
CIRCO Def CON 27 PHV (11-Aug 2019)

Emilio
August 11, 2019


Transcript

  1. Hello, Friend
     https://circo.cc
     • My name is Emilio or  and I'm a hacker
     • I like to play with packets, networks, electronics and 3D printers
     • I presented tools at various conferences (BlackHat Asia, HITB, AV Tokyo, SECCON, HamaSec, Hacker's Party) and now DEF CON PHV/Demo Labs too!
     • Sorry, I'm not a native programmer or English speaker :)
  2. What is CIRCO?
     Designed around the Raspberry Pi and aimed at Red Team Ops, we take advantage of "Sec/Net/Dev/Ops" enterprise tools to capture network credentials in stealth mode. It uses low-profile hardware and electronics camouflaged as a simple network outlet box, sitting under or over a desk. CIRCO includes different techniques for network data exfiltration to avoid detection. The tool gathers information and uses a combination of honeypots to trick automation systems into giving us their network credentials!
  3. What's new?
     ▪ Allow an existing IP-Phone to co-exist with CIRCO
     ▪ Eliminate template files (craft all packets)
     ▪ Support NTP exfiltration
     ▪ Software encrypted via Bluetooth (prevents forensics)
     ▪ Self-destruct and alarm switch (thanks Will)
     ▪ Bypass active & passive fingerprinting (NAC)
     ▪ Credentials integration into Faraday (thanks Fran)
  4. Who do we target?
     ▪ Cisco DNA (Digital Network Architecture)
     ▪ Infoblox NetMRI
     ▪ Micro Focus® Network Automation (formerly HP NA)
     ▪ ServiceNow Discovery*
     ▪ ForeScout CounterACT (NAC)
     ▪ Trusted network administrators
     ▪ Others
     * SNMP discovery only
  5. For example…
     NASA hacked: 500 MB of mission data stolen through a Raspberry Pi computer
     "The account was compromised by a hacker who used a Raspberry Pi to gain unauthorized access to the JPL network"
     "The system administrators also did not properly track the devices added to the network"
     2019-June-22
     https://www.digitaltrends.com/computing/hackers-steal-500-mb-nasa-data-raspberry-pi/
     https://oig.nasa.gov/docs/IG-19-022.pdf
  6. Problems:
     ▪ Power Options
       □ Battery Life
       □ PoE
     ▪ IP-Phone unplugged
       □ Suspicious
     ▪ Forensics
       □ Encryption Keys
       □ Case Open
  7. Paper Idea:
     ▪ Use the IP-Phone as the active PoE client
     ▪ Tap from 48V PoE
     ▪ Convert 48V to 5V
     ▪ Power up the Raspberry Pi with 5V
     ▪ Micro USB Hub
     ▪ 2nd Ethernet adaptor
     ▪ Use bridging between LAN adaptors
     ▪ Ignore all TIA/network standards
     ▪ Pray it doesn't blow up :)
  8. PCB Prototyping (Mk1)
     ▪ Cross-talk?
       □ Naaa, for 100Mb we're good
     ▪ Raspberry Pi Hat?
       □ Experimenting
     ▪ Any PCB designers around?
       □ Raise your hand!
     ▪ More research here
       □ TBD…
  9. CIRCO Demo Box (v1 - 2018)
     ▪ Raspberry Pi Zero W
     ▪ USB LAN Adapter
     ▪ USB Hub
     ▪ Wireless Dongle (WLI-UC-GNM2S)
     ▪ PoE LAN Adapter (12V)
     ▪ Buck Regulator (12V-5V)
  10. CIRCO Production Box #1 (v1.4)
      ▪ Raspberry Pi 3B
      ▪ PoE LAN Adapter (5V)
      ▪ Quad RJ45 Wall Faceplate
      ▪ Desk/Mount Box Network Outlet
  11. CIRCO Production Box #2 (v1.4)
      ▪ Raspberry Pi Zero W
      ▪ PoE LAN Adapter (5V)
      ▪ USB LAN Adapter
      ▪ 1 RJ45 Socket
      ▪ Desk/Mount Flat Network Outlet
  12. CIRCO Production Box #1 (v1.5)
      ▪ Quad RJ45 Wall Faceplate
      ▪ Desk/Mount Box Network Outlet
      ▪ Raspberry Pi 3B+
      ▪ Magnet mount (3D printed)
      ▪ USB LAN Adapter
      ▪ DC-DC LM2596HVS (56V-5V)
      ▪ Magnetic switch and magnet (4mm)
      ▪ USB Wireless Adapter
  13. CIRCO Production Box #2 (v1.5)
      ▪ Raspberry Pi Zero
      ▪ DC-DC LM2596HVS (56V-5V)
      ▪ 2 x USB LAN Adapter
      ▪ Micro USB Hub
      ▪ 2 x RJ45 Socket
      ▪ Desk/Mount Flat Network Outlet
      ▪ Push switch
  14. Hardware Cost (v1.5)
      ▪ LM2596HVS (DC-DC 56V/5V) = $3 (Amazon)
      ▪ 2 x USB LAN Adapter = $18 (Amazon)
      ▪ Raspberry Pi Zero W = $10 (Adafruit)
      ▪ Micro USB Hub = $9.99 (Tindie)
      ▪ Flat Network Outlet = $9 (eBay)
      Get CIRCO for $49.99 bucks!
  15. Software
      ▪ Components
        □ CIRCO: Implant (hardware & software)
        □ CARPA: Credentials Receiver (Internet VPS, software and domain NS)
        □ JAULA: Wireless Credentials Receiver (software)
      ▪ Python 2
        □ Mainly Scapy for packet manipulation
        □ Migration to Python 3 started…
      ▪ Features:
        □ Honeypot services that behave as a Cisco Switch or IP-Phone
        □ Trick NAC systems (nmap, Phone whitelisted, Golden MAC)
        □ OSfooler-NG (https://github.com/segofensiva/OSfooler-ng/)
      ▪ Exfiltration via covert channel protocols
        □ ICMP (ping), Traceroute, NTP, HTTP, HTTPS, DNS, Proxy (DNS) and Wireless
      ▪ Extra: Get plain credentials if a PC is plugged into the IP-Phone
        □ net-creds (https://github.com/DanMcInerney/net-creds)
  16. Fake Services (Honeypots)
      ▪ Cisco CDP & LLDP Advertisement (as IP-Phone & Network Switch)
      ▪ Cisco SNMP Agent
      ▪ Cisco Telnet CLI (IOS 15.x)
      ▪ Cisco SSH CLI (IOS 15.x)
      ▪ Mimic the IOS packet format to avoid NAC/IDS/IPS
  17. MACCHERONI: Minimal Access Cisco Case Housing Extended Raspberry Overlay Network Infrastructure
      "Because not all PASTA cost ~$28,000"
      Only ~$200
  18. Exfiltration Format
      ▪ Telnet
        □ t,<username>,<password>,<src_IP>
        □ t,e,<enable_password>,<src_IP>
      ▪ SSH
        □ s,<username>,<password>,<src_IP>
        □ s,e,<enable_password>,<src_IP>
      ▪ SNMP (v1/v2)
        □ p,<community>,<src_IP>
      ▪ net-creds* (optional)
        □ n,<credentials>,<src_IP>
      * Under development
  19. Network Exfiltration Techniques
      ▪ ICMP (IP.id & ICMP.seq fields)
      ▪ Traceroute (IP.id field & UDP payload)
      ▪ HTTP and HTTPS (IP.id & TCP.window fields)
      ▪ NTP (NTP.stratum, NTP.poll, NTP.tx.timestamp)
      ▪ DNS (NS query evil.sub.domain)
      ▪ DNS (A query) via Proxy (DHCP Option 252, WPAD.<domain>, PAC Guessing via DNS)
      ▪ Wireless* (SSID Name & Dot11.beacon, Dot11.SC and Dot11.interval)
      * Proximity required
      Credentials & IP address are encrypted with AES256 before sending
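Looking at the ICMP channel above from the defender's side, as an added example that is not part of the original deck or the CIRCO code: every common ping tool counts ICMP.seq up by one per echo request, so a stream whose sequence numbers jump arbitrarily (because the field carries ciphertext) stands out. The packet records are constructed, not captured traffic, and the names Echo, irregular_fraction and score_icmp_flows are this example's own.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Echo(NamedTuple):
    """One ICMP echo request, reduced to the fields a sensor would already log."""
    src: str
    dst: str
    ip_id: int     # IP header identification field
    icmp_seq: int  # ICMP echo sequence number


# Constructed sample, not captured traffic: 10.0.0.5 behaves like a normal ping
# (both fields step by one per packet); 10.0.0.77 shows the pattern described
# on the slide, where both fields carry arbitrary values (ciphertext bytes).
SAMPLE: List[Echo] = [Echo("10.0.0.5", "203.0.113.9", 0x1A00 + i, i + 1) for i in range(8)] + [
    Echo("10.0.0.77", "203.0.113.9", ip_id, seq)
    for ip_id, seq in [(0x4F2A, 0x91C3), (0x0B17, 0x2E88), (0xC4D1, 0x77A0),
                       (0x3920, 0x0C55), (0xE6F3, 0xB312), (0x81A4, 0x5D9E),
                       (0x17C8, 0xF041), (0xA35B, 0x6872)]
]


def irregular_fraction(values: List[int]) -> float:
    """Share of consecutive deltas that are not +1 (with 16-bit wrap-around)."""
    if len(values) < 2:
        return 0.0
    odd = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 0x10000 != 1)
    return odd / (len(values) - 1)


def score_icmp_flows(echos: List[Echo], min_packets: int = 6,
                     threshold: float = 0.5) -> Dict[Tuple[str, str], dict]:
    """Group echo requests per (src, dst); flag streams whose ICMP.seq is erratic.
    IP.id is reported but not judged: some OSes legitimately randomise it."""
    flows: Dict[Tuple[str, str], List[Echo]] = defaultdict(list)
    for e in echos:
        flows[(e.src, e.dst)].append(e)
    verdicts = {}
    for key, pkts in flows.items():
        if len(pkts) < min_packets:  # too few packets to judge a pattern
            continue
        seq_irr = irregular_fraction([p.icmp_seq for p in pkts])  # the strong signal
        verdicts[key] = {"packets": len(pkts),
                         "seq_irregular": round(seq_irr, 2),
                         "ipid_irregular": round(irregular_fraction([p.ip_id for p in pkts]), 2),
                         "suspicious": seq_irr >= threshold}
    return verdicts
```

Running score_icmp_flows(SAMPLE) flags only the 10.0.0.77 stream; a short burst below min_packets is skipped on purpose, since a handful of packets cannot establish a pattern.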
  20. Disclaimer
      • The tool is provided for educational, research or testing purposes
      • Using this tool against networks/systems without prior permission is illegal
      • The author is not liable for any damages from misuse of this tool, techniques or code
      • The author is not affiliated with Cisco Systems®