silent wire hacking
play

Silent Wire Hacking Hack In Paris 2018 erwan.broquaire@cerema.fr - PowerPoint PPT Presentation

Aug 16, 2022 •46 likes •466 views

Silent Wire Hacking Hack In Paris 2018 erwan.broquaire@cerema.fr pierre-yves.tanniou@cerema.fr Hack In Paris - 2018 Direction territoriale Sud Ouest Silent wire hacking ? You know about TCP hijacking, 802.1x bypass techniques

  1. Silent Wire Hacking Hack In Paris 2018 erwan.broquaire@cerema.fr pierre-yves.tanniou@cerema.fr Hack In Paris - 2018 Direction territoriale Sud Ouest

  2. Silent wire hacking ? • You know about – TCP hijacking, – 802.1x bypass techniques (Valérian Legrand, HIP 2017), ways to exploit a MITM position with Fenrir – … • We want – to connect to an ethernet 100Mb cable, – in order to take the man in the middle position – without any warning in supervision : A silent wire hacking Hack In Paris - June 28th 2018 2

  3. Outdoor accessible wires Hack In Paris - June 28th 2018 3

  4. Indoor accessible wires From the ground… ...to the ceiling Hack In Paris - June 28th 2018 4

  5. Typical situation Hack In Paris - June 28th 2018 5

  6. Naive connection • Is not effective • Triggers an alert Hack In Paris - June 28th 2018 6

  7. Usualy monitored • Link status, link down • RSTP • LLDP • Filters on MAC and IP @ • (802.1x) Hack In Paris - June 28th 2018 7

  8. Available solutions • TAP: listening only, setup interrupts network Hack In Paris - June 28th 2018 8

  9. Available solutions • TAP: listening only, setup interrupts network • Probe: listening filtering, injection, setup interrupts network Hack In Paris - June 28th 2018 9

  10. Available solutions • TAP: listening only, setup interrupts network • Probe: listening filtering, injection, setup interrupts network • FO bending: no injection Hack In Paris - June 28th 2018 10

  11. Available solutions • TAP: listening only, setup interrupts network • Probe: listening filtering, injection, setup interrupts network • FO bending: no injection • Dedicated hardware solution: not publicly available, back to standards and datasheets Hack In Paris - June 28th 2018 11

  12. Goal of silent wire hacking • Taking the Man In The Middle position on a Ethernet 100Mb/s link • Without being detected by switches – No link_down link_up – No snmp trap – No RSTP topology change – No LLDP detection Hack In Paris - June 28th 2018 12

  13. Intention • Simple solution, DIY • Low cost (about 200€) Hack In Paris - June 28th 2018 13

  14. Technology choice Signal conditioning with operational amplifiers? Classic OA (lm341, lf355): gain.band<10MHz DIY → no surface mounted components Signal manipulation activated by relays, Data manipulation with Raspberry Hack In Paris - June 28th 2018 14

  15. Step1: wire intrusion • Opening cable • Best twisted pair splitting tool: • Connecting Hack In Paris - June 28th 2018 15

  16. Step2 : gathering information • First, we gather information: – Mac @ – IP @ – speed – existing protocols: RSTP, LLDP, SNMP, ETC. Hack In Paris - June 28th 2018 16

  17. Speed and addresses gathering Hack In Paris - June 28th 2018 17

  18. Speed and addresses gathering Hack In Paris - June 28th 2018 18

  19. Issue #1: Auto MDIx • Auto MDI-X ports on network interfaces detect if the connection would require a crossover and automatically chooses the MDI or MDI-X configuration to properly match the other end of the link • Auto → can’t know wire use → To witch side affect collected data? Witch ip@ and mac@ belongs to witch device? Hack In Paris - June 28th 2018 19

  20. MDI / MDIx Rx+ Tx+ Rx- Tx- Rx+ Tx+ Rx- Tx- Rx+ Tx+ Rx- Tx- Tx+ Rx+ Tx- Rx- Hack In Paris - June 28th 2018 20

  21. Rx and Tx identification • How to ? (without OA, signal comparator...) Hack In Paris - June 28th 2018 21

  22. Identification of Rx et Tx Hack In Paris - June 28th 2018 22

  23. Identification of Rx et Tx Hack In Paris - June 28th 2018 23

  24. Hack In Paris - 28 june 2018 24

  25. Hack In Paris - 28 june 2018 25

  26. Issue #2 • We can not send traffic Hack In Paris - June 28th 2018 26

  27. Step3: apparatus connection • To inject traffic we will need some electronics. • How to place the electronics instead of the wire ? Hack In Paris - June 28th 2018 27

  28. Step3: apparatus connection Hack In Paris - June 28th 2018 28

  29. Step3: apparatus connection Hack In Paris - June 28th 2018 29

  30. Step4: switching Hack In Paris - June 28th 2018 30

  31. Finally ready for switching ! Hack In Paris - June 28th 2018 31

  32. Step4: switching • (somewhat) quick* switching from existing communication to devices with: – Same speed – Quiet (no-RSTP, no-LLDP, etc.) *5ms (relay switching time; Mosfet would be much quicker) Hack In Paris - June 28th 2018 32

  33. Issue #3 • Even if we switch at 5ms, it is detected. ...how to ? Hack In Paris - June 28th 2018 33

  34. Solution • We add some noise to keep the link up during transition: – High enough to keep the link up – Low enough to be considered as noise / signal Hack In Paris - June 28th 2018 34

  35. Tests and proof of Concept Hack In Paris - June 28th 2018 35

  36. First design • Each steps works alone (POC) • Card design, welding, cutting strips, checking... • Didn’t work. Lack of time to fix it :( • → full design to be confirmed Hack In Paris - June 28th 2018 36

  37. Demo • But we will still show you ! (we will just have to do some steps manually) Hack In Paris - June 28th 2018 37

  38. Conclusion • 4 ideas in this hack : – Insertion of the electronics – Identification of Rx and Tx wires – Switching to well-configured devices – Diming legitimate signal during switching Hack In Paris - June 28th 2018 38

  39. Conclusion • Costs: – 2 Raspberry Pi: 120€ – electronics: 80€ – (managable switches: 250€) – candy: 5€ …Hacking : priceless Hack In Paris - June 28th 2018 39

  40. Possible improvements • Rebuild full circuit and complete testing • Do without additional ethernet switches: Raspberry Pi ethernet configuration • Use one single Raspberry Pi instead of two • Scripting information gathering • Coping with multicast switching on Raspberry Pi • POE compatibility • Implementing 802.1x attack • Less attenuation in Rx/Tx identification Hack In Paris - June 28th 2018 40

  41. • It IS possible to silent take MITM position How to cope? • Faster link down? Impedance monitoring? – difficult to implement in real world: Many existing EM perturbations (events on high power lines, lightning, lorries with electromagnetic retarders...) → Not suitable for plants, infrastructure operators... • End to end encryption Hack In Paris - June 28th 2018 41

  42. THANK’S erwan.broquaire@cerema.fr pierre-yves.tanniou@cerema.fr Hack In Paris - June 28th 2018 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Silent Shout 2.009 SILVER Silent Shout The Market 65 million users $9.7 billion market 2.009

Silent Shout 2.009 SILVER Silent Shout The Market 65 million users $9.7 billion market 2.009

Silent Shout Silent Shout 2.009 SILVER Silent Shout The Market 65 million users $9.7 billion market 2.009 SILVER Silent Shout Benchmarking SIREN POM by POMCO Silent Shout Product Type Description Alarm ring Keychain attachment

116 views • 10 slides
and Education (WIRE) Jane Hillston University of Edinburgh What is WIRE? WIRE is a working

and Education (WIRE) Jane Hillston University of Edinburgh What is WIRE? WIRE is a working

Women in Informatics Research and Education (WIRE) Jane Hillston University of Edinburgh What is WIRE? WIRE is a working group of Informatics Europe, aiming to raise awareness and promote good practice with respect to women in

366 views • 9 slides
N D WIRE NETTING e M h P i t c h s f D I A W r e o i 1. 60 1 .60 ) m m (

N D WIRE NETTING e M h P i t c h s f D I A W r e o i 1. 60 1 .60 ) m m (

WOVEN WIRE WONDERS N D WIRE NETTING e M h P i t c h s f D I A W r e o i 1. 60 1 .60 ) m m ( 1. 60 1 .60 1. 20 1 .20 2. 00 2 .00 2. 00 1 .62 IN FOOD PROCESSING, OUR CONVEYOR BELTS ARE USED IN WASHING, BAKING,

254 views • 6 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation &amp; privilege escalation 4. Maintaining access &amp; covering tracks

960 views • 62 slides
Wire Scanner Reliability Improvement Plans Omar Garza I&amp;C Engineering Group Leader Wire

Wire Scanner Reliability Improvement Plans Omar Garza I&amp;C Engineering Group Leader Wire

Wire Scanner Reliability Improvement Plans Omar Garza I&amp;C Engineering Group Leader Wire Scanner System Overview Problem Wire Scanners 41 Wire Scanners (not including Hall C) Device Location Issue IHA0L10 Injector Multiple

519 views • 11 slides
Longwall Mine Layout Welded Wire Panels Installed in Areas between Pillars 10 Gage Welded Wire

Longwall Mine Layout Welded Wire Panels Installed in Areas between Pillars 10 Gage Welded Wire

Longwall Mine Layout Welded Wire Panels Installed in Areas between Pillars 10 Gage Welded Wire Mesh TX Meshing Using Controlled Resistance Welded Wire Roof Support Current welded wire technology has been in effect and unchanged for years.

374 views • 18 slides
TE Connectivity Wire &amp; cable solutions 100E Wire &amp; Cable Launch of 100E Signal Wire

TE Connectivity Wire &amp; cable solutions 100E Wire &amp; Cable Launch of 100E Signal Wire

TE Connectivity Wire &amp; cable solutions 100E Wire &amp; Cable Launch of 100E Signal Wire Family TE Connectivity is pleased to announce the launch of 100E 300v signal wire and cable. Released in accordance to EN50306 EN50306-2 Thin Wall

591 views • 18 slides
Brief Introduction to Wire-Cell Xin Qian BNL For the Wire-Cell Team

Brief Introduction to Wire-Cell Xin Qian BNL For the Wire-Cell Team

Brief Introduction to Wire-Cell Xin Qian BNL For the Wire-Cell Team http://www.phy.bnl.gov/wire-cell/ 1 Challenges of Event Reconstruction in LArTPCs Event topology: Tracks, showers, unknown vertex in LArTPCs Simple tracks in

704 views • 17 slides
TE Connectivity Wire &amp; cable solutions 100E Wire &amp; Cable www.is-rayfast.com |

TE Connectivity Wire &amp; cable solutions 100E Wire &amp; Cable www.is-rayfast.com |

TE Connectivity Wire &amp; cable solutions 100E Wire &amp; Cable www.is-rayfast.com | uksales@is-rayfast.com | +44(0)1793 616700 Launch of 100E Signal Wire Family TE Connectivity is pleased to announce the launch of 100E 300v signal wire and

331 views • 15 slides
THE SILENT EPIDEMIC OF TBIS: LISTENING FOR DEPRESSION AND SUICIDE THE SILENT EPIDEMIC OF

THE SILENT EPIDEMIC OF TBIS: LISTENING FOR DEPRESSION AND SUICIDE THE SILENT EPIDEMIC OF

SHAUNA HAHN, PMHNP, CBIS THE SILENT EPIDEMIC OF TBIS: LISTENING FOR DEPRESSION AND SUICIDE THE SILENT EPIDEMIC OF TBIS: LISTENING FOR DEPRESSION &amp; SUICIDE OVERVIEW: SCOPE OF THE PROBLEM IN AMERICA THE SILENT EPIDEMIC OF TBIS: LISTENING

969 views • 64 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Test Anxiety: The Silent Intruder, William B. Daigle, Ph.D. Test Anxiety The Silent Intruder

Test Anxiety: The Silent Intruder, William B. Daigle, Ph.D. Test Anxiety The Silent Intruder

Test Anxiety: The Silent Intruder, William B. Daigle, Ph.D. Test Anxiety The Silent Intruder Resources; St. Gerard Majella Catholic School, March 6, 2010 William B. Daigle, Ph.D. 8748 Quarters Lake Road Baton Rouge, LA 70809 (225)

91 views • 5 slides
What is Electricity? 1 ATOM 2 Water Pipe Pump Water Pipe Wire + Wire - 3 EMF

What is Electricity? 1 ATOM 2 Water Pipe Pump Water Pipe Wire + Wire - 3 EMF

What is Electricity? 1 ATOM 2 Water Pipe Pump Water Pipe Wire + Wire - 3 EMF Potential Difference Between Two Points Source of Energy Electrical Pressure Voltage Friction / Static Triboelectric Chemical

979 views • 18 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits &amp; Demos Q&amp;A Why? Wrights Law

485 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Solar magnetic field strength and the Suns Shadow observed by Tibet Air Shower Array

Solar magnetic field strength and the Suns Shadow observed by Tibet Air Shower Array

Solar magnetic field strength and the Suns Shadow observed by Tibet Air Shower Array Yoshiaki Nakamura for the Tibet AS collaboration P.1 ICRC2017 14 July, 2017 @Busan, Korea. The e Tibet et AS AS Col

423 views • 17 slides
Muon Collider Machine-Detector Interface Summary Nikolai Mokhov and Robert Palmer Muon Collider

Muon Collider Machine-Detector Interface Summary Nikolai Mokhov and Robert Palmer Muon Collider

Fermilab Muon Collider Machine-Detector Interface Summary Nikolai Mokhov and Robert Palmer Muon Collider Physics Workshop Fermilab November 10-12, 2009 Introduction Muon collider detector performance is strongly dependent on background

518 views • 37 slides
CLIC FF MAGNET AND IR LAYOUT SC-FF meeting @LAPP, 14-6-2010 Lau Gatignon / CERN-EN for the CLIC

CLIC FF MAGNET AND IR LAYOUT SC-FF meeting @LAPP, 14-6-2010 Lau Gatignon / CERN-EN for the CLIC

CLIC FF MAGNET AND IR LAYOUT SC-FF meeting @LAPP, 14-6-2010 Lau Gatignon / CERN-EN for the CLIC MDI team &amp; related WG MDI members Robert Appleby, Armen Apyan, Marco Battaglias, Enrico Bravin, Helmut Burkhardt, Phil Burrows, Francois

832 views • 47 slides
SiD and MDI Meeting CR-3 Implementation Plans and Intro to CR-4 V Kuchler 13 January, 2015

SiD and MDI Meeting CR-3 Implementation Plans and Intro to CR-4 V Kuchler 13 January, 2015

SiD and MDI Meeting CR-3 Implementation Plans and Intro to CR-4 V Kuchler 13 January, 2015 Overview ILC Change Management Board Change Request 3 Implementation Plan Change Request 4 2 SiD and MDI Meeting 13 January 2015 Change

413 views • 13 slides
Administration 2019-20 With: Maddison Spenrath, Marit Gilbert and Kim Mascarenas November 14,

Administration 2019-20 With: Maddison Spenrath, Marit Gilbert and Kim Mascarenas November 14,

MDI WEBINAR SERIES 2019/2020 MDI Steps to District Administration 2019-20 With: Maddison Spenrath, Marit Gilbert and Kim Mascarenas November 14, 2019 HELPs Vision All children thriving in healthy societies OVERVIEW 1. MDI Overview 2.

519 views • 51 slides
Sequentially Cohen-Macaulay Rees modules . Naoki Taniguchi Meiji University Joint work with T.

Sequentially Cohen-Macaulay Rees modules . Naoki Taniguchi Meiji University Joint work with T.

Introduction Definition of seq C-M modules Main results Graded case Application References . Sequentially Cohen-Macaulay Rees modules . Naoki Taniguchi Meiji University Joint work with T. N. An, N. T. Dung and T. T. Phuong Mathematical

415 views • 20 slides
Novel techniques for ground to space quantum channels IQC @ 2019: 31 faculty 157 Grad students

Novel techniques for ground to space quantum channels IQC @ 2019: 31 faculty 157 Grad students

7/31/20 Novel techniques for ground to space quantum channels IQC @ 2019: 31 faculty 157 Grad students 57 Postdoc 1800+ publications $600M+ funding Thomas Jennewein 13 spin-offs Institute for Quantum Computing &amp; Department of Physics

391 views • 9 slides
Magnetic Field Mapping of Chemically Peculiar Stars James Silvester Uppsala University, Sweden

Magnetic Field Mapping of Chemically Peculiar Stars James Silvester Uppsala University, Sweden

Magnetic Field Mapping of Chemically Peculiar Stars James Silvester Uppsala University, Sweden Stars 2016, Lake District, UK Ap / Bp Type Stars - Some Recent MDI Maps - 53 Cam - Kochukhov et al. (2004) - Low resolution - 2 CVn - Kochukhov

391 views • 22 slides

More recommend