Fuck 0-days We Wil Pwn You with HW, mofos!

Fuck 0-days We Wil Pwn You with HW, mofos!
Fuck 0-days,
we will pwn u with
hardware mofos
MC & Yaniv Miron
Security 1337s in Fcon²Labs @ FortConsult
Powerpoint Templates
Page 1
/ About MC
• Intercontinental man of mystery and
security consultant
• Performs security testing and
assessments on most continents
• Works in Fcon²Labs at FortConsult in
Copenhagen, Denmark
• From Peahi, Maui
• Used to rock the house on the ones and
Powerpoint Templates
Page 2
/ About Yaniv Miron
• Yaniv Miron aka Lament
• Security Researcher and Consultant @
Fcon²Labs @ FortConsult @ Copenhagen,
• Found security vulnerabilities in IBM,
Oracle, Microsoft and Apache products as
in other products
• CISO Certified from the Technion (Israel
Institute of Technology)
• Certified Locksmith
Powerpoint Templates
Page 3
/ About FortConsult
• Founded in 2002 by Ulf Munkedal
• Located @ Copenhagen, Denmark
• Fcon²Labs << doing cool stuff for real
• Go ahead - challenge us
Powerpoint Templates
Page 4
• WTF?! is hardware hacking (dude, it’s
not moding…come on)
• Hardware hacking today
• Our hardware hacking tools
• Build your own hardware hacking toolkit
• 5 for real hardware hacking DEMOs – we
know Confidence does not like theoretical
Powerpoint Templates
Page 5
Things to Know Ahead
• 0-day – well…
• pwn – check in the dictionary
• mofos – check in the dictionary
• 1+1=3 for high values of 1
Powerpoint Templates
Page 6
Pimpin’ aint easy
Powerpoint Templates
Page 7
Hacking ? Use Hardware
• OWASP Top 10? When was the last time
you have pwned something with it?
• Fast – go go go
• Unexpected and unchecked
• When was the last time somebody
bought a hacking test with hardware?
Powerpoint Templates
Page 8
Hacking – Long Tail
Powerpoint Templates
Props to ReL1k at trustedsec.com for the diagram
Page 9
How to Build Your Kit
•You need some $$$ - not much but…
•You need us to tell you what to buy
•You need a shipping address
•You need some learning time
•You need a lab to practice
Powerpoint Templates
Page 10
• Apple's name for the IEEE 1394 High
Speed Serial Bus
• FireWire supports multiple hosts per bus,
plug and play and hot swapping
• FireWire versions >> 400 and 800
• Supports Direct-Memory-Access (DMA)
• FireWire can have communication in both
directions at the same time
Powerpoint Templates
Page 11
FireWire – Security
• In SBP-2 (Serial Bus Protocol 2) used by
FireWire the controlling device sends a
request by remotely writing a command to
specified area of the target's FireWire
address space
• Mapping between FireWire "Physical
Memory Space" and device physical
memory is done in hardware
• No operating system intervention
• What could possibly go wrong ; )?
Powerpoint Templates
Page 12
FireWire – Hardware
• FireWire / Thunderbolt / ExpressCard /
PCMCIA / interface on attack and victim
machine >> servers PCIe etc
• No native FireWire plug? >> add adapter
to expand PCIe bus and hotplug it
• Firewire cable to connect interfaces
Powerpoint Templates
Page 13
FireWire – History
•Dornseif et al 2004 at various cons
•Metlstorm’s Winlockpwn – Ruxcon 2006,
Kiwicon 2008
• Unofficial tweaks and updates
• Linux Kernel 2.6.22 new Juju FireWire
• FTWAutopwn now called Inception
Phat props to @metlstorm (Adam Boileau) and @breaknenter (Carsten Maartmann-Moe)
Powerpoint Templates
Page 14
FireWire – Software
• Inception tool
• Requires Linux with JuJu IEEE FireWire
stack e.g. Ubuntu 11 and later
• Python 3
• Libforensics1394
• Pwns WinXP SP2-3, Win7 SP0-1, Vista
SP0 SP2, Win 8 SP0, Mac OSX Snow
Leopard Lion Mountain Lion, Ubuntu 11.04
11.10 12.04 x86 and x64
Powerpoint Templates
Page 15
FireWire – Pwnage
• Inception tool
• Patch victim memory to bypass password
• Dump victim memory (4Gb limit due to
FW 32-bit limitation)
• Pick pocket mode >> auto dump from
victims that connect to FireWire or
Thunderbolt daisychain
• This means typical corporate laptop with
Win7 Bitlocker full disk crypto is often
Powerpoint Templates
Page 16
FireWire – Pwnage (cont.)
• Search pwned memory dump or hard
drive for credentials, keys, hashes etc
• Use volatility tool to carve valuable data
from memory dump to plan and execute
other attacks
• Use obtained data loot to penetrate other
systems e.g. move laterally into
organization and pwn systems the victim
had access
Powerpoint Templates
Page 17
FireWire – Pwnage (cont.)
Powerpoint Templates
Page 18
FireWire – Demo
Powerpoint Templates
Page 19
FireWire – Recipe
• HW: FireWire PCMCIA / PCExpress card,
eBay or Amazon
• HW: Firewire cable (400/800) with
4/6/9 pole connector to connect attack
laptop to victim, eBay or Amazon
• SW: Linux with IEEE1394 Juju Stack
• SW: libforensics driver, Python 3
• SW: Inception
Powerpoint Templates
Page 20
FireWire – Recipe (cont.)
• Find victim laptop and insert FW card
(PCMCIA/PCExpress) if there is no FW
• Connect Linux attack machine to victim
over FW and run inception to bypass login
• Rape and pillage hard drive >> login
credentials, emails, budgets, contracts etc
• If there is a pre-boot auth password wait
until the machine is booted and locked
with screen saver before attacking
• If login bypass fails, then dump memory
and rinse and repeat as above
Powerpoint Templates
Page 21
• The Teensy is a complete USB-based
microcontroller development system, in a
implementing many types of projects. All
programming is done via the USB port. No
special programmer is needed, only a
standard "Mini-B" USB cable and a PC or
Macintosh with a USB port.
Powerpoint Templates
Page 22
Teensy – What Is It ?
• A very fast keyboard in our case
• A cool hardware hacking device
• Our little friend when somebody turns
around for a sec…
Powerpoint Templates
Page 23
Teensy – Software
• So we need the Teensy App
• And the Arduino 1.0.1
Powerpoint Templates
Page 24
Teensy – Coding
Powerpoint Templates
Page 25
Teensy – Coding (cont.)
Powerpoint Templates
Taken from illwill @ http://www.nesit.org board
Page 26
Teensy – Coding (cont. 2)
Powerpoint Templates
Page 27
Teensy – Coding (cont. 3)
Powerpoint Templates
Page 28
Teensy – XP vs 7
• cmd vs rcmd
• This is like a human
keyboard…don’t do TYPOS
• But you know… Teensy will pwn them
Powerpoint Templates
Page 29
Teensy – Hardware
• There are different teensy
• We are using Teensy 2.0
Powerpoint Templates
Page 30
Teensy – Demo
Powerpoint Templates
Page 31
Teensy – Recipe
• Buy it here:
• Install the loader application:
• (remember that the orange light should
blink at first use)
• Download the Arduino Software
• Code some cool stuff and upload it
• Attack!
Powerpoint Templates
Page 32
• Many business use proximity cards to
control physical access
• Many such implementations use cards
that can be cloned
• If the implementation is not secure then
cloned cards can be used to gain physical
• Companies may have shiny expensive
prox card equipment but the security
features may be misconfigured or not
Powerpoint Templates
Page 33
RFID (cont.)
• Most prox card use proprietary encoding
and data formats
• This talk >> Limited to Low Frequency
125KHz cards using Frequency Shift
Keying (FSK) technology
• Numerous vendors e.g. HID, Honeywell,
Keyscan and others offer such solutions
• These solutions are popular and often
implemented in corporate environments
Powerpoint Templates
Page 34
RFID (cont. 2)
• Systems consists of tags, readers and a
backend control system
• Tags contain an antenna and a chip and
are usually passive
• Passive cards require the reader to
provide power for communication
Powerpoint Templates
Page 35
RFID (cont. 3)
• One of the most popular commercial
solutions is HID ProxCard
• Still used despite security weaknesses
• Card stores a 44-bit value sent to the
backend via a reader to grant or deny
• Only 26-bits are used for authentication
• What could possibly go wrong ; ) ?
Powerpoint Templates
Page 36
RFID – Pwn Time
• Reading a victim's prox card means the
attacker knows the 26-bits
• Roll your own or buy a reader
• Add battery pack to power reader for
• Maximize read range for maximum
• Most readers requires card to be within
3-4 inches >> GTFO, pedro!
Powerpoint Templates
Page 37
RFID – Pwn Time
• HID Maxiprox 5375 long-range reader
• Reads ProxCards II at ~24 inches
powered with 12V
• Data is output through Wiegand interface
Props to Carl at proxclone.com for this awesome idea
Powerpoint Templates
Page 38
RFID – Protocols
• Wiegand interface connects readers
(RFID and magstripe) to physical security
control backend control systems
• Wiegand has two data wires (Data0 and
Data1) and ground
• No data sent >> Data0 and Data1 is
pulled up to high voltage +5V
• Data sent >> one line is pulled to low
Powerpoint Templates
Page 39
RFID – Protocols (cont.)
• Wiegand data format is 26 bits
• Facility code is 8 bits
• Card number (user ID) is 16 bits
• Parity bit leading and trailing
• Proprietary preamble bits (HID)
Powerpoint Templates
Page 40
RFID – Mod Time
• Add Pro Micro 16Mhz 5V for decoding
Wiegand output from reader
• Add battery pack and SD card module to
save read prox card loot
• Upload code to Pro Micro to read
Wiegand output, decode to binary and
save to SD card
to colligomentis.com for Arduino code bits
Page 41
RFID - FrankenClone
Powerpoint Templates
Page 42
RFID - Demo
• Our friends at airport security do not love
and cherish Frankenclone ...
Powerpoint Templates
Page 43
RFID – Cloning
• FrankenClone read victim cards and the
26-bits required to authenticate to the
• We g0tz an SD card with facility and user
• T55x7 cards to the rescue
• Emulation of most 125Khz RFID tags
possible with T55x7 cards
• 100K+ rewrites after initial programming
•HID preamble bits can be added
Powerpoint Templates
Page 44
RFID – Card Cloning
• Programming T55x7 cards with facility
and user IDs requires a writer
• Roll own or buy one
• Russian options include Keymaster Pro 4
and Proxy Key T5
Powerpoint Templates
Page 45
RFID – Emulation
• Proxmark3 can emulate T55x7 cards
• More phun though is the possibility to
emulate cards and brute force code
• If a facility and user IDs is known then
trying nearby numbers is useful since
employees may have different physical
access rights.
Props to brad antoniewicz at foundstone for proxbrute
Powerpoint Templates
Page 46
RFID – Recipe
• HW: HID Maxiprox, eBay
• HW: Pro Micro 5V 16Mhz,
• HW: SD card module,
• HW: Battery holder, eBay
• HW: Micro USB male connector, eBay
• HW: Wires, eBay
• HW: Rechargeable AA batteries, eBay
• SW: Base Arduino code – tweak it!,
Powerpoint Templates
Page 47
RFID – Recipe (cont.)
• HW: Keymaster Pro RF 4, Google Russia
or Ukraine
• HW: Prox Key T5, Google Russia or
• HW: Proxmark3 eBay or
Powerpoint Templates
Page 48
RFID – Recipe (cont. 2)
• Turn on FrankenClone and throw it in a
• Goto to a lunch area or elevator where
targets hangout and sweep for prox cards
• Use gathered facility and site codes to
clone prox cards with prox card writer and
T55x7 cards
• Take cloned cards and enter facility
• Alternatively use Proxmark3 to emulate
cards and bruteforce ranges to gain access
to additional areas
Powerpoint Templates
Page 49
• What is a KeyLogger?
• Keystroke logging (more often called
keylogging or "keyloggers") is the
action of tracking (or logging) the
keys struck on a keyboard, typically
in a covert manner so that the person
using the keyboard is unaware that
their actions are being monitored.
There are numerous keylogging
methods, ranging from hardware and
-Thanks wikipedia
Powerpoint Templates
Page 50
KeyLoggers - Past
• You need physical access
• You need to plug it to the keyboard
• Usually PS2 or USB
• Sometime the logs are hard to read
• You can’t see the mouse
• You can’t see virtual keyboard
• Software keyloggers
Powerpoint Templates
Page 51
KeyLoggers - Future
• Instead of reading logs, I’ll just see what
you are doing
Powerpoint Templates
Page 52
KeyLoggers - Screens
• Almost any screen could be monitored
• Very simple and easy
• We just need to plug the video and USB
connector and we are ready
Powerpoint Templates
Page 53
KeyLoggers - InSide
• Anyone open their keyboard lately?
• Small things, but still we need space for
• Not that fast installation
• Without
• With
Powerpoint Templates
Page 54
KeyLoggers – InSide
• We need some tools:
• Crimp Connector Housing: 0.1 inch
pitch 1x4
• Female Crimp Pins for 0.1" Housings
• Crimping Tool: 0.1-1.0 mm² Capacity,
16-28 AWG SN-28B
Powerpoint Templates
Page 55
KeyLoggers – InSide
(cont. 2)
• This is an open keyboard with the
Powerpoint Templates
Page 56
KeyLoggers - Serial
• Yes, there are also serial keyloggers
• Printers keyloggers
• Payment devices keyloggers
Powerpoint Templates
Page 57
KeyLoggers - Demo
Powerpoint Templates
Page 58
KeyLoggers - Recipe
• VideoGhost:
• https://www.keelog.com/hardware_
• Plug it between the screen and the
• Plug the USB from the cable to the
Powerpoint Templates
Page 59
KeyLoggers - Recipe
• Keyboard – just a simple one with
enough space
• Open the keyboard
• User guide:
•B K S – the magic letters (change them!)
Powerpoint Templates
Page 60
• Cracking WEP or WPA key >> boring
• Inverse war driving more fun
• Let victims connect and MITM them
• Works well, most people are cheapskates
and love free wifi
• Target rich areas are airports, hotels,
coffee shops and so on
• Also corporate environments that do not
offer wifi for private or guest use
Powerpoint Templates
Page 61
PineApple – History
• 2004 Karma tool Shane Macaulay & Dino
Dai Zovi
• 2008 Karmetasploit HD Moore
• 2008 Jasager on OpenWRT Fon 2100
Robin Wood and Hak5
• Since then many upgrades, tweaks and
• Netbooks with Atheros or Prism54
chipset, Pineapple, Pwnphone etc
Powerpoint Templates
Page 62
PineApple – History
Powerpoint Templates
Page 63
PineApple Laptop Tools
• Laptop with Linux e.g. Ubuntu
• Wifi interface supporting monitor mode
and injection e.g. Atheros
• Aircrack-NG
• DHCP server
• Metasploit framework
• Database backend
• EEE900 with built-in Atheros and Linux
installed one option
Powerpoint Templates
Page 64
PineApple – Standalone
• Alfa AP121U running OpenWRT flashed
with Pineapple mk4 firmware
• Nokia 900 with injection driver and
manually installed tools or Pwnphone
• Legacy – Fonera 2100 with Jasager
• Legacy – Alfa AP51 flashed with
Pineapple mk3
• Roll own using TPLink WR703N
Powerpoint Templates
Page 65
PineApple – UnBricking
• Bricked routers or with no OpenWRT
need to be reflashed
• Always check the MD5 before flashing
• Acquire USB/serial to UART cable for low
level serial firmware flashing
• PL2303 or Silicon Labs CP210x chipset
Powerpoint Templates
Page 66
PineApple – UnBricking
Powerpoint Templates
Page 67
PineApple – UnBricking
(cont. 2)
• Disconnect power on router
• Remove two front rubber feet on bottom
of the router
• Remove two screws and open case
• Connect RX, TX and GND pins on router
to adapter (some cheapskate adapters
may have TX and RX labels flipped)
• Do not connect VDD use the router power
Pic from wifipineapple.com
• Follow steps described at
Powerpoint Templates
Page 68
PineApple – Web Gui
Powerpoint Templates
Page 69
PineApple – Weaponized
Powerpoint Templates
Page 70
PineApple – Luvz Hak5
NOT !!!
• Haha Shannon, haha
Powerpoint Templates
Page 71
PineApple - Demo
Powerpoint Templates
Page 72
PineApple - Recipe
• HW: Alfa Hornet AP121U w/ OpenWRT
• HW: USB to UART TTL adapter PL2303 or
CP210x chipset on eBay e.g.
• HW: Rechargable battery pack 12V e.g.
Astro3 Anker 10000mAh on Amazon
• SW: Wifipineapple.com
Powerpoint Templates
Page 73
PineApple – Recipe
• HW+SW: Alternatively get small
notebook with Atheros chipset e.g. Asus
EEE900 on eBay
• HW+SW: Alternatively get Nokia N900 on
eBay and load PwnPhone community
ity-downloads or install tools manually
with package manager
Powerpoint Templates
Page 74
PineApple – Recipe
(cont. 2)
• Attach Pineapple to battery pack, add
USB storage and swap space
• Enable Karma mode, connect Pineapple
to Linux machine with Internet access
(wifi or 3G) and share it with Pineapple
• Run SSLstrip or make a nice phishing
page tailored for your main target or code
evil java script injection payload
• Goto an airport, hotel or coffee shop
where your targets hangout and free wifi
is scarce
• Rape and pillage target with MITM
Powerpoint Templates
Page 75
To Wrap It All Up
• Hardware hacking is phun
• You don’t need to have tons of $$$ to use
• It gets simpler and simpler
• Build hardware tools and pwn stuff
Powerpoint Templates
Page 76
# E [0] F #
Yaniv Miron aka Lament
ymt [at] fortconsult.net (work)
lament [at] ilhack.org (private)
mc [at] fortconsult.net (work)
Powerpoint Templates
Page 77
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF