
BSides Las Vegas 2019 Wednesday - Breaking Ground

BSides Las Vegas | 9:04:13 | 980 views | Published 2019-08
Test, test, test, test. You hear me, guys? Hear me on this thing? A little quiet? No? All right.

Good morning, everyone, and welcome to BSides Las Vegas Breaking Ground. Before we get started, a couple of announcements. We want to say thank you to our sponsors, especially our inner circle sponsors, Critical Stack and Valimail. We also want to thank our stellar sponsors, National Security Agency, Microsoft and Robinhood. We have a lot of other sponsors and donors and volunteers, and without everyone's support this would not be possible, so a big thank you to everyone. We would also like to remind everyone that this talk is being recorded and streamed to YouTube, so if you have a cell phone, please silence it, and if you have questions, please use the microphone. Raise your hand, I'll bring it over so

that you can ask questions and everyone can hear you. With that, let's get started. Welcome to Mike.

Yeah, thank you very much. All right, I'm Mike, great time to talk to you about the Chaos Drive. So on the programs it says the Loki Drive. This first project has been kind of in development all through a winter and spring, and when I put the proposal together I called it Loki Drive, but even a mild search for Loki and hacking leads you to a whole ton of projects, the earliest being in 1996: Phrack magazine released the Loki project, Project Loki, which was ICMP tunneling. I didn't have anything to do with that, so I decided to leave that

name alone, so I just renamed it the Chaos Drive. And I really value you guys' time. There's a lot of tracks to go to; I appreciate you guys are here. But if you don't listen to the story of how I got to the Chaos Drive, by all means jump ahead to my git repo and you can build your own today. There's a whole thing there, even an image you can plug into a PocketBeagle and get it working right away. So let's get on it. So what is the Chaos Drive? The Chaos Drive is basically Linux USB gadget-enabled tomfoolery: lets me do all kinds of stuff with USB drives. And why did I get here? So I'm a

blue team lead professionally. It's what I do, and I love watching my processes and finding flaws in them. And so, like all blue teams, people bring us things. Sometimes they bring us donuts, sometimes they bring us USB drives from vendors, from their home, from their parking lots, wherever they find one. They're in to us, say, "Hey, will you scan this for us?" So we take it, we run it to our ultra-mega-secure disconnected system. When we scan it and we come up with no malware, we're happy potato, we're moving on. And after we find that, we give it back to the user who detected, he plugged it into his machine, everything is good. But what

if, and here's the seed that germinated, that let me build this thing: what if, while it was moving from my scanning machine to my target machine, it actually changed the files and you didn't know that, and it changed them to malware? Which leads us to this situation, which everyone knows what he says. Now stay with me, don't write. All right. So we get malware on our target machines. So that's what led me to building the Chaos Drive. And before I go into what I did with evil USB, I think I should talk about the history of evil USB, because this is a very interesting interface. All right, so there's a lot of stuff out there, kind of

starting back in DC 18 with Adrian Crenshaw. He built the programmable HID, human interface device, USB dongle, right, and these are cool. What they do is, you plug them in your computer and it acts like a keyboard or a mouse. It sends a bunch of commands; usually those commands end up downloading an implant, or compiling an implant while you're not watching, right on your machine, and it works in that manner. And what's really cool about them is most HID devices are completely whitelisted on every machine, right? They're just accepted by default, so there's not a lot of controls around HID. So that's a really cool device. He references himself to USB

Hacksaw on his paper. There's not a lot of information about that thing out there, but there's a link there you guys can track down if you want to read about it. And then the Rubber Ducky is the kind of professionally provided device now, built by Hak5, that you... I didn't see him out here this year, but you definitely get them at the DEF CON vendor area in a couple days. So that led to that. The next evil USB chapter that started was with Philip Polstra. He started a series of evil USB talks starting in DC 20, and the first talk was basically USB impersonation. So I talked about how HID devices are all white

listed typically, or just allowed by default, but USB drives, flash drives, tend to be in more secure areas. They tend to be, like, whitelisted, like you have to have a specific device in order to plug it in and use the drive. He built the impersonation device there: you can impersonate any USB device if you can control the device descriptors, and that's what he built. And his work kind of forced out of some of the problems I have with cross-platform work, but it was the beginning of a series of talks. Then he talked at DC 21 about a whole series of leave-behind low-power USB devices, and here he really got into the

BeagleBone series of boards, which is what I ended up using as well. And to be honest, like all of us know, if I'd just spent a little bit more time paying attention to what he was saying and reading his slides, I'd probably have saved myself an awful lot of time. But I didn't, and I took the hard way. And then he followed that up finally at DC 23 with "One Device to Pwn Them All", which was, finally, he kind of refined his BeagleBone mastery and built a board that did everything: it did the HID, it did impersonation, and it did all those things that he's built over the

years. He kind of finished it there. So that was his series of evil USB. But it didn't stop there. This device, this interface, this just-allow-and-trust-by-default interface, is a really big problem for security. You guys have probably heard of USB Killer: that's just a high-voltage override for your machine. I tried to find some really cool videos of plugging that thing in and getting a smoke cloud, oh sorry, cloud of smoke, but what really happens is you plug that thing in, your machine turns off, and it basically never turns back on again. And so it's not all that dramatic. But, USB Killer. And then BadUSB: in the last year or so there's been a lot of social

media about BadUSB, and I've associated it, because of that, with a set of accessory cables, right? They're basically man-in-the-middle attacks between a device and your computer. They're intelligent cables; they can do whatever they want to the data that goes back and forth through them. However, what really was BadUSB was in Black Hat 2014, where two researchers introduced it, and it's really cool. It's a USB device that installs malware on your machine, which is cool, but what's really cool is that malware then looks for vulnerable USB devices to be plugged in, and it reflashes the firmware on those devices. So that's how it replicates, and that's a really

cool attack vector, completely undetectable once it's on the USB drive, because no one's checking the firmware of your device, which is actually why Chaos Drive works too. And so, like I said, also went to these accessory cables of built-in microprocessors, and then we're finding nothing every day. Then, slightly less evil, at Black Hat Asia: the USB armory was a device that was really defended, put together for protection purposes more than attack. You can read their own words there: "this device provides developers and users with a reliable platform for building and executing personal security applications." So it didn't really have any attack vectors, but some of its functionality was very close to what I built here. It's actually pretty hard to

find. I haven't been able to find anywhere to buy one of those things right now. There's rumors of a new one coming out, but I haven't been able to find any. And there's some links to the YouTube video so you guys can research those. So why is Chaos Drive different from all that, this great history of evil USB? Why did I come up with it, why I work on it, and why I'm here today to talk? Before I can go into that: basically, Chaos Drive is a storage-focused attack. And for the non-storage nerds in this room, storage is basically presented in LUNs, logical unit numbers. That's the actual data space you put your information on, on a

storage device. It works on USB; it's also most network-attached storage, enterprise-level storage, they use LUNs. So the Chaos Drive has two LUNs, secret and public, and I can change those LUNs whenever I want, and I can modify the data on those LUNs at will, and that's allowed me to do a lot of really interesting behavior, chaotic behavior as I call it, because the drive doesn't do what you expect it to do, which is just be your file storage. And so, in true D&D nerd fashion, and I am definitely a D&D nerd... Come on, who else in here is a D&D nerd? Who has got a d20 in their pocket right now? Anyone else? I got one

back there, yes. All right, okay. So I am a true D&D nerd, so in true D&D nerd fashion, here are the chaotic aspects of my drive. Chaotic good: Reveal. I actually really like this function. This function came about after I started working on it. What this really is: by default the drive presents the public LUN, and that's the one that anyone sees until a command file is placed in the right spot, and it's a secret LUN. The use case I like on this is, quite frankly, border and pacune. Like, I know you guys have all read in the news and seen everywhere that even in the U.S., coming through customs and border inspection,

they can do warrantless searches of your devices, right? So in this case, you plug this innocuous-looking device in, they take it from you, they plug it in, they see your pictures of your vacation, your cats or whatever, they give it back to you, they're fine. Now, if that drive is encrypted and full of a lot of, you know, encrypted files, that raises suspicion. However, here they see, kind of, nothing out of the ordinary, and so they take it, they give it back to you, you go home, you plug it in, you put the command file in place. And what I mean by that is, the way the Chaos Drive works, which you will see in the demos, is it

waits until a certain file is placed at the root of the drive, and when it sees that file, then it flips the LUNs. So in this case it flips to the secret LUN and gives you access to the data you didn't want anyone to see. So that's the Reveal function. I call it chaotic good because it's kind of fine; it's for your protection. Chaotic neutral were just basically utility functions I had to build into this thing to make it work. The first one's called Squawk: it opens a TTY interface, a shell, over the USB connection, so that way you can get into the drive and change it without needing any extra hardware. And then Fail. Fail is

just a system that, if the drive fails too many times in a row without finishing its tasks, it'll default to Squawk so you can get in there and find out what the heck is the matter with it. So, just default functions; they don't really have any intrinsic evil or goodness. But now, the chaotic evil function is the one that I really like about the Chaos Drive. First up is Alchemy, which lets you modify the contents of the LUN at will, and that one's really interesting, and I'll show you a specific Alchemy script I came up with when I get to my demos. Dupe is copying the contents of the public LUN. This is the "I lent my drive to my friend"

use case, where the person takes it, they put a bunch of files on it, they move the files where they want to, then they delete them, they wipe them, they do whatever they want to those files, and give it back to you, feeling secure that you can't see what they did. Except, while they were working, the drive made a copy of all their files and put it on the secret LUN. Then you can go take a look at those at will. The last one is Fickler. This is the actual use case that I started this whole thing with, where it changes which LUN is presented depending on the number of times it's been plugged in. So those are my, those

are my functions. We're let them it linked, but I got talking about how I got here. How do you guys... capture the flags, anybody done a few, or any kind of difficult hacking problem? So you work on a problem for a long time, and it takes you a long time, and you do it, and then finally, when you go talk about doing it, it's like, well, it looks like it was easy. Okay, so it wasn't, all right? There was a lot of work to get here, to what you're gonna see, because I had to teach myself a lot. So the first thing you have to do is find a device that can be used as a USB gadget. There aren't a

lot of them, so let's go through some common ones. So first up, your basic workstation: can your basic workstation be used as a USB device? Kanye says no. You cannot use your basic workstation as a USB device gadget, with the exception of if you get one of these boards like the GreatFET that allows you to emulate between two computers: you have one computer set up as the controller for the GreatFET, and the other computer thinks it's seeing a USB device on the other end. So you can do that if you buy those extra boards, but it seems a little overkill for what I needed to do, so I didn't use those, which

is probably good, because the laptop makes a terrible USB drive. I mean, it really does. All right, your basic large-form Raspberry Pi: can you use this to be a USB gadget? Kanye says no. Actually, what it really says is "trick question", and we'll go over that in a second, but basically the large-form Raspberry Pis that you can buy on Amazon or anywhere else don't generally work as USB gadgets. I learned that the hard way. Your basic Arduino: nope, can't use those. There's some clicking boards you can use, but out of the box Arduinos do not work as USB gadgets. Finally, the PocketBeagle and the Raspberry Pi Zero: do they work? Well, of course. I'm actually

like, literally talking about them right here. So they do work, and they have the other really good features, that they can be fully powered from a USB port and they're super small. Here's a PocketBeagle right here, so you can see: super small little devices, really good for prototyping, and you can even see yourself building a USB device out of that thing. All right, it is confusing to find out which of these devices can be used. So if you want to learn, if you have a dev board you want to use, you need to figure out how to... there really is no other way but really digging into the specs of the

given board. Specifically, this is the PocketBeagle; this is the Octavo Systems chip functional diagram that the board runs, and basically the PocketBeagle is this chip on a breakout board. It's an amazing chip; it does all kinds of stuff. I've barely touched the surface with this thing, but it works very well. And here's the key part, right here, down here: the USB 2.0 high-speed on-the-go plus physical times two, moment closure there. That's what you need: the high-speed on-the-go, or on-the-go if you don't have the high-speed. That's what you're looking for on a chip. Now, this is the breakout of the current Raspberry Pi specs that you find on Wikipedia. I know this is probably hard

to read. I'm gonna talk you guys through it; you don't have to read this per se. And we know that the Pi Zero works as a chip, and you can see here the reason why is because it uses this device here: this is a Broadcom 2835 chip, that's the communications chip it uses, and clicking around gets you to the Broadcom site, which takes you to the Synopsys site and tells you that it's a high-speed USB on-the-go controller. But not so fast, and here's where it gets tricky about the Raspberry Pi: all these other devices also use the 2835 and they don't work. With the exception of the Model A's, they don't work as USB gadget devices. And even

worse, if you go through and look at the 2837, the 2836, all of those are also chips that support USB on-the-go, but they do not work as on-the-go devices when built into the Raspberry Pi form factor, and that's because they put this hub between the chip and your USB connector that breaks the functionality. So it's very difficult, and you have to read the specs carefully before you purchase the board or any chip to see if it's going to work for your needs. But there's a lot of chips out there that support this. Not a lot of them come on proto boards already, but they are out there. All right, okay, so now, if you've got a chip that works

to use a USB gadget, it's actually pretty straightforward. It's a Linux gadget, it's a Linux kernel object, it's a module you just load through modprobe, and if your Linux kernel is properly compiled with the options, then you can just download it, or you can use any one of these types of USB gadgets: Ethernet, serial, there's the human interface device; I use mass storage. You might have even more. The best way to find that is with this command right here: `modprobe -l`, list, and grep for gadget. You'll get a list of all the gadgets you can load through your modprobe, so that's the quickest way to find that. Now, options: options for

every module are quite specific and quite unique, and it can be difficult to figure out what they are. There's commands, if you google it you'll find commands you can run, but I've found that those commands are not universally applicable. I found the best way to figure out what your module can do is using some just basic CTF flair, capture-the-flag flair: you run strings on that kernel object, you grep for `parm=`, you get a nice list of all the parameters that you can use for any given module. Great way to do it. And you can see those module files are typically buried in your /lib/modules for your kernel, way, way

down there. Where they are exactly on your distro may vary, but that's where they're at, and you can use the find command to find them. There's lots of ways to find where they are; that's the best way to do it. All right, so once you have that, you figure out how to use it, figure out the minimum options, you run this command: modprobe, the name of your module, the options. And if your device supports gadgets, if your Linux kernel has been compiled correctly, if you got the options done correctly, and if your device isn't already presenting a USB gadget (use lsmod to find out, by the way), then you will present storage. Maybe. That

command's to remove it. Maybe, depending if your backing file is correct. So we've got to talk about backing files now. So my first attempt to make a backing file came from the recipe found at that link there. These slides are all on my repo, by the way, or a link to the slides is on my repo, so you can get to them. And it's pretty simple: you make a file using the data duplicator, the dd device. You guys know there's, like, no accepted definition of what dd stands for? Like, it depends who you ask. It's just a basic command of Linux and no one knows what it actually is supposed to mean. Anyway, so you use the dd command, then you

make a file the appropriate size, and you run mkdosfs on it, and you'll get a backing file, and it will work. You use that as part of your command, you present the storage, your computer will see it, it'll use it, and it'll work just great. Unless you're on Windows, in which case Windows won't work. The first time I plugged my drive into a Windows machine I got this down here: it says that my hundred-megabyte test partition was not allocated. And so I was like, oh, that's weird, because it worked in every other computer I tested on. So, well, then I went and I used Windows to format that thing, and I wrote to it, and

then I took that file back to my Linux machine and plugged it in, and I saw the original files. So Windows and Linux were seeing different files in the same backing file; basically they put different file allocation tables in place. That was kind of trippy and interesting, but super unreliable; that's not going to work for you. And the reason why is right here: this recipe generates a backing file with no partition table, and so Linux and UNIX have no problems with that; Windows chokes on it. And so if you want to be cross-platform compatible, if you want to be able to use it, you have to build the partition file, and you do that

with this. Basically, to summarize: you make a file, again with the data duplicator, you run fdisk on it to generate the partition table, then you have to mount that thing as a loopback device, and then you format the loopback device, and eventually you'll get a file with a partition table, and you'll get a FAT-formatted disk in place. Now, that's a lot of little fiddly bits in there. Nothing is difficult about it, but it is kind of a pain in the butt to do it over and over again, and so inside my chaos directory of my image, which you guys can download, or just even from my repo, you'll find these scripts I wrote:

backing file make, backing file mount, backing file unmount. They just kind of simplify that stuff, automagic it, but it's doing these little fiddly bits for you. All right, now. Okay, now I've got a device that works, I've got a presented gadget, I've got a backing file the overlying operating system can use. I want to detect changes to the backing file. The way I intended Chaos Drive to work is it watches while the user is using the system, and when it sees changes to the storage, it will then take actions. I want to be able to detect those changes. Well, luckily, in Linux the backing file

is a file, and so you can use the inotify suite of tools to do that, right? It's pretty straightforward: you just open up a watch. This is what happens when you put up a watch. Right now, this is inotify watching the public backing file for my presented storage, and some things are written to it, so you get these modify commands, or modify signals. The only problem with this is it generates a lot of signals for every write. This is a single write here, I think it was a JPG file, I don't remember exactly, but it generates a lot of noise, and I want to be able to do something after every modification, but that's too

many. I know I can't process all those, I don't wanna do that. I'm only on a little PocketBeagle; it might slow things down, I might jam up the whole thing. So I wrote the scripts in the code which basically turn into a low-pass band filter: it takes all those inotify commands and reduces them to one signal, so that way you only have to react once for any given file write. And then, once you have that, you can mount the backing file internally to the device and you can see what was done to it. But what you can't do at this point is, you can't write to it.

All right, if you have two parts of the same system that have write access to this particular backing file, it's very undefined behavior and it's not going to result in good work for you. So you can only do it read-only, which complicates the way I want Chaos Drive to work a little bit. So that means before I present the storage, or after the storage is closed, that's the only time I can make changes to the storage, and so that's something that has to happen on boot or turn-off. And then you have to use the loop device again to get that thing mounted correctly to read it, and that's why those commands are there, like I already mentioned, to help

you with those fiddly bits and get that thing up and running. All right, so now I got to this point: my proof of concept script. I'm not really a bash coder, but I wanted to make sure that my idea was going to work, just kind of in general. Pardon me. Y'all get your NSA water bottles? I drank from this without washing it; I'm not sure that was a good idea. All right, so this is my basic little script. This is all it took once I got all that stuff worked out. Once I got my system up and running, this is all it took to make it work. It literally just... it presents the

storage, it watches for writes to it, and then it checks for my command file in place, and then it switches the storage. It absolutely worked, and so I did my first happy dance with this thing here. And now a little funny story about GIFs in Microsoft and using them in Google Slides: that guy will never stop dancing, never, even when he's in the little corner of your screen, in your slide sorter, while you're trying to work, he's dancing. That's really distracting, so I recommend putting a cover on him when you're not using him. All right, okay, but here's where I ran into my problems: boot times. For those who don't know, systemd will generate this amazing graph for you

to give you a waterfall chart of how your entire system booted. At the very top is the gray bar, that's the basic kernel, then all the services start booting on the right, the left. I know you can't read that, but I'll talk you through a little bit. So this is the basic boot for my kernel. This is the production Raspberry Pi Zero image that they provide, with systemd-analyze, and so it took 18 seconds just for the kernel to boot up, and way down here is my Chaos Drive service, which presents storage at the end of this red bar. That's almost 30 seconds, 40 seconds, depending, and that's really unacceptable from

a perspective of, like, emulating a USB drive, right? It's just not gonna work for me. Most USB drives mount in 2 seconds, 4 seconds, it depends on your system, but pretty quick. So, like all good hackers, I turned to Stack Overflow to solve my problems, and this is the one I found, and the only thing I really took away from everything that was in here was this reverse result so I can reach from, provided by Buildroot. I was like, well, Buildroot it is. So, Buildroot. Buildroot's amazing. It is a whole architecture out there designed to help schlubs like me make embedded Linux processing systems. So it's got a whole list of boards you can use, it's got a

whole build cycle configuration system that you can use to use Buildroot. Buildroot is awesome, but it's also a little bit complicated and thick and finicky, and so I had to follow in the footsteps of multiple folks to get my build to work. Robert C. Nelson: he writes the BeagleBone series of images, the production images that you download, they're mainly all his work, and so looking through his scripts and the configuration files was critical to my work. And then the Embedded Apprentice Linux Engineer project: these guys write great tutorials on how to use these systems, they put on classes, and specifically Thomas Petazzoni did a step-by-step walkthrough of using Build

root on a PocketBeagle, and without that work I would never have been able to figure out how to make my PocketBeagle work. Buildroot also presents really interesting learning opportunities, such as patching Python by hand. So I have to admit I have a problem: I'm a Python 2 user. I'm sorry, I'm sorry. I wrote my whole thing in Python 2, I can't seem to get away from it, and it really came back to bite me here, because Python 2 compiled on GCC 8 doesn't work very well, and when I went to go do my compilation I got a segmentation fault while compiling. Okay, now, I have written a lot of code that segfaults while it runs. I've never

had one that segfaulted while I compiled. So I had to figure out how to patch Python; it required hand-diffing the repo. Hand-patching the core GNU libraries with sed: that's another problem I had. Between two builds, one day I had built my system successfully, I built the next day and a bunch of symbols disappeared, and because the symbols disappeared the libraries would not rebuild for me, and so I had to figure that one out. So I had to use sed, and I think I even had to use vi to get this thing to patch right. All right, but the payoff is great. So at the end of all this, I got the build right, I had a

four... four-second boot time, and that's, like, not even optimized, right? That's, like, out-of-the-box Buildroot. I didn't spend any time trying to optimize it. Four seconds from power-on to login prompt, and I was like, okay, I have a device I can actually use now. So, like I said, it's a difficult system to learn to use, so I want to pass along some of the wisdom I gained while trying to use this thing. First off, this is the configuration tool. Anyone who's compiled Linux has probably seen this before, but this is what you use to set all the very, very specific things you need to make Buildroot work, is

with the configuration tool. Now, Buildroot is a file structure. When you get it, you're basically just downloading a file structure, and it all works from there. At the root of the Buildroot file structure is where you need to use these things. You'll be using menuconfig for Buildroot, using linux-menuconfig, and using busybox-menuconfig to get this thing up and running. But if you decide you want to go to the Linux folder under the Buildroot and then do your configuring from there, you're going to bork your entire setup; it will not work. So always make sure that you're doing the work from

here, that you do it from the root of your Buildroot. And this is what the tool looks like, and it's got a super useful slash function to find things: you type slash, you get this nice little box, and you can look for things. You look for things like the word NOP, and then maybe you find something like this. You find this little guy here. This thing right here kept my thing working for weeks. Finding that I had to turn this N to a Y is what makes the USB gadgets work: it turns on this transceiver, it lets the device work. And if anything I've learned as I've done capture the flags, as I've done

OSCP, as I've practiced being a better hacker, is bytes matter, and that little Y right there, that mattered a lot, and that's what let me get this beautiful light blue text that tells me I have a working USB gadget transceiver, and now I can actually present some storage. So make sure you take advantage of that to find your features. All right: don't accidentally make as root. It doesn't mess your system up at all, there's nothing wrong with the Buildroot setup, there's no malware in there, but it will destroy all the permissions for your entire Buildroot setup, and then you get stuck and you're kind of getting a bad to-do there. You will need to switch to root

frequently, because you'll be writing images to flash drives, SD cards, all this kind of stuff. You'll be doing that, and because you're doing that, make sure you switch back out of root before you make again. All right: perhaps put your Buildroot environment inside a VM, insulated from your iron. So the breaking I had of the GNU libraries was definitely caused when I had to update my systems, like, a VirtualBox up and running; somehow it updated something in the background and it broke my Buildroot build environment two weeks before I was supposed to be here, and I wasn't done building all my stuff, so that took me

like two days to dig myself out of. So maybe put Buildroot in a VM, so that way it stays solid. All right, you got Buildroot working. So the one thing I could not get working on Buildroot was a Buildroot image for Raspberry Pi Zero. I tried over and over and over again and I could not get it to work. There's some problems; I think they updated the chips for the memory on the Raspberry Pi and the code hasn't kept up with it and IGF related information. It started off as basically a shared Google Calendar for CTFs, but now it has CTF rankings, has the CTF ratings, and most significantly it has

lists of challenges and write-ups for them, so it's become sort of a central repository for seeing the write-ups for each of the challenges, right? And the things that you'll find on there: you'll either find the entire write-up published on CTFtime, or very often you'll find a link to, like, a blog post or a GitHub gist that explains how someone was able to solve the challenge that they're looking at. If you're more the visual type, if you like to learn from videos and from audio, there's some great YouTube channels as well. LiveOverflow: I'm a huge fan of that channel. He covers both CTF content but also covers real-world exploitation things. He's got tutorials on using Ghidra, the

new reverse engineering tool from the NSA, because we all like to install NSA software on our machines. As well as Gynvael Coldwind: he's the captain of Dragon Sector, which is one of the top CTF teams in the world according to CTFtime ranking and according to DEF CON CTF results, and he also has a YouTube channel where he goes through and explains how CTF challenges were approached by his team, or by him in particular. You'll find some other ones as well. I think some of the members of the Carnegie Mellon CTF team, Plaid Parliament of Pwning, aka PPP, also do some YouTube videos of how they solve things. So it really depends on your learning style whether a write-up or

a video is a better approach to it, but they're both available out there, and they're both great ways to get an understanding of something you didn't understand while approaching the challenge. So let's flip the coin a little bit. Maybe you, instead of being a player, are on the other side of the table and are designing and building CTFs. Like I said, I've done both. And you want to make a CTF that has a goal of being educational for your players and not just a challenge for your players. The two are not mutually exclusive, but there are definitely ways you can take steps to get more out of the learning opportunities that you're presenting for your players. So there's a

couple of different approaches to educational CTFs. There's public CTFs, maybe run in a conference or a hackerspace, or even just run as an online CTF. There are many CTFs now that aren't even affiliated with any particular event; they just run all their infrastructure in the cloud. One of the things you'll have to realize is you're going to get a huge range of backgrounds and skill levels, right? Like, running the CTF at BSides San Francisco, we see
