Open Hardware for (software) offensive security
04 07 2018
[Open Hardware for (software) offensive security]-[Public]-[Final]-v[1-0]
Antoine CERVOISE

Who am I?
@acervoise
Pentester @NTT Security FR
Love open hardware

Previous talks
• Raspberry Spy
‒ (Rump) SSTIC 2013
‒ http://www.antoine-cervoise.fr/wp-content/uploads/2013/06/SSTIC-2013-Raspberry-Spy-Rump-A.-Cervoise.pdf
• Open hardware for "physical" password attacks
‒ RMLL 2015 / (Rump) GreHack 2015 / ESGI Security Day 2016 / Sthack 2016
‒ https://2015.rmll.info/materiel-libre-pour-attaques-physiques-sur-des-mots-de-passe?lang=en
• Teensy – Add a backdoor in USB
‒ BeeRump 2016
‒ https://www.rump.beer/2016/slides/Teensy_-_Introduire_une_porte_derobe_dans_un_peripherique_USB.pdf
• Unlock Android by emulating a keyboard and a mouse (FR)
‒ SSTIC 2016
‒ https://www.sstic.org/2016/presentation/unlock_android/
• Android Face Unlock bruteforce
‒ (Rump) SSTIC 2016
• Pocket Wi-Fi, PocketCHIP for Wi-Fi pentest
‒ ESGI Security Day 2017 / Sthack 2017 (rump)
• Ardui-no pown Android
‒ RMLLsec 2016 (rump)
‒ https://rmll.ubicast.tv/videos/rump-session_/

Contents
• My favorite toys
• A few words about hardware offsec
• What the hell is « software pentest »?
• Cases
• Pwn plug
• Wi-Fi
• I always wanted to be a Keyboard
• Ethernet
• Storage
• Mass storage emulation

My favorite toys

Toys’R’mine
Sources: Wikipedia

Toys’R’mine
Source: https://www.pjrc.com/teensy/

Toys’R’mine
Sources: https://www.arduino.cc/

Some other stuff
Source: https://getchip.com/pages/pocketchip

Hardware offsec

Hardware offsec - Goals
• Extract firmware
• Find secret/key
• Interact with the device (UART, SPI, I²C, CAN…)
• https://labs.portcullis.co.uk/blog/uart-debugging-rooting-an-ip-phone-using-uart/ (23/03/2018)

Hardware offsec – (some) Tools
• Bus Pirate (https://github.com/BusPirate/Bus_Pirate)
• Teensy (https://www.pjrc.com/teensy/)
• GoodFET (http://goodfet.sourceforge.net/)
• USB/UART (https://osmocom.org/projects/mv-uart/wiki)

« Software pentest »?

Software pentest
• Not hardware pentest
• Wi-Fi
• « Red team » / Physical
• Laptop/Desktop
• …

Software pentest
• Methodology
• Lots of ideas and tools on the Internet
• Specific to ONE hardware
• Adapt the wheel with what you have!

Cases / Tools – Pwn plug

Homemade pwn plug
• Raspberry Pi 3
• Can open a Wi-Fi access point
• PoE adaptor
• https://github.com/PiSupply/PiPoE
• 3G/4G access
Source: https://www.framboise314.fr/une-alimentation-poe-pour-le-raspberry-pi/

Homemade pwn plug
Hide the pwn plug
• Power strip
• A « Do not unplug » box on an MFP
• Under a desk

Network « tester »

Cases / Tools – Wi-Fi

Wi-Fi
Source: https://getchip.com/pages/pocketchip

Wi-Fi

Wi-Fi
Source: http://xtof.free.fr/wifi/ricore.html

Wi-Fi
Tools
• WiFite
‒ https://github.com/derv82/wifite2
‒ Tips: Wifite2 supports 5 GHz, Kali uses Wifite v2r87 ≠ Wifite2
• Mjolnir
‒ https://github.com/rasta-mouse/Mjolnir
• PocketWifi
‒ https://github.com/nttcomsecurity/PocketWifi
• WPS ?!
Homemade antenna
• Ricoré box
• http://xtof.free.fr/wifi/ricore.html (FR)
• Pringles box
• https://repo.zenk-security.com/Protocoles_reseaux_securisation/Comment%20fabriquer%20une%20antenne%20Wifi%20soi%20meme,%20facilement%20et%20surtout%20pas%20cher.pdf (FR)

Wi-Fi
Make your own stuff
Source: https://twitter.com/elkentaro/status/1012156297104494592

Cases / Tools – Keyboard (payload)

Source: https://imgflip.com/i/2d5wvw

Keyboard
• Layout issue
Sources: Wikipedia

Keyboard – Layout issue
Solved on Teensy
No solution for Arduino
On Raspberry Pi, QWERTY is already painful
Call for contributions
• Implement the Teensy way of choosing the layout for Arduino
• Work on an RPi lib to make keyboard use easier

Fake MP3 Player

Keyboard

Mouse

How to proceed?
• Find your target
• Look for good components
• Destroy them
• Retry
Sources: http://www.dx.com

More ideas
Sources: www.slashgear.com, www.buldoz.com, www.mademoiselle-bio.com, www.communiplace.fr

More ideas
Source: gamebuino.com

Detect unlocking
When CAPS LOCK is disabled, ALL keyboards are updated
• Enable CAPS LOCK
• Detect CAPS UNLOCK
• Wait a few seconds
• Send payload

Add remote control
https://github.com/nttcomsecurity/RemoteTeensy

Add remote control
https://github.com/whid-injector/WHID
https://github.com/mame82/P4wnP1

Software
• Teensy scripts
• https://github.com/samratashok/Kautilya
• Add feedback using special keys and SD card
• https://github.com/offensive-security/hid-backdoor-peensy
• Convert Rubber Ducky to Arduino
• https://github.com/whid-injector/Dckuino.js
• Raspberry Pi Zero framework
• https://dantheiotman.com/2017/09/15/p4wnp1-the-pi-zero-based-usb-attack-platform/

Cases / Tools – Keyboard (bruteforce)

Hardware Bruteforce Framework – V1

Hardware Bruteforce Framework – V2

Hardware Bruteforce Framework – V2
Bruteforce:
• (old) Android PIN code/password/pattern
• BIOS/UEFI password
• Boot encryption password/PIN code
• Parental code on Freebox TV
• https://github.com/cervoise/Hardware-Bruteforce-Framework-2

Hardware Bruteforce Framework – V2
Work in progress:
• Use an RPi Zero
• No more SPI, only a Raspberry
• No capture through a webcam possible
• Improve video capture using HDMI/Ethernet
• Source: Visualisez, enregistrez ou transmettez la sortie HDMI de votre Pi – Hackable 23
• Not working on phones, but the attack is not possible anymore on Android

Cases / Tools – Ethernet

PoisonTap
• Emulates an Ethernet device over USB (or Thunderbolt)
• Hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
• https://github.com/samyk/poisontap

Cases / Tools – Storage 1

USB restriction bypass

USB restriction bypass

USB restriction bypass
Teensy 2: https://web.archive.org/web/20120401015600/http://renosite.com/
Call for contribution
• Emulate CD/DVD burner / Floppy Drive / Tape Drives with a Teensy 3.X

Cases / Tools – Storage 2

Leaky Storage
Components:
• Teensy 2
• SD adaptor
• 3.3 Volt regulator
• ESP8266
Price: 16 $ + 8 $ + 1 $ + 4 $ = 29 $
DIY:
• Micro USB to USB
• Case

LeakyStorage
https://github.com/nttcomsecurity/LeakyStorage

LeakyStorage - Issue

LeakyStorage
Evolution: migrate to Teensy 3.X
• More storage (for sketch)
Ideas:
• Use GSM/3G (and hide them all in a fake portable hard drive)

Cases / Tools – Storage 3

Desktop.ini
Put a Desktop.ini file with an SMB ref on a USB stick
Use the keyboard function to emulate autorun
Source (for Responder over desktop.ini):
https://threat.tevora.com/usb-drives-desktop-ini-and-ntlm-hashes/
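
A defender-side check for the Desktop.ini slide above, added here and not part of the talk: it walks a mounted USB volume and reports every desktop.ini value that names a remote host (a UNC path or a file:// URL with a host). The function names, the `ExampleKey` key and the 192.0.2.10 documentation address are constructed for illustration.

```python
"""Flag desktop.ini files on a mounted volume whose values point at a remote host."""
import os
import re
import tempfile

MAX_BYTES = 64 * 1024  # desktop.ini files are tiny; never read more than this

# \\host\share (UNC) or file://host/... ; \\?\ and \\.\ are local device paths.
REMOTE_REF = re.compile(
    r"(?:\\\\(?![?.]\\)[^\\/\s]+[\\/]|file:/{2}[^/\s]+/)", re.IGNORECASE
)


def decode_ini(raw: bytes) -> str:
    """desktop.ini is frequently UTF-16 with a BOM; fall back to a 1:1 byte decode."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8", errors="replace")
    return raw.decode("latin-1")


def remote_refs(text: str):
    """Return (section, key, value) for every key whose value names a remote host."""
    hits, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and REMOTE_REF.search(value):
            hits.append((section, key.strip(), value.strip()))
    return hits


def scan_volume(root: str):
    """Walk root and return sorted (relative path, section, key, value) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":  # the name is case-insensitive on FAT/NTFS
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(MAX_BYTES)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            for section, key, value in remote_refs(decode_ini(raw)):
                findings.append((os.path.relpath(path, root), section, key, value))
    return sorted(findings)


def demo():
    """Build a constructed sample volume (one benign file, one suspect) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Docs"))
        os.makedirs(os.path.join(root, "Photos"))
        benign = "[.ShellClassInfo]\r\nIconResource=%SystemRoot%\\system32\\imageres.dll,-3\r\n"
        # Constructed sample: the scanner does not care which key carries the reference.
        suspect = "[.ShellClassInfo]\r\nExampleKey=\\\\192.0.2.10\\share\\icon.ico\r\n"
        with open(os.path.join(root, "Docs", "desktop.ini"), "wb") as fh:
            fh.write(benign.encode("utf-8"))
        with open(os.path.join(root, "Photos", "Desktop.ini"), "wb") as fh:
            fh.write(suspect.encode("utf-16"))  # BOM-prefixed UTF-16
        return scan_volume(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run `scan_volume()` against the stick mounted on an analysis host, before the volume is opened in a file manager.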

Conclusion

Conclusion
Attacker side
• Think out of the box
• Put everything together
• Do not blindly follow online tutorials
Defender side
• Unknown hardware is a threat
• Screwdriver is your best investigation tool
2018
Thank you