Tech Insight: Three Hardware Tools For Physical Penetration Testing
How to hack yourself like a social engineer
John Sawyer, Contributing Editor
Dark Reading
September 02, 2011
Social engineering is an attacker's most effective weapon -- Kevin Mitnick's newly released memoirs are a testament to that fact. In a physical penetration test, the attacker's goal is to get inside of your facilities and gain access to the sensitive data; often, leveraging social engineering tactics is the key to doing so. The data the attacker is after is sometimes sitting on a CEO's desk, locked in a filing cabinet, or stored on an internal file server.
More often than not, the goal is to gain access to the network, but it's not always practical to carry a laptop or expect to have more than a few minutes to plug in to the network, then scan, attack, and make off with the crown jewels. Instead, attackers will plug in a small wireless access point, a wireless router with custom firmware, or a specially designed drop box like the Pwn Plug -- all of which are designed to facilitate remote access into the target's internal network.
When planning a penetration test, the purpose is to emulate the same types of attacks that a real attacker might carry out. The physical security side of the testing can be a lot of fun and a bit nerve-wracking, so it's important to have your hardware ready to go and tested before going on site.
There are several hardware options that someone performing a physical penetration test can use once inside the target facility. Some were never designed for the express purpose of breaking into a corporate network, but others were built commercially with that sole purpose in mind. No matter the original intent of the device, the penetration tester's intent is the same: get into the building, plug the device into the network, and get out.
The first and often cheapest option is simply a wireless access point or wireless router. There are a plethora of models to choose from, but the best choices are those that can be reflashed, or reprogrammed, with custom firmware, like OpenWRT or DD-WRT. Those firmware options allow full access to the underlying Linux system for configuration and can be fully customized with penetration-testing tools. Some examples include nmap, netcat, and even the Metasploit Framework; however, the latter is not recommended due to underpowered CPUs and limited memory in these devices.
What's great about choosing a wireless access point or wireless router is that these devices come in all different sizes. Some are smaller than a deck of cards, making them incredibly easy to conceal. There have been numerous "hacks" to make them easier to deploy, from powering them off battery packs or USB ports to adding storage through USB flash drives and SD cards. Dark Reading contributing blogger Steve Stasiukonis has an excellent example of a physical penetration test that pairs social engineering with a wireless access point in "Using HVAC To Set Up A Hack."
A second option is to use a laptop, preferably as small as possible to avoid detection. A laptop is generally more expensive and more conspicuous, but it has far more power to run penetration-testing tools like the Metasploit Framework or Core IMPACT. Laptops share a benefit with wireless access points in that they have both wireless and wired interfaces. The wired Ethernet port can be plugged into the target's network jack, and the wireless interface can be configured so the tester can connect in from outside the building, for example from the parking lot.
So how does a penetration tester connect in once his attack device has been deployed? The obvious method in the previous two device examples is via wireless.
Another method is to include the ability for the device to "phone home" once it is plugged into the target network. The easiest method is some type of SSH connection out to a system the penetration tester controls. Using SSH reverse tunnels, the tester can then connect back into the device and perform scans and attacks against the internal network. Creating an automatic SSH reverse tunnel is possible on the wireless devices mentioned above and on the laptop. There are many "how to" articles available online, like this one, to help you get started in case you're not familiar with the concept.
GSM or CDMA cellular connections using the many USB adapters available on the market also work. Plug in the laptop or "drop box," like the Pwn Plug, into the network and let it phone home via the cellular connection. The device is now practically invisible on the network (if configured properly) because it isn't attempting to make connections through the target's network, and very few target environments would have the capability to detect the cellular connection. The tester can now ride the cell connection back into the internal network unnoticed.
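The article notes that a drop box phoning home over SSH can look like any other host, and that a cellular uplink is practically invisible to the network. The following is an added defensive illustration, not code from the article or from Pwnie Express; it checks two constructed inputs, a DHCP lease table against a constructed asset inventory of known MACs (which catches a rogue device regardless of how it phones home) and a constructed firewall connection log for outbound SSH from unapproved hosts or sessions held open for hours, the signature of a reverse tunnel. The log formats, addresses and inventory are invented for this example.

```python
"""Added example (not from the article): flag devices that behave like a
drop box plugged into the LAN.  All inputs below are constructed."""
from datetime import datetime

KNOWN_MACS = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"}   # constructed asset inventory
APPROVED_SSH_SOURCES = {"10.0.5.10"}                        # constructed: the one sanctioned jump host

# Constructed DHCP lease records: date time 'lease' ip mac hostname ('-' if none)
DHCP_LEASES = """\
2011-09-02 09:14:03 lease 10.0.5.10 00:1a:2b:3c:4d:01 it-ws-01
2011-09-02 09:20:41 lease 10.0.5.77 c8:3a:35:aa:bb:cc -
2011-09-02 09:21:10 lease 10.0.5.11 00:1a:2b:3c:4d:02 acct-ws-04
"""

# Constructed egress firewall log: date time OUT key=value fields
FW_LOG = """\
2011-09-02 09:21:02 OUT src=10.0.5.77 dst=203.0.113.9 dport=22 proto=tcp state=NEW
2011-09-02 09:30:15 OUT src=10.0.5.10 dst=192.0.2.15 dport=22 proto=tcp state=NEW
2011-09-02 14:21:02 OUT src=10.0.5.77 dst=203.0.113.9 dport=22 proto=tcp state=ESTABLISHED
"""


def unknown_devices(leases):
    """Return (ip, mac) for every lease whose MAC is not in the inventory."""
    found = []
    for line in leases.splitlines():
        _date, _time, _kw, ip, mac, _host = line.split()
        if mac.lower() not in KNOWN_MACS:
            found.append((ip, mac))
    return found


def suspicious_ssh(fw_log, unknown_ips, min_hours=1.0):
    """Sources with outbound SSH from an unapproved or unknown host, or with a
    session still established at least min_hours after it was first seen."""
    first_seen, flagged = {}, set()
    for line in fw_log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[3:])
        if fields.get("dport") != "22":
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        src = fields["src"]
        if src not in APPROVED_SSH_SOURCES or src in unknown_ips:
            flagged.add(src)
        first_seen.setdefault(src, ts)
        if (ts - first_seen[src]).total_seconds() >= min_hours * 3600:
            flagged.add(src)
    return sorted(flagged)


def report():
    unknown = unknown_devices(DHCP_LEASES)
    return {"unknown_devices": unknown,
            "ssh_sources": suspicious_ssh(FW_LOG, {ip for ip, _ in unknown})}
```

Only the inventory check would catch a device that phones home over cellular, since that traffic never crosses the egress firewall; that is why the two checks are combined rather than relying on the SSH log alone.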
A third hardware option for penetration testing is a custom hardware drop box that has been designed with pen testing in mind. The idea has come up many times over the years about how it would be cool to create one based on the plethora of microcomputing platforms available, like the Sheevaplug, but few public projects exist for doing so. The Pwn Plug from Pwnie Express is the first publicly available drop box designed with physical penetration testing in mind.
With more computing power than most wireless routers but much less than a laptop, the Pwn Plug comes in a small form factor that can be easily disguised as a power adapter for a printer. The different models available include wired Ethernet ports, wireless, and cellular modem capabilities, making it a versatile device. You could walk into your target's facility, pretend to be the copier repairperson, and deploy one of these with ease -- making it an attractive option if you don't want to take the do-it-yourself approach.
Physical security is an important aspect of any company's security program, but its impact on internal network security is often overlooked. The typical impression is that physical security is there to prevent someone from stealing physical property, but as the hardware options for physical penetration testing show, it's even easier to make off with the digital goods.