1 / 37

UPS

UPS. The Undetectable Packet Sniffer. Introducing the TVSG Dev Team. AutoNiN – Software, Team Lead Spyder~1 – Hardware Mystic – Integration JustaBill – Organization. Concept. Place a stealthed hostile packet sniffer on a victim network. Physical concealment

Download Presentation

UPS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. UPS The Undetectable Packet Sniffer

  2. Introducing the TVSG Dev Team • AutoNiN – Software, Team Lead • Spyder~1 – Hardware • Mystic – Integration • JustaBill – Organization

  3. Concept Place a stealthed hostile packet sniffer on a victim network. Physical concealment is to hide in plain sight - posing as an Uninterruptible Power Supply (UPS). Network concealment involves clandestine exfiltration methods like Auto-IP Detection and encrypted UDP tunneling.

  4. Caveat - Prototype • Unit presented today is a prototype (mk II) unit demonstrating basic concepts. Unit is really not "Undetectable" but should be difficult to detect, even in its nascent state. • Additional hardware and software features are being researched to further decrease detectibility and increase attack effectiveness.

  5. Undetectable? • Not really… • Takes advantage of today’s overworked, under-resourced, over-managed and under-trained Information Technology staff • Completely blocked by proxies (but we’ll fix that soon enough!)

  6. Overview • Introduction • Integration • Hardware • Software • Practical Demonstration • Questions & Answers

  7. Integration • Overarching Goal – Stealth: • Tried to maintain 'Stock' look as much as possible.

  8. Hardware Requirements • 486 or Higher CPU • 64Mb or More RAM • 1Gb or More Hard Drive • No moving parts • Small form factor • Integrated network • Most Important: Cheap!

  9. System Components • UPS Chassis • Power Supply • Embedded Computer • Network Hub

  10. Physical Components Embedded PC Power Supply 110v AC Chassis RJ-45’s Hub Ethernet 5v DC In Out

  11. UPS Chassis • Tried several UPS Chassis before we found one that worked well

  12. Power Supply • Needed to convert the 110v AC provided by the wall to 3.3v, 5v, and/or 12v DC needed by the other components in the system. Most UPS power supplies are trickle-charge systems that cannot produce enough power to run our covert system.

  13. Variety of Embedded Systems • Older, Slower, Larger Systems are the Cheapest • Popular Embedded Manufacturers: • http://www.advantech.com • http://www.kontron.com • http://www.ampro.com • http://www.emj.com

  14. Our Selected Mainboard: • Kontron's Coolmonster: • Pentium-166 with passive cooling heatsink • 128MB PC-100 SDRAM • 44-Pin IDE Channel for temporary CD-ROM Drive • 40-Pin IDE Channel for 2.5" 2GB Laptop Hard Drive • Single 10/100 Ethernet port • PS/2 Keyboard & Mouse ports, VGA Port • PISA Interface (bus expansion)

  15. Network Hub Our embedded system had only 1 Ethernet port, so we could not bridge two interfaces together. For simplicity's sake, we ripped a 10/100 hub out of its case and placed it inside ours. Runs off 5v DC, just like the embedded PC.

  16. Network Connections • Repeater hub connected to both wall and client RJ45 jacks. Embedded PC also connected to hub. • Good: Client can still access network even if UPS is booting or down • Bad: Can't do Proxy-ARP attacks, client sees all UPS traffic • Ugly: Either way, client gets Ethernet 'Link' from the UPS, which is odd

  17. Software • OS is Redhat 7.2 patched & stripped • Custom Perl and Shell Scripts • Additional Malware added: • NetCat by Hobbit & Weld • dSniff by Dug Song • Nmap by Fyodor • thcrut by The Hacker’s Choice

  18. Malware Installation - NetCat • Many thanks to Hobbit & Weld for this incredibly versatile tool. • Used for UPS <-> Listening Post Communications. • Default configuration sends it over UDP port 53 to exploit firewall rules that permit outbound DNS queries from desktop clients. http://freshmeat.net/projects/netcat/?topic_id=150

  19. Issues - UDP/53 Tunneling • Modern IDS/IDP systems can detect UDP tunneling • Layer 7-Aware sniffers can detect that while the traffic is going over UDP/53, the payload is decidedly not DNS

  20. Tunneling Alternatives • Simple Port 80/HTTP Tunneling • Mask UPS requests in HTTP URL's • LP replies in HTML WebPages • Advanced DNS Tunneling • Mask UPS requests in DNS requests • LP replies in DNS replies

  21. Malware Installation - DSniff • Many thanks to Dug Song for his excellent suite of Sniff/Snarf/Spy tools. • Minor tweak in the makefile for the Berkeley DB path and we were set! http://www.monkey.org/~dugsong/dsniff/

  22. What We Used - DSniff • macof - MAC address flooder - stuffs CAM table • dsniff - Cleartext authentication extractor • filesnarf - NFS interceptor • mailsnarf - Email interceptor • urlsnarf - URL interceptor • msgsnarf - Instant Messenger interceptor

  23. Malware Installation - Nmap Thanks Fyodor, you rock! • Comes as an RPM with Redhat 7.2, no installation really necessary • Awesome portscanning/host locating tool, used to detect permitted connectivity outbound through victim firewall http://www.insecure.org/nmap/

  24. Custom Scripts • A variety of Perl scripts were developed to handle UPS <-> Listening Post communications, command and control, including IP Address Mode, Active Scan Commands and Exfiltration Methods. http://www.tvsg.org/ups

  25. Custom Scripts ups.pl - Master Control Script • Started as a service on UPS boot time and health checked by a cron job, this script is responsible for monitoring UPS-specific processes and initiating connections to the command queue server.

  26. UPS Process Flow Load Config Configure Network Auto-Identify Network (if Configured) Confirm Network Confirm/Update System Settings Contact Listening Post Get Commands Process Commands

  27. IP Modes 4 Different Methods of Configuring IP: 1. No IP Mode (Dumb Sniffer) 2. Fixed IP Mode (Good for Testing) 3. DHCP Mode (Not very Stealthy!) 4. Stealth IP Mode (Auto-find Subnet/Gateway)

  28. Custom Scripts netsnarf.pl • Required for IP Mode 4 – automatic network discovery • Watches the network for ARP requests and replies for network information to determine local network topography • Uses The Hacker’s Choice “R U There” (thcrut) to ARP scan IP’s on the same layer 2 segment

  29. Custom Scripts netcheck.pl • Uses nmap and host to probe Internet targets to verify external connectivity. • Nmap 3 popular websites (HTTP) • Unix ‘host’ command to 3 DNS Root Servers • Nmap to Listening Post on UDP/53

  30. Custom Scripts Various Shell Scripts • Other scripts for UPS process management, task automation, and other cool stuff...

  31. Command and Control Internet LP UDP/53 NAT/Firewall Corporate Network TCP/22 (SSH) TCP/80 Attacker UPS

  32. Custom Scripts client.pl & server.pl • Remote command fetch system with DES encryption, randomly generated keys, and pre-shared key system. • Client connects at intervals controlled by the master control script to Server to check command queue for changes in configured behavior.

  33. UPS Connectivity 2 Different Methods of Communicating: 1. UDP/53 (looks like DNS) beacon to config server 2. TCP/80 (looks like HTTP) reverse shell to LP

  34. Demonstration • Our demonstration will place the UPS behind a NAT device along with a victim PC • We will place a Listening Post outside the NAT and command our unit to monitor the user • We will then exfiltrate the captured data to the LP

  35. Victim Demonstration Lab Server External Network LP Server NAT/Firewall Attacker Internal Network UPS Username: Loser Password: password Username: Loser Password: password Email Data: Subject: Watch out for hackers!

  36. How to Defeat? • Inspect all items entering the premises • Deny clients direct outward access (DNS, HTTP, ICMP, etc) • Require the use of internal servers for all services – HTTP, DNS, Mail, etc. • Use encrypted services like SSH, HTTPS, POP3S, SMTPS, or even IPSEC for internal as well as external traffic.

  37. Questions? • Thanks for Attending…

More Related