The talk I want to give today is called "Hacker in the Wires," so it's a little bit about this guy here; it's called a Catch Wire. We'll tell you a little bit more about this device, but essentially it is a little computer that lives on your network, hacks people, and does fun stuff. So what's this talk? It's about a hacking device that lives on a [indiscernible] gigabit Ethernet wire. It's the Catch Wire, it's made by WAW Technologies, and it's running Deck Linux. Some of you might be familiar with Deck Linux. I've given some talks at DEFCON before. I lied, it's not my first time at DEFCON. I described how you can build some of these little things, and this talk is about porting some of that stuff that I did with the BeagleBone to work on this new device. So why would you want to do this? You can do multiple things with it. You can use it for command and control and exfiltration, using different options. You can do things on the network that you've installed this on. You can also remote control it using some XBee radios; I'll talk a little bit about that. And of course you could use some other technology, such as cellular networks. So why should you care about this stuff anyway? Well, a Catch Wire running Deck Linux is small. I mean, you can literally fit it in your palm. It's pretty flexible. And you can network it together with other devices, such as some of the BeagleBone-based devices I've talked about at previous DEFCONs, and you can easily take this guy and install it in a couple of places. Right. So you could put it in your data center. So you have a client; we'll just call them the target client. And if you can get into their data center, particularly if they have Power over Ethernet, you can take one of these little guys, you can plug it in, and you're having fun, right? You're getting all the packets. You might want to narrow it down a little bit more. You could put it on a LAN segment.
Maybe there's only one LAN segment that's of interest to you. Of course, you could also inline a single PC, if that's what you wanted to do. You know, if you can find an unused desk, slap it under there and be on their network. Some of you have seen me around: I'm a professor at Bloomsburg University in Pennsylvania. I teach pen testing, information security, and digital forensics. I wrote books; this book is one of them: Hacking and Penetration Testing with Low Power Devices. We actually have a new book that we're releasing through Pentester Academy tomorrow on Linux forensics, so if that's of interest to you, come by their booth. I've been programming since I was about eight, in assembly since ten, hacking hardware around 12 or so. I've also been known to fly, build planes, and do some other aviation stuff. I'm a course author for Pentester Academy and some others as well. So what are we going to talk about? We're going to talk a little bit about the Catch Wire. What is it? Talk a little bit about Deck Linux. Some of the attacks you can do with this device, or the BeagleBone. Some of the things you can do specific to the Catch Wire. Some ideas or future directions that you might want. So the Catch Wire. What is it? It used to be called the Luna, the Little Universal Network Appliance. It was a Kickstarter last year, I believe, and they changed the name after the Kickstarter for some legal reasons. It's essentially like the BeagleBone Black, except it's got two gigabit Ethernet interfaces on it, supports Power over Ethernet, and has a nice integrated FTDI USB-to-serial chip. What it doesn't have that the Beagle has: it doesn't have the HDMI output or GPIO headers. So in terms of the software, it's very similar, something that made it very easy for me to port what I had done with the BeagleBone over to this new platform. Here's a block diagram. You can see it's got a TI processor, and if you look at this and compare it to the BeagleBone Black, you will see that it's very similar, other than having the Ethernet stuff.
The board looks kind of like this. You can see it's got a couple of Ethernet ports. You've got a Power over Ethernet pass-through module, so you can go ahead and pass the power through the device if you want, or not, and that's what those headers that say J1 are for. On the bottom of the board you have the processor, memory, and some other stuff as well, including a microSD card slot that you can use if you want to load up something like Deck Linux. So speaking of Deck Linux, what is it? Deck Linux is something I made a while back. It's essentially built on Ubuntu 14.04, and it's optimized for pen testing with things like the BeagleBone Black, the Catch Wire, and similar things, so you can use this as a dropbox or a hacking console, a remote hacking drone; there are a lot of different uses for these little devices. It has over 4,000 packages preinstalled, and I will say this: unlike certain other pentesting-oriented distributions, which I won't name, it's pretty much fluff-free, right? It's got 4,000 packages that people actually use, not something that someone wrote ten years ago and that hasn't been used since. To that base OS I've added some extra things, and I have these different modules, such as the MeshDeck. The MeshDeck allows you to remotely command and control these devices using XBee or ZigBee mesh networking. It allows you to command and control and coordinate attacks. You can attack from up to 2 miles away. I've also developed an AirDeck, so it's a flying hacking drone. It's a flying hacking drone that I built on top of a Quadshot, if any of you are familiar with that. It's a nice flying platform capable of vertical takeoffs and landings; there's a picture here as well. So I have that as another possibility. Let's say you don't have good physical access; you can actually fly in your hacking hardware, land on your target's roof, hack the crap out of them, and fly away.
I also developed the 4Deck, which is a forensics module that lets you do USB write blocking, things like that. And I developed something new, called the UDeck, the USB deck, which is USB-based, and that's what my other talk is tomorrow. So tomorrow I'm going to sell this as the first ever Friday night keynote presentation at DEFCON, which basically means somebody asked, "Can we bump you to 7 p.m. on a Friday?" And I said, "Oh, okay." So I'm the only person talking at 7 o'clock tomorrow. If you're bored and not eating dinner, come by. We'll talk USB attacks. So the Catch Wire: how are you going to power this thing? If you have Power over Ethernet, you're golden. That's the best option ever. Just plug it in. You're good to go. As I said before, you can pass through the power using the jumpers on the device. You can also use a DC adapter. It has a plug on the end for DC power. That's the second best option. And you can also use USB power. There's a USB port; you can use it to power the device via a charger. If you're going to do this, you should have a 2-amp or greater charger. You can power it from a PC, so if you hook it into a PC, you can power it that way, but be careful, because normally you're limited to 500 milliamps with a USB 2.0 device, and that's not enough to power up the Catch Wire, a couple of gigabit Ethernet ports, and maybe a wireless adapter you'll attach to it. How do you configure one of these guys? If you want to do some hacking with your Catch Wire, all you have to do is grab the image. I have the image hosted at my faculty page at Bloomsburg, and there's a nice little script; just download the whole thing, and you can create a microSD card using the provided script. You're going to need at least a 16 gig card, because it will not fit on an eight gig card. And honestly, I'd recommend a 32 gig card, because it's a little bit tight at 16 gig. There's a lot of hacking goodness built into this.
So once you've created this (if you get a nice fast card, I recommend at least a class 10 card or faster, you can create the card in about a half hour or so), install it into the Catch Wire. To do that, it's pretty easy. Just take the screws off from the end that has the micro USB and it pulls out; stick in the card and you're good to go. You can connect the Catch Wire to a PC via the USB and you can just log in, if you want to do some initial configuration, as ubuntu with password temppwd, and just add stuff as you need before you deploy. So what does it look like? It looks kind of like this. Cross your fingers, everyone. Like this. I'll connect to the Catch Wire. Before I do that, I need to set up my serial port. This is from an Ubuntu system. >> SPEAKER: I will change [indiscernible] zero. No flow control. I'll plug in the device. And here we can see some of the boot sequence. Now, this will take a little bit longer than the boot sequence if you're booting the standard version of Linux that comes with a Catch Wire, and the reason for that is that I am booting up Deck Linux here, and that has an awful lot of extra stuff that is coming up. You can see here where it came up and started a bridge process that bridges the two Ethernet adapters, and here we are bringing up some additional stuff. Now I can go ahead and log in. The default login is ubuntu, with temppwd as displayed in the banner message. I've managed to boot Deck Linux. So that's pretty easy. By the way, the first time that you boot it, it might take a little bit longer, because it has to set up on the SD card. Do not write-protect the SD card, just a little hint there; it can cause some problems. Okay. So I talked a little bit about bridging net connections. That's the default on the Catch Wire.
It will come with some network flow monitoring software and everything pre-installed, and the kernel options are going to have this bridge set up, but if for some reason you wanted to split them, you can. It's pretty easy: you just change to the U-Boot dtbs directory under /boot. If you're not familiar with these things, dtb stands for device tree binary. Device tree binaries are a clever and elegant way of accounting for all the different kinds of hardware you can have on your systems, especially ARM-based systems. All you need to do is change that overlay, that binary that describes the device, and you just copy the D Mac version over the Luna version and comment out some lines in the udev rules as I indicated here. If you want to go back, just reverse the process: uncomment the lines and change it back to the luna-switch one. Something else you might consider doing: you might consider installing the MeshDeck. Why would you want to do that? Because it's cool, right? You can command and control slash exfiltrate some data from up to 2 miles away without using any kinds of gateways or extenders. If you want to use a gateway, you could be on the other side of the world, all right, if you have an XBee-to-internet gateway of some sort. And it's also out of band. Yes, you can use an interface on the target's network when you connect the Catch Wire, but people see that traffic. People don't see the traffic on the ZigBee unless they're using ZigBee, and even then they probably don't notice, honestly. It's pretty easy to use the Catch Wire in a multi-device pentest. Maybe you have your case full of a bunch of BeagleBone Blacks and a few other bits of equipment. And you can use either mesh networking or ZigBee networking, or use a star, and that's an easy choice to make. So to do that, just get a USB adapter and plug the XBee into that.
Plug in the Catch Wire, and if you want details on that, go back and look at my DEFCON 21 talk. Again, I lied, it's not my first time at DEFCON. You can get some more details in that talk. You can also, if you had to read my book, read my book. Another nice thing about installing the mesh: maybe there's some blocking, some firewalls that are going to prevent you from easily accessing that built-in interface on the target network from wherever you are, whereas the XBee is not going to be blocked by a firewall. So another plus for it. I'm going to start with an old friend. Here's using an old friend, maybe abusing an old friend, with the Catch Wire. I've gone ahead and run up Metasploit on the Catch Wire, and one of the first things I want is just to verify that I'm connected to my database. I can go ahead and run db_nmap, and we can see that it's finished. Also notice that this host here, 123, looks like it has some interesting services: it's got an FTP server, an HTTP server, and some Windows file sharing, so it looks like it might have some interesting opportunities to exploit things on that host. And of course I can also run my services command, so now that I have my list of hosts and services, I take another look at this and find something we might want to try to attack. So I see right here FreeFloat FTP Server, which could be vulnerable, and other things that are vulnerable as well. But let's start with a good old friend, good old MS08-067, so I'm going to try and run up this exploit. MS08-067. >> SPEAKER: It's not a security [indiscernible]. >> SPEAKER: Yeah. >> SPEAKER: Show options. Set our RHOST to 192.168.1.123. Now I'm going to set my [indiscernible]; show options again. And our local host is set; we're ready to run our exploit. And there you have it. We just opened a Meterpreter session on a Windows machine using our old friend MS08-067. I can go ahead and do a screenshot; there we go. And all the usual commands. So it's pretty fun.
You know, it's a good chunk of fun to take a little handheld device and pwn Windows boxes. Maybe it's just me. So some other stuff you can do: let's do a little bit of sniffing. Obviously this is an awesome device for doing sniffing on a wired segment. We noticed that there was an FTP server running, so let's go ahead and sniff some traffic. The command we're going to use is just tcpdump on a particular host, so the command is tcpdump -n, and host, and the name of the host, -v, which says, hey, please be verbose, and -A, which says dump packets... sorry, I can't speak today. It's early; it's only Thursday. I haven't been drinking, I promise. What we're going to look for is the USER prompt where they sent their username, or where they sent their password; of course with FTP it's all in clear text. Let's give this a try. So we have a host that's running an FTP server, and we can verify that with Nmap: 192.168.1.120, which is a system that we previously identified as running FTP. We can then use the Catch Wire to capture all the packets to or from the system. Again, the Catch Wire is installed inline on this LAN segment, so I can pretty much do whatever I want. And here we see, sure enough, yes, there is an FTP server running. So I will go ahead and run tcpdump, and I give it -n, host, and the name or IP address, -v for verbose, and -A, capital A, which says take all of your stuff and send it as ASCII, so give me an ASCII representation of the packets. I will pipe that to grep, and I will look for either USER, uppercase, and then a space, or PASS in uppercase and then a space. Once I do that it will start listening, and I can go to another machine in my network, log in via FTP, and voilà, there you have it. User joe logged in with password password1. I'd say not bad, and did we even have to write a script? It's like one line on the command line. So, you know, loads of fun.
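The tcpdump-and-grep one-liner above, reworked as an added defender-side check; this is example code written for this page, not from the talk or from Deck Linux. It walks a constructed tcpdump -n -A style dump (hypothetical addresses), pairs each USER with the PASS on the same client/server flow, skips flows that switched to AUTH TLS, and reports the login with the password length instead of the password itself, so the monitoring output does not become a second copy of the secret.

```python
import re

# Constructed sample of tcpdump -n -A style output: one cleartext FTP login
# plus a second client that starts TLS (hypothetical addresses, not from the talk).
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.0.2.10.52000 > 192.0.2.120.21: Flags [P.], length 10
E..2..@.@..M
USER joe
12:00:01.010000 IP 192.0.2.120.21 > 192.0.2.10.52000: Flags [P.], length 33
331 Please specify the password.
12:00:01.020000 IP 192.0.2.10.52000 > 192.0.2.120.21: Flags [P.], length 16
PASS password1
12:00:01.030000 IP 192.0.2.120.21 > 192.0.2.10.52000: Flags [P.], length 23
230 Login successful.
12:00:05.000000 IP 192.0.2.11.52001 > 192.0.2.120.21: Flags [P.], length 10
AUTH TLS
12:00:05.010000 IP 192.0.2.120.21 > 192.0.2.11.52001: Flags [P.], length 18
234 Proceed with negotiation.
"""

# Packet header line as tcpdump -n prints it: "<ts> IP <src>.<sport> > <dst>.<dport>:"
HEADER_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
USER_RE = re.compile(r"^USER (\S+)\s*$", re.IGNORECASE)
PASS_RE = re.compile(r"^PASS (\S*)\s*$", re.IGNORECASE)
AUTH_RE = re.compile(r"^AUTH (TLS|SSL)\s*$", re.IGNORECASE)


def find_cleartext_logins(capture, ftp_port="21"):
    """Pair each USER with the PASS seen on the same client/server flow.

    Returns one finding per cleartext login. The password is replaced by its
    length. Flows that issued AUTH TLS/SSL are skipped, since their credentials
    travel encrypted after the handshake and an ASCII dump shows nothing useful.
    """
    findings = []
    pending = {}      # (client, server) -> username still waiting for its PASS
    tls_flows = set()
    flow = None       # (client, server) of the packet currently being read
    for line in capture.splitlines():
        m = HEADER_RE.match(line)
        if m:
            src, _sport, dst, dport = m.groups()
            # Orient the flow so the FTP server is always the second element.
            flow = (src, dst) if dport == ftp_port else (dst, src)
            continue
        if flow is None:
            continue
        if AUTH_RE.match(line):
            tls_flows.add(flow)
            continue
        m = USER_RE.match(line)
        if m and flow not in tls_flows:
            pending[flow] = m.group(1)
            continue
        m = PASS_RE.match(line)
        if m and flow in pending:
            findings.append({
                "client": flow[0],
                "server": flow[1],
                "user": pending.pop(flow),
                "password_length": len(m.group(1)),
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_CAPTURE):
        print("cleartext FTP login: %(user)s from %(client)s to %(server)s "
              "(password length %(password_length)d)" % f)
```

In practice you would feed it `tcpdump -n -A 'port 21'` output from a span port on the segment; any finding is a user whose password crossed the wire readable, which is the condition the sniff demo depends on.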
What about other stuff that you might want to do? Like, what if you want to use Wireshark? Like, what's with all these console apps? You can use Wireshark with a Catch Wire as well. Something you can do: use the Catch Wire to capture packets, and then you can send those on to Wireshark. Now, before you can do this, however, you're going to have to let root log in. Normally root is not allowed to log in, which is a good thing, so you're going to have to go in and edit a config file that allows root to log in. Why not let root log in through SSH? Well, root is a very well known user ID, so you only have to guess the password itself. You can figure that one out. It's not a good idea to have it enabled. I'll say this about it: I don't do this in this demo, but you should probably use some filters. Even the most clueless sysadmin might get a little suspicious if there's suddenly this double traffic and it's all flowing out of his network. All right. So maybe filter a little bit, narrow that focus a little bit. All you have to do is SSH in. Here's the command: ssh in as root at whatever your Catch Wire address is, and give it something to run: tcpdump -s0, capture all those packets, -w -, write them out to standard out, pipe it to wireshark -k, which means please run right away, -i -, the interface will be standard in. Right? So you want to do some sniffing on the Catch Wire and have it displayed on your workstation elsewhere. How can you do this? The first thing you need to do is enable root to log in; the reason you need to do this is that by default root is not allowed to log in. So you need to go to the SSH config file under /etc/ssh, and in that file you'll find a line that says PermitRootLogin, which I've already changed to yes. Previously it said without-password. So if you wanted to set up keys, it was allowable, but if you wanted to use a password, it was not.
So now that that's been done, I'll quit and go ahead and show you how to run this. On your workstation, not the Catch Wire device, you'll need to bring up a terminal and run this command. The command is going to be ssh root, and again you want to run this as root, because being prompted for a password is problematic, and you need to be root in order to run tcpdump appropriately. Here's the address for my Catch Wire. Here I have the full path to tcpdump. I'm going to output full packets. I'm going to write them to -, which means standard out. I pipe that to wireshark -k, which means immediately run this, -i -, so it's going to accept input from standard in and take that input and display it. So I'll go ahead and press enter. Notice that Wireshark popped up, prompted for my root password, and now I'm listening. Not much is happening at this moment, but as I start generating some traffic it will. So I can go ahead and repeat my previous demo, and I'm going to log in to my FTP server. I've logged in; I'm going to stop my capture here, and I'm going to do a search where my target address is 120, and what do I have here? There's a request: user joe, password password1. So there you have it, another way that I can sniff some traffic; in this case I am exporting this traffic remotely to another workstation. Remember, if that one line on the command line with that grep command was too much, you don't have to write anything, right? Just type the Wireshark command, a couple of filters, and you can do the same thing. All right. Well, that was kind of fun. But I think we could have some more fun. So here's what I'm going to do with this next demo.
I'm going to run up Metasploit on the Catch Wire, and I'm going to use my XBee connection on the Catch Wire to find services, find what's vulnerable, and run up Metasploit on another machine, maybe a machine back in my office, maybe an intern or somebody that is back there waiting for inbound connections from my pentest. They're going to run a multi/handler, and I can either have my exploit on the Catch Wire that I'm going to run directly, or alternatively I could drop some sort of a payload using Metasploit in order to do the same thing. Let's see how this looks. Let's do a demo with a Catch Wire that is connected to my workstation via the network. I've gone ahead and installed the MeshDeck add-on and I have plugged in my USB adapter to control my Catch Wire from up to 2 miles away. And again, another thing to keep in mind, why would you want to do this? You can do this because you might be blocked by firewalls and such, and in addition to that, it might be very suspicious if there's suddenly a bunch of traffic going out of your target's network. So I'm going to go ahead and run up the MeshDeck server, and I've set up my Catch Wire to be on device three. I'll run a quick test, just to make sure everything is working properly, by running a dmesg command, and it is. I can also check my networking config, and I can see that this device has attached itself at address 120. Again, if I use this, I need to be aware that I might have issues with detection from my target. Let's run Nmap on a machine in this network, and I can see this machine is running an FTP server, a web server, appears to be doing Windows file sharing, and has some other things running as well. So let's have some fun with Metasploit. I'm going to run a Metasploit command and we'll just pop up a simple shell. I don't really type this fast, by the way, just so you know. And you can also see how I fat-finger stuff occasionally.
So now let's have a look at another machine where I set up a multi/handler. I set the payload appropriately, a reverse shell, and set up the parameters. I run exploit, and pretty soon I get a shell that's created. However, it almost immediately dies because of some problem, which is not unusual in Metasploit. Occasionally things don't work, so I hit it again, and this time I successfully created a reverse shell. I can interact with it in Metasploit, and from there I can run commands, such as a quick ipconfig, just to verify I'm on the machine I think I am and how it's connected to everything else. So, again, the exploit is being run on the Catch Wire that's in the network, and then it's redirecting that victim machine to your multi/handler that's running who knows where, right? Somewhere out on the internet. In your office. Et cetera. And I didn't do a demo of this, but again, you could just as easily take your Catch Wire and drop a payload instead, saying please start a reverse shell or Meterpreter shell, et cetera. Here are some ideas for some other possibilities. I just briefly touched on using the MeshDeck with the Catch Wire. Again, if you go back to my DEFCON 21 talk, you can get a lot more details on that system and how that works. You might get some further ideas. You could use the MeshDeck for toggling on and off: if you want to do some sniffing or you want to target your focus, it could be useful for that. And, hey, don't just sniff, inject some packets. Nobody says you can't do that too. You might also want to use the MeshDeck to communicate things like cracked passwords to other hacking drones in your pentest. There's a facility in the MeshDeck not just for running commands; there's also a facility for transferring files in both directions, and there's a facility for sending announcements in both directions. So it's pretty easy.
On your Catch Wire or your other hacking drone, just say, okay, please send an announcement back to the command console saying, guess what, I just hacked this password. You could also do some online password cracking with a tool like Hydra. I didn't have a demo for that today. You can do some other attacks: social engineering. Social engineering is always fun. Who likes social engineering? Yeah. Maybe add some cool stickers from your IT department, right? "Do not touch. IT." Whatever. I don't recommend hacker con stickers... okay. You could sell it to people. It's a network extender, or a performance enhancer. Right. It's going to enhance my performance as a pentester, but you, not so much, as a victim. So hopefully I've given you a few ideas of some of the things you can do. Now, if you do have any questions about this stuff, I am doing a demo lab Saturday from noon to 2:00, or 1200 to 1400, if you prefer that format. Also, I will be spending a lot of time at the Pentester Academy booth, the SecurityTube booth, in the vendor area. If I'm not there, ask. I'll be around soon. And of course, the best reason to stop by: win some free stuff. Anyone like free stuff? All right. I like free stuff too. So here's one of the cool things you can win. Actually, the people at WAW were nice enough to donate not one but two of these suckers, so in this case... first of all, kudos to them. This is a nice proper case, right? They don't just say, hey, here's some stuff in a baggie, have fun. They have a Catch Wire in here. There's an Alfa adapter in here. A couple of XBee Pro radios. And don't worry, there's more. They also donated a couple of copies of my book to go along with it. So definitely come by SecurityTube and register for a chance to win that. Also I think we're going to give away a couple of copies of my new Linux forensics book coming out tomorrow; again, limited copies here.
I will say this for those of you that are paranoid, especially those who said you liked social engineering: there will be a QR code that you can scan. There's one required question: what is your e-mail address? It goes to me. It doesn't go to anybody else. Okay. So unless you check the other optional boxes, we're not going to spam you, all right? I just want to give you stuff, really. It's not a social engineering attack or anything like that. So anyway, thank you for coming to my talk, and I hope you have a good DEFCON. [Applause]