
TRIPWIRE VERT

HACK LAB CHEAT SHEET


SEARCH PATTERNS FOR SUCCESS
Analysis of extracted firmware and GNU source releases is one of the most fruitful tools for embedded device hacking. The following search patterns are among the favorites of VERT researchers.

SQL INJECTION
    grep -RE "(SELECT|INSERT|UPDATE|WHERE|DELETE|VALUES) " * 2>/dev/null | grep "%s"

COMMAND INJECTION (exec[a-z]* covers exec, execl, execvp and friends)
    grep -RE "(^|[[:space:]]|\.)(system|exec[a-z]*)\(" * 2>/dev/null | grep "%s"

STRING OVERFLOWS
    find ./ -name '*.c*' -print | xargs egrep "(^|[[:space:]])(sprintf|strc[a-z]+)\(.*%s"

MEMORY CORRUPTION
    find ./ -name '*.c*' -print | xargs egrep "(^|[[:space:]])(memcpy|memmove)\("

UNAUTHENTICATED SERVICES, UPnP AND MORE

You don't need a shell if the device takes commands without authentication. A number of products rely on infrastructure authentication rather than device authentication. Many IoT devices simply have no authentication for connections from the local LAN.

TESTING STRATEGY
»» Connect the device and/or smartphone through a MiTM access point (e.g. bit.ly/SSLMiTM)
   • Look for credentials being passed that were not selected by the device owner, and for commands without auth
»» Run a port scan to see what services are exposed via IP
   • Try connecting to each service with nc ip port and openssl s_client -connect ip:port
   • Fuzz UPnP/SOAP services with command injection and SQL injection locator strings specified as parameters

HTTP INTERFACE TESTING
Many of the weaknesses found in IoT devices are in the HTTP interfaces for controlling or managing the product. Vulnerable aspects of these systems can commonly be found with quick black box testing. Some of VERT's techniques involve submitting crafted values to the web server as a form of manual fuzz testing. Developers commonly restrict crafted input only through client-side limitations: sometimes regular expressions within JavaScript or Flash, other times URL parameters hardcoded into mobile applications. A proxy server such as Burp (www.portswigger.net/), Chrome Developer Tools, or FireBug allows the tester to side-step these restrictions. From there it is a matter of knowing what to look for and how to abuse it.

TIP 1: LOOK FOR PLACES WHERE EXTERNALLY SUPPLIED INPUT MAY BE USED FOR RUNNING COMMANDS.
Example #1: Diagnostic functions like ping are often backed with something like system("ping %s", cHost);
If shell meta-characters are sent to the shell, an attacker can gain command execution.

EXAMPLE INPUTS                                                  RESULT IF VULNERABLE
;reboot • `reboot` • $(reboot) • &&reboot • ||reboot            Reboots system (using this in the wrong place leads to a boot loop)
`echo <expected value>` • $(echo <expected value>)              Acts the same as if <expected value> were entered
;ping ip • `ping ip` • $(ping ip) • && ping ip • || ping ip     ICMP echo sent to ip; the response may be delayed while waiting for ping
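The ping handler from Example #1, as an added example that is not part of the cheat sheet: the vulnerable string-building shape that the COMMAND INJECTION search pattern above flags, beside a hardened version that allow-lists the host and runs ping through execvp so no shell ever parses the input. The function names are assumed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable shape from Example #1: the host is pasted into a shell command
 * string. Only the string is built here (never handed to system()), so the
 * injected text can be inspected; a static buffer keeps it simple. */
const char *vuln_build_ping_cmd(const char *host)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host); /* a real handler would call system(cmd) */
    return cmd;
}

/* Hardened: allow-list the host (letters, digits, '.' and '-') and refuse a
 * leading '-' so it cannot be parsed as a ping option. This rejects every
 * meta-character in the table above: ; ` $ ( ) & | and whitespace. */
int host_is_safe(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Runs ping via execvp with an argv array, so no shell ever parses the host.
 * Returns ping's exit status, or -1 if the host is rejected or exec fails. */
int safe_ping(const char *host)
{
    if (!host_is_safe(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp("ping", argv);
        _exit(127);                 /* exec failed; never fall back to a shell */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```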



TIP 2: LOOK FOR USER-SUPPLIED VALUES BEING SERVED AS WEB CONTENT OR INCLUDED IN EXECUTED COMMANDS
Wireless SSID Values
»» Is the SSID rendered within an app's WebView? (XSS without same-origin policy possible)
»» What happens if you try to connect to the network named "reboot" or "utelnetd -l /bin/sh"?
Names
»» Device name or owner name commonly displayed without sanitization
»» Filenames may be displayed or even used in commands; ext filesystems can have files with "interesting" names

EXTRACTING FIRMWARE
    binwalk -e <firmware file>
OUTPUT: Recursively extract into ./_firmware/
Analyzing the firmware content can reveal a lot:
»» Unlinked web content
»» Vulnerabilities in scripts and configs
»» Undocumented features in binary strings
»» Other tools: '7z x <file>' or 'unsquashfs <file>'

FINDING UNPROTECTED PAGES
    for P in $(ls www); do curl -v http://ip/$P 2>&1 | grep -i "200 o" >/dev/null && echo $P; done
OUTPUT: Identify requests that don't give 401
Whitelisted files expose information and even vulnerabilities:
»» curl -v ip/$P 2>&1 | grep "HTTP/1.0 200" && echo $P
»» If 'foo' or '.foo' is open, try '?foo' or '?.foo' after the query
»» Grep page contents for passwords or tokens
»» Look for pages with 'hidden' or 'debug' in the name

BINARY REVERSING
    objdump -d <binary_file>
OUTPUT: Recover assembly for proprietary binaries
Reverse engineering is time consuming but valuable:
»» Find unbounded copies (memcpy, strcpy, etc.)
»» Reveal unreferenced API calls
»» Recover crypto keys and other secrets
»» Determine expected message formats

UNCOVERING SECRETS
    strings <binary_file>
OUTPUT: Text sections, symbols, and more
strings is a quick and dirty binary recon tool:
»» Check httpd for built-in pages and ACLs
»» Search for %s in command strings
»» Backdoor/hardcoded credentials hide in binaries
»» Locate SQL queries for injection attempts

WiFi RESILIENCE
    aireplay-ng -0 <count> -a <ap_mac> -c <dev_mac> ath0
OUTPUT: Deauthenticate device from access point
Some basic flaws related to Wi-Fi handling:
»» Device becomes an open AP when kept off the network
»» Restarting the device without a network leads to first-time setup
»» Will the device connect to the SSID without a password?
»» IoT devices make it easy to sniff the handshake

SSL VALIDATION
    sslsniff -a -s <port> -w log -c cert
OUTPUT: Find certificate validation failures
Some setup is required:
»» Connect the IoT device through a Linux router
»» Apply iptables NAT to redirect SSL ports to <port>
»» Self-signed signing cert needed
»» Logged data means the device trusted the forged cert

EXTRACTING SECRETS FROM ANDROID: STATIC ANALYSIS
    apktool d <IoT control app>.apk
OUTPUT: Extract and decompile Android app
Things to look for:
»» Hardcoded device credentials
»» Unadvertised URLs on IoT target
»» Empty checkServerTrusted method (SSL fail)
»» Firmware update URLs

EXTRACTING SECRETS FROM ANDROID: DYNAMIC ANALYSIS
    "Packet Capture" app, sslsplit/sslsniff with trusted cert
OUTPUT: View data sent to device and infrastructure
Things to look for:
»» Hardcoded credentials sent via HTTP/HTTPS
»» Services and URLs used for device control
»» Privacy violations (e.g. exfiltrated data)
»» Firmware update URLs

Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context; together these solutions integrate and automate security and IT operations. Tripwire's portfolio of enterprise-class solutions includes configuration and policy management, file integrity monitoring, vulnerability management, log management, and reporting and analytics. Learn more at tripwire.com.

SECURITY NEWS, TRENDS AND INSIGHTS AT TRIPWIRE.COM/BLOG • FOLLOW US @TRIPWIREINC ON TWITTER

©2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc.
All other product and company names are property of their respective owners. All rights reserved. TVRTHLCS1b 201510
