Tech Insight: Three Hardware Tools For Physical Penetration Testing

Published: 22/11/2024   Category: security


How to hack yourself like a social engineer



Social engineering is an attacker's most effective weapon -- Kevin Mitnick's newly released memoirs are a testament to that fact. In a physical penetration test, the attacker's goal is to get inside your facilities and gain access to the sensitive data; often, leveraging social engineering tactics is the key to doing so. The data the attacker is after is sometimes sitting on a CEO's desk, locked in a filing cabinet, or stored on an internal file server.
More often than not, the goal is to gain access to the network, but it's not always practical to carry a laptop or expect to have more than a few minutes to plug in to the network, then scan, attack, and make off with the crown jewels. Instead, attackers will plug in a small wireless access point, a wireless router with custom firmware, or a specially designed drop box like the Pwn Plug -- all of which are designed to facilitate remote access into the target's internal network.
When planning a penetration test, the purpose is to emulate the same types of attacks that a real attacker might carry out. The physical security side of the testing can be a lot of fun and a bit nerve-wracking, so it's important to have your hardware ready to go and tested before going on site.
There are several hardware options that someone performing a physical penetration test can use once inside the target facility. Some were never designed for the express purpose of breaking into a corporate network, but others were built commercially with that sole purpose in mind. No matter the original intent of the device, the penetration tester's intent is to get into the building, plug the device into the network, and get out.
The first and often cheapest option is simply a wireless access point or wireless router. There are a plethora of models to choose from, but the best choices are those that can be reflashed, or reprogrammed, with custom firmware, like OpenWRT or DD-WRT. Those firmware options allow full access to the underlying Linux system for configuration and can be fully customized with penetration-testing tools. Some examples include nmap, netcat, and even the Metasploit Framework; however, the latter is not recommended due to underpowered CPUs and limited memory in these devices.
What's great about choosing a wireless access point or wireless router is that these devices come in all different sizes. Some are smaller than a deck of cards, making them incredibly easy to conceal. There have been numerous hacks to make them easier to deploy, ranging from powering them from battery packs and USB ports to adding additional storage through USB flash drives and SD cards.
Dark Reading contributing blogger Steve Stasiukonis has an excellent example of a physical penetration test paired with social engineering and a wireless access point in "Using HVAC To Set Up A Hack."
A second option is to use a laptop, preferably as small as possible to avoid detection. A laptop is generally going to be more expensive and more conspicuous, but it has a lot more power to run penetration-testing tools, like the Metasploit Framework or Core IMPACT. Laptops have the same benefit as wireless access points because they have wireless and wired ports. The wired Ethernet port can be plugged into the target's network jack, and the wireless can be configured to allow the tester to connect in from outside the building while sitting in the parking lot.
So how does a penetration tester connect in once his attack device has been deployed? The obvious method in the previous two device examples is via wireless.
Another method is to include the ability for the device to phone home once it is plugged into the target network. The easiest method is some type of SSH connection out to a system the penetration tester controls. Using SSH reverse tunnels, the tester can then connect back into the device and perform scans and attacks against the internal network. Creating an automatic SSH reverse tunnel is possible on the wireless devices mentioned above and on the laptop. There are many how-to articles available online, like this one, to help you get started in case you're not familiar with the concept.
GSM or CDMA cellular connections using the many USB adapters available on the market also work. Plug the laptop or drop box, like the Pwn Plug, into the network and let it phone home via the cellular connection. The device is now practically invisible on the network (if configured properly) because it isn't attempting to make connections through the target's network, and very few target environments would have the capability to detect the cellular connection. The tester can now ride the cell connection back into the internal network unnoticed.
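From the defender's side, the SSH phone-home described above appears as a long-lived outbound SSH session, often from a device that is missing from the asset inventory. The following is an added example, not part of the original article, that flags such sessions in flow records; the CSV layout, internal address range, inventory and one-hour threshold are assumptions, and it sees nothing when the device phones home over a cellular link.

```python
import csv
import io
import ipaddress

# Assumptions for this example: internal address space, inventory, threshold.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_MACS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}  # asset inventory
MIN_SECONDS = 3600  # sessions at least this long count as persistent
SSH_PORT = 22

# Constructed flow records (not real traffic); external IPs are documentation ranges.
SAMPLE_FLOWS = """\
src_mac,src_ip,dst_ip,dst_port,duration_s
00:11:22:aa:bb:01,10.0.5.20,10.0.1.10,22,14400
00:11:22:aa:bb:01,10.0.5.20,198.51.100.7,443,35
00:11:22:aa:bb:02,10.0.5.31,203.0.113.50,22,600
00:11:22:aa:bb:02,10.0.5.31,203.0.113.50,22,7200
02:de:ad:be:ef:99,10.0.7.88,203.0.113.9,22,86400
"""


def is_internal(addr):
    """True when addr falls inside one of the organisation's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_phone_home(flow_csv, known_macs=KNOWN_MACS, min_seconds=MIN_SECONDS):
    """Return alerts for long-lived SSH sessions from inside to outside."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["dst_port"]) != SSH_PORT:
            continue
        if not is_internal(row["src_ip"]) or is_internal(row["dst_ip"]):
            continue  # only internal -> external sessions are of interest
        if int(row["duration_s"]) < min_seconds:
            continue  # short interactive sessions are ignored
        mac = row["src_mac"].lower()
        # A device missing from the inventory is the stronger signal.
        severity = "medium" if mac in known_macs else "high"
        alerts.append({"severity": severity, "src_mac": mac,
                       "src_ip": row["src_ip"], "dst_ip": row["dst_ip"],
                       "duration_s": int(row["duration_s"])})
    # High severity first, then longest session first.
    return sorted(alerts, key=lambda a: (a["severity"] != "high", -a["duration_s"]))


if __name__ == "__main__":
    for alert in find_phone_home(SAMPLE_FLOWS):
        print(alert)
```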
A third hardware option for penetration testing is a custom hardware drop box that has been designed with pen testing in mind. The idea has come up many times over the years about how it would be cool to create one based on the plethora of microcomputing platforms available, like the Sheevaplug, but few public projects exist for doing so. The Pwn Plug from Pwnie Express is the first publicly available drop box designed with physical penetration testing in mind.
With more computing power than most wireless routers but much less power than a laptop, the Pwn Plug comes in a small form factor that can be easily disguised as a power adapter for a printer. The different models available include wired Ethernet ports, wireless, and cellular modem capabilities, making it a versatile device. You could walk into your target's network, pretend to be the copier machine repairperson, and deploy one of these with ease -- making it an attractive option if you don't want to take the do-it-yourself approach.
Physical security is an important aspect of any company, but its impact on internal network security is overlooked. The typical impression is that physical security is there to prevent someone from stealing physical property, but as you can see with the different hardware options for physical penetration testing, it's even easier to make off with the digital goods.