Key Cyber Solutions at Tech Warrior Cyber Ops 2020 - IoT Enumeration

What is it like to participate in a hacking challenge hosted by the Air Force? It's incredibly fun and exciting and I wanted to share our experience here. Key Cyber Solutions (KCS) was proud to participate in the Tech Warrior Cyber Ops Cyber Challenge that took place from October 5-9th. KCS was among the finalist selected to compete in the inaugural Tech Warrior Enterprise event in the IOT mapping category and was represented by our president AJ Mojaddidi and myself. In this post, I will share details of the experience, our findings, our methodology, and provide and explanation about how these types of challenge events work! Simply put, It was nothing short of 3 days of pure hacking fun. Follow this link, to can learn more about the program/challenge itself, as well as view the comprehensive lists of the IoT Mapping challenge finalists.

What is the Tech Warrior Cyber Ops Challenge?

Hosted by the U.S. Air Force, the challenge was was an extensive hacking symposium for small businesses. Each business was allowed to use the technology of their choice to complete the challenge within a period of roughly 24 hours. There were two main challenge categories; one involved information assurance, and the other was a challenge to enumerate IoT devices on a given subnet. The IoT category aligned best with our interest, (and is much more fun) so naturally, KCS elected to apply for that category. After submitting a white paper on our organizational methodologies and technologies, our team was accepted into the competition! This was shocking because we planned to use no proprietary technology, and relied solely on open source technologies and scripts. We figured the Air Force wanted to observe some cool proprietary technologies in action, but there was a great deal of interest shown in our open-source approach that cost absolutely nothing. I will dig further into the technology and methodology used later. I will not disclose our specific findings, just in case this same environment is used for other challenges in the future; I only want to discuss our approach and the environment itself. I will begin with a discussion around how the approach was setup, and the environment.

IoT Challenge Environment/Setup

The challenge occurred during the midst of the COVID pandemic, so the entire competition was virtual to protect the safety of all participants. While some may have preferred an in-person gathering, I thoroughly enjoyed the virtual option. I felt I had more time and control over the challenge and I also had access to my own host machine at home. Before being allowed into the virtual environment, we had to complete a few initial briefings discussing our approach to (who I assume was) leadership, and some tech scouts. All of these interactions took place over Zoom and WebEx and went smoothly.

After the initial briefings the competition officially began. We were allowed into the virtual environment on the first day, to install the tools we wanted to use. The discovery process did not start until the following day. If a team attempted to move ahead before the designated timeframe, they were at risk of being disqualified, so, KCS used our time to explore the environment and become more familiar with one of the tools provided, SDR Sharp. Again, more on the technologies later.

The environment itself was quite simple, and worked incredibly well. The Air Force had a small network set up on-location, and every company was assigned a Windows 10 laptop for the challenge; we were all on the same subnet. We were told roughly 30-50 devices were on this subnet; these were the devices we would have to discover the next day. To access the Windows 10 laptops, we simply RDP'd in via TeamViewer. Now, we could build our attack machines. This is when the other companies began setting up their proprietary tools. We, however, took a much simpler approach.

Technologies Utilized and KCS's Methodology

When the time came to download all of our tools and prepare for the challenge, the initial plan was enumerating subdomains for a given target, using Amass. This tool is a favorite recon/enumeration tool among our team. Amass enumerates subdomains incredibly fast and it uses D3, a java visualization framework to create topological mappings of findings with a visually appealing outcome. Given our experience with the tool, we decided to leverage these attributes to enumerate IoT devices, create a beautiful graph, and present our findings. Unfortunately, everything did not go as smoothly as planned. I'll walk you through the challenges we faced daily throughout the competition.

Day 1 - Monday, October 5th

Around 4pm, the team started configuring the attack machine for the challenge the following day. We install VMWare to allow us to load/configure Kali Linux. Amass comes pre-installed on Kali distros which saves some time. We installed nmap/zenmap on the host Windows machine, and are confident enough to start the challenge. They have provided us with a tool called "SDR Sharp" which uses a USB-connected software defined radio (SDR) peripheral cable (in this case, HackRF One) and can pick up a wide range of frequencies. This feature allows you to connect affordable $30 antennas and pick up basics signals such as CB radio comms and FM radio stations, but the HackRF One is special because of its incredibly large bandwidth (to our understanding). We are novices to the world of radio frequencies, so after doing a little research on common frequencies for IoT devices, we call it a night. The next day, we will see what we can discover using Amass and SDR Sharp.

Day 2 - Tuesday, October 6th

At 9am, we receive the go-ahead to begin enumerating devices and afterwards, we have to report our findings and provide a topological graph of the network. We have Amass and hope that it will be able to handle enumerations. Unfortunately, we are unable to get it to discover IoT devices on the subnet, and we aren't able to figure out why. We have a great deal of experience using Amass to discover subdomains, but either we weren't using the correct switches, or we have misconfigured the virtual machine. Typically, we would dive deeper into the issue, and possibly post in forums for some guidance, but with little time, we decide to abandon the Amass tool approach, and use a different open-source tool.

After breaking for lunch, we jump back onto our Windows machine. With nmap and zenmap installed, we launch a very basic scan against the subnet and wait for the results. Within minutes, we discovered nearly 30 devices. We are in shock and did not expect it to be so easy. Our basic enumeration experience has paid off and thankfully zenmap (the GUI version of nmap) is capable of creating a visual network topology.

After our initial scans, we have a list of active devices on the subnet. With these devices, we launch specific scans against each host, using the NSE (nmap scripting engine) to delve into what services may be running on their ports, and to hopefully get a better idea of operating systems and other components. While waiting for these scans to run, we also tried Angry IP Scanner, and Solarwinds which did not produce the expected results and was not open-source. We abandoned Solarwinds. We find it's best to use multiple tools for the same purpose as a backup because one tool may find details missed by the other. Our redundant and abundant scans pay off tremendously. By the afternoon, we gained a staggering amount of information and knowledge.

After a few hours of working, the team nearly forgot about SDR Sharp. We quickly boot it up while running more scans in the background, and decide to monitor some of the more common frequencies and immediately discover a rogue, suspicious signal, and take notes. Afterwards, the program crashed, and the HackRF is no longer detectable by Windows, despite a reboot and everything we could manage from an RDP session. At this point, fortunately we have an overwhelming amount of information. With a report due the next day, we decide to abandon SDR Sharp and begin compiling our findings. We did our best research to make guesses on what the discoveries may be. I won't get into specifics here, but we found several devices ranging from smart lightbulbs to vehicle communication devices. It was truly incredible what was achieved using only nmap and zenmap. Thanks to zenmap, we even had a nice visualization of the network and a finished report by the final day of the challenge.

Day 3 - Wednesday, October 7th

The hardest (and most fun) parts were over, and we prepared to wrap up. We submitted our report by noon, and have our final 30-minute debrief around 2pm. This turns out to be the most satisfying part of the process, as we learned that ALL the devices discovered we classified were correct or extremely close. Even the single signal we discovered with SDR Sharp was correctly identified, and the hosts of the event seemed extremely impressed with our humble approach. I am by no means a master hacker, so this was a very fun learning experience and I was proud to represent Key Cyber Solutions in such an exciting challenge.

Conclusion and Lessons Learned

Overall, we were disappointed that we could not leverage Amass as planned, but I'm sure with more time and research we would have launched it successfully. After working through the initial setbacks, we were extremely satisfied with the outcome, and the team had fun. The competition was a great opportunity to to meet new cybersecurity professionals and learn how other companies approached the challenge, which all were proprietary solutions. I think the most important lesson learned, is that a proper mindset and knowledge of the right tools can complete the job, as well as expensive tools and proprietary methodologies. Properly leveraging open-source tools can be extremely cost-efficient and powerful, especially for smaller businesses. Given more time, with a working SDR Sharp program, and a correctly leveraged Amass, I think the team would have nailed every single device on the challenge. Maybe next time!

We are grateful that the Air Force allowed Key Cyber Solutions to be a part of this incredibly fun and enlightening challenge. It was a much needed confidence boost and a great opportunity to test our enumeration skills. I've learned a great deal and it's been a blast so far! What a great way to celebrate my 2nd work anniversary with KCS! As always, thanks for reading, and I hope you learned a little bit about how these challenges work and how they can be approached.