CIRCO - Hackers Party

Transcript

1. C I R C O Cisco Implant Raspberry Controlled Operations

   https://circo.cc

2. https://circo.cc Designed under Raspberry Pi and aimed for Red Team

   Ops, we take advantage of “Sec/Net/Dev/Ops” enterprise tools to capture network credentials in a stealth mode. Using a low profile hardware & electronics camouflaged as simple network outlet box to be sitting under/over a desk. CIRCO include different techniques for network data exfiltration to avoid detection. This tool gather information and use a combination of honeypots to trick Automation Systems to give us their network credentials! What is CIRCO?

3. ▪ Cisco DNA (Digital Network Architecture) ▪ Infoblox NetMRI ▪

   Micro Focus® Network Automation (formerly HP NA) ▪ Service Now Discovery* ▪ ForeScout CounterACT (NAC) ▪ Trusted network administrators ▪ Others * SNMP discovery only https://circo.cc Who we target?

4. NASA hacked: 500 MB of mission data stolen through a

   Raspberry Pi computer ”The account was compromised by a hacker who used a Raspberry Pi to gain unauthorized access to the JPL network” “The system administrators also did not properly track the devices added to the network” 2019-June-22 https://www.digitaltrends.com/computing/hackers-steal-500-mb-nasa-data-raspberry-pi/ https://oig.nasa.gov/docs/IG-19-022.pdf https://circo.cc For example…

5. CIRCO Demo Box (v1 - 2018) ▪ Raspberry Pi Zero

   W ▪ USB LAN Adapter ▪ USB Hub ▪ Wireless Dongle (WLI-UC-GNM2S) ▪ PoE LAN Adapter (12V) ▪ Bucket Regulator (12V-5V) https://circo.cc

6. CIRCO Production Box #1 (v1.4) ▪ Raspberry Pi 3B ▪

   PoE LAN Adapter (5V) https://circo.cc ▪ Quad RJ45 Wall Faceplate ▪ Desk/Mount Box Network Outlet

7. CIRCO Production Box #2 (v1.4) ▪ Raspberry Pi Zero W

   ▪ PoE LAN Adapter (5V) ▪ USB LAN Adapter https://circo.cc ▪ 1 RJ45 Socket ▪ Desk/Mount Flat Network Outlet

8. ▪ PoE LAN Adapter = $6 (eBay) ~ ¥650 ▪

   Raspberry Pi Zero W = £14 (Pimoroni) ~ ¥1,900 ▪ Flat Network Outlet = $9 (eBay) ~ ¥1,000 https://circo.cc Hardware Cost (v1.4) Get CIRCO for ¥3,550!

9. ▪ Cisco CDP & LLDP Advertisement (as IP-Phone & Network

   Switch) ▪ Cisco SNMP Agent ▪ Cisco Telnet CLI (IOS 15.x) ▪ Cisco SSH CLI (IOS 15.x) https://circo.cc Fake Services (Honeypots)

10. https://circo.cc Logic Flow

11. ▪ ICMP (IP.id & ICMP.seq fields) ▪ Traceroute (IP.id field

    & UDP payload) ▪ DNS (NS query evil.sub.domain) ▪ HTTP (IP.id & TCP.window fields) ▪ HTTPS (IP.id & TCP.window fields) ▪ DNS (A query) via Proxy (DHCP Option 252, WPAD.<domain>, PAC Guessing via DNS) ▪ Wireless* (SSID Name & Dot11.beacon, Dot11.SC and Dot11.interval) https://circo.cc Network Exfiltration Techniques * Proximity required Credentials & IP address are encrypted with AES before sending

12. https://circo.cc Lab Network Diagram

13. https://circo.cc ICMP Exfiltration Flow

14. https://circo.cc Traceroute Exfiltration Flow

15. https://circo.cc DNS Exfiltration Flow

16. https://circo.cc HTTP/HTTPS Exfiltration Flow

17. https://circo.cc Proxy (DHCP) Exfiltration Flow

18. https://circo.cc Proxy (WAP) Exfiltration Flow

19. Proxy (DNS Guessing) Exfiltration Flow https://circo.cc

20. https://circo.cc Wireless Exfiltration Flow

21. https://circo.cc IP Header

22. https://circo.cc ICMP Packet

23. https://circo.cc Traceroute Packet

24. https://circo.cc TCP Header

25. https://circo.cc DNS Packet

26. Emilio ekio_jp https://github.com/ekiojp/circo https://circo.cc Thank You! ありがとうございます

27. https://circo.cc • The tool is provided for educational, research or

    testing purposes • Using this tool against network/systems without prior permission is illegal • The author is not liable for any damages from misuse of this tool, techniques or code • The author is not affiliated with Cisco Systems® Disclaimer