Hacking and Forensics on the Go Philip A. Polstra, Sr. @ppolstra [email protected] http://ppolstra.blogspot.com

Hacking and Forensics on the Go - 44CON 2012

DESCRIPTION

Philip A. Polstra presents Hacking and Forensics on the Go at 44CON 2012 in London, September 2012.


Page 1: Hacking and Forensics on the Go - 44CON 2012

Hacking and Forensics on the Go

Philip A. Polstra, Sr.

@ppolstra

[email protected]

http://ppolstra.blogspot.com

Page 2: Hacking and Forensics on the Go - 44CON 2012

What is this talk about?

● Hacking and/or forensics with small, low-power devices

● ARM-based Beagleboard & Beaglebone running full suite of security/forensics tools

● Porting tools to a new platform

● USB forensics (now at high speed!!)

Page 3: Hacking and Forensics on the Go - 44CON 2012

Why You Should Care

● A full set of tools that can fit in a child's lunch box

● A full-featured Linux install for flexibility

● Low-power devices can run for days or weeks on battery power

● Small devices can be planted for later retrieval

● Did I mention high-speed USB?

Page 4: Hacking and Forensics on the Go - 44CON 2012

Who is this handsome man with the sexy accent anyway?

● If you were at last year's 44Con & you don't know, you partied much too hard Thursday night

● For the rest of you:

– Professor at a medium size (1800 student) private university in Dubuque, Iowa

– Programming from age 8

– Hacking hardware from age 12

– Also known to fly and build airplanes

Page 5: Hacking and Forensics on the Go - 44CON 2012

Roadmap

● Choosing a platform

● Selecting a base OS

● Building a base system

● The easy part – leveraging repositories

● The slightly harder part – building tools

● Building your own accessories

● Demonstrations

● Future directions

Page 6: Hacking and Forensics on the Go - 44CON 2012

Choosing a Platform

● Small

● Low-power

● Affordable

● Mature

● Networking built in

● Good USB support

● Convenient input and output

Page 7: Hacking and Forensics on the Go - 44CON 2012

And the Winning Platform is...

● Beagleboard

– 3.25” square

– <10 Watts

– £125 (or buy in USA for only $149)

– Based on Cortex A8

– 100 Mbs Ethernet built in

– 4 high-speed USB plus USB-on-the-go

– DVI-D, S-video, and LCD output

– RS-232, webcam, audio, and microSD

Page 8: Hacking and Forensics on the Go - 44CON 2012

Beagleboard

Page 9: Hacking and Forensics on the Go - 44CON 2012

Selecting a Base OS

● Angstrom comes in the box

– Optimized for hardware

– Nice package management

– Poor repository support for our purposes

● Ubuntu is available

– Backtrack is based on Ubuntu

– Ubuntu is very popular

– Good repository and community support

Page 10: Hacking and Forensics on the Go - 44CON 2012

Building a Base Device

● Upgrade to 16GB microSD (8GB would work, but go big)

● Download an image for microSD card

– Canonical image or

– Robert C. Nelson demo images

– I used Nelson's because they are tweaked for Beagleboard and updated frequently

● Good instructions available at http://elinux.org/BeagleBoardUbuntu

Page 11: Hacking and Forensics on the Go - 44CON 2012

The Easy Part – Using Repositories

● Many of the tools we want are available in the standard Ubuntu repositories

● Some are also available as .deb files

– Packages written in interpreted languages (Java, Python, PERL, Ruby) usually work out of the box

– C-based packages depend on libraries that may or may not be available/installed

Page 12: Hacking and Forensics on the Go - 44CON 2012

The Harder Part – Building Your Own Tools

● Native or cross-compile?

● Native

– Straightforward

– Can be slow on 1GHz ARM with 512 MB RAM

● Cross-compile

– A bit more complicated

– Take advantage of multi-core desktop with plenty of RAM

Page 13: Hacking and Forensics on the Go - 44CON 2012

Native Compilation

● “sudo apt-get install build-essential” is about all you need to be on your way

● Something to keep in mind if you SSH in and use DHCP: Ethernet on the board goes through a USB chipset whose MAC address varies from one boot to the next, so DHCP hands out a different address each time

Page 14: Hacking and Forensics on the Go - 44CON 2012

Cross-Compile Method 1

● Download a toolchain “wget http://angstrom-distribution.org/toolchains/angstrom-<ver>-armv7a...”

● Untar toolchain “tar -xf angstrom-<ver>-armv7a-linux-gnueabi-toolchain.tar.bz2 -C”

● Setup build environment “. /usr/local/angstrom/arm/environment-setup”

● Download source

● Configure with “./configure --host=arm-angstrom-linux-gnueabi --prefix=/home/...”

● Build with “make && sudo make install”

● Copy binaries to BB-xM

● Could have problems if there is a kernel mismatch between setup and what is installed to BB-xM
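An added check for the last step, not from the slides: a POSIX shell helper that confirms a cross-compiled binary is really an ELF32 little-endian ARM executable (what the armv7a toolchain should emit) before it is copied to the BB-xM. It reads the ELF header with od, so it needs no readelf on the build host; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the slides): check a cross-compiled binary before copying it
# to the BB-xM. The Angstrom armv7a toolchain should produce ELF32, little-endian,
# e_machine 0x28 (ARM); a host binary built by mistake fails this check.

# 16-bit e_machine field at offset 18, printed as big-endian hex, e.g. "0028".
elf_machine() {
    od -An -tx1 -j18 -N2 "$1" | awk '{ printf "%s%s", $2, $1 }'
}

# EI_CLASS at offset 4: "01" = ELF32, "02" = ELF64.
elf_class() {
    od -An -tx1 -j4 -N1 "$1" | tr -d ' \n'
}

# EI_DATA at offset 5: "01" = little-endian, "02" = big-endian.
elf_data() {
    od -An -tx1 -j5 -N1 "$1" | tr -d ' \n'
}

# Returns 0 if the file is an ELF32 little-endian ARM binary, 1 otherwise.
is_arm32_elf() {
    f="$1"
    [ "$(od -An -tx1 -N4 "$f" | tr -d ' \n')" = "7f454c46" ] || return 1
    [ "$(elf_class "$f")" = "01" ] || return 1
    [ "$(elf_data "$f")" = "01" ] || return 1
    [ "$(elf_machine "$f")" = "0028" ]
}

# Usage: sh check-arm-elf.sh <binary>...; exits non-zero if any file fails.
status=0
for f in "$@"; do
    if is_arm32_elf "$f"; then
        echo "$f: ARM32 ELF, ok to copy to BB-xM"
    else
        echo "$f: NOT an ARM32 ELF (class $(elf_class "$f"), machine $(elf_machine "$f"))" >&2
        status=1
    fi
done
[ $# -eq 0 ] || exit "$status"
```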

Page 15: Hacking and Forensics on the Go - 44CON 2012

Cross-Compile Method 2

● Install a toolchain as in Method 1

● Install Eclipse

● Install C/C++ Development Tools in Eclipse

● Download software

● Use makefile to create Eclipse project

● Create a Build Configuration in Eclipse

● Compile

● Move binaries to BB-xM

Page 16: Hacking and Forensics on the Go - 44CON 2012

Create a Project from the Makefile

● Can have a makefile based project

– Simple

– Requires slight modification of makefile

● Can use makefile to create Eclipse project

– Slightly more involved

– Dependencies and special compile flags can be divined from makefile

– More flexible if you want to make modifications

Page 17: Hacking and Forensics on the Go - 44CON 2012

Create a Build Configuration

● Right-click project in Project Explorer, select Build Configurations->Manage

● Click New to create new configuration

● Set the paths to point to cross-compilation tools for installed toolchain

– Set compiler, linker, and assembler commands

– Set include and library paths

– Good tutorial on http://lvr.com

Page 18: Hacking and Forensics on the Go - 44CON 2012

Cross-Compile Method 3

● Same as Method 2, but with the addition of remote debugging

● Has advantage of easy transfer of binaries

● In Eclipse under Mobile Development add

– C/C++ DSF GDB Debugger Integration

– C/C++ Remote Launch

– Remote System Explorer End-User Runtime

– Remote System Explorer User Actions

Page 19: Hacking and Forensics on the Go - 44CON 2012

Cross-Compile Method 3 (contd.)

● Create /etc/hosts entry for BB-xM IP

● On BB-xM install SSH & GDBServer

– “sudo apt-get install ssh”

– “sudo apt-get install gdbserver”

● Manually SSH to BB-xM to make sure it works and to set up key cache

● In Eclipse create a connection

● Create .gdbinit file

● Create debug configuration

Page 20: Hacking and Forensics on the Go - 44CON 2012

Create a Connection

● Open Remote System Explorer view

● Select Connection->New->Linux

● Use BB-xM IP with options ssh.files, processes.shell.Linux, ssh.shells, and ssh.terminals

● After creating connection enter IP, user, and password under properties

Page 21: Hacking and Forensics on the Go - 44CON 2012

Create .gdbinit

● Change to the directory with your source code

● “touch .gdbinit”

● Go forth and have fun

Page 22: Hacking and Forensics on the Go - 44CON 2012

Create Debug Configuration

● Run->Debug Configurations->C/C++ Remote Configurations

● Main tab – set configuration

● Set remote absolute path

● Commands to execute before: “chmod 777”

● Set path to GDB debugger

● Set the GDB port to an appropriate value

Page 23: Hacking and Forensics on the Go - 44CON 2012

Building Your Own Hardware Accessories

Page 24: Hacking and Forensics on the Go - 44CON 2012

Demo 1 - Hardware

Page 25: Hacking and Forensics on the Go - 44CON 2012

Demo 1 - Hardware

Page 26: Hacking and Forensics on the Go - 44CON 2012

Demo 1 – Chris John Riley

Page 27: Hacking and Forensics on the Go - 44CON 2012

Demo 1 (contd.)

Page 28: Hacking and Forensics on the Go - 44CON 2012

Demo 1 (contd.)

Page 29: Hacking and Forensics on the Go - 44CON 2012

Demo 2 – Wifi Cracking

Page 30: Hacking and Forensics on the Go - 44CON 2012

Demo 2 (contd.)

Page 31: Hacking and Forensics on the Go - 44CON 2012

Demo 2 (contd.)

Page 32: Hacking and Forensics on the Go - 44CON 2012

Demo 3 – Password Cracking

Page 33: Hacking and Forensics on the Go - 44CON 2012

Demo 4 – WPS Cracking

Page 34: Hacking and Forensics on the Go - 44CON 2012

Demo 4 (contd.)

Page 35: Hacking and Forensics on the Go - 44CON 2012

Demo 5 – Pwn Win7 Like It's a Mac

Page 36: Hacking and Forensics on the Go - 44CON 2012

Demo 5 (contd.)

Page 37: Hacking and Forensics on the Go - 44CON 2012

Demo 6 – Clickiddies™

Page 38: Hacking and Forensics on the Go - 44CON 2012

WTF – I thought you said there would be forensics in this talk!

Page 39: Hacking and Forensics on the Go - 44CON 2012

USB Forensics – Now at High Speed!!

● Use a magical USB hub

– Everything connected to magic hub automatically mounted read only

– Everything not connected to the magic hub is mounted normally (probably with a prompt, etc.)

● Initially wanted to dive in and hack USB drivers

– But there is a better way! ...

Page 40: Hacking and Forensics on the Go - 44CON 2012

Enter Udev Rules

● Udev rules allow you to handle what happens when devices are connected, disconnected, etc.

● Every block device connected downstream of magic hub (parent with appropriate VID/PID) is automatically mounted read only

● Suitable for hard disks and ANYTHING that can be mounted via USB

Page 41: Hacking and Forensics on the Go - 44CON 2012

Udev Rules Reali(z|s)ed

● In /etc/udev/rules.d/10-protectedmt.rules

# "add" of a partition (sd?[1-9]) whose parent chain includes the magic hub (ATTRS walks up to ancestors, here VID 1a40 / PID 0101): flag it for a read-only mount and generate the mount script
ACTION=="add", SUBSYSTEM=="block", KERNEL=="sd?[1-9]", ATTRS{idVendor}=="1a40", ATTRS{idProduct}=="0101", ENV{PHIL_MOUNT}="1", ENV{PHIL_DEV}="%k", RUN+="/etc/udev/scripts/test.sh %k"

# "remove" of the same partition: flag it for unmount and generate the unmount script
ACTION=="remove", SUBSYSTEM=="block", KERNEL=="sd?[1-9]", ATTRS{idVendor}=="1a40", ATTRS{idProduct}=="0101", ENV{PHIL_UNMOUNT}="1", RUN+="/etc/udev/scripts/test3.sh %k"

# Flagged partitions are hidden from udisks and never auto-mounted; the generated test2.sh mounts them read-only instead
ENV{PHIL_MOUNT}=="1", ENV{UDISKS_PRESENTATION_HIDE}="1", ENV{UDISKS_AUTOMOUNT_HINT}="never", RUN+="/etc/udev/scripts/test2.sh"

# Everything not behind the magic hub keeps the normal udisks behaviour
ENV{PHIL_MOUNT}!="1", ENV{UDISKS_PRESENTATION_HIDE}="0", ENV{UDISKS_AUTOMOUNT_HINT}="always"

# On removal run the generated unmount script
ENV{PHIL_UNMOUNT}=="1", RUN+="/etc/udev/scripts/test4.sh"

Page 42: Hacking and Forensics on the Go - 44CON 2012

Udev Rules Scripts

● /etc/udev/scripts/test.sh

#!/bin/bash
# $1 is the kernel name (%k, e.g. sdb1) passed from the "add" rule;
# this script generates test2.sh, which the ENV{PHIL_MOUNT}=="1" rule then runs
echo "#!/bin/bash" > /etc/udev/scripts/test2.sh
echo "mkdir /media/$1" >> /etc/udev/scripts/test2.sh
echo "chmod 777 /media/$1" >> /etc/udev/scripts/test2.sh
echo "/bin/mount /dev/$1 -o ro,noatime /media/$1" >> /etc/udev/scripts/test2.sh
chmod +x /etc/udev/scripts/test2.sh

Page 43: Hacking and Forensics on the Go - 44CON 2012

Udev Rules Scripts (contd.)

● /etc/udev/scripts/test3.sh

#!/bin/bash
# $1 is the kernel name (%k) passed from the "remove" rule;
# this script generates test4.sh, which the ENV{PHIL_UNMOUNT}=="1" rule then runs
echo "#!/bin/bash" > /etc/udev/scripts/test4.sh
echo "/bin/umount /dev/$1" >> /etc/udev/scripts/test4.sh
echo "rmdir /media/$1" >> /etc/udev/scripts/test4.sh
chmod +x /etc/udev/scripts/test4.sh
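An added alternative to the test.sh/test2.sh pair (example code, not the slides' own): one POSIX shell helper, with the hypothetical name protected-mount.sh, that the "add" rule could call directly with %k. It mounts the partition read-only, adds noexec/nodev/nosuid (not in the original), and then confirms from /proc/mounts that the kernel really holds the mount read-only, unmounting again if it does not.

```shell
#!/bin/sh
# Added example (not from the slides): would be called from the udev "add" rule as
#   RUN+="/etc/udev/scripts/protected-mount.sh %k"   (hypothetical script name)
# Mounts the partition read-only and verifies from the mount table that it really is
# read-only, so a silent fall-back to a writable mount cannot go unnoticed.

MEDIA_ROOT="${MEDIA_ROOT:-/media}"

# Build the mount command for a partition name such as sdb1. "ro" is the write
# block; noexec,nodev,nosuid are added so evidence media can't execute anything.
mount_cmd() {
    printf '/bin/mount -o ro,noatime,noexec,nodev,nosuid /dev/%s %s/%s' "$1" "$MEDIA_ROOT" "$1"
}

# Returns 0 if /dev/<partition> appears in the mount table (default /proc/mounts,
# or a file given as $2 for testing) with "ro" among its mount options.
is_mounted_ro() {
    awk -v d="/dev/$1" '
        $1 == d { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { if (found) exit 0; exit 1 }' "${2:-/proc/mounts}"
}

# Mount, then verify; on any failure unmount again so nothing stays attached writable.
protected_mount() {
    dev="$1"
    mkdir -p "$MEDIA_ROOT/$dev" || return 1
    eval "$(mount_cmd "$dev")" || return 1
    if ! is_mounted_ro "$dev"; then
        /bin/umount "/dev/$dev"
        return 1
    fi
    logger -t protected-mount "mounted /dev/$dev read-only at $MEDIA_ROOT/$dev"
}

# udev passes the kernel name (%k) as the first argument.
if [ $# -ge 1 ]; then
    protected_mount "$1"
fi
```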

Page 44: Hacking and Forensics on the Go - 44CON 2012

Future Directions

● Continue to add useful packages as need arises

● Optimize some packages for BB-xM

● Other output devices

● Port to BeagleBone

● Custom printed case

● Associate with a standard pentest distro

● Port to another platform

Page 45: Hacking and Forensics on the Go - 44CON 2012

Questions?