Although some say hackers have the resources to backdoor the actual hardware’s motherboard or weaponize PCI network cards, we unfortunately have time and budget constraints to keep in mind. At the Ghost Labs Offensive Security team, we often employ hardware implants, also referred to as hardware backdoors or drop boxes, for our Red teaming and physical penetration tests. In this blog I will shed some light on why we use these devices, how they work and, probably the most fun part, how we build them.
A hardware implant is a small box that allows operators to physically plug it into the targeted network, leave it there and then remotely connect to the implant, providing us with a backdoor into the targeted network. We often utilize these when performing a physical penetration test, where acting quickly is key. You don’t want to be in a situation where you tailgate an employee into the building, roam around various office floors, get challenged by a security guard, blend in with a group of employees during a coffee break, clone an access badge, walk into a restricted area, move into the R&D facility… only to then take out your laptop, start hacking and sit there for a few hours until you get a persistent foothold into the network.
The absolute last thing you want is someone walking up on you while you are hacking away, with all these ‘weird’ terminals on your screen, sitting in a place you are not allowed to be. Although there are assignments where we can just sit around, in most cases you want to get in and out swiftly, preferably without being challenged or even seen by any employees.
That is where the hardware implant comes in: get in, find a good place to plant it, plug it into the network and get out. From there the remote team can take it over remotely, and the operator can exfiltrate the facility.
How does PiPlant work?
It depends on the nature of the implant: intelligence agencies might place implants with microphones and video recorders, whereas our version simply tries to connect back to a centralized server so we can control the device remotely. The main trick up its sleeve is that it attempts to connect out-of-band through a cellular 4G connection. As the hardware implant might not have an Internet connection after plugging it in, 4G is a nice connection method. But, more importantly, you ideally don’t want to send your traffic over the client’s network, as that might get picked up by the blue team.
What the PiPlant technically does is set up an SSH tunnel to the PowerPlant C2 server. An operator can then simply open an SSH session to the PiPlant and control it through there. From there we can perform any hacking activities as if we were on the local network of the client.
Designing a plant
So how does one create a hardware implant? How long did the R&D take? Is it proprietary? Well… It might come as a surprise to some, but it is not rocket science. It is just a combination of the tools you need to fit your purpose. Do you also want to record audio? Add a microphone. Do you want it to be extremely tiny? Use an Arduino. Do you want it to fly? Mount it on a drone. You can apply whatever is most suitable for your purpose, and it mostly comes down to your ability to cobble the parts together and turn them into something useful. For us this is one of many models, so we can be flexible in our approach.
As with any design, it starts with a list of requirements. What should your implant be able to do? In our case, as we needed to fly abroad with the implant, we started with the following list of requirements:
- Must be portable, rigid and easy to travel with.
- Must have a backup battery, preferably of the UPS type so it keeps running whenever power is cut off (in line with our ‘easy to travel with’ requirement, this restricts us to 27,000 mAh batteries, as larger ones are banned from flying on most airlines).
- Must have 4G capabilities for a truly out of band channel.
- Must be capable of/powerful enough to perform simultaneous stand-alone hacking tasks (e.g. network scans, exploitation, catching reverse shells, etc.).
- Should not look too suspicious (trust me, I have seen implants with duct-taped cases, beeping batteries and hand-soldered cables sticking out…).
- Could be powered over Ethernet.
- Could have an integrated LAN-tap.
It is a challenge to find everything and balance it out to get the most powerful computing unit that also fits into a small yet sturdy case. So let’s get drawing!
In some of the original drawings I made room for a LAN tap, but this idea was dropped for now due to the tight fit of the case and the additional complexity required (tap, additional USB Ethernet adapters and bundles of Ethernet cables). That might be something for a next iteration, but in the first version a small form factor wins over more functionality.
For the base of the design I chose a Raspberry Pi, as the new model is powerful enough for anything you throw at it. In addition, it is a platform with great support, compatibility and for me familiarity. Likewise, I chose a 4G USB dongle I knew would work out of the box with a Raspberry Pi. The box was the main part that had to be factored in, as it will physically restrict the sizes of your components. From the base I had set with the Raspberry and the 4G dongle, I set out to find a box that would fit it all. Based on my calculations a random Pelican-like case from Amazon would do the job just about right, leaving some room for the Raspberry Pi casing, ethernet and USB keystones and a battery. So, I went ahead and ordered everything at once. What could go wrong?
Putting it all together
It is always a bit nerve-wracking putting everything together: the constant fear of “will it actually fit” floats around in the back of your head throughout the process. However, my calculations appeared to be spot-on, so I can proudly continue the everyday humble brag: “Trust me, I’m an engineer”.
Apart from some visual imperfections, the initial prototype came out pretty well! The Raspberry Pi was held firmly in place, the added Power-over-Ethernet HAT (an add-on board for the Raspberry Pi) was able to power everything through a single Ethernet connection, and the 4G module worked out of the box. Time to move to the software side of things and set up the Command & Control (C2) server.
Catching a reverse shell is one thing, but building something that consistently does it for you and provides the team with an easy way to work is something else. Luckily, that is nothing a few bash scripts and some nifty pieces of software can’t turn into something useful. Now both PowerPlant and the PiPlants provide our operators with a quick overview of what is connected and an easy way to connect to the PiPlants. From a fail-safe perspective, sessions are monitored and destroyed if they become stale, informing the operators of the latest status.
The basic setup relies on the PiPlant automatically creating a reverse SSH tunnel back to the PowerPlant server using autossh. This means that the PiPlant will continuously attempt to connect back to the PowerPlant server over 4G. If there is no 4G connection for a set period, the PiPlant will attempt to connect over the client’s network connection instead. This is only a fallback scenario, as we obviously try to stay completely out of sight of the blue team.
Catching an implant
Whenever we drop an implant, we hope it will remain undetected for a good while so we can utilize the backdoor into the corporate network. But how can you detect them? Monitoring is key here. Although we try to mimic corporate workstations, and potentially clone MAC addresses to bypass port security, the implant will always stand out at some point. A new device connecting to a certain port should already be a trigger; if not, the reconnaissance traffic may trigger some alerts. If it is not found, we can always increase the volume and start sending obviously malicious traffic over the network to see if, and when, the blue team will detect the device.
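One way a blue team could act on the “new device on a port” trigger described above, as an added example that is not part of the original post or of Ghost Labs’ tooling: a small Python detector run over constructed MAC-notification syslog lines. The log format, the KNOWN_DEVICES inventory and the MAC/port values are assumptions made up for this example; the two Raspberry Pi Foundation OUI prefixes are real.

```python
import re

# Assumed syslog-style "MAC learned on port" format; adjust the regex to your switch vendor.
LINE_RE = re.compile(
    r"MAC (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) learned on (?P<port>\S+)", re.I)

# Constructed asset inventory: which MAC is expected on which access port.
KNOWN_DEVICES = {
    "Gi1/0/12": {"00:11:22:aa:bb:01"},
    "Gi1/0/13": {"00:11:22:aa:bb:02"},
}

# Raspberry Pi Foundation OUIs: a single-board computer on an office access port is worth a look.
SBC_OUIS = {"b8:27:eb", "dc:a6:32"}

# Constructed sample log: two known workstations, then an unknown Pi, then a cloned MAC.
SAMPLE_LOG = """\
Jan 10 09:01:12 sw-floor3 %MAC_MOVE: MAC 00:11:22:aa:bb:01 learned on Gi1/0/12 vlan 20
Jan 10 09:03:40 sw-floor3 %MAC_MOVE: MAC 00:11:22:aa:bb:02 learned on Gi1/0/13 vlan 20
Jan 10 09:15:02 sw-floor3 %MAC_MOVE: MAC b8:27:eb:12:34:56 learned on Gi1/0/30 vlan 20
Jan 10 09:16:11 sw-floor3 %MAC_MOVE: MAC 00:11:22:aa:bb:01 learned on Gi1/0/30 vlan 20
"""

def parse_line(line):
    """Return (mac, port) from one log line, or None if it is not a MAC-learn event."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("mac").lower(), m.group("port")

def detect(log_text, known=KNOWN_DEVICES):
    """Return (alert_type, port, mac) tuples for anything that deviates from the inventory."""
    alerts = []
    seen_on = {}  # mac -> first port it was learned on within this log
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        mac, port = parsed
        if mac not in known.get(port, set()):        # unexpected device on this port
            alerts.append(("new_device", port, mac))
        if mac[:8] in SBC_OUIS:                       # vendor prefix of a Raspberry Pi
            alerts.append(("sbc_oui", port, mac))
        first_port = seen_on.setdefault(mac, port)
        if first_port != port:                        # same MAC on two ports: clone or move
            alerts.append(("mac_duplicate", port, mac))
    return alerts
```

Fed a real MAC-notification stream, the `mac_duplicate` alert is what a cloned workstation MAC produces as soon as the genuine workstation is learned on its own port again.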
Once detected, it is important to notice how the blue team follows up. If networking and asset management are done correctly, the team should be able to quickly locate the port it is connected to. If not… it might become a tedious job of sweeping an entire office in search of a device that might be well hidden: think underneath desks, under floors, inside cabinets, between your servers or even above ceilings. But once our particular PiPlant is found, the actual fun starts. Our PiPlants have full disk encryption and will only start when you insert a certain USB drive with the decryption key. So unless we forgot to remove the USB drive, the blue team will basically be looking at a box of hardware. Happy forensics!
Now let us put these implants to good use and, like Q told James Bond: "Bring it back in one piece, not bring back one piece".
About Ghost Labs
Ghost Labs is the specialist security unit within Outpost24, offering enhanced security services such as advanced network penetration testing, (web)application testing, Red Teaming assessments and complex web application exploitation. In addition, the Ghost Labs team is an active contributor to the security community with vulnerability research and coordinated responsible disclosure programs.
Ghost Labs performs hundreds of successful penetration tests for its customers, ranging from global enterprises to SMEs. Our team consists of highly skilled ethical hackers, covering a wide range of advanced testing services to help companies keep up with evolving threats and new technologies.