SSL keys…
• OpenVPN Keys: find . -name "*.key" (108)
> All identical
• SSL Keys: find . -name "*.pem" (973)
> 2e465be3c06ea7db968347aaa3df7d37
> Also all the same...
SSL Keys
• 6 of them on each image. All identical across images:
> 7135ad5b7fd5fb2eb23f8dfecf74919d
> cb5199178e4649461928356c7cbdae74
> de2c6949bd1bca55c20d9610510a08d1
> 905a7590ee039a788a08d4dfd15d2582
> a926c2beaa439f37bc62a5678a4e5906
> 35a569e0e768495554c4cbddd787f9e4
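The two key-hunting slides above boil down to one audit: hash every `*.key` and `*.pem` across a pile of unpacked images and see which digests recur. Below is an added shell example of that audit; it is not from the talk or the Moovbox firmware. It assumes each image is extracted under its own directory beneath one root (`<root>/<image>/...`) and builds a small constructed sample tree to run against.

```shell
#!/bin/sh
# Added example, not from the talk: find key material (*.key, *.pem) that is
# byte-identical across a set of unpacked firmware images. Assumed layout:
# <root>/<image-name>/... with one directory per extracted image.
set -eu

# Constructed sample: three images that all ship the same OpenVPN key and the
# same server.pem, plus one .pem that exists only in image fw3.
make_sample_tree() {
    root=$(mktemp -d)
    for img in fw1 fw2 fw3; do
        mkdir -p "$root/$img/etc/openvpn" "$root/$img/etc/ssl"
        printf 'SHARED-OPENVPN-KEY\n' > "$root/$img/etc/openvpn/client.key"
        printf 'SHARED-CERT-A\n'      > "$root/$img/etc/ssl/server.pem"
    done
    printf 'UNIQUE-CERT-B\n' > "$root/fw3/etc/ssl/extra.pem"
    printf '%s\n' "$root"
}

# Print one line per digest seen in more than one image:
#   <md5> <images-sharing-it> <example-path>
# Duplicates inside a single image are not counted; what matters is key
# material common to many devices, since any one of them leaks it for all.
shared_keys() {
    root=$1
    find "$root" -type f \( -name '*.key' -o -name '*.pem' \) -exec md5sum {} + |
    awk -v root="$root/" '
        {
            sum = $1; path = $2
            rel = substr(path, length(root) + 1)    # strip "<root>/"
            split(rel, parts, "/"); img = parts[1]  # first component = image
            if (!((sum, img) in seen)) {
                seen[sum, img] = 1
                n[sum]++
                example[sum] = path
            }
        }
        END { for (s in n) if (n[s] > 1) print s, n[s], example[s] }' |
    sort
}

# Number of digests shared across images (0 means nothing is shared).
shared_key_count() {
    shared_keys "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_sample_tree)
    shared_keys "$demo_root"
    echo "shared digests: $(shared_key_count "$demo_root")"
fi
```

Point it at a real extraction root instead of the sample tree and every digest with a count near the number of images is a key baked into the build rather than generated per device.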
Popping Boxes/xdev
• Most of the vulns you will find are remote root
• A lot of them will be command injection bugs.
• Most people just enable telnetd and leave it at that.
• More fun to be had…
Popping Boxes/xdev – dloser 0day
Greetz to imax who actually bought a NAS back when we wrote the early versions of this exploit!
Popping Boxes/xdev
• Getting a shell is just step 1.
• Better payloads (tshd, for example) allow file transfer.
• This means we can upload tools and exfil files easily
• (A POSIX Meterpreter that worked on ARM/MIPS/PPC would be nice and all… Just sayin’)
Router Malware
• This stuff is being done ITW
• I had nice screenshots and pictures, but /tmp ate them
• So I’ll TL;DR it and explain some examples.
Linux\Flasher.A
• Discovered by myself and _ta0 in the wild.
• Firmware flashing malware, installed malicious firmware that included a password sniffer (dsniff) and exfil scripts using wput.
• Sent very little network traffic, un-killable unless you reflashed.
• Crude, held together with bash scripts, but highly effective.
Hydra/Aidra Family
• Worm/Botnet, IRC controlled.
• Spreads via telnet (and SSH) bruteforcing, also a D-Link config bug.
• Mainly used by script kiddies for DDoS purposes…
Moon
• Linksys was the only affected vendor.
• Discovered by some SANS handler (Johannes).
• Used a remote root command execution 0-day to spread.
• Functionality mostly unknown. Had hardcoded target ranges. Just spread… And spread. Possible test run?
Post Exploitation
• Exposed embedded devices put you firmly within an affected target's network
• Often (routers) in a privileged position (routing all traffic!)
• So much potential for pivoting, sniffing, etc… Going beyond rootshells…
• Persisting is a harder problem we will address!
Post Exploitation - Building Toolkits
• We need to statically link things so they will run on these devices.
• uClibc.org – excellent cross compiler toolchains, 10/10 recommend.
• Now what tools do we actually need to do fun stuff?
Post Exploitation - Requirements
• C&C – So we can manage the devices
• Robust tools for getting shell access, transferring files.
• Tools for sniffing, spoofing, doing things.
• Persistence.
Post Exploitation – C&C
• For C&C, we should practice excellent OPSEC.
• Use Tor. Cross compiling static Tor is hard. I will publish the build guide in a week or so on Github
• Set up Tor to be a hidden service pointing at tshd bindshell.
• There was a screenshot, but bloody /tmp ate it
Post Exploitation – Access
• We need to be able to run commands, interactive shell, and transfer files.
• Tshd by Christophe Devine fits the bill for this.
• Encrypted file xfer/PTY/command exec, bind and reverse connect modes.
• Will publish the build-toolchain later
Post Exploitation – Hack The Planet
• Tcpdump && Ettercap && socat && nmap
• It's been done before
• We have to catch up
• Will publish the build-toolchains later
Persist
• How does firmware work?
• It's infectious!
• Unless you reflas…… Permapwned
• “RPEF” by Michael Coppola is ITW
• Firmware infections here to stay
Rootkit Firmwares
• They exist
• They are using them
• If you believe otherwise you are an idiot.
• …
Thanks
• Coworkers and such for tolerating weirdness
• F1nux, Alastair, digininja, `k, getting me talking
• Router mfg’s for making such products
Q&A
Questions & Comments & Abuse?
Contact:
• @info_dox (twitter)
• [email protected] (email)
• [email protected] (jabber, use OTR else /ignore)