Csi Netsec 2006 Poor Mans Guide Merdinger

Poor Man's Guide To Network Espionage Gear Shawn Merdinger Independent Security Researcher CRT-9 Computer Security Institute NetSec 2006 2006.06.14

Obligatory Speaker Slide Shawn Merdinger Independent security researcher & corporate irritant Current indy projects VoIP device & Emergency communications systems Former positions TippingPoint Cisco Systems STAT (Security Technologies Assessment Team) Web: www.io.com/~shawnmer

Warnings and Stuff This is academic research...the “how” not the “why” This is “dangerous information”...however You have the right/need to know I have the right/need to talk Oh yeah...and remember Devices (in context) may be illegal...don't use Activities (in context) may be illegal...don't do I’m not a lawyer…

Objectives Academic information exchange My favorite cheap and mean gear Attacks & countermeasures Resources

Agenda Objectives Attackers Network Espionage Devices (NEDs) Gettin' Spooky with IT Countermeasures Looking forward

Got bad soup? Devestating yet “simple” attack

Attacker Goals Attacker wants to accomplish... Gain internal access via a device at victim location Attack internal/external hosts via TCP/IP Attack phone/PDA/PC via Bluetooth Passively gather information via sniffing Establish other internal and external access Impersonate services – Webserver, Database Target a user's service – VIP VoIP connection

Attack Tools Typical opensource methods and tools Scanning & Probing Sniffing Exploiting Covert communications Multiple protocols and entry points Wired LAN 802.11b/g wireless Bluetooth

NEDs My favorites Linksys WRT54G Nokia 770 Gumstix PicoTux Plenty others! Access Points PDAs Game platforms

NED Characteristics Small, unobtrusive, ubiquitous, “cute” Low-cost, disposable at victim's location Minimal power requirements Power over ethernet, battery, solar potential Multiple attack vector capability Wired, Wireless, Bluetooth, RFID Traditional forensics very difficult Ephemeral filesystems running in RAM & device access Try that with Encase!

NED Characteristics Outbound reverse connections back to attacker Crypto tunnels bypass firewalls, IDS “Under the radar” common protocols like DNS requests, ICMP, HTTP/S Proxies, anonymizers, etc. Ported attack tools and exploits ARM processor-based Some hardware and software limitations and trade-offs Dependent libraries, GUIs, etc. E.g. Don't expect a full Nessus client/server on Linksys routers

NED OS & Software Stripped-down Linux BusyBox shell SSH, HTTP/S management Features like VPN tunnels, mesh networking On-the-fly software install as “packages” DNS, Apache, Asterisk Attack tools and exploits Powerful scripting languages: Python, Ruby Customizable

Linksys WRT54G Cheap, cute Secure with default Linksys firmware? Ubiquitous = the “new Windows” Very likely unpublished exploits in the wild Opensource alternatives to Linksys firmware OpenWRT Package system Sveasoft Mesh netwkorking Un-leashing the WRT54G....

FairuzaUS for Linksys FairuzaUS: www.hackerpimps.com Treo 650 SSH into FairuzaUS into compromised Windows box Command line interface over SSH

Nokia 770 Basics US $300 Slow CPU, low RAM 802.11b & Bluetooth Virtual touchscreen keyboard Debian Linux PDA Software Lots of development via Maemo project Many security tool packages by independent folks Tcpdump, Nmap, Dsniff, Kismet, Bluetooth audit

Gumstix Ultra-small computers ($120 +) Expandable “snap in” boards CF storage and 802.11b wireless Single and dual Ethernet with POE MITM hardware device with dual ethernet Bluetooth USB, serial, PS/2 connectors Used in BlueSniper, UltraSwarm Developer CDs and environment

PicoTux Picotux 100 and 112 (US $100 +) World's smallest Linux computer 35mm×19mm×19mm (size of RJ45 connector) Power over ethernet Telnet and HTTP server Developer CDs and environment Attacks One of these in the plenum off a Cisco CAT switch “Serial to ethernet connector”

Spooky: Device Enclosures Free water cooler offer ;) Potential for power source Legitimate reason for physical presence..and returning Office décor Flower safe with X-mas tree & lights...plug 'n play Exit Sign, fire extinguisher *Dangerous to mess with emerg. gear

Spooky: 0wn3d Mesh Network Municipal networks beware! Build It EVDO gateway for Internet Drive-by/Walk-by AP 0wn4g3 Senao AP w/ YAGI = Sweeper Run It Karma = DHCP for everybody Shared crypto keys, cron jobs, remote ssh-fs mounts Own it Attack everything , browser exploits on capture portal

Spooky: In-Transit “Marketing” Airports, train stations, bus stations, subways, etc. Bluetooth spamming with “scary” message content 0wn3d wifi networks & Windows Messaging Multiplier-effect Simultaneous at multiple hubs in US “Scary message” Huge productivity costs Wrong message Used as diversion, secondary attack, etc.

Spooky: Long-distance, the next best thing to being there Home-built Bluetooth/Wifi “Sniper” setups Bluetooth targets up to one mile 802.11b targets up to...?

How far? 802.11b over 125 miles

Countermeasures Know the risks and threats Know your network devices and traffic User education, buy-in, ownership of the problem Policy and “best practices” Planned response Other measures Honeypots, Honeynets, Bluetooth-honeypot Calling the cavelry (private specialists, Johnny Law) Hack-backs

Looking Forward More devices with network access It's only going to get worse.... “Why is my refrigerator scanning my network?” Same old issues: poor QA and security, outsourced, lack-of ownership, fixes/patching, etc. Tied into critical applications Tele-medicine, mobile data Emergency Communications Infrastructure Vonage over Linksys box was NO lifeline post-Katrina Plenty others...stay tuned!

Questions? Thanks! Contact: shawnmer @ gmail.com

Csi Netsec 2006 Poor Mans Guide Merdinger

More Related Content

What's hot (18)

Viewers also liked (20)

Similar to Csi Netsec 2006 Poor Mans Guide Merdinger (20)

Recently uploaded (20)

Csi Netsec 2006 Poor Mans Guide Merdinger