
CIRCO - HIVE AV Tokyo 2018

Emilio
November 03, 2018


Transcript

  1. What is CIRCO?
     Designed around a Raspberry Pi Zero and aimed at covert red-team ops, CIRCO takes advantage of SecNetDevOps tools to capture network credentials in a stealthy way, using low-profile hardware/electronics and different methods of credential exfiltration. The tool uses a combination of honeypots and information gathering to lure automation systems into revealing network credentials to us.
  2. Where can we use CIRCO?
     ▪ Ideal for Cisco Enterprise Networks
     ▪ Red Team & Pentesting Assessments
     ▪ CTC Exercise (Capture The Credentials)
     ▪ First Stage Attacks
     ▪ For fun & “educational” purposes
  3. Goals & Objectives
     ▪ What we need: to be quiet and avoid detection
     ▪ What we are: “An Implant”
     ▪ What we pretend to be: “Humble Cisco IP Phone”
     ▪ What we become: “A New Cisco Switch”
     ▪ What we do: “Get Your Network Credentials” Thank you! :)
  4. Targets
     ▪ Cisco DNA (Digital Network Architecture)
     ▪ Micro Focus® Network Automation (formerly HPNA NA/Opsware)
     ▪ ServiceNow Discovery*
     ▪ ForeScout CounterACT (NAC)
     ▪ Infoblox NetMRI
     ▪ Others
     * SNMP discovery only
  5. Hardware Architecture
     ▪ Raspberry Pi Zero
     ▪ USB LAN Adapter
     ▪ Active PoE splitter
     ▪ DC-DC buck converter (12V to 5V)
     ▪ USB WiFi Adapter (optional)
     ▪ USB Hub (optional)
     ▪ Plastic enclosure
  6. Software Architecture https://github.com/ekiojp/circo
     ▪ circo_v1.py
     ▪ carpa_v1.py
     ▪ jaula_v1.py
     ▪ sshd-fake.py
     ▪ telnetd-fake.py
     ▪ Pcap/snmpwalk templates
     ▪ Requirements:
       – snmposter (fork https://github.com/ekiojp/snmposter)
       – Scapy 2.4 (https://github.com/secdev/scapy)
       – paramiko, pyaes, pyscrypt, ipcalc, TwistedSNMP, Twisted, pysnmp-se
     ▪ Optional: airmon-ng, pygame, Adafruit TFT display
  7. Cisco Services
     ▪ CDP (Phone & Switch)
     ▪ SNMP (community public*)
     ▪ Telnet
     ▪ SSH
     * A future release will support “any” community
  8. Exfiltration Methods
     ▪ ICMP (ping)
     ▪ Traceroute (UDP > 33434)
     ▪ DNS (NS query)
     ▪ HTTP
     ▪ HTTPS
     ▪ Wireless*
     * Proximity required
  9. IP Packet Fields (header diagram, 32-bit rows)
     ▪ Version, IHL, DSCP, ECN, Total Length
     ▪ Identification, Flags, Fragment Offset
     ▪ Time to Live, Protocol, Header Checksum
     ▪ Source Address
     ▪ Destination Address
     ▪ Options
  10. ICMP Packet Fields (header diagram, 32-bit rows)
     ▪ Type, Code, Checksum
     ▪ Identifier, Sequence Number
     ▪ Optional Data
  11. UDP Packet Fields (header diagram, 32-bit rows)
     ▪ Source Port, Destination Port
     ▪ Length, Checksum
     ▪ Optional Data
  12. DNS Packet Fields (header diagram, 32-bit rows)
     ▪ Query ID; QR, Opcode, AA, TC, RD, RA, Z, Rcode
     ▪ Question Count, Answer Count
     ▪ Authority RR Count, Additional RR Count
     ▪ DNS Question or Answer Data
  13. TCP Packet Fields (header diagram, 32-bit rows)
     ▪ Source Port, Destination Port
     ▪ Sequence Number
     ▪ Acknowledgement Number
     ▪ Data Offset, Reserved, Control Flags, Window Size
     ▪ Checksum, Urgent Pointer
     ▪ Optional Data
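Added example, not part of the deck or the circo project: a minimal parser for the IPv4 and ICMP field layouts on slides 9 and 10, plus a defender-side heuristic that flags echo requests whose optional data does not match a common ping tool's filler, which is one way to notice the ICMP (ping) channel listed under slide 8. The sample packets are constructed inline; the iputils and Windows filler patterns are assumed tool defaults.

```python
import struct

ICMP_ECHO_REQUEST = 8
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"  # assumed Windows ping default (32 bytes)

def parse_ipv4(pkt):
    """Split the IPv4 header into the fields named on slide 9 (no option decoding)."""
    ver_ihl, dscp_ecn, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ihl, "dscp": dscp_ecn >> 2, "ecn": dscp_ecn & 0x3,
            "total_length": total_len, "identification": ident, "flags": flags_frag >> 13,
            "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
            "header_checksum": csum, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)), "payload": pkt[ihl:total_len]}

def parse_icmp(payload):
    """Split the ICMP header into the fields named on slide 10; bytes after the 8-byte header are data."""
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", payload[:8])
    return {"type": typ, "code": code, "checksum": csum,
            "identifier": ident, "sequence": seq, "data": payload[8:]}

def echo_data_is_standard(data):
    """Heuristic (assumed defaults): iputils fills byte i of the echo data with the value i, then
    overwrites the first 8 or 16 bytes with a timestamp; Windows ping sends a fixed string."""
    if data == WINDOWS_PATTERN:
        return True
    return any(data[k:] == bytes(i & 0xFF for i in range(k, len(data)))
               for k in (8, 16) if len(data) > k)

def flag_suspicious_echo(pkt):
    """Return a reason string for an echo request carrying non-filler data, else None."""
    ip = parse_ipv4(pkt)
    if ip["protocol"] != 1:                     # not ICMP
        return None
    icmp = parse_icmp(ip["payload"])
    if icmp["type"] != ICMP_ECHO_REQUEST or echo_data_is_standard(icmp["data"]):
        return None
    return (f"{ip['src']} -> {ip['dst']} echo id={icmp['identifier']} seq={icmp['sequence']}: "
            f"{len(icmp['data'])} bytes of non-standard data in the ICMP data field")

def build_echo_request(src, dst, data, ident=0x1234, seq=1):
    """Constructed sample builder (not circo code): IPv4 + ICMP echo request, checksums left at zero."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + data
    addr = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0x4000, 64, 1, 0, addr(src), addr(dst))
    return ip + icmp

# Constructed samples: a normal 64-bit Linux ping and an echo request carrying arbitrary text.
LINUX_PING = build_echo_request("10.0.0.5", "10.0.0.1", bytes(16) + bytes(range(0x10, 0x38)))
ODD_PING = build_echo_request("10.0.0.5", "203.0.113.9", b"this is not a ping filler pattern")
```

Running `flag_suspicious_echo` over both samples returns None for the Linux ping and a reason string for the second packet; the same parsers extend naturally to the UDP, DNS and TCP layouts on slides 11 to 13.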