Talk given by Toronto Garcez aka torontux during the 3rd edition of the Nullbyte Security Conference on November 26, 2016.
Abstract:
The goal of the presentation is to demonstrate, in a practical way, the step-by-step process of building a botnet out of Wi-Fi routers and/or embedded devices in general. It will show the development of a command and control and the use of "backdoored" firmwares to turn devices into bots.
5. # cat hacklog.txt
“So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.”
“I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device.”
6. # man firmwares
* Download Firmware updates
* Extract from serial(UART)
* Look for the filesystem
7. # man firmwares
* binwalk + hexdump + firmware-mod-kit
* Look for big chunks of 00s or FFs delimiting the parts
* Check for common compression stream patterns
  -> zlib: 78 01, 78 9C, 78 DA
  -> gzip: 1F 8B
  -> LZMA: 5D 00 00 80
* Offset to extract the filesystem
* squashfs
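Worked example of the signature hunt on this slide, added here as illustration (it is not the speaker's tooling, and binwalk already does this far more thoroughly): a small Python scanner that reports long 00/FF padding runs and the zlib/gzip/LZMA magic bytes listed above, then confirms each hit by actually inflating one stream at that offset, because a two-byte zlib magic such as 78 9C shows up by chance all over a binary. The firmware image is constructed inline and is not a real vendor dump.

```python
import gzip
import lzma
import zlib

# Compression-stream magic bytes listed on the slide ("lzma" = the .lzma "alone" header).
SIGNATURES = {b"\x78\x01": "zlib (level 1)", b"\x78\x9c": "zlib (default level)",
              b"\x78\xda": "zlib (level 9)", b"\x1f\x8b": "gzip", b"\x5d\x00\x00\x80": "lzma"}

def find_padding_runs(image: bytes, min_len: int = 64) -> list:
    """(offset, length, byte) of each 0x00/0xFF run >= min_len: these usually delimit the parts."""
    runs, i = [], 0
    while i < len(image):
        if image[i] not in (0x00, 0xFF):
            i += 1
            continue
        j = i
        while j < len(image) and image[j] == image[i]:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i, image[i]))
        i = j
    return runs

def _inflates(data: bytes, kind: str) -> bool:
    """A 2-byte magic is a weak hint: keep the offset only if one whole stream inflates there."""
    try:
        if kind == "lzma":
            d = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
        else:  # +16 selects the gzip wrapper; plain MAX_WBITS expects a zlib header
            d = zlib.decompressobj(wbits=zlib.MAX_WBITS + (16 if kind == "gzip" else 0))
        d.decompress(data)  # bytes after the end-of-stream marker land in d.unused_data
        return d.eof
    except (zlib.error, lzma.LZMAError):
        return False

def scan_image(image: bytes, verify: bool = True) -> list:
    """(offset, kind) for every signature hit; verify=True drops hits that do not inflate."""
    return [(off, kind) for off in range(len(image)) for magic, kind in SIGNATURES.items()
            if image.startswith(magic, off) and (not verify or _inflates(image[off:], kind))]

def build_sample_image() -> bytes:
    """Constructed stand-in for a dump (not a real vendor image): header with a stray
    78 9C, FF padding, gzip kernel, 00 padding, zlib config, 00 padding, LZMA rootfs."""
    kernel = gzip.compress(b"KERNEL " * 200, mtime=0)
    config = zlib.compress(b"config=1\n" * 50)
    rootfs = lzma.compress(b"/bin/busybox\n" * 100, format=lzma.FORMAT_ALONE)
    return (b"HDR0\x78\x9c" + b"\xff" * 128 + kernel + b"\x00" * 256
            + config + b"\x00" * 256 + rootfs)
```

Running `scan_image(build_sample_image(), verify=False)` lists the stray 78 9C at offset 4 as a zlib hit; with verification on, only the three real streams survive, which is the check to apply before handing an offset to dd or firmware-mod-kit.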
25. # cat next_steps.txt
* Fix bugs
* Code refactor
* More features
* Cryptography
* Clients for ARM / MIPS / etc.
* TakeDown Evasion
26. # man tor2web
* https://www.tor2web.org/
“Tor is a software project that lets you anonymously browse the Internet. Tor2web is a project to let Internet users access Tor Onion Services without using Tor Browser”
* replace .onion with .onion.to or .onion.city or .onion.cab or .onion.direct
* Anonymity for the server
* eqt5g4fuenphqinx.onion
* End-to-end encryption