SlideShare une entreprise Scribd logo

Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero

Télécharger en tant que PPTX, PDF
RootedCON
RootedCON

RootedCON https://www.rootedcon.com Marzo/March 5-7 2020 Madrid (Spain)

Technologie
1  sur  25
Roapt evil mass storage & Tu-ya aqui? David Reguera Garcia aka Dreg & Abel Valero Lozano aka SkUaTeR 2020
David Reguera Garcia aka Dreg • Senior malware researcher, C, C++, ASM, x86_64, ARM Cortex & AVR-8-bit • Contributing to rootkit unhooker, unhide, x64dbg, enyelkm, anticuckoo, dbgchild.... • https://github.com/David-Reguera-Garcia-Dreg • https://twitter.com/fr33project • http://www.fr33project.org/ • dreg@fr33project.org
evil mass storage – POC just for fun • infect a target machine without NET & exfiltrate info • hardware: at90usb1287 + atmega328p + ts3usb221 + mosfet + sd card reader (SPI) + rf 433MHz ASK … • multi-stage malware: only visible when connected to target • exfiltrate info via two ways: • mass storage: crypt & hidden sectors • radio: rf 433MHz ASK • firmware: keyboard + mass storage (USB composite device). LUFA + FatFs + Dreg adaptation “USB Mass storage SD card for Teensy2/ATMEGA32U4 by Mathieu Sonet” • dynamic: serial, VID, PID, USB Descriptor, decrypt/delete sectors…
external hardware - receiving data • rf 433mhz receiver • WIFI AP/STA • SMS • GSM/GPRS • MICRO SD CARD
demo prototype evil mass storage
prototype shopping list 1 • mini soldering iron + iron tip • arduino uno + cable • arduino mega 2560 + cable • USB 2.0 Type A 1-Male 1-Female to 5P Screw with/ Shield Terminal Plug Adapter Connector • USB to DIP Type A 2-Female 1-Male USB Adapter Converter for 2.54mm PCB Board DIY • ESP-01S ESP8266 Serial Wi-Fi Wireless Module + ESP-01 Adapter for Arduino (5v) • 400 Tie Points Solderless PCB Breadboard Mini Universal Test Protoboard DIY Bread Board Bus (x2)
prototype shopping list 2 • 4 Channel 5V 3.3V IIC UART SPI TTL Logic Level Converter level conversion module • 10pcs High Efficiency Test Hook Clip Logic Analyzer Cable Gripper Probe Test Clamp Kit • kit LEDs 5mm Red Blue Green Yellow White • mosfet NDP6020P TO-220 NDP6020 TO220 6020P P-channel • 433 Mhz RF Receiver and Transmitter Module. RX470-4, WL102- 341, Short antenna for Transmitter. Long antenna for Receiver • common values resistor Kit • DIY TS3USB221 High-Speed USB 2.0 (480Mbps) 1:2 Multiplexer To Demultiplexer Switch With Single Enable Board Module
prototype shopping list 3 • Reader Adapter for Micro SD USB 2.0 TF M2 MMC MS PRO DUO Card Reader • 2PCS 9V rechargeable battery large capacity 1000mAh lithium ion rechargeable battery + 1PCS smart 9 V charger • 9V PP3 Battery Holder Box Case Wire Lead ON/OFF Switch Cover with DC 2.1mm Plug • SanDisk micro SD card 16GB SDHC + adapter • DC 9V1A 9V 1A Power Supply AC 100V-240V Converter Adapter Plug Charger 5.5mm x 2.1mm 1000mA • SIM808 module GSM GPRS GPS Development Board IPX SMA with GPS Antenna
prototype shopping list 4 • Screw Kit Screw Driver • Micro SD / TF Card Breakout to DIP Board Module (3.3v) • Micro SD Module TF Micro SD Storage Board TF Card Memory Shield (5v) • 120pcs 40PIN 20CM Dupont Line Male to Male, Female to Male, Female to Female Jumper Dupont Wire Cable • AT90USBKEY2 • ATMEL ICE (ATATMEL-ICE) • solder iron tip cleaning sponge pad • Tin Lead Rosin Core Solder Wire
prototype shopping list 5 • Hot Air Glue Gun Thermo Electric Heat Temperature • Test hook clip,Grabber SMD IC Test Probe Hook for Multimeter,Logic analyzer… • 20pcs 10 pairs 40 Pin 1x40 Single Row Male and Female 2.54 Breakable Pin Header PCB
Roapt – my own pcb for attack • soon available at www.rootkit.es • JTAG, ICSP, UART… •current beta prototype 1.0
SD card SDHC 16GB special mass storage 2GB FAT16 • f.exe • g normal mass storage 2GB FAT16 • f.exe • g f.exe stage1 f.exe stage2 … exfiltrate area • FAT16, Only 1 FAT TABLE. SPI is slow • f.exe: malware crypted – multi-stage • exfiltrate blocks crypted from .exe • g: file for communication with firmware. firmware can encrypt/decrypt sectors, relocate writes & reads, reset USB connection (OS cache), change stages, delete all f.exe entries.. • special area is “protected” • Its possible switch between special-normal • normal area can be formatted
demo create & burn SD card image
demo firmware: dev, debug & flash. Atmel studio 7
• USB Mass Storage: Designing and Programming Devices and Embedded Hosts • USB Complete: The Developer's Guide (Complete Guides series) • https://www.microchip.com/DevelopmentTools/Product Details/PartNO/AT90USBKEY2 • https://www.microchip.com/wwwproducts/en/AT90US B1287 • https://www.avrfreaks.net/ • http://elm-chan.org/fsw/ff/00index_e.html • http://www.fourwalledcubicle.com/LUFA.php
TO-DO •improve source code: leaks, overflows, crap code… •improve performance: fatfs, ISRs… •more firmware & examples: SharpLocker/LockScream... •more doc •OS X & Linux examples •more keyboard langs (current English) •support multi-file (current POC is limited) •exf mode selection: 433MHz(slow) or mass storage(faster)
Future (maybe) • ARM Cortex-M4 180MHz 32 bit + rf transceiver •NXP Kinetis MK66FN2M0VMD18 or MK66FX1M0VMD18 • native 4bit-SDIO micro sd card port (SPI is very slow) •cryptographic acceleration unit (AES) & CRC • random number generator •https://www.pjrc.com/store/teensy36.html • NXP Kinetis FRDM-K66F board • https://www.utasker.com/kinetis/FRDM-K66F.html
Greetz & credits •janio IRC-HISPANO •Sergio Lara & Luis Fernando Regel – Panda •Jose Vicente Martínez – electronic engineering •Paul Stoffregen - pjrc, teensy, altsoftserial… •Mathieu Sonet: mass storage SD for Teensy2/ATMEGA32U4 •Dean Camera: lufa •ChaN: fatfs •Yassin Said Esteller avrfreaks.net
Thx! Questions? evil mass storage in my github •https://www.rootkit.es •https://github.com/David-Reguera-Garcia-Dreg •https://twitter.com/fr33project •http://www.fr33project.org/ •dreg@fr33project.org

Recommandé

The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
Javier Junquera
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
Jason Choi
 
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
RootedCON
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]
RootedCON
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Lane Huff
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
RootedCON
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
Chong-Kuan Chen
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski
PROIDEA
 

Recommandé

The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
Javier Junquera
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
Jason Choi
 
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
RootedCON
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]
RootedCON
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Lane Huff
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
RootedCON
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
Chong-Kuan Chen
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski
PROIDEA
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_final
PacSecJP
 
Sysdig Open Source Intro
Sysdig Open Source IntroSysdig Open Source Intro
Sysdig Open Source Intro
Michael Ducy
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2
Luis Grangeia
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
Positive Hack Days
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
PROIDEA
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
PROIDEA
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
CODE BLUE
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
RootedCON
 
Mem forensic
Mem forensicMem forensic
Mem forensic
Chong-Kuan Chen
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
Paul Melson
 
Использование KASan для автономного гипервизора
Использование KASan для автономного гипервизораИспользование KASan для автономного гипервизора
Использование KASan для автономного гипервизора
Positive Hack Days
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invaders
Tazdrumm3r
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
INSIGHT FORENSIC
 
BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet
BlueHat Security Conference
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
grecsl
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume Compromise
Zach Grace
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
Kali tools list with short description
Kali tools list with short descriptionKali tools list with short description
Kali tools list with short description
Jose Moruno Cadima
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
Michael Boman
 
Hardware Hacks
Hardware HacksHardware Hacks
Hardware Hacks
n|u - The Open Security Community
 
Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...
Alexander Bolshev
 

Contenu connexe

Tendances

Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
Positive Hack Days
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
PROIDEA
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
PROIDEA
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
CODE BLUE
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
RootedCON
 
BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet
BlueHat Security Conference
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 

Tendances (20)

Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_final
 
Sysdig Open Source Intro
Sysdig Open Source IntroSysdig Open Source Intro
Sysdig Open Source Intro
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
 
Mem forensic
Mem forensicMem forensic
Mem forensic
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Использование KASan для автономного гипервизора
Использование KASan для автономного гипервизораИспользование KASan для автономного гипервизора
Использование KASan для автономного гипервизора
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invaders
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
 
BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume Compromise
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Kali tools list with short description
Kali tools list with short descriptionKali tools list with short description
Kali tools list with short description
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 

Similaire à Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero

Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...
Alexander Bolshev
 
OSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc NewlinOSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc Newlin
EC-Council
 
microcontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdf
microcontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdfmicrocontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdf
microcontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdf
adfadfadf
 
FZ3 Card - Deep Learning Accelerator Card
FZ3 Card - Deep Learning Accelerator CardFZ3 Card - Deep Learning Accelerator Card
FZ3 Card - Deep Learning Accelerator Card
Linda Zhang
 

Similaire à Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero (20)

Hardware Hacks
Hardware HacksHardware Hacks
Hardware Hacks
 
Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...
 
Insecure Obsolete and Trivial - The Real IOT
Insecure Obsolete and Trivial - The Real IOTInsecure Obsolete and Trivial - The Real IOT
Insecure Obsolete and Trivial - The Real IOT
 
OSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc NewlinOSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc Newlin
 
Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014
Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014
Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014
 
Parallel Rendering of Webpages
Parallel Rendering of WebpagesParallel Rendering of Webpages
Parallel Rendering of Webpages
 
Gadgets
GadgetsGadgets
Gadgets
 
microcontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdf
microcontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdfmicrocontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdf
microcontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdf
 
Republic of IoT - Hackathon Hardware Kits Hands-on Labs
Republic of IoT - Hackathon Hardware Kits Hands-on LabsRepublic of IoT - Hackathon Hardware Kits Hands-on Labs
Republic of IoT - Hackathon Hardware Kits Hands-on Labs
 
Single chip computer for iot application
Single chip computer for iot application Single chip computer for iot application
Single chip computer for iot application
 
Presentation_BTBox_2012
Presentation_BTBox_2012Presentation_BTBox_2012
Presentation_BTBox_2012
 
Multipilot pres-ufficiale def
Multipilot pres-ufficiale defMultipilot pres-ufficiale def
Multipilot pres-ufficiale def
 
Tools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalTools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade Final
 
Asus Tinker Board
Asus Tinker BoardAsus Tinker Board
Asus Tinker Board
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
 
FZ3 Card - Deep Learning Accelerator Card
FZ3 Card - Deep Learning Accelerator CardFZ3 Card - Deep Learning Accelerator Card
FZ3 Card - Deep Learning Accelerator Card
 
160110_ChameleonMini_history_smaller.pdf
160110_ChameleonMini_history_smaller.pdf160110_ChameleonMini_history_smaller.pdf
160110_ChameleonMini_history_smaller.pdf
 
O meu futuro PC
O meu futuro PCO meu futuro PC
O meu futuro PC
 
NVDK-ESP32 Quick Start Guide
NVDK-ESP32 Quick Start GuideNVDK-ESP32 Quick Start Guide
NVDK-ESP32 Quick Start Guide
 
Eris iot development board
Eris iot development boardEris iot development board
Eris iot development board
 

Plus de RootedCON

Plus de RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
 

Dernier

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Dernier (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero

  • 1. Roapt evil mass storage & Tu-ya aqui? David Reguera Garcia aka Dreg & Abel Valero Lozano aka SkUaTeR 2020
  • 2. David Reguera Garcia aka Dreg • Senior malware researcher, C, C++, ASM, x86_64, ARM Cortex & AVR-8-bit • Contributing to rootkit unhooker, unhide, x64dbg, enyelkm, anticuckoo, dbgchild.... • https://github.com/David-Reguera-Garcia-Dreg • https://twitter.com/fr33project • http://www.fr33project.org/ • dreg@fr33project.org
  • 3. evil mass storage – POC just for fun • infect a target machine without NET & exfiltrate info • hardware: at90usb1287 + atmega328p + ts3usb221 + mosfet + sd card reader (SPI) + rf 433MHz ASK … • multi-stage malware: only visible when connected to target • exfiltrate info via two ways: • mass storage: crypt & hidden sectors • radio: rf 433MHz ASK • firmware: keyboard + mass storage (USB composite device). LUFA + FatFs + Dreg adaptation “USB Mass storage SD card for Teensy2/ATMEGA32U4 by Mathieu Sonet” • dynamic: serial, VID, PID, USB Descriptor, decrypt/delete sectors…
  • 4. external hardware - receiving data • rf 433mhz receiver • WIFI AP/STA • SMS • GSM/GPRS • MICRO SD CARD
  • 6.
  • 7.
  • 8.
  • 9. prototype shopping list 1 • mini soldering iron + iron tip • arduino uno + cable • arduino mega 2560 + cable • USB 2.0 Type A 1-Male 1-Female to 5P Screw with/ Shield Terminal Plug Adapter Connector • USB to DIP Type A 2-Female 1-Male USB Adapter Converter for 2.54mm PCB Board DIY • ESP-01S ESP8266 Serial Wi-Fi Wireless Module + ESP-01 Adapter for Arduino (5v) • 400 Tie Points Solderless PCB Breadboard Mini Universal Test Protoboard DIY Bread Board Bus (x2)
  • 10. prototype shopping list 2 • 4 Channel 5V 3.3V IIC UART SPI TTL Logic Level Converter level conversion module • 10pcs High Efficiency Test Hook Clip Logic Analyzer Cable Gripper Probe Test Clamp Kit • kit LEDs 5mm Red Blue Green Yellow White • mosfet NDP6020P TO-220 NDP6020 TO220 6020P P-channel • 433 Mhz RF Receiver and Transmitter Module. RX470-4, WL102- 341, Short antenna for Transmitter. Long antenna for Receiver • common values resistor Kit • DIY TS3USB221 High-Speed USB 2.0 (480Mbps) 1:2 Multiplexer To Demultiplexer Switch With Single Enable Board Module
  • 11. prototype shopping list 3 • Reader Adapter for Micro SD USB 2.0 TF M2 MMC MS PRO DUO Card Reader • 2PCS 9V rechargeable battery large capacity 1000mAh lithium ion rechargeable battery + 1PCS smart 9 V charger • 9V PP3 Battery Holder Box Case Wire Lead ON/OFF Switch Cover with DC 2.1mm Plug • SanDisk micro SD card 16GB SDHC + adapter • DC 9V1A 9V 1A Power Supply AC 100V-240V Converter Adapter Plug Charger 5.5mm x 2.1mm 1000mA • SIM808 module GSM GPRS GPS Development Board IPX SMA with GPS Antenna
  • 12. prototype shopping list 4 • Screw Kit Screw Driver • Micro SD / TF Card Breakout to DIP Board Module (3.3v) • Micro SD Module TF Micro SD Storage Board TF Card Memory Shield (5v) • 120pcs 40PIN 20CM Dupont Line Male to Male, Female to Male, Female to Female Jumper Dupont Wire Cable • AT90USBKEY2 • ATMEL ICE (ATATMEL-ICE) • solder iron tip cleaning sponge pad • Tin Lead Rosin Core Solder Wire
  • 13. prototype shopping list 5 • Hot Air Glue Gun Thermo Electric Heat Temperature • Test hook clip,Grabber SMD IC Test Probe Hook for Multimeter,Logic analyzer… • 20pcs 10 pairs 40 Pin 1x40 Single Row Male and Female 2.54 Breakable Pin Header PCB
  • 14.
  • 15.
  • 16.
  • 17. Roapt – my own pcb for attack • soon available at www.rootkit.es • JTAG, ICSP, UART… •current beta prototype 1.0
  • 18. SD card SDHC 16GB special mass storage 2GB FAT16 • f.exe • g normal mass storage 2GB FAT16 • f.exe • g f.exe stage1 f.exe stage2 … exfiltrate area • FAT16, Only 1 FAT TABLE. SPI is slow • f.exe: malware crypted – multi-stage • exfiltrate blocks crypted from .exe • g: file for communication with firmware. firmware can encrypt/decrypt sectors, relocate writes & reads, reset USB connection (OS cache), change stages, delete all f.exe entries.. • special area is “protected” • Its possible switch between special-normal • normal area can be formatted
  • 19. demo create & burn SD card image
  • 20. demo firmware: dev, debug & flash. Atmel studio 7
  • 21. • USB Mass Storage: Designing and Programming Devices and Embedded Hosts • USB Complete: The Developer's Guide (Complete Guides series) • https://www.microchip.com/DevelopmentTools/Product Details/PartNO/AT90USBKEY2 • https://www.microchip.com/wwwproducts/en/AT90US B1287 • https://www.avrfreaks.net/ • http://elm-chan.org/fsw/ff/00index_e.html • http://www.fourwalledcubicle.com/LUFA.php
  • 22. TO-DO •improve source code: leaks, overflows, crap code… •improve performance: fatfs, ISRs… •more firmware & examples: SharpLocker/LockScream... •more doc •OS X & Linux examples •more keyboard langs (current English) •support multi-file (current POC is limited) •exf mode selection: 433MHz(slow) or mass storage(faster)
  • 23. Future (maybe) • ARM Cortex-M4 180MHz 32 bit + rf transceiver •NXP Kinetis MK66FN2M0VMD18 or MK66FX1M0VMD18 • native 4bit-SDIO micro sd card port (SPI is very slow) •cryptographic acceleration unit (AES) & CRC • random number generator •https://www.pjrc.com/store/teensy36.html • NXP Kinetis FRDM-K66F board • https://www.utasker.com/kinetis/FRDM-K66F.html
  • 24. Greetz & credits •janio IRC-HISPANO •Sergio Lara & Luis Fernando Regel – Panda •Jose Vicente Martínez – electronic engineering •Paul Stoffregen - pjrc, teensy, altsoftserial… •Mathieu Sonet: mass storage SD for Teensy2/ATMEGA32U4 •Dean Camera: lufa •ChaN: fatfs •Yassin Said Esteller avrfreaks.net
  • 25. Thx! Questions? evil mass storage in my github •https://www.rootkit.es •https://github.com/David-Reguera-Garcia-Dreg •https://twitter.com/fr33project •http://www.fr33project.org/ •dreg@fr33project.org