MAL-DUINO HACKING: AN UNDERSTANDING OF REVERSE SHELLS AND PAYLOAD METHODS USING MICROCONTROLLERS

Maria Alfonso, Student Member, IEEE; Hector Beltran; Jonathan Nunez; Marcelo Triana; Obed Ruiz
Department of Electrical and Computer Engineering, Florida International University, Miami, USA

Abstract— Many (if not most) organizations have some form of perimeter protection that restricts access to their inner-network machines from the internet. A reverse shell program circumvents the firewall filters and lines of defense by forcing a target system to connect to an attacking system that is outside the organization's network. Reverse shells covertly create a discrete channel that allows the attacker to target specific machines, users, and data to scan internal networks, install network sniffers, collect sensitive user information, etc. Using an open-source framework like Metasploit, the attacker can inject payloads (directed data packets sent over the internet) into the target machine through the linked channel. With a plethora of payloads that perform numerous functions, a reverse shell becomes a bridge to countless, unique methods of control. The attacker's objective is (in one way or another) to export sensitive, internal data to an external source. A creative way of performing such an attack is through a 'rubber ducky', a disguised USB keystroke injection tool that can drop payloads on unsuspecting machines upon USB-port insertion. A cost-effective and efficient implementation of the rubber ducky uses an Arduino-like board because of its low profile, low price, and features that entry-level and advanced users can adapt to. Our team's project focused on programming a Digispark ATtiny85 (a cheaper development board than its comparable Arduino Nano) to insert a TCP reverse shell on a target machine, which allowed Metasploit to insert malicious payloads onto the victim. We observed and analyzed which methods would result in a greater reward vs. risk to achieve the attacker's respective goals.

Index Terms— Arduino; Digispark; keylogger; Metasploit; Meterpreter; payload; reverse shell; rubber ducky; sniffer

I. INTRODUCTION

A REVERSE SHELL is a simple concept to understand, with a tremendous force of impact when applied. It begins with a listening machine A on a specific TCP port; another machine B connects to the port and the handshake is complete. Now machine A has entered machine B's shell, giving A access to B. Through this channel, machine A can perform a slew of commands to cause machine B to behave under A's control. This is not inherently a nefarious act; however, it makes it easier for attackers to seize control over target systems. Metasploit gives the attacker a sandbox of attack vectors to use on the linked victim machine. These attacks come in the form of payloads, which are executable files that are activated by the attacker via shell or by the victim (unsuspectingly) without their knowledge of it. Sometimes the target does not have access to the internet, which poses an issue to the attacker. One way around this is to physically insert the reverse shell; this can be via a rubber ducky. Although an ordinary-looking USB can do the job, there has been a lot of media attention on not inserting USBs that do not belong to you. If the target machine is in a hardware-lab setting, an Arduino-like board would make a terrific disguise to house the reverse shell program. Once connected and the victim machine is started, the channel is formed with the attacker. Because these kinds of boards house microcontrollers, other instructions can be injected into target machines to perform tasks that further the attacker's goal.

II. REVERSE SHELL METHODOLOGY

A shell is an interface that requires commands. A user interacts with a system by typing commands, which the operating system translates and executes. Shells continue to be used to remotely execute commands on network systems.
Remote shell capabilities are found in applications such as Telnet and Secure Shell (SSH). Here the discussion will be on reverse shells, which are effective against individual systems. Once a reverse shell is delivered, it can be hard to detect if it uses an expected protocol to connect out of the network.

A. Reverse Shell Concept

Reverse shell applications target devices inside an internal protected network and trick them into connecting to a host outside their protected network. For a reverse shell to work, an attacker must locate a protocol and port which is allowed out of a firewall. The more common ports targeted are HTTP and HTTPS on TCP ports 80 and 443. Other combinations with outgoing connections include SMTP on TCP port 25 and DNS on TCP/UDP port 53 [10]. Additionally, ping, which allows for ICMP echo requests and replies, is used for outgoing connections. Reconnaissance is often needed to gather information about the target's infrastructure and security before choosing which protocol and port to attack. The reverse shell payload allows access to an internal system without having internal access. It forces the internal system to actively connect to an external system. In Figure 1 the SANS Institute provides an excellent example of the concept of a reverse shell.

Figure 1. Reverse Shell Concept [10]

Installing the reverse shell on the internal computer is often difficult to accomplish. Therefore, it takes a well-crafted email to trick users into opening an email attachment that executes the installation code, or having them click a link that deploys the code another way. Another way we will be showing is using a USB key with the reverse shell installer on it. This would require physical access to an internal computer that has been left unattended. The attacker can take advantage of auto-play to launch the code and take over the machine. An article written by Richard Hammer [10] stated: "An undetected reverse shell on a system inside the protected network could give a fired employee access long after having been escorted off company property".

B. Keylogger in Reverse Shell

As stated in previous sections, a reverse shell connection can be used to allow a hacker to access a desired computer, making it vulnerable. The hacker can then monitor the user's activity or even penetrate the computer's system. Keystroke logging or keylogging refers to the 'logging' of keys struck on a computer's keyboard in order to monitor the user's activity, but most of the time this kind of listening is done secretly, since the user inputting the keystrokes is usually not aware of his/her behavior being followed. The data gathered can later be retrieved by the person who is managing the logging program. These programs are known as keyloggers, and they can be software or hardware based [13]. Therefore, this type of program can be used in a reverse shell to enhance its functionality and desired goal. It is important to state that keyloggers are legal because some of them have legitimate uses. For example, many employers have implemented such programs in order to supervise the handling of their computers. However, most of the time, these programs are used with malicious intentions such as stealing passwords along with other confidential information. Hence its implementation in a reverse shell.

An example of how a reverse shell and a keylogger process can be set up to achieve a desired exploitation is the Hercules Reverse Shell. This is a customized reverse shell payload that is accessible on GitHub. According to its creator, Ege Balci, some of the supported platforms include Ubuntu versions 16.04 and 15.10, Kali Linux versions Rolling and Sana, and Parrot OS version 3.1. Figure 2 shows some of the commands used and the description for each one of them [5].

Figure 2. Some of the commands used in the Hercules program and their description [5].

As seen above, many different techniques can be utilized to design a penetration program. In this case, the use of a keylogging program is useful to gather information inputted by the user such as passwords, and the implementation of a reverse shell helps the user gain access to the target computer while avoiding firewall detection.

Another program found on GitHub that combines the use of reverse shells and keyloggers to access a computer is the WPForce WordPress Attack Suite. As its name states, WPForce is a suite of WordPress attack tools. This suite consists of two scripts; the first one, WPForce, uses brute force to log in through the API, while the second one, Yertle, is the one programmed to upload the shell after the administrator credentials are obtained. The second script is the one implementing the keylogger to obtain the desired credentials, and the one that is responsible for executing the reverse shell. Figure 3 shows the commands and their description used for the Yertle script of the WPForce suite [19].

Figure 3. The commands and their description used for the Yertle script of the WPForce suite [19].

C. AutoRun Command in Reverse Shell

AutoRun is basically an element of the Microsoft Windows operating system, and its purpose is to control the behavior of the system when a drive is attached. This component was introduced in Windows 95 to help users with non-technical experience install software and also cut down the expense of support calls [2]. Back in 1995, the most
common drive was the CD-ROM; therefore, when a CD with the appropriate instructions was inserted into the computer, the OS acknowledged the new device and inspected its content looking for the specific file that holds the set of instructions. This feature has been included in the newest versions of Windows, allowing the same functionality [2]. Autorun.inf is the file that holds the required information to obtain an automatic installation from the mounted drive. This is a text file that needs to be saved in the root directory of a logical drive in order to be detected by the OS. Its architecture follows the standard Windows .ini file, which holds information and instructions as "key value" pairs grouped into sections [3]. Since this file is legitimate and is used as a loading point for many programs, it has been targeted for use with malicious purposes. Some of the common exploits include placing a reference to a harmful executable file in the autorun.inf file, so that when the operating system finds it, it will automatically execute it [22].

AutoRun, like keylogging, is very convenient to use along with the reverse shell technique because, even though most of the time a reverse shell is set up to evade the firewall restrictions of a network, sometimes the attacker's target is not part of a specific network but, on the contrary, is a stand-alone computer. In this case, the attacker can use malware that alters or injects an autorun.inf file into the root folder of every single drive of the device, as well as a malicious executable. When the infected media is attached to the desired drive, the tainted autorun.inf file is discovered by the operating system and starts its execution, which allows the malicious file to run automatically and silently in the computer's background [22].

III. METASPLOIT FRAMEWORK

The Metasploit Project is currently being developed by Rapid7 and helps security experts find vulnerabilities, define new intrusion detection signatures, and carry out penetration testing processes with multiple tools.

Its best-known element is the Metasploit Framework, which started as a portable network tool in 2003 and has grown into an extensive toolset supported on multiple platforms. It is flexible enough to be capable of exploiting vulnerabilities through modules, which can also be added by external developers, that affect all kinds of targets by taking advantage of bugs. The Metasploit Framework includes hundreds of exploits, and its modular design allows security experts and attackers to mix and match exploits and payloads depending on the target's operating system and the kind of attack that will be performed [21].

A. Metasploit Exploits

Metasploit categorizes exploits by the platforms on which they can be used. Developers can write exploits without worrying about dependencies, payloads and developing modules, using scripts based on the current Metasploit functions, but it's required to specify exploitable versions and affected operating systems so the exploit is easily identified by final end users. Considering multiple factors like how reliable an exploit can be, Metasploit uses rankings so testers know how complicated it will be to use one [15]. The ranking values can be:

- Excellent: the exploit is completely reliable; some examples can be CMD execution or SQL injection.
- Great: the exploit checks for compatibility on the target and is easily executed against a default target.
- Good: the exploit is easy and has a default target.
- Normal: the exploit doesn't detect the target automatically but is reliable.
- Average: the exploit is not easy to use and/or is unreliable.
- Low: the exploit is successful less than 50% of the time.
- Manual: the exploit is configured by the user or it's extremely unstable.

B. Metasploit Payloads

Metasploit has hundreds of payloads, which include:

- Command shell: allows the attacker to execute arbitrary shell commands on the victim once it's been compromised.
- Meterpreter: this type of payload allows the attacker to transfer files from and to the victim, browse its content and use VNC to control the screen.
- Dynamic payloads: these generate unique payloads that try to fool antivirus software.

C. Metasploit Development

All the code for the Metasploit Framework can be found on GitHub and it's open to the public; developers can download the source code and start modifying it accordingly or add custom modules [14].

D. Metasploit Versions

Rapid7, Strategic Cyber LLC, Kali Linux developers and others contribute daily to the different versions available to the public. End users can get some versions for free from GitHub and similar websites, or can get a paid version with support from Rapid7 [4]. The main versions currently available are:

- Metasploit Framework Edition: this version is completely free and available through GitHub; developers and penetration testers can use it for multiple tasks. It's included in Kali Linux and uses a terminal interface to execute exploits. Even though it's free and doesn't have support, it can be extended with custom exploits and payloads. Out of the box it contains network discovery tools and basic exploiting functions.
- Metasploit Community Edition: this version is maintained by Rapid7 and recommended for small businesses and students. It has all the functions of the Framework version plus a graphical user interface. It's considered a one-year trial of the Pro version; it includes some automation tools like baseline
penetration testing reports and automated credential brute forcing, but doesn't have all the Pro functions.
- Metasploit Pro: this is the full version provided by Rapid7. It contains multiple additional automation functions like automated workflows, wizards and smart exploitation. It also contains infiltration tools for dynamic payloads, spear phishing, and web app testing for OWASP Top 10 vulnerabilities.
- Other versions: Rapid7 also offers other versions with limited functionality for specific tasks or different scenarios, like Metasploit Express, which can be used for small networks. In addition to Rapid7, other developers can also use the code available on GitHub to start creating new versions for different use cases.

IV. METERPRETER

Meterpreter is an advanced payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It has been part of Metasploit since 2004. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more. Originally written in C by Matt "skape" Miller (and now compiled with MSVC), dozens of contributors have provided additional code, including implementations in PHP, Python, and Java. The payload continues to be frequently updated as part of Metasploit development. Common extensions were merged for 3.x and are currently undergoing an overhaul for Metasploit 3.3 [20], [16].

A. How Meterpreter Works

In order to better understand this program, here is a step-by-step explanation of how Meterpreter works.

Step 1. The target executes the initial stager.

Meterpreter is a sophisticated and well-designed payload that offers more than a command-line shell. Probably its most attractive feature is its ease of use. In fact, it is one of the reasons why many of the other Metasploit modules rely on Meterpreter and not so much on the command shell. Let's explore how the process begins. Within the Metasploit architecture, Meterpreter is another payload that is delivered to a target. The delivery is through a small stager, about 70K in size, which is meant to reach the target fast and undetected by IPS and IDS systems. Stagers can be obfuscated with applications like msfencode and can be created with utilities such as msfpayload. A stager is nothing more than a small program whose purpose is to download additional components or applications once it has reached its target. There are several ways to deliver a stager into a system, some of which are trivial and others more sophisticated. For example, a stager can be delivered as a compromised PDF or docx, or a Java exploit. In fact, any method that enables code execution on a remote machine is an option; it can even be embedded in executable files like notepad.exe, sol.exe, InstallFlash.exe, etc. One key factor to consider is that whichever the chosen executable may be, it has to be run with administrator rights. Also, to be successful, it has to bypass UAC (User Account Control) as well. Now, the latter tasks do not necessarily have to be run by Meterpreter, as there are many other tools and methods that rely on exploits of known vulnerabilities that will get by UAC. Once the stager executes, Meterpreter establishes a connection, fetching a 751KB DLL which will continue the process. Only the shell is downloaded, and no user agents are present. The latter file can be encrypted or unencrypted, and although some advances have been made as far as detection, hackers seem to be one step ahead.

Step 2. The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL.

With the effort of staying hidden, Meterpreter does something very clever: it avoids writing its main executable to hard disk space. The idea behind this is to leave no traces behind for computer forensic experts to find that it was ever present, and furthermore to keep hidden what it compromised in the affected system. To accomplish such a task, the file received upon the stager's execution is loaded into RAM only, using the reflective DLL injection technique. Reflective DLL injection allows the sourcing of the DLL in the form of its raw data. To be able to inject the data into the target process, the binary must be manually parsed and mapped into virtual memory, as the Windows image loader would do when calling the LoadLibrary function. It is worth mentioning that some recent utilities have been used successfully to analyze system memory dumps to detect the presence of Meterpreter and the processes it ran; one example is Volatility with the malfind plugin.

Step 3. The Meterpreter core initializes and establishes an HTTP(S) or raw TCP connection.

Upon the execution of the stager, the Meterpreter DLL is downloaded and kept in RAM. The fingerprint for this is a GET request to a 4-character path directly off the domain; no file is specified. Unlike most legitimate requests, a User-Agent is not included, and the only HTTP headers sent are Connection and Cache-Control [23]. Notice that HTTP and HTTPS can both be used, and typically hackers will use a combination of both, as they avoid egress filters fairly well, blending nicely with everyday network traffic on ports 80 and 443. One interesting approach to the adoption of HTTP is that Meterpreter transports typically use a server/client deployment with many short HTTP connections. HTTP POSTs messages suggests th
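A defender-side check for the Step 3 HTTP fingerprint described above (a GET to a 4-character root path, no User-Agent, and only Connection and Cache-Control headers), written as an added example that is not code from the paper or from Metasploit. The request samples are constructed, and the three traits it tests for are taken from the paper's description of the stager fetch.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample requests (not captured traffic). Index 0 has the shape the
# paper describes for the stager fetch; 1 and 2 are ordinary client requests;
# 3 has the short path but a normal header set, so it should not be flagged.
SAMPLE_REQUESTS = [
    "GET /n1Dq HTTP/1.1\r\nHost: 203.0.113.10\r\nConnection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\nConnection: keep-alive\r\n\r\n",
    "GET /api/v1/status HTTP/1.1\r\nHost: api.example.com\r\nUser-Agent: curl/8.0\r\n"
    "Accept: */*\r\n\r\n",
    "GET /abcd HTTP/1.1\r\nHost: cdn.example.net\r\nUser-Agent: Mozilla/5.0\r\n"
    "Accept: */*\r\n\r\n",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")

@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]  # header names are lower-cased

def parse_request(raw: str) -> Optional[Request]:
    """Split a raw HTTP/1.x request head into method, path and a header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    path = m.group("target").split("?", 1)[0]  # drop any query string
    return Request(m.group("method"), path, headers)

def stager_indicators(raw: str) -> List[str]:
    """Return the names of the paper-described traits this request shows."""
    req = parse_request(raw)
    if req is None:
        return []
    hits: List[str] = []
    # Trait 1: GET to a 4-character path directly off the domain, no file named.
    if req.method == "GET" and re.fullmatch(r"/[A-Za-z0-9_-]{4}", req.path):
        hits.append("four_char_root_path")
    # Trait 2: no User-Agent header at all.
    if "user-agent" not in req.headers:
        hits.append("missing_user_agent")
    # Trait 3: only Connection and Cache-Control are sent. Host is mandatory in
    # HTTP/1.1, so it is excluded before comparing the header set.
    sent = set(req.headers) - {"host"}
    if sent and sent <= {"connection", "cache-control"}:
        hits.append("only_connection_and_cache_control")
    return hits

def is_suspected_stager(raw: str) -> bool:
    """Require all three traits together to keep false positives down."""
    return len(stager_indicators(raw)) == 3

def scan(requests: List[str]) -> List[int]:
    """Indexes of the requests that match the full fingerprint."""
    return [i for i, r in enumerate(requests) if is_suspected_stager(r)]
```

The paper describes the fingerprint of the Meterpreter HTTP transport of its time; current Metasploit HTTP stagers send a User-Agent and use longer URI paths, so treat this as one indicator to tune against your own traffic rather than a standalone detection.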
