CIRCO
Cisco Implant Raspberry Controlled Operations
https://circo.cc
Slide 2
Hello
• My name is Emilio and I’m a hacker
• I like to play with packets, networks, electronics and 3D printers
• I presented security tools at various conferences (DEF CON, BlackHat Asia, AV Tokyo HIVE, SECCON, HITB, etc.)
• Sorry, I’m not a native programmer or English/Japanese speaker :)
Slide 3
What’s new?
▪ Allow an existing IP-Phone to co-exist with CIRCO
▪ Eliminate template files (craft all packets)
▪ Support NTP exfiltration
▪ Software encrypted via Bluetooth (prevent forensics)
▪ Self-destruct and alarm switch (thanks Will)
▪ Bypass fingerprinting (NAC)
▪ Credentials integration into Faraday (thanks Fran)
Slide 4
Who do we target?
▪ Cisco DNA (Digital Network Architecture)
▪ Infoblox NetMRI
▪ Micro Focus® Network Automation (formerly HP NA)
▪ ServiceNow Discovery*
▪ ForeScout CounterACT (NAC)
▪ Trusted network administrators
▪ Others
* SNMP discovery only
Slide 5
CIRCO Evolution
Slide 6
Demo Box v1
Production Box v1.4
Slide 7
Production Box v1.5
Slide 8
Software
▪ Components
  □ CIRCO: Implant (hardware & software)
  □ CARPA: Credentials Receiver (Internet VPS, software and domain NS)
  □ JAULA: Wireless Credentials Receiver (software)
▪ Python 2
  □ Mainly Scapy for packet manipulation
  □ Migration to Python 3 started…
▪ Features:
  □ Honeypot services to behave as a Cisco Switch or IP-Phone
  □ Trick NAC systems (nmap, Phone whitelisted, Golden MAC)
  □ OSfooler-NG (https://github.com/segofensiva/OSfooler-ng/)
▪ Exfiltration via covert channel protocols
  □ ICMP (ping), Traceroute, NTP, HTTP, HTTPS, DNS, Proxy (DNS) and Wireless
▪ Extra: Get plain credentials if a PC is plugged into the IP-Phone
  □ net-creds (https://github.com/DanMcInerney/net-creds)