Immunity, Inc. has built a new hand-held penetration testing tool that resembles a PDA, enabling penetration testers to crack enterprise defenses without raising as much suspicion as they did with laptops.
The Linux-based Silica tool -- slightly bigger than a Sidekick PDA -- will ship in October, says David Aitel, CTO of Immunity, who announced the tool today on his message board and on Immunity's website. "The idea is that you [the pen tester] can put it in a pocket and walk around and do what you need to do," he says. Silica supports 802.11 and Bluetooth wireless, as well as a USB connection to Ethernet LANs.
Lugging around a laptop can be tricky for penetration testing and social engineering firms, which often make clandestine visits to their clients in order to test their defenses.
"Rather than [carrying around] laptops, being mobile and moving freely is a big deal, especially when you're trying to punch a hole in a guy's network," says Steve Stasiukonis, vice president and founder of Secure Network Technologies, which performs pen testing and social engineering services. "[Clients] start to wonder why you're in the parking lot all the time," especially when you have to charge a laptop with a dead battery, Stasiukonis says.
Silica is a mini, hardware-based version of Immunity's Canvas penetration testing software, which ships with a variety of exploits and vulnerabilities. Canvas competes with Metasploit, a popular, free penetration testing tool. (See Metasploit 3.0 Makes Splash at Black Hat.)
"With the ability to put Canvas in the palm of your hand, you can do things like sit at Starbucks next to the CEO you're pen-testing," says Aitel.
Canvas can accomplish some of the same exploits with a laptop and wireless card, "but it's difficult to hide, and you'd look like a big dork walking through the room with it," Aitel says.
Silica also lets a pen tester plug into a USB port, ostensibly to copy a file but also to do other types of pen testing on the sly. It currently uses Canvas exploits but will eventually do Bluetooth attacks as well, Aitel says.
Silica can automatically scan all machines on a wireless LAN for file shares and downloads, Aitel says. It also can automatically penetrate a machine and make it connect via HTTP/DNS to an external listening post based on Immunity's Canvas Professional. A pen tester could even leave it on a user's desk, where it can hack into anything, he says.
Immunity hasn't yet set pricing for Silica, and the product is still in beta.
Kelly Jackson Higgins, Senior Editor, Dark Reading