
WarBerry: Tactical Network Reconnaissance from a Raspberry Pi

BSides Athens · 2016 · 28:18 · 658 views · Published 2016-07
Category: Technical
Difficulty: Advanced
Team: Red
About this talk
Yiannis Ioannides presents WarBerry, a Raspberry Pi toolkit (originally bash, rewritten in Python) that automates tactical network reconnaissance for physical red-team engagements. The tool sniffs the local segment, enumerates only the services whose ports it actually finds open, captures credentials via LLMNR/NBNS poisoning, and works around port security, MAC filtering, static IP assignment and NAC by transparent bridging, MAC spoofing, static IP bypass and mimicking NAC-exempt devices such as printers, while keeping the operator in control of what is sent into the client's network. The talk shows two live demos, real drop-box placements from engagements, and the countermeasures the speaker recommends, and positions WarBerry as a cheap, transparent alternative to closed-source drop-box products.
Transcript [en]

...which is of course a work in progress. It works, but I [inaudible] network to make sure that it actually works. So back in 2015 I started with this project just to make my job easier, my day-to-day work easier. It was written in bash, and then at some point you realize that your code really sucks when it's going to do a lot of things, so I had to make a decision and rewrite it in Python. Right now it's capable of scanning for Windows, FTP, all of that, enumerating all of this, and at the end running poisoning for credentials. I will not go into detail about how it does this, but we will see. So why did I do that? First of all, I

needed to satisfy my need, being a hacker, to create something which I consider cool and something which I can share with the community. The Raspberry is very cheap, it's expendable: if we put it at a client and we're not able to retrieve it, we don't mind. And I couldn't find anything that fits my needs. I could find stuff that runs [inaudible] automatically, but being an ethical hacker I couldn't risk running something in a corporate network that might break something, might exploit something, or do anything that I'm not really sure what it's doing. So when I come in front of the client I want to make sure that I know what I did, and if I did

something wrong or something dangerous, I'm going to be in a position to explain. When you're doing red team scenarios you have very limited time. If you want to get in and get out, you don't have the time for a laptop; usually of course you have time for a laptop, but you don't have the time to execute commands, make sure that the network works, okay? So with the Raspberry I'm able to just drop it and leave, and make it do the hard work for me. At the end of the day we want to show the client the emphasis that you need to put on physical security. Cyber we all understand, people we all kind of understand, but physical we usually don't correlate it with

hacking approaches. We tend to believe that having some controls is effective. So as I was doing my research I found many distributions which are similar, like Raspberry Pwn, PwnPi, Pwnie Express [inaudible] which is very famous, and many other projects were available online. But then again I was still having the same problem of not being able to know what exactly the script does in the background. The biggest problem was the price; I don't know if you know about the prices of some of these products, they're very expensive. So this gave me some more power to keep going and complete my project. Just to give you an analogy: we

all use nmap during our penetration tests. I use it a lot, and if you do the most basic, simplest scan you can do with nmap, you're running scans for [inaudible] ports and approximately 1,000 services, and this is a lot. It's very heavy inside the network, especially if it's a big network. When you're using WarBerry, which is customized but still makes use of nmap, you're scanning 53 TCP ports, [inaudible] UDP ports and about 50 services, so it's significantly more covert than nmap itself. If you're running nmap with the standard scripts, you're running about 115 scripts inside the network. Some of these may not be safe, for some of these you might need

authorization, so you don't know, you don't really check with the client; you just put this parameter, run it and hope for the best, which is not the right approach. If you do that with WarBerry you only run 16 scripts. Of course if you compare 115 with 16, these are fewer scripts; it's not that the 115 scripts are inside those 16. But what I did: I went through and researched which scripts I really want. There are some services I know that I will not find in a [inaudible] environment for sure, so why not exclude those every time? But nevertheless the choice of which one to use depends on what type of engagement you're doing. You

might want to scan for 65,000 ports, it all depends. So it's not that WarBerry is better than nmap; I rely heavily on nmap, I like it. As I said, the choice comes down to what you want to do. If you're attacking a network you can do a full-blown attack, or you can do a tactical attack where you try to remain hidden. If you're running a full-blown attack you have some benefits: it's quick, you run some tools, you get a lot of shells, which is the best thing for a penetration tester. But then again you make a lot of noise, you do not have a lot of control on what's going on, so

for example if you're running nmap you're not really sure what kind of packets you're sending at any given time. If you're doing a tactical attack you remain stealthy, it is more controllable, but then again the scope is smaller and it requires a lot of skill to manage to get a shell. So these are some pictures I took from engagements where we used the Raspberry. In this case, this is a very common setup in offices, okay? You have a stack of boxes of paper right next to the printer, so we built a box with a fake bottom that sits on top of the Raspberry Pi, we filled it with paper, closed it; people were using it, taking out paper, and by the time

they went to the last box of paper it was too late, because the Raspberry usually takes a couple of hours on the network. And this is inside the server room; it doesn't show very well, but we put it behind the server on the top of the rack and we just left it there. Okay, so these are nice scenarios, but how far can social engineering and red teaming take you? Is it feasible in the real world? So just to make it more funny for you: you can get front row tickets to the Champions League game if you do good enough social engineering. So back in 2008 Olympiacos was playing Anorthosis from Cyprus, in Cyprus,

and I had tickets for the Anorthosis side, but I was in... it was very hot, and this was during the warm-up, and I was on this fan side during the first half. I decided that I want to get closer and maybe get inside the field, inside the stadium, and at the second half I was standing right behind the players, being one of these guys. How I did it: I basically pretended to be a photographer. I had a small Sony Cyber-shot, if you know which one, in 2008 it was this big, so I just told the security I really need to do my job, I would get fired, so he let me

in. He said get in but stay here, don't [inaudible]. So social engineering can take you far, it can take you very far, and you know that guy that was [inaudible]. When you're using a WarBerry though, you face a lot of problems, like port security. So how to overcome this? If you have port security, where one MAC is associated to a single port inside the network, the WarBerry as it is now can help you, because you have two Ethernet inputs: one can be used as input, one can be used as output. If you use bridge utilities and you set both IPs to 0.0.0.0, then you have a

transparent interface, then you are inside the network, between the host and the network. There are many other ways to do it; this is one solution. If you're having a static IP, that's easy, you just assign yourself a static IP; WarBerry does that automatically. If you have MAC filtering, then just sniff all the MAC addresses in the network and the associated IPs, and just mimic one of those, duplicate it, and you will be inside the network. And this is the hardest security to bypass, which is network access control. So basically you need to authorize yourself to the network, but the problem is that many devices do not have this capability; let's say for example printers do

not have the capability of supporting NAC in many cases, not always. So if we look for these exceptions and then we find the IP, we find the MAC address of the exception, maybe we will be able to bypass the NAC in place. This is not a silver bullet, it doesn't work all the time. WarBerry tries to do that automatically, so we have a database of keywords to search for; if it finds a keyword like printer or whatever else which looks like an exception, it takes the hostname, changes its hostname, changes its MAC and IP, so you just mimic a device on the network. So let's do a demo; I hope you in the back can see

well. Pray with me that it works, otherwise just make fun of me. So this is the most simple network that I'm using, because everything is over Wi-Fi, and I have a video of the static IP bypass, if you have the

time. So I'm connected to the WarBerry over Wi-Fi. Usually when I leave it at a client this also has a 3G USB stick on it which connects back to a service which I will show you; it's called [inaudible]. It's an online service which provides reverse SSH to your device, and it's very nice because it also has an iOS application, an iPad application, and you can see if any of your WarBerries are online, which means you're doing well.

Anybody remember the [Music] shortcut? Maybe... now we know the way, maybe the demo will work. [inaudible]

So this is a [Music] WarBerry. It requires sudo; with -h you can see the help page. You can do a lot of things: if you just want to run poisoning inside the network, if you want to poison credentials, just run it with the malicious mode on. You can specify the intensity of the scans you want to do, you can specify the interface; by default it's eth0, in my case, because I'm using wireless, it's going to be

wlan0. I'll try to walk you through. So first of all it checks if it has a valid IP address; if it doesn't, it does not run the other scripts. It checks the netmask in order to scan the entire network, and it begins by sniffing packets using Scapy, the Python module, and tries to capture any interesting traffic from the network. Then it enumerates the names, and it found out that there's an interesting name called dc1, which I have in my database as interesting, so it's changing the hostname from warberry to dc1. So right now the hostname is dc1 and you appear everywhere as dc1, so you have two dc1s. And then after we

enumerated, we did the sniffing, it starts enumerating a bunch of services using threads, TCP and UDP, and then depending on the result that you have it starts enumeration of those. For example, if it found UPnP like there, it's going to run scripts only for UPnP, so you don't run random scripts that you don't need; you only run scripts based on the result you had from the open ports. So right now it's doing share enumeration just because of the ports that were open on the Windows machines. If it finds for example SQL, it's going to do only the SQL enumeration modules, so you save a lot of time and you save a lot of network traffic that

you were normally going to send inside the network. Enumerating shares takes some time. There were some tries and some attempts to spoof the [inaudible]; I released a version a couple of days ago and I took it back, I changed my mind. [Audience] [inaudible] I saw the output at the beginning that said no Internet connectivity, no external... but can you for example implement some kind of egress tester to check, via a lot of ports, which ports are open? Is it a feature? [Speaker] I don't need that. It doesn't send anything outside, because at this moment I have 3G connectivity to the WarBerry anyway, so

that's the covert channel that I'm using. So the external check... no, never; it just checks if you have access. And I connect via 3G; maybe I want to download some files for post-exploitation, that's the only reason why I'm checking for outbound. But right now I'm scanning the internal network, which is

[inaudible] question. So

far there were two or three scripts which run just because those are Windows machines, and Windows machines are nice when you do your work. And I'm enumerating HTTP titles, because after it completes I want to see what type of applications I'm up against; if I want to do some escalation, if I want to exploit more machines, maybe that's an avenue that I can use. I'm also checking if there is a web application firewall on each of the web servers we found before, and then lastly we're doing operating system detection, just to know what kind of hosts you're

against. [Audience] Can you explain how the port security can be bypassed? [Speaker] Yes, the port security... [inaudible]. So we are at Bluetooth enumeration; it also enumerates Bluetooth, just turn it on for now. This is useful for phishing attacks later on, so you will see that it found my iPhone. So right now you know that somebody inside the company is called Yiannis and has an iPhone with this MAC address. There are a lot of attacks to perform, from phishing, or if you know it's an iPhone 5 or whatever you can do some exploitation and get access to the phone.

So this is not an active attack, it just needs the names and MAC addresses for future steps. It takes some time; I left it on purpose to run for some time to capture as many Bluetooth devices as possible. And the last part it's going to do is wireless network enumeration, so that, combined with something like Wifiphisher where you can do phishing attacks against wireless networks, if you know the names already it saves you a lot of time and it's easier to launch the exploitation. [inaudible]

...the picture. So it enumerated the wireless networks as well, and then we get into poison mode. If you know Responder, it does poisoning, let's say, so you're able to capture hashes, and then from there, if you capture the hashes, crack them; if they are NTLMv1, you get access to the [inaudible] via 3G and just launch your attacks. So this was a demo with DHCP. If you give me a couple of minutes we get back to the problem, if you have time for the second demo. [Music]

I'm just going to show the difference. I will not show the enumeration; here we don't have a valid IP. Just clearing out the previous output. Here I'm just showing that everything, all the [inaudible] have a... So right here we can see that the IP is not valid, and we want to check if we can bypass it with the static IP. So I'm scanning the network for

IPs. I found four IPs which are in use and they are valid, and then the subnet: I create the subnet based on the IPs that I found. We make a list and we exclude the IPs which are in use, and then from the remaining we select one randomly. We set the IP statically, randomly, and we ping one of the live IPs. If we get a response that means it's a valid IP and we disregard the rest; otherwise we proceed with pinging the next one, setting a different IP address, and all that. So this is the sniffing module; it found a different interesting name, a server, and that's exactly what I showed you before.

So in the second case I had a Cisco 800 series which was doing the static IP [inaudible], and everything is saved in a folder called results. If you extract that folder and you place it in the reporting module, which is available on GitHub, it creates a report for you which you can export to PDF. You have a nice report with credentials, wireless names, Bluetooth names, which machines are Windows, which machines have this port open, a different port open. And just some of the countermeasures: first of all train your people, because in order for us to get in we need people that will let us bypass your security; and NAC, whenever you can; go beyond default

Windows logging, because we see that most of the time you don't see logs, and it's scary to think that some other malicious people do not appear in the logs. Run only the necessary services, patch and harden. And for Responder: basically it does NBNS poisoning, it does LLMNR poisoning, which is the successor of the previous one, and [inaudible] poisoning; these are enabled by default on Windows, so you can disable them. This was a great reference I found the other day; it explains exactly what to do and saves you from a lot of [inaudible]. And many thanks to these people, because they helped me a lot, and if you know something just share it, it's good to

share. I learned everything from others. [Audience] To come back to your security, to your...

[Speaker] Basically in this situation we use one end coming in from the port to the WarBerry, and going from the WarBerry to the host, to the legitimate host that was supposed to be there, for example a printer. If you create both interfaces, if you set them an IP, you create a bridge called mitm, then you can be a transparent bridge between the port and the host. If the port is configured to be an access port, not a trunk port, then it's not possible. Okay, there are other types of things we can do, but usually we target devices like printers, the easiest way; they get most of

the access on the Internet, and usually they are misconfigured enough to be in a network segment that they are not supposed to be in, and it is easy to find the MAC address of the printer, so you can change the address of

[inaudible]. Other questions? Okay, thank you very much. [Applause]