Metasploit-like framework to lessen the learning curve
1. Connecting the dots….
Footprints in the ether, and other
Sean Satterlee – Principal Security Engineer
THIS IS PURELY FOR EDUCATIONAL PURPOSES.
Myself, any identities that I may use, Net Source,
Inc., NetSourceLabs, NetSourceSecure and any
other organizations that I am affiliated with
cannot be held liable for any negligence or
illegal activity that may result from the disclosure
of the information included in this briefing.
3. About me
intentionally left blank
4. A “howto” or “readme.txt”
A quick guide to a talk by me.
Topics will be all over the place
I will chase rabbits
I use profanity to make my point
I am passionate about my work
If you get up during this talk, be prepared to be heckled.
Did I mention that I will jump around on topics?
I will bring in points that I find interesting; while they might not be germane to the exact topic, you may find them useful.
If I switch languages for a certain word or concept, do not get angry. Write it down, google it; you can figure it out for yourself.
I may repeat things every now and again.
I will chase rabbits
I need to make a “logic-chart” for following my talks
I should also remember to start using the “notes” feature for powerpoint.
I like it when people clap immediately after pseudo profound statements.
I do not like the obligatory applause at the end of my talks
My talks are interactive.
Several of my friends are in the crowd
Sometimes I will just skip slides because I don’t feel like talking about them. It’s alright though, you can download this slide deck
The detailed sections are out of order. Sorry, I don’t want to fix it.
They are not “plants”, but I will sometimes call on them to help me remember anecdotes.
5. Business Intelligence?
• A nice name for Corporate Espionage
• Know the business model for a given target
(read: client) and you will further understand
the areas of their infrastructure that may be
• Knowing more about your target will lead you
to appropriate attack vectors
• Is it necessary to publish this information?
• In short, the answer is no.
• Having information is one thing.
• Displaying that you have this information is
• An entire generation raised with the notion
that “knowledge is power” has caused this.
• Displaying this information as a means to
show power and to hinder someone else’s
operations is something completely different.
8. Forms of Reconnaissance and Intel
9. Subsets of Physical
– Done at multiple times throughout the day/night.
– Establish key employees and work shifts
– Use a rental car with a Contour cam (HD), just leave it.
– Don’t get too close
– Use everything you can in BackTrack 5 (BT5) or Kali
• Dumpster Dive
– Do this at night
– Avoid the critters
10. • Get a tour, make note of how physical security
– Electronic Keypads
– “Secure” keylocks
• Make note of the badges; if you are conducting
a social, you may need to create one.
• It doesn’t need to “work”, it just has to pass a glance.
12. • RFID? Sure, we can do that…
13. • Magstrips? Yeah, that too.
Info available on instructables.com
• Seriously? Are you kidding me?
• Medeco, Chubb, and Bonowi keys are now
available for download to be printed on
15. Physical Locks
16. Security Keypads
#,0 (same time) followed by 0000
“Program” button, followed by 7777
#,9,# 123456 add your code by:
1234 (no lockout, just keep pecking)
17. Keys to a successful “Social”
• Accurate data
• Susceptible targets
18. USB drops and rubber duckies
19. CD/USB drop
• Curiosity killed the cat
• Think of this as a ‘reverse dead drop’.
Pseudo public place, and you WANT it to
– You may ask yourself, “who would actually
plug this in?”
– Now tell yourself, “too many people that
probably work with me.”
20. You knew this would come up
21. Other methods
• The USB drop isn’t always needed
– If you can gain physical access:
• a rubber-ducky can be used to drop a payload and
a reverse, persistent shell
– If you can’t gain physical access:
• You can squeeze a rubber-ducky into anything that
uses a USB connection. Ship it to someone in the
target company. Human stupidity will take over,
and SOMEONE will plug it in.
22. Just how easy is that?
• Not calling anyone out, but certain people in
this industry are literally batting 1000 using
– But seriously, how easy is it?
23. I was going to make a political joke
here, but… well, let’s just skip that
part as I don’t really have any
25. Quality of Sources
• None of these tools are worth the processing
power of launching them if you don’t know
where to look.
26. Sources, you say?
Public Records for target area
ESRI – GIS data
County Assessors office
28. Flickr? Why flickr?
• Because sometimes smart people do very
• You can do something about it…
30. Examples, you say?
• Users will come up with a “clever” password…
– And reuse it.
– And reuse it.
– And reuse it.
31. So what comes of this behavior?
33. And again…
34. Why Facebook?
35. Inadvertent Excess
• Go into the Kinko’s
closest to your target.
• Say you “forgot your
• They show you a box,
you say “that’s it!”
36. A quick note about ‘excessed
• Please wipe configs on hardware and
• 4th Saturday sales have yielded quite a
few Cis** devices with current configs for
an organization STILL ON THEM.
38. Create your own transforms
• There is a wealth of information in public
– Property taxes
– Marriages, divorces, VPOs, traffic citations, etc.
– Birth records, death certificates
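Added example, not from the talk: a Maltego-style local transform in Python that turns a Person entity into the parcels that person owns, the kind of “own transform” the slide is pointing at. Maltego runs a local transform as a script with the selected entity’s value in argv[1] and reads the MaltegoTransformResponseMessage XML the script prints. The assessor records, the matching rule and the names normalize_name, person_to_properties and build_response are all constructed for this example; a real transform would query the county assessor export or website instead of an in-memory list.

```python
"""Maltego-style local transform: Person -> Location (parcels owned).

Added example; the records, helper names and the matching rule are
constructed for this page, not Maltego's own code.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for a county assessor export: (owner of record, parcel address, assessed value).
ASSESSOR_RECORDS = [
    ("DOE, JANE A", "101 ELM ST", 245000),
    ("DOE, JANE A", "4420 INDUSTRIAL PKWY STE 3", 810000),
    ("SMITH, JOHN", "7 OAK AVE", 199000),
]


def normalize_name(name):
    """Map 'Jane A. Doe' and 'DOE, JANE A' to the same key ('jane a doe').

    Assessor rolls usually store 'LAST, FIRST MIDDLE'; the input entity is
    usually 'First Middle Last'. Middle initials must match, which is the
    trade-off taken here (fewer false links, some misses).
    """
    name = name.upper().replace(".", "")
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return " ".join(name.split()).lower()


def person_to_properties(person):
    """Return the parcels whose owner of record matches the Person entity value."""
    wanted = normalize_name(person)
    return [
        {"owner": owner, "address": address, "value": value}
        for owner, address, value in ASSESSOR_RECORDS
        if normalize_name(owner) == wanted
    ]


def build_response(hits):
    """Serialize hits as the XML Maltego expects on a local transform's stdout."""
    msg = ET.Element("MaltegoMessage")
    resp = ET.SubElement(msg, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    for h in hits:
        ent = ET.SubElement(entities, "Entity", Type="maltego.Location")
        ET.SubElement(ent, "Value").text = h["address"]
        ET.SubElement(ent, "Weight").text = "100"
        fields = ET.SubElement(ent, "AdditionalFields")
        ET.SubElement(fields, "Field", Name="owner", DisplayName="Owner of record").text = h["owner"]
        ET.SubElement(fields, "Field", Name="assessed_value", DisplayName="Assessed value").text = str(h["value"])
        ET.SubElement(fields, "Field", Name="source", DisplayName="Source").text = "county assessor (constructed sample)"
    messages = ET.SubElement(resp, "UIMessages")
    ET.SubElement(messages, "UIMessage", MessageType="Inform").text = f"{len(hits)} parcel(s) matched"
    return ET.tostring(msg, encoding="unicode")


if __name__ == "__main__":
    # Maltego passes the selected entity's value as the first argument.
    person = sys.argv[1] if len(sys.argv) > 1 else "Jane A Doe"
    print(build_response(person_to_properties(person)))
```

Register the script in Maltego as a local transform with input entity Person and the script path as the command; the UIMessage shows up in Maltego’s output pane, and each Location entity carries the owner and assessed value as extra fields so you can pivot further from the graph.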
39. Quality of Product
• Your information is only as good as your
– Use CORRECT and ACCURATE information. Do not
• The signal-to-noise ratio is horrendous. This entire
section is total
41. Social Engineering
• I will not pretend that neuro-linguistics has gotten me past some
serious security measures.
– However, a fake accent did get ri0t and me quite a few drinks in Vegas.
• How does it work?
– You appeal to a person’s sensibility and logic.
42. Seriously though, what does SE get us?
• It gets us physical access to a location to actually
DO the CD/USB drop
• If the target is in a shared office location, hang out
in the smoker’s area.
• Pay attention to the visual layout of ID badges in case you
need to fabricate one
– Possibly tailgate a person into a secure area
43. • Become a customer/client of the target.
• Remember, people are inherently stupid
and willing to trust. Exploit this.
– “Give them an ounce of quality lies, and you
will get a pound of truth in return.” - me
44. Qualify your statements and questions
• Don’t ask stupid questions that are DIRECT.
• You will always need to fill some gaps, it’s
important to do this without inferring a
• Be knowledgeable of the subject matter at
– This means taking an interest in whatever widget
you are trying to gather information about
45. Pushing in
• So what options do I have to exploit a location
using the information I have gathered?
– Intranet access portals with weak user/pass combos
– Sub-domains for test/development environments to
attack via web applications to extract data
– Complete Breach of network via wireless to create a
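Added example, not from the talk: finding the test/development sub-domains the second bullet talks about. The script builds likely hostnames from environment labels (dev, staging, uat, ...) combined with application labels and resolves each one. ENV_LABELS, APP_LABELS, candidates and find_live are names chosen for this example; the resolver is injectable so the logic runs offline in a test, and a wildcard probe keeps a catch-all DNS zone from making every guess look live, which is the usual failure mode of naive brute forcing.

```python
"""Likely test/dev hostname enumeration with a wildcard guard.

Added example; the wordlists are constructed and the resolver is pluggable
so the logic can be exercised without network access.
"""
import socket

# Constructed wordlists: labels that commonly front non-production systems,
# and application labels they get combined with (dev-api, api.staging, ...).
ENV_LABELS = ["dev", "test", "staging", "stage", "uat", "qa", "beta",
              "sandbox", "old", "intranet", "portal", "vpn"]
APP_LABELS = ["www", "api", "app", "mail", "wiki", "jira", "git"]


def candidates(domain):
    """Yield plausible non-production hostnames for domain, each exactly once."""
    seen = set()
    for env in ENV_LABELS:
        names = [f"{env}.{domain}"]
        for app in APP_LABELS:
            for sep in ("-", "."):
                names.append(f"{env}{sep}{app}.{domain}")   # dev-api.example.com / dev.api.example.com
                names.append(f"{app}{sep}{env}.{domain}")   # api-dev.example.com / api.dev.example.com
        for name in names:
            if name not in seen:
                seen.add(name)
                yield name


def live_resolver(name):
    """Resolve with the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def find_live(domain, resolver=live_resolver):
    """Return {hostname: ip} for candidates that resolve, ignoring wildcard answers.

    A wildcard record (*.example.com) answers every guess; probing a label nobody
    would register tells us what that answer looks like so it can be filtered out.
    """
    wildcard_ip = resolver(f"zz-wildcard-probe-4f1a.{domain}")
    found = {}
    for name in candidates(domain):
        ip = resolver(name)
        if ip is not None and ip != wildcard_ip:
            found[name] = ip
    return found


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for host, ip in find_live(target).items():
        print(f"{host:<40} {ip}")
```

socket.gethostbyname returns a single A record, which is enough for a hit/miss test; swap in a DNS library if you want CNAME chains (dev.example.com pointing at a cloud host is itself a finding). Hosts that resolve are only candidates for the web-application work in the bullet above, so keep the live run inside the scope you were given.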
46. Wait, I just said wireless
“techie LUsers” – let me tell you why they are
your biggest problem.
47. “Why?” you ask?
• Because they are the ones that take it upon
themselves to create and fix things with only
half of the ‘larger picture’
• Which, in turn, just ends up causing more
48. Rogue APs, anyone?
49. People who build “labs” at work
50. How this can cause issues
• The vast majority of ‘labs’ use default passwords
• Rogue APs lack strong encryption, or any at all
• A shared password used over an open wifi
• Unused accounts with the “default
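Added example, not from the talk: catching the rogue APs from the list above in the output of the tools already on the Kali box. airodump-ng writes a CSV whose first section lists every BSSID it heard with its Privacy column (OPN, WEP, WPA, WPA2); comparing that against the wireless team’s inventory flags three things at once: APs nobody deployed, an unknown BSSID advertising the corporate ESSID (evil twin), and anything running open or WEP. AUTHORIZED and SAMPLE_CSV are constructed for this example; the column layout follows airodump-ng’s access-point section.

```python
"""Rogue / weak access point check over an airodump-ng CSV.

Added example; AUTHORIZED and SAMPLE_CSV are constructed. The column layout
follows airodump-ng's access-point section.
"""
import csv
import io

# Constructed inventory: BSSIDs the wireless team actually deployed, and their ESSID.
AUTHORIZED = {
    "00:11:22:33:44:55": "CorpWiFi",
    "00:11:22:33:44:66": "CorpWiFi",
}
WEAK_PRIVACY = {"OPN", "WEP", ""}   # no encryption, or encryption that is as good as none

# Constructed capture in airodump-ng's CSV layout (AP section, blank line, then the station section).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2013-05-04 10:00:00, 2013-05-04 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,    0,   0.  0.  0.  0,  8, CorpWiFi,
AA:BB:CC:DD:EE:01, 2013-05-04 10:00:10, 2013-05-04 10:05:00, 11,  54, OPN ,     ,    , -55,   60,    0,   0.  0.  0.  0,  7, lab-net,
AA:BB:CC:DD:EE:02, 2013-05-04 10:00:20, 2013-05-04 10:05:00,  1,  54, WPA2, CCMP, PSK, -62,   45,    0,   0.  0.  0.  0,  8, CorpWiFi,
AA:BB:CC:DD:EE:03, 2013-05-04 10:00:30, 2013-05-04 10:05:00,  3,  11, WEP , WEP ,    , -70,   30, 1200,   0.  0.  0.  0,  9, Bobs_Lab,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


def parse_access_points(text):
    """Return the AP rows as dicts keyed by the header names; stop at the station section."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = None
    aps = []
    for row in reader:
        if not row:                      # the blank line ends the AP section
            if header:
                break
            continue
        if row[0].strip() == "BSSID":
            header = [c.strip() for c in row]
            continue
        if header is None:               # airodump-ng writes a blank first line; skip anything before the header
            continue
        aps.append(dict(zip(header, (c.strip() for c in row))))
    return aps


def classify(aps, authorized=AUTHORIZED):
    """Findings for APs that are not in inventory, impersonate a corporate ESSID, or run weak crypto."""
    corp_essids = set(authorized.values())
    findings = []
    for ap in aps:
        bssid, essid, privacy = ap["BSSID"], ap["ESSID"], ap["Privacy"]
        reasons = []
        if bssid not in authorized:
            if essid in corp_essids:
                reasons.append("evil twin: corporate ESSID advertised by a BSSID not in inventory")
            else:
                reasons.append("AP not in inventory")
        if privacy in WEAK_PRIVACY:
            reasons.append(f"weak or no encryption ({privacy or 'none'})")
        if reasons:
            findings.append({"bssid": bssid, "essid": essid, "channel": ap["channel"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in classify(parse_access_points(SAMPLE_CSV)):
        print(f"{f['bssid']}  ch{f['channel']:>2}  {f['essid']:<12} {'; '.join(f['reasons'])}")
```

Run it against the -w prefix-01.csv file airodump-ng leaves behind after a walk of the building. The Power column (not used here) is what you follow to physically locate a flagged BSSID; the # IV column on the WEP row is a reminder of why WEP belongs in the weak set.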
51. How is this remedied?
• Strengthen your policies
• Educate users
• Educate users (yes, that’s twice on purpose)
– Old machine accounts in AD
– Maintenance (service) accounts
– Accounts that have never been used
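Added example, not from the talk: an audit that picks out the three account classes listed above from an AD export. The export shape is an assumption made here: one dict per object with lastLogonTimestamp, pwdLastSet and whenCreated as Windows FILETIME integers (100 ns ticks since 1601-01-01 UTC, which is how AD stores the first two), plus objectClass and servicePrincipalName, as you would get from ldapsearch or Get-ADUser/Get-ADComputer after a little conversion. SAMPLE_EXPORT and audit are constructed for this example. One caveat the code bakes in: lastLogonTimestamp only replicates when it is more than 14 days stale, so thresholds below that are meaningless.

```python
"""Stale / never-used / aging service account audit over an AD export.

Added example. The export shape is an assumption: one dict per object with
lastLogonTimestamp, pwdLastSet and whenCreated as Windows FILETIME integers.
SAMPLE_EXPORT is constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH_OFFSET = 116444736000000000   # 100 ns ticks between 1601-01-01 and 1970-01-01
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ft):
    """FILETIME -> aware UTC datetime; 0 or missing means 'never set' in AD."""
    if not ft:
        return None
    return datetime.fromtimestamp((int(ft) - FILETIME_EPOCH_OFFSET) // TICKS_PER_SECOND, tz=timezone.utc)


def datetime_to_filetime(dt):
    return int(dt.timestamp()) * TICKS_PER_SECOND + FILETIME_EPOCH_OFFSET


# Fixed "now" so the constructed sample stays deterministic.
NOW = datetime(2013, 6, 1, tzinfo=timezone.utc)


def _days_ago(days):
    return datetime_to_filetime(NOW - timedelta(days=days))


# Constructed export: a normal user, a contractor who never logged on, a service
# account with an ancient password, a dead lab box and a healthy workstation.
SAMPLE_EXPORT = [
    {"sAMAccountName": "jdoe", "objectClass": "user", "enabled": True,
     "lastLogonTimestamp": _days_ago(3), "pwdLastSet": _days_ago(20), "whenCreated": _days_ago(900),
     "servicePrincipalName": []},
    {"sAMAccountName": "contractor7", "objectClass": "user", "enabled": True,
     "lastLogonTimestamp": 0, "pwdLastSet": _days_ago(400), "whenCreated": _days_ago(400),
     "servicePrincipalName": []},
    {"sAMAccountName": "svc_backup", "objectClass": "user", "enabled": True,
     "lastLogonTimestamp": _days_ago(1), "pwdLastSet": _days_ago(1500), "whenCreated": _days_ago(1500),
     "servicePrincipalName": ["backup/srv1.corp.example"]},
    {"sAMAccountName": "OLDLAB01$", "objectClass": "computer", "enabled": True,
     "lastLogonTimestamp": _days_ago(300), "pwdLastSet": _days_ago(300), "whenCreated": _days_ago(1200),
     "servicePrincipalName": ["HOST/OLDLAB01"]},
    {"sAMAccountName": "WS042$", "objectClass": "computer", "enabled": True,
     "lastLogonTimestamp": _days_ago(2), "pwdLastSet": _days_ago(10), "whenCreated": _days_ago(500),
     "servicePrincipalName": ["HOST/WS042"]},
]


def audit(objects, now=NOW, stale_days=90, never_used_grace_days=30, service_pw_max_days=365):
    """Return {sAMAccountName: [reasons]} for enabled objects that need attention.

    lastLogonTimestamp replicates lazily (only once it is more than 14 days old),
    so the defaults stay well above that window to avoid false positives.
    """
    findings = {}
    for obj in objects:
        if not obj.get("enabled", True):
            continue                      # disabled accounts belong to a separate cleanup
        name = obj["sAMAccountName"]
        last_logon = filetime_to_datetime(obj.get("lastLogonTimestamp"))
        created = filetime_to_datetime(obj.get("whenCreated"))
        pw_set = filetime_to_datetime(obj.get("pwdLastSet"))
        is_computer = obj.get("objectClass") == "computer"
        is_service = bool(obj.get("servicePrincipalName")) and not is_computer
        reasons = []
        if last_logon is None:
            if created is not None and (now - created).days > never_used_grace_days:
                reasons.append("never logged on")
        elif (now - last_logon).days > stale_days:
            kind = "machine" if is_computer else "user"
            reasons.append(f"{kind} account inactive {(now - last_logon).days} days")
        if is_service and pw_set is not None and (now - pw_set).days > service_pw_max_days:
            reasons.append(f"service account password {(now - pw_set).days} days old")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_EXPORT).items():
        print(f"{name:<14} {'; '.join(reasons)}")
```

Service accounts are recognised here by having an SPN on a non-computer object; if your naming convention (svc_ prefix, a dedicated OU) is reliable, add that as a second signal. A never-logged-on account that is older than the grace period is exactly the “default” account the slide above is worried about, and the machine accounts that fall out are the lab boxes from slide 49.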
52. In conclusion
• Try harder
• Enable yourself and your staff
– Come to local hacker meetings
– We will gladly show you stuff
• No such thing as a stupid question.
– Just stupid people, that don’t ask questions.
53. Any questions that relate to the actual
• I like to eat steak cooked medium rare
• I have two cats, a dog, a planted aquarium
and an entire school of carnivorous fish
• My favorite color is clear