Through Glass Transfer - Ted says this can`t end well
Download
Report
Transcript Through Glass Transfer - Ted says this can`t end well
ThruGlassXfer
Ted doesn’t think this can end well
October 2014
Through Glass Transfer // Ian Latter
This is enterprise @ L7
• Remote access
– VMware
– Citrix
– RDP
– VNC
– SSH
– etc ad nausea
• Console abstraction
October 2014
Through Glass Transfer // Ian Latter
Optical Packet Network (L3)
• Data exfiltration
– Imagine the screen as cut fiber optic bundle
• Consider an image (arbitrarily: QR Code) as an
optical packet within the ether of the display
• Animate it - replace one image for another image
to create a packet flow
• Datagram network protocol, OSI Layer 3
– Layer 4 problems for receiver
• Uni-directional flow (no flow control)
• Camera oversampling, Packet duplication
October 2014
Through Glass Transfer // Ian Latter
TGXf Transport Protocol +
Through Glass Transfer (exfiltrate)
• One way data transfer, two or more peers
Features (at Layers 4-7)
• Supports high latency, interrupted transfers, error
detection, 80bps -> 32kbps, and;
• ANSI terminal displays (42x21 chars)
– Requires (of Layer 3)
• Basically binary encoding and >10bytes MTU
– Either 1, 2, 5, 8 or 10 Frames Per Second (FPS)
– QR Code version 1, 2, 8 or 15
– Binary encoding, Type M (15%) error correction
October 2014
Through Glass Transfer // Ian Latter
Keyboard Packet Network (L3)
• Data infiltration
– Arduino Leonardo
– USB HID Keyboard
• No drivers needed!
• Keyboard.println(“x”)
– Upload arbitrary
executables via keyb
• Images;
– Digispark - 6KB flash
– Leostick - 32KB flash
October 2014
Through Glass Transfer // Ian Latter
TKXf – “Keyboard Stuffer”
Through Keyboard Transfer (infiltrate)
• Target Arduino (top)
– USB HID Keyboard
• Encodes received
raw/binary data as keys
– Alter “Keyboard”
library to expose HID
packet (12x faster ++)
• Attacker Arduino
– USB Serial Interface
• Sends raw/binary octets
to Target Arduino
October 2014
Through Glass Transfer // Ian Latter
TCXf Application Architecture
Through Console Transfer (full duplex compromise)
October 2014
Through Glass Transfer // Ian Latter
TCXf IP Network Evolution
• PPP over the Screen and Keyboard
– On the target device;
• sudo pppd 10.1.1.1:10.1.1.2 debug noccp
nodetatch pty “netcat localhost 8442”
– Note the privilege required to create a NIC
(We already had a full-duplex socket without it)
– On the attackers device;
• sleep 2; sudo pppd noipdefault debug noccp
nodetatch pty “netcat localhost 8442”
October 2014
Through Glass Transfer // Ian Latter
TCXf PPP via XPe Thin Client
Playing video ..
October 2014
Through Glass Transfer // Ian Latter
Thank-you!
– Thanks to Ruxcon
• Thanks to my wife and daughter
• ThruGlassXfer
– Information site: http://thruglassxfer.com/
Source code, white paper, and videos are all available
– Project site:
http://midnightcode.org/projects/TGXf/
– Contact me:
[email protected]
(If you’re talking to me on social media, it’s not me)
October 2014
Through Glass Transfer // Ian Latter