SO MANY PENTESTING TOOLS FROM A $4 ARDUINO
Kevin Bong, GSE, PMP, QSA, GCIH, GCIA, GPPA, GCFA, GAWN, GSEC
Michael Vieau, CISSP, CEH
October 6, 2018
ABOUT SIKICH
Sikich is a national technology consultancy with a single-minded focus on improving business performance by deploying best-fit technology solutions. We help our clients understand “what could be”, help them set priorities, and take responsibility to deliver transformative digital strategies.
Copyright © 2018 Sikich LLP. All rights reserved. Distribution or copying is strictly prohibited.
ABOUT SECURITY AND COMPLIANCE
The Sikich Security and Compliance practice is dedicated to assisting clients with information security consulting, fraud management, risk mitigation and vulnerability detection and prevention. Our experts specialize in performing compliance audits, penetration tests, security and risk assessments and computer forensic investigations.
ABOUT KEVIN
▪ Consultant and penetration tester at Sikich
▪ Focus on IT audits, risk assessments, network and web application penetration testing
▪ Hobbyist security researcher
▪ Created the “minipwner” penetration testing drop box project
▪ Multiple projects and presentations on topics such as RFID, hardware hacking and software-defined radio
ABOUT MICHAEL
▪ Consultant and penetration tester at Sikich
▪ Focus on network penetration testing and embedded devices
▪ Hardware hacking hobbyist
▪ Maintainer of the “minipwner”
▪ Co-creator of the Mayhem Lab
▪ Multiple presentations on topics such as RFID, biohacking and portable router hacking
▪ I like to build things
AGENDA
▪ Overview
  ▪ Leonardo/Pro Micro
  ▪ Building with Arduino
  ▪ Fritzing Board
▪ Embedded Device Testing
  ▪ TTL Adapter/Analyzer
  ▪ Logic Analyzer
  ▪ SPI/I2C Bridge
  ▪ AVR Programmer/Firmware Dumper
  ▪ EEPROM Memory Dumper
▪ Physical SE Tools
  ▪ Bad USB
  ▪ Magnetic Strip Spoofer
  ▪ Proximity Badge Snooper
  ▪ Mouse Jiggler
PRO MICRO OVERVIEW
▪ Small in size
▪ Low cost (~$4 from China)
▪ Leonardo clone, uses the ATmega32U4 chip
▪ Has digital and analog pinouts
▪ Can accept 6-12v power via RAW pin
▪ All components are on one side (so it lays flat)
▪ Program using the standard Arduino IDE
▪ No reset button, but you can jumper RST to GND to reset
BUILDING TOOLS WITH THE PRO MICRO
1. Install Arduino software
2. Add SparkFun Additional Boards URL
   ▪ Under File…Preferences
   ▪ https://raw.githubusercontent.com/sparkfun/Arduino_Boards/master/IDE_Board_Manager/package_sparkfun_index.json
3. Install SparkFun AVR Boards under Tools > Boards Manager
4. Then select the right Pro Micro Version (5V/16MHz) or you’ll brick your Pro Micro
   ▪ You can unbrick with an ICSP programmer
ADDITIONAL BASIC COMPONENTS
▪ Solderless breadboard
▪ Jumper wires (M-F, M-M, F-F)
▪ Soldering iron and solder
EMBEDDED DEVICE TESTING
EMBEDDED DEVICE (PUMP SKIMMER) TEST SCENARIO
▪ Are there serial or other debug interfaces?
▪ What do the different pins and test points do?
▪ Can we get stored data from the EEPROM memory chip?
▪ Can we dump the bytecode (program) from the processor?
LOGIC ANALYZER SETUP
▪ Goal: Detect the baud rate and TX/RX pins used on a device
▪ Materials: Arduino Pro Micro, small breadboard, seven wires, USB cable
LOGIC ANALYZER SOFTWARE
▪ Arduino source from https://github.com/gillham/logic_analyzer
  ▪ Modified for Pro Micro
▪ Also need Sump compatible client software
  ▪ OpenBench Logic Sniffer
TTL ANALYZER
▪ Goal: Detect the baud rate and TX/RX pins used on a device
▪ Materials: Arduino Micro, small breadboard, three wires, USB cable
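One way to do the baud-rate detection described above, shown as an added example rather than the presenters' code: the shortest gap between two edges on a pin is one bit time, and a pin that never toggles is not the device's TX. The function names, the 10% tolerance and the generated edge data are assumptions made for this illustration.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

static const long STANDARD_BAUDS[] = {1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200};
// Estimate the baud rate from edge timestamps (microseconds) seen on one pin.
// The shortest gap between two edges is one bit time, so baud = 1e6 / gap.
// Returns 0 for a pin with too few edges (an idle RX input, power or ground)
// or a rate more than 10% away from every standard rate.
long estimate_baud(const std::vector<uint32_t>& edges_us) {
    if (edges_us.size() < 3) return 0;
    uint32_t min_gap = UINT32_MAX;
    for (size_t i = 1; i < edges_us.size(); ++i) {
        uint32_t gap = edges_us[i] - edges_us[i - 1];
        if (gap > 0 && gap < min_gap) min_gap = gap;
    }
    if (min_gap == UINT32_MAX) return 0;
    double raw = 1e6 / min_gap, best_err = 1e9;
    long best = 0;
    for (long b : STANDARD_BAUDS) {          // snap to the closest standard rate
        double err = std::fabs(raw - b) / b;
        if (err < best_err) { best_err = err; best = b; }
    }
    return best_err <= 0.10 ? best : 0;
}

// Constructed sample input: edge times for `msg` sent as 8N1
// (line idles high, start bit low, data LSB first, stop bit high).
std::vector<uint32_t> uart_edges(const std::string& msg, long baud) {
    std::vector<uint32_t> edges;
    double bit_us = 1e6 / baud, t = 100.0;   // 100 us of idle before the first byte
    int level = 1;
    for (unsigned char c : msg) {
        int frame[10] = {0};                 // frame[0] is the start bit
        for (int i = 0; i < 8; ++i) frame[1 + i] = (c >> i) & 1;
        frame[9] = 1;                        // stop bit
        for (int bit : frame) {
            if (bit != level) { edges.push_back(uint32_t(t + 0.5)); level = bit; }
            t += bit_us;
        }
    }
    return edges;
}

int main() {
    std::printf("%ld\n", estimate_baud(uart_edges("login: ", 115200)));
}
```

The estimate is only as good as the capture: it needs at least one isolated single bit in the traffic, and a noise glitch shorter than a bit will push the result too high.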
TTL ANALYZER DEMO
EEPROM MEMORY DUMPER
▪ Goal: Extract data from an EEPROM memory chip
▪ Materials: Arduino Micro, small breadboard, six wires, USB cable
▪ Optional: Desoldering wick, ChipQuik Low Temperature Removal Kit
EEPROM MEMORY DUMPER CONNECTIONS
▪ EEPROMs use I2C protocol (inter-integrated circuit)
▪ Need to connect I2C Pro Micro pins to corresponding EEPROM pins
▪ Set the address “000” by connecting address pins to ground
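The read sequence behind these connections, as an added example that is not the presenters' dumper: it assumes a 24-series I2C EEPROM, where grounding the three address pins selects device address 0x50. The `I2CBus` interface, function names and `FakeEeprom` stand-in are hypothetical; on the Pro Micro the two bus operations would wrap the Arduino Wire library.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Minimal I2C master operations (hypothetical interface for this example).
struct I2CBus {
    virtual bool write(uint8_t dev, const std::vector<uint8_t>& bytes) = 0; // false = NACK
    virtual std::vector<uint8_t> read(uint8_t dev, size_t n) = 0;
    virtual ~I2CBus() {}
};

// 24-series EEPROMs answer at binary 1010 A2 A1 A0; all pins grounded gives 0x50.
uint8_t eeprom_i2c_addr(int a2, int a1, int a0) {
    return 0x50 | ((a2 & 1) << 2) | ((a1 & 1) << 1) | (a0 & 1);
}

// Read `size` bytes from offset 0: write the word address, then read a chunk.
// Chunks stay at 32 bytes or less, the Wire library's buffer size on AVR.
std::vector<uint8_t> dump_eeprom(I2CBus& bus, uint8_t dev, size_t size,
                                 bool two_byte_addr, size_t chunk = 32) {
    std::vector<uint8_t> out;
    for (size_t off = 0; off < size; off += chunk) {
        std::vector<uint8_t> ptr;
        if (two_byte_addr) ptr.push_back(uint8_t(off >> 8)); // larger parts: high byte first
        ptr.push_back(uint8_t(off & 0xFF));
        if (!bus.write(dev, ptr)) break;     // NACK: wrong address or no chip
        std::vector<uint8_t> data = bus.read(dev, std::min(chunk, size - off));
        out.insert(out.end(), data.begin(), data.end());
    }
    return out;
}

// Constructed stand-in for a 256-byte chip so the example runs without hardware.
struct FakeEeprom : I2CBus {
    uint8_t addr; std::vector<uint8_t> mem; size_t ptr = 0;
    explicit FakeEeprom(uint8_t a) : addr(a), mem(256) {
        for (size_t i = 0; i < mem.size(); ++i) mem[i] = uint8_t(i ^ 0xA5);
    }
    bool write(uint8_t dev, const std::vector<uint8_t>& b) override {
        if (dev != addr || b.empty()) return false;
        ptr = b[0]; return true;             // one-byte word address
    }
    std::vector<uint8_t> read(uint8_t dev, size_t n) override {
        std::vector<uint8_t> r;
        for (size_t i = 0; dev == addr && i < n; ++i) r.push_back(mem[ptr++ % mem.size()]);
        return r;
    }
};

int main() {
    FakeEeprom chip(eeprom_i2c_addr(0, 0, 0));
    std::printf("%zu bytes read\n", dump_eeprom(chip, 0x50, 256, false).size());
}
```

An empty result means the chip never acknowledged its address, which usually points to a wiring fault or address pins that are not actually at ground.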
EEPROM MEMORY DUMPER DEMO
AVR PROGRAMMER/FIRMWARE DUMPER
▪ Goal: Pull the bytecode from within the processor on an embedded device
▪ Materials: Arduino Pro Micro, small breadboard, six wires, USB cable
▪ Target board – for example this Arduino Uno with an ICSP header
AVR PROGRAMMER/FIRMWARE DUMPER SETUP
1. Open the ArduinoISP example
2. Customize pin definitions for Pro Micro
3. Write the ArduinoISP code to the Pro Micro
4. Connect to ICSP pins of your target device
5. Use AVRDude to read or write the device
AVR PROGRAMMER/FIRMWARE DUMPER DEMO
PHYSICAL SE TOOLS
BAD USB
▪ Goal 1: Make a stealth USB attack without spending $40
▪ Goal 2: Make it look like a valid USB thumb drive
▪ Materials: Arduino Micro, male micro USB end, male USB A end, USB drive shell, small bits of wire
▪ Code name: Plastic Chicken
BAD USB DEMO
MAGNETIC STRIP SPOOFER
▪ Goal 1: Replay data from a magnetic strip card (credit card)
▪ Goal 2: Make it a palm-sized device for easy/stealth usage
▪ Materials: Arduino Micro, thin wire (for the antenna), battery/power
MAGNETIC STRIP SPOOFER BUILD
▪ Build an antenna
  ▪ Find something to wrap wire around 200 times
▪ Dip in polycrylic (optional)
  ▪ Gives more structure so the wires do not unwind
▪ Solder male ends to each end of the wire
▪ Connect to Arduino
▪ Profit!
MAGNETIC STRIP SPOOFER DEMO
MAGNETIC STRIP SPOOFER PRO
▪ Can store up to five cards (two tracks each)
▪ Uses Bluetooth for managing the device
▪ More powerful battery (9v)
▪ More details at:
  ▪ https://www.youtube.com/watch?v=_-D9YzmY7n0&t=399s
MOUSE JIGGLER
▪ Goal 1: Create a device to keep a computer from sleeping
▪ Goal 2: Make it small for stealth usage
▪ Materials: Arduino Micro, male micro USB end, male USB A end, small bits of wire, black case/tape
MOUSE JIGGLER DEMO
RFID BADGE SNOOPER
▪ Goal 1: Modify an RFID badge reader to dump badges
▪ Goal 2: Intercept badge codes by tapping a wire between a reader and an access control system
▪ Materials: Arduino Micro, three wires, USB cable
BADGE SNOOPER – MODIFIED RFID READER
▪ Use a logic analyzer to find the trace that feeds the decoded RFID signal into the processor
▪ Connect an Arduino data pin to that trace, decode the signal (whether EM400 or HID)
BADGE SNOOPER – WIEGAND INTERCEPTION
▪ Determine which wires are ground, DATA0, DATA1
▪ Connect to the Arduino
▪ Capture and decode the communications
THANK YOU FOR YOUR TIME.
Are there any questions?
Kevin [email protected] x349
Michael [email protected] x360
Documentation at: http://www.mayhemlab.net
Source code at: https://github.com/TheMayhamLab