Hardware assisted penetration testing

Penetration testing, or pentesting, is the practice of attacking your own or your clients’ IT systems the same way an attacker would, in order to identify security holes. Before starting a penetration test you normally need to clearly define the scope and get written consent from the client; in other words, you need a pre-engagement contract signed by your client. Depending on the information in your possession it can be a white-box or a black-box pentest. You also need to follow a standard methodology while conducting the test, to ensure the quality, reproducibility and comparability of your pentest. I’m not going to talk about this now, but I plan to write a series of articles on this matter in the future.

Every ethical hacker or penetration tester uses a variety of software to accomplish various tasks: well-known vulnerability assessment frameworks like Nexpose, Nessus and OpenVAS (just to name a few), exploitation frameworks like Metasploit, Core Impact Pro and Immunity Canvas, and in-house tools. Obviously any software needs a personal computer, a server or a cloud instance to run. Apart from this, there is a variety of other small devices and appliances that can assist a penetration tester during his job, and that is what I’m going to talk about today.

HARDWARE KEYLOGGERS

Hardware keyloggers are used for keystroke logging, a method of capturing and recording computer users’ keystrokes, including sensitive information like passwords and credit card numbers. They can be implemented as BIOS-level firmware or as a device plugged inline between a keyboard and a computer. They usually consist of a microcontroller, flash memory and a USB or PS/2 connector.

USB Keylogger

PS/2 Keylogger

KeySweeper Wireless Keyboard Sniffer

Covert Keylogger Keyboard

HARDWARE VIDEO LOGGER (FRAME GRABBER)

SIGINT AND TEMPEST SYSTEMS

SIGINT (SIGnals INTelligence) is intelligence derived from electronic signals and systems used by foreign targets, such as communications systems, radars, and weapons systems. SIGINT gives a nation a vital window into foreign adversaries’ capabilities, actions, and intentions.

TEMPEST is a National Security Agency specification and NATO certification referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations. TEMPEST covers both methods to spy upon others and also how to shield equipment against such spying. The protection efforts are also known as emission security (EMSEC), which is a subset of communications security (COMSEC). For more information about TEMPEST see here: http://www.jammed.com/~jwa/tempest.html .

TEMPEST Attack

Van Eck Phreaking demonstration

Another interesting demonstration was given in the 2009 Black Hat talk “Sniffing Keystrokes With Lasers/Voltmeters – Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line Leakage” by Andrea Barisani and Daniele Bianco of Inverse Path Ltd (slides: https://www.blackhat.com/presentations/bh-usa-09/BARISANI/BHUSA09-Barisani-Keystrokes-SLIDES.pdf).

WiFi HACKING DEVICES

These devices are usually built from a router with an antenna capable of packet injection, running a custom firmware, usually based on a Linux distro, with hacking tools such as aircrack-ng installed.

An example of such a device is the WiFi Pineapple:

WiFi Pineapple

The WiFi Pineapple Mark V is the latest generation wireless network auditing tool from Hak5. With its custom, purpose-built hardware and software, the WiFi Pineapple enables users to quickly and easily deploy advanced attacks using its intuitive web interface. From a man-in-the-middle hot-spot honeypot to an out-of-band pentest pivot box, the WiFi Pineapple is unmatched in performance, value and versatility.

Another example of a WiFi cracking device is Reaver Pro:

Reaver Pro™ II

Reaver Pro is able to crack a WEP key in only a few minutes; WPA cracking is also fast when WPS is enabled, because Reaver recovers the WPA passphrase by brute-forcing the WPS PIN rather than the passphrase itself.

PENTEST BOXES

MiniPwner – built around a portable TP-Link MR3040 router running OpenWrt.

MiniPwner

Pwnie Express solutions:

Pwn Plug R3

Pwn Pro

Pwn Phone

Pwn Pad

#r00tabaga is thinner than the MiniPwner, smaller and lighter than the WiFi Pineapple, and has a built-in 2000mAh Li-ion battery.

#r00tabaga

TrustedSec Attack Platform (TAP) – TAP ensures that the system is always up to date with the latest patches and uses the PenTesters Framework (https://github.com/trustedsec/ptf) to automatically install all of your tools and keep them up to date. For hardware, it uses an Intel NUC with a solid-state drive, 16 GB of RAM, an Alfa wireless adapter for wireless assessments and a Verizon LTE card, so egress filtering isn’t a problem when outbound network access isn’t available. TAP is used internally by TrustedSec and isn’t available for sale, but the software is open source and can be found here: https://github.com/trustedsec/tap

TAP

HID ATTACKS

A Human Interface Device (HID) attack uses a device that is plugged into a USB port of a computer and is recognized as a keyboard. Because keyboard input is automatically trusted and acted upon by the computer (unlike CDs/DVDs and normal USB drives, which rely on Autorun), the device can be programmed to type a payload as keystrokes that can do many things, including spawning a shell, dumping passwords and escalating privileges.
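From the defender's side, a rogue HID shows up in the kernel log as a new USB device that immediately registers as a keyboard. The following script is an added example, not part of the original article: it runs over a few constructed dmesg lines and flags any device enumerating as a HID keyboard whose vendor/product ID is not on an approved list. The vendor/product IDs and the allowlist are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample dmesg excerpt (not real captured output): an approved keyboard
# enumerates first, then an unknown device that also presents itself as a keyboard,
# then a plain mass-storage device that never registers as HID.
SAMPLE_DMESG = """\
[  101.120000] usb 1-1: New USB device found, idVendor=1111, idProduct=0001, bcdDevice= 1.00
[  101.130000] hid-generic 0003:1111:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Office Keyboard] on usb-0000:00:14.0-1/input0
[  250.400000] usb 1-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  250.410000] hid-generic 0003:ABCD:1234.0002: input,hidraw1: USB HID v1.10 Keyboard [Generic Keyboard] on usb-0000:00:14.0-2/input0
[  250.420000] hid-generic 0003:ABCD:1234.0003: input,hidraw2: USB HID v1.10 Mouse [Generic Keyboard] on usb-0000:00:14.0-2/input1
[  300.000000] usb 1-3: New USB device found, idVendor=2222, idProduct=0002, bcdDevice= 1.00
[  300.010000] usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Constructed allowlist of (vendor, product) pairs approved to act as keyboards.
APPROVED_KEYBOARDS = {("1111", "0001")}

NEW_DEVICE_RE = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
HID_RE = re.compile(r"hid-generic 0003:([0-9A-F]{4}):([0-9A-F]{4})\.\d+: .* USB HID v[\d.]+ (\w+) \[(.*?)\]")


@dataclass(frozen=True)
class Alert:
    port: str      # USB port path, e.g. "1-2", so the physical device can be located
    vendor: str
    product: str
    name: str
    hid_type: str


def find_unapproved_hid_keyboards(dmesg_text: str, approved=APPROVED_KEYBOARDS) -> list:
    """Return one Alert per device that registers as a HID keyboard but is not approved."""
    port_by_id = {}   # (vendor, product) -> port, from the enumeration line
    alerts, seen = [], set()
    for line in dmesg_text.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            port, vid, pid = m.groups()
            port_by_id[(vid.lower(), pid.lower())] = port
            continue
        m = HID_RE.search(line)
        if m:
            vid, pid, hid_type, name = m.groups()
            key = (vid.lower(), pid.lower())
            # Only keyboard-class interfaces matter here; mice cannot type a payload.
            if hid_type == "Keyboard" and key not in approved and key not in seen:
                seen.add(key)
                alerts.append(Alert(port_by_id.get(key, "?"), key[0], key[1], name, hid_type))
    return alerts
```

On a real host the same logic can be fed from `dmesg` or the kernel journal; the allowlist is the part a practitioner has to maintain.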

Teensy – a complete USB-based microcontroller development system, in a very small footprint, capable of implementing many types of projects. All programming is done via the USB port. No special programmer is needed, only a standard “Mini-B” USB cable and a PC or Macintosh with a USB port.

Teensy

There are some libraries available for Teensy, like PHUKD by IronGeek, SET, Kautilya and Peensy.

BadUSB – an HID attack vector presented at Black Hat 2014 by Karsten Nohl.

USB Rubber Ducky – a HID attack tool by Hak5.

USB Rubber Ducky

Kali Linux NetHunter – a Kali Linux distro for Nexus and OnePlus that supports Wireless 802.11 frame injection, one-click MANA Evil Access Point setups, HID keyboard (Teensy like attacks), as well as BadUSB MITM attacks.

USB armory by Inverse Path – the capability of emulating arbitrary USB devices, in combination with the speed of the i.MX53 SoC, its security features and a flexible, fully customizable operating environment, makes the USB armory an ideal platform for all kinds of personal security applications. The secure boot feature allows users to fuse verification keys that ensure only trusted firmware can ever be executed on a specific USB armory board. The support for ARM® TrustZone®, in contrast to conventional TPMs, allows developers to engineer custom trusted platform modules by enforcing domain separation between the “secure” and “normal” worlds that propagates throughout all SoC components, and is therefore not limited to the CPU core.

USB armory

MAKE YOUR OWN HACKER GADGET

All of us have heard about or used Hacker Gadgets like the WiFi Pineapple, MiniPwner, Pwn Plug, r00tabaga etc. They are fantastic to use for demos, in social engineering tasks, explaining security implications in a fun way to non-security professionals and in actual pentest task automation! But what does it take to build one? In this course, we will teach you how to build a Hacker Gadget (or Pentest Gadget if you prefer 😉 ) for less than $50 from scratch. How much technical expertise do you need to follow this course? If you’ve installed Linux and ever configured an Access Point, you will feel right at home!

See the course on PentesterAcademy, a SecurityTube.net initiative.

BOOKS

Some useful books for creating your own hacker gadget:

Happy hacking! 🙂

Author: Fabio Baroni   Date: 2015-10-29 22:46:19

Comments

Post author:

Thanks 🙂 I plan to write another article about new hardware (and software) that can be used for security and counter terrorism, which should be pretty interesting. Come back to my website for future updates! 🙂
