CIRCO - HAMASEC - Feb 2019

Emilio
February 23, 2019

Transcript

  1. What is CIRCO?

     Designed around a Raspberry Pi Zero and aimed at covert Red Team Ops, CIRCO takes advantage of ‘Sec/Net/Dev/Ops’ enterprise tools to capture network credentials in stealth mode, using low-profile hardware and electronics and different methods for credential exfiltration. The tool gathers information and uses a combination of honeypots to trick automation systems into giving us network credentials!

     https://github.com/ekiojp/circo

  2. Targets

     ▪ Cisco DNA (Digital Network Architecture)
     ▪ Micro Focus® Network Automation (formerly HPNA NA/Opsware)
     ▪ ServiceNow Discovery*
     ▪ ForeScout CounterACT (NAC)
     ▪ Infoblox NetMRI
     ▪ Others

     * SNMP discovery only

  3. Daemon

     ▪ Cisco CDP & LLDP (Phone & Switch)
     ▪ Cisco SNMP (community public*)
     ▪ Cisco Telnet
     ▪ Cisco SSH

     * A future release will support “any” community

  4. Exfiltration Methods

     ▪ ICMP (IP.id + ICMP.seq fields)
     ▪ Traceroute (IP.id + UDP data payload)
     ▪ DNS (NS query subdomain)
     ▪ HTTP (IP.id + TCP.window fields)
     ▪ HTTPS (IP.id + TCP.window fields)
     ▪ Wireless* (SSID + Dot11.beacon)

     * Proximity required

     Credentials are encrypted with AES and split into 16-bit chunks.
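
A detection-side view of the ICMP method on slide 4, as an added example that is not part of the deck or of the CIRCO project: encrypted 16-bit chunks placed in ICMP.seq will not advance by one per echo request the way an ordinary ping does. The record format, the sample values and the thresholds are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample of ICMP echo requests: (src, dst, icmp_id, icmp_seq).
# First flow imitates an ordinary ping; second carries arbitrary 16-bit values.
SAMPLE = [("10.0.0.5", "192.0.2.10", 0x1A2B, s) for s in range(1, 9)] + [
    ("10.0.0.77", "198.51.100.7", 0x0001, s)
    for s in (0x8F3A, 0x11C4, 0xE2B0, 0x5D19, 0x03F7, 0xA66E, 0x7C21, 0x4B90)
]


def seq_step_ratio(seqs):
    """Fraction of consecutive sequence numbers that advance by 1 (mod 2**16)."""
    if len(seqs) < 2:
        return 1.0
    steps = [(b - a) & 0xFFFF for a, b in zip(seqs, seqs[1:])]
    return sum(1 for d in steps if d == 1) / len(steps)


def suspicious_flows(records, min_packets=6, max_ratio=0.5):
    """Return (src, dst, icmp_id) flows whose ICMP.seq does not look like a counter.

    Assumption: ordinary ping tools increment the sequence number by one per
    request. Loss or reordering breaks a few steps, so a flow is flagged only
    when at most max_ratio of its steps are +1 and it has at least min_packets
    packets. Both thresholds are illustrative and need tuning per network.
    """
    flows = defaultdict(list)
    for src, dst, icmp_id, seq in records:
        flows[(src, dst, icmp_id)].append(seq)
    return sorted(
        key for key, seqs in flows.items()
        if len(seqs) >= min_packets and seq_step_ratio(seqs) <= max_ratio
    )


if __name__ == "__main__":
    for flow in suspicious_flows(SAMPLE):
        print("non-sequential ICMP.seq:", flow)
```

The same per-flow idea carries over to the TCP.window variants on the slide, where the baseline is the window sizes a host's stack normally advertises rather than a counter.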