
[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto


Designed on a Raspberry Pi and aimed at Red Team Ops, CIRCO takes advantage of "Sec/Net/Dev/Ops" enterprise tools to capture network credentials in stealth mode, using low-profile hardware and electronics camouflaged as a simple network outlet box that can sit under or over a desk. CIRCO includes different techniques for network data exfiltration to avoid detection by IDS/IPS or monitoring systems. The tool gathers information and uses a combination of honeypots to trick automation systems into giving up their network credentials. We will build a physical network and infrastructure lab to show how CIRCO works (live demo). Major features for release v1.5:

- Allow existing IP-Phone to co-exist with CIRCO
- Eliminate template files (craft all packets)
- Support NTP exfiltration
- Software encrypted via Bluetooth (prevent forensics)
- Self destroy and alarm switch
- Bypass active & passive fingerprinting (NAC)
- Credentials integration into Faraday


  1. CIRCO: Cisco Implant Raspberry Controlled Operations (https://circo.cc)
  2. Hello
     - My name is Emilio and I'm a hacker
     - I like to play with packets, networks, electronics and 3D printers
     - I presented security tools at various conferences (DEF CON, BlackHat Asia, AV Tokyo HIVE, SECCON, HITB, etc.)
     - Sorry, I'm not a native programmer or English/Japanese speaker :)
  3. What's new?
     - Allow existing IP-Phone to co-exist with CIRCO
     - Eliminate template files (craft all packets)
     - Support NTP exfiltration
     - Software encrypted via Bluetooth (prevent forensics)
     - Self destroy and alarm switch (thanks Will)
     - Bypass fingerprinting (NAC)
     - Credentials integration into Faraday (thanks Fran)
  4. Who do we target?
     - Cisco DNA (Digital Network Architecture)
     - Infoblox NetMRI
     - Micro Focus® Network Automation (formerly HP NA)
     - ServiceNow Discovery (SNMP discovery only)
     - ForeScout CounterACT (NAC)
     - Trusted network administrators
     - Others
  5. CIRCO Evolution (diagram)
  6. Demo Box v1 and Production Box v1.4 (photos)
  7. Production Box v1.5 (photo)
  8. Software
     - Components
       - CIRCO: Implant (hardware & software)
       - CARPA: Credentials Receiver (Internet VPS, software and domain NS)
       - JAULA: Wireless Credentials Receiver (software)
     - Python 2
       - Mainly Scapy for packet manipulation
       - Migration to Python 3 started…
     - Features
       - Honeypot services that behave as a Cisco Switch or IP-Phone
       - Trick NAC systems (nmap, Phone whitelisted, Golden MAC)
       - OSfooler-NG (https://github.com/segofensiva/OSfooler-ng/)
     - Exfiltration via covert channel protocols
       - ICMP (ping), Traceroute, NTP, HTTP, HTTPS, DNS, Proxy (DNS) and Wireless
     - Extra: get plain credentials if a PC is plugged into the IP-Phone
       - net-creds (https://github.com/DanMcInerney/net-creds)
  9. Fake Services (Honeypots)
     - Cisco CDP & LLDP Advertisement (as IP-Phone & Network Switch)
     - Cisco SNMP Agent
     - Cisco Telnet CLI (IOS 15.x)
     - Cisco SSH CLI (IOS 15.x)
     - Mimic IOS packet formats to avoid NAC/IDS/IPS
  10. Demo Time!
  11. Lab Network Diagram (diagram)
  12. Exfiltration Format
     - Telnet
       - t,<username>,<password>,<src_IP>
       - t,e,<enable_password>,<src_IP>
     - SSH
       - s,<username>,<password>,<src_IP>
       - s,e,<enable_password>,<src_IP>
     - SNMP (v1/v2)
       - p,<community>,<src_IP>
     - net-creds (optional, under development)
       - n,<credentials>,<src_IP>
  13. Network Exfiltration Techniques
     - ICMP (IP.id & ICMP.seq fields)
     - Traceroute (IP.id field & UDP payload)
     - HTTP and HTTPS (IP.id & TCP.window fields)
     - NTP (NTP.stratum, NTP.poll, NTP.tx.timestamp)
     - DNS (NS query evil.sub.domain)
     - DNS (A query) via Proxy (DHCP Option 252, WPAD.<domain>, PAC guessing via DNS)
     - Wireless (SSID name & Dot11.beacon, Dot11.SC and Dot11.interval); proximity required
     - Credentials & IP address are encrypted with AES256 before sending
  14. ICMP Exfiltration Flow (diagram)
  15. Traceroute Exfiltration Flow (diagram)
  16. HTTP/HTTPS Exfiltration Flow (diagram)
  17. NTP Packet "Fraction" (diagram)
  18. NTP Exfiltration Flow (diagram)
  19. DNS Exfiltration Flow (diagram)
  20. Proxy (DHCP) Exfiltration Flow (diagram)
  21. Proxy (WPAD) Exfiltration Flow (diagram)
  22. Proxy (DNS Guessing) Exfiltration Flow (diagram)
  23. Wireless Exfiltration Flow (diagram)
  24. Thank you! Emilio (ekio_jp), https://github.com/ekiojp/circo, https://circo.cc
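Slide 13 lists the ICMP channel as carrying data in the IP.id and ICMP.seq fields. The following detector is an added example written from the defender's side, not code from the CIRCO project: it assumes a packet parser has already extracted those header fields into per-packet dicts (the sample records below are constructed, not captured), groups echo requests into flows and flags flows whose ICMP.seq does not advance by one per request, which is what a genuine ping does.

```python
from collections import defaultdict

# Constructed sample ICMP echo-request records (not real captures). Each dict
# holds the header fields a packet parser would expose for one request.
SAMPLE_PACKETS = [
    # Normal ping from 192.0.2.10: IP.id and ICMP.seq both count up by one.
    *[{"src": "192.0.2.10", "dst": "198.51.100.1", "icmp_id": 0x1234,
       "ip_id": 0x2000 + i, "icmp_seq": i} for i in range(1, 9)],
    # Suspicious flow from 192.0.2.99: both fields carry arbitrary values.
    *[{"src": "192.0.2.99", "dst": "203.0.113.7", "icmp_id": 0x0042,
       "ip_id": v, "icmp_seq": s}
      for v, s in [(0x5C1A, 0x9F03), (0x0117, 0x44E2), (0xE0B9, 0x0C77),
                   (0x7A45, 0xD1A8), (0x3D3D, 0x6B20), (0xA8F1, 0x2E59),
                   (0x14C6, 0xF7B4), (0x9B02, 0x8D0D)]],
]

def _small_delta_ratio(values, limit):
    """Fraction of consecutive 16-bit deltas that lie in 1..limit."""
    deltas = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    return sum(1 for d in deltas if 1 <= d <= limit) / len(deltas)

def analyse_icmp_flows(packets, min_packets=6, seq_threshold=0.8):
    """Group echo requests by (src, dst, icmp_id) and score each flow.
    A genuine ping increments ICMP.seq by exactly one per request, so a flow
    whose seq deltas are rarely 1 is flagged. IP.id regularity is reported as
    supporting evidence only: Linux and Windows count it up, but some BSDs
    randomise it, so it must not be used as the sole trigger."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p["src"], p["dst"], p["icmp_id"])].append(p)
    report = {}
    for key, pkts in flows.items():
        if len(pkts) < min_packets:      # too few samples to judge
            continue
        seq_ratio = _small_delta_ratio([p["icmp_seq"] for p in pkts], 1)
        ipid_ratio = _small_delta_ratio([p["ip_id"] for p in pkts], 32)
        report[key] = {
            "packets": len(pkts),
            "seq_plus_one_ratio": round(seq_ratio, 2),
            "ip_id_small_delta_ratio": round(ipid_ratio, 2),
            "suspicious": seq_ratio < seq_threshold,
        }
    return report

if __name__ == "__main__":
    for flow, verdict in analyse_icmp_flows(SAMPLE_PACKETS).items():
        print(flow, verdict)
```

The same delta-regularity check transfers to the Traceroute and HTTP/HTTPS channels on slide 13, which reuse IP.id and add the TCP window field; a real deployment would feed it from a capture library rather than the embedded sample.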
