silent wire hacking
play

Silent Wire Hacking Hack In Paris 2018 erwan.broquaire@cerema.fr - PowerPoint PPT Presentation

Aug 16, 2022 •46 likes •466 views

Silent Wire Hacking Hack In Paris 2018 erwan.broquaire@cerema.fr pierre-yves.tanniou@cerema.fr Hack In Paris - 2018 Direction territoriale Sud Ouest Silent wire hacking ? You know about TCP hijacking, 802.1x bypass techniques

  1. Silent Wire Hacking Hack In Paris 2018 erwan.broquaire@cerema.fr pierre-yves.tanniou@cerema.fr Hack In Paris - 2018 Direction territoriale Sud Ouest

  2. Silent wire hacking ? • You know about – TCP hijacking, – 802.1x bypass techniques (Valérian Legrand, HIP 2017), ways to exploit a MITM position with Fenrir – … • We want – to connect to an ethernet 100Mb cable, – in order to take the man in the middle position – without any warning in supervision : A silent wire hacking Hack In Paris - June 28th 2018 2

  3. Outdoor accessible wires Hack In Paris - June 28th 2018 3

  4. Indoor accessible wires From the ground… ...to the ceiling Hack In Paris - June 28th 2018 4

  5. Typical situation Hack In Paris - June 28th 2018 5

  6. Naive connection • Is not effective • Triggers an alert Hack In Paris - June 28th 2018 6

  7. Usualy monitored • Link status, link down • RSTP • LLDP • Filters on MAC and IP @ • (802.1x) Hack In Paris - June 28th 2018 7

  8. Available solutions • TAP: listening only, setup interrupts network Hack In Paris - June 28th 2018 8

  9. Available solutions • TAP: listening only, setup interrupts network • Probe: listening filtering, injection, setup interrupts network Hack In Paris - June 28th 2018 9

  10. Available solutions • TAP: listening only, setup interrupts network • Probe: listening filtering, injection, setup interrupts network • FO bending: no injection Hack In Paris - June 28th 2018 10

  11. Available solutions • TAP: listening only, setup interrupts network • Probe: listening filtering, injection, setup interrupts network • FO bending: no injection • Dedicated hardware solution: not publicly available, back to standards and datasheets Hack In Paris - June 28th 2018 11

  12. Goal of silent wire hacking • Taking the Man In The Middle position on a Ethernet 100Mb/s link • Without being detected by switches – No link_down link_up – No snmp trap – No RSTP topology change – No LLDP detection Hack In Paris - June 28th 2018 12

  13. Intention • Simple solution, DIY • Low cost (about 200€) Hack In Paris - June 28th 2018 13

  14. Technology choice Signal conditioning with operational amplifiers? Classic OA (lm341, lf355): gain.band<10MHz DIY → no surface mounted components Signal manipulation activated by relays, Data manipulation with Raspberry Hack In Paris - June 28th 2018 14

  15. Step1: wire intrusion • Opening cable • Best twisted pair splitting tool: • Connecting Hack In Paris - June 28th 2018 15

  16. Step2 : gathering information • First, we gather information: – Mac @ – IP @ – speed – existing protocols: RSTP, LLDP, SNMP, ETC. Hack In Paris - June 28th 2018 16

  17. Speed and addresses gathering Hack In Paris - June 28th 2018 17

  18. Speed and addresses gathering Hack In Paris - June 28th 2018 18

  19. Issue #1: Auto MDIx • Auto MDI-X ports on network interfaces detect if the connection would require a crossover and automatically chooses the MDI or MDI-X configuration to properly match the other end of the link • Auto → can’t know wire use → To witch side affect collected data? Witch ip@ and mac@ belongs to witch device? Hack In Paris - June 28th 2018 19

  20. MDI / MDIx Rx+ Tx+ Rx- Tx- Rx+ Tx+ Rx- Tx- Rx+ Tx+ Rx- Tx- Tx+ Rx+ Tx- Rx- Hack In Paris - June 28th 2018 20

  21. Rx and Tx identification • How to ? (without OA, signal comparator...) Hack In Paris - June 28th 2018 21

  22. Identification of Rx et Tx Hack In Paris - June 28th 2018 22

  23. Identification of Rx et Tx Hack In Paris - June 28th 2018 23

  24. Hack In Paris - 28 june 2018 24

  25. Hack In Paris - 28 june 2018 25

  26. Issue #2 • We can not send traffic Hack In Paris - June 28th 2018 26

  27. Step3: apparatus connection • To inject traffic we will need some electronics. • How to place the electronics instead of the wire ? Hack In Paris - June 28th 2018 27

  28. Step3: apparatus connection Hack In Paris - June 28th 2018 28

  29. Step3: apparatus connection Hack In Paris - June 28th 2018 29

  30. Step4: switching Hack In Paris - June 28th 2018 30

  31. Finally ready for switching ! Hack In Paris - June 28th 2018 31

  32. Step4: switching • (somewhat) quick* switching from existing communication to devices with: – Same speed – Quiet (no-RSTP, no-LLDP, etc.) *5ms (relay switching time; Mosfet would be much quicker) Hack In Paris - June 28th 2018 32

  33. Issue #3 • Even if we switch at 5ms, it is detected. ...how to ? Hack In Paris - June 28th 2018 33

  34. Solution • We add some noise to keep the link up during transition: – High enough to keep the link up – Low enough to be considered as noise / signal Hack In Paris - June 28th 2018 34

  35. Tests and proof of Concept Hack In Paris - June 28th 2018 35

  36. First design • Each steps works alone (POC) • Card design, welding, cutting strips, checking... • Didn’t work. Lack of time to fix it :( • → full design to be confirmed Hack In Paris - June 28th 2018 36

  37. Demo • But we will still show you ! (we will just have to do some steps manually) Hack In Paris - June 28th 2018 37

  38. Conclusion • 4 ideas in this hack : – Insertion of the electronics – Identification of Rx and Tx wires – Switching to well-configured devices – Diming legitimate signal during switching Hack In Paris - June 28th 2018 38

  39. Conclusion • Costs: – 2 Raspberry Pi: 120€ – electronics: 80€ – (managable switches: 250€) – candy: 5€ …Hacking : priceless Hack In Paris - June 28th 2018 39

  40. Possible improvements • Rebuild full circuit and complete testing • Do without additional ethernet switches: Raspberry Pi ethernet configuration • Use one single Raspberry Pi instead of two • Scripting information gathering • Coping with multicast switching on Raspberry Pi • POE compatibility • Implementing 802.1x attack • Less attenuation in Rx/Tx identification Hack In Paris - June 28th 2018 40

  41. • It IS possible to silent take MITM position How to cope? • Faster link down? Impedance monitoring? – difficult to implement in real world: Many existing EM perturbations (events on high power lines, lightning, lorries with electromagnetic retarders...) → Not suitable for plants, infrastructure operators... • End to end encryption Hack In Paris - June 28th 2018 41

  42. THANK’S erwan.broquaire@cerema.fr pierre-yves.tanniou@cerema.fr Hack In Paris - June 28th 2018 42

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Silent Shout 2.009 SILVER Silent Shout The Market 65 million users $9.7 billion market 2.009

Silent Shout 2.009 SILVER Silent Shout The Market 65 million users $9.7 billion market 2.009

Silent Shout Silent Shout 2.009 SILVER Silent Shout The Market 65 million users $9.7 billion market 2.009 SILVER Silent Shout Benchmarking SIREN POM by POMCO Silent Shout Product Type Description Alarm ring Keychain attachment

116 views • 10 slides
and Education (WIRE) Jane Hillston University of Edinburgh What is WIRE? WIRE is a working

and Education (WIRE) Jane Hillston University of Edinburgh What is WIRE? WIRE is a working

Women in Informatics Research and Education (WIRE) Jane Hillston University of Edinburgh What is WIRE? WIRE is a working group of Informatics Europe, aiming to raise awareness and promote good practice with respect to women in

366 views • 9 slides
N D WIRE NETTING e M h P i t c h s f D I A W r e o i 1. 60 1 .60 ) m m (

N D WIRE NETTING e M h P i t c h s f D I A W r e o i 1. 60 1 .60 ) m m (

WOVEN WIRE WONDERS N D WIRE NETTING e M h P i t c h s f D I A W r e o i 1. 60 1 .60 ) m m ( 1. 60 1 .60 1. 20 1 .20 2. 00 2 .00 2. 00 1 .62 IN FOOD PROCESSING, OUR CONVEYOR BELTS ARE USED IN WASHING, BAKING,

254 views • 6 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation &amp; privilege escalation 4. Maintaining access &amp; covering tracks

960 views • 62 slides
Wire Scanner Reliability Improvement Plans Omar Garza I&amp;C Engineering Group Leader Wire

Wire Scanner Reliability Improvement Plans Omar Garza I&amp;C Engineering Group Leader Wire

Wire Scanner Reliability Improvement Plans Omar Garza I&amp;C Engineering Group Leader Wire Scanner System Overview Problem Wire Scanners 41 Wire Scanners (not including Hall C) Device Location Issue IHA0L10 Injector Multiple

519 views • 11 slides
Longwall Mine Layout Welded Wire Panels Installed in Areas between Pillars 10 Gage Welded Wire

Longwall Mine Layout Welded Wire Panels Installed in Areas between Pillars 10 Gage Welded Wire

Longwall Mine Layout Welded Wire Panels Installed in Areas between Pillars 10 Gage Welded Wire Mesh TX Meshing Using Controlled Resistance Welded Wire Roof Support Current welded wire technology has been in effect and unchanged for years.

374 views • 18 slides
TE Connectivity Wire &amp; cable solutions 100E Wire &amp; Cable Launch of 100E Signal Wire

TE Connectivity Wire &amp; cable solutions 100E Wire &amp; Cable Launch of 100E Signal Wire

TE Connectivity Wire &amp; cable solutions 100E Wire &amp; Cable Launch of 100E Signal Wire Family TE Connectivity is pleased to announce the launch of 100E 300v signal wire and cable. Released in accordance to EN50306 EN50306-2 Thin Wall

591 views • 18 slides
Brief Introduction to Wire-Cell Xin Qian BNL For the Wire-Cell Team

Brief Introduction to Wire-Cell Xin Qian BNL For the Wire-Cell Team

Brief Introduction to Wire-Cell Xin Qian BNL For the Wire-Cell Team http://www.phy.bnl.gov/wire-cell/ 1 Challenges of Event Reconstruction in LArTPCs Event topology: Tracks, showers, unknown vertex in LArTPCs Simple tracks in

704 views • 17 slides
TE Connectivity Wire &amp; cable solutions 100E Wire &amp; Cable www.is-rayfast.com |

TE Connectivity Wire &amp; cable solutions 100E Wire &amp; Cable www.is-rayfast.com |

TE Connectivity Wire &amp; cable solutions 100E Wire &amp; Cable www.is-rayfast.com | uksales@is-rayfast.com | +44(0)1793 616700 Launch of 100E Signal Wire Family TE Connectivity is pleased to announce the launch of 100E 300v signal wire and

331 views • 15 slides
THE SILENT EPIDEMIC OF TBIS: LISTENING FOR DEPRESSION AND SUICIDE THE SILENT EPIDEMIC OF

THE SILENT EPIDEMIC OF TBIS: LISTENING FOR DEPRESSION AND SUICIDE THE SILENT EPIDEMIC OF

SHAUNA HAHN, PMHNP, CBIS THE SILENT EPIDEMIC OF TBIS: LISTENING FOR DEPRESSION AND SUICIDE THE SILENT EPIDEMIC OF TBIS: LISTENING FOR DEPRESSION &amp; SUICIDE OVERVIEW: SCOPE OF THE PROBLEM IN AMERICA THE SILENT EPIDEMIC OF TBIS: LISTENING

969 views • 64 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Test Anxiety: The Silent Intruder, William B. Daigle, Ph.D. Test Anxiety The Silent Intruder

Test Anxiety: The Silent Intruder, William B. Daigle, Ph.D. Test Anxiety The Silent Intruder

Test Anxiety: The Silent Intruder, William B. Daigle, Ph.D. Test Anxiety The Silent Intruder Resources; St. Gerard Majella Catholic School, March 6, 2010 William B. Daigle, Ph.D. 8748 Quarters Lake Road Baton Rouge, LA 70809 (225)

91 views • 5 slides
What is Electricity? 1 ATOM 2 Water Pipe Pump Water Pipe Wire + Wire - 3 EMF

What is Electricity? 1 ATOM 2 Water Pipe Pump Water Pipe Wire + Wire - 3 EMF

What is Electricity? 1 ATOM 2 Water Pipe Pump Water Pipe Wire + Wire - 3 EMF Potential Difference Between Two Points Source of Energy Electrical Pressure Voltage Friction / Static Triboelectric Chemical

979 views • 18 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits &amp; Demos Q&amp;A Why? Wrights Law

486 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
Chapter 4 The Wire Wiring analysis is essential for: Speed Power Reliability Parasitics Wire

Chapter 4 The Wire Wiring analysis is essential for: Speed Power Reliability Parasitics Wire

Digital IC-Design The Wire &amp; decreasing feature sizes Dynamic behavior change in deep submicron A Active elements are less dominant i l l d i Chapter 4 The Wire Wiring analysis is essential for: Speed Power Reliability Parasitics

392 views • 9 slides
Slide 1 / 65 Slide 2 / 65 1 The length and radius of an aluminum wire is quadrupled. By 2 A

Slide 1 / 65 Slide 2 / 65 1 The length and radius of an aluminum wire is quadrupled. By 2 A

Slide 1 / 65 Slide 2 / 65 1 The length and radius of an aluminum wire is quadrupled. By 2 A copper wire has a length L and cross-sectional area A. What which factor does the resistance change? happens to the resistivity of the wire if the

299 views • 11 slides
EOT Cranes Inspection of Wire rope Inspect the wire rope to make sure it is lubricated and

EOT Cranes Inspection of Wire rope Inspect the wire rope to make sure it is lubricated and

EOT Cranes Inspection of Wire rope Inspect the wire rope to make sure it is lubricated and that none of the following conditions exist: 1. No kinks 2. No broken or cut strands 3. No bird caging 4. No crushed sections of rope 2 . 1 . 3 . 4.

439 views • 18 slides
#prep X Assembly 05: Wire Harness It is HIGHLY recommended to watch the video for this part. It's a

#prep X Assembly 05: Wire Harness It is HIGHLY recommended to watch the video for this part. It's a

#prep X Assembly 05: Wire Harness It is HIGHLY recommended to watch the video for this part. It's a better learning experience; the images can't easily convey how the wire slack should feel and what are the wire paths. PS: In the videos, we are

434 views • 15 slides
The laser-wire Project PETRA laser-wire Royal Holloway, UoL: G.Blair, G.Boorman, S.Boogert,

The laser-wire Project PETRA laser-wire Royal Holloway, UoL: G.Blair, G.Boorman, S.Boogert,

The laser-wire Project PETRA laser-wire Royal Holloway, UoL: G.Blair, G.Boorman, S.Boogert, A.Bosco, J.Carter, M.Price. Oxford: N.Delerue, D.Howell. DESY: S.Schreiber, F.Poirier, H.Lewin, K.Wittenburg, K.Belewski. BESSY: T.Kamps. Michael

743 views • 22 slides
Measurement of Wire Sag in a Vibrating Wire Setup* Animesh Jain, Ping He, George Ganetis

Measurement of Wire Sag in a Vibrating Wire Setup* Animesh Jain, Ping He, George Ganetis

Measurement of Wire Sag in a Vibrating Wire Setup* Animesh Jain, Ping He, George Ganetis Superconducting Magnet Division Brookhaven National Laboratory, Upton, NY 11973 and Alexander Temnykh Cornell University 15 th International Magnet

516 views • 13 slides

More recommend