The goal of the workshop is to provide a hands-on introduction to key pen-testing tools and concepts that white-hat and black-hat hackers utilize to find and exploit vulnerabilities in real-world embedded devices.
3. About Dark Labs
BoozAllen Dark Labs is an elite team of security researchers,
penetration testers, reverse engineers, network
analysts, and data scientists, dedicated to stopping
cyber attacks before they occur.1
(1 http://darklabs.bah.com)
4. I. Motivation: Ubiquity of embedded devices
II. Objectives ofWorkshop
III. WorkshopOverview
IV. TheWorkshop: Hacking a consumer router
Session I: Obtaining Initial Remote Access
Session II: Exploitation
Session III: pwnage
V. Conclusion
Outline
5. Motivation
Ubiquity of Embedded Devices
Critical Infrastructure
(Nuclear Power Plant)
Life Critical Systems
(Pace Maker)
Financial Infrastructure
(Banking & Investing)
Internet ofThings (IoT)
(IoT Gadgets)
Commercial Products
(Network Switch)
Transportation Systems
(Jeep)
9. Objectives of Workshop
Explore practical applications of reverse engineering
Discuss concepts/techniques that hackers utilize to uncover
vulns in real-world embedded devices.
Provide a hands-on introduction to key pen-testing tools
10. Workshop Overview
Want to understand the process of hacking/ pentesting a
sophisticated embedded system such as a car?
11. Workshop Overview
A first step is to first learn how to hack a consumer router
Why?
Its cheaper, so if you make a mistake and brick it, you won’t be
out of +60k
Although a simpler system and easier target, the core
pentesting principles and processes are similar
12. Workshop Overview
We’ll focus on a Belkin router (F5D7234-4 version 5)
Its pretty cheap (<$20) and is a pretty soft target that is
suitable for individuals new to embedded hacking
13. Workshop Overview
Overall Hacking Objective:
Compromise an initial target (e.g wifi router) and then use that
target as leverage to compromise other targets
14. Workshop Overview
Steps to Achieve Hacking Objective:
1) Obtain Initial remote access to the device
Wifi Router Context: This means the ability to connect to its
network, which often requires knowledge of the wpa password
15. Workshop Overview
Steps to Achieve Hacking Objective:
2) Escalate privileges on device to admin/root
Wifi Router Context: Administrative privileges can allow us to
control/manipulate the IP traffic of clients connected to device
16. Workshop Overview
Steps to Achieve Hacking Objective:
3) Exploit privileges to compromise other devices
Wifi Router Context: Send clients malicious IP traffic that allows
us to compromise them also
17. Router Exploitation Example (via Redirection Attack)
Step 1: Hacker gains remote access to router
Step 2: Elevates privileges to admin
Step 3: Changes DNS settings on router
Step 4: Router now talks to hacker’s server to resolve name address
Step 5: www.cnn.com now resolves to an IP address of hacker’s server
Step 6: Hacker provides malicious traffic to devices on the network
Step 7:
17
WorkshopOverview
Pwned
18. WorkshopOverview
The workshop will be organized into three sessions that
capture the pen-testing phases of going from discovery to
p0wnage
Session I: Discovery of a vulnerability in theWPS
implementation to obtain initial access on device
Session II: Exploring weaknesses in the web management
interface to gain administrative access
Session III: Development of a proof of concept that
demonstrates how aWindows 7 user can be p0wned via web
browser with a maliciously configured router
19. Router Exploitation Example (via Redirection Attack)
Step 1: Hacker gains remote access to router
Step 2: Elevates privileges to admin
Step 3: Changes DNS settings on router
Step 4: Router now talks to hacker’s server to resolve name address
Step 5: www.cnn.com now resolves to an IP address of hacker’s server
Step 6: Hacker provides malicious traffic to devices on the network
Step 7:
19
WorkshopOverview
Pwned
Session I
20. Router Exploitation Example (via Redirection Attack)
Step 1: Hacker gains remote access to router
Step 2: Elevates privileges to admin
Step 3: Changes DNS settings on router
Step 4: Router now talks to hacker’s server to resolve name address
Step 5: www.cnn.com now resolves to an IP address of hacker’s server
Step 6: Hacker provides malicious traffic to devices on the network
Step 7:
20
WorkshopOverview
Pwned
Session II
21. Router Exploitation Example (via Redirection Attack)
Step 1: Hacker gains remote access to router
Step 2: Elevates privileges to admin
Step 3: Changes DNS settings on router
Step 4: Router now talks to hacker’s server to resolve name address
Step 5: www.cnn.com now resolves to an IP address of hacker’s server
Step 6: Hacker provides malicious traffic to devices on the network
Step 7:
21
WorkshopOverview
Pwned
Session
III
24. Session I: Outline
I. Overview
II. Background
III. Required Material
IV. Lab 1: Firmware Data Extraction with Binwalk
V. Lab 2: Reversing/Bug Hunting with IDA Pro
VI. Lab 3: Obtain Initial Access with Wireshark & Reaver
25. Session I: Overview (tldr)
WPS pin method is on by default on virtually all consumer routers
Design flaw inWPS allows pin to be brute forced in under 11000
attempts
Once aWPS pin is known, a tool such as Reaver can be utilized to
retrieve the WPA key instantaneously (see next slide)
On some routers (including F5D7234-4), the default pin can be
computed by reverse engineering the pin generation algorithm
26. Session I:The Big Picture
Overall goal is to figure out what the router’s WPA
password is so that we can gain initial access to
router and the connected clients
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
27. Session I:The Big Picture
Overall goal is to figure out what the router’s WPA
password so that we can gain initial access to router
and the connected clients
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 1
28. Session I:The Big Picture
Overall goal is to figure out what the router’s WPA
password so that we can gain initial access to router
and the connected clients
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 2
29. Session I:The Big Picture
Overall goal is to figure out what the router’s WPA
password so that we can gain initial access to router
and the connected clients
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 3
30. End Result: Gain Access to Management Interface
Session I: The Big Picture
31. Router Exploitation Example (via Redirection Attack)
Step 1: Hacker gains remote access to router
Step 2: Elevates privileges to admin
Step 3: Changes DNS settings on router
Step 4: Router now talks to hacker’s server to resolve name address
Step 5: www.cnn.com now resolves to an IP address of hacker’s server
Step 6: Hacker provides malicious traffic to devices on the network
Step 7:
31
Session I:The Big Picture
Pwned
Session I
32. Session I: Outline
I. Overview
II. Background
III. Required Material
IV. Lab 1: Firmware Data Extraction with Binwalk
V. Lab 2: Reversing/Bug Hunting with IDA Pro
VI. Lab 3: Obtain Initial Access with Wireshark & Reaver
33. Session I: Background
1. WPS Design Flaw Explained
2. Exploiting Belkin’s PIN Generation Algorithm
3. IDA Pro
34. Background:WPS Explained
Wi-Fi Protected Setup (WPS) was created byWi-Fi Alliance in 2006
Goal to make it easy for home users to add new devices securely to
network w/o entering long passphrases
One of the modes allowed for user to enter the router’s 8 digit pin
to connect a desired device to network
35. Background:WPS Explained
Design Flaw Explained
WPS has an 8 digit pin numeric pin (0-9)
Number of attempts to bruteforce an 8 digit pin
1 2 3 4 5 6 7 8
108 = 100 million
36. Background:WPS Explained
Design Flaw Explained
The 8th digit pin is a checksum
Number of attempts to bruteforce a 7 digit pin
1 2 3 4 5 6 7 8
107 = 10 million
37. Background:WPS Explained
Design Flaw Explained
Pin split into two groups and a Nack/ack is sent that indicates if the pin
for that group is correct
Number of attempts to bruteforce a 7 digit pin split into groups( 4+ 3)
1 2 3 4 5 6 7 8
104 + 103= 11000
Nack/ Ack Nack/ Ack
38. We could exploit this design flaw for the Belkin
router that we are targeting to obtain pin
However, there is aWPS implementation flaw,
specific to this router, that allows us to get the pin
in 1 try vs 11,000
Background:WPS Explained
39. Background: Belkin Pin Generation Exploit
Pin generation exploit material presented in this workshop is
based on the write-up by Craig @ www.devttys0.com
/DEV/TTYS0 provides excellent material on embedded hacking
in general and router hacking in particular
40. Background: Belkin Pin Generation Exploit
BelkinWPS Pin Algorithm
Note: Serial ID and WLAN MAC can be obtained by sniffing
certain packets that are broadcast by the router
PinGeneration
Algorithm
12345678
Serial ID
WLAN MAC
41. Background: IDA Pro
De facto tool for disassembling, decompiling, and debugging
binaries
Supports a wide array of processor architectures that include the
following:
MIPS
ARM
X86/x64
42. Code Flow of Routine (sub_43A53C)
Background: IDA Pro Features
43. Code Flow of Routine (sub_43A53C)
For loop
Loop back Here
nch taken to
ectively exit
ction if
referenced
ue is ‘0’
44. Background: IDA Pro Features
IDA Scripting support
Supports python scripting, which is known as IDAPython
Provides a power way to add extensive utilities and features to python
Also has a native language, IDC, which is a “C-like” language
45. Decompiling with Hex-Rays (x86,x64, andARM)
Background: IDA Pro Features
47. For more information on IDA, there is a pretty awesome book
written by Chris Eagle
Background: IDA Pro Features
48. Professional Edition : $1500
Pro + Hex-rays decompiler (x86/x64 + ARM): $5500
Freeware version (link)
Very old edition w/o newer features including IDAPython
only x86 disassembler support
Still a good starting point
Background: Acquiring IDA Pro
49. Binary Ninja (link)
License: $99.00 (Personal License)
Up and coming legitimate alternative/competitor to IDA Pro
Supports x86/x64 , ARM, and MIPS
Decompiler support
OS Platforms:Windows, OSX , and Linux
Background: IDA Pro Alternatives
51. I. Overview
II. Background
III. Required Material
IV. Lab 1: Firmware Data Extraction with Binwalk
V. Lab 2: Reversing/Bug Hunting with IDA Pro
VI. Lab 3: Obtain Initial Access with Wireshark & Reaver
Session I: Outline
52. Required Material
Software
Kali LinuxVM 1.X
IDA Pro
Vmware/VirtualBox
Hardware
Belkin F5D7234-4 version 5
Wifi adapter w/ monitor mode
(e.g.TP-LINKTL-WN722N)
54. I. Overview
II. Background
III. Required Material
IV. Big Picture
V. Lab 1: Firmware Data Extraction
VI. Lab 2: Reversing/Bug Hunting with IDA Pro
VII. Lab 3: Obtain Initial Access with Wireshark & Reaver
Session I: Outline
55. Lab 1: Firmware Data Extraction & Analysis
Overall goal is to figure out what the router’s WPA
password is so that we can gain initial access to
router and the connected clients
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 1
56. Lab 1: Firmware Data Extraction & Analysis
Steps for Extraction & Analysis
1. Install squashfs-tools if not installed
2. Perform initial analysis of firmware w/ Binwalk
3. Extract firmware data
4. Explore the squash file system folder
66. Lab 1: Q&A
Why are we using Dlink firmware instead of Belkin?
Dlink has symbols (e.g. function names) which makes it easier to follow for
those newer to reversing
Stripped firmware (i.e. no symbols) can be very difficult and take a substantial
amount of time to reverse
Pin generation algorithm is conceptually similar between the Dlink and Belkin
routers
What is a technique that can be used to help reverse engineer
stripped binaries?
Make use of the debug strings found in binary to build intuition about what a
routine is doing
67. Lab 1: Q&A
How did we know theWPS pin generation logic could be found
at the following location: /sbin/ncc?
Can create an IDAPython script that iterates through the binaries in the
filesystem to search for specific symbols and strings
Strings and symbols of interest could contain “WPS”, “WPS Pin”, “Pin
generation” , etc….
How can the firmware be acquired?
[Easy] Manufacturer’s website
[Difficult] Manual extraction from the device via JTAG or the serial port (see
next 2 slide)
Note: Forge Hackerspace has a workshop on manual firmware extraction !!
71. I. Overview
II. Background
III. Required Material
IV. Lab 1: Firmware Data Extraction with Binwalk
V. Lab 2: Reversing with IDA Pro
VI. Lab 3: Obtain Initial Access with Wireshark & Reaver
Session I: Outline
72. Lab 2: Reversing with IDA Pro
Overall goal is to figure out what the router’s WPA
password is so that we can gain initial access to
router and the connected clients
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 2
73. Description
In this lab, we will take a look at the binary ncc, located in /sbin of the
squash filesystem
Since ncc has quite a bit ofWPS logic, which includes the pin generation
algorithm, we’ll do some exploring
We’ll walk through the process of locating a code segment of interest (wps
algorithm) and illustrate the process of reversing the segment into C code
Lab 2: Reversing with IDA Pro
74. Steps for Bug Hunting and Reversing
1. Load the binary ncc into IDA Pro for analysis
2. Hunt for the pin generation algorithm
3. Analyze the inputs of the algorithm
4. Reverse algorithm segment into C code
Lab 2: Reversing with IDA Pro
75. 1) Load the binary ncc into IDA Pro for
analysis
(Next Slide)
Lab 2: Reversing with IDA Pro (Steps)
80. Load the binary ncc into IDA Pro
1e. Wait for IDA to finish analyzing the binary
81. Load the binary ncc into IDA Pro
1f. IDA indicates auto analysis has been finished
Auto analysis
complete
82. 2) Hunt for the pin generation
algorithm
(Next Slide)
Reversing with IDA Pro (Steps)
83. Hunt for the pin generation algorithm
1a. See if you can find the pin generation routine
84. Hunt for the pin generation algorithm
a. (Hint:What happens when I search for “router” in the Function Window)
Note: Ctrl+F brings up search box
Term “router” entered into the function name
filter
85. a. (Hint:What happens when I search for “router” in the Function Window)
Hunt for the pin generation algorithm
Term “router” entered
into the function
name filter
86. a. (Hint:Try some search terms relevant to the algorithm we’re trying to find)
Try your own search
terms???
Hunt for the pin generation algorithm
87. a. (Try a few more keywords before you go to the next slide!!!)
Try your own
search terms
???
Hunt for the pin generation algorithm
88. Hunt for the pin generation algorithm
b. Let’s try the keyword “default” and see what we get
This looks interesting
89. Hunt for the pin generation algorithm
c. Double click on “get_default_pin”
90. Hunt for the pin generation algorithm
c. (Continued…)
91. 3)Analyzing the pin algorithm in
subroutine get_default_pin
(Next Slide)
Lab 2: Reversing with IDA Pro (Steps)
93. Analyze pin generation algorithm
a. Lets examine possible input sources to algorithm
A call is made to a
sub-routine that
appears to get some
information
Subset of data from
lockAndGetInfo_log
will be formatted as
follows: “%c:%:c%:c%….”
94. Any guesses on what “%c:%c…” might be?
Hunt for the pin generation algorithm
b. Lets take a closer look at the sprintf call
Decompiling by
hand to pseudo C
char buffer [….];
char * data =lockAndGetInfo_log->interesting_data_element
……………………………………
sprintf (buffer, “%c%c:%c%c:%c%c:%c%c:%c%c:%c%c”, data[0], data[1],…,data[11]);
95. Hints
Its 12 characters with a “:” in between each pair of 2 characters
This is a networking device
What is something (e.g. identifier) that each networking devices
typically has that would be a good seed for a pin generation
algorithm?
Hunt for the pin generation algorithm
c. Figure out what type of data could “%c%c…:%c%c” represent
char buffer [….];
char * data =lockAndGetInfo_log->interesting_data_element
……………………………………
sprintf (buffer, “%c%c:%c%c:%c%c:%c%c:%c%c:%c%c”, data[0], data[1],…,data[11]);
96. Answer: MAC address
Unique across all networking devices
12 bytes
Often used in combination with other values to seed various algorithms
Hunt for the pin generation algorithm
c. Figure out what type of data could “%c%c:..:%c%c” represent
char buffer [….];
char * data =lockAndGetInfo_log->interesting_data_element
……………………………………
sprintf (buffer, “%c%c:%c%c:%c%c:%c%c:%c%c:%c%c”, data[0], data[1],…,data[11]);
97. 4) Reverse algorithm segment into C
code
(Next Slide)
Extraction and Analysis (Steps)
98. As we will see, reversing assembly into C can be a tedious
and arduous process
We will reverse the following code segment:
Reverse algorithm segment into C code
a. Reversing an example snippet of code
99. Instruction ‘li’: Loads a constant value into a register
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly Psuedo-C code
v0 = 0x38E38E39
MIPS Instruction ‘li’:
Loads a constant value into a register
Value will be used for future arithmetic operation
100. Instruction ‘li’: Loads a constant value into a register
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly Psuedo-C code
v0 = 0x38E38E39
[hi,lo] = v0*a3
MIPS Instruction ‘multiu’:
Multiply two 32-bit values (e.g. a3 & v0)
Registers `hi’ & ‘lo’ store the resulting 64-bit product
hi (upper 32-bits) lo (lower 32-bits)
64-bit product
101. Instruction ‘li’: Loads a constant value into a register
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly Psuedo-C code
v0 = 0x38E38E39
[hi,lo] = v0*a3
v0 = (v0*a3)>>32; right shift 32
MIPS Instruction ‘mfhi’:
Move value in ‘hi’ register to specified register (e.g. v0)
This is equivalent to right shifting the 64-bit product of
v0 & a3 by 32-bits
102. Instruction ‘li’: Loads a constant value into a register
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly Psuedo-C code
v0 = 0x38E38E39
[hi,lo] = v0*a3
v0 = (v0*a3)>>32; right shift 32
v0 = v0 >> 1;
= ((a3 * 0x38E38E39) >>32) >> 1
MIPS Instruction ‘srl’:
Shift right logical
Logical means that the bit that replaces the most upper
bits as the shift occurs is the value ‘0’
Lower bits that get shifted out are discarded
103. Observations
The net result of the assembly instructions is a complex looking
expression
It turns out that this can be simplified quite a bit
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
104. Observations
Logical shifts have an associative property
e.g. (v1>> 32) >> 1 == v1 >> 33
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
105. Observations
Right shifting a number by 1 has the effect of dividing that
number by 2.
Therefore right shifting a number by 33 has the effect of
dividing that number by 2^33 = 8589934592
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
= (a3 * 0x38E38E39)/8589934592
106. Observations
(954437177)10 = 0x38E38E39
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
= (a3 * 0x38E38E39)/8589934592
= (a3)(954437177/8589934592)
107. Observations
1/9 ~=(954437177)/8589934592
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
= (a3 * 0x38E38E39)/8589934592
= (a3)(954437177/8589934592)
= (a3)(1/9)
108. Observations
As the above example illustrates, the disassembly performs operations such
as shifts to do multiplication and division
What looks complex may be able to be decompiled into something much
simpler
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
v0 = ($a3)/9
Disassembly C code
109. Luckily someone else (Craig) did all the grunt work in
decompiling the disassembly for us
But we’ve seen how the general process for reversing works,
so in theory we could do it
On the next slides, we’ll show the complete C
implementation of the get_default_pin algoritm
Reverse algorithm segment into C code
b. Reversing the entire algorithm
110. dd /*
* The largest possible remainder for any value divided by 10,000,000
* is 9,999,999 (7 digits). The smallest possible remainder is,
* obviously, 0.
*/
pin = pin % 10000000;
/* The pin needs to be at least 7 digits long */
if(pin < 1000000)
{
/*
* The largest possible remainder for any value divided by 9 is
* 8; hence this adds at most 9,000,000 to the pin value, and at
* least 1,000,000. This guarantees that the pin will be 7 digits
* long, and also means that it won't start with a 0.
*/
pin += ((pin % 9) * 1000000) + 1000000;
}
/*
* The final 8 digit pin is the 7 digit value just computed, plus a
* checksum digit. Note that in the disassembly, the wps_pin_checksum
* function is inlined (it's just the standard WPS checksum
implementation).
*/
pin = ((pin * 10) + wps_pin_checksum(pin));
sprintf(buf, "%08d", pin);
return pin;
}
get_default_pin (Dlink router)
unsigned int generate_default_pin(char *buf)
{
char *mac;
char mac_address[32] = { 0 };
unsigned int oui, nic, pin;
/* Get a pointer to the WAN MAC address */
mac = lockAndGetInfo_log()->wan_mac_address;
/*
* Create a local, NULL-terminated copy of the WAN MAC
(simplified from
* the original code's sprintf/memmove loop).
*/
sprintf(mac_address,
"%c%c%c%c%c%c%c%c%c%c%c%c", mac[0],
mac[1],
mac[2],
……
mac[11]
sscanf(mac_address, "%06X%06X", &oui, &nic);
/* Do some XOR munging of the NIC. */
pin = (nic ^ 0x55AA55);
pin = pin ^ (((pin & 0x0F) << 4) +
((pin & 0x0F) << 8) +
((pin & 0x0F) << 12) +
((pin & 0x0F) << 16) +
((pin & 0x0F) << 20));
111. We could follow a similar process to reverse the Belkin Pin
algorithm
Yet again, Craig has spared us the trouble
On the next slide is the reversed C implementation of the
Belkin algorithm
Reverse algorithm segment into C code
c. Reversing the Belkin Pin Generation Algorithm
113. Lab 2: Q&A
Why are weaknesses in implementation of a security design not
discovered before product released?
Companies care more about time-to-market
Subscribe to the notion of security through obscurity
How long does the reverse engineering process take?
Depends on the device and the skills of the personnel
Charlie and Chris (Chrysler Jeep hack) said it took them over 3.5 months and
they are pretty experienced
114. Lab 2: Q&A
Is the reverse process always this tedious?
In general…yes, if not more so.
What things can make reversing harder?
Stripped binaries (e.g. no symbols)
Anti-debugging techniques
Code obfuscation
Writing original code in C++
What is an ELF (Executable and Linkable Format)?
Standard file format on Unix-like systems
115. Lab 2: Q&A
Why is MIPS still popular in embedded devices?
Licensing costs for MIPS is cheaper than ARM
Why couldn’t we decompile using IDA Pro?
IDA only supportsARM and x86/64
No reliable decompilers for MIPS in general.
116. Additional Resources
Reversing D-Link’sWPS Pin Algorithm:
http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/
Lab 2: Reversing with IDA Pro
117. I. Overview
II. Background
III. Required Material
IV. Lab 1: Firmware Data Extraction with Binwalk
V. Lab 2: Reversing with IDA Pro
VI. Lab 3: Obtain Initial Access with Wireshark
& Reaver
Session I: Outline
118. Lab 3: Obtaining initial access
Overall goal is to figure out what the router’s WPA
password is so that we can gain initial access to
router and the connected clients
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 3
119. Description
In this lab, we will explore how to use our knowledge of the pin generation
algorithm to derive the WPA Key
Specifically, we will first need to acquire relevant input information into the
algorithm by using Wireshark, and then run the algorithm to compute the
WPS PIN
Then we’ll need to use Reaver to derive the WPA key from the WPS PIN
Lab 3: Obtaining initial access
120. Steps forObtaining initial access
1. Acquire serial and wlan mac w/ Wireshark
2. Compile & execute wps pin generation algorithm
3. Run Reaver to obtain theWPA key
4. Connect to the router utilizing obtained WPA key
Lab 3: Obtaining initial access
121. 1) Acquire Serial and WLAN MAC with
Wireshark
(Next Slides)
Lab 3: Obtaining initial access
122. We’ll need a wifi adapter that supports monitor mode
Monitor mode enables monitoring of all traffic received
Normally, the wifi adapter will filter out traffic not destined for it
An example wifi adapter that supports monitor mode is theTP-LINKTL-WN722N
(pictured above); cost about $12
Acquiring serial and wlan information
a. Attach Wifi adapter (monitor mode support) to PC
123. b. Connect wifi adapter to guest Kali-Linux VM
Acquiring serial and wlan information
Click this
124. b. Connect wifi adapter to guest Kali-Linux VM
Acquiring serial and wlan information
ClickThis
125. c. Get the name of the wireless interface (e.g. wlanx),were x is 0-9
Acquiring serial and wlan information
$ sudo iwconfig
Wireless
Interface Name
126. d. Bring the wireless interface down so we can configure it
Acquiring serial and wlan information
$ sudo ifconfig wlanx down
127. e. Change the wifi mode to monitor
Acquiring serial and wlan information
$ sudo iwconfig wlan0 mode monitor
128. f. Set the channel of wireless interface to channel y, where y in 1-12
Acquiring serial and wlan information
$ sudo iwconfig wlan0 channel %y%
129. g. Bring the wireless interface back up
Acquiring serial and wlan information
$ sudo ifconfig wlan0 up
163. h. Connection is established
Connect to router with WPA key
Success!!
164. h. Connect to web management server (Obtained Initial Access!!)
Connect to router with WPA key
165. i. Log into web management interface (Preview of next session)
Connect to router with WPA key
We’ll figure out how to gain
admin access in Session II
166. Lab 3: Q&A
What’s the difference between monitor mode and promiscuous
mode?
Promiscuous mode allows packets to be sniffed only on the AP the wifi
adapter is currently connected to
Monitor mode allows all packets on a particular channel to be sniffed if
packets are in listening range
Are there any other interesting wifi modes?
Master mode, which allows the wifi adapter to behave as an access point
TheTP Link adapter also supports this mode
168. Recap
Overall goal was to figure out what the router’s WPA
password is so that we can gain initial access to
router and the connected clients
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
169. Recap
Overall goal was to figure out what the router’s WPA
password is so that we can gain initial access to
router and the connected clients
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 1
170. Recap
Overall goal was to figure out what the router’s WPA
password is so that we can gain initial access to
router and the connected clients
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 2
171. Recap
Overall goal was to figure out what the router’s WPA
password is so that we can gain initial access to
router and the connected clients
Reverse
engineer
algorithm
Extract
Firmware to find
pin algorithm
Obtain inputs to
algorithm by
sniffing traffic
Generate pin
and use reaver
to get password
Lab 3
172. Router Exploitation Example (via Redirection Attack)
Step 1: Hacker gains remote access to router
Step 2: Elevates privileges to admin
Step 3: Changes DNS settings on router
Step 4: Router now talks to hacker’s server to resolve name address
Step 5: www.cnn.com now resolves to an IP address of hacker’s server
Step 6: Hacker provides malicious traffic to devices on the network
Step 7:
174
Recap
Pwned
Session I
173. Conclusion
In this session, we were able to obtain initial remote access to
the target device
The next step is to elevate our privileges on the target to that
of an adminsitrator.
This device uses client side authentication for admin
privileges, which we will exploit in Session II
Session III will be focused on utilizing admin privileges from
Session II to compromise aWindows 7 device connected to
the Belkin router