Silent Wire Hacking
Hack In Paris 2018
erwan.broquaire@cerema.fr
pierre-yves.tanniou@cerema.fr
Direction territoriale Sud Ouest

Silent wire hacking?
• You know about
– TCP hijacking,
– 802.1x bypass techniques (Valérian Legrand, HIP 2017), ways to exploit a MITM position with Fenrir
– …
• We want
– to connect to an Ethernet 100 Mb/s cable,
– in order to take the man-in-the-middle position,
– without any warning in supervision: a silent wire hacking
Hack In Paris - June 28th 2018
Outdoor accessible wires

Indoor accessible wires
From the ground… …to the ceiling

Typical situation
Naive connection
• Is not effective
• Triggers an alert

Usually monitored
• Link status, link down
• RSTP
• LLDP
• Filters on MAC and IP addresses
• (802.1x)
Available solutions
• TAP: listening only, setup interrupts the network
• Probe: listening, filtering, injection, setup interrupts the network
• FO bending: no injection
• Dedicated hardware solution: not publicly available, back to standards and datasheets

Goal of silent wire hacking
• Taking the Man In The Middle position on an Ethernet 100 Mb/s link
• Without being detected by switches
– No link_down / link_up
– No SNMP trap
– No RSTP topology change
– No LLDP detection

Intention
• Simple solution, DIY
• Low cost (about 200€)
Technology choice
Signal conditioning with operational amplifiers? Classic op-amps (lm341, lf355): gain-bandwidth product < 10 MHz
DIY → no surface-mounted components
Signal manipulation activated by relays, data manipulation with a Raspberry Pi

Step 1: wire intrusion
• Opening the cable
• Best twisted-pair splitting tool:
• Connecting

Step 2: gathering information
• First, we gather information:
– MAC address
– IP address
– speed
– existing protocols: RSTP, LLDP, SNMP, etc.
Speed and addresses gathering
Issue #1: Auto MDI-X
• Auto MDI-X ports on network interfaces detect whether the connection would require a crossover and automatically choose the MDI or MDI-X configuration to properly match the other end of the link
• Auto → we can't know which pair is used for which direction → which side do the collected data belong to? Which IP and MAC address belongs to which device?

MDI / MDI-X
(Figure: pinouts of the Rx+/Rx-/Tx+/Tx- pairs for MDI and MDI-X ports, showing the pairs swapped between the two configurations.)

Rx and Tx identification
• How to? (without op-amp, signal comparator...)
Identification of Rx and Tx
Issue #2
• We cannot send traffic

Step 3: apparatus connection
• To inject traffic we will need some electronics.
• How to place the electronics in place of the wire?
Step 4: switching

Finally ready for switching!

Step 4: switching
• (somewhat) quick* switching from the existing communication to devices with:
– Same speed
– Quiet (no RSTP, no LLDP, etc.)
*5 ms (relay switching time; a MOSFET would be much quicker)

Issue #3
• Even if we switch in 5 ms, it is detected. …how to avoid it?

Solution
• We add some noise to keep the link up during the transition:
– High enough to keep the link up
– Low enough to be considered as noise rather than signal
Tests and proof of concept

First design
• Each step works alone (PoC)
• Card design, soldering, cutting strips, checking...
• Didn't work. Lack of time to fix it :(
• → full design to be confirmed

Demo
• But we will still show you! (we will just have to do some steps manually)
Conclusion
• 4 ideas in this hack:
– Insertion of the electronics
– Identification of Rx and Tx wires
– Switching to well-configured devices
– Dimming the legitimate signal during switching

Conclusion
• Costs:
– 2 Raspberry Pi: 120€
– electronics: 80€
– (manageable switches: 250€)
– candy: 5€
…Hacking: priceless

Possible improvements
• Rebuild the full circuit and complete testing
• Do without additional Ethernet switches: Raspberry Pi Ethernet configuration
• Use one single Raspberry Pi instead of two
• Scripting the information gathering
• Coping with multicast switching on the Raspberry Pi
• PoE compatibility
• Implementing the 802.1x attack
• Less attenuation in Rx/Tx identification

• It IS possible to silently take a MITM position
How to cope?
• Faster link down? Impedance monitoring?
– difficult to implement in the real world: many existing EM perturbations (events on high-power lines, lightning, lorries with electromagnetic retarders...) → not suitable for plants, infrastructure operators...
• End-to-end encryption
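The slides list the signals that switches usually expose and that the naive connection trips: link down/up, RSTP topology changes, LLDP neighbour changes and MAC/IP filters. The script below is an added example, not part of the talk or the authors' tooling, showing how a defender would correlate those events from switch syslog and flag a port that went down and came back within seconds (a brief physical intervention) alongside RSTP, LLDP and unexpected-MAC events on the same port. The log format, hostnames, port names and the per-port MAC allow-list are constructed assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style lines (assumed format; not from any real switch).
SAMPLE_LOG = """\
2018-06-28T10:00:01 sw1 LINK: port Gi1/0/7 changed state to down
2018-06-28T10:00:01 sw1 RSTP: topology change received on Gi1/0/7
2018-06-28T10:00:04 sw1 LINK: port Gi1/0/7 changed state to up
2018-06-28T10:00:05 sw1 LLDP: neighbor on Gi1/0/7 changed from cam-03 to unknown
2018-06-28T10:02:00 sw1 LINK: port Gi1/0/12 changed state to down
2018-06-28T10:45:00 sw1 LINK: port Gi1/0/12 changed state to up
2018-06-28T11:00:00 sw1 MAC: 00:11:22:33:44:55 learned on Gi1/0/9
"""

# Constructed allow-list: the one MAC expected behind each access port.
EXPECTED_MACS = {
    "Gi1/0/7": {"00:aa:bb:cc:dd:07"},
    "Gi1/0/9": {"00:aa:bb:cc:dd:09"},
}

# A down/up pair shorter than this is treated as a flap worth an alert;
# a 40-minute outage on Gi1/0/12 (maintenance) is deliberately not flagged.
FLAP_WINDOW = timedelta(seconds=60)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\w+): (?P<msg>.*)$")
PORT_RE = re.compile(r"\b(?:on|port) (?P<port>\S+)")


def parse(text):
    """Turn raw log lines into event dicts with a parsed timestamp and port."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # ignore lines that do not match the assumed format
        port_m = PORT_RE.search(m["msg"])
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "kind": m["kind"],
            "msg": m["msg"],
            "port": port_m["port"] if port_m else None,
        })
    return events


def detect(events, expected_macs=EXPECTED_MACS, flap_window=FLAP_WINDOW):
    """Return (port, alert_type, detail) tuples in event order."""
    alerts = []
    last_down = {}  # (host, port) -> timestamp of the most recent link down
    for ev in events:
        key, msg = (ev["host"], ev["port"]), ev["msg"]
        if ev["kind"] == "LINK":
            if msg.endswith("to down"):
                last_down[key] = ev["ts"]
            elif msg.endswith("to up") and key in last_down:
                outage = ev["ts"] - last_down.pop(key)
                if outage <= flap_window:
                    alerts.append((ev["port"], "link-flap",
                                   f"down for {outage.total_seconds():.0f}s"))
        elif ev["kind"] == "RSTP" and "topology change" in msg:
            alerts.append((ev["port"], "rstp-topology-change", msg))
        elif ev["kind"] == "LLDP" and "changed" in msg:
            alerts.append((ev["port"], "lldp-neighbor-change", msg))
        elif ev["kind"] == "MAC":
            mac = msg.split()[0]
            if mac not in expected_macs.get(ev["port"], set()):
                alerts.append((ev["port"], "unexpected-mac", mac))
    return alerts


def analyse_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for port, kind, detail in analyse_sample():
        print(f"{port:10} {kind:22} {detail}")
```

On the sample log the detector raises three alerts for Gi1/0/7 (RSTP topology change, a 3 s link flap, LLDP neighbour lost) and one unexpected MAC on Gi1/0/9; the long planned outage on Gi1/0/12 is ignored. This is exactly the telemetry the talk's switching trick is designed not to produce, so a successful silent insertion leaves nothing here to correlate; that is the reason the slide's last bullet falls back on end-to-end encryption rather than on link monitoring.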
Thanks
erwan.broquaire@cerema.fr
pierre-yves.tanniou@cerema.fr