Wednesday, July 17, 2013

Tales from consulting, part I

Mark and I just returned from a long consulting engagement, at 3 weeks on site it was one of the longer (if not the longest) trips I've taken for Immunity. I'd like to share a few things that worked, didn't work and that I would change. There will probably be a number of these posts in the future from both Mark and I.

Physical Pen-testing:

1) Simple is better. One of our tasks was to try and get into some restricted areas by posing as someone else. We made a modest investment in clothing and equipment so that I could try and blend in. While this was successful to a certain degree what ended up working best was just being what I was, an IT guy. Throw in a Fluke network tester and a keyboard as a prop and you're set to go.

2) Badges? Our client was using badges which required mutual authentication and would have been difficult to clone with the equipment we had on hand. So we took some high resolution pictures of legitimate badges, used some photoshop wizardry (courtesy of Mark), printed it out on sticker paper and created a new "badge". Any time I had to get into some place I shouldn't have been simply asking someone near by to buzz me in because my badge was "bent" worked like a charm. If you do these kind of gigs regularly investing in a card printer may be worth your while if you expect a high level of scrutiny.

3) Physical keyloggers are ridiculously effective. I'd used USB keyloggers before but they always surprise me with just how useful they are. We planted ours in conference rooms and general computing facilities and wound up with almost 40 sets of credentials over a two week period from just 4 devices. A tool like the Power Pwn would've been very nice to have as well.

4) A quick and silent way to take photos. I learned that the camera clicking noise my phone makes can not be silenced. Dave suggested some sort of slim video recording device we could attach to ourselves but I wasn't impressed with the resolution of the devices I looked at. A small, high resolution, quick shooting camera would be ideal.

5) Have a story for why you're there. One ruse I used was that one of my coworkers from the IT department had misplaced a piece of equipment in this general area over the previous week. I would ask the secretary or anyone close to the entrance if I could poke around to see if I could spot it. This got me anywhere I wanted to go, including locked conference rooms. The pretense of repairing conference room keyboards (and showing my keyboard prop) also got me out of a number of surprise visits from people coming in to use the room.

6) Don't over think it. Unless you're getting into a datacenter or an IBM campus to most people technology is magic and you can use that to your advantage. I had a trojan I carried around on a USB key that I would pop into open workstations. We debated on what I should say if I was challenged. "I'm here to inventory this system for IT" was simple but the question was raised amongst ourselves: "are you doing an inventory of hardware or software and if you're an admin you could just do this over the network..." Most people don't care about these details, inventory is a thing that IT does, you look like a nerd, therefore your story probably checks out.

Things to note:

a) When placing keyloggers or doing hardware work always make sure you have a minimum set of tools with you: screw driver with flat/philips/torx bits, headlamp and maybe a lock pick and shim set for getting into cabinets.

b) Know the schedule for the area you're getting into. If it's a conference room, when do you need to be there? Work area, when is shift change? Be familiar with the names of the areas around you, what department is on a nearby floor, who is the admin in charge of scheduling this room, etc.

c) When getting a USB keylogger be mindful of the form factor, some PCs have tight USB clusters and if your keylogger is fat enough it may block other ports that you need. Having a short F->M USB cable handy is good for quick fixes.

d) Practice, practice, practice with your picks and your shims. Beating a lock on your bench in an air conditioned room is easy. Beating the same lock in a dark room where you shouldn't be with no AC and under time pressure is hard. On this gig I got 0 locks and 1 shim, ultimately I found other ways to solve my problem but I clearly need practice.

Conclusions:

Over the past 5 years doing consulting gigs for Immunity it's been my experience that when we're on the inside of a network and our scope is sufficiently open then there's always a way to win. The same is true for physical pen-testing, if we have access to your space (or sometimes just in range) then we're on your network and we'll almost certainly have credentials. One of the most surprising things we learned was that our USB key logging was approximately as effective as our phishing was at obtaining credentials. While credentials aren't shells, as I've mentioned it's not always about shells. If the data you need doesn't require code execution to get then this is a boon for your stealth.