Whenever an attacker decides to attempt to compromise an organization they have a few options. They can try to send phishing emails, attempt to break in through an externally facing system, or if those two fail, an attacker may have to resort to attacks that require physical access. Having the right tools in the toolkit can determine whether a physical attacker is successful or not. In this talk we will discuss a number of different physical devices that should be in every physical pentester’s go-bag. Stealing credentials from a locked computer, getting command and control access out of a network, installing your own unauthorized devices, and cloning access badges are some of the topics we will highlight. We will demo these devices from our own personal go-bags live. Specific use cases for each of the various devices will be discussed including build lists for some custom hardware devices.

1. Build Your Own Physical
Pentesting Go-Bag
Beau Bullock - @dafthack
Derek Banks - @0xderuke

2. Overview
• Attackers commonly try attacking
organizations remotely first
• Phishing Attacks
• Exploiting vulnerabilities in
externally facing systems
• External credential dumps
• Etc.
• If these fail, physical attacks are
required

3. Overview
• Having the right tools in the
physical attack toolkit can
determine success or failure
• Simply “getting in” is not enough
• What happens after one is inside
an organization can make or
break an operation
• We wanted to share what our
physical pentesting go-bags look
like

4. About Us
• Pentesters at Black Hills
Information Security
• Have a number of SANS and
OffSec certs…
• CitySec Meetup Organizers
• CigarCitySec – (Tampa, FL)
• CitrusSec – (Orlando, FL
• TidewaterSec – (Poquoson, VA)
• Avid OWA enthusiasts

5. Go-Bag
Where are we storing our gear?

6. Choose a Quality Bag
• Totally a personal preference
• Weatherproofing
• GoRuck bags are top notch (but a bit expensive)
• Built in USA
• Scars Lifetime Guarantee
• Must comfortably hold all the gear

7. “Remote” Physical Attacks
Sometimes, devices can make their way into organizations

8. USB Drop
• Most employees are “very
concerned” with things like
budgets and payroll
• Dropping USB’s with “sensitive
data” in a parking lot gets shells
• Macro-enabled docs and
spreadsheets are still king
• We are fans on PowerShell
Empire payloads

9. Backdoored Streaming
Media Devices
• People enjoy gifts
• Streaming media devices require
Internet
• Corp WiFi networks seem to be a
good place to plugin new gifts
• So, I backdoored an Amazon Fire
Stick
• It calls back to a C2 server
providing a remote shell

10. Wireless Hacking
Can we attack the network over wireless frequencies?

11. Wireless Gear
• Alfa Cards (AWUS036H)
• Yagi Antenna
• Ubertooth One
• WiFi Pineapple
• HackRF One
• Etc.

12. Gaining Access
Physical Exploitation Methods

13. Get-Out-of-Jail-Free Card
• Probably the most important
thing.
• Needed to ensure your
authorized pentest doesn’t land
you in jail
• But, you can spoof these too
• Change security contact info to
someone on your team

14. Social Engineering
• Simply walking into buildings works sometimes
• The printer really needs paper…
• Having a good ruse is key though
• Tailgating
• Just knocking
• Seriously, this has worked for me.
• Much more in depth topic than can be covered quickly

15. Lock Picks
• Having a good set of lock picks is
a must
• Some quality brands:
• Sparrows
• SouthOrd
• Toool
• Practice, practice, practice
• Shims

16. Bypassing Devices
• Compressed Air
• Under the Door Tool
• Credit card trick
• Whiskey
• Etc.

17. RFID Cloning
• Misplaced belief in the security of RFID access control
• Many types of RFID access devices and protocols
• Can be confusing getting started
• Field usable cloning device examples:
• BLEKey
• ESPKey
• Proxmark3
• Bishop Fox Tastic RFID Theif

18. RFID Access Control
• Consists of a reader that energizes a tag that returns a signal
• Return signal contains encoded information over a protocol
• Common RFID Frequencies
• Low Frequency (LF) – 125KHz
• HID Prox, EM
• High Frequency (HF) – 13.56 MHz
• MiFare, HID iClass
• Wiegand most common format

19. BLEKey
• Physical tap for the Wiegand protocol
• Presented at BlackHat 2015
• Uses Bluetooth Low Energy to communicate
• Sniffed data can be offloaded to an app
• App can replay signal granting access
https://github.com/linklayer/BLEKey

20. ESPKey
• Physical tap that communicates over WiFi
• Presented at Shmoocon 2017
• Implantable Logic Analyzers and Unlocking Doors – Kenny McElroy
• Stands up WiFi hot spot and has a web interface
• Draws power from the card reader
• Not quite for sale yet…
https://archive.org/details/ShmooCon2017

21. Proxmark3 RDV2 Kit
• Portable RFID sniffing/reading/cloning
• Pretend to be a reader or a tag
• Both LF and HF antennae included
• Need to be relatively close to badge
• Can be operated on battery or be powered via USB
• Works with Kali NetHunter

22. Bishop Fox Tastic
• Long range RFID reader
• On your own to replay to card reader
• Targets 125KHz systems such as HID Prox
and Indala Prox
• Code and parts list available for free online
• Uses Arduino and long range card reader
https://www.bishopfox.com/resources/tools/rfid-
hacking/attack-tools/

23. Post Access Exploitation
You’re in. Now what?

24. Pentest Dropbox
• Fully functional pentesting device
• Persistent reverse SSH tunnel
• Can be controlled over WiFi
• Relatively unnoticeable
• ODROID-C2 build instructions
here:
• http://www.blackhillsinfosec.com/
?p=5156

25. NAC Bypass Device
• Layer 2 and 3 NAT – Helps avoid
triggering port security rules on
802.1X
• Insert “between” wall and valid
system
• Device spoofs both sides of wire
• Passively learns MAC addresses
• Current build is a Beaglebone
Black

26. Kon-Boot
• Bypass authentication on many
systems
• Boot to Kon-boot USB or CD
• After getting in you could:
• Dump local hashes
• Add a new admin user
• Get a shell
• Doesn’t work on encrypted HD’s

27. Wi-Fi Keylogger
• Insert between keyboard and PC
• Connects to an AP specified by us
• Retrieve keys from LAN
connection
• Can email a report every hour
• Keys are stored locally as well
• 4 GB of storage
• Hardly noticeable

28. PoisonTap
• Emulates an Ethernet device over
USB
• Intercepts all Internet traffic
• Is able to sniff HTTP cookies and
sessions from the browser
• Can be used
• Can be used on a locked machine

29. LAN Turtle
• “Generic Housing” USB Device that out of the box that provides
• Remote Access
• Network Intelligence
• Man-in-the Middle Monitoring
• Community Module Framework
• Credential grabbing from locked computer
• Thanks @mubix!

30. HID Attack – Rubber Ducky
• USB Human Interface Device (HID) Keyboard Injection Attack Platform
• From HAK5’s Hakshop
• Takes advantage of inherent trust of connected keyboard devices
• Payloads in the form of scripts then encoded to SD card
• Pre-configured payloads available
• Works on most platform

31. Kali NetHunter
• Kali Linux on a mobile device
• Android ROM Overlay
• Builds available for Nexus, OnePlus, as well other devices
• Chroot environment with multiple options from minimal to full Kali installs
• HID Attacks (DuckHunter)
• MANA Evil Access Point
• BadUSB Attacks
• Cost – Variable

32. Kali NetHunter
(Ducky HID Attack)
DEMO!

33. Conclusion
• There’s a lot more to compromising an organization than just getting
in the door… And there is usually more than one door.
• Preparing for different situations before going on-site is a must.
• Include tools in your go-bag to help you succeed in each scenario.
• One last tip:
• Do recon on the target location prior to getting there. Use Google maps to
locate entrances; Use Wigle to determine possible WiFi SSIDs.

34. Gear List
• GoRuck bag
• Get-Out-of-Jail-Free Card
• “Remote” Physical Attack Tools
• USB’s for USB drop
• Backdoored Amazon Fire Stick
• Wireless Gear
• Alfa Cards (AWUS036H)
• Yagi Antenna
• Ubertooth One
• WiFi Pineapple
• HackRF One
• Physical Exploitation Tools
• Lock Picks
• Compressed Air
• Under the Door Tool
• Badge Cloning Devices
• Proxmark3 RDV2
• BLEKey
• ESPKey
• Bishop Fox Tastic RFID Thief
• Post-Access Exploitation
• Pentest Dropbox
• NAC Bypass Device
• Kon-Boot
• Wi-Fi Keylogger
• PoisonTap
• LAN Turtles
• Rubber Duckys
• Post-Access Exploitation Cont.
• Kali Nethunter
• Laptop
• Additional Tools
• Powered Screwdriver
• Flashlight
• Cat-5 Cables
• Battery Packs for mobile
devices
• USB On-The-Go Cable
• Throwing star LAN Tap (or real
throwing stars)

35. Summary and Conclusions
• Black Hills Information Security
• http://www.blackhillsinfosec.com/
• @BHInfoSecurity
• Beau Bullock @dafthack
• Derek Banks @0xderuke
• Questions?