ThruGlassXfer
Ted doesn't think this can end well
October 2014 Through Glass Transfer // Ian Latter
This is enterprise @ L7
• Remote access
  – VMware
  – Citrix
  – RDP
  – VNC
  – SSH
  – etc. ad nauseam
• Console abstraction
Optical Packet Network (L3)
• Data exfiltration
  – Imagine the screen as a cut fiber optic bundle
• Consider an image (arbitrarily: a QR Code) as an optical packet within the ether of the display
• Animate it - replace one image with another image to create a packet flow
• Datagram network protocol, OSI Layer 3
  – Layer 4 problems for the receiver
    • Uni-directional flow (no flow control)
    • Camera oversampling, packet duplication
TGXf Transport Protocol +
• Features (at Layers 4-7)
  – One way data transfer, two or more peers
  – Supports high latency, interrupted transfers, error detection, 80bps -> 32kbps, and;
  – ANSI terminal displays (42x21 chars)
• Requires (of Layer 3)
  – Basically binary encoding and >10 bytes MTU
  – Either 1, 2, 5, 8 or 10 Frames Per Second (FPS)
  – QR Code version 1, 2, 8 or 15
  – Binary encoding, Type M (15%) error correction
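As an added illustration (not code from the TGXf project), the script below derives the channel's bandwidth envelope from the version and frame-rate sets on this slide, using the standard QR byte-mode capacities at error-correction level M, and estimates how many frames a file of a given size would need, which is the figure a defender wants when judging how long a screen-side transfer would have to run. The 4-byte per-frame transport header is an assumption, chosen because it reproduces the 80 bps floor quoted above.

```python
import math

# Added example (not TGXf project code): bandwidth envelope of a QR-code
# screen channel for the parameter set on this slide.
# Byte-mode capacity at error-correction level M from the standard QR
# capacity table, for the four versions the protocol supports.
QR_BYTES_M = {1: 14, 2: 26, 8: 152, 15: 415}
FRAME_RATES = (1, 2, 5, 8, 10)      # QR symbols (frames) per second
HEADER_BYTES = 4                    # ASSUMPTION: per-frame transport header

def payload_per_frame(version, header=HEADER_BYTES):
    """Usable bytes per frame once the header is taken out.  The slide
    requires the Layer 3 MTU (the symbol capacity) to exceed 10 bytes."""
    mtu = QR_BYTES_M[version]
    if mtu <= 10:
        raise ValueError(f"QR version {version}: MTU of {mtu} bytes is too small")
    return mtu - header

def bits_per_second(version, fps):
    return payload_per_frame(version) * 8 * fps

def envelope():
    """((slowest profile, bps), (fastest profile, bps)) over every combination."""
    rates = {(v, f): bits_per_second(v, f) for v in QR_BYTES_M for f in FRAME_RATES}
    low = min(rates, key=rates.get)
    high = max(rates, key=rates.get)
    return (low, rates[low]), (high, rates[high])

def frames_needed(nbytes, version):
    """Frames a payload of nbytes occupies at a given QR version."""
    return math.ceil(nbytes / payload_per_frame(version))

def seconds_needed(nbytes, version, fps):
    return frames_needed(nbytes, version) / fps

if __name__ == "__main__":
    (lo, lo_bps), (hi, hi_bps) = envelope()
    print(f"slowest: version {lo[0]} at {lo[1]} fps = {lo_bps} bps")
    print(f"fastest: version {hi[0]} at {hi[1]} fps = {hi_bps} bps")
    for v in QR_BYTES_M:
        print(f"1 MB via version {v} at 10 fps: {seconds_needed(1_000_000, v, 10):.0f} s")
```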
Through Glass Transfer (exfiltrate)
Keyboard Packet Network (L3)
• Data infiltration
  – Arduino Leonardo
  – USB HID Keyboard
    • No drivers needed!
    • Keyboard.println("x")
  – Upload arbitrary executables via keyb
• Images;
  – Digispark - 6KB flash
  – Leostick - 32KB flash
TKXf – "Keyboard Stuffer"
• Target Arduino (top)
  – USB HID Keyboard
    • Encodes received raw/binary data as keys
  – Alter "Keyboard" library to expose HID packet (12x faster ++)
• Attacker Arduino
  – USB Serial Interface
    • Sends raw/binary octets to Target Arduino
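A defender-side check, added here and not part of the TKXf project: because the stuffer drives the HID keyboard with no flow control at a fixed report interval, its keystroke stream is both faster and far more regular than typing, and a keystroke event log can be scored on exactly those two properties. The thresholds, the window size and the sample events below are assumptions constructed for illustration.

```python
import statistics

# Added example (not TKXf project code): flag machine-like keystroke timing.
# Thresholds and window size are ASSUMPTIONS chosen for illustration.
MAX_HUMAN_KEYS_PER_SEC = 12.0   # sustained rate beyond fast human typing
MIN_HUMAN_JITTER_MS = 2.0       # people cannot hold sub-2 ms regularity
WINDOW_KEYS = 20                # keystrokes examined per window

def analyse(events):
    """events: [(timestamp_ms, key), ...] in time order.  Returns a verdict."""
    times = [t for t, _ in events]
    if len(times) < 2:
        return {"keys_per_sec": 0.0, "jitter_ms": 0.0, "reasons": []}
    gaps = [b - a for a, b in zip(times, times[1:])]
    span_s = (times[-1] - times[0]) / 1000.0
    rate = float("inf") if span_s == 0 else len(gaps) / span_s
    jitter = statistics.pstdev(gaps)          # 0 for a fixed report interval
    reasons = []
    if rate > MAX_HUMAN_KEYS_PER_SEC:
        reasons.append("rate")
    if len(gaps) >= 10 and jitter < MIN_HUMAN_JITTER_MS:
        reasons.append("regularity")
    return {"keys_per_sec": round(rate, 1), "jitter_ms": round(jitter, 2),
            "reasons": reasons}

def scan(events, window=WINDOW_KEYS):
    """Slide a fixed-size window over the stream and return (start_index,
    verdict) for every window that looks injected, so a burst inside
    otherwise human typing is still caught."""
    hits = []
    for i in range(max(0, len(events) - window + 1)):
        verdict = analyse(events[i:i + window])
        if verdict["reasons"]:
            hits.append((i, verdict))
    return hits

# Constructed sample: 20 human-paced keys, then a 40-key burst at a fixed
# 8 ms spacing, as a HID stuffer with no flow control would produce.
_HUMAN_GAPS_MS = [130, 90, 210, 75, 160, 110, 95, 240, 85, 120] * 2
HUMAN, _t = [], 0
for _g in _HUMAN_GAPS_MS:
    _t += _g
    HUMAN.append((_t, "k"))
BURST = [(HUMAN[-1][0] + 500 + i * 8, "k") for i in range(40)]
MIXED = HUMAN + BURST

if __name__ == "__main__":
    print("human:", scan(HUMAN))                        # []
    print("first injected window:", scan(MIXED)[0][0])
```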
Through Keyboard Transfer (infiltrate)
TCXf Application Architecture
Through Console Transfer (full duplex compromise)
TCXf IP Network Evolution
• PPP over the Screen and Keyboard
  – On the target device;
    • sudo pppd 10.1.1.1:10.1.1.2 debug noccp nodetach pty "netcat localhost 8442"
  – Note the privilege required to create a NIC
    (We already had a full-duplex socket without it)
  – On the attacker's device;
    • sleep 2; sudo pppd noipdefault debug noccp nodetach pty "netcat localhost 8442"
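An added detection example (not from the TCXf project) for the recipe above: on the host, the tunnel exists as a pppd process whose pty option points at a netcat-style relay rather than a modem or chat script, and a process inventory can pick that out. The relay binary list and the sample process table are assumptions; a pppd started with a connect/chat script is included as a benign control.

```python
import re
import shlex
from pathlib import PurePosixPath

# Added example (not TCXf project code): find pppd processes whose `pty`
# option hands the link to a netcat-style relay instead of a modem or chat
# script.  The relay list and the sample process table are ASSUMPTIONS.
RELAY_BINARIES = {"nc", "netcat", "ncat", "socat"}
ADDR_PAIR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample of (pid, user, argv) as /proc/<pid>/cmdline reports it:
# the pty script is a single argv element, exactly as the shell passed it.
SAMPLE = [
    (1201, "root", ["pppd", "call", "provider"]),
    (1410, "root", ["pppd", "10.1.1.1:10.1.1.2", "debug", "noccp", "nodetach",
                    "pty", "netcat localhost 8442"]),
    (1415, "bob", ["netcat", "localhost", "8442"]),
    (1502, "root", ["pppd", "connect", "/usr/sbin/chat -v -f /etc/ppp/chat-isp",
                    "/dev/ttyUSB0", "115200"]),
]

def inspect_pppd(argv):
    """Return a finding for a pppd run over a relay pty, otherwise None."""
    if argv and argv[0] == "sudo":                # tolerate a sudo wrapper
        argv = argv[1:]
    if not argv or PurePosixPath(argv[0]).name != "pppd":
        return None
    for i, tok in enumerate(argv[:-1]):
        if tok != "pty":
            continue
        try:
            helper = shlex.split(argv[i + 1])
        except ValueError:
            helper = argv[i + 1].split()
        if helper and PurePosixPath(helper[0]).name in RELAY_BINARIES:
            local_remote = next((t for t in argv if ADDR_PAIR.match(t)), None)
            return {"relay": helper[0], "script": argv[i + 1],
                    "addresses": local_remote}
    return None

def find_console_ppp(processes):
    """processes: iterable of (pid, user, argv).  Returns one dict per hit."""
    hits = []
    for pid, user, argv in processes:
        finding = inspect_pppd(argv)
        if finding:
            hits.append({"pid": pid, "user": user, **finding})
    return hits

if __name__ == "__main__":
    for hit in find_console_ppp(SAMPLE):
        print(hit)
```

For a live sweep on Linux, build the argv lists by reading /proc/<pid>/cmdline and splitting on NUL bytes, which preserves the pty script as one argument; `ps` output loses that boundary.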
TCXf PPP via XPe Thin Client
Playing video ..
Thank you!
• Thanks to Ruxcon
• Thanks to my wife and daughter
• ThruGlassXfer
  – Information site: http://thruglassxfer.com/
    Source code, white paper, and videos are all available
  – Project site: http://midnightcode.org/projects/TGXf/
  – Contact me: [local part obfuscated in source]@midnightcode.org
    (If you're talking to me on social media, it's not me)