Transcript UPS
UPS
The Undetectable Packet Sniffer
Tri Valley Security Group
www.tvsg.org/ups
Introducing the TVSG Dev Team
AutoNiN – Software, Team Lead
Spyder~1 – Hardware
Mystic – Integration
JustaBill – Organization
Tri Valley Security Group
www.tvsg.org/ups
Concept
Place a stealthed hostile packet sniffer on a
victim network. Physical concealment
is to hide in plain sight - posing as an
Uninterruptible Power Supply (UPS).
Network concealment involves clandestine
exfiltration methods like Auto-IP Detection
and encrypted UDP tunneling.
Tri Valley Security Group
www.tvsg.org/ups
Caveat - Prototype
Unit presented today is a prototype (mk II)
unit demonstrating basic concepts. Unit is
really not "Undetectable" but should be
difficult to detect, even in its nascent state.
Additional hardware and software features
are being researched to further decrease
detectibility and increase attack
effectiveness.
Tri Valley Security Group
www.tvsg.org/ups
Undetectable?
Not really…
Takes advantage of today’s overworked,
under-resourced, over-managed and
under-trained Information Technology staff
Completely blocked by proxies (but we’ll
fix that soon enough!)
Tri Valley Security Group
www.tvsg.org/ups
Overview
Introduction
Integration
Hardware
Software
Practical Demonstration
Questions & Answers
Tri Valley Security Group
www.tvsg.org/ups
Integration
Overarching Goal – Stealth:
Tried to maintain 'Stock' look as much as
possible.
Tri Valley Security Group
www.tvsg.org/ups
Hardware Requirements
486 or Higher CPU
64Mb or More RAM
1Gb or More Hard Drive
No moving parts
Small form factor
Integrated network
Most Important: Cheap!
Tri Valley Security Group
System Components
UPS Chassis
Power Supply
Embedded Computer
Network Hub
www.tvsg.org/ups
Tri Valley Security Group
www.tvsg.org/ups
Physical Components
Embedded
PC
Supply
Power
110v AC
5v DC
Ethernet
Hub
Chassis
RJ-45’s
In
Out
Tri Valley Security Group
www.tvsg.org/ups
UPS Chassis
Tried several UPS Chassis before we
found one that worked well
Tri Valley Security Group
www.tvsg.org/ups
Power Supply
Needed to convert the 110v AC provided
by the wall to 3.3v, 5v, and/or 12v DC
needed by the other components in the
system. Most UPS power supplies are
trickle-charge systems that cannot
produce enough power to run our covert
system.
Tri Valley Security Group
www.tvsg.org/ups
Variety of Embedded Systems
Older, Slower, Larger Systems are the
Cheapest
Popular Embedded Manufacturers:
http://www.advantech.com
http://www.kontron.com
http://www.ampro.com
http://www.emj.com
Tri Valley Security Group
www.tvsg.org/ups
Our Selected Mainboard:
Kontron's Coolmonster:
Pentium-166 with passive cooling heatsink
128MB PC-100 SDRAM
44-Pin IDE Channel for temporary CD-ROM Drive
40-Pin IDE Channel for 2.5" 2GB Laptop Hard Drive
Single 10/100 Ethernet port
PS/2 Keyboard & Mouse ports, VGA Port
PISA Interface (bus expansion)
Tri Valley Security Group
www.tvsg.org/ups
Network Hub
Our embedded system had only 1 Ethernet
port, so we could not bridge two interfaces
together. For simplicity's sake, we ripped
a 10/100 hub out of its case and placed it
inside ours. Runs off 5v DC, just like the
embedded PC.
Tri Valley Security Group
www.tvsg.org/ups
Network Connections
Repeater hub connected to both wall and
client RJ45 jacks. Embedded PC also
connected to hub.
Good: Client can still access network even if
UPS is booting or down
Bad: Can't do Proxy-ARP attacks, client sees
all UPS traffic
Ugly: Either way, client gets Ethernet 'Link'
from the UPS, which is odd
Tri Valley Security Group
www.tvsg.org/ups
Software
OS is Redhat 7.2 patched & stripped
Custom Perl and Shell Scripts
Additional Malware added:
NetCat by Hobbit & Weld
dSniff by Dug Song
Nmap by Fyodor
thcrut by The Hacker’s Choice
Tri Valley Security Group
www.tvsg.org/ups
Malware Installation - NetCat
Many thanks to Hobbit & Weld for this incredibly
versatile tool.
Used for UPS <-> Listening Post
Communications.
Default configuration sends it over UDP port 53
to exploit firewall rules that permit outbound
DNS queries from desktop clients.
http://freshmeat.net/projects/netcat/?topic_id=150
Tri Valley Security Group
www.tvsg.org/ups
Issues - UDP/53 Tunneling
Modern IDS/IDP systems can detect UDP
tunneling
Layer 7-Aware sniffers can detect that
while the traffic is going over UDP/53, the
payload is decidedly not DNS
Tri Valley Security Group
Tunneling Alternatives
Simple Port 80/HTTP Tunneling
Mask UPS requests in HTTP URL's
LP replies in HTML WebPages
Advanced DNS Tunneling
Mask UPS requests in DNS requests
LP replies in DNS replies
www.tvsg.org/ups
Tri Valley Security Group
www.tvsg.org/ups
Malware Installation - DSniff
Many thanks to Dug Song for his excellent
suite of Sniff/Snarf/Spy tools.
Minor tweak in the makefile for the
Berkeley DB path and we were set!
http://www.monkey.org/~dugsong/dsniff/
Tri Valley Security Group
www.tvsg.org/ups
What We Used - DSniff
macof - MAC address flooder - stuffs CAM
table
dsniff - Cleartext authentication extractor
filesnarf - NFS interceptor
mailsnarf - Email interceptor
urlsnarf - URL interceptor
msgsnarf - Instant Messenger interceptor
Tri Valley Security Group
www.tvsg.org/ups
Malware Installation - Nmap
Thanks Fyodor, you rock!
Comes as an RPM with Redhat 7.2, no
installation really necessary
Awesome portscanning/host locating tool, used
to detect permitted connectivity outbound
through victim firewall
http://www.insecure.org/nmap/
Tri Valley Security Group
www.tvsg.org/ups
Custom Scripts
A variety of Perl scripts were developed to
handle UPS <-> Listening Post
communications, command and control,
including IP Address Mode, Active Scan
Commands and Exfiltration Methods.
http://www.tvsg.org/ups
Tri Valley Security Group
www.tvsg.org/ups
Custom Scripts
ups.pl - Master Control Script
Started as a service on UPS boot time and
health checked by a cron job, this script is
responsible for monitoring UPS-specific
processes and initiating connections to the
command queue server.
Tri Valley Security Group
www.tvsg.org/ups
UPS Process Flow
Load Config
Configure Network
Auto-Identify Network (if Configured)
Confirm Network
Confirm/Update System Settings
Contact Listening Post
Get Commands
Process Commands
Tri Valley Security Group
www.tvsg.org/ups
IP Modes
4 Different Methods of Configuring IP:
1. No IP Mode (Dumb Sniffer)
2. Fixed IP Mode (Good for Testing)
3. DHCP Mode (Not very Stealthy!)
4. Stealth IP Mode (Auto-find Subnet/Gateway)
Tri Valley Security Group
www.tvsg.org/ups
Custom Scripts
netsnarf.pl
Required for IP Mode 4 – automatic
network discovery
Watches the network for ARP requests
and replies for network information to
determine local network topography
Uses The Hacker’s Choice “R U There”
(thcrut) to ARP scan IP’s on the same
layer 2 segment
Tri Valley Security Group
www.tvsg.org/ups
Custom Scripts
netcheck.pl
Uses nmap and host to probe Internet
targets to verify external connectivity.
Nmap 3 popular websites (HTTP)
Unix ‘host’ command to 3 DNS Root Servers
Nmap to Listening Post on UDP/53
Tri Valley Security Group
www.tvsg.org/ups
Custom Scripts
Various Shell Scripts
Other scripts for UPS process
management, task automation, and other
cool stuff...
Tri Valley Security Group
www.tvsg.org/ups
Command and Control
Internet
LP
UDP/53
NAT/Firewall
Corporat
e
Network
TCP/80
TCP/22
(SSH)
Attacker
UPS
Tri Valley Security Group
www.tvsg.org/ups
Custom Scripts
client.pl & server.pl
Remote command fetch system with DES
encryption, randomly generated keys, and
pre-shared key system.
Client connects at intervals controlled by
the master control script to Server to
check command queue for changes in
configured behavior.
Tri Valley Security Group
www.tvsg.org/ups
UPS Connectivity
2 Different Methods of Communicating:
1. UDP/53 (looks like DNS) beacon to config
server
2. TCP/80 (looks like HTTP) reverse shell to LP
Tri Valley Security Group
www.tvsg.org/ups
Demonstration
Our demonstration will place the UPS
behind a NAT device along with a victim
PC
We will place a Listening Post outside the
NAT and command our unit to monitor the
user
We will then exfiltrate the captured data to
the LP
Tri Valley Security Group
www.tvsg.org/ups
Demonstration Lab
Server
External Network
NAT/Firewall
Server
Internal
Network
UPS
Victim
Username: Loser
Password: password
Email Data:
Subject: Watch out
for hackers!
LP
Attacker
Tri Valley Security Group
www.tvsg.org/ups
How to Defeat?
Inspect all items entering the premises
Deny clients direct outward access (DNS,
HTTP, ICMP, etc)
Require the use of internal servers for all
services – HTTP, DNS, Mail, etc.
Use encrypted services like SSH, HTTPS,
POP3S, SMTPS, or even IPSEC for
internal as well as external traffic.
Tri Valley Security Group
www.tvsg.org/ups
Questions?
Thanks for Attending…