How to Build Your Own Physical Pentesting Go-bag
Build Your Own Physical Pentesting Go-Bag
Beau Bullock - @dafthack
Derek Banks - @0xderuke
Overview
• Attackers commonly try attacking organizations remotely first
  • Phishing attacks
  • Exploiting vulnerabilities in externally facing systems
  • External credential dumps
  • Etc.
• If these fail, physical attacks are required

Overview
• Having the right tools in the physical attack toolkit can determine success or failure
• Simply “getting in” is not enough
• What happens after one is inside an organization can make or break an operation
• We wanted to share what our physical pentesting go-bags look like
About Us
• Pentesters at Black Hills Information Security
• Have a number of SANS and OffSec certs…
• CitySec Meetup Organizers
  • CigarCitySec – (Tampa, FL)
  • CitrusSec – (Orlando, FL)
  • TidewaterSec – (Poquoson, VA)
• Avid OWA enthusiasts
Go-Bag
Where are we storing our gear?

Choose a Quality Bag
• Totally a personal preference
• Weatherproofing
• GoRuck bags are top notch (but a bit expensive)
  • Built in USA
  • Scars Lifetime Guarantee
• Must comfortably hold all the gear
“Remote” Physical Attacks
Sometimes, devices can make their way into organizations

USB Drop
• Most employees are “very concerned” with things like budgets and payroll
• Dropping USBs with “sensitive data” in a parking lot gets shells
• Macro-enabled docs and spreadsheets are still king
• We are fans of PowerShell Empire payloads

Backdoored Streaming Media Devices
• People enjoy gifts
• Streaming media devices require Internet
• Corp WiFi networks seem to be a good place to plug in new gifts
• So, I backdoored an Amazon Fire Stick
• It calls back to a C2 server providing a remote shell
Wireless Hacking
Can we attack the network over wireless frequencies?

Wireless Gear
• Alfa Cards (AWUS036H)
• Yagi Antenna
• Ubertooth One
• WiFi Pineapple
• HackRF One
• Etc.
Gaining Access
Physical Exploitation Methods

Get-Out-of-Jail-Free Card
• Probably the most important thing.
• Needed to ensure your authorized pentest doesn’t land you in jail
• But, you can spoof these too
  • Change security contact info to someone on your team

Social Engineering
• Simply walking into buildings works sometimes
  • The printer really needs paper…
• Having a good ruse is key though
• Tailgating
• Just knocking
  • Seriously, this has worked for me.
• Much more in-depth topic than can be covered quickly
Lock Picks
• Having a good set of lock picks is a must
• Some quality brands:
  • Sparrows
  • SouthOrd
  • Toool
• Practice, practice, practice
• Shims

Bypassing Devices
• Compressed Air
• Under the Door Tool
• Credit card trick
• Whiskey
• Etc.
RFID Cloning
• Misplaced belief in the security of RFID access control
• Many types of RFID access devices and protocols
• Can be confusing getting started
• Field-usable cloning device examples:
  • BLEKey
  • ESPKey
  • Proxmark3
  • Bishop Fox Tastic RFID Thief

RFID Access Control
• Consists of a reader that energizes a tag that returns a signal
• Return signal contains encoded information over a protocol
• Common RFID Frequencies
  • Low Frequency (LF) – 125 kHz
    • HID Prox, EM
  • High Frequency (HF) – 13.56 MHz
    • MiFare, HID iClass
• Wiegand is the most common reader-to-controller format
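Added example, not from the talk: a decoder for the standard 26-bit Wiegand frame that a reader sends to its door controller. It shows why the wire taps listed next (BLEKey, ESPKey) are enough to recover a credential: the facility code and card number travel in the clear, protected only by two parity bits. The sample frame is constructed, not a real badge.

```python
# Added example (not from the talk): decoder for the 26-bit Wiegand frame a
# reader sends to its door controller. The frame is two parity bits around an
# 8-bit facility code and a 16-bit card number, with no encryption, which is
# why a wire tap such as BLEKey or ESPKey sees the credential in the clear.
from dataclasses import dataclass

# Constructed sample frame (not a real badge): facility code 123, card 45678.
SAMPLE_FRAME = "10111101110110010011011101"


@dataclass(frozen=True)
class Wiegand26:
    facility_code: int
    card_number: int


def decode_wiegand26(bits: str) -> Wiegand26:
    """Parse a 26-bit frame given as a string of '0'/'1', first bit first.

    Layout: [even parity][8-bit facility code][16-bit card number][odd parity]
    The leading bit makes bits 0-12 contain an even number of ones; the
    trailing bit makes bits 13-25 contain an odd number of ones.
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 bits of '0'/'1'")
    ones = [int(c) for c in bits]
    if sum(ones[0:13]) % 2 != 0:
        raise ValueError("even parity check failed over bits 0-12")
    if sum(ones[13:26]) % 2 != 1:
        raise ValueError("odd parity check failed over bits 13-25")
    return Wiegand26(facility_code=int(bits[1:9], 2),
                     card_number=int(bits[9:25], 2))


def is_valid_frame(bits: str) -> bool:
    """True if the frame parses and both parity bits check out."""
    try:
        decode_wiegand26(bits)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    cred = decode_wiegand26(SAMPLE_FRAME)
    print(f"facility code {cred.facility_code}, card number {cred.card_number}")
    # Flipping one data bit breaks a parity check, so a controller rejects it;
    # flipping two bits in the same half of the frame would not be caught.
    tampered = SAMPLE_FRAME[:10] + "1" + SAMPLE_FRAME[11:]
    print("tampered frame valid:", is_valid_frame(tampered))
```

Parity is an error check, not an integrity or authentication mechanism, which is why readers that support OSDP with its Secure Channel are the usual mitigation for Wiegand tapping.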
BLEKey
• Physical tap for the Wiegand protocol
• Presented at BlackHat 2015
• Uses Bluetooth Low Energy to communicate
• Sniffed data can be offloaded to an app
• App can replay signal granting access
https://github.com/linklayer/BLEKey
ESPKey
• Physical tap that communicates over WiFi
• Presented at Shmoocon 2017
  • Implantable Logic Analyzers and Unlocking Doors – Kenny McElroy
• Stands up a WiFi hot spot and has a web interface
• Draws power from the card reader
• Not quite for sale yet…
https://archive.org/details/ShmooCon2017
Proxmark3 RDV2 Kit
• Portable RFID sniffing/reading/cloning
• Pretend to be a reader or a tag
• Both LF and HF antennae included
• Need to be relatively close to badge
• Can be operated on battery or be powered via USB
• Works with Kali NetHunter

Bishop Fox Tastic
• Long range RFID reader
• On your own to replay to card reader
• Targets 125 kHz systems such as HID Prox and Indala Prox
• Code and parts list available for free online
• Uses Arduino and long range card reader
https://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/
Post Access Exploitation
You’re in. Now what?

Pentest Dropbox
• Fully functional pentesting device
• Persistent reverse SSH tunnel
• Can be controlled over WiFi
• Relatively unnoticeable
• ODROID-C2 build instructions here:
  • http://www.blackhillsinfosec.com/?p=5156
NAC Bypass Device
• Layer 2 and 3 NAT – Helps avoid triggering port security rules on 802.1X
• Insert “between” wall and valid system
• Device spoofs both sides of wire
• Passively learns MAC addresses
• Current build is a Beaglebone Black
Kon-Boot
• Bypass authentication on many systems
• Boot to Kon-Boot USB or CD
• After getting in you could:
  • Dump local hashes
  • Add a new admin user
  • Get a shell
• Doesn’t work on encrypted HDs
Wi-Fi Keylogger
• Insert between keyboard and PC
• Connects to an AP specified by us
• Retrieve keys from LAN connection
• Can email a report every hour
• Keys are stored locally as well
• 4 GB of storage
• Hardly noticeable
PoisonTap
• Emulates an Ethernet device over USB
• Intercepts all Internet traffic
• Is able to sniff HTTP cookies and sessions from the browser
• Can be used on a locked machine
LAN Turtle
• “Generic Housing” USB device that out of the box provides:
  • Remote Access
  • Network Intelligence
  • Man-in-the-Middle Monitoring
• Community Module Framework
• Credential grabbing from locked computer
  • Thanks @mubix!
HID Attack – Rubber Ducky
• USB Human Interface Device (HID) Keyboard Injection Attack Platform
• From HAK5’s Hakshop
• Takes advantage of inherent trust of connected keyboard devices
• Payloads in the form of scripts then encoded to SD card
• Pre-configured payloads available
• Works on most platforms
Kali NetHunter
• Kali Linux on a mobile device
• Android ROM Overlay
• Builds available for Nexus, OnePlus, as well as other devices
• Chroot environment with multiple options from minimal to full Kali installs
• HID Attacks (DuckHunter)
• MANA Evil Access Point
• BadUSB Attacks
• Cost – Variable

Kali NetHunter (Ducky HID Attack)
DEMO!
Conclusion
• There’s a lot more to compromising an organization than just getting in the door… And there is usually more than one door.
• Preparing for different situations before going on-site is a must.
• Include tools in your go-bag to help you succeed in each scenario.
• One last tip:
  • Do recon on the target location prior to getting there. Use Google Maps to locate entrances; use Wigle to determine possible WiFi SSIDs.
Gear List
• GoRuck bag
• Get-Out-of-Jail-Free Card
• “Remote” Physical Attack Tools
  • USBs for USB drop
  • Backdoored Amazon Fire Stick
• Wireless Gear
  • Alfa Cards (AWUS036H)
  • Yagi Antenna
  • Ubertooth One
  • WiFi Pineapple
  • HackRF One
• Physical Exploitation Tools
  • Lock Picks
  • Compressed Air
  • Under the Door Tool
• Badge Cloning Devices
  • Proxmark3 RDV2
  • BLEKey
  • ESPKey
  • Bishop Fox Tastic RFID Thief
• Post-Access Exploitation
  • Pentest Dropbox
  • NAC Bypass Device
  • Kon-Boot
  • Wi-Fi Keylogger
  • PoisonTap
  • LAN Turtles
  • Rubber Duckys
• Post-Access Exploitation Cont.
  • Kali NetHunter
• Laptop
• Additional Tools
  • Powered Screwdriver
  • Flashlight
  • Cat-5 Cables
  • Battery Packs for mobile devices
  • USB On-The-Go Cable
  • Throwing Star LAN Tap (or real throwing stars)
Summary and Conclusions
• Black Hills Information Security
  • http://www.blackhillsinfosec.com/
  • @BHInfoSecurity
• Beau Bullock @dafthack
• Derek Banks @0xderuke
• Questions?