SO MANY PENTESTING TOOLS FROM A $4 ARDUINO

Kevin Bong, GSE, PMP, QSA, GCIH, GCIA, GPPA, GCFA, GAWN, GSEC
Michael Vieau, CISSP, CEH

October 6, 2018

Nov 29, 2021



ABOUT SIKICH

Sikich is a national technology consultancy with a single-minded focus on improving business performance by deploying best-fit technology solutions. We help our clients understand “what could be”, help them set priorities, and take responsibility to deliver transformative digital strategies.

Copyright © 2018 Sikich LLP. All rights reserved. Distribution or copying is strictly prohibited.


ABOUT SECURITY AND COMPLIANCE

The Sikich Security and Compliance practice is dedicated to assisting clients with information security consulting, fraud management, risk mitigation and vulnerability detection and prevention. Our experts specialize in performing compliance audits, penetration tests, security and risk assessments and computer forensic investigations.


ABOUT KEVIN

▪ Consultant and penetration tester at Sikich

▪ Focus on IT audits, risk assessments, network and web application penetration testing

▪ Hobbyist security researcher

▪ Created the “minipwner” penetration testing drop box project

▪ Multiple projects and presentations on topics such as RFID, hardware hacking and software-defined radio

ABOUT MICHAEL

▪ Consultant and penetration tester at Sikich

▪ Focus on network penetration testing and embedded devices

▪ Hardware hacking hobbyist

▪ Maintainer of the “minipwner”

▪ Co-creator of the Mayhem Lab

▪ Multiple presentations on topics such as RFID, biohacking and portable router hacking

▪ I like to build things

SECURITY AND COMPLIANCE


AGENDA

▪ Overview

  ▪ Leonardo/Pro Micro

  ▪ Building with Arduino

  ▪ Fritzing Board

▪ Embedded Device Testing

  ▪ TTL Adapter/Analyzer

  ▪ Logic Analyzer

  ▪ SPI/I2C Bridge

  ▪ AVR Programmer/Firmware Dumper

  ▪ EEPROM Memory Dumper

▪ Physical SE Tools

  ▪ Bad USB

  ▪ Magnetic Strip Spoofer

  ▪ Proximity Badge Snooper

  ▪ Mouse Jiggler


PRO MICRO OVERVIEW

▪ Small in size

▪ Low cost (~$4 from China)

▪ Leonardo clone, uses the ATmega32U4 chip

▪ Has digital and analog pinouts

▪ Can accept 6-12v power via RAW pin

▪ All components are on one side (so it lays flat)

▪ Program using the standard Arduino IDE

▪ No reset button, but you can jumper RST to GND to reset


ATMEGA 32U4 BOARDS


BUILDING TOOLS WITH THE PRO MICRO

1. Install Arduino software

2. Add SparkFun Additional Boards URL

  ▪ Under File…Preferences

  ▪ https://raw.githubusercontent.com/sparkfun/Arduino_Boards/master/IDE_Board_Manager/package_sparkfun_index.json

3. Install SparkFun AVR Boards under Tools > Boards Manager

4. Then select the right Pro Micro version (5V/16MHz), or you’ll brick your Pro Micro

  ▪ You can unbrick with an ICSP programmer


ADDITIONAL BASIC COMPONENTS

▪ Solderless breadboard

▪ Jumper wires (M-F, M-M, F-F)

▪ Soldering iron and solder


EMBEDDED DEVICE TESTING


EMBEDDED DEVICE (PUMP SKIMMER) TEST SCENARIO

▪ Are there serial or other debug interfaces?

▪ What do the different pins and test points do?

▪ Can we get stored data from the EEPROM memory chip?

▪ Can we dump the bytecode (program) from the processor?


LOGIC ANALYZER


LOGIC ANALYZER SETUP

▪ Goal: Detect the baud rate and TX/RX pins used on a device

▪ Materials: Arduino Pro Micro, small breadboard, seven wires, USB cable


LOGIC ANALYZER SOFTWARE

▪ Arduino source from https://github.com/gillham/logic_analyzer

  ▪ Modified for Pro Micro

▪ Also need Sump compatible client software

  ▪ OpenBench Logic Sniffer


LOGIC ANALYZER DEMO


TTL ANALYZER

▪ Goal: Detect the baud rate and TX/RX pins used on a device

▪ Materials: Arduino Micro, small breadboard, three wires, USB cable
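
One way to recover the baud rate from edge timings on a candidate pin, as an added example (not the presenters' TTL analyzer code): the shortest gap between level changes is taken as one bit time and snapped to the nearest standard rate. The function names are assumptions, and `uart_edges` only builds constructed sample input.

```cpp
#include <cmath>
#include <string>
#include <vector>

static const long kStandardBauds[] = {1200, 2400, 4800, 9600,
                                      19200, 38400, 57600, 115200};

// Constructed sample input: edge timestamps (microseconds) that an
// idle-high 8N1 UART line produces when sending `msg` at `baud`.
std::vector<double> uart_edges(const std::string& msg, long baud) {
    const double bit_us = 1e6 / baud;
    std::vector<double> edges;
    double t = 1000.0;  // line idles high for 1 ms first
    int level = 1;
    for (unsigned char c : msg) {
        int bits[10] = {0};  // start bit, 8 data bits LSB first, stop bit
        for (int i = 0; i < 8; ++i) bits[1 + i] = (c >> i) & 1;
        bits[9] = 1;
        for (int b : bits) {
            if (b != level) { edges.push_back(t); level = b; }
            t += bit_us;
        }
        t += 2 * bit_us;  // idle gap between characters
    }
    return edges;
}

// Returns the closest standard baud rate, or 0 when there is too little
// activity, the gaps are not whole bit times, or no standard rate is within 10%.
long estimate_baud(const std::vector<double>& edges) {
    if (edges.size() < 8) return 0;
    double min_gap = 1e18;
    for (size_t i = 1; i < edges.size(); ++i)
        min_gap = std::fmin(min_gap, edges[i] - edges[i - 1]);
    if (min_gap <= 0) return 0;
    // On a real UART line every gap is a whole number of bit times.
    size_t fits = 0;
    for (size_t i = 1; i < edges.size(); ++i) {
        double n = (edges[i] - edges[i - 1]) / min_gap;
        if (std::fabs(n - std::round(n)) < 0.15) ++fits;
    }
    if (fits * 10 < (edges.size() - 1) * 9) return 0;
    const double raw = 1e6 / min_gap;
    long best = 0; double best_err = 1.0;
    for (long b : kStandardBauds) {
        double err = std::fabs(raw - b) / b;
        if (err < best_err) { best_err = err; best = b; }
    }
    return best_err <= 0.10 ? best : 0;
}
```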


TTL ANALYZER DEMO


EEPROM MEMORY DUMPER

▪ Goal: Extract data from an EEPROM memory chip

▪ Materials: Arduino Micro, small breadboard, six wires, USB cable

▪ Optional: Desoldering wick, ChipQuik Low Temperature Removal Kit


EEPROM MEMORY DUMPER CONNECTIONS

▪ EEPROMs use I2C protocol (inter-integrated circuit)

▪ Need to connect I2C Pro Micro pins to corresponding EEPROM pins

▪ Set the address “000” by connecting address pins to ground
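
With the address pins grounded the chip answers at the family base address, but how a byte offset is sent depends on the chip size. The following is an added example (not the presenters' dumper code) that assumes a 24Cxx-series part in a standard size; `plan_read` and `bus_addresses` are illustrative names.

```cpp
#include <cstdint>
#include <vector>

struct ReadPlan {
    uint8_t device_addr;             // 7-bit I2C address placed on the bus
    std::vector<uint8_t> word_addr;  // bytes written before the repeated START
};

// size_bytes: chip capacity (assumed 24Cxx family, 128 to 65536 bytes).
// pins: strap value of A2..A0 (0 when all three are tied to ground).
// Returns false when the request does not fit the chip.
bool plan_read(uint32_t size_bytes, uint8_t pins, uint32_t offset, ReadPlan& out) {
    if (size_bytes == 0 || size_bytes > 65536 || pins > 7 || offset >= size_bytes)
        return false;
    const uint8_t base = 0x50;  // fixed 1010 prefix of the 24Cxx family
    if (size_bytes <= 256) {            // 24C01/02: one address byte
        out.device_addr = base | pins;
        out.word_addr = {static_cast<uint8_t>(offset)};
    } else if (size_bytes <= 2048) {    // 24C04/08/16: upper offset bits
        // take the place of the low address-pin bits in the device address
        uint8_t block_mask = static_cast<uint8_t>(size_bytes / 256 - 1);
        out.device_addr = static_cast<uint8_t>(
            base | (pins & ~block_mask & 0x07) | (offset >> 8));
        out.word_addr = {static_cast<uint8_t>(offset)};
    } else {                            // 24C32 and larger: two address bytes
        out.device_addr = base | pins;
        out.word_addr = {static_cast<uint8_t>(offset >> 8),
                         static_cast<uint8_t>(offset)};
    }
    return true;
}

// Every 7-bit address the chip acknowledges, i.e. what an I2C bus scan shows.
std::vector<uint8_t> bus_addresses(uint32_t size_bytes, uint8_t pins) {
    std::vector<uint8_t> addrs;
    ReadPlan p;
    uint32_t step = (size_bytes > 256 && size_bytes <= 2048) ? 256 : size_bytes;
    for (uint32_t off = 0; off < size_bytes && plan_read(size_bytes, pins, off, p);
         off += step)
        addrs.push_back(p.device_addr);
    return addrs;
}
```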


EEPROM MEMORY DUMPER DEMO


AVR PROGRAMMER/FIRMWARE DUMPER

▪ Goal: Pull the bytecode from within the processor on an embedded device

▪ Materials: Arduino Pro Micro, small breadboard, six wires, USB cable

▪ Target board – for example this Arduino Uno with an ICSP header


AVR PROGRAMMER/FIRMWARE DUMPER SETUP

1. Open ArduinoISP example

2. Customize pin definitions for Pro Micro

3. Write the ArduinoISP code to the Pro Micro

4. Connect to ICSP pins of your target device

5. Use AVRDude to read or write the device


AVR PROGRAMMER/FIRMWARE DUMPER DEMO


PHYSICAL SE TOOLS


BAD USB

▪ Goal 1: Make a stealth USB attack without spending $40

▪ Goal 2: Make it look like a valid USB thumb drive

▪ Materials: Arduino Micro, male micro USB end, male USB A end, USB drive shell, small bits of wire

▪ Code name: Plastic Chicken


BAD USB DEMO


MAGNETIC STRIP SPOOFER

▪ Goal 1: Replay data from a magnetic strip card (credit card)

▪ Goal 2: Make it a palm-sized device for easy/stealth usage

▪ Materials: Arduino Micro, thin wire (for the antenna), battery/power


MAGNETIC STRIP SPOOFER BUILD

▪ Build an antenna

  ▪ Find something to wrap wire around 200 times

▪ Dip in polycrylic (optional)

  ▪ Gives more structure so the wires do not unwind

▪ Solder male ends to each end of the wire

▪ Connect to Arduino

▪ Profit!


MAGNETIC STRIP SPOOFER DEMO


MAGNETIC STRIP SPOOFER PRO

▪ Can store up to five cards (two tracks each)

▪ Uses Bluetooth for managing the device

▪ More powerful battery (9v)

▪ More details at:

  ▪ https://www.youtube.com/watch?v=_-D9YzmY7n0&t=399s


MOUSE JIGGLER

▪ Goal 1: Create a device to keep a computer from sleeping

▪ Goal 2: Make it small for stealth usage

▪ Materials: Arduino Micro, male micro USB end, male USB A end, small bits of wire, black case/tape


MOUSE JIGGLER DEMO


RFID BADGE SNOOPER

▪ Goal 1: Modify an RFID badge reader to dump badges

▪ Goal 2: Intercept badge codes by tapping a wire between a reader and an access control system

▪ Materials: Arduino Micro, three wires, USB cable


BADGE SNOOPER – MODIFIED RFID READER

▪ Use a logic analyzer to find the trace that feeds the decoded RFID signal into the processor

▪ Connect an Arduino data pin to that trace, decode the signal (whether EM400 or HID)


BADGE SNOOPER – WIEGAND INTERCEPTION

▪ Determine which wires are ground, DATA0, DATA1

▪ Connect to the Arduino

▪ Capture and decode the communications


THANK YOU FOR YOUR TIME.

Are there any questions?

Kevin [email protected] x349

Michael [email protected] x360

Documentation at: http://www.mayhemlab.net

Source code at: https://github.com/TheMayhamLab


LinkedIn: www.linkedin.com/company/sikich

Facebook: www.facebook.com/sikichllp

Twitter: www.twitter.com/sikichllp

Blog: www.sikich.com/blog