MERE PAAS TEENSY HAI
OR
COMPROMISING A HIGHLY SECURE ENVIRONMENT PART 2

Nikhil Mittal (SamratAshok)
ABOUT ME
 SamratAshok
 Twitter - @nikhil_mitt
 Penetration Tester with PwC India
 I am interested in Offensive Information Security,
  new attack vectors and methodologies to pwn
  systems.
 Creator of Kautilya and Maareech
 Previous Talks
       Ultimate Pen Testing: Compromising a highly secure
        environment Clubhack’10
       Here are your Keystrokes Hackfest’11
   Upcoming Talks
       Kautilya: Teensy beyond shell Blackhat Abu Dhabi’11
OVERVIEW
 Why the Title?
 Current State of Pentesting
 Questions being raised to us
 The answer to the questions
 What’s done
 What we will do
 Limitations
 Future
 Conclusion
WHY THE TITLE?
 What I told the ClubHack team:
      I talked about compromising a highly secure
       environment last year, let’s continue with the pwnage!!
      Thanks to the team for buying that and allowing me to
       speak.


   The real reason:
A TYPICAL PEN TEST SCENARIO

 A client engagement comes with a list of IP addresses.
 We need to complete the assignment in a very
  restrictive time frame.
 Pressure is on us to deliver a “good” report with
  some high-severity findings (that “High” rating
  inside a red-coloured box).
CURRENT STATE OF PENTESTING

 Vuln Scan -> Exploit -> Report

 This is the best-case scenario.
 Only the lucky ones find that.
 Generally, legacy enterprise applications or
  business-critical applications are not upgraded.
 There is almost no fun doing it that way.
SOME OF US DO IT BETTER

 Enum -> Scan -> Exploit -> Report
SOME OF US DO IT EVEN BETTER

 Enum + Intel -> Scan -> Exploit -> Post Exp -> Report
WHY DO WE NEED TO EXPLOIT?
 To gain access to the systems.
 It shows clients the real threat: that we can
  actually make an impact on their business. No more
  “so what?” 
 We can create reports with “High” severity findings.

 <Audience>

 <Audience>
WHAT DO WE EXPLOIT?
   Memory Corruption bugs.
       Server side
       Client Side
 Humans
 Mis-configurations

 Design Problems

 <Audience>

 <Audience>
QUESTIONS BEING RAISED TO US
 Many times we find vulnerabilities but can’t
  exploit them.
      No public exploits available.
      Not allowed on the system.
      Countermeasure blocking it.
      Exploit completed but no session was generated :P

   Kya hai tumhare paas? (What have you got?)
QUESTIONS BEING RAISED TO US
 Hardened systems
 Patches in place
 Countermeasures blocking scans and exploits
 Security incident monitoring and blocking

   Kya hai tumhare paas? (What have you got?)
QUESTIONS BEING RAISED TO US
 Just a bad day.
 Exploit completed but no session was generated :P

   Kya hai tumhare paas? (What have you got?)
ALTERNATIVES
 Open file shares.
 Sticky slips.
 Social engineering attacks.
 Man-in-the-middle (many types).
 SMB relay.

 <Audience>

 <Audience>
THE ANSWER TO THE QUESTIONS
TEENSY
 A USB micro-controller device.
 We will use Teensy++, which is a newer version of
  Teensy.
 Available for $24 from pjrc.com

   Mere paas Teensy hai (I have a Teensy)
USING TEENSY
 Find an unattended system and insert the Teensy
  into a USB port.
 Fool your victim by disguising it as a mouse, USB
  toy, thumb drive, etc.
 Generally Teensy needs just a minute to complete
  the job.
 You can program it according to your needs.
 Undetected and unblocked, Teensy works great for
  popping shells.
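The “undetected and unblocked” claim is where a defender can push back: the Teensy payloads here work by typing, so the device enumerates to the host as a USB HID keyboard, and an extra keyboard-class device is visible to the operating system. The inventory check below is an added example for this talk, not code from the talk or from Kautilya; it assumes Windows 8 / Server 2012 or later, where the Get-PnpDevice cmdlet is available.

```powershell
# Added defender-side check (not part of the talk): list every keyboard-class
# device Windows currently sees, with its USB vendor/product id, so that an
# unexpected extra "keyboard" such as a Teensy can be spotted and investigated.
# Assumes Windows 8 / Server 2012 or later (Get-PnpDevice, PnpDevice module).

function Get-KeyboardInventory {
    Get-PnpDevice -Class Keyboard -PresentOnly |
        ForEach-Object {
            # InstanceId looks like HID\VID_XXXX&PID_YYYY&MI_00\7&...; PS/2 and
            # virtual keyboards carry no VID/PID and are reported with blanks.
            $vendor = $null; $product = $null
            if ($_.InstanceId -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
                $vendor = $Matches[1]; $product = $Matches[2]
            }
            [pscustomobject]@{
                Name       = $_.FriendlyName
                Status     = $_.Status
                Bus        = ($_.InstanceId -split '\\')[0]   # HID, ACPI, ...
                VendorId   = $vendor
                ProductId  = $product
                InstanceId = $_.InstanceId
            }
        }
}

$keyboards = Get-KeyboardInventory
$keyboards | Format-Table Name, Status, Bus, VendorId, ProductId -AutoSize

# A desktop normally exposes one physical keyboard. Anything beyond the known
# baseline for this host (compare against a clean inventory taken earlier)
# deserves a look at who plugged it in and when.
$usbKeyboards = @($keyboards | Where-Object { $_.VendorId })
if ($usbKeyboards.Count -gt 1) {
    Write-Warning ("{0} USB keyboard-class devices present; review the list above." -f $usbKeyboards.Count)
}
```

Laptops and KVM setups legitimately show more than one keyboard entry, so treat the count as a prompt to compare against a baseline of the same host, not as a verdict on its own.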
WHAT’S DONE
 Arduino-based attack vector in the Social-Engineer
  Toolkit by David Kennedy
 Contains some really awesome payloads.
 Almost all payloads are for popping shells.
WHAT WE WILL DO
 Teensy can be used for much more than popping
  shells.
 It can be used to perform pre- and post-exploitation.
 We will have a detailed look at some of these
  payloads and will understand how to create
  payloads as per our needs.
DESCRIPTION OF PAYLOADS
 More for Windows, as desktops are generally based
  on Windows.
 Payloads vary from one-line commands to powerful
  scripts.
 If you know PowerShell scripting, the payloads will
  make more sense and will be easier to customise.
DEMO
WINDOWS USER ADD
THANK YOU
DEFAULT DNS
EDIT HOSTS FILE
ENABLE RDP
BUT
 What if even Teensy doesn’t work, with the other
  options already exhausted?
 What if the USB ports have been ripped off?
 Would it be impossible to pwn such an environment?
ENABLE TELNET
FORCEFUL BROWSING
DOWNLOAD AND EXECUTE
SETHC AND UTILMAN BACKDOOR
UNINSTALL APPLICATION
REGISTRY EXPORT
TWEET
HASHDUMP
CODE EXECUTION
KEYLOGGING
LIMITATIONS
 Limited storage on the Teensy. Resolved if you attach
  an SD card to the Teensy.
 Inability to “read” from the system. The traffic is
  one-way only, so you have to assume how the victim
  OS will respond.
FUTURE
 Kautilya
 Improvements to the current payloads.
 New payloads for non-traditional shells.
 Dropping executables using additional storage
  (already done).
CONCLUSION
 Used wisely, Teensy can serve as a complete
  penetration-testing device, though with its own
  limitations.
 It’s a cheap device, so use it.
 Please use Kautilya and give feedback after it is
  released.

   Mere paas Teensy hai (I have a Teensy)
THANK YOU
 Questions?
 Insults?
 Feedback?
