Survey
* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project
Download Piano Thieving for Experts
Document related concepts
Transcript
ThruGlassXfer Ted doesn’t think this can end well October 2014 Through Glass Transfer // Ian Latter This is enterprise @ L7 • Remote access – VMware – Citrix – RDP – VNC – SSH – etc ad nausea • Console abstraction October 2014 Through Glass Transfer // Ian Latter Optical Packet Network (L3) • Data exfiltration – Imagine the screen as cut fiber optic bundle • Consider an image (arbitrarily: QR Code) as an optical packet within the ether of the display • Animate it - replace one image for another image to create a packet flow • Datagram network protocol, OSI Layer 3 – Layer 4 problems for receiver • Uni-directional flow (no flow control) • Camera oversampling, Packet duplication October 2014 Through Glass Transfer // Ian Latter TGXf Transport Protocol + Through Glass Transfer (exfiltrate) • One way data transfer, two or more peers Features (at Layers 4-7) • Supports high latency, interrupted transfers, error detection, 80bps -> 32kbps, and; • ANSI terminal displays (42x21 chars) – Requires (of Layer 3) • Basically binary encoding and >10bytes MTU – Either 1, 2, 5, 8 or 10 Frames Per Second (FPS) – QR Code version 1, 2, 8 or 15 – Binary encoding, Type M (15%) error correction October 2014 Through Glass Transfer // Ian Latter Keyboard Packet Network (L3) • Data infiltration – Arduino Leonardo – USB HID Keyboard • No drivers needed! • Keyboard.println(“x”) – Upload arbitrary executables via keyb • Images; – Digispark - 6KB flash – Leostick - 32KB flash October 2014 Through Glass Transfer // Ian Latter TKXf – “Keyboard Stuffer” Through Keyboard Transfer (infiltrate) • Target Arduino (top) – USB HID Keyboard • Encodes received raw/binary data as keys – Alter “Keyboard” library to expose HID packet (12x faster ++) • Attacker Arduino – USB Serial Interface • Sends raw/binary octets to Target Arduino October 2014 Through Glass Transfer // Ian Latter TCXf Application Architecture Through Console Transfer (full duplex compromise) October 2014 Through Glass Transfer // Ian Latter TCXf IP Network Evolution • PPP over the Screen and Keyboard – On the target device; • sudo pppd 10.1.1.1:10.1.1.2 debug noccp nodetatch pty “netcat localhost 8442” – Note the privilege required to create a NIC (We already had a full-duplex socket without it) – On the attackers device; • sleep 2; sudo pppd noipdefault debug noccp nodetatch pty “netcat localhost 8442” October 2014 Through Glass Transfer // Ian Latter TCXf PPP via XPe Thin Client Playing video .. October 2014 Through Glass Transfer // Ian Latter Thank-you! – Thanks to Ruxcon • Thanks to my wife and daughter • ThruGlassXfer – Information site: http://thruglassxfer.com/ Source code, white paper, and videos are all available – Project site: http://midnightcode.org/projects/TGXf/ – Contact me: [email protected] (If you’re talking to me on social media, it’s not me) October 2014 Through Glass Transfer // Ian Latter
