UPS: The Undetectable Packet Sniffer
Tri Valley Security Group www.tvsg.org/ups
Introducing the TVSG Dev Team
AutoNiN – Software, Team Lead
Spyder~1 – Hardware
Mystic – Integration
JustaBill – Organization
Concept
Place a stealthed hostile packet sniffer on a victim network. Physical concealment is to hide in plain sight - posing as an Uninterruptible Power Supply (UPS). Network concealment involves clandestine exfiltration methods like Auto-IP Detection and encrypted UDP tunneling.
Caveat - Prototype
Unit presented today is a prototype (mk II) unit demonstrating basic concepts. Unit is really not "Undetectable" but should be difficult to detect, even in its nascent state.
Additional hardware and software features are being researched to further decrease detectability and increase attack effectiveness.
Undetectable?
Not really…
Takes advantage of today’s overworked, under-resourced, over-managed and under-trained Information Technology staff
Completely blocked by proxies (but we’ll fix that soon enough!)
Overview
Introduction
Integration
Hardware
Software
Practical Demonstration
Questions & Answers
Integration
Overarching Goal – Stealth: Tried to maintain 'Stock' look as much as possible.
Hardware Requirements
486 or Higher CPU
64Mb or More RAM
1Gb or More Hard Drive
No moving parts
Small form factor
Integrated network
Most Important: Cheap!
System Components
UPS Chassis
Power Supply
Embedded Computer
Network Hub
Physical Components (block diagram; only the slide's labels survived extraction)
110v AC in -> Power Supply -> 5v DC -> Embedded PC and Hub
Chassis RJ-45's: Ethernet In / Out, via the Hub
UPS Chassis
Tried several UPS Chassis before we found one that worked well
Power Supply
Needed to convert the 110v AC provided by the wall to 3.3v, 5v, and/or 12v DC needed by the other components in the system. Most UPS power supplies are trickle-charge systems that cannot produce enough power to run our covert system.
Variety of Embedded Systems
Older, Slower, Larger Systems are the Cheapest
Popular Embedded Manufacturers:
http://www.advantech.com
http://www.kontron.com
http://www.ampro.com
http://www.emj.com
Our Selected Mainboard:
Kontron's Coolmonster:
Pentium-166 with passive cooling heatsink
128MB PC-100 SDRAM
44-Pin IDE Channel for temporary CD-ROM Drive
40-Pin IDE Channel for 2.5" 2GB Laptop Hard Drive
Single 10/100 Ethernet port
PS/2 Keyboard & Mouse ports, VGA Port
PISA Interface (bus expansion)
Network Hub
Our embedded system had only 1 Ethernet port, so we could not bridge two interfaces together. For simplicity's sake, we ripped a 10/100 hub out of its case and placed it inside ours. Runs off 5v DC, just like the embedded PC.
Network Connections
Repeater hub connected to both wall and client RJ45 jacks. Embedded PC also connected to hub.
Good: Client can still access network even if UPS is booting or down
Bad: Can't do Proxy-ARP attacks, client sees all UPS traffic
Ugly: Either way, client gets Ethernet 'Link' from the UPS, which is odd
Software
OS is Redhat 7.2 patched & stripped
Custom Perl and Shell Scripts
Additional Malware added:
NetCat by Hobbit & Weld
dSniff by Dug Song
Nmap by Fyodor
thcrut by The Hacker’s Choice
Malware Installation - NetCat
Many thanks to Hobbit & Weld for this incredibly versatile tool.
Used for UPS <-> Listening Post Communications. Default configuration sends it over UDP port 53 to exploit firewall rules that permit outbound DNS queries from desktop clients.
http://freshmeat.net/projects/netcat/?topic_id=150
Issues - UDP/53 Tunneling
Modern IDS/IDP systems can detect UDP tunneling
Layer 7-Aware sniffers can detect that while the traffic is going over UDP/53, the payload is decidedly not DNS
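The layer-7 check this slide refers to, written out as an added Python example (it is not part of the presentation or of the TVSG tool set): parse the DNS header and question section of a UDP/53 payload and reject anything that is not structurally DNS, which is exactly what a raw netcat stream on port 53 fails. The sample payloads, the build_query helper and the MAX_QUESTIONS threshold are constructed for this example.

```python
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
VALID_OPCODES = {0, 1, 2, 4, 5}         # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_QCLASSES = {1, 3, 4, 254, 255}    # IN, CH, HS, NONE, ANY
MAX_QUESTIONS = 8                       # constructed threshold; real stub resolvers send 1


def _parse_name(payload: bytes, offset: int) -> int:
    """Walk one wire-format name starting at offset and return the offset after it.
    Raises ValueError for anything a resolver would never emit."""
    total = 0
    while True:
        if offset >= len(payload):
            raise ValueError("name runs past end of payload")
        length = payload[offset]
        if (length & 0xC0) == 0xC0:                  # compression pointer ends the name
            if offset + 1 >= len(payload):
                raise ValueError("truncated compression pointer")
            return offset + 2
        if length & 0xC0:                            # 0x40/0x80 prefixes are reserved
            raise ValueError("reserved label type")
        offset += 1
        if length == 0:                              # root label terminates the name
            return offset
        total += length + 1
        if total > 255:
            raise ValueError("name longer than 255 bytes")
        label = payload[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        if not all(0x21 <= b < 0x7F for b in label):
            raise ValueError("non-printable byte in label")
        offset += length


def looks_like_dns(payload: bytes) -> tuple:
    """Return (True, reason) if payload is structurally a DNS message, else (False, why)."""
    if len(payload) < DNS_HEADER.size:
        return False, "shorter than a DNS header"
    _txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    if opcode not in VALID_OPCODES:
        return False, f"unknown opcode {opcode}"
    if flags & 0x0040:                               # reserved Z bit must be zero
        return False, "reserved Z bit set"
    if qd == 0 or qd > MAX_QUESTIONS:
        return False, f"implausible QDCOUNT {qd}"
    if qr == 0 and (an or ns):
        return False, "query carries answer/authority records"
    offset = DNS_HEADER.size
    try:
        for _ in range(qd):
            offset = _parse_name(payload, offset)
            if offset + 4 > len(payload):
                return False, "question truncated"
            qtype, qclass = struct.unpack_from("!HH", payload, offset)
            offset += 4
            if qtype == 0 or qclass not in VALID_QCLASSES:
                return False, f"bad QTYPE/QCLASS {qtype}/{qclass}"
    except ValueError as err:
        return False, str(err)
    # A query with no additional records must end right after its questions.
    if qr == 0 and ar == 0 and offset != len(payload):
        return False, "trailing bytes after question section"
    return True, "well-formed DNS"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a plain A query as a stub resolver would send it."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


# Constructed samples: one real lookup, one cleartext stream sent to port 53, one runt.
SAMPLES = {
    "stub resolver A query": build_query("www.example.com"),
    "cleartext over udp/53": b"cmd: status\n",
    "truncated header": b"\x12\x34\x01",
}


def classify(samples=SAMPLES) -> dict:
    """Run the check over every sample and return {label: (is_dns, reason)}."""
    return {label: looks_like_dns(data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, (ok, why) in classify().items():
        print(f"{'DNS  ' if ok else 'ALERT'} {label}: {why}")
```

The check only decides whether a payload is DNS at all; a tunnel that wraps its data in well-formed queries (the "Advanced DNS Tunneling" alternative on the next slide) passes it and needs different signals, such as query volume per client, label length and entropy, unusual QTYPEs, and regular timing.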
Tunneling Alternatives
Simple Port 80/HTTP Tunneling
Mask UPS requests in HTTP URL's
LP replies in HTML WebPages
Advanced DNS Tunneling
Mask UPS requests in DNS requests
LP replies in DNS replies
Malware Installation - DSniff
Many thanks to Dug Song for his excellent suite of Sniff/Snarf/Spy tools.
Minor tweak in the makefile for the Berkeley DB path and we were set!
http://www.monkey.org/~dugsong/dsniff/
What We Used - DSniff
macof - MAC address flooder - stuffs CAM table
dsniff - Cleartext authentication extractor
filesnarf - NFS interceptor
mailsnarf - Email interceptor
urlsnarf - URL interceptor
msgsnarf - Instant Messenger interceptor
Malware Installation - Nmap
Thanks Fyodor, you rock!
Comes as an RPM with Redhat 7.2, no installation really necessary
Awesome portscanning/host locating tool, used to detect permitted connectivity outbound through victim firewall
http://www.insecure.org/nmap/
Custom Scripts
A variety of Perl scripts were developed to handle UPS <-> Listening Post communications, command and control, including IP Address Mode, Active Scan Commands and Exfiltration Methods.
http://www.tvsg.org/ups
Custom Scripts
ups.pl - Master Control Script
Started as a service on UPS boot time and health checked by a cron job, this script is responsible for monitoring UPS-specific processes and initiating connections to the command queue server.
UPS Process Flow
Load Config
Configure Network
Auto-Identify Network (if Configured)
Confirm Network
Confirm/Update System Settings
Contact Listening Post
Get Commands
Process Commands
IP Modes
4 Different Methods of Configuring IP:
1. No IP Mode (Dumb Sniffer)
2. Fixed IP Mode (Good for Testing)
3. DHCP Mode (Not very Stealthy!)
4. Stealth IP Mode (Auto-find Subnet/Gateway)
Custom Scripts
netsnarf.pl
Required for IP Mode 4 – automatic network discovery
Watches the network for ARP requests and replies for network information to determine local network topography
Uses The Hacker’s Choice “R U There” (thcrut) to ARP scan IP’s on the same layer 2 segment
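Seen from the defender's side, what this slide describes is visible on the wire: a new MAC address appears on the segment, and then one sender asks for many IPs in quick succession. The following is an added Python example, not code from the presentation or from the TVSG scripts: a passive ARP monitor over captured Ethernet frames that alerts when a MAC is missing from an asset inventory and when one sender probes more than a threshold of distinct IPs inside a short window. The frame builder, inventory, addresses and thresholds are constructed for the example.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")             # dst mac, src mac, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")     # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def parse_arp(frame: bytes):
    """Return (src_mac, src_ip, target_ip, opcode) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa)), oper


class ArpMonitor:
    """Passive ARP watcher: alerts on MACs missing from the inventory and on ARP sweeps."""

    def __init__(self, inventory, window=5.0, scan_threshold=8):
        self.inventory = {m.lower() for m in inventory}
        self.window = window                 # seconds of request history kept per sender
        self.threshold = scan_threshold      # distinct targets within the window that count as a sweep
        self.requests = defaultdict(list)    # src_mac -> [(timestamp, target_ip)]
        self.reported_unknown = set()
        self.reported_scan = set()

    def observe(self, ts: float, frame: bytes) -> list:
        """Feed one frame with its capture timestamp; return any new alert strings."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        mac, spa, tpa, oper = parsed
        alerts = []
        if mac not in self.inventory and mac not in self.reported_unknown:
            self.reported_unknown.add(mac)
            alerts.append(f"unknown-mac {mac} claims {spa}")
        if oper == ARP_REQUEST:
            hist = self.requests[mac]
            hist.append((ts, tpa))
            hist[:] = [(t, ip) for t, ip in hist if ts - t <= self.window]   # drop old entries
            targets = {ip for _, ip in hist}
            if len(targets) >= self.threshold and mac not in self.reported_scan:
                self.reported_scan.add(mac)
                alerts.append(f"arp-sweep {mac} probed {len(targets)} hosts in {self.window:g}s")
        return alerts


def arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Constructed sample frame: broadcast 'who-has target_ip, tell src_ip'."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    eth = ETH_HDR.pack(b"\xff" * 6, sha, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REQUEST, sha, IPv4Address(src_ip).packed,
                       b"\x00" * 6, IPv4Address(target_ip).packed)
    return eth + arp


INVENTORY = {"00:11:22:33:44:55", "00:11:22:33:44:66"}   # constructed asset list


def run_demo() -> list:
    """Constructed capture: a known workstation resolving its gateway, then an
    unlisted device walking 10.0.0.1-20 at 100 ms intervals."""
    mon = ArpMonitor(INVENTORY)
    alerts = mon.observe(0.0, arp_request("00:11:22:33:44:55", "10.0.0.10", "10.0.0.1"))
    for i in range(1, 21):
        alerts += mon.observe(0.1 * i, arp_request("de:ad:be:ef:00:01", "10.0.0.250", f"10.0.0.{i}"))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The inventory check is the one that matters for a device in "No IP Mode": it never sends a packet with an IP address of its own, but it still has a MAC, and any ARP it emits (or any frame seen on a switch port, if you also collect port/MAC tables) exposes it.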
Custom Scripts
netcheck.pl
Uses nmap and host to probe Internet targets to verify external connectivity.
Nmap 3 popular websites (HTTP)
Unix ‘host’ command to 3 DNS Root Servers
Nmap to Listening Post on UDP/53
Custom Scripts
Various Shell Scripts
Other scripts for UPS process management, task automation, and other cool stuff...
Command and Control (network diagram; only the slide's labels survived extraction)
Corporate Network: UPS -> NAT/Firewall -> Internet: LP, over UDP/53 and TCP/80
Attacker -> LP over TCP/22 (SSH)
Custom Scripts
client.pl & server.pl
Remote command fetch system with DES encryption, randomly generated keys, and pre-shared key system.
Client connects at intervals controlled by the master control script to Server to check command queue for changes in configured behavior.
UPS Connectivity
2 Different Methods of Communicating:
1. UDP/53 (looks like DNS) beacon to config server
2. TCP/80 (looks like HTTP) reverse shell to LP
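Both channels share one property the deck names itself: the client connects "at intervals" to check the command queue. The corresponding detection, as an added Python example that is not part of the presentation, works over connection records such as firewall or NetFlow logs: group connections per (source, destination, port) and flag pairs whose gaps between connections are nearly constant, measured as the coefficient of variation of the gaps. The flow records, hosts and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, median, pstdev


def find_beacons(flows, min_count=6, max_cv=0.2) -> list:
    """flows: iterable of (timestamp_seconds, src, dst, dport) connection records.
    Returns one finding per (src, dst, dport) whose gaps between connections are
    nearly constant: coefficient of variation (stdev / mean) at or below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), stamps in by_pair.items():
        if len(stamps) < min_count:          # too few connections to call it periodic
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport, "count": len(stamps),
                             "period_s": round(median(gaps), 1), "cv": round(cv, 3)})
    return findings


def constructed_flows() -> list:
    """Constructed records in the shape a firewall or NetFlow export would give."""
    flows = []
    # Suspect: a host in the client subnet reaching an outside IP on udp/53
    # roughly every 300 s, with a few seconds of jitter.
    jitter = [0, 3, -2, 5, -4, 1, -3, 2, 0, 4, -1, 3]
    t = 0.0
    for j in jitter:
        t += 300 + j
        flows.append((t, "10.0.0.250", "203.0.113.5", 53))
    # Normal: a workstation querying the internal resolver whenever the user does something.
    for t in (5, 12, 90, 95, 96, 400, 1800, 1803, 2400, 2401, 3000, 3590):
        flows.append((float(t), "10.0.0.10", "10.0.1.2", 53))
    return flows


if __name__ == "__main__":
    for hit in find_beacons(constructed_flows()):
        print(f"beacon? {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"every ~{hit['period_s']}s ({hit['count']} connections, cv={hit['cv']})")
```

A fixed interval with small jitter is what a control script driven by a timer produces; an implant that randomizes its interval widely pushes the coefficient of variation above the threshold, so in practice this is combined with destination checks (a client talking DNS to anything but the internal resolver is already wrong) rather than used alone.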
Demonstration
Our demonstration will place the UPS behind a NAT device along with a victim PC
We will place a Listening Post outside the NAT and command our unit to monitor the user
We will then exfiltrate the captured data to the LP
Demonstration Lab (network diagram; only the slide's labels survived extraction)
Internal Network: Victim, Server, UPS, behind NAT/Firewall
External Network: LP, Attacker
Captured data shown on the slide: Username: Loser, Password: password; Email Data: Subject: Watch out for hackers!
How to Defeat?
Inspect all items entering the premises
Deny clients direct outward access (DNS, HTTP, ICMP, etc)
Require the use of internal servers for all services – HTTP, DNS, Mail, etc.
Use encrypted services like SSH, HTTPS, POP3S, SMTPS, or even IPSEC for internal as well as external traffic.
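The second and third items amount to an egress policy, and it is worth seeing that such a policy blocks both channels the UPS uses without any signature at all. As an added Python example (not from the presentation), here is the policy expressed as code and run against constructed flows: a client subnet may reach only the internal resolver, proxy and mail relay, and only those servers may initiate connections outward. Subnets, addresses, ports and the flow records are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed policy: clients reach only the internal resolver, proxy and mail relay;
# only those three servers may initiate connections to the outside.
CLIENT_NET = ip_network("10.0.0.0/24")
INTERNAL_NET = ip_network("10.0.0.0/8")
INTERNAL_SERVICES = {            # (server ip, port, proto) a client may use
    ("10.0.1.2", 53, "udp"),     # internal DNS resolver
    ("10.0.1.3", 3128, "tcp"),   # HTTP proxy
    ("10.0.1.4", 25, "tcp"),     # mail relay
}
EGRESS_HOSTS = {ip for ip, _port, _proto in INTERNAL_SERVICES}


def evaluate(flow: dict) -> tuple:
    """flow: {'src', 'dst', 'dport', 'proto'}. Returns (verdict, rule that decided it)."""
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    key = (str(dst), flow["dport"], flow["proto"])
    if src in CLIENT_NET:
        if key in INTERNAL_SERVICES:
            return "allow", "client->internal-service"
        return "deny", "client-default"          # no direct DNS/HTTP/anything outward
    if str(src) in EGRESS_HOSTS and dst not in INTERNAL_NET:
        return "allow", "server-egress"
    return "deny", "default"


# Constructed flows: two normal client flows, the resolver's own upstream query,
# and the two channels the UPS uses (udp/53 beacon, tcp/80 reverse shell).
SAMPLE_FLOWS = [
    {"src": "10.0.0.10",  "dst": "10.0.1.2",    "dport": 53,   "proto": "udp"},
    {"src": "10.0.0.250", "dst": "203.0.113.5", "dport": 53,   "proto": "udp"},
    {"src": "10.0.0.250", "dst": "203.0.113.5", "dport": 80,   "proto": "tcp"},
    {"src": "10.0.1.2",   "dst": "198.41.0.4",  "dport": 53,   "proto": "udp"},
    {"src": "10.0.0.10",  "dst": "10.0.1.3",    "dport": 3128, "proto": "tcp"},
]


def audit(flows=SAMPLE_FLOWS) -> list:
    """Return (src, dst, dport, verdict, rule) for each flow."""
    return [(f["src"], f["dst"], f["dport"]) + evaluate(f) for f in flows]


if __name__ == "__main__":
    for src, dst, dport, verdict, rule in audit():
        print(f"{verdict:5} {src} -> {dst}:{dport}  [{rule}]")
```

The denied client flows are also the ones worth logging: a host in the client range that keeps trying udp/53 or tcp/80 against an outside address is exactly the device this deck describes, and the log line is the detection.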
Questions?
Thanks for Attending…