Ghost Tunnel - Hack In The Box Security Conference
Transcript of the slides
Ghost Tunnel: Covert Data Exfiltration Channel to Circumvent Air Gapping
Hongjian CAO, Kunzhe CHAI, Jun LI
PegasusTeam, 360 Security Technology
April 12, 2018
Who We Are
360 Security Technology is a leading Internet security company in Asia. Our core products are anti-virus security software for PCs and mobile phones.
PegasusTeam was founded in 2015. We focus on wireless security and wireless penetration testing.
Agenda
• Introduction
• Previous research on air-gapped attacks
• Ghost Tunnel introduction
• Ghost Tunnel implementation
• Demo
Introduction
• Air-Gapping
• Attack events
Air Gapping
• Air gapping - Wikipedia: “air gapping is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. The name arises from the technique of creating a network that is physically separated (with a conceptual air gap) from all other networks.”
• Air gapping aims to prevent intrusion and data leakage through network connections.
Air-Gapped Network
• Considered to be the most secure
Nothing Is Impossible
• Attack vectors
- Malicious USB
- Employee's laptop
Stuxnet Worm (2010)
• Attack initiated via an infected USB drive
• Designed to sabotage centrifuges used at a uranium enrichment plant in Iran
NSA Leaks (2013)
• COTTONMOUTH-I
- A USB hardware implant
- Air-gap bridging
- Extracting data from targeted systems via RF signals
Previous research on Air-Gapped attacks
Previous research - 1
• Using radio frequencies to transmit data from a computer
- Computer monitor
- Mobile phone FM radio receiver
url: https://thehackernews.com/2014/10/airhopper-hacking-into-isolated.html
Previous research - 2
• A covert bi-directional communication channel between two nearby air-gapped computers, communicating via heat
url: https://thehackernews.com/2015/03/hacking-air-gapped-computer.html
Previous research - 3
• Data exfiltration via RF signals by attacking Siemens PLCs
url: https://www.blackhat.com/eu-17/briefings.html#exfiltrating-reconnaissance-data-from-air-gapped-ics-scada-networks
Ghost Tunnel: A Covert Data Exfiltration Channel Using WiFi
Air-gapped Attack
• Implant
- Malicious software/hardware
• A covert communication channel
- Any medium that can carry data is possible
Ghost Tunnel
• Implant malware
- USB HID attack
- BashBunny
• Set up C&C tunnel
- Via 802.11 beacon and probe request & response
• Exfiltrate data
- Execute command
Ghost Tunnel
• Can bypass firewalls
• Cross-platform support
• Allows up to 256 clients
• Effective range up to 50 meters
The Usual WiFi Connection Process
Ghost Tunnel – No WiFi Connection
802.11 State
Class 1 Frames
Scanning for WiFi Networks
Ghost Tunnel – No WiFi Connection
• A covert WiFi channel using Beacon, Probe Request, Probe Response
• A special SSID as the identifier
Ghost Tunnel Implementation
802.11 Frame
• Control frame
• Management frame
• Data frame
Frame header (field: octets)
• Frame Control: 2
• Duration/ID: 2
• Address 1: 6
• Address 2: 0 or 6
• Address 3: 0 or 6
• Sequence Control: 0 or 2
• Address 4: 0 or 6
• QoS Control: 0 or 2
• HT Control: 0 or 4
• Frame Body: variable
• FCS: 4
802.11 Management Frame Body
• Management frame body
- Fields
- Information Elements
The Components of an Information Element
• Element ID: 1 byte
• Length: 1 byte
• Information: 0-255 bytes
- SSID
- Vendor Specific
Element format (octets): Element ID (1) | Length (1) | Information, the payload (variable)
SSID Element
• Identity of an ESS or IBSS
• SSID length 0-32 bytes
Element format (octets): Element ID (1) | Length (1) | SSID, the payload (0-32)
Vendor Specific Element
• ID = 221
• Organization Identifier
• Vendor-specific content
Element format (octets): Element ID (1) | Length (1) | Organization Identifier (3 or 5) | Vendor-specific content, the payload (variable)
Key Problem
• How to send and receive 802.11 data frames through the local wireless network interface from user space?
• Wireless network interface modes
- Master (acting as an AP)
- Managed (station)
- Monitor (monitor all traffic)
- …
Through the Operating System WiFi API
• Windows: Native Wifi API
• Mac OS X: CoreWLAN
• Linux: nl80211 & libnl
Windows Client: Send And Receive

```c
DWORD WINAPI WlanScan(
    _In_       HANDLE hClientHandle,
    _In_       const GUID *pInterfaceGuid,
    _In_opt_   const PDOT11_SSID pDot11Ssid,
    _In_opt_   const PWLAN_RAW_DATA pIeData,
    _Reserved_ PVOID pReserved
);
```

• Scans for available wireless networks
- pDot11Ssid: specifies the SSID of the network to be scanned
- pIeData != NULL: send probe request
- pIeData == NULL: do not send probe request
Packet Payload Format
• DOT11_SSID
- Contains the SSID
- The maximum length is 32
- Layout: uSSIDLength | ucSSID (payload)
• WLAN_RAW_DATA
- Contains the element data
- Must not exceed 240 bytes
- Layout: dwDataSize | DataBlob, where DataBlob = Element ID | Length | Information (payload)
Windows Client: Receive

```c
DWORD WINAPI WlanGetNetworkBssList(
    _In_       HANDLE hClientHandle,
    _In_       const GUID *pInterfaceGuid,
    _In_opt_   const PDOT11_SSID pDot11Ssid,
    _In_       DOT11_BSS_TYPE dot11BssType,
    _In_       BOOL bSecurityEnabled,
    _Reserved_ PVOID pReserved,
    _Out_      PWLAN_BSS_LIST *ppWlanBssList
);
```

• Retrieves the list of available wireless networks
• ppWlanBssList: receives the returned list of BSS entries
Windows Client: Receive
• WLAN_BSS_LIST: an array of WLAN_BSS_ENTRY structures, each containing information about one network
- WLAN_BSS_LIST: dwTotalSize | dwNumberOfItems | wlanBssEntries[0], wlanBssEntries[1], …, wlanBssEntries[n]
- WLAN_BSS_ENTRY: dot11Ssid | uPhyId | dot11Bssid | … | ulIeOffset | ulIeSize
- The IE blob at ulIeOffset (ulIeSize bytes) holds IE [0], IE [1], …, IE [221], which carry the payloads
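As an added example (not code from the slides or from the Ghost Tunnel project), the following C function walks an Information Element list in the Element ID | Length | Information format described above, the same bytes a Windows client reaches at WLAN_BSS_ENTRY + ulIeOffset for ulIeSize bytes, and counts what a wireless monitor would want to flag in scan results: vendor-specific (ID 221) elements whose OUI is outside a local allow-list, and elements whose Length overruns the buffer. The allow-list, the sample bytes and the OUI 12-34-56 are constructed for this example; 00-50-F2 is a real Microsoft assignment.

```c
/* Added example (not from the Ghost Tunnel slides): audit an 802.11 IE list. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct ie_report {
    int elements;       /* well-formed elements walked */
    int ssid_len;       /* -1 if no SSID element; spec maximum is 32 */
    int vendor;         /* vendor-specific (ID 221) elements */
    int vendor_unknown; /* 221 elements whose OUI is not on the allow-list */
    int malformed;      /* Length overruns the buffer, or 221 too short for an OUI */
};

/* Hypothetical allow-list; 00-50-F2 (Microsoft, WPA/WMM elements) is a real OUI. */
static const uint8_t known_oui[3] = { 0x00, 0x50, 0xf2 };
static int oui_known(const uint8_t *o) { return memcmp(o, known_oui, 3) == 0; }

/* Element = ID (1 octet) | Length (1 octet) | Information (Length octets).
 * Returns the element count and stops at the first truncated element. */
int parse_ies(const uint8_t *buf, size_t len, struct ie_report *rep)
{
    memset(rep, 0, sizeof *rep);
    rep->ssid_len = -1;
    for (size_t off = 0; off + 2 <= len; ) {
        uint8_t id = buf[off], ilen = buf[off + 1];
        const uint8_t *info = buf + off + 2;
        if (off + 2 + ilen > len) { rep->malformed++; break; }
        if (id == 0) rep->ssid_len = ilen;          /* SSID element */
        else if (id == 221) {                       /* Vendor Specific element */
            rep->vendor++;
            if (ilen < 3) rep->malformed++;         /* no room for an OUI */
            else if (!oui_known(info)) rep->vendor_unknown++;
        }
        rep->elements++;
        off += 2 + ilen;
    }
    return rep->elements;
}

/* Constructed scan result: SSID "Lab-AP"; Supported Rates; a WPA-style 221 with
 * OUI 00-50-F2; a 221 with made-up OUI 12-34-56 carrying four opaque bytes; and a
 * trailing element whose Length (16) overruns the buffer. */
static const uint8_t sample_ies[] = {
    0x00, 0x06, 'L', 'a', 'b', '-', 'A', 'P',             /* SSID */
    0x01, 0x04, 0x82, 0x84, 0x8b, 0x96,                   /* Supported Rates */
    0xdd, 0x06, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,       /* known OUI */
    0xdd, 0x07, 0x12, 0x34, 0x56, 0xde, 0xad, 0xbe, 0xef, /* unknown OUI */
    0xdd, 0x10, 0x00,                                     /* truncated */
};

/* Runs the parser over the constructed sample and returns the report. */
struct ie_report scan_sample(void)
{
    struct ie_report r;
    parse_ies(sample_ies, sizeof sample_ies, &r);
    return r;
}
```

On a live system the same function would be called on each WLAN_BSS_ENTRY's IE blob; an SSID longer than 32 or an unknown-OUI element with opaque content is the kind of anomaly worth alerting on.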
Mac Client: Send
• CWInterface
- func scanForNetworks(withSSID: Data?)
Mac Client: Receive
• CWInterface
- func scanForNetworks(withSSID: Data?)
- func cachedScanResults() -> Set<CWNetwork>?
• CWNetwork
- informationElementData: Data?
C&C Server: Send And Receive
• Modified hostapd and hostapd_cli
• USB WiFi card
Demo
Thanks! Any questions?