Silent Wire Hacking Hack In Paris 2018 erwan.broquaire@cerema.fr - PowerPoint PPT Presentation

  1. Silent Wire Hacking
     Hack In Paris 2018
     erwan.broquaire@cerema.fr
     pierre-yves.tanniou@cerema.fr
     Hack In Paris - 2018
     Direction territoriale Sud Ouest

  2. Silent wire hacking?
     • You know about
       – TCP hijacking,
       – 802.1x bypass techniques (Valérian Legrand, HIP 2017), ways to exploit a MITM position with Fenrir,
       – ...
     • We want
       – to connect to an Ethernet 100 Mb cable,
       – in order to take the man-in-the-middle position,
       – without any warning in supervision: a silent wire hacking
     Hack In Paris - June 28th 2018

  3. Outdoor accessible wires

  4. Indoor accessible wires: from the ground... to the ceiling

  5. Typical situation

  6. Naive connection
     • Is not effective
     • Triggers an alert

  7. Usually monitored
     • Link status, link down
     • RSTP
     • LLDP
     • Filters on MAC and IP addresses
     • (802.1x)

  11. Available solutions
     • TAP: listening only, setup interrupts the network
     • Probe: listening, filtering, injection, setup interrupts the network
     • FO (fibre optic) bending: no injection
     • Dedicated hardware solution: not publicly available, back to standards and datasheets

  12. Goal of silent wire hacking
     • Taking the man-in-the-middle position on an Ethernet 100 Mb/s link
     • Without being detected by switches
       – No link_down / link_up
       – No SNMP trap
       – No RSTP topology change
       – No LLDP detection

  13. Intention
     • Simple solution, DIY
     • Low cost (about 200€)

  14. Technology choice
     • Signal conditioning with operational amplifiers? Classic op-amps (lm341, lf355): gain-bandwidth product < 10 MHz
     • DIY → no surface-mounted components
     • Signal manipulation activated by relays, data manipulation with a Raspberry Pi

  15. Step 1: wire intrusion
     • Opening the cable
     • Best twisted-pair splitting tool:
     • Connecting

  16. Step 2: gathering information
     • First, we gather information:
       – MAC address
       – IP address
       – speed
       – existing protocols: RSTP, LLDP, SNMP, etc.

  17. Speed and addresses gathering

  18. Speed and addresses gathering

  19. Issue #1: Auto MDI-X
     • Auto MDI-X ports on network interfaces detect whether the connection would require a crossover and automatically choose the MDI or MDI-X configuration to match the other end of the link
     • Auto → the use of each wire cannot be known in advance → to which side does the collected data belong? Which IP and MAC address belongs to which device?

  20. MDI / MDI-X (pinout diagram: Rx+, Tx+, Rx-, Tx- pairs on each side, swapped for MDI-X)

  21. Rx and Tx identification
     • How? (without an op-amp or signal comparator...)

  22. Identification of Rx and Tx

  23. Identification of Rx and Tx

  24. (slide without text)

  25. (slide without text)

  26. Issue #2
     • We cannot send traffic

  27. Step 3: apparatus connection
     • To inject traffic we will need some electronics.
     • How to place the electronics in place of the wire?

  28. Step 3: apparatus connection

  29. Step 3: apparatus connection

  30. Step 4: switching

  31. Finally ready for switching!

  32. Step 4: switching
     • (somewhat) quick* switching from the existing communication to devices with:
       – Same speed
       – Quiet (no RSTP, no LLDP, etc.)
     *5 ms (relay switching time; a MOSFET would be much quicker)

  33. Issue #3
     • Even if we switch in 5 ms, it is detected. ...how to avoid that?

  34. Solution
     • We add some noise to keep the link up during the transition:
       – High enough to keep the link up
       – Low enough to be treated as noise rather than signal

  35. Tests and proof of concept

  36. First design
     • Each step works alone (POC)
     • Board design, soldering, cutting strips, checking...
     • Didn't work. Lack of time to fix it :(
     • → full design to be confirmed

  37. Demo
     • But we will still show you! (we will just have to do some steps manually)

  38. Conclusion
     • 4 ideas in this hack:
       – Insertion of the electronics
       – Identification of Rx and Tx wires
       – Switching to well-configured devices
       – Dimming the legitimate signal during switching

  39. Conclusion
     • Costs:
       – 2 Raspberry Pi: 120€
       – electronics: 80€
       – (manageable switches: 250€)
       – candy: 5€
       ...Hacking: priceless

  40. Possible improvements
     • Rebuild the full circuit and complete testing
     • Do without additional Ethernet switches: Raspberry Pi Ethernet configuration
     • Use one single Raspberry Pi instead of two
     • Scripting the information gathering
     • Coping with multicast switching on the Raspberry Pi
     • PoE compatibility
     • Implementing the 802.1x attack
     • Less attenuation in Rx/Tx identification

  41. • It IS possible to silently take the MITM position
     How to cope?
     • Faster link down? Impedance monitoring?
       – difficult to implement in the real world: many existing EM perturbations (events on high-power lines, lightning, lorries with electromagnetic retarders...) → not suitable for plants, infrastructure operators...
     • End-to-end encryption

  42. Thanks
     erwan.broquaire@cerema.fr
     pierre-yves.tanniou@cerema.fr