Embed Size (px)
Citation preview
HiddenNetwork:DetectingHiddenNetworkscreatedwithUSBDevices
ChemaAlonso:[email protected]
PabloGonzálezPérez:[email protected]éRamírezVicente:[email protected]
ExecutiveSummaryMany companies and government agencies today have communications isolatednetworks orwith data flow restricted through different networks. These computersnetworks are created for particular situations, as these can be very special or havecritical information such as, factory control system, highly-secured environments forprocessing of certain data, or networks complyingwith a safety standard. In recentCyber-securityhistory, ithasbeenprovenhowthismalicioussoftwarecalledStuxnetinfiltrated into an isolated network at aNuclear Power Plant. In light of this fact, itcouldbeseenthathavingacomputersnetworknotconnectedthroughEthernetcableor WiFi to other networks is not enough. Any type of external connection forcomputersmayconstituteathreat.Thispaperreflectsthepossibilitiesprovidedbytheso-calledHiddenNetworkandhowthesecanbeidentifiedandfocusedonprotectionoftheseissuesinsideacorporatenetwork.
1.TherisksoftheconnectionsRegardingthesafetyofdatanetworks,thereisatrendtosketchnetworksthroughtheconnectionsatlinkslevel,suchasEthernet,WiFiconnections,etc.Corporatenetworksare much more complex than this and they require analysis from differentperspectives.The traffic analysis on a corporate data network is the major tool provided tounderstandwhat isgoingonwith it. Inaddition, it is themoreconsistentoption forsearchingnetworknodesseizingthemostusedprotocols,whicharenodesconformedby the most essential services or those who act as bottlenecks. Given thesestatements,itcanbeextrapolatedthatarisks-basednetworkanalysisprovidesagreatdealofdataandinformationbasedondifferentguidelines.Mapping a network in an aestheticallymanner is right for understanding the nodesand network settings, therefore, a telemetry analysis is critical to contain and bepreparedforsuchhazards.Duetothesedealofdata,wecanachieveagreaterlevelofunderstandingregardingthenetworkandthethreatsinsideit.
Figure1:AnetworkmapsimulationwithdifferentnodesandconnectionsbetweenthemNodesrepresentationandconnectionstructuresarevitaltocomprehendalldifferentborders inside the network in order to mitigate intrusions, detecting attacks, orpreventivelycarryouttheimplementationofsafetymeasures.Theproblemismoreacaseofunderstandingthatthisisanetwork.Inmanycases,anetwork is defined as a group of computers connected with the possibility tocommunicatewith each other across different technologies and protocols. Onmostoccasions,usersorsystemandnetworkadministratorsconsideragoodthinghavinganetwork connected through Ethernet orWiFi connection on different organizationcomputers.Thisisnotthecasehere,asoneorganizationnotimplementingpreventionmeasures regarding the use of USB devices, may enforce what is known asHidden
Networks. These networks are created through the use of USB devices and allowcommunicationbetweenphysicallyorlogicallyisolatedcomputers.
1.1. NetworkIsolationandUSBConnectionTo understand the hazards about Hidden Networks, which are created from USBdevices,hereisasimpleexample.Assuminganorganizationhaveanetworkformedby3typesofVLANs.ThefirstVLANcontains:
• AcomputercalledA.ThiscomputerhasconnectivitywithotherscomputersofthesameVLAN.
• AcomputercalledB.ThiscomputerhasconnectivitywithotherscomputersofthesameVLAN.
ThesecondVLANcontains:
• AcomputercalledC.ThiscomputerhasconnectivitywithotherscomputersofthesameVLAN.
• AcomputercalledD.ThiscomputerhasconnectivitywithotherscomputersofthesameVLAN.
• AcomputercalledE.ThiscomputerhasconnectivitywithotherscomputersofthesameVLAN.
ThethirdVLANcontains:
• AcomputercalledF.ThiscomputerhasconnectivitywithotherscomputersofthesameVLAN.
Ifweobservethenetworksoutlineonthe imagebelow,wecanseehowcomputersare isolated through different VLANs. Assuming employees of this organizationexchangedatabymeansofUSBdevices,thereisahighprobabilityforthisinformationtopassfromoneVLAN’scomputertoanother.AddingtheUSBdeviceisitselfasourceofthreats,ahiddennetworkisbeingcreatedinsidetheorganization.
Figure2:NetworkoutlinewithcomputersconnectedtodifferentVLANsAssumingthatusersofcomputersFandEareexchanginginformationthroughaUSBdevice,ahiddennetworkisbeingcreatedbetweenbothcomputers.Thisinformationcan be represented with two nodes, E and F , and an arc projected between thecomputerfirstintroducedtheUSBdeviceandthesecondcomputer.
Figure3:Hiddennetworkoverlappingonthepreviousnetworkoutline
2. USBDeviceConnectionsintheComputerSystemWhenaUSBdeviceisconnectedfromonecomputertoanother,theterm“Pollination”emerge. This concept is similar to the one used on other areas and is relatedwithcarrying the threat or risk from one USB device among different computers, evenwhentheseareconnectedtodifferentnetworks.WhenauserconnectsaUSBdevice,aseriesofentriesarecreatedinthesystemoftheWindows registry. This type of information is valuable, for example, in a forensicanalysis,inordertoknowwheretheinformationleakagecomesfromorwheredidthethreatenterinaPost-Mortem.TheUSBStorkeycreatedintheWindowssystemregistrysaveinformationregardingalldifferent devices inserted in the computer. If USB N devices were inserted in a Ncomputer, such N devices will be found at theUSBStor key, which contains all theinformationneededtoidentifythedevice.
Figure4:RegistryvisualizationoftheUSBdevicesinsertedThe following information can be collected from USB devices connected to onecomputer:
• Devicename.• Class.• ClassGUID.• HardwareID.• Serviceprovidedbythedevice,e.g.aharddisk.• Driver.• Etc.
2.1. HiddenLinks:DetectionofTheseKindofNetworksBy knowing where and how the information of one USB device is stored within aMicrosoftoperativesystem,youcouldknowwhoissharingtheUSBdevice,andwithwhom.Inthisway,wecangeneratetwonodesrepresentingtwocomputersandonearc which identifies the connection between both computers. A hidden network isbeing uncovered thanks to the Hidden Link. Besides, you can identify in whichcomputerwasconnectedapriori,asaresultofthemanyeventsthatcanbeobtainedfromanoperativesystem.Thisishowthearcbetweennodesisdirected.ToperformanautomationoftheHiddenLinksdetection,thefollowingplanhasbeenproposed:
Figure5:ScriptreleasediagraminanAD(ActiveDirectory)Intheaboveimage, itcanbeseenhowtheapplication isexecutedinacentralnodeand how this is able to use severalMicrosoft technologies to execute commands ineachof the computerswithin thedomain.Theexamined technologies,which fit thesolutiondesignareasfollows:
• WinRM.• SMB(ServerMessageBlock).• WMI.
Powershellisanobject-orientedcommandlinefromMicrosoft,whichhasasimpleandpowerfulinteractionwithanystructureinsideaMicrosoftoperativesystem.
Figure6:CollectionofUSBdevicesconnectedtoPowershell
2.2. USBHiddenNetworksforWinRMThe script WinRM version in PowerShell requires the activation of the WindowsRemote Management (WinRM) service in each of the network computers to beaudited:
Figure7:WinRMServiceFurthermore, the script has been testedon a single-Domain networkwith anActiveDirectory (AD) to automate the information collection asmuch as possible. Domainadministratorcredentialsareusedtoapproveexecutiononremotecomputersinthelocalnetwork.Credentialswillberequiredwhenexecutingthescript.
Figure8:Credentialsrequirementregardingthescriptusage
The script primary implementation is performed through the“LaunchUSBHiddenNetworks.ps1”program, which connects remote computers usingthe script known as “RecollectUSB.ps1”, which is passed as parameter to collectinformationfromUSBdevices.Thus,thescriptshallbeexecutedindividuallyineachofthecomputersassigned.2.2.1. Script:LaunchUSBHiddenNetworksThe execution of this command is based on the PowerShell’s command “Invoke-Command”.ThiscommandallowstoconnectwithacomputerinthenetworkpassingtheFQDN, computernameor IPaddressasparameters,andon theotherhand, thescriptofPoweShelltobeexecuted:$salida=invoke-command -ComputerName (Get-Content servers.txt) -FilePath 'PathToScript\RecollectUSBData.ps1'-Credential testdomain\administrador With the –ComputerName parameter, the name of computer(s) to be audited isassigned inside our AD. It is possible to directly introduce the name of computersfollowed by commas, but in this case, a TXT (servers.txt) file with a list of thecomputershasbeenusedandpassedasparameter.The -FilePath parameter assign the path for the script on PowerShell that will beperforming the data collection. Finally, the–Credentialparameter allows the use ofdomain administrator credentials to approve the execution of remote computer, inwhichcase,domainis“testdomain”anduser“administrator”.Theoutcomeoftherunisstoredintheobject$salida.TheinformationretrievedwillbestoredlikewiseinaCSVfilecalled“USBDATA.csv”asfollows:$salida | Out-File USBDATA.csv TheformattingofCSVfilehasthefollowingstructureafterrunningthescript:Nameofthecomputer,IP(onIPv4format),USBname,ID(uniqueidentifier)
Figure9:ResultsobtainedinCSVformatWith this information, we could create a graph like the one shown belowwith theGephiapplication:
Figure9:GraphrepresentinghiddenconnectionsofUSBdevicesinanetwork2.2.2. Script:RecollectUSBDataThis script is responsible for gathering all information referring the USB devicesconnectedtothecomputeranditrunslocallyinthecomputerstobeaudited.ThedataisretrievedfromaparticularbranchoftheWindowsregistry.$USBDevices = @() $USBContainerID = @() $USBComputerName = @() $USBComputerIP = @() $SubKeys2 = @() $USBSTORSubKeys1 = @() The matrixes, where information related to the audited computer is going to bestored, and for thedata referred toUSBdevices stored in the registry or thatwereconnectedatsomepointintimetothecomputer,arelaunched.$Hive = "LocalMachine" $Key = "SYSTEM\CurrentControlSet\Enum\USBSTOR" $Hiveand$Keystorethecompletepathfortheregistrybranchwherethedatasearchrelated toUSBdevices is takingplace.Thevariable$Hivewith“LocalMachine”valueequalstoHKLMorHKEY_LOCAL_MACHINE.$ComputerName = $Env:COMPUTERNAME $ComputerIP = $localIpAddress=((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
The name of local computer is stored, as well as the IP address and variables$ComputerNameand$ComputerIP.$Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($Hive,$Computer) $USBSTORKey = $Reg.OpenSubKey($Key) $nop=$false On$Reg object, the registry query is run using the commandOpenRemoteBaseKey,using variables$Hive y$Computer as parameters, which establish the branch to beconsulted.Thevariable$nopwillbeusedlatertocontroltheexecutionflow.Try { $USBSTORSubKeys1 = $USBSTORKey.GetSubKeyNames() } Catch { Write-Host "Computer: ",$ComputerName -foregroundcolor "white" -backgroundcolor "red" Write-Host "No USB data found" $nop=$true } The Try – Cath block is responsible for managing errors in case no informationregarding USB devices can be found. If no information is found, the value $true isassigned to the $nop variable in order to avoid execution of the whole process ofidentificationandretrievingofUSBdevicedata.if(-Not $nop) In case there is any entry associatedwith theUSB device connection,$nop a$truevariable,thefollowingblockswillberun:Block1:ForEach($SubKey1 in $USBSTORSubKeys1) { $Key2 = "SYSTEM\CurrentControlSet\Enum\USBSTOR\$SubKey1" $RegSubKey2 = $Reg.OpenSubKey($Key2) $SubkeyName2 = $RegSubKey2.GetSubKeyNames() $Subkeys2 += "$Key2\$SubKeyName2" $RegSubKey2.Close() } EachoftheexistingitemsintheregistrybranchwherethesearchistakingplaceisadifferentUSBdevice.Eachitemisstoredinthematrix@Subkeys2.Block2:ForEach($Subkey2 in $Subkeys2) { $USBKey = $Reg.OpenSubKey($Subkey2) $USBDevice = $USBKey.GetValue('FriendlyName')
$USBContainerID = $USBKey.GetValue('ContainerID') If($USBDevice) { $USBDevices += New-Object -TypeName PSObject -Property @{ USBDevice = $USBDevice USBContainerID = $USBContainerID USBComputerName= $ComputerName ComputerIP = $ComputerIP } } $USBKey.Close() } ThisblockexploreeveryUSBdevicepreviouslyidentifiedintheBlock1andstoredatthe@Subkeys2matrix.Foreveryitemhavingavalueatthe$USBDevicefield,theUSBdevice ID is being retrieved; USBContainerID. The name and IP address of thecomputeritisalsoassignedinordertoaddthislatertotheoutputCSVfile.
Figure10:RegistrybranchwheretheUSBdevicesareBlock3:for ($i=0; $i -lt $USBDevices.length; $i++) { $IDUnico=$USBDevices[$i] | Select -ExpandProperty "USBContainerID" $USBNombre=$USBDevices[$i] | Select -ExpandProperty "USBDevice" Write-Host "Computer: ",$ComputerName -foregroundcolor "black" -backgroundcolor "green" Write-Host "IP: ",$ComputerIP
Write-Host "USB found: ",$USBNombre Write-Host "USB ID: ",$IDUnico Echo "$ComputerName,$ComputerIP,$USBNombre,$IDUnico" } Finally,thisblockdisplayspertinentinformationobtainedfromtheremotecomputer.TheWrite-Hostprintcommandisusedontheserverscreen,wherethescriptwasrun.TheEchocommandisusedasdataoutputtosubsequentlywritethedataintheCSVfile.
Figure11:Outputafterthescriptrunning
2.3. USBHiddenNetworksforSMBconPSExecInordertorunthescriptthroughSMB,itwillbenecessarytohavePSToolspreviouslyinstalled,specificallytoexecutethePSExeccommandinthecomputerstobechecked.TheoperatingphilosophywillbepracticallythesameoftheWinRMversion.Itwillbeconnectedfromtheservertotheremotecomputerandthescriptshouldberunfromtheserverwithdomainadministratoraccount,thentheUSBdatacollectionscriptwillbeexecuted.The main script LaunchUSBHiddenNetworks.ps1 will have a few modifications to fitwith this new type of connection. The primary modification is that this time, thecommand Invoke-Command is not used to remotely run the script. A shell fromPowershellwillnowbeopened,andthescriptshouldberunfromit.Thescriptwillbedownloaded from the network location, preferably from a web server that wouldexecute download through some HTTP protocol. In this way, subsequent problemswithexecutionpolicyandpermits,whichyoumay findbyaccessing the local sharedresource,areavoided.Similar to the previous version ofWinRM, results should be stored in a CSV file. Toavoidsynchronizationproblemsandallowtimefortheprogramtorunontheremotecomputer,somedelayshavebeenincludedasdescribedinthecodeanalysisbelow:
2.3.1. Script:LaunchUSBHiddenNetworks$computers = gc "C:\scripts\HiddenNetworks\PSExec\USBHiddenNetworks_for_SMB\servers.txt" $url = "http://192.168.1.14/test/RecollectUSBData.ps1" $sincro = 40Severalvariablesareassigned.ThematrixwheretheservernamesorIPaddresseswillbe stored, $computers, which are at the servers.txt file, the $url variable showingwherethescriptRecollectUSBData.ps1isand,ultimately,thewaitingtimetosynctheoperation. It should also be taken into consideration that this number may varydependingontheenvironmentwherethescriptisrun.Thefollowingisanexampleofexecution:
Figure12:PowershellandscriptrunningthroughthePSEXECtool.Theservers.txtfilewillhavethecomputersnamesordirectlytheIPaddressesstoredaswecanseebelow:
Figure13:Listofcomputerstobeanalyzedforeach ($computer in $computers) { $Process = [Diagnostics.Process]::Start("cmd.exe","/c psexec.exe \\$computer powershell.exe -C IEX (New-Object Net.Webclient).Downloadstring('$url') >> C:\scripts\HiddenNetworks\PSExec\USBHiddenNetworks_for_SMB\ usbdata.csv") $id = $Process.Id sleep $sincro
Write-Host "Process created. Process id is $id" taskkill.exe /PID $id } In this loop,eachof thecomputers tobeanalyzed ischecked,whichalsohavebeenloadedwith$computersvariablesfromtheservers.txtfile.Theexecutionmainbodyisfocused intheobject$Process. In it,aremotecomputerconsole isopened,which inturn will launch other Powershell console, passing the file RecollectUSBData.ps1 asparameter,whichisatthelocationdesignatedbythe$urlvariable. Iscriticaltohaveproperlyconfiguredthelocationpathsforeachofthefilesbeforerunningthescript.Beforemovingontothefollowingcomputerinthelist,itwillbenecessarytobesureaboutterminationoftheinformationcollectionprocess.Thereareseveralmannerstooptimizethisoperation,butinthisillustrationthechoiceissimplyaddinganXsecondsdelaybetweeneachrunningbymeansofthesleepcommand.Oncethedatacollectionof thecomputertobeaudited is terminated,weerasetheexecutionprocessbeforemovingon to thenextwith taskkill command. For informationpurposes, the IDandresultofthisoperationisscreen-printed,aspicturedinthefollowingsnapshot:
Figure14:ScriptrunninginPowershell2.3.2. Script:RecollectUSBDataThis script has only beenmodified at the last block (Block 3) in order to adapt theoutputtothenewexecutiontype.Ascanbeseeninthecodeshownbelow,commandEchohasbeenreplacedforaWrite-Hostwithvariables,eliminatingthescreenoutput: for ($i=0; $i -lt $USBDevices.length; $i++) { $IDUnico=$USBDevices[$i] | Select -ExpandProperty "USBContainerID" $USBNombre=$USBDevices[$i] | Select -ExpandProperty "USBDevice" Write-Host "$ComputerName,$ComputerIP,$USBNombre,$IDUnico" } ThegeneratedUSBData.CSVfilewillbeexactlythesameastheonepreviouslyshown.2.4. HistoricalInformation It is also possible to get the registration of the dates of first connection in thecomputer, in caseweneedmore information regarding the routeof theUSBdevice
inside the HiddenNetwork. At the event log, the branch capable of offering moreinformationisdisabledbydefaultinallWindowsversions.Suchbranchisasfollows:Windows Logs ->ApplicationsandServices Logs ->Windows ->DriverFrameworks-UserMode->OperationalThus,thewayweobtainthefirstconnectiondateoftheUSBdeviceinthecomputer,withoutaccessing thecomputerassessment, isbyanalyzing the following fileonthesystem:C:\Windows\inf\setuoapi.dev.logWithinthisfile,thetimeoffirstconnection,amongotherdata,hasbeenrecorded.ToproperlylocatetheUSBdeviceinserted,itwillbenecessarytostoreanewvaluewhilerunningthe“RecollectUSBData.ps1”script,andthisfieldvaluewouldbeDiskID:
Figure15:DiskIDkeysearchThis value is unique within the current Windows system, but it changes whenconnectedtoanothercomputer,unlikeContainerIdfield,whichisthesameoneachoftheWindows computers. TheUSB canbe identified inside the setupoapi.dev.log filewiththisvalue.Intheillustrationbelow,itslocationcanbeshownbyusingtheDiskIDandthedateoffirstinsertionwithintheauditedsystem:
Figure16:ObtainingtheconnectiondateoftheUSBdevice
2.5. HiddenLinksinOSXOn computer systems runningMacOS X ormacOS, theses have a file with a PLISTextension, which store this information over the USB devices connected to thecomputer. The file is named com.apple.finder.plist. On image below, an example ofinformationcaptureinOSXormacOSenvironmentscanbeseen.
Figure17:DatacollectioninUSBdevicesconnectedtoOSXsystems
2.6. MitigationOnewaytopreventthis“Pollination”betweencomputersinacorporatenetworkistorestrict the use of USB devices in computers.Mitigation or prevention through theforced use due to Active Directory policies, which restrict connection in a usercomputer to devices only approved by one user. The implementation of the safetypolicy alongwith awhite list of approveddevices for eachuser allows to avoid thiskindofHiddenLinks,butitiscomplexandexpensivetomaintain.
Figure18:TheuseoftheUSBdeviceisforbiddenonthiscomputerduetocompanypolicy
3. ConclusionsBeyond the possible leakage of corporate information, a Hidden Network is also aproblem for our computer’s integrity. Such USB devices may spread a malwaretowardsdifferent sectionswithin the infrastructure,where, in theory, the security ishigher. Having networks disconnected from the Internet provides this false securityfeelingregardingahigherlevelofprotectionbeforeanyincident,whichincreasesthesystemvulnerability.ThemalwareinfectionthroughUSBdevicesisarealandunderlyingproblem,notonlyregarding the historic Stuxnet case, but with others of greatest relevance such asBrutalKangaroousedbytheCIA.Due to the major impact such infections and information leakage may have in ourinfrastructure,wehavecreatedthispapertohelpinidentifyingthesehiddennetworksandtoofferatoolfortheircontrol.Thus,itwillbeeasiertopreventincidentsandalsotoprovideautilitycontainingusefulinformationforforensicanalysiscases. Referenceshttp://www.elladodelmal.com/2014/02/como-localizar-los-hidden-links-de-las.htmlhttp://www.elladodelmal.com/2017/06/script-powershell-winrm-para-descubrir.htmlhttps://blogs.technet.microsoft.com/heyscriptingguy/2012/05/18/use-powershell-to-find-the-history-of-usb-flash-drive-usage/http://www.elladodelmal.com/2017/06/brutal-kangaroo-y-la-infeccion-por-usb.html
https://github.com/ElevenPaths/USBHiddenNetworks
