Presentation about Cotopaxi toolkit from Black Hat Asia 2019 Arsenal session. Author: Jakub Botwicz
https://www.blackhat.com/asia-19/arsenal/schedule/index.html#cotopaxi-iot-protocols-security-testing-toolkit-14325
2. About the author
• Jakub Botwicz
Principal Security Engineer
at Samsung R&D Institute in Warsaw, Poland
• Leads a team of security researchers / pentesters
• PhD and MSc at Warsaw University of Technology
• 15+ years experience - previously worked as:
‒ Developer/architect for vendor of encryption devices
‒ Security advisor at credit card payment company
‒ Security consultant and manager at Big4 company
• Big enthusiast of rock climbing and active volcanoes
3. Cotopaxi – origin / idea
• IoT introduced new protocols: CoAP, DTLS, MQTT
and refurbished old protocols: UPnP, SSDP
• Lack of security testing tools for IoT protocols
(except for MQTT)
• Low level of security measures
of IoT components and devices
• Our team performed assessment
of multiple IoT components – results:
- tools
- corpus of malformed messages
- 15+ new vulnerabilities Source: Redbubble sticker:
https://ih1.redbubble.net/image.534691174.7627/sticker,375x360-bg,ffffff.u3.png
4. IoT protocols – Constrained Application Protocol (CoAP)
• IoT messaging protocol
• Provides all types of HTTP requests
in more compact (binary) format
• UDP-based – request / response: 2 packets
(while TCP smallest req/resp: 9 packets)
• Introduces: CONfirmable messages
• Without additional protection
CoAP servers are vulnerable to DDoS
Source: Trend Micro „The Fragility of Industrial IoT’s Data Backbone”
5. IoT protocols – Datagram Transport Layer Security (DTLS)
• UDP-based version of Transport Layer Security
• Reuses all message formats from TLS
– only protocol version IDs are different
• Used as a security layer for all UDP-based
protocols
• Anti-DDoS measure (Hello Verify Request)
is not mandatory and some libraries
do not implement it
(vulnerability BOTAN_000 test it)
Source: Klaus Hartke, Olaf Bergman „Datagram Transport Layer Security in Constrained Environments”
6. IoT protocols – Multicast DNS (mDNS) / DNS-Service Discovery (DNS-SD)
• Discovery of local services: printers, displays
• Querying local services using Multicast addresses
• Reuse query formats from DNS protocols
• Best known as: Apple Bonjour, Zeroconf or Avahi
7. IoT protocols – Message Queuing Telemetry Transport (MQTT)
• Most popular IoT messaging protocol
• Publish/Subscribe message delivery
by Brokers between Clients
Source: Trend Micro „The Fragility of Industrial IoT’s Data Backbone”
8. Cotopaxi – the name
• Active stratovolcano
in Ecuador
• Elevation: 5,897 m
Author: Gerard Prins CC BY-SA 3.0
9. Cotopaxi – the toolkit
• Set of tools
for security testing
of Internet of Things devices
using network IoT protocols
• License: GPL-2.0
• Repository:
https://github.com/samsung/cotopaxi
Source: Rankin Kennedy C.E. (1912) The Book of the Motor Car, Caxton (PD)
10. Cotopaxi – usage scenarios
• For pentesters to:
• analyze environments using IoT, Smart-{Home, Factory, City}
• find active endpoints using IoT protocols
• identify network traffic reflectors (DDoS)
• For security researchers to:
• perform „black box” testing of IoT devices
• identify known security vulnerabilities
• For developers or vendors of IoT devices to:
• fuzz components or interfaces
• test traffic amplification (DDoS)
11. Cotopaxi – features
Reconnaissance:
• Service ping – checking availability of network services
• Software fingerprinting – recognizing the software used by remote network
server
• Resource listing „dirbusting” – discovering resources identified by given
URLs
Pre-exploitation:
• Protocol fuzzing – fuzzing implementation of protocol
• Amplification sniffing – detecting network traffic amplification
• Vulnerability testing – identifying known vulnerabilities
12. Cotopaxi – IoT protocols
• Supported in 1st release:
• Constrained Application Protocol (CoAP)
• Datagram Transport Layer Security (DTLS)
• Multicast DNS (mDNS) / DNS-System Discovery (DNS-SD)
• Message Queuing Telemetry Transport (MQTT)
• Planned for next releases:
• Advanced Message Queuing Protocol (AMQP)
• Discovery and Launch (DIAL)
• Hyper Text Coffee Pot Control Protocol (HTCPCP)
• MQTT-Sensor Networks (MQTT-SN)
• Simple Service Discovery Protocol (SSDP) / Universal Plug and Play (uPnP)
• Zigbee/Z-Wave
14. Cotopaxi feature – „service ping”
• Identifies active service endpoints (IPv4/IPv6:port)
• Not uses ICMP echo!
• For each protocol there is a set of messages
that triggers responses in all tested servers
e.g. DTLS – Client Hello in all DTLS versions
• Better than using standard tools:
• nmap does not recognize CoAP and most DTLS servers
• wireshark will not recognize protocols servers on non-standard ports
• sslyze and similar SSL/TLS tools do not support DTLS
15. Cotopaxi feature – service ping
sudo python -m cotopaxi.service_ping 192.168.1.2 10000-10008,20000-20010,30000-30002
[.] Started service ping
[+] Host 192.168.1.2:10000 does NOT respond to MQTT ping (Connect) message
[+] Host 192.168.1.2:10000 does NOT respond to mDNS ping message
...
[.] Finished service ping (for all addresses, ports and protocols)
==================================================================
Test statistics:
Messages sent: 138, responses received: 58, 58% message loss, test time: 123236 ms
Round-Trip Time (min/avg/max): 11 / 59 / 84 ms
==================================================================
Test results:
Active endpoints:
For Protocol.CoAP: ['192.168.1.2:20000', '192.168.1.2:20002', ... , '192.168.1.2:20009']
Total number of active endpoints: 18
Inactive endpoints: 5
16. Cotopaxi feature – resource listing (dirbusting)
• Equivalent to DirBuster/dirb for CoAP/mDNS
or nmap script coap-resources
• Uses a list of URIs (for CoAP) or services (for mDNS)
• Cotopaxi includes sample lists of resource
• User can provide own list of URIs or services
17. Cotopaxi feature – resource listing (dirbusting)
sudo python -m cotopaxi.resource_listing 192.168.1.2 20000-20010 cotopaxi/lists/urls/short_url_list.txt -P
CoAP
[.] Started resource listing
SENT size:9 RECV size:74 AMPLIFICATION FACTOR:722.00%
[+] Url |test| received code |2_05| on server 192.168.1.2:20001 for method GET
...
[.] Finished resource listing (for all addresses, ports and protocols)
==================================================================
Test statistics:
Messages sent: 33, responses received: 28, 15% message loss, test time: 7088 ms
Round-Trip Time (min/avg/max): 45 / 61 / 115 ms
==================================================================
Test results:
Active endpoints:
For Protocol.CoAP: ['192.168.1.2:20001/test', '192.168.1.2:20002/big']
Total number active endpoints: 2
Inactive endpoints: 20
18. Cotopaxi feature – service fingerprinting
• Detection of software and version used by server
• Equivalent to nmap –sV (Service and Application Version Detection)
• Uses machine learning classifier
• In this version works only for CoAP, DTLS
19. Cotopaxi feature – service fingerprinting (algorithm)
• Preparation of classifier for protocol:
1. Gather all available protocol implementations
2. Generate corpus of packets (payloads)
a. Fuzz implementation of protocol using coverage based fuzzer (like afl)
b. One of output result is set of payloads causing different execution (queue in
afl)
3. For all available implementations:
a. Gather responses of for all payloads
b. Extract features
c. Convert output to format used by Machine Learning tool (ARFF)
4. Train classifier using machine learning (Weka)
5. Implement classifier as Python function
20. Cotopaxi feature – service fingerprinting (training classifier)
Generated classifier:
packet_1_type = No
| packet_3_type = No
| | packet_10_type = No
| | | packet_11_options = Content-Format_Empty: smcp (5.0)
| | | packet_11_options = ETag: libcoap (5.0)
| | packet_10_type = RST: FreeCoAP (5.0)
| | packet_10_type = ACK: moongose (5.0)
| packet_3_type = Empty: iotivity (5.0)
| packet_3_type = ACK
| | packet_0_type = No: coap-rs (5.0)
| | packet_0_type = ACK: lwm2m (5.0)
packet_1_type = RST
| packet_9_code = No: aiocoap (5.0)
| packet_9_code = Empty: ecoap (5.0)
| packet_9_code = 4_00: CoAPthon (5.0)
packet_1_type = ACK: microcoap (5.0)
Features (ARFF format):
@RELATION coap_responses
@ATTRIBUTE class {AIOCOAP, COAPTHON, … }
@ATTRIBUTE packet_0_type { No, Empty, RST, ACK, CON, NON }
@ATTRIBUTE packet_0_code { No, Empty, 2_05, 4_00, 4_01,
4_04, 4_05, 5_00, 5_02, NON }
@ATTRIBUTE packet_0_options { No, Empty, Uri-Query_OK, Uri-
Query_Unsupported_cri, Uri-Query_CoAP_version_mu, Uri-
Query_Method_Not_Allo, Content-Format_Empty, Content-
Format_FFFF, ETag }
@ATTRIBUTE packet_1_type …
@ATTRIBUTE packet_1_code …
@ATTRIBUTE packet_1_options …
…
No – No response from server for this packet
Empty – This field was empty
21. Cotopaxi feature – service fingerprinting
sudo python -m cotopaxi.server_fingerprinter 192.168.0.100 20000 -P CoAP
[.] Started service fingerprinting
[.] Host 192.168.0.100:20000 is alive before test!
[.] Host 192.168.0.100:20000 is alive after test!
[+] CoAP server 192.168.0.100:20000 is using software: aiocoap
[.] Finished service fingerprinting (for all addresses, ports and protocols)
==================================================================
Test statistics:
Messages sent: 8, responses received: 5, 38% message loss, test time: 3493 ms
Round-Trip Time (min/avg/max): 51 / 62 / 83 ms
==================================================================
Test results:
Identified endpoints:
For Protocol.CoAP: ['192.168.0.100:20000 is using aiocoap']
Total number of identified endpoints: 1
Inactive endpoints: 0
22. Cotopaxi feature – protocol fuzzer (black-box)
• Uses corpus of malformed protocol messages (payloads)
prepared with afl (American Fuzzy Loop)
• Checks „service ping” before and after
sending payload
• Allows to use own corpus of payloads
and integrate with mutating fuzzer
• In verbose mode displays
payload and response packet
• Calculates RTT for payloads with responses
and displays Top 10% - potentially interesting
because of longest processing on server
Protocol
CoAP DTLS
mDNS/
DNS-SD
MQTT
Size of
corpus 557 395 77 285
23. Cotopaxi feature – protocol fuzzer
[+] Started fuzzing payload (nr: 395): dtls_corpus/id:000360,sync:fuzzer_tinydtls_slave_laf-1,src:000379
Request:
###[ DTLS Record ]###
content_type= handshake
version = DTLS_1_1
------------------------------------------------------------
Response:
###[ DTLS Record ]###
content_type= handshake
version = DTLS_1_1
…
Payloads with longest Round-Trip Time (RTT):
RTT (sec) | Payload
--------------------------------------------------------------------------------
0.08722 | dtls_corpus/id:000206,src:000168,op:arith8,pos:840,val:+27,+cov
0.08630 | dtls_corpus/id:000362,sync:fuzzer_tinydtls_slave_laf-1,src:000373
24. Cotopaxi feature – protocol fuzzer (cont.)
….
==================================================================
Test statistics:
Messages sent: 795, responses received: 732, 8% message loss, test time: 169906 ms
Round-Trip Time (min/avg/max): 35 / 55 / 131 ms
==================================================================
Test results:
Payloads causing crash:
For Protocol.DTLS: ['192.168.0.100:10004 - payload: id:000308,sync:fuzzer_tinydtls_slave_laf-
1,src:000303,+cov']
25. Cotopaxi feature – vulnerability tester
• Types of vulnerabilities:
• crash (DoS) – leads to crash of server
(detected by service ping)
• traffic amplification (for DDoS)
– responses larger than request
• memory leak – server wastes
memory after processing payload
(requires manual confirmation)
• remote code execution
(currently only detected as crashes)
Vulnerab
ility
Type
Protocol
CoAP DTLS
mDNS/
DNS-SD
MQTT
Crash 5 4 1 1
Traffic
Amplification 1 1
Memory
Leak 1
Remote
Code
Execution
2 1
TOTAL* 7 5 3 2
* 2 vulnerabilities are currently in responsible disclosure process
26. Cotopaxi feature – vulnerability tester
• Example vulnerabilities found by our team
and supported by Cotopaxi
• CVE-2019-9747 tinysvcmdns
mDNS server goes into infinite loop after receiving
DNS query with recursive referenced names
• CVE-2019-9004 Wakaama
CoAP server leaks (wastes) 24 bytes
per each crafted packet
• CVE-2019-9750 IoTivity
CoAP server responds with 6 error messages
Source: Grasshopper shot near Miles City
Mont. C. 1937 Coles Studio Glassgow Mont
27. Cotopaxi feature – vulnerability tester
sudo python -m cotopaxi.vulnerability_tester 192.168.1.2 10000 –cve CVE-2019-9004 –vuln FLUENTBIT_000 –P
DTLS
[.] Started vulnerability testing
[+] Server 192.168.0.100:30000 is NOT vulnerable to FLUENTBIT_000
[+] Server 192.168.0.100:30002 is probably vulnerable to FLUENTBIT_000
[.] Finished vulnerability testing (for all addresses, ports and protocols)
==================================================================
Test statistics:
Messages sent: 7, responses received: 4, 43% message loss, test time: 1100 ms
Round-Trip Time (min/avg/max): 5 / 21 / 43 ms
==================================================================
Test results:
Vulnerable endpoints:
For Protocol.MQTT: ['192.168.0.100:30002 - vuln: FLUENTBIT_000']
Total number of vulnerable endpoints: 1
Invulnerable endpoints: 1
28. Cotopaxi feature – amplification sniffer
• Sniffs for all packets incoming to
and outgoing from specified target
• Target is defined by IPv4 or IPv6 address
and optionally port
• Calculates amplification factor (size_out/size_in - 1)
• Tracks req/resp with highest amplification factor
and display record on exit
• Should be placed on router or use network tap
to see all traffic to/from target
29. DDoS attack via IP Spoofing and Traffic Amplification
Vulnerable IoT devices
Source: Austin Brooks „NTP DDoS Vulnerability”
• Identified amplifiers-reflectors:
• CoAP
• every request with large
response
e.g. CoAPthon example /big
• IoTivity 4.04 6x repeated
response
IOTIVITY_000 issue in tester
• DTLS
• every DTLS server
without Hello Verify Request
e.g. Botan_000 issue in tester
30. Cotopaxi feature – amplifier detector
sudo python -m cotopaxi.amplifier_detector 192.168.0.100
[.] Starting sniffing with filter: udp and host 192.168.0.100
TARGET: 192.168.0.100 | TO TARGET packets: 3, bytes: 165 | FROM TARGET packets: 1, bytes: 60 | AMPLIF FAC
TOR: -64.00%
TARGET: 192.168.0.100 | TO TARGET packets: 6, bytes: 311 | FROM TARGET packets: 3, bytes: 180 | AMPLIF FA
CTOR: -43.00%
[.] Finished sniffing
Highest amplify packet factor: 30%
TO TARGET:
###[ Ethernet ]###
dst = ….
src = ….
type = 0x800
###[ IP ]###
version = 4L
…
FROM TARGET:
###[ Ethernet ]###
dst = ….
31. Cotopaxi – common usage details
• Destination addresses: set or range of IPv4, IPv6 addresses
• Destination port: set or range of ports
• Protocol: ALL or subset of CoAP, DTLS, mDNS, MQTT
• Ignore Ping: -Pn
• Verbose mode: -V (more messages)