
Okay, good morning. Can you all hear me? Okay, good stuff. Before I get started, can I just have a quick show of hands: how many of you guys and girls are pentesters, or working in red teams, blue teams, SOC analysts, that type of thing, and security managers and the like? Okay, excellent. So we are first-time presenters, so bear with us, but we'll give you a quick bit of introduction into what we're about and who we are. So that's me, and as you can tell I probably look a lot better in black and white. Previous background quite heavily into infrastructure, various roles; fairly new to infosec, so a couple of years in now as a penetration tester. You're probably thinking you don't want to listen to me talk for a good 40 minutes, so you'll be happy to know that my colleague here, John, will be taking over the other half of the presentation. As you can see from John's photo, he's not much better looking in real life, so bear with him. John has much of a similar background to me; we've done similar work in the background. John is now working as a security architect, specialising in IoT, so he is going to be very happy to field any questions you have around any complicated IoT issues. Feel free to tap him on the shoulder when you're out in the hallway con, and make sure you make it as difficult for him as possible. Also, because he's working in IoT, he is single-handedly saving the internet, so again feel free to congratulate him on that.

The last boring slide is a little bit of a disclaimer. Obviously our words, views and thoughts are our own; we don't have any affiliation with the companies that we work for, and obviously if you do decide to go and use the work that we present here today in your places of work, or in systems that you may come in contact with, then obviously the usual applies: be responsible.

So we'll get into what we're actually here to talk about. What is it? As you can see from the executive summary, it's really a physical pen-testing device, and we've designed it for the extraction and reuse of credentials. The way we look at it is we wanted to design something, or make use of something, that was in essence a tool that you could come along to a locked computer (Windows 7 in this case, in a corporate environment), plug it in, wait, you know, 60 seconds or so, and as if by magic it would unlock. So that is exactly what this talk is going to be about. There's going to be a little bit of background about how we've got to this point, so there will be some R&D slides to get you into the mindset that we had whilst we were developing it, and hopefully at the end you can download the code yourself from GitHub and have a go at making one.

The basis for this work: if you cast your minds back to September 2016, you may remember seeing an article from Rob Fuller. He had demonstrated that by plugging a USB network device into a Windows 7 machine, or a Windows 10 machine for that matter, Windows naturally then starts to trust this device and proceeds to send traffic out of its interface. In essence it gets bumped up in the routing table, and all of a sudden all the network traffic that is going from the PC at the time will quite happily go across this new network interface. So this is kind of the basis and the key to the work, and we built on this. There's been other similar attacks since then (you might recall PoisonTap), but this one seemed to stand out to us as the one that's most relevant to a corporate environment, the natural thing that we see in the engagements that we do.

Just to give you some background on how this works. Obviously you guys that are pentesters and working in red teams are probably more than aware of how this attack worked, but for others we'll just go through some of the detail. Rob took a USB Armory, which is in essence just a USB key with a compute module on it. This emulated itself as a network adapter, happy days. Windows naturally saw the network adapter and was quite happy to install it; as I said earlier, Windows tends to prefer the newer and faster connections, so again it was more than happy to accept this and proceed to send traffic out of the interface. The real key bit was that Rob had installed Responder, which is a tool from SpiderLabs. Again, pentesters and red teamers are probably more than aware of what Responder does, but in essence it is going to poison any name resolution request that it sees. In a typical engagement you might start it on a LAN segment and then wait for a period of time. What Responder is going to do is look for any name resolution requests that come across the network (your normal NetBIOS, link-local), and then it proceeds to, in essence, put its hand up and go, "yeah, I'm that guy, I'm that host." So it looks for people that, you know, perhaps fat-fingered an internet address or a file server address. Once it has spoofed that address, it then proceeds to emulate the service that the original request was for, so SMB services, HTTP, SMTP; Responder has a whole library of services that it will emulate, and then it proceeds to take part in any authentication protocols thereafter. For NTLM, for example, it will quite happily do the challenge-response, store the credentials, and then end the communication. In this instance it doesn't have to worry too much about looking for that name resolution traffic, because it's all coming out of that interface anyway.

Again, in the original work, after the device had received some credentials (Responder happens to store these credentials in a database that it runs), the device just shuts down, and then it's down to the person that's running the attack, the attacker, to take it away and crack these credentials. All in all, it was quite simplistic, and we've elegantly summarised the process here: USB device, Windows machine, credentials. It is as simple as it goes. At the time I think Rob got quite a lot of press for that because it was so simplistic; he summed it up in his own words: USB Ethernet + DHCP + Responder = creds. Again, he decided to use some quite expensive equipment for this, so he used the USB Armory at the time; he also demonstrated that it could be done on a Hak5 LAN Turtle. The one slight caveat with the process is that it relies on the Windows machines being quite chatty. What we found, certainly when we were testing this, is that in your typical coffee shop scenario, where you might find a locked machine, you're not going to have so much success; it's largely based around corporate environments where, you know, clients are locked but they're already sending traffic: they might be trying to update their email or browsing an internet site, etc. He also discovered it worked on Windows 10 and earlier, and as you'll see a little bit later in the presentation that's kind of been caveated now, but it still 100% works on Windows 7, which is great.

So we had a go at replicating this attack. The USB Armory was Rob's weapon of choice, so we thought we'd give this a go. At 200 quid a time it's quite an expensive device, and it's not so easy to get going. We also found that when you plugged it in, fundamentally Windows needed to get some drivers installed, and again, because we were looking to target this in a corporate environment, as you're more than aware it's not going to reach out to Windows Update with proxies in place, and UAC is going to block it. So it wasn't quite working to plan; we felt both of those issues kind of made it a low risk. But we thought we'd have a go at maybe trying to get the cost down at least. I think there's similar work out there as well around this, but we in essence bought a Raspberry Pi Zero, and we managed to get all of Rob's work replicated onto that. The original work was really based on just having a couple of services start when the device boots up, so it was quite easy to replicate that onto a Pi Zero.

With a Pi Zero, however, we still had the emulation issue, so drivers were still required, and the one thing that really frustrated us was that fundamentally, even on the Armory, the feedback from the device was quite minimal. You would in essence just see a little LED flashing; it might turn off, it might flash longer. We couldn't really tell what the device was doing at any point in time. Sometimes Responder could take up to, you know, three minutes to grab some credentials; sometimes it might happen quicker. We found that constantly unplugging and plugging the device in ended up corrupting the SD cards a lot of the time, and we had to spend quite a bit of time rebuilding them thereafter. So we got thinking that we could try and make this a little bit better, and this is kind of where we get to with the project and the talk as it is today.

Whilst snagging the creds is great, it still means that we have to take them offline to crack them. So whilst you can use it as a bit of a harvesting tool whilst you're in front of the machine, we got thinking, well, perhaps it's better if it just unlocks the machine, because you've already made the effort to get to that point anyway. The whole aim for us was to try and make something that was usable, in essence: overcome those initial hurdles that we saw with the driver issues, give it some better feedback, make it cheaper (no one really wants to spend 200 quid on a USB Armory every time they want to do this, especially if you're going to lose it), and also make it plug and play, so we don't really want to have to plug in the device and tinker with the code every time you use it, that sort of thing. So really, in essence, we wanted to simplify it. For some reason John really loves this slide, so I left it in. We got thinking and tried to break it down into those component parts: the user feedback, making it usable, driverless installs, and plug and play.

We stuck with the Pi Zero, partly because it's immensely cheap, and also it had a few perks that come with it. As you can see on the image there, it doesn't have a lot of interfaces, but it does have a USB port and it does have a power port. The one good thing is that it takes its power from either, so it can be powered over the data port, which means you don't have to carry around a separate power supply and it kind of performs as it would do in the original attack: you just need an On-The-Go cable and away you go. The other, and probably the most important, part is that the device can be put into host or slave mode. For a device like this, when it's in host mode it will quite happily receive connections, so from keyboard, mouse, etc.; when it's in slave mode, however, it can then do the emulation stuff. Because we were looking to be able to do feedback, so reuse the credentials that we had snagged and cracked, we needed to be able to switch it into that mode as well: we emulate network adapters and we wanted to emulate a keyboard so that we could type it back in. So that's quite a key piece to the puzzle. Obviously it's small, tiny, and it's designed for a whole community of people that like to design wonderful cases of all various colours, sizes and whatever, so wrapping it in a case and putting it in your pocket made it quite ideal. It comes with its own strong community backing as well, so there are various Linux distros for it, so again getting it installed on a micro SD card is really no problem at all. And lastly, again kind of an important piece to this, along the rear side of it, for those of you who don't know, it has these GPIO pins, which are just input and output interfaces. Because it's designed for a community of people that quite happily like to tinker, it's designed to have various motors, sensors and other devices plugged into it, so for us we got thinking that that would be a good opportunity to be able to give it some feedback, which we'll touch on a little bit later.

The downside of the Pi Zero, however: we wanted to crack the credentials and play them back, and as you can imagine, doing any sort of cracking on a single 1 GHz processor with 512 MB of RAM is not going to get you very far. We wanted it to be, as the title suggests, like the movie: we didn't want you to plug it in and hang around for five, ten minutes, two hours, three hours, whatever, make a cup of coffee. We kind of wanted it to be as instantaneous as possible. Although, as you'll see in the demo, there's a little bit of a delay in it, we got the time right down by not relying on the Pi Zero doing the cracking itself. If we couldn't crack on the Pi Zero, we got thinking about where we could do the cracking, and obviously, as some of you pentesters will know, there are various libraries of pre-computed hashes out there. We thought that would be a good place to start, because at least then we'd get some immediate response back, so we could either say this hash was a simple password and it would get cracked immediately, or nothing, and we can just shut the device down and move on.

We did find a problem with using that approach, however. This is quite a busy slide, but as you can see up there, Responder quite happily emulates all those various services, as I mentioned earlier (HTTP, HTTPS, etc.), and what it tends to do, because it's performing the challenge-response for those services, from an NTLM perspective it doesn't just store a plain hash, it stores a salted hash. The good thing is we know the salt, because Responder is doing the challenge-response: Responder is in essence sending that initial challenge, and the salted hash thereafter is a mix of the domain, the user and that challenge. So we have all the information we need, but the downside is the online crackers typically prefer unsalted hashes. I guess some of you have probably used CrackStation in the past, and you can see down the bottom there it will quite happily crack NT and LM passwords, a bit like the typical output from the SAM table, but it won't help us in doing those salted hashes. That's just another example of another online cracker, and again, similar thing: it will quite happily do the NT and LM straight out of the SAM, but not what we were hoping to crack.

So we wanted to do it ourselves, and we decided this also because the client's data that we're working with is sensitive, it's password data; we wanted to put it into an environment where we were in control. Obviously applications like John the Ripper and hashcat will quite happily crack all these salted hashes all day long, and we can control the word lists, so that's exactly what we wanted to do. To do that, as you can imagine, we just spun up an AWS EC2 instance, doing it on a bit of a shoestring budget, so we only went for the cheap t2.micro option. But as you can see, it's already doing the cracking eight times faster than the Pi Zero itself, and if you want to scale that up (John will touch on this a little bit later as well), the options are there.

There is one snag, though. Before I put this next slide up, for some of you in the know, bear in mind that when we did the initial research for this, this was back in 2016, so at the time there was no Wi-Fi available on the Pi Zero. This has probably got us thinking why no one's bothered trying this before, because, as I come on to in a minute, you'll see why it was quite such an arduous task to try and get it working. We had some options for the wireless. First of all, most people seem to suggest you just plug in a USB dongle and away you go. The downside to this is, as I said before, we can either run in host mode or slave mode: as soon as you plug in a USB dongle it becomes host mode, and then you can't do the emulation of the keyboard or the network adapter, and we've only got one USB port, so that's not really an option, and we'd have to carry a battery around to try and power it. On the far right there, there were various serial hats that you can get to plug on top of the Pi Zero. Again, these were brilliant; however, they were kind of reliant on the old-school AT commands, you'd have to write your own packets, making the whole communication a little bit tricky. And then, to the real extreme, in the middle we had those people that like to do soldering and use various amounts of tape, and that just horrified us. The whole point of this was we wanted to make something that was reproducible, and we didn't want to come along and say, here's a brilliant device, however, you know, if you have 20 hours free you can do some soldering and you'll be away.

Amazingly, it took quite a lot of research to find this, but there was a device, a Kickstarter project, this RedBear hat, which gave us in essence Bluetooth and wireless capabilities. It didn't immediately jump to the top of any internet search; however, the benefit of this is it uses all of those GPIO pins we mentioned earlier, so great, we weren't using them at that point. It comes pre-soldered with the headers, so again no real need to do any soldering, and it comes with a custom EEPROM as well, so it means when the device boots it's preconfigured: there's no need to do any driver installs or anything funny, you just get a wlan0 presented straight out of the box. Soldering, however, still caused us some issues. I don't know if many of you out there like to do soldering, but soldering 40 pins at a time for a novice like myself and John is a stressful task, certainly not therapeutic. So we went to try and find something that would be a little bit easier and a little bit more reproducible, and we did come across these wonderful solderless headers. I find using a hammer much more therapeutic than soldering, so we thought that was great: you put these in place, you just hit it with a hammer, and away you go. In essence that gave us our wireless capability: we had our Pi Zero, our solderless headers and our RedBear hat on top. The RedBear was a little bit expensive, so it kind of hit our budget (we wanted to try and keep the cost down), and it had to ship from Hong Kong, so we had to wait the best part of four weeks for it to arrive.

The next thing we wanted to look at, as I mentioned earlier, is trying to improve that user feedback. Having one little LED that blinks isn't great. We didn't want to make this like a school project, so we didn't want to have a whopping great big LED just soldered on, hanging off the side. So we tried to have a look a little bit into the other resources available, and like I say, with the Pi Zero and the whole Pi community there are so many customisable interfaces and modules. We found that we could get a nice little LED matrix to sit on top of the GPIO pins, in essence, and that would give us some feedback. And not only just an on-and-off feedback: we could stage it, so we knew exactly where the device was at any point in time, and fundamentally that helped us with the whole debugging as well, so when we were building the thing we knew exactly what stage we were at. At this point I'll leave this slide up here just for you to ponder, but I'll hand over to John, who will take you through the next half of the presentation. Thank you very much.

Okay, so what you're looking at here on the left-hand side is the GPIO pinout for the RedBear device we were using, and on the right-hand side are a couple of examples of LED display boards. Now you might be able to see there's actually a crossover between the two: there are a number of pins required by the LED displays that are also in use by the RedBear already, and we found this all over the shop when we were looking for suitable LEDs. Stuff that was easy, just plug and play, just didn't want to work; they weren't compatible. So with a bit of research we found two devices that would kind of fit. The first one's called the Blinkt. It comes with eight RGB LEDs, it costs about £5 to buy so it's nice and cheap, it comes with a Python library so it was easy programming for us, and it comes on a header that essentially just sits straight on top of the Pi. So here it is in action. The astute amongst you will notice that it's not sat on top of the Pi, and that's because when we got it we realised that a couple of the pins required for the Blinkt were actually in use by the RedBear already. So the quick solution was to solder a couple of wires on the back of the Blinkt, map those to unused pins on the Pi, and then just remap the whole lot in software. The pros of using the Blinkt were that it was cheap (£5) and those eight LEDs give really good feedback as to what was going on. The downsides were that those four pins of soldering meant it wasn't quite plug and play as we wanted it to be, and you had to wedge the Blinkt in between the Pi Zero and the RedBear to keep it in place; it wasn't the best solution.

Option two was a Scroll pHAT. This comes with 55 LEDs; they're all white, they're not coloured, unfortunately. It costs twice as much as the Blinkt, it's £10, but again it comes with a header you can just plonk on top of the Pi, and again it comes with a Python library for easy programming. Because it's got so many LEDs, it also means you can give text messages to the user, so we can say we're at stage one, or Responder's running, or we've got creds, go. So here it is in action. The top-left image you're looking at is the Pi Zero on its own; the top-right one is the RedBear with a couple of extra-long headers, called stacking headers, on it; the bottom-left image is the Scroll pHAT; and then the bottom-right is everything connected up together with my really poor, shoddy wiring. The pros of using the Scroll pHAT were that it literally just sits straight on top of the Pi: the GPIO pins required were an exact match, so it goes straight on like Lego, and because we have those LEDs, like I mentioned, you can give text feedback to the user. The downsides were, between all the solder required for everything, that's 120 pins I had to solder, and those stacking headers were a real pain in the backside, and because it's £10 it's twice as expensive as the Blinkt.

Quick recap of where we are so far: we've now got a cheap device to run the attack on, we've given it networking capabilities, we've got password cracking up in the cloud, we've now got user feedback through LEDs. We still had that issue that Trevor mentioned earlier with the drivers still being required, which really causes problems in the corporate environment. So we fixed it. Straight off the bat, the Pi will present itself as a generic Ethernet gadget, and Windows doesn't have drivers for that built in. But with a bit of digging and a bit of messing around, we found that in fact if you just tweak the vendor code and the product ID, Windows does have drivers for an IBM device built into it, so if you present the IBM device instead of the generic gadget, Windows has the drivers and will just pick up and run with it. And the last piece of the puzzle should have been the easiest one, actually. To type the creds back into Windows we need to emulate a keyboard, and weirdly the modules required to emulate a keyboard are not in the kernel that was used by the Pi by default. So we had to roll our own kernel, and we are, let's say, not Linux guys, so that was interesting. But after that was fixed, the Pi just plugs and plays, and Windows picks it up as a keyboard. So we were done. We had two devices, they worked perfectly, the password cracking worked perfectly, we had a small amount of code polishing to do, and we were ready to release to the world.

This was the start of this year, start of 2017. There was just one thing: the Pi Zero W came out. So in Feb 2017 we were just polishing everything off and this got released. For those that don't know, it basically takes the Pi Zero and gives it wireless capabilities. Because we now have wireless capabilities, we don't need to use specific LED devices to give feedback; we can use whatever we want. And because it's got wireless, it updates the kernel, and that kernel broke our keyboard module again. Have you ever worked on a project for three months, loads of time and effort and research into it, and then someone comes along just as you're ready to release and just kind of squashes it all over? Yeah, we were thrilled. New technology.

Okay, so introducing the new one, based on the Pi Zero W. We polished it all up a bit, so it's now got installers for the device itself and for the server side for the password cracking. We've standardised on the Blinkt because it does give really good user feedback, and we don't need to do any soldering of fiddly wires anymore, because all the pins are freed up; we can just stick it straight on top. We have left the code in for the Scroll pHAT if you want to use that, which is the one I chose. Right, okay, so quick recap of how everything works. Firstly, you plug in the PiKey, which powers itself up. The PiKey will then connect to your phone, or whatever wireless network you've got, to make sure it's got a cloud connection. It then installs itself as a network interface and waits for Windows to give it some creds. Assuming you get some credentials come out of Windows in some way, the PiKey chucks it up to our password cracker in the cloud; that churns away, and assuming of course you can crack the password, that gets sent back to the PiKey. The PiKey then removes itself as an Ethernet device, reinstalls itself as a HID device to Windows, presses Ctrl-Alt-Delete, and types the password back in for the user on the lock screen, hopefully unlocking it.

Now, I wasn't brave enough to give a live demo today, but we've got the devices with us, so we can show you later; we've got a video of it in action. Okay, so it normally takes about 20-odd seconds for the device to boot. When it does, a couple of LEDs will come on, so it's booting, connecting to your Wi-Fi to test connectivity. Responder's sat in the background just waiting for Windows to give it some creds, and the fourth LED will light up when Responder gets some creds. Okay, so we've got some creds. It's now going to send it off to our cracker up in the cloud, and once those have been cracked it'll be sent back to the PiKey. The PiKey is now installing itself in HID mode; you'll get a few more LEDs, and the machine should unlock itself. There you go. [Applause] Okay, so that was the demo. How long does it usually take us? We found it normally takes about 60 to 90 seconds for the whole attack to work. A large chunk of that is the Pi booting, and obviously a large chunk of that is the password cracking up in the cloud, so we can probably optimise that slightly. We did have to introduce some artificial delays, actually: when you first install it, Windows has got to pick up the drivers and it's got to install them, and on really slow machines that can cause problems, so we had to put in a kind of 10-second delay for that. And again we found on some machines, when you type in the Ctrl-Alt-Delete, it takes half a second or so for the machine to pick it up, so we had to put some delays in for that.

Right, so one of the things, as I said earlier, and Trevor touched on actually, is how to speed the attack up. At the moment we're using John the Ripper for doing the password cracking. You can swap it out and use hashcat; Amazon now supports GPU instances, and Kali comes with it out of the box, which is what the server is based on. So if you want to do a bit more cracking, spin up an EC2 P2 instance and that will make the password cracking a lot quicker. Fundamentally, the device is just based on password cracking: it just takes a password, cracks it and returns the results. So, like any engagement, if you optimise your word list beforehand (if you're going into an enterprise, chances are they've got eight characters or more and complexity turned on), if you optimise your word list you'll get much better results.

We had very specific use cases when we actually built this. We figured people would be using it for social engineering engagements, maybe for internal testing; you might take it between different clients. There's a high probability that you're going to either lose the device or the internal team's going to catch you and are going to snag it, and we really didn't want corporate creds just kind of floating around on a device for someone to grab. So when the PiKey first boots, and when it shuts down, it clears all of its logs, so nothing's stored on the device itself. For passing creds between the PiKey and the cloud and back again we use SSH, and the keys for that are generated when you first install it, so the keys are unique to yourself. The server side, though, the password cracker, does store everything passed to it, and the rationale behind this is that the PiKey is really meant to be used on a kind of a couple-of-minute engagement: you find a locked machine, you stick it in, you crack it or you don't, and you kind of walk away. But it could well be that you're on a two- or three-day engagement, and those passwords can be reused at a later date. So you'll send everything up to the cloud cracker; if you can't crack it there and then, doesn't matter, move on, but it could well be that you can spend a lot more resources that evening, crack the password, come back on day two and use those in a different manner.

Okay, so, in the real world. Realistically this only works on Windows 7. The original attack by mubix worked on Windows 10, but Microsoft patched it, and everybody keeps their environment patched, right? So, Windows 7; but quick show of hands, how many people use Windows 7 in their enterprise? Yeah, quite a few, so it's going to work basically everywhere. Again, in the real world, the machine has to be fairly chatty. If you take a newly booted machine and lock it, it'll take a long time to get any creds out of it; if you've got a standard machine with Outlook running and a lot of background services, you'll get a lot quicker responses. Also, you need a Wi-Fi connection to get up to the cloud; we found on some engagements either the clients won't let you take your phones in, or you just don't have a 4G signal, in which case you go nowhere. When we tested this we got about a 20% success rate, and if anyone's done any real password cracking in an enterprise, that kind of sounds about right: if they've never done a password audit of their AD, 20% is kind of the normal hit rate. As I said earlier, if you optimise your word list and chuck a lot more power behind it, you get a much better success rate. But we have found in some places technologies in place that accidentally prevent the PiKey from working, because when it's first inserted it comes up as a new network interface device, and we found that some enterprises have got firewalls that automatically come up if they don't recognise the network, or VPNs that automatically try and connect, and that kills the attack dead.

I added this slide at the last minute; I'm kind of regretting it now. Right, so up to this point we've talked about the red teaming aspect of it. How do you protect against the PiKey? One solution is endpoint protection software: if you define exactly what you can and can't connect to your enterprise, which USB devices, like only specific keyboards and mice, that kills it dead. If you haven't got endpoint protection, Group Policy comes with it out of the box; you've just got to configure it. If you haven't got that, or as well as, essentially the PiKey is just a password cracker, so strong and repeatable password audits will make a big difference. NIST actually just released a new standard for passwords you can kind of shove in your enterprise's face. If you can't do that, you could force all users to log off when they walk away; you'll be very friendly for that one. Superglue the USB ports. Or, my favourite, give your enterprise MacBooks with the stupid USB-C connectors and hope they don't have an adapter when they come on site. Okay, so last slide: if you want to have a crack at this yourself, everything's up on GitHub. We've got easy-to-use installers; literally it's just kind of run the command at the bottom, I think, for the client, and a similar one for the server, and it'll take care of all the setup for you. All the instructions and all the bits and pieces are up on GitHub. Don't forget you'll need a Pi Zero W and ideally some LEDs as well to get it running, but good luck. [Applause]