Security & “Ethical Hacking”
Luke Arntson
Central Washington University
Spring 2007
Presentation #4 – Hardware Hacking & Cracking



News Flash!! 5-1-07
Digg.com was taken over last night by what some are calling a “digital riot”. The demand for freedom of speech and the DMCA order to remove the HD-DVD unlock key have spawned a massive retaliation on the website. Literally 40,000 stories have spawned about the key, including the key itself in direct text.

Introduction
Hardware is just as important as software
Hands-on means you can break it... permanently
What fun would equipment be if it only had one purpose?

About Me

Overview
Cracking WEP/WPA on a Router
Bluetooth Sniffing/Snarfing/Hijacking
Magnetic Strip Reading for < $5
RFID Reading & Writing
Console Hacking (brief)
Arcade Building (very very brief)

Cracking WEP / WPA
Every modern-day router comes with an encryption option
WEP & WPA are both vulnerable
WEP requires many IVs from the source
WPA requires one 4-way handshake

Cracking WEP - Tools
Let’s crack a 128-bit WEP key!
Linux tools used: gkismet, aireplay, & aircrack. (NG versions work fine.)
Optional tools: void11_hopper/void11_penetration for Prism-based chipsets.
Backtrack is a free LiveCD that supplies all the listed tools & has a hard drive install option

Setup Card & Begin Scan
First, you need to scan for a victim & set up your card. For Atheros cards, Kismet detects them automatically; for others you will need to edit Kismet’s config.
Once you know the BSSID & channel you need, set your network card to Monitor mode like so:
iwconfig ath0 mode Monitor channel 6

Begin Dumping & Injecting
Use airodump to record all of the IVs you’ll need to crack
Use aireplay to inject a mass quantity of packets to get new IVs to use to crack the key.
You’ll need at least 100,000 IVs to crack a 128-bit WEP key; generally 200-300k is good.

Aircrack, WEP cracking tool
Aircrack is a very fast WEP cracker that has many nice options.
aircrack -f 4 -q 0 myFile.cap
Wait patiently until Aircrack tells you it’s found the key; this can take upwards of 24 hours, but will generally take 1-2 minutes with 200k IVs.
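Why the WEP slides keep talking about IV counts: WEP prepends a 24-bit IV to the shared key for every frame, so the IV space is tiny and a busy network reuses IVs quickly, and any stream cipher that reuses a keystream leaks the XOR of the two plaintexts with no key knowledge at all. The following Python is an added illustration, not code from the presentation and not how aircrack recovers keys; it uses a hash-based toy keystream in place of RC4 (a constructed stand-in, chosen only because it is deterministic in the same way), a birthday-bound calculation, and a simulated IV counter.

```python
import hashlib
import math
import random

IV_BITS = 24  # WEP prepends a 24-bit IV to the shared key for every frame


def frames_until_iv_repeat(probability=0.5, iv_bits=IV_BITS):
    """Birthday bound: how many frames a network can send before an IV repeats
    with the given probability (about 4,800 frames for a 50% chance at 24 bits)."""
    space = 2 ** iv_bits
    return math.sqrt(2 * space * math.log(1 / (1 - probability)))


def simulate_first_repeat(frames, seed=0):
    """Draw random 24-bit IVs and report the frame number of the first repeat
    (None if none repeated); the seed makes the run reproducible."""
    rng = random.Random(seed)
    seen = set()
    for n in range(1, frames + 1):
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return n
        seen.add(iv)
    return None


def toy_keystream(iv, key, length):
    """Stand-in for the per-frame keystream: deterministic bytes derived from
    (iv, key) with a hash. This is a constructed toy, not RC4 as WEP uses it;
    the point is only that the same (iv, key) always yields the same stream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(iv, key, plaintext):
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream(iv, key)."""
    return xor_bytes(plaintext, toy_keystream(iv, key, len(plaintext)))


def keystream_reuse_leaks_xor(key, iv, p1, p2):
    """With one IV reused for two frames, the ciphertexts XOR to the plaintexts'
    XOR without any knowledge of the key. True means the leak is present."""
    c1 = encrypt_frame(iv, key, p1)
    c2 = encrypt_frame(iv, key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    # Constructed sample values: a 13-byte (104-bit) key, which is what a
    # "128-bit" WEP key is once the 24-bit IV is counted, and an arbitrary IV.
    key = bytes(range(13))
    iv = bytes([0x12, 0x34, 0x56])
    print(f"50% chance of an IV repeat after ~{frames_until_iv_repeat():.0f} frames")
    print(f"first repeat in a simulated run: frame {simulate_first_repeat(100000)}")
    print("same IV twice leaks p1 XOR p2:",
          keystream_reuse_leaks_xor(key, iv, b"GET /index.html", b"POST /login.cgi"))
```

The birthday bound is the defender's takeaway: a 24-bit IV guarantees repeats within a few thousand frames on any real network, so no key length fixes WEP, and the "more IVs" the attacker collects are simply more samples of the same structural weakness.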

WPA Cracking
To crack WPA, you need the 4-way handshake. This is acquired when a new client connects to the WPA router.
Void11 de-authenticates users and forces them to reconnect, thus giving you a fresh 4-way handshake. Void11 is only supported by Prism cards.

Cowpatty – WPA cracking
WPA is cracked via a dictionary or brute-force method.
Slower in many cases, but because the attacker takes the 4-way handshake home, they have an unlimited amount of time to crack it.
Cowpatty is not as fast as aircrack, but gives similar results.

Which To Use?
Well, it’s all up to you; WPA is slower than WEP in terms of transfer speed.
If your network is not being attacked, WEP is fine for protection
If you’re extremely worried about intruders, use WPA with AES (new routers support this) and use extremely long passwords.
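Why “extremely long passwords” is the right advice for WPA: the pre-shared key is derived from the passphrase and SSID with PBKDF2 (4096 iterations of HMAC-SHA1), so each dictionary guess costs the same fixed work, and the only thing that makes an offline attack on a captured handshake infeasible is the passphrase's entropy. The Python below is an added example, not part of the slides or of cowpatty; the derivation follows IEEE 802.11i, the guess rate used in `compare_policies` is a constructed figure, and the SSID and passphrases are made up.

```python
import hashlib
import math
import time


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit WPA/WPA2 pre-shared key from passphrase and SSID:
    PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes, as specified in IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random passphrase of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(entropy_bits, guesses_per_second):
    """Worst-case time to try every passphrase of that entropy at a fixed guess rate."""
    return 2 ** entropy_bits / guesses_per_second / (365 * 24 * 3600)


def measure_derivations_per_second(ssid, samples=20):
    """Time the PBKDF2 work one CPU core spends per candidate on this machine.
    Rough, and only for a sense of scale: dedicated hardware is far faster."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(f"candidate-{i}", ssid)
    return samples / (time.perf_counter() - start)


def compare_policies(guesses_per_second):
    """Exhaust time for two passphrase policies at the given (assumed) guess rate:
    8 lowercase letters versus 20 mixed letters and digits.
    Returns (short_years, long_years)."""
    short_bits = passphrase_entropy_bits(8, 26)   # a-z
    long_bits = passphrase_entropy_bits(20, 62)   # a-z, A-Z, 0-9
    return (years_to_exhaust(short_bits, guesses_per_second),
            years_to_exhaust(long_bits, guesses_per_second))


if __name__ == "__main__":
    ssid = "ExampleNet"                               # constructed SSID
    psk = wpa_psk("correct horse battery staple", ssid)
    print("PSK:", psk.hex())
    print(f"this core: ~{measure_derivations_per_second(ssid):.0f} derivations/s")
    short_y, long_y = compare_policies(100_000)       # assumed attacker rate
    print(f"8 lowercase letters: ~{short_y * 365:.0f} days to exhaust")
    print(f"20 mixed characters: ~{long_y:.2e} years to exhaust")
```

The SSID acts as the salt, which is why a rainbow table built for one network name is useless against another, and why leaving a router on a common default SSID throws that benefit away.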

Bluetooth Snarfing
Watch this real quick video of a Nokia phone with Bluetooth getting destroyed by bluesnarfer
Involves a weakness discovered in allowing Bluetooth connections with specified hardware calls. Each phone/carrier is different.
Bluetooth viruses have also been released that spread between phones

Car Whisperer
Inject sound into Bluetooth dongles, save sounds, and cause general paranoia
Open-source software: http://trifinite.org/trifinite_stuff_carwhisperer.html
Most Bluetooth dongles use “0000” as the passkey, and many others have a default company passkey.
This passkey is what is used to connect via a Bluetooth dongle. By forcing a connection, we are also talking to the dongle just like the phone.

Identify, Hijack, Humiliate
The consequences of this flaw are essentially eavesdropping (wireless Watergate??)
Do you think the government is not using this now? Pff, read up on the FBI using cell phones as RF transmitters
Programs are available to identify, exploit, hijack, download, upload, and abuse hardware via Bluetooth.

Magnetic Strip Reading < $5
Under $5, wtf? How? Can sound represent digits on a magnetic strip? FSK (frequency shift keying, a.k.a. Aiken Biphase) modulation from the magnetic strip can!
Materials: Goodwill headphones with polarized magnetic head ~$0.99, half of a 6-ft mono audio cable $2.50, material for the stand/swiper free

Construction
Step 1: Cut mono cable in half
Step 2: Remove polarized magnetic head from cheap walkman, toss the rest if disgusting (mine was)
Step 3: Combine positives and negatives on mono cable and polarized magnetic head
Step 4: Tape, construct slider, record and load!

Attention to Track Details
There are three tracks on a magnetic card: Track 1, 0.223 inches from the bottom; Track 2, 0.333 inches from the bottom; and Track 3, 0.443 inches from the bottom
These tracks can all contain useful information, although highly secure tracks are often encrypted (check out 2600’s cracking the train tickets!)

Dab.c & Dmsb.c
Currently both are only supported in Linux; I will try to make a Win32 port
Can take raw microphone input, OR .wav files
Dab.c reads raw binary data, then converts it to ASCII via Dmsb.c
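What the “raw binary to ASCII” step on the previous slide actually involves, as an added example in Python (not the presentation's dab.c/dmsb.c, and not their code): Aiken biphase (F2F) puts a flux transition at every bit-cell boundary and an extra one mid-cell for a 1, so a decoder only needs the spacing between transitions; the resulting bits are grouped into 5-bit track-2 characters (four BCD data bits, least significant first, plus an odd-parity bit), framed by a `;` start sentinel, a `?` end sentinel and a longitudinal redundancy check. The payload below is constructed, not a real card, and the `encode_track2` function exists only to build test input. The point for a defender is that parity and the LRC detect misreads, nothing more: the digits themselves sit on the stripe in the clear, which is what makes skimmed track data directly usable.

```python
def nibble_to_bits(data):
    """Four data bits, least significant first, followed by an odd-parity bit."""
    bits = [(data >> k) & 1 for k in range(4)]
    bits.append(0 if sum(bits) % 2 else 1)
    return bits


def encode_track2(payload, clocking_zeros=10):
    """Build the bit stream a track-2 stripe carries for a digits/'=' payload:
    clocking zeros, ';' start sentinel, data, '?' end sentinel, LRC, zeros.
    Used here only to construct test input; the payload is not a real card."""
    chars = ";" + payload + "?"
    bits = [0] * clocking_zeros
    lrc = 0
    for ch in chars:
        data = ord(ch) - 0x30              # track-2 characters are 0x30..0x3F
        if not 0 <= data < 16:
            raise ValueError(f"not a track-2 character: {ch!r}")
        bits += nibble_to_bits(data)
        lrc ^= data                        # LRC covers sentinels too
    bits += nibble_to_bits(lrc)
    return bits + [0] * clocking_zeros


def bits_to_f2f_intervals(bits, cell=100):
    """Aiken biphase (F2F): every bit cell starts with a flux transition and a 1
    has an extra transition mid-cell. Returns sample counts between transitions."""
    intervals = []
    for b in bits:
        intervals += [cell // 2, cell // 2] if b else [cell]
    return intervals


def f2f_intervals_to_bits(intervals):
    """Recover bits from transition spacing, tracking the cell length so the
    decoder tolerates a swipe that speeds up or slows down. The clocking zeros
    at the start provide the first full-cell reference."""
    bits = []
    cell = intervals[0]
    i = 0
    while i < len(intervals):
        if intervals[i] > 0.75 * cell:     # one full cell: a 0
            bits.append(0)
            cell = intervals[i]
            i += 1
        else:                              # two half cells: a 1
            if i + 1 >= len(intervals):
                break                      # truncated swipe
            bits.append(1)
            cell = intervals[i] + intervals[i + 1]
            i += 2
    return bits


def decode_track2(bits):
    """Walk 5-bit groups from the first 1 bit (';' always starts with a 1),
    verify odd parity per character and the LRC after '?'. Returns the decoded
    text including sentinels; raises ValueError on any check failure."""
    if 1 not in bits:
        raise ValueError("no data: only clocking bits")
    i = bits.index(1)
    text = ""
    lrc = 0
    while i + 5 <= len(bits):
        group = bits[i:i + 5]
        if sum(group) % 2 == 0:
            raise ValueError(f"parity error in character at bit {i}")
        data = sum(bit << k for k, bit in enumerate(group[:4]))
        i += 5
        if text.endswith("?"):             # the group after '?' is the LRC
            if data != lrc:
                raise ValueError("LRC mismatch: damaged or misread track")
            return text
        lrc ^= data
        text += chr(0x30 + data)
    raise ValueError("end sentinel or LRC missing")


def roundtrip(payload):
    """Encode -> F2F intervals -> bits -> decode, the path a recorded swipe takes."""
    return decode_track2(f2f_intervals_to_bits(bits_to_f2f_intervals(encode_track2(payload))))


def corruption_detected(payload, flip_index):
    """Flip one bit of the stream and report whether parity/LRC rejects it."""
    bits = encode_track2(payload)
    bits[flip_index] ^= 1
    try:
        decode_track2(bits)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = "1234567890123456=0705101"    # constructed, not a real card
    print("decoded:", roundtrip(sample))
    print("single-bit error caught:", corruption_detected(sample, 15))
```

A real recording adds a front end this example skips: the headphone head produces an analog waveform whose zero crossings are the transitions, so a tool like dab.c has to locate those crossings in the audio before anything like `f2f_intervals_to_bits` can run.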

Swipe & Observe
Sometimes the information on a card is junk, but remember, a credit card reader is ONLY looking at this junk.
If you acquire a writer off… Ebay… you could collect card tracks, take a writable smart card, and cause chaos.
Hackers at Defcon always manage to unlock a few rooms this way.
Imagine a portable swiper hooked up to an MP3 player as well. Sort of scary… scares the sh** out of me

RFID Reading & Writing
RFID – radio frequency information device
Used in pets, on credit cards, in passports; some guy had it implanted in his skin!
Nothing more than a miniature radio transmitter that spits out its ID when told to

Give Me Access Damnit
RFID badges are very frequently used in big companies trying to keep “high-tech”
Radio frequencies can only be blocked by Faraday-caged wallets & passport holders
RFID readers can pick up anything given to them, especially RFID badges

RFID Read/Write/<Enter>
RFIDs give off a unique frequency, one which a writer/spoofer can clone
Most RFIDs are locked as read-only, but hackers have come up with RFID cloners
Give a door the right RFID via a cloner and you’re in! All the attacker needed was to be close enough to activate your RFID badge & copy it.
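The reason a cloner works against the badges described above is that the badge's fixed ID is the entire credential: whoever has heard it once can repeat it. The Python below is an added simulation, not part of the slides and not any vendor's protocol, contrasting a static-ID badge with a challenge-response badge that proves possession of a per-badge secret by HMAC-ing a fresh reader nonce. The badge IDs, secret and door logic are constructed for the example.

```python
import hashlib
import hmac
import secrets


class StaticIdBadge:
    """A read-only tag of the kind the slides describe: every reader query gets
    the same ID back, so the ID is the whole credential."""
    def __init__(self, uid):
        self.uid = uid

    def respond(self, challenge):
        return {"uid": self.uid}              # the challenge is ignored


class ChallengeResponseBadge:
    """A tag holding a per-badge secret; it proves possession by keying an HMAC
    over the reader's fresh nonce. The secret itself never goes over the air."""
    def __init__(self, uid, secret):
        self.uid = uid
        self._secret = secret

    def respond(self, challenge):
        return {"uid": self.uid,
                "tag": hmac.new(self._secret, challenge, hashlib.sha256).digest()}


class DoorReader:
    """Reader with an enrolment table uid -> secret. With require_proof=False it
    admits any enrolled uid (a static-ID deployment); with True it demands a
    valid HMAC over the nonce it issued, and each nonce is accepted only once."""
    def __init__(self, enrolled, require_proof):
        self.enrolled = enrolled
        self.require_proof = require_proof
        self._pending = None

    def challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def admit(self, response):
        uid = response.get("uid")
        if uid not in self.enrolled:
            return False
        if not self.require_proof:
            return True
        if self._pending is None:
            return False                      # no live challenge to answer
        expected = hmac.new(self.enrolled[uid], self._pending, hashlib.sha256).digest()
        self._pending = None                  # single use, even on failure
        return hmac.compare_digest(expected, response.get("tag", b""))


def copied_response_still_works(door, badge):
    """Record one legitimate exchange (what a nearby reader could observe), then
    present that recording to a fresh challenge. True means a copy suffices."""
    recording = badge.respond(door.challenge())
    if not door.admit(recording):
        raise RuntimeError("the genuine badge should be admitted")
    door.challenge()                          # new session, new nonce
    return door.admit(recording)


def demo():
    """Run both designs against the same copied-response scenario."""
    uid = b"BADGE-0042"                       # constructed identifiers, not a real system
    secret = b"per-badge-secret-0042"
    static_door = DoorReader({uid: None}, require_proof=False)
    proof_door = DoorReader({uid: secret}, require_proof=True)
    return {
        "static_id": copied_response_still_works(static_door, StaticIdBadge(uid)),
        "challenge_response": copied_response_still_works(
            proof_door, ChallengeResponseBadge(uid, secret)),
    }


if __name__ == "__main__":
    for design, copy_works in demo().items():
        print(f"{design}: copied response opens the door -> {copy_works}")
```

The Faraday-cage wallet on the earlier slide blocks the read; challenge-response makes the read worthless even when it happens, which is the property to look for when choosing badge hardware.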

Costs of RFID Readers
RFID reading is fun to imagine projects for.
RFID Toys – essential how-to book on all sorts of projects involving RFID tags
www.parallax.com – $40, cheapest RFID modules on the internet; build your own serial connector as well
www.thinkgeek.com – $99, sells the “RFID Devil”, a USB RFID reader that can work independently of a computer and save acquired RFIDs.

Console Hacking
All systems have been able to run homebrew in one way or another
Three main types of homebrew enablers: mod chips, custom firmware, and flash carts.
We will discuss the Nintendo DS flash cart and the Xbox mod chip, Xecuter 2.6CE
www.neoflash.com offers many flash carts nobody else has, including TurboGrafx-16

Nintendo DS Flash & Firmware
Nintendo DS currently has 3 ways to run homebrew
1. Running a Slot-1 passthrough device and loading programs off of Slot-2 (GBA)
2. Running a Slot-1 passthrough & homebrew device all-in-one
3. Flashing the firmware with FlashMe v0.7 and running off of Slot-2 (GBA)

Flashing the DS
If you do not own a passthrough or other such device, and you want to play homebrew via a Slot-2 (GBA) flash cart, here’s how!
Remove the battery cover from the Nintendo DS, and locate the small hole on the left side of the battery. The top hole contains this:
( || ) – metal contacts
Insert a passthrough, bridge the metal contacts, and run the FlashMe.nds file on the Slot-2 flash cart. Flash, restart, finish!

Xbox Mod Chips
Many mod chips; some have better features than others, but all circumvent the Microsoft BIOS.
Not entirely illegal: full Linux BIOS options are available for a pure Linux Xbox
Xecuter 2.6CE offers a lot of options and is very affordable. Come check it out after the presentation.

Post-Modded Xbox
Emulators, “backups”, applications, and many more
Bigger hard drives, as big as you can get in IDE; 500GB drives are 100% OK
Replace thermal compound to get rid of nasty M$ gunk (also replace fans if you want to)
Run Xbox as a media device, streaming live off of the computer
Emulation is perfect, games are fun, Xboxes are very cheap, why the heck not??

Arcade Building
Just throwing it out there for those who are interested
Use a keyboard interface to make arcade controls “act” like a keyboard. Gamepad hacks also work great.
Check out the arcade parts I have to show.
Use MAME, FCEU, ZSNES, and other emulators to “emulate” the feel of a real arcade.

Many Online Arcade Resources
And a book from Saint called Extreme Tech – Project Arcade!
www.arcadecontrols.com has some of the best examples out there. Check out the Examples section!
www.happcontrols.com is a good place to get the real parts, although I prefer Ebay
www.shoryuken.com – check out the hardware talk for single arcade sticks (not arcades) if you like fighting games or just want an arcade joystick, not an arcade

Thank You For Your Time
Feel free to send me any comments / suggestions / requests for any slides presented
arntsonl<at>cwu.edu