BSides Leeds is an information security conference held at Cloth Hall Court on the 24th of January 2020. I thought it would be a good idea to write a post about my experience and share what I learned from the day!
For the first portion of the day, I attended a firmware extraction workshop run by C00kie, a French security researcher. I had always been curious about how firmware could be extracted from devices such as routers etc. but had never taken the time to research it. Lucky for me, C00kie was able to present a brilliant crash course on how to extract firmware from IoT devices.
First, the required tools were explained. The first, a universal asynchronous receiver-transmitter to USB (UART-USB) adaptor, was provided to us. These devices connect to the serial port of the target, allowing asynchronous serial communication. They start from £2 on eBay. Next, Minicom, an open-source, text-based serial port communications program, is required. Finally, a target device. We were given a Netgear router, with no USB port, running OpenWrt as the firmware.
Next, the router was pried open, revealing the internals. The goal: identify the serial port, either from markings on the router's board or by locating it by eye (a row of four pins). Once found, the UART-USB adaptor was connected to the board (RX to TX and TX to RX). You can confirm the adaptor is recognised by the host by running dmesg.
Now Minicom can be connected. First, a script is used to find the correct baud rate; ours was 115200 baud. Once connected, you can start poking around for tools that can be used to extract the firmware from the device. Eventually, I found something interesting: MTD block devices (mtdblocks), the memory technology device layer that exposes the raw flash partitions, including the ones holding boot images. After listing these block devices, one piqued my interest: "rootfs". Now I just needed a way of extracting it.
I was attempting to think of all the ways that I could get this off the hardware: SSH, FTP, netcat, the built-in HTTP server, but all my efforts were fruitless. Eventually, I got some help from C00kie, who explained that netcat could be placed onto the router to extract the bins. By using a statically linked nc binary and a TFTP server, the mtdblocks could be transferred over UART. After fiddling around and using dd, I finally managed to get the bins onto my machine. The files could be decompressed using unsquashfs. Once that is done, the files are ready to be analysed!
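As an added example (not from the workshop or this post), here is the sanity check I would run on the host after pulling an mtdblock image off a router like this: parse the router's /proc/mtd listing to find the "rootfs" partition and its exact size, then confirm the received dump is the full size, starts with the SquashFS magic, and matches a sha256sum taken on the device, before handing it to unsquashfs. The /proc/mtd listing and partition layout below are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of /proc/mtd as an OpenWrt-style router prints it over the serial console.
SAMPLE_PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00160000 00010000 "kernel"
mtd3: 00280000 00010000 "rootfs"
mtd4: 00100000 00010000 "rootfs_data"
mtd5: 00010000 00010000 "art"
"""

SQUASHFS_MAGIC = b"hsqs"  # little-endian SquashFS superblock magic, as unsquashfs expects

@dataclass
class MtdPartition:
    index: int
    size: int        # bytes (the hex "size" column)
    erasesize: int   # bytes (the hex "erasesize" column)
    name: str

    @property
    def block_device(self) -> str:
        return f"/dev/mtdblock{self.index}"  # the device you would dd on the router

_LINE = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"(.*)"$')

def parse_proc_mtd(text: str) -> List[MtdPartition]:
    """Parses /proc/mtd output; the header line does not match and is skipped."""
    parts = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            parts.append(MtdPartition(int(m[1]), int(m[2], 16), int(m[3], 16), m[4]))
    return parts

def find_partition(parts: List[MtdPartition], name: str) -> MtdPartition:
    for p in parts:
        if p.name == name:
            return p
    raise KeyError(f"no MTD partition named {name!r}")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_dump(data: bytes, part: MtdPartition, device_sha256: str) -> dict:
    """Checks a received mtdblock image: full partition size, SquashFS magic, hash matches the
    sha256sum computed on the router (a short transfer or a serial glitch shows up here)."""
    return {
        "size_ok": len(data) == part.size,
        "squashfs": data[:4] == SQUASHFS_MAGIC,
        "hash_ok": sha256_hex(data) == device_sha256,
    }
```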
Overall the session was fascinating. I learnt something new and met some great people along the way. I’m definitely picking up a UART adaptor and finding some hardware to play around with. If you get the chance to go to this session (C00kie has done a few of them) I would definitely recommend!
In the latter half of the day, I attended a few pretty noteworthy talks. The first talk was by Glenn Pegden, a gentleman at the heart of the 90s hacking scene. His talk was about phone phreaking in the UK. His main goal is to gather documents relating to the scene he was heavily involved in, in the hope of not letting it die out. Glenn spoke about how every hacker's goal was to get their hands on a BT Hosiden Besson 290, aka the "butt phone". These phones could be used to get free phone calls and cause other mischief. Glenn also made a point of asking anyone from the scene to get in contact with him; I'll leave his blog here for that reason.
Next, I attended a talk by Dan Card, an offensive security contractor. Dan gave a talk on how to get started with CTFs. He covered the basics such as the five phases of ethical hacking and provided a basic CTF example using Hack The Box. One thing that caught my attention was when Dan asked the room if people are put off by CTFs because they do not know where to get started. A good 80-90% of the room raised their hands. This surprised me, as offensive security has become a lot more popular, with lots of resources being only a Google search away. I don't know if people are put off by the technical side, or if they don't know where to get started. I might put something together, or write a post on how to get started with CTFs. I'll see.
My final talk was by an experienced red teamer, Neil Lines. Neil gave examples and demos of techniques for bypassing enterprise controls. He included privilege escalation and exfiltration techniques, explaining that EDR has been a burden on his operations since it became more popular in enterprise environments. However, one thing commonly overlooked is machines joining the domain. When domain credentials are acquired, an attacker can add a new build to the domain. This new build will not have any EDR or monitoring tools, so the attacker is free to do as they please. The only way they can get spotted is if the SOC is monitoring machines added to the domain, or if the attacker interacts with other machines. So if anything was learned from the session, monitor machines joining your domain!!!
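To make that last point concrete, here is an added detection example (mine, not from Neil's talk): Windows domain controllers log Security event ID 4741 ("A computer account was created") whenever a machine joins, and by default ms-DS-MachineAccountQuota lets any authenticated domain user create up to 10 of them, which is exactly why a stolen user credential is enough. The code reviews constructed JSON-lines exports of such events and flags computer accounts created by anything other than the assumed provisioning account, or outside an assumed build window; the account names, hours and records are all made up for the example.

```python
import json
from datetime import datetime

# Constructed sample of Security log records exported as JSON lines (not real logs).
# 4741 = "A computer account was created"; field names mirror the event's XML data names.
SAMPLE_EVENTS = """\
{"EventID": 4741, "TimeCreated": "2020-01-24T09:12:03", "SubjectUserName": "svc-sccm", "TargetUserName": "LT-0452$", "SubjectDomainName": "CORP"}
{"EventID": 4624, "TimeCreated": "2020-01-24T10:01:44", "SubjectUserName": "-", "TargetUserName": "jsmith", "SubjectDomainName": "CORP"}
{"EventID": 4741, "TimeCreated": "2020-01-24T23:47:10", "SubjectUserName": "jsmith", "TargetUserName": "DESKTOP-K3J9$", "SubjectDomainName": "CORP"}
{"EventID": 4741, "TimeCreated": "2020-01-25T03:05:51", "SubjectUserName": "svc-sccm", "TargetUserName": "LT-0453$", "SubjectDomainName": "CORP"}
"""

COMPUTER_ACCOUNT_CREATED = 4741

# Accounts expected to create computer objects (imaging/provisioning). Assumed names.
PROVISIONING_ACCOUNTS = {"svc-sccm"}
# Hours (24h clock) during which the build team normally joins machines. Assumed window.
BUILD_HOURS = range(7, 20)

def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def review_computer_joins(events):
    """Returns one finding per 4741 event with the reasons it looks odd (empty list = expected)."""
    findings = []
    for ev in events:
        if ev.get("EventID") != COMPUTER_ACCOUNT_CREATED:
            continue
        creator = ev["SubjectUserName"]
        hour = datetime.fromisoformat(ev["TimeCreated"]).hour
        reasons = []
        if creator not in PROVISIONING_ACCOUNTS:
            reasons.append(f"created by non-provisioning account {creator}")
        if hour not in BUILD_HOURS:
            reasons.append(f"created outside build hours ({hour:02d}:00)")
        findings.append({"computer": ev["TargetUserName"], "creator": creator, "reasons": reasons})
    return findings

def suspicious_joins(events):
    """Only the joins a SOC analyst should look at; interactive logons (4624) are ignored."""
    return [f for f in review_computer_joins(events) if f["reasons"]]
```

The same check carries over to 4742 (computer account changed), which is how a pre-created account gets its password reset and reused.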
Overall, BSides Leeds was a great day. I met some interesting people, saw some excellent talks and learnt a little bit too. If you want to watch any of the sessions, they should be up on the YouTube channel soon. If you have any more questions, let me know, and of course, thanks for reading.