UPS: The Undetectable Packet Sniffer

Mar 29, 2015

Trystan Vibert

Transcript
Page 1: UPS The Undetectable Packet Sniffer. Tri Valley Security Group Introducing the TVSG Dev Team AutoNiN – Software, Team Lead Spyder~1 –

UPS: The Undetectable Packet Sniffer

Page 2: Introducing the TVSG Dev Team

Tri Valley Security Group www.tvsg.org/ups

AutoNiN – Software, Team Lead
Spyder~1 – Hardware
Mystic – Integration
JustaBill – Organization

Page 3: Concept

Place a stealthed hostile packet sniffer on a victim network. Physical concealment is to hide in plain sight - posing as an Uninterruptible Power Supply (UPS). Network concealment involves clandestine exfiltration methods like Auto-IP Detection and encrypted UDP tunneling.

Page 4: Caveat - Prototype

Unit presented today is a prototype (mk II) unit demonstrating basic concepts. Unit is really not "Undetectable" but should be difficult to detect, even in its nascent state.

Additional hardware and software features are being researched to further decrease detectability and increase attack effectiveness.

Page 5: Undetectable?

Not really…

Takes advantage of today’s overworked, under-resourced, over-managed and under-trained Information Technology staff

Completely blocked by proxies (but we’ll fix that soon enough!)

Page 6: Overview

Introduction
Integration
Hardware
Software
Practical Demonstration
Questions & Answers

Page 7: Integration

Overarching Goal – Stealth: Tried to maintain 'Stock' look as much as possible.

Page 8: Hardware Requirements

486 or Higher CPU
64Mb or More RAM
1Gb or More Hard Drive
No moving parts
Small form factor
Integrated network
Most Important: Cheap!

Page 9: System Components

UPS Chassis
Power Supply
Embedded Computer
Network Hub

Page 10: Physical Components

[Diagram: physical components inside the Chassis – Power Supply (110v AC in, 5v DC out), Embedded PC, Hub, Ethernet RJ-45’s labelled In and Out]

Page 11: UPS Chassis

Tried several UPS Chassis before we found one that worked well

Page 12: Power Supply

Needed to convert the 110v AC provided by the wall to 3.3v, 5v, and/or 12v DC needed by the other components in the system. Most UPS power supplies are trickle-charge systems that cannot produce enough power to run our covert system.

Page 13: Variety of Embedded Systems

Older, Slower, Larger Systems are the Cheapest

Popular Embedded Manufacturers:
http://www.advantech.com
http://www.kontron.com
http://www.ampro.com
http://www.emj.com

Page 14: Our Selected Mainboard

Kontron's Coolmonster:
Pentium-166 with passive cooling heatsink
128MB PC-100 SDRAM
44-Pin IDE Channel for temporary CD-ROM Drive
40-Pin IDE Channel for 2.5" 2GB Laptop Hard Drive
Single 10/100 Ethernet port
PS/2 Keyboard & Mouse ports, VGA Port
PISA Interface (bus expansion)

Page 15: Network Hub

Our embedded system had only 1 Ethernet port, so we could not bridge two interfaces together. For simplicity's sake, we ripped a 10/100 hub out of its case and placed it inside ours. Runs off 5v DC, just like the embedded PC.

Page 16: Network Connections

Repeater hub connected to both wall and client RJ45 jacks. Embedded PC also connected to hub.

Good: Client can still access network even if UPS is booting or down
Bad: Can't do Proxy-ARP attacks, client sees all UPS traffic
Ugly: Either way, client gets Ethernet 'Link' from the UPS, which is odd

Page 17: Software

OS is Redhat 7.2 patched & stripped

Custom Perl and Shell Scripts

Additional Malware added:
NetCat by Hobbit & Weld
dSniff by Dug Song
Nmap by Fyodor
thcrut by The Hacker’s Choice

Page 18: Malware Installation - NetCat

Many thanks to Hobbit & Weld for this incredibly versatile tool.

Used for UPS <-> Listening Post Communications. Default configuration sends it over UDP port 53 to exploit firewall rules that permit outbound DNS queries from desktop clients.

http://freshmeat.net/projects/netcat/?topic_id=150

Page 19: Issues - UDP/53 Tunneling

Modern IDS/IDP systems can detect UDP tunneling

Layer 7-Aware sniffers can detect that while the traffic is going over UDP/53, the payload is decidedly not DNS
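The layer-7 check this slide refers to, deciding whether a UDP/53 payload actually parses as DNS, as an added example that is not part of the original talk. The two sample payloads are constructed here, and the check is a heuristic on header fields and question-section label syntax rather than a full DNS parser.

```python
import struct

# Constructed sample payloads (not captured from the device in the talk).
# A well-formed DNS query: ID 0x1a2b, flags 0x0100 (RD set), QDCOUNT 1,
# QNAME example.com, QTYPE A (1), QCLASS IN (1).
DNS_QUERY = (
    b"\x1a\x2b\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x07example\x03com\x00"
    b"\x00\x01\x00\x01"
)
# A plaintext netcat-style beacon sent over UDP/53, as the talk describes.
NETCAT_BEACON = b"UPS-mkII ready; send commands\n"


def _read_name(pkt: bytes, off: int) -> int:
    """Walk the label sequence starting at `off`.

    Returns the offset just past the name, or -1 if the labels are malformed.
    """
    while True:
        if off >= len(pkt):
            return -1                       # ran off the end without a terminator
        ln = pkt[off]
        if ln == 0:
            return off + 1                  # root label terminates the name
        if ln & 0xC0 == 0xC0:               # compression pointer: two bytes, ends the name
            return off + 2 if off + 1 < len(pkt) else -1
        if ln > 63:                         # RFC 1035 labels are at most 63 octets
            return -1
        off += 1 + ln


def looks_like_dns(pkt: bytes) -> bool:
    """True only if `pkt` has a plausible DNS header and parseable question section."""
    if len(pkt) < 12:                       # DNS header is 12 bytes
        return False
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 2:                          # only QUERY, IQUERY and STATUS are classic opcodes
        return False
    if qd == 0 and an == 0 and ns == 0 and ar == 0:
        return False                        # a message carrying nothing at all
    off = 12
    for _ in range(qd):
        off = _read_name(pkt, off)
        if off < 0 or off + 4 > len(pkt):   # need QTYPE and QCLASS after the name
            return False
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        if qclass not in (1, 3, 4, 254, 255):   # IN, CH, HS, NONE, ANY
            return False
        off += 4
    return True


def classify_udp53(payload: bytes) -> str:
    """Verdict a sensor would attach to a UDP/53 datagram."""
    return "dns" if looks_like_dns(payload) else "suspicious-non-dns"
```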

Page 20: Tunneling Alternatives

Simple Port 80/HTTP Tunneling
  Mask UPS requests in HTTP URL's
  LP replies in HTML WebPages

Advanced DNS Tunneling
  Mask UPS requests in DNS requests
  LP replies in DNS replies

Page 21: Malware Installation - DSniff

Many thanks to Dug Song for his excellent suite of Sniff/Snarf/Spy tools.

Minor tweak in the makefile for the Berkeley DB path and we were set!

http://www.monkey.org/~dugsong/dsniff/

Page 22: What We Used - DSniff

macof - MAC address flooder - stuffs CAM table
dsniff - Cleartext authentication extractor
filesnarf - NFS interceptor
mailsnarf - Email interceptor
urlsnarf - URL interceptor
msgsnarf - Instant Messenger interceptor

Page 23: Malware Installation - Nmap

Thanks Fyodor, you rock!

Comes as an RPM with Redhat 7.2, no installation really necessary

Awesome portscanning/host locating tool, used to detect permitted connectivity outbound through victim firewall

http://www.insecure.org/nmap/

Page 24: Custom Scripts

A variety of Perl scripts were developed to handle UPS <-> Listening Post communications, command and control, including IP Address Mode, Active Scan Commands and Exfiltration Methods.

http://www.tvsg.org/ups

Page 25: Custom Scripts

ups.pl - Master Control Script
Started as a service on UPS boot time and health checked by a cron job, this script is responsible for monitoring UPS-specific processes and initiating connections to the command queue server.

Page 26: UPS Process Flow

Load Config
Configure Network
  Auto-Identify Network (if Configured)
Confirm Network
Confirm/Update System Settings
Contact Listening Post
  Get Commands
Process Commands

Page 27: IP Modes

4 Different Methods of Configuring IP:

1. No IP Mode (Dumb Sniffer)
2. Fixed IP Mode (Good for Testing)
3. DHCP Mode (Not very Stealthy!)
4. Stealth IP Mode (Auto-find Subnet/Gateway)

Page 28: Custom Scripts

netsnarf.pl
Required for IP Mode 4 – automatic network discovery
Watches the network for ARP requests and replies for network information to determine local network topography
Uses The Hacker’s Choice “R U There” (thcrut) to ARP scan IP’s on the same layer 2 segment

Page 29: Custom Scripts

netcheck.pl
Uses nmap and host to probe Internet targets to verify external connectivity.
  Nmap 3 popular websites (HTTP)
  Unix ‘host’ command to 3 DNS Root Servers
  Nmap to Listening Post on UDP/53

Page 30: Custom Scripts

Various Shell Scripts
Other scripts for UPS process management, task automation, and other cool stuff...

Page 31: Command and Control

[Diagram: Corporate Network (UPS, behind NAT/Firewall) and Internet (LP, Attacker); links labelled UDP/53, TCP/80 and TCP/22 (SSH)]

Page 32: Custom Scripts

client.pl & server.pl
Remote command fetch system with DES encryption, randomly generated keys, and pre-shared key system.

Client connects at intervals controlled by the master control script to Server to check command queue for changes in configured behavior.

Page 33: UPS Connectivity

2 Different Methods of Communicating:

1. UDP/53 (looks like DNS) beacon to config server
2. TCP/80 (looks like HTTP) reverse shell to LP
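The polling behaviour described on pages 32 and 33, a client that contacts its server at fixed intervals over UDP/53 while the site's real resolver sits elsewhere, is what a defender can surface from flow records by looking at interval regularity. This is an added example, not part of the original talk; the flow records, host addresses and approved-resolver set are all constructed here.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not real telemetry):
# (epoch_seconds, src, dst, proto, dport, bytes)
FLOWS = [
    # a device polling one external host every ~300 s on UDP/53
    (1000, "10.0.5.23", "203.0.113.9", "udp", 53, 96),
    (1300, "10.0.5.23", "203.0.113.9", "udp", 53, 98),
    (1601, "10.0.5.23", "203.0.113.9", "udp", 53, 96),
    (1899, "10.0.5.23", "203.0.113.9", "udp", 53, 97),
    (2200, "10.0.5.23", "203.0.113.9", "udp", 53, 96),
    # an ordinary desktop: bursty lookups to the approved internal resolver
    (1004, "10.0.5.40", "10.0.0.53", "udp", 53, 71),
    (1005, "10.0.5.40", "10.0.0.53", "udp", 53, 80),
    (1302, "10.0.5.40", "10.0.0.53", "udp", 53, 64),
    (1310, "10.0.5.40", "10.0.0.53", "udp", 53, 77),
    # a host talking UDP/53 to an outside address, but irregularly
    (1000, "10.0.5.41", "198.51.100.7", "udp", 53, 70),
    (1010, "10.0.5.41", "198.51.100.7", "udp", 53, 70),
    (1500, "10.0.5.41", "198.51.100.7", "udp", 53, 70),
    (1505, "10.0.5.41", "198.51.100.7", "udp", 53, 70),
]
APPROVED_RESOLVERS = {"10.0.0.53"}   # the only DNS server clients should ever reach


def udp53_policy_violations(flows, approved):
    """Every (src, dst) pair sending UDP/53 to something other than an approved resolver.

    With the 'require internal servers' rule from page 36 in force, each of these
    is a policy violation regardless of what the payload looks like.
    """
    return sorted({(src, dst) for _, src, dst, proto, dport, _ in flows
                   if proto == "udp" and dport == 53 and dst not in approved})


def find_beacons(flows, approved, min_flows=4, max_cv=0.1):
    """Return (src, dst, dport, period_s, cv) for regular UDP/53 talkers bypassing the resolver.

    cv is the coefficient of variation of inter-arrival gaps; a low value means the
    contacts are evenly spaced, which human-driven lookups rarely are.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, proto, dport, _ in flows:
        if proto == "udp" and dport == 53 and dst not in approved:
            by_pair[(src, dst, dport)].append(ts)
    hits = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_flows:          # too few contacts to judge regularity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else 0.0
        if cv <= max_cv:
            hits.append((*key, round(period, 1), round(cv, 3)))
    return hits
```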

Page 34: Demonstration

Our demonstration will place the UPS behind a NAT device along with a victim PC

We will place a Listening Post outside the NAT and command our unit to monitor the user

We will then exfiltrate the captured data to the LP

Page 35: Demonstration Lab

[Diagram: Internal Network (Victim, UPS, Server) behind NAT/Firewall; External Network (LP, Attacker, Server). Captured demo data shown: Username: Loser, Password: password, Email Data: Subject: Watch out for hackers!]

Page 36: How to Defeat?

Inspect all items entering the premises

Deny clients direct outward access (DNS, HTTP, ICMP, etc)

Require the use of internal servers for all services – HTTP, DNS, Mail, etc.

Use encrypted services like SSH, HTTPS, POP3S, SMTPS, or even IPSEC for internal as well as external traffic.

Page 37: Questions?

Thanks for Attending…