ClubHack 2011 Hacking and Security Conference. Talk - Mere Paas Teensy Hai. Speaker - Nikhil Mittal
MERE PAAS TEENSY HAI (I have Teensy)
OR
COMPROMISING A HIGHLY SECURE ENVIRONMENT PART 2
Nikhil Mittal (SamratAshok)
ABOUT ME
SamratAshok
Twitter - @nikhil_mitt
Penetration Tester with PwC India
I am interested in Offensive Information Security, new attack vectors and methodologies to pwn systems.
Creator of Kautilya and Maareech
Previous Talks
Ultimate Pen Testing: Compromising a highly secure environment - ClubHack’10
Here are your Keystrokes - Hackfest’11
Upcoming Talks
Kautilya: Teensy beyond shell - Blackhat Abu Dhabi’11
OVERVIEW
Why the Title?
Current State of Pentesting
Questions being raised to us
The answer to the questions
What’s done
What we will do
Limitations
Future
Conclusion
WHY THE TITLE?
What I told the ClubHack team:
I talked about compromising a highly secure environment last year, let’s continue with the pwnage!!
Thanks to the team for buying that and allowing me to speak.
The real reason:
A TYPICAL PEN TEST SCENARIO
A client engagement comes with IP addresses.
We need to complete the assignment in a very restrictive time frame.
Pressure is on us to deliver a “good” report with some high severity findings. (That “High” appearing inside a red colored box)
CURRENT STATE OF PENTESTING
Vuln Scan -> Exploit -> Report
This is the best case scenario.
Only the lucky ones get that.
Generally legacy Enterprise Applications or Business Critical applications are not upgraded.
There is almost no fun doing it that way.
SOME OF US DO IT BETTER
Enum -> Scan -> Exploit -> Report
SOME OF US DO IT EVEN BETTER
Enum + Intel -> Scan -> Exploit -> Post Exp -> Report
WHY DO WE NEED TO EXPLOIT?
To gain access to the systems.
This shows the real threat to clients: that we can actually make an impact on their business. No more “so-what”.
We can create reports with “High” Severity findings.
<Audience>
WHAT DO WE EXPLOIT?
Memory Corruption bugs.
Server side
Client Side
Humans
Mis-configurations
Design Problems
<Audience>
QUESTIONS BEING RAISED TO US
Many times we find vulnerabilities but can’t exploit them.
No public exploits available.
Not allowed on the system.
Countermeasure blocking it.
Exploit completed but no session was generated :P
Kya hai tumhare paas? (What have you got?)
QUESTIONS BEING RAISED TO US
Hardened Systems
Patches in place
Countermeasures blocking scans and exploits
Security incident monitoring and blocking
Kya hai tumhare paas? (What have you got?)
QUESTIONS BEING RAISED TO US
Just a bad day.
Exploit completed but no session was generated :P
Kya hai tumhare paas? (What have you got?)
ALTERNATIVES
Open file shares.
Sticky slips.
Social Engineering attacks.
Man In The Middle (many types)
SMB Relay
<Audience>
THE ANSWER TO THE QUESTIONS
TEENSY
A USB micro-controller device.
We will use Teensy++, which is a newer version of Teensy.
Available for $24 from pjrc.com
Mere paas Teensy hai (I have Teensy)
USING TEENSY
Find an unattended system and insert the Teensy device into a USB port.
Fool your victim by disguising it as a mouse, USB toy, thumb drive, etc.
Generally Teensy needs just a minute to complete the job.
You can program it according to your needs.
Undetected and unblocked, Teensy works great for popping shells.
WHAT’S DONE
Arduino-based attack vector in the Social-Engineer Toolkit by David Kennedy.
Contains some really awesome payloads.
Almost all payloads are for popping shells.
WHAT WE WILL DO
Teensy can be used for much more than popping shells.
It can be used to perform pre- and post-exploitation.
We will have a detailed look at some of these payloads and will understand how to create payloads as per our needs.
DESCRIPTION OF PAYLOADS
Mostly for Windows, as desktops are generally Windows-based.
Payloads vary from one-line commands to powerful scripts.
If you know PowerShell scripting, the payloads will make more sense and will be easier to customize.
DEMO
WINDOWS USER ADD
DEFAULT DNS
EDIT HOSTS FILE
ENABLE RDP
BUT
What if even Teensy doesn’t work, with the other options already not working?
What if the USB ports are ripped off?
Would it be impossible to pwn such an environment?
ENABLE TELNET
FORCEFUL BROWSING
DOWNLOAD AND EXECUTE
SETHC AND UTILMAN BACKDOOR
UNINSTALL APPLICATION
REGISTRY EXPORT
TWEET
HASHDUMP
CODE EXECUTION
KEYLOGGING
LIMITATIONS
Limited storage on the Teensy. Resolved if you attach an SD card to the Teensy.
Inability to “read” from the system. You have to assume the responses of the victim OS; the traffic is one-way only.
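The USING TEENSY and LIMITATIONS slides together state the defender's problem: the host sees an ordinary keyboard, and the payload is typed blind, one-way, at whatever cadence the sketch was programmed with. The following is an added example written for this page (it is not code from the talk, from Kautilya or from SET) of a keystroke-cadence heuristic that flags bursts which are long, fast and metronomic. It assumes an endpoint agent or keyboard filter already delivers a stream of (timestamp_ms, key) events for one console session; the sample session is constructed inline and is not a capture from a real host.

```python
"""Keystroke-cadence heuristic for spotting injected (scripted) typing.

Added example for this page; not Kautilya, SET or any Teensy sketch.
Assumption: an agent already supplies (timestamp_ms, key) events for a
session. The sample below is constructed, not captured from a real host.
"""
import random
from statistics import mean, pstdev


def _human_burst(start_ms, text, seed=7):
    """Constructed human typing: irregular 80-250 ms gaps between keys."""
    rng = random.Random(seed)
    events, t = [], start_ms
    for ch in text:
        events.append((t, ch))
        t += rng.randint(80, 250)
    return events


def _scripted_burst(start_ms, text, gap_ms=5):
    """Constructed device typing: a fixed, sub-human gap between keys."""
    return [(start_ms + i * gap_ms, ch) for i, ch in enumerate(text)]


# Constructed sample session: a person types a sentence, the console sits
# idle, then 40 keys arrive at a constant 5 ms cadence, the shape of a
# one-way HID payload that cannot read the screen and so never waits.
SAMPLE_EVENTS = (
    _human_burst(0, "hello world, this is a test")
    + _scripted_burst(10_000, "abcdefgh" * 5)
)


def intervals(events):
    """Gaps (ms) between consecutive keystrokes."""
    return [b[0] - a[0] for a, b in zip(events, events[1:])]


def split_bursts(events, idle_ms=1000):
    """Cut the stream into bursts wherever the keyboard is idle > idle_ms."""
    bursts, current = [], []
    for ev in events:
        if current and ev[0] - current[-1][0] > idle_ms:
            bursts.append(current)
            current = []
        current.append(ev)
    if current:
        bursts.append(current)
    return bursts


def looks_injected(burst, min_keys=20, max_mean_ms=30.0, max_cv=0.2):
    """True when a burst is long, fast and metronomic.

    Thresholds are illustrative assumptions: min_keys screens out a stray
    key-roll, max_mean_ms sits far below sustained human typing, and the
    coefficient of variation (std/mean) catches the near-zero jitter of a
    fixed programmed delay.
    """
    if len(burst) < min_keys:
        return False
    gaps = intervals(burst)
    m = mean(gaps)
    if m > max_mean_ms:
        return False
    cv = pstdev(gaps) / m if m > 0 else 0.0
    return cv <= max_cv


def scan(events, **thresholds):
    """One summary record per burst; 'flagged' marks suspected injection."""
    report = []
    for burst in split_bursts(events):
        gaps = intervals(burst)
        report.append({
            "start_ms": burst[0][0],
            "keys": len(burst),
            "mean_gap_ms": round(mean(gaps), 1) if gaps else None,
            "flagged": looks_injected(burst, **thresholds),
        })
    return report


if __name__ == "__main__":
    for rec in scan(SAMPLE_EVENTS):
        print(rec)
```

Running it prints one record per burst: the human sentence is not flagged, the 40-key run at a constant 5 ms gap is. A timing heuristic is only one signal, since a device programmed with randomised delays will not trip it, so pair it with an inventory alert on a second keyboard appearing on a host and with a policy restricting which USB device IDs may be installed.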
FUTURE
Kautilya
Improvement in current payloads.
New payloads for non-traditional shells.
Dropping executables using additional storage (already done).
CONCLUSION
If used wisely, Teensy can be used as a complete penetration testing device, though with its own limitations.
It’s a cheap device, so use it.
Please use Kautilya and give feedback after it is released.
Mere paas Teensy hai (I have Teensy)
THANK YOU
Questions?
Insults?
Feedback?