PIE - A hardware based Prebellico Intelligence Exfiltration Botnet

William Suthers

Prebellico is a powerful and undetectable network analysis tool designed to passively map and challenge assumptions about a target environment. Using 100% passive techniques, Prebellico has the ability to extract network intelligence either spilled on switches/firewalls/VLANS/etc., or captured through broadcast-based traffic. In the hands of a Blue Team operator it can allow detection of even the most evasive adversaries operating on the network as well as help understand what is interacting within a target environment one is trying to defend. In the hands of a Red Team operator or pentester it can provide powerful insight into the nature of the network and its configuration, disclosing secrets such as systems and services behind impenetrable firewalls, trust relationships, network host intent and even authentication information.
While useful in and of itself for Red Team based operations, Prebellico required a host and the ability to manually retrieve the data it collects or obtain it through some form of network egress, all of which might lead to device detection or operation compromise.
Furthermore, organizations as a whole have grown comfortable in limited spectrum analysis of known frequencies in hopes to capturing rouge devices. Unfortunately, this is far from the realities of modern-day attacks, leading to several incidents of organization compromise through the use of uncommon alternative wireless frequencies or technologies. 
To address these challenges and push the narrative forward, Prebellico has been extended with the PIE device – a hardware-based botnet built for Prebellico that no longer requires a network or a sneaker net to obtain intelligence acquired through Prebellico. The PIE device allows an attacker the ability to drop a device on environments as secure as air gapped networks and obtain intelligence about such configurations safely in remote locations without the risk or overhead of getting caught. True to the nature of Prebellico, after initial seeding a PIE device is nearly undetectable after a short period of time as it is designed to only broadcast newly acquired intelligence. PIE devices can also be extended in a way where if one device is in fact detected and removed from the infrastructure another device can simply continue to operate and exfilltrate passively acquired network intelligence.
It's time the Blue Team steps up their assessment practices and starts to make full RF spectrum analysis part of their audit regimen and its up to the Red Team to raise that bar. PIE is the extension Prebellico was built for and intends to drive these narratives. There is no spoon. Your network controls mean nothing to me. Hardware botnets are the future and when combined with 100% passive network reconnaissance the attacker once again has the upper hand forcing defenders to think hard about network controls such as physical security, port security and port-based authentication. Disregard the basics and you run the risk of complete compromise through 100% passive reconnaissance.

Quick Info

Venue for DEF CON 27:
Talks: Celebrity 5
InfoBooth and CTF: Contest Area
Planet Hollywood
Las Vegas.

Got a question?
DM @reconvillage or Drop an email to info@reconvillage.org

Whats going on?

Web page was built with Mobirise