Nikhil Mittal
- SamratAshok
- Twitter - @nikhil_mitt
- Blog – http://labofapenetrationtester.blogspot.com
- Creator of Kautilya
- Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems.
- Previous Talks
  - Clubhack'10, Hackfest'11, Clubhack'11, Black Hat Abu Dhabi'11
- Upcoming Talks
  - Troopers'12, PHDays'12, Hack In Paris'12
  - Training at GrrCON'12
- A typical Pen Test Scenario
- How we are doing it
- Need for new methods to break into systems
- HID anyone?
- Introduction to Teensy
- Basics of Arduino Development Environment (ADE)
- Installing and configuring ADE to use with Teensy
- Understanding the basics of programming using ADE
- Writing Hello World
- Basic usage and programming of Teensy
- Introduction to Kautilya
- Demonstration of Payloads in Kautilya
- Program and perform attacks on a Windows machine
- Program and perform advanced attacks on a Windows machine
- Understanding the structure of, and automation using, Kautilya
- Understanding integration of payloads in Kautilya
- Protection against HID based attacks
- Pen Test Stories
- Limitations
- Future
- Conclusion
- Be as interactive as you can. Query me, ask nasty questions, insult me.
- It is mandatory to laugh at jokes, whether they are on slides or cracked by me.
- We will start slow and then pick up speed. Be patient if you know something; not everybody is as good as you.
- I don't have much theory, so be ready to see demos and source code.
- Make sure you keep your eyes open. You should be able to program your device after this. I will keep checking if everyone is awake ;)
- A client engagement comes with IP addresses.
- We need to complete the assignment in a very restrictive time frame.
- Pressure is on us to deliver a "good" report with some high severity findings. (That "High" returned inside a red colored box)

Vuln Scan -> Exploit -> Report

- This is a best case scenario.
- Only lucky ones find that.
- Generally legacy Enterprise Applications or Business Critical applications are not upgraded and are the first targets.
- There is almost no fun doing it that way.
Enum -> Scan -> Exploit -> Report

Enum + Intel -> Scan -> Exploit -> Post Exp -> Report
- To gain access to the systems.
- This shows the real threat to clients: that we can actually make an impact on their business. No more "so-what" :)
- We can create reports with "High" Severity findings which bring $$$
- Memory Corruption bugs.
  - Server side
  - Client Side
- Mis-configurations
- Open file shares.
- Sticky slips.
- Man In The Middle (many types)
- Unsecured Dumpsters
- Humans
- <Audience>
- Many times we get some vulnerabilities but can't exploit them.
  - No public exploits available.
  - Not allowed on the system.
  - Countermeasure blocking it.
  - Exploit completed but no session was generated :P
- Hardened Systems
- Patches in place
- Countermeasures blocking scans and exploits
- Security incident monitoring and blocking
- No network access

- We need alternatives.
- Bad guys are getting smarter.
- Smart attacks of 2011
  - Sony (ok not so smart :P)
  - RSA (clever attack), chained to Lockheed Martin
  - Epsilon (Spear Phishing)
  - Barracuda Networks (WAF turned off for a little while)
  - Some attacks on India
- Smart attacks of 2010
  - Stuxnet
  - Operation Aurora
- And many more (like Apache in 2009)
- Breaking into systems is not as easy as done in the movies.
- Those defending the systems have become smarter (at many places :P) and it is getting harder to break into "secured" environments.
- Everyone is breaking into systems using the older ways; you need new ways to do it better.
- Wikipedia – "A human interface device or HID is a type of computer device that interacts directly with, and most often takes input from, humans and may deliver output to humans."
- Mice, Keyboards and Joysticks are the most common HIDs.
- What could go wrong?

- A USB Micro-controller device.
- Storage of about 130 KB.
- We will use Teensy++ which is an updated version of Teensy.
- http://www.pjrc.com/teensy/projects.html
- Really cool projects.
- Install Arduino
- Windows Serial Installer (only Windows)
- Install Teensyduino
- Copy the Teensy loader executable into the Arduino directory.
- Detailed with screenshots here: http://www.pjrc.com/teensy/td_download.html
- Make sure to select the correct "Board" and "USB Type" under the Tools menu item.
- If Teensyduino has been installed properly, sketch examples can be found at File->Examples->Teensy
- Almost C++ like syntax is used in ADE
- Two functions are required at minimum
  - setup() which runs whenever Teensy is plugged in or restarted.
  - loop() which keeps running after setup()
- Basic usage and programming of Teensy
- Writing Hello World with Teensy.
DEMO, Source Code and Programming

- It's a toolkit which aims to make Teensy more useful in Penetration Tests.
- Named after Chanakya a.k.a. Kautilya.
- Written in Ruby.
- It's a menu-driven program which lets users select and customize payloads.
- Aims to make Teensy part of every Penetration tester's tool chest.
- Payloads are written for Teensy without an SD Card.
- Pastebin is extensively used, both for uploads and downloads.
- Payloads are commands, PowerShell scripts or a combination of both.
- Payload execution of course depends on the privilege of the user logged in when Teensy is plugged in.
- Payloads are mostly for Windows as the victim of choice generally is a Windows machine. :)
- Adds a user with Administrative privileges on the victim.
- Uses the net user command.

- Changes the default DNS for a connection.
- Utilizes the netsh command.

- Edits the hosts file to resolve a domain locally.

- Enables RDP on the victim machine.
- Starts the service.
- Adds an exception to the Windows firewall.
- Adds a user to the Administrators group.

- Installs Telnet on the victim machine.
- Starts the service.
- Adds an exception to the Windows firewall.
- Adds a user to the Administrators group and the TelnetClients group.

- Starts an invisible instance of Internet Explorer which browses to the given URL.

- Downloads an exe in text format from pastebin, converts it back to an exe and executes it.

- Using registry hacks, calls a user defined executable or command when Shift is pressed 5 times or Win + U is pressed.
- When the system is locked, the called exe is executed in System context.
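The defender's side of the Shift-five-times / Win+U payload just described is to look for the persistence it leaves behind. The script below is an added example, not code from the talk or from Kautilya: run from an elevated PowerShell session, it checks each Windows accessibility helper for an Image File Execution Options "Debugger" redirection and verifies the Authenticode signature of the binary on disk. It goes slightly beyond the slide, which names only sethc.exe and utilman.exe, by covering the other helpers that can be launched from the lock screen; those extra binary names are my addition.

```powershell
# Added example (not from the talk or from Kautilya): hunt for the accessibility
# helper hijack described on the slide. Two indicators are checked per binary:
#   - an Image File Execution Options "Debugger" value, which makes Windows run
#     another program whenever the helper is launched (also at the lock screen,
#     hence as SYSTEM), and
#   - the Authenticode signature of the binary itself, in case it was replaced.
# Needs an elevated PowerShell 5.1+ session; nothing is changed, only reported.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# sethc.exe and utilman.exe are the two named on the slide; the rest share the
# same lock-screen launch path and are included as a generalization.
$AccessibilityBinaries = @(
    'sethc.exe',        # Sticky Keys (Shift x5)
    'utilman.exe',      # Ease of Access (Win+U)
    'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)

function Test-AccessibilityHijack {
    foreach ($bin in $AccessibilityBinaries) {
        # Indicator 1: IFEO Debugger value pointing at a replacement program.
        $ifeoPath = Join-Path $IfeoRoot $bin
        $debugger = (Get-ItemProperty -Path $ifeoPath -Name Debugger -ErrorAction SilentlyContinue).Debugger

        # Indicator 2: the binary in System32 is no longer a valid Microsoft-signed file.
        $file = Join-Path $env:SystemRoot "System32\$bin"
        $sig  = if (Test-Path $file) { Get-AuthenticodeSignature -FilePath $file } else { $null }
        $signedByMs = $sig -and $sig.Status -eq 'Valid' -and
                      $sig.SignerCertificate.Subject -like '*Microsoft*'

        [pscustomobject]@{
            Binary       = $bin
            IfeoDebugger = $debugger
            SignatureOk  = [bool]$signedByMs
            Suspicious   = [bool]$debugger -or -not $signedByMs
        }
    }
}

$findings = Test-AccessibilityHijack
$findings | Format-Table -AutoSize
if ($findings | Where-Object Suspicious) {
    Write-Warning 'Accessibility helper hijack indicators found: remove the Debugger value and restore the binary from a known-good source.'
}
```

The IFEO value is the stronger indicator; a legitimate Windows build never sets a Debugger for these helpers. The signature check is a second opinion for the case where the binary was swapped on disk instead, and on older Windows versions that do not resolve catalog signatures it may report NotSigned for untouched files, so treat it as supporting evidence rather than proof on its own.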
- Uninstalls an msiexec application silently.

- This payload opens up Chrome, launches the Remote Desktop plugin, enters credentials and copies the access key to pastebin.
- This payload operates on the browser window.

- Dumps valuable information from the registry, the net command and the hosts file.

- This payload pulls the sniffer PowerShell script (by Robbie Foust) and executes it on the victim.
- The output is compressed and uploaded to ftp.

- This payload pulls the powerdump script of msf from pastebin, schedules it as a task to run in system context and uploads the hashes to pastebin.

- This payload logs keys and pastes them to pastebin every twenty seconds.
- There is a separate script to parse the output.

- This payload creates a hosted network with a user defined SSID and key.
- It also adds a user to the Administrators and TelnetClients groups.
- It installs and starts telnet and adds it to the Windows firewall exceptions.

- This payload forces the victim to connect to an attacker controlled WiFi AP. The AP in this case is the portable WiFi hotspot on a smartphone.
- Using this, payloads can be pulled either from the smartphone or from the internet via the AP, thus effectively bypassing any internet restriction policies on the system.

- This payload uses the PowerShell code execution script (by Matt from the exploit-monday blog).
- A meterpreter shell is executed completely in memory using this script.

- This payload browses in the background to a URL where the Metasploit Java Signed Applet module is hosted and accepts the run prompt after a few seconds.
- We were doing an internal PT for a large media house.
- The access to the network was quite restrictive.
- The desktops at the Library were left unattended many times.
- Teensy was plugged into one system with a sethc and utilman backdoor.
- Later in the evening the system was accessed and pwnage ensued.

- A telecom company.
- We had to do a perimeter check for the firm.
- The Wireless rogue AP payload was used and Teensy was sold to the client's employees during lunch hours.
- Within a couple of hours, we got a wireless network with an administrative user and telnet ready.

- A pharma company.
- We replaced a user's data card with a Teensy inside the data card's cover.
- The payload selected was Keylogger.
- "Data card" obviously didn't work and we got multiple keylogs for the user and the helpdesk.
- Helpdesk guys had access to almost everything in the environment and over a workday, it was over.
- Use Endpoint Protector 4 :P :P
- Group Policy in Windows which prevents installation of hardware devices.
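The Group Policy mentioned on the slide is the Device Installation Restrictions policy, and it can be audited and applied without a domain. The script below is an added example, not code from the talk or from Kautilya, and it assumes an elevated PowerShell 5.1+ session on Windows 8 or later (for Get-PnpDevice). It does three things a defender would want: inventory the keyboards currently present with their hardware IDs, pull recent Security event 6416 "new external device recognized" records for keyboard-class devices, and, only when asked with -Enforce, write an allow-list of today's keyboards plus the "deny devices not described by other policy" setting, which refuses a driver to any keyboard plugged in later. The event 6416 field names are assumed to follow the standard schema; the slide does not mention them.

```powershell
# Added example (not from the talk or from Kautilya): audit and optionally restrict
# installation of new keyboard-class devices on a Windows host. Built-in cmdlets
# only; the registry values written under Set-KeyboardAllowList are the same ones
# the "Prevent installation of devices not described by other policy settings" and
# "Allow installation of devices that match any of these device IDs" GPO settings use.

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# 1. Inventory: keyboards present right now and the hardware IDs they enumerate with.
function Get-PresentKeyboards {
    Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue | ForEach-Object {
        $hwids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                    -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue).Data
        [pscustomobject]@{
            FriendlyName = $_.FriendlyName
            InstanceId   = $_.InstanceId
            HardwareIds  = @($hwids)
            # A second USB/HID keyboard on a desktop with one physical keyboard is worth a look.
            IsUsb        = ($_.InstanceId -like 'USB\*') -or ($_.InstanceId -like 'HID\*')
        }
    }
}

# 2. Detection: Security event 6416 is written for each newly recognized external device
#    once the audit subcategory is on:  auditpol /set /subcategory:"Plug and Play Events" /success:enable
#    The EventData field names below are assumed from the standard 6416 schema.
function Get-RecentKeyboardArrivals {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ClassName   = $d['ClassName']
                Description = $d['DeviceDescription']
                DeviceId    = $d['DeviceId']
            }
        } | Where-Object { $_.ClassName -in @('Keyboard', 'HIDClass') }
}

# 3. Prevention: allow-list the hardware IDs of the keyboards present today and deny
#    installation of anything not covered by an allow rule. Devices already installed
#    keep working; a keyboard plugged in later is refused a driver.
function Set-KeyboardAllowList {
    param([switch]$Enforce)
    $ids = Get-PresentKeyboards | ForEach-Object { $_.HardwareIds } | Sort-Object -Unique
    if (-not $Enforce) {
        Write-Host "Audit mode; would allow-list:`n  $($ids -join "`n  ")"
        return $ids
    }
    New-Item -Path "$RestrictionsKey\AllowDeviceIDs" -Force | Out-Null
    $i = 1
    foreach ($id in $ids) {
        New-ItemProperty -Path "$RestrictionsKey\AllowDeviceIDs" -Name "$i" -Value $id -PropertyType String -Force | Out-Null
        $i++
    }
    New-ItemProperty -Path $RestrictionsKey -Name 'AllowDeviceIDs'  -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $RestrictionsKey -Name 'DenyUnspecified' -Value 1 -PropertyType DWord -Force | Out-Null
    return $ids
}

Get-PresentKeyboards        | Format-Table -AutoSize
Get-RecentKeyboardArrivals  | Format-Table -AutoSize
Set-KeyboardAllowList       # add -Enforce to write the policy
```

Run it in audit mode first: DenyUnspecified refuses every new device that no allow rule covers, not just keyboards, so any other device classes the host must still accept (storage, printers, docking stations) need their own AllowDeviceClasses or AllowDeviceIDs entries before enforcing. This is the same trade-off the slide's "Group Policy which prevents installation of hardware devices" implies, and it is why the event 6416 trail matters even where the policy is not enforced: it records the plug-in whether or not the driver was installed.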
- Limited storage in Teensy. Resolved if you attach an SD card to Teensy.
- Inability to "read" from the system. You have to assume the responses of the victim OS and there is only one-way traffic.
- Many payloads need Administrative privilege.
- Lots of traffic to and from pastebin.
- Inability to clear itself after a single run.
- Not very stable as it is still a new tool and has not gone through user tests.
- For payloads which use executables you manually need to convert and paste them to pastebin.

- Improvement in current payloads.
- Implementation of SD card.
- Use some payloads as libraries so that they can be reused.
- Support for Non-English keyboards.
- Maybe more Linux payloads.
- Implementation of some new payloads which are under development.
- Please complete the Speaker Feedback Surveys.
- Questions?
- Insults?
- Feedback?

- Kautilya is available at http://code.google.com/p/kautilya/
- Follow me @nikhil_mitt
- http://labofapenetrationtester.blogspot.com/

Red Team Revenge - Attacking Microsoft ATA
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 

Recently uploaded

GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
HarpalGohil4
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
Fwdays
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
DianaGray10
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
Mydbops
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
zjhamm304
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
manji sharman06
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Ukraine
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 

Recently uploaded (20)

GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 

Teensy Programming for Everyone

  • 2. SamratAshok
    - Twitter - @nikhil_mitt
    - Blog – http://labofapenetrationtester.blogspot.com
    - Creator of Kautilya
    - Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems.
    - Previous Talks: Clubhack’10, Hackfest’11, Clubhack’11, Black Hat Abu Dhabi’11
    - Upcoming Talks: Troopers’12, PHDays’12, Hack In Paris’12; Training at GrrCON’12
  • 3.
    - A typical Pen Test Scenario
    - How we are doing it
    - Need for new methods to break into systems
    - HID anyone?
  • 4.
    - Introduction to Teensy
    - Basics of Arduino Development Environment (ADE)
    - Installing and configuring ADE to use with Teensy
    - Understanding the basics of programming using ADE
    - Writing Hello World
    - Basic usage and programming of Teensy
    - Introduction to Kautilya
    - Demonstration of Payloads in Kautilya
    - Program and perform attacks on a Windows machine
    - Program and perform advanced attacks on a Windows machine
    - Understanding the structure of, and automation using, Kautilya
    - Understanding integration of payloads in Kautilya
  • 5.
    - Protection against HID based attacks
    - Pen Test Stories
    - Limitations
    - Future
    - Conclusion
  • 6.
    - Be as interactive as you can. Query me, ask nasty questions, insult me.
    - It is mandatory to laugh at jokes, be they on slides or cracked by me.
    - We will start slow and then pick up speed. Be patient if you know something; not everybody is as good as you.
    - I don’t have much theory, so be ready to see demos and source code.
    - Make sure you keep your eyes open. You should be able to program your device after this. I will keep checking if everyone is awake ;)
  • 7.
    - A client engagement comes with IP addresses.
    - We need to complete the assignment in a very restrictive time frame.
    - Pressure is on us to deliver a “good” report with some high severity findings. (That “High” return inside a red colored box.)
  • 8. Vuln Scan → Exploit → Report
  • 9.
    - This is a best case scenario. Only lucky ones find that.
    - Generally legacy Enterprise Applications or Business Critical applications are not upgraded and are the first targets.
    - There is almost no fun doing it that way.
  • 10. Enum → Scan → Exploit → Report
  • 11. Enum + Intel → Scan → Exploit → Post Exp → Report
  • 12.
    - To gain access to the systems.
    - This shows the real threat to clients: that we can actually make an impact on their business. No more “so-what”.
    - We can create reports with “High” Severity findings which bring $$$.
  • 13.
    - Memory Corruption bugs: Server side, Client Side
    - Mis-configurations
    - Open file shares
    - Sticky slips
    - Man In The Middle (many types)
    - Unsecured Dumpsters
    - Humans
    - <Audience>
  • 14.
    - Many times we get some vulnerabilities but can’t exploit them.
    - No public exploits available.
    - Not allowed on the system.
    - Countermeasure blocking it.
    - Exploit completed but no session was generated :P
  • 15.
    - Hardened Systems
    - Patches in place
    - Countermeasures blocking scans and exploits
    - Security incident monitoring and blocking
    - No network access
    - We need alternatives.
  • 16.
  • 17.
  • 18.
    - Bad guys are getting smarter.
    - Smart attacks of 2011: Sony (ok, not so smart :P); RSA (clever attack), chained to Lockheed Martin; Epsilon (Spear Phishing); Barracuda Networks (WAF turned off for a little while); some attacks on India.
    - Smart attacks of 2010: Stuxnet; Operation Aurora.
    - And many more (like Apache in 2009).
  • 19.
    - Breaking into systems is not as easy as done in the movies.
    - Those defending the systems have become smarter (at many places :P) and it is getting harder to break into “secured” environments.
    - Everyone is breaking into systems using the older ways; you need new ways to do it better.
  • 20.
    - Wikipedia – “A human interface device or HID is a type of computer device that interacts directly with, and most often takes input from, humans and may deliver output to humans.”
    - Mice, Keyboards and Joysticks are the most common HID.
    - What could go wrong?
  • 21.
    - A USB micro-controller device.
    - Storage of about 130 KB.
    - We will use Teensy++, which is an updated version of Teensy.
  • 22.
  • 23.
    - http://www.pjrc.com/teensy/projects.html
    - Really cool projects.
  • 24.
    - Install Arduino
    - Windows Serial Installer (only Windows)
    - Install Teensyduino
    - Copy the Teensy loader executable into the Arduino directory.
    - Detailed with screenshots here: http://www.pjrc.com/teensy/td_download.html
  • 25.
    - Make sure to select the correct “Board” and “USB Type” under the Tools menu item.
    - If Teensyduino has been installed properly, sketch examples can be found at File->Examples->Teensy
  • 26.
    - Almost C++ like syntax is used in ADE.
    - Two functions are required at minimum:
      - setup(), which runs whenever Teensy is plugged in or restarted.
      - loop(), which keeps running after setup().
    - Basic usage and programming of Teensy.
    - Writing Hello World with Teensy.
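The Hello World sketch described on slide 26, as an added example that is not part of the original deck and not code from Kautilya. It assumes Teensyduino is installed, Tools -> Board is set to Teensy++ 2.0 and Tools -> USB Type is set to a Keyboard type; pin 6 as the on-board LED of the Teensy++ 2.0 is also an assumption (the Teensy 2.0 uses pin 11).

```arduino
// Added example, not from the original slides or from Kautilya.
// Assumptions: Teensyduino installed, Board = Teensy++ 2.0,
// USB Type = Keyboard (+ Mouse + Joystick). Pin 6 is assumed to be the
// on-board LED of the Teensy++ 2.0 (Teensy 2.0 would use pin 11).

const int LED_PIN = 6;
bool greeted = false;   // set once the text has been typed

// setup() runs exactly once, when the board is plugged in or reset.
void setup() {
  pinMode(LED_PIN, OUTPUT);
  digitalWrite(LED_PIN, HIGH);
  // Give the host time to enumerate the new USB keyboard before typing;
  // keystrokes sent before enumeration finishes are simply lost.
  delay(2000);
}

// loop() is called again and again after setup() returns. Without the
// flag the text would be typed endlessly, which is the most common
// first-sketch mistake.
void loop() {
  if (!greeted) {
    Keyboard.println("Hello World from Teensy++");
    greeted = true;
  }
  // Heartbeat: shows that the device is alive and loop() is still running.
  digitalWrite(LED_PIN, HIGH);
  delay(500);
  digitalWrite(LED_PIN, LOW);
  delay(500);
}
```

Whatever window has keyboard focus when the device enumerates receives the text, which is also the first thing a defender notices about the technique: to the host the board is just another keyboard.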
  • 27. DEMO, Source Code and Programming
  • 28.
    - It’s a toolkit which aims to make Teensy more useful in Penetration Tests.
    - Named after Chanakya a.k.a. Kautilya.
    - Written in Ruby.
    - It’s a menu driven program which lets users select and customize payloads.
    - Aims to make Teensy part of every Penetration tester’s tool chest.
  • 29.
    - Payloads are written for Teensy without SD Card.
    - Pastebin is extensively used, both for uploads and downloads.
    - Payloads are commands, PowerShell scripts or a combination of both.
    - Payload execution of course depends on the privilege of the user logged in when Teensy is plugged in.
    - Payloads are mostly for Windows, as the victim of choice generally is a Windows machine.
  • 30.
    - Adds a user with Administrative privileges on the victim.
    - Uses the net user command.
  • 31.
    - Changes the default DNS for a connection.
    - Utilizes the netsh command.
  • 32. Edits the hosts file to resolve a domain locally.
  • 33.
    - Enables RDP on the victim machine.
    - Starts the service.
    - Adds an exception to Windows firewall.
    - Adds a user to the Administrators group.
  • 34.
    - Installs Telnet on the victim machine.
    - Starts the service.
    - Adds an exception to Windows firewall.
    - Adds a user to the Administrators group and the TelnetClients group.
  • 35. Starts an invisible instance of Internet Explorer which browses to the given URL.
  • 36. Downloads an exe in text format from pastebin, converts it back to an exe and executes it.
  • 37.
    - Using registry hacks, calls a user defined executable or command when Shift is pressed 5 times or Win + U is pressed.
    - When the system is locked, the called exe is executed in the System context.
  • 38. Uninstalls an msiexec application silently.
  • 39.
    - This payload opens up Chrome, launches the Remote Desktop plugin, enters credentials and copies the access key to pastebin.
    - This payload operates on a browser window.
  • 40. Dumps valuable information from the registry, the net command and the hosts file.
  • 41.
    - This payload pulls the sniffer PowerShell script (by Robbie Foust) and executes it on the victim.
    - The output is compressed and uploaded to FTP.
  • 42.
  • 43. This payload pulls the powerdump script of msf from pastebin, schedules it as a task to run in the system context and uploads the hashes to pastebin.
  • 44.
    - This payload logs keys and pastes them to pastebin every twenty seconds.
    - There is a separate script to parse the output.
  • 45.
    - This payload creates a hosted network with a user defined SSID and key.
    - It also adds a user to the Administrators and TelnetClients groups.
    - It installs and starts Telnet and adds it to the Windows firewall exceptions.
  • 46.
    - This payload forces the victim to connect to an attacker controlled WiFi AP. The AP in this case is the portable WiFi hotspot on a smartphone.
    - Using this, payloads can be pulled either from the smartphone or from the internet via the AP, thus effectively bypassing any internet restriction policies on the system.
  • 47.
    - This payload uses the PowerShell code execution script (by Matt from the exploit-monday blog).
    - A meterpreter shell is executed completely in memory using this script.
  • 48. This payload browses in the background to a URL where the Metasploit Java Signed Applet module is hosted and accepts the run prompt after a few seconds.
  • 49.
    - We were doing an internal PT for a large media house.
    - Access to the network was quite restrictive.
    - The desktops at the Library were left unattended many times.
    - Teensy was plugged into one system with a sethc and utilman backdoor.
    - Later in the evening the system was accessed and pwnage ensued.
  • 50.
    - A telecom company.
    - We had to do a perimeter check for the firm.
    - The Wireless rogue AP payload was used and Teensy was sold to the client’s employees during lunch hours.
    - Within a couple of hours, we got a wireless network with an administrative user and Telnet ready.
  • 51.
    - A pharma company.
    - We replaced a user’s data card with a Teensy inside the data card’s cover.
    - The payload selected was Keylogger.
    - The “data card” obviously didn’t work and we got multiple keylogs for the user and the helpdesk.
    - Helpdesk guys had access to almost everything in the environment and over a workday, it was over.
  • 52.
    - Use Endpoint Protector 4 :P :P
    - Group Policy in Windows which prevents installation of hardware devices.
  • 53.
    - Limited storage in Teensy. Resolved if you attach an SD card to Teensy.
    - Inability to “read” from the system. You have to assume the responses of the victim OS; traffic is one way only.
  • 54.
    - Many payloads need Administrative privilege.
    - Lots of traffic to and from pastebin.
    - Inability to clear itself after a single run.
    - Not very stable as it is still a new tool and has not gone through user tests.
    - For payloads which use executables you manually need to convert and paste them to pastebin.
  • 55.
    - Improvement in current payloads.
    - Implementation of SD card.
    - Use some payloads as libraries so that they can be reused.
    - Support for non-English keyboards.
    - Maybe more Linux payloads.
    - Implementation of some new payloads which are under development.
  • 56.
    - Please complete the Speaker Feedback Surveys.
    - Questions? Insults? Feedback?
    - Kautilya is available at http://code.google.com/p/kautilya/
    - Follow me @nikhil_mitt
    - http://labofapenetrationtester.blogspot.com/