Exiting the Matrix: Introducing Metasploit's Hardware Bridge
Metasploit is an amazing tool. You can use it to maneuver through vast networks, pivoting through servers and even embedded OSes. Having a single interface for your team and yourself to control a web of servers and networks is extremely powerful. But sometimes you want to do more than control the virtual world. You want to control the physical world. You need to exit the Matrix.
We recently announced a new addition to Metasploit to help you do exactly that: the Hardware Bridge API. The Hardware Bridge API extends Metasploit’s capabilities into the physical world of hardware devices. Much in the same way that the Metasploit framework helped unify tools and exploits for networks and software, the Hardware Bridge looks to do the same for all types of hardware. From within Metasploit you can now branch out into a Metasploit compatible hardware device to remotely control and use it for your penetration testing needs.
How does it work?
There are two ways to connect a physical device to Metasploit:
- Build support directly into your firmware to make your device Metasploit compatible, or
- Create a relay service.
A relay service is required if your device does not have a way to naturally communicate on Ethernet. Many useful hardware tools such as Software Defined Radio (SDR) devices are controlled solely through a USB port. In order to connect an SDR device like this to Metaslpoit then the machine that SDR is connected to would run a relay service. This uses a REST API, the details of which can be found here: Metasploit Hardware Bridge API.
Why REST?
There are trade-offs with any solution. Embedded systems typically don't support REST because that would require they run some types of mini-web server. Newer embedded systems, especially IoT devices, have no problem running web servers locally but if you have hardware that doesn't have WiFi or Ethernet capabilities we make it easy to create relays for your device. We will provide several examples in the Metasploit tools section demonstrating how to leverage the Metasploit framework to handle all of your http/web needs so you can focus on serial, usb, or whatever communication channel your device uses. We also plan on providing libraries for common microcontrollers and embedded systems to quickly allow your device to support Metasploit.
So what can the Hardware Bridge do?
Technically, anything. The API provides some core functionality that you *should* support, although most of commands are optional. These core features mainly watch power, and get versioning information and the devices capabilities. There are certain "specialties" the device can support that will trigger extra capabilities on the Metasploit end. At launch, this will include the Automotive extension.
Getting out of your dreams, getting into your car
If your device supports CAN, Metasploit will automatically provide several interactive vehicle-related commands. This will also mark your Hardware Bridge (HWBridge) session as an Automotive session that can be viewed in your session list or via modules that are designed to work only on automotive systems. This allows exploit developers to focus on writing automotive tools without having to worry about the attached hardware. It also provides internal Metasploit APIs to make common automotive calls easier, such as getting the vehicle speed or requesting a security access token from the Engine Control Unit (ECU).
Hardware devices can teach Metasploit new tricks! You don't have to wait for Metasploit updates or specific support for your new device. Hardware devices can expose any functionality they have to the Metasploit Framework. This is typically something that is unique to your hardware device. It could be as simple as exposing the LEDs, or as complicated as a series of commands that run on MIL-STD-1553 bus systems. When functionality is taught via the API to Metasploit, they show up as interactive commands in the HWBridge session. This allows for support of specific hardware support without forcing the developer to the strict rules of an API, and these commands can also be used by post exploitation modules.
How can I use it?
If you have read this far I can assume you are ready to take the red pill. This first release comes with support for SocketCAN. If you have a Linux system and a CAN bus sniffer that support SocketCAN you can get started without anything else. The local_hwbridge module is provided as an example of a simple relay system. You can run the relay locally or on a remote machine.
msf > use auxiliary/server/local_hwbridge msf auxiliary(local_hwbridge) > run [*] Auxiliary module execution completed [*] Using URL: http://0.0.0.0:8080/6xOv7GqFs3YTeIE [*] Local IP: http://10.1.10.21:8080/6xOv7GqFs3YTeIE [*] Server started. msf auxiliary(local_hwbridge) > |
The local_hwbridge defaults will automatically detect any SocketCAN interfaces you have and should just work without having to type in any options. A relay service does not have to run within Metasploit but can be its own service, or if the REST API is supported by the hardware itself, you can skip this step. Next you need to connect to a relay or a supported piece of hardware to establish a HWBridge session.
msf > use auxiliary/client/hwbridge/connect msf auxiliary(connect) > set rhost 10.1.10.21 rhost => 10.1.10.21 msf auxiliary(connect) > set targeturi 6xOv7GqFs3YTeIE targeturi => 6xOv7GqFs3YTeIE msf auxiliary(connect) > run [*] Attempting to connect to 10.1.10.21... [*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-01-17 11:02:34 -0800 [+] HWBridge session established [*] HW Specialty: {"automotive"=>true} Capabilities: {"can"=>true, "custom_methods"=>true} [!] NOTICE: You are about to leave the matrix. All actions performed on this hardware bridge [!] could have real world consequences. Use this module in a controlled testing [!] environment and with equipment you are authorized to perform testing on. [*] Auxiliary module execution completed msf auxiliary(connect) > sessions Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 1 hwbridge cmd/hardware automotive 127.0.0.1 -> 127.0.0.1 (10.1.10.21) |
---|
Once connected, a HWBridge session will be established. If you are familiar with using meterpreter you will feel very at home using a hwbridge. Jumping on a session you can see a list of commands by typing help or run a post module such as the supplied getvinfo (Get Vehicle Info) module.
msf auxiliary(connect) > sess 1 [*] Starting interaction with 1... hwbridge > supported_buses Available buses can0, can1, can2 hwbridge > run post/hardware/automotive/getvinfo CANBUS=can2 [*] Available PIDS for pulling realtime data: 46 pids [*] [1, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 24, 25, 28, 31, 32, 32, 33, 44, 45, 46, 47, 48, 49, 50, 51, 60, 61, 64, 65, 66, 67, 68, 69, 70, 71, 73, 74, 76] [*] MIL (Engine Light) : OFF [*] Number of DTCs: 0 [*] Engine Temp: 48 °C / 118 °F [*] RPMS: 0 [*] Speed: 0 km/h / 0.0 mph [*] Supported OBD Standards: OBD and OBD-II [*] Mode $09 Vehicle Info Supported PIDS: [2, 4, 6, 8] [*] VIN: 1G1ZT53826F109149 [*] Calibration ID: UDS ERR: {"RCRRP"=>"Request Correctly Received, but Response is Pending"} [*] PID 6 Response: ["00", "00", "C4", "E9", "00", "00", "17", "33", "00", "00", "00", "00"] [*] PID 8 Response: ["00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00"] |
---|
Feel free to look at the source to post/hardware/automotive/getvinfo.rb to see how to use Metasploit's Unified Diagnostic Service (UDS) API to make modules like these very simple. There are a lot more automotive modules and other services coming.
How can I help?
This is the initial release of the HWBridge. We are looking for feedback from both hardware developers and exploit writers. If there are automotive features you would like to see, let us know. If you’re a hardware developer who wants to be Metasploit compatible, let us know how we can help you.
Metasploit condensed a slew of independent software exploits and tools into one framework and now we want to do the same for hardware. As you exit the Matrix, please watch your step!
Exiting the Matrix: Introducing Metasploit's Hardware Bridge的更多相关文章
- Metasploit的射频收发器功能 | Metasploit’s RF Transceiver Capabilities
https://community.rapid7.com/community/metasploit/blog/2017/03/21/metasploits-rf-transceiver-capabil ...
- Methods and Systems for Enhancing Hardware Transactions Using Hardware Transactions in Software Slow-Path
Hybrid transaction memory systems and accompanying methods. A transaction to be executed is received ...
- Examples of MIB Variables - SNMP Tutorial
30.5 Examples of MIB Variables Versions 1 and 2 of SNMP each collected variables together in a singl ...
- A trip through the Graphics Pipeline 2011_06_(Triangle) rasterization and setup
Welcome back. This time we’re actually gonna see triangles being rasterized – finally! But before we ...
- Cloud Computing Deployment Models
Cloud computing can broadly be broken down into three main categories based on the deployment model. ...
- ROSCon 2016视频和幻灯片发布 ROS机器人操作系统重要参考资料
ROSCon 2016视频和幻灯片发布 By Tully Foote on 十月19,2016 7:28 AM 全部PPT下载地址:http://pan.baidu.com/s/1gf2sn2F RO ...
- recovery 升级前兼容性检查(Vendor Interface Object)
从android P(9.0)版本开始,我们发现编译出来的OTA升级了里面多了一个文件,compatibility.zip,这个里面存储这system与vendor分区的一些特性,用来做升级前的兼容性 ...
- [TensorFlow] Introducing TensorFlow Feature Columns
Welcome to Part 2 of a blog series that introduces TensorFlow Datasets and Estimators. We're devotin ...
- Introducing Holographic Emulation
Holographic Emulation is a new feature that vastly reduces iteration time when developing holographi ...
随机推荐
- Delphi2010生成GB2312字库乱码问题
用Delphi2010做一个点阵字库软件,字库生成部分是从一个用Delphi2007做旧的程序里扣出来的.点阵字库软件完成后生成GB2312字库在LED控制卡上显示为乱码.知道Delphi版本高于20 ...
- java类固定值代替基表写法
package cn.com.mcd.enumeration; public enum AuditStatusEnum { NOTAUDIT("0", "未审核" ...
- 基于FPGA的OLED真彩色动态图像显示的实现
源:基于FPGA的OLED真彩色动态图像显示的实现 作为第3代显示器,有机电致发光器件(Organic Light Emitting Diode,OLED)由于其主动发光.响应快.高亮度.全视角.直流 ...
- 《javascript语言精粹》——第3章对象
第三章:对象: 属性名字:可以是包括空字符串在内的任意字符串: 属性值:是除undefined值之外的任何值; [1].对象字面量: var obj={}; //空对象 var obj = new O ...
- iOS开发——Scheme白名单
问题:在iOS 9下涉及到平台客户端跳转,系统会自动到项目info.plist下检测是否设置平台Scheme.对于需要配置的平台,如果没有配置,就无法正常跳转平台客户端. 报错:This app is ...
- 支付宝WAP支付接口开发
支付宝WAP支付接口开发 因项目需要,要增加支付宝手机网站支付功能,找了支付宝的样例代码和接口说明,折腾两天搞定,谨以此文作为这两天摸索的总结.由于公司有自己的支付接口,并不直接使用这个接口,所以晚些 ...
- MySQL临时表与派生表(简略版)
MySQL临时表与派生表 当主查询中包含派生表,或者当select 语句中包含union字句,或者当select语句中包含一个字段的order by 子句(对另一个字段的group by 子句)时,M ...
- 10天学会phpWeChat——第十天:phpWeChat的会员注册、登录以及微信网页开发
通过前面的系列教程,我们系统的讲解了phpWeChat从视图端.控制器端到模型端的操作流程:熟悉了phpWeChat的目录结构:掌握了视图端模板如何创建一个丰富的表单和模型端如何操作数据库.这一切都是 ...
- LRU Cache 题解
题意 Design and implement a data structure for Least Recently Used (LRU) cache. It should support the ...
- 2017-01-11小程序form表单提交
小程序form表单提交 1.小程序相对于之前的WEB+PHP建站来说,个人理解为只是将web放到了微信端,用小程序固定的格式前前端进行布局.事件触发和数据的输送和读取,服务器端可以用任何后端语言写,但 ...