
Building Penetration Testing Dropboxes

BSides Prishtina · 2026 · 49:33 · Published 2026-02
About this talk
Designing effective penetration testing dropboxes requires balancing hardware, software, stealth, power, communications, and legal constraints. Carlis walks through critical decision-making for different operational contexts—covert red team missions versus multi-user assessments—exploring real-world tradeoffs, field examples, and compliance considerations that keep engagements safe and professional.
Need to place hardware inside a target network? A reliable, secure, and stealthy testing dropbox takes more planning than you might think. In this session, Chris Carlis breaks down the key decisions behind building effective dropboxes, from hardware and software to power, communications, and supporting infrastructure. Learn how different goals, covert red team operations vs. multi-user penetration testing and vulnerability scanning, shape your design choices. We’ll explore real-world tradeoffs, field examples, and important legal considerations to keep your engagements safe and compliant. This session focuses on smart decision-making rather than step-by-step builds, helping you design dropboxes that fit your mission and constraints.
Transcript [en]

Right.

Uh before we get to the speaker in this room, heads up for a 1:30 workshop coming up by Balash Buchai. Uh defeating encryption by using Unicorn Engine. So that's at 1:30 the workshop. And now the uh speaker in this room um Chris Carlos from Zurich Insurance building penetration testing dropboxes. Chris explores the art and complexity of building effective penetration testing draw boxes guiding attendees through critical decisions on hardware, software, stealth, and legal considerations to create reliable goal-driven tools for internal network access. Chris, floor is yours. Thank you very much. Wow, this nice. This microphone is like super sensitive.

Okay, everyone. Thanks for coming back from lunch to learn about building penetration testing dropboxes. As mentioned, I'm Chris Carlos. Hey, that's me. Uh, a little bit about me. Uh, I work in offensive security, red teaming, penetration testing. I've been doing that for a bit over a decade now at that point. Um, you meet a lot of people who say, "I I was a pentester. I used to be a pentester." And then they move on to some grown-up job in security like blue team or or CISO or something. And uh, so far that's not me. Uh, I love hacking. I love penetration testing. I love coming to conferences and talking about it. It is the coolest [ __ ] out there. I will

keep doing it until they make me stop. Uh, when they pry your computer from my cold dead hands, that's when I'll be done. Um, I love the work that I do. I've worked for a number of years uh as a penetration testing and red teaming consultant at various different places. Uh, I work now in-house at Zurich Insurance. They don't care uh about me enough to like have their name on the slides or something. So, screw them. Buy insurance somewhere else. I don't care. Boss, if you're watching this YouTube video, that was a joke. Um, I also do some, you know, freelance penetration testing stuff. Just fun stuff. Uh, I like hacking. I like talking about it, like I said. And

that's what we're going to do today. Um I'll tell you a little bit about the journey of this and uh how we got to this talk and maybe you'll learn something maybe you won't but at least an hour will have passed approximately why Dropboxes I started making this talk and I started telling people about this talk I'm like I'm going to do a talk uh about making Dropboxes and uh even amongst the security industry folks I was talking to, I got a lot of, "What are you talking about?" Um, I'm like, "Oh, we should maybe back up." Uh, what are Dropboxes? What am I talking about here? Uh, it's kind of niche. Even for pentesters, is a little bit niche. Uh in

this situation, a Dropbox is usually a relatively small system that uh we used to provide remote secure access generally for some sort of security testing purposes into an internal network environment. Uh we have a box and we're just going to drop it on your network. There's other ways to get this done, but in this case, we're going to talk about actually building out these little physical boxes and making them work and making them do what they want. Everyone on board? We're all cool. Yeah. No questions about what the heck I mean by a Dropbox, not the the software company, not the file sharing stuff. Boxes. Uh so why why talk about Dropboxes? Like a lot of

the things I like to talk about is because uh I did this and I screwed it up. Like I a lot of red teamers, a lot of hackers, penetration testers would like to get up on stage and tell you about all the cool [ __ ] that we do and like ah I'm such a badass door kicker. I I broke in. I hacked the network. The password was admin admin. That kind of crap. Um in actuality, we screw stuff up all the time. We do the dumbest stuff possible. We just don't tell you about that part. Except I'm going to tell you about the part cuz I I screw it up a lot. and uh

you can hear about it and then if you decide to make your own Dropbox, you don't have to make those mistakes. You can make your own stupid mistakes. I look forward to hearing your talk about it. In truth, I've built a lot of dropboxes over my career. Um boxes for penetration testing, boxes for red teaming. Uh, I build them just for like the CTF that they have going on. Sometimes you're at a conference and you got a team of friends, some some random people you just met and you want to do a CTF and it's actually can be a bit easier to collaborate if you're like, "Hey, I got this little box. I'm going to plug it

in, connect to it, Wi-Fi, we'll all jump on sharing files and and it has all the tools we need built into it." That kind of stuff. Uh, so you start building these things and and like I'm going to build a Dropbox and you look on the internet. Um, and there's guides, there's blog posts. In like 2014, uh, a gentleman, uh, uh, Philip Pstra, he wrote a book called, uh, hacking um, hacking and penetration testing with low power devices. And, uh, they'll be like detailed steps. They'll say, here's the code, and here's the hardware that you buy, and here's how you put it together, and here's how you make it work. And you can do that

maybe. And generally, yeah, it'll work, but you're not gonna have your your your Dropbox. You're gonna have someone else's bo drop Dropbox made to do what they wanted to do. Aside from all that, nobody updates this [ __ ] The blog posts, the the book, uh the guides, they are all out of date. this talk I'm giving right now, I'm going to mention [ __ ] that's already out of date because I put it in there and then like last week someone's like, "Oh, I got new stuff." I'm like, "Damn it. It's impossible to keep up with this." So, I can't stand up here and say like, "Here's here's what to buy. Here's the, you know, the code to use." Um, instead,

we're going to talk more about the process. Um, just real quick, you might be saying like, "Hey, can't I just can't I just like give Hack 5 some money and uh and and they'll just sell me a Dropbox?" I mean, one, what did I just say? No. But yes, of course you can. You can you can give them money. And are you guys familiar with Hack Five? Anyone want to name all this kind of crap up here? Obviously, you can give HackFive money or whoever money at selling these things and they'll do kind of mostly what they're they're supposed to do. This is what all this stuff is. But you're still going to run up into

the same problem, the limitations of the hardware that they chose and the software. And let's be honest, kind of like the trading wheels guard rails that they put on their software so you can't do whatever you want with it easily. Uh, make it so it's not the ideal situation. I mean, does anybody have a Wi-Fi pineapple? No. Good. Like, I've Here's the thing. I And I'm sorry, Hack Five. I do not like the Wi-Fi pineapple pretty much because I've spent all the time I've ever spent with that Wi-Fi pineapple has been trying to get it to work and it it never has. Uh, and I'm like, I'm going to do this wireless pen test. We'll use this pineapple. I

own four of them. I don't I'm not even sure if they just they're growing like fruit in the house. So yeah, if you can buy stuff if you want to make easy mode, you know, pick up the packet squirrel or something, see what it does. Maybe it'll do what you need it to. But for the most part, uh building your own little custom stuff is is fun and there's lots of options and it's pretty easy to do nowadays. So uh that's what we're going to talk about. We're going to talk about the decisions that you need to make to build a Dropbox that suits your needs. And uh really it's a talk we're going to have

to make some decisions. Not so much like I don't give you answers. I'm like here's here's a bunch of annoying other questions you're going to ask ask yourself in order to to get this project done as well as some pitfalls. That's going to be like nothing interesting, just me yelling up here the entire time. Uh, we'll talk about that and we'll talk about um some of the hardware and and uh communication options, some stuff out there like you've probably heard of a bunch of it, but maybe some that's a little bit weirder. Some fun stuff to try out uh as you're poking around uh to run through. Oh, hold on. I got I got like bells and whistles.

No, thought I had at least one bell, one whistle. There we go. Ah, check that out. Uh, whatever. What we're going to talk about, uh, we'll talk about testing goals, which is really, really going to drive the majority of the actual decisions you have to make as you're you're putting this together. So, like, what the hell are you trying to do? Like, if you're just like, I'm making a thing. Oh, well, fantastic. But usually if you're building this for work, you have a specific job. You need these things to do. Uh the budgets which are going to throw a whole bunch of super annoying constraints on what you can actually do. Uh we'll talk about the hardware options

and some stuff within there. Some software which is eh software. uh the fun stuff which is like the communication options and uh some of the accessories that I generally recommend that you at least consider. Um and then we'll we'll cap it off with some operational security so you don't do all this work and then immediately have stuff ruined. And then tips on not screwing it up any more than you have to. Um or at least try to avoid getting yelled at or having the cops called or something like that. testing goals. What are we looking to do? Um, assuming it's not like some CTF thing you're just doing for fun. Generally, it falls into penetration

testing and red teaming and uh these things are they're fairly similar, right? Yeah. Like penetration testing is just like red teaming is a penetration test after marketing got a hold of the material and they're like, "Oh, we can charge we can charge a lot more money if we call it a red team and like what do we do different?" Like nothing. No. Uh you'll get my opinion on it. uh which is there's no hard and fast standard. But in general, in my experience, penetration tests are looking to answer how an attacker with access to an environment uh might look to compromise a target. Uh it's generally somewhat limited in scope, specific like internal network, external network. Uh stealth, being

quiet, being sneaky, not not not the top priority. uh often like it might just be announced. Everybody knows it's going on or you know you got a job and you got to get it done and so you're not trying to be quiet and so someone quickly notices like there's a weird system on on the network doing stuff. Um and they say, "Oh yeah, it's a penetration test." It's like, "Oh, okay." And then you just keep on working. Um you're testing in general the combined uh in place controls to see uh if there's any gaps that can be exploited in there. penetration testing. Red teaming, uh, on the other hand, is more like an an attack simulation.

Um, where what's being tested now includes how the defenders detect and respond and react to the attack that's going on. Like hopefully they see it. Um, hopefully maybe they can stop stuff. Dropboxes that we build can be used for, you know, both penetration and and and red teaming, but generally red teaming, you're trying to not get caught. You're trying to be stealthy. And so the box that you would build to do a penetration test might be considerably different than the box you would build for red teaming work. What kind of stuff do we mean by that? Uh, two pictures. No. All right. I don't even know why am I trying this. I can just do this.

Let's do some red teaming. This is a small little box. We'll talk a little bit more about that later on. Um it's tiny. It's hard to see. This uh from my friends at Secure Yeti, uh they call it the beast. It is a a massive penetration testing dropbox loadout. They send this entire Pelican case off to the client. It is built to do specific work. It is built to support a team of penetration testers all working at the same time. Um, it allows it has like a a solid number of of network connections. They can test multiple well segmented VLANs uh concurrently. So, it's just plug this thing in. It has everything they need. Infrastructure instructions.

You got to have a client that can support um this level of effort. But it's a beefy little setup here. Um, it it's running its own hypervisor. You can they spin up new VMs. We need a Windows VM for this test. Spin it up. Everybody wants their own testing virtual machine. Let's do that now. Um, and so obviously like they put some thought into what they needed to do to do penetration testing. And it's, you know, no one's going to sneak into an office and try to install this level of crap. it'd be crazy. So, this is what we mean when like the goals that you have for your test are going to drive the

decisions that you're going to make when building these boxes out. Um, we're not really building general purpose boxes. Um, the penetration boxes will give you more flexibility. Um, and really like back in the day, cuz I'm old, uh, we just like would send out a laptop. Why not? Like people know how laptops work. You ship that off and you say, "Hey, plug this into your network." And you hope that they can. Uh and uh and then you you do the test and you're like, "Please send us back our laptop." And hopefully they do. It's a bit hit or miss. uh other options nowadays aside from these boxes which I happen to like we see a lot of stuff where here's a

virtual machine spin it up in your virtualization environment or really just like VMware player or whatever on one of your boxes and and run this or conversely like uh some sort of agent like like a mythic or C2 agent uh that's running on a compromised host for purposes of testing still getting the same basic job done from a software point of view. But um in certain situations the physical boxes come in handy. So we can um yeah, can you use your penetration testing box for red team? Maybe. Kind of depends how you build it. Might be stealthy enough. Might, you know, you might be able to place it somewhere where no one's going to notice it. Can you use your red team

box for penetration testing? probably. Um, but is it going to be strong enough? Is it going to have enough options? If it's going to have what you need in order to get the job done, the budget, nobody wants to deal with this. If we were all at Google, Mandant Cloud, um, he's not here to yell. Oh, hi. Uh, with where I assume they just have unlimited budget. Yeah. Uh, you could just have custom hardware made, get some of those devs to make you some custom software. You You don't You got whatever budget. Um, you can convince the boss uh to give up. Uh, you have whatever you can convince your partner is legitimate to spend on this crazy little hobby of

yours for making these little computers. Uh, it's an annoyingly limited factor. The good news is there's just a lot of options nowadays. Like honestly, computers have gotten cheaper and more powerful pretty consistently. So, aside from just how much money we can spend, not only getting this hardware purchased and set up, but also um whatever backend support you need on that. Uh, another major budget we consider is the time because maybe you're broke, but you got like a lot of time to be broke and you're trying to fill up that that bucket of like let's get this project done. Like you need ultimately the idea is like I want to have a box that does what I want and works at the end of it

and I don't have a lot of money but I got a lot of time. So or maybe you have a lot of money and no time to fill that bucket up, get your box working. Um generally no we all we're all busy so how much time can you all lot to like all the stuff it adds up just the research trying to figure out what hardware should I buy uh keeping you know software up to date actually putting these things together how many do you need the backend infrastructure for all this stuff uh it's all just a time sync so how much time do we have to get this thing up and running and make a like a realworld

functional device something that you can deploy out in the field. And that's where like the kind of like the third option comes in here. How much crap are you willing to deal with? More importantly, since like 57% of like red team is is team, how much crap are your teammates willing to deal with? Because we've all like made stuff and like I think this is cool and it works and I know how it works because I've made it. And then you show it to someone and they're like, "I have no idea what's going on. It seems like you built a nightmare box." And now you want me to go out in the field and try to use your

your your disaster, the world's ugliest baby to get the job done. Uh so what is your personal budget for annoying [ __ ] What is your team's budget for that? Um, so if you if you make something that works but is so annoying to use and almost impossible to maintain that uh everybody hates it and they never actually want to use it, you can't really succeed in the task of anyone. If you've had a situation like I have where you just get so annoyed trying to make this stupid thing work, the goddamn computer that you never actually finish the project and you're like, "Let's just shove you into the pile of never finished projects." Uh,

yeah, you've also blown that budget.

Welcome to the club. Here's an important uh 100% factual pie chart. 90% of hacking easily is just trying to get the goddamn tools to work. And that's because most of the tools for hacking are made by hackers. And let's be honest, we're not the greatest at at building stuff. If we were, we'd be like engineers or something. Uh 10% of it is finally actually getting your job to get the hacking done. That's the the it's all kind of fun, but that's the the actual fun part. Uh not not shown here. Uh doing the actual report for your penetration test. That that time is gone, my friend. Um penetration testers hate writing reports. If you've never

had to deal with uh like we just become the most annoying whiny punks in the world, I will do anything. I will paint my house rather than write a report for like the coolest, funnest hacking I've ever done. And they're like, "Can you write that down?" I'm like, "God, no, I can't." H I could literally stick this this slide into any talk and I think it still just be relevant. Let's talk a little bit about hardware. What kind of decisions do we need to make uh when we start looking at what hardware we want to use? Um, just like size. How big is this thing? What does it look like? Does it look weird? Does it look interesting? Does it Does

your hardware look dangerous? Is is there like circuit boards showing, wires hanging out of it? Is a bomb squad going to be called when someone sees your hardware and like this red team got real serious real quick? Uh, will it get the job done? like is it based off of your known level of effort and how hard your co-workers work at their job. Uh can it can it handle the workload? Um and a lot of this will even depend on what type of work you're looking to have it do. Some testers like to test from the device like remotely log into it and they'll run tools locally and they'll test whatever they're looking at. Um, in

other situations, people like to just kind of take all the they'll they'll run everything locally and then they'll just shove it through an SSH tunnel or some sort of tunnel, whatever tunnels you like. I'm not going to tell you. Uh, and they'll just we'll just use this to proxy all of our traffic into the environment. Certain tools work well with that, other ones less. So, it's kind of a personal decision, which is largely what we're talking about anyway. So, will this box handle like five testers logging in and each one's like, "You know what? I haven't run in forever. Metas-ploit. I'm going to fire up my own instance of that." And next thing you know, all of your processors

being used by Ruby for some reason. How much do these things cost? Um, some of the stuff you look out look at out there. Um, do you need a lot of these things? Can we buy them at scale? Um, is it fancy but expensive. Is it built to do something else but you're like, I think I can make that thing do what I want it to instead. Um, is it going to handle the real world use that I want to put it to? Um, will it what architecture is it running? Is this an ARM processor? Is this uh an Intelbased processor? Um, and then is it easy to use? uh specifically like everything's easy to use at home with like all of your

tools and well lit and plenty of time to do stuff. Is it easy to use if you're building like a red team box for an operator in in you know at 3:00 in the morning when he's laying underneath somebody else's desk and you're like, "Oh yeah, you need to you need to hit the reset button in order to make that that particular thing work." And they're like, "Where's the reset button?" I'm like, "Well, you need a a screwdriver to open up the case and take it apart a little bit, and then there'll be a little reset button you can press with uh with like a safety pin, and it'll be like, I have none of that [ __ ] with me.

Why did you give me this terrible box?" So, is it easy enough to use? What are options? What What can we actually use kind of stuff here? Uh, this is just kind of like the elephant in the Dropbox room. Ah, the delicious Raspberry Pi. Uh, everybody, does anybody not own a Raspberry Pi? Not trying to call you out. I mean, sure. Um, yeah. So, everybody's got one pretty much. Uh, and honestly, they've gotten a lot better. When I started using Raspberry Pi uh as a Dropbox, I did not like it because they were kind of flaky. Uh like you plug in, you know, it's up and running and you plug in something in the USB port and it reboots kind of flaky.

Not great. Just the voltage drop would hit it. Uh I got tired of playing the game of like, did they find my box or did it just break again? Uh and you know, sometimes getting these things can be difficult. Uh, obviously the Raspberry Pi, very popular. So popular there's clones. Uh, oh, this one's an orange pie. Uh, there's banana pie out there. What are the, you know, what are the trade-offs with this kind of hardware cases? The orange pie has additional features and and same form factor usually as as the official Raspberry Pi, but the manufacturers will just cram additional fun stuff into there. So, like this will handle 5 GHz wireless as opposed to just 2.4.

Neat. Who's making the Orange Pie? Are they going to be around for It's just some company. I mean, they're all just some company in China probably. But like, are you going to be able to get support longterm um for this this alternative little device? What about this one? Is it still Yeah, it's it's still just a Pi. Uh, a number of years ago, PI came out with a compute module, more of like an IoT level Pi where it's here's a Pi with none none of the bells and whistles. It is just a little board and you can pop it into whatever you want. And this is what I've been working with most lately. Uh, it is a

uh a compute module case where you just whatever Raspberry Pi comput, you pop it in there and uh the functionality, you know, there's built-in Wi-Fi. It has dual Ethernet ports, which is something I tend to like in my Dropboxes because when you're red teaming, there's certain situations where you don't know what you're going to find uh in the environment you're going into. You got to go loaded for bear. You got to be prepared for the most secure things that you can possibly run up against and still try to overcome. And so when I started looking for Dropboxes to do that job, I wanted things that had dual Ethernet ports because if you run up to 802.1x

Knack controls on the wire LAN, your attack is essentially uh a physical man in the middle where you place a box like this in line with uh a legitimate system on the network. some software shenanigans take place and then theoretically you're able to operate and test on that network without the port just turning off and you know the cops showing up. So the fact that I can find a little case where this you know ends up being smaller than just the regular Raspberry Pi that only has one Ethernet. Can you use like a USB Ethernet and just plug it in and like yeah of course but it's bigger. It looks kind of janky. So, uh,

I like this little one because it has what I want in the smallest, least suspicious looking form factor, uh, that I've come across so far. But maybe you're just like, "Hey, I hate ARM architecture. I'm super mad at them. I don't want to use them." That's fair. Uh when I switched from the Raspberry Pi, I started looking for for additional hardware, something Intel based, something with a bit more power, a bit more reliability. Came across um this box. This is this thing's old. I don't use it anymore. Um it's called the Fitbit. It's made by Fit PC. It uses like laptop memory, laptop um hard drive uh option. It's built-in Wi-Fi. It has not visible in this one. There we go.

Uh, dual Ethernet. I was like, "Oh, yeah. Let's get this." And honestly, it worked great as a Dropbox for a number of years. It was cheapish. It was cheap enough for my boss to let me buy like four or five of them and, you know, test them out and use them as the team. Uh, it was small enough I could just like grab it and stick in my back pocket. Intelbased CPU, the options, the dual Ethernet port, so if we did run into 802.1x, we're all set. Um, about the only complaint I was getting from the team was the thing would get hot cuz it's passively cooled. And so the extra big heat sink that's not

stock. They give you the the low profile one from the geto. And so um, how hot would it get? Uh, not like burn you, but uncomfortable to hold. Um, and then they're like, "All right, well, where are we sticking these things?" Cuz I've taken them and like, "Well, they'll we're going to shove this this is a a a dusty fabric cube wall and like behind some guy's computer underneath a whole bunch of stuff and uh like it'll probably be fine, but uh setting fire to the building is not the preferred way to kind of like wrap up testing." So, it wasn't something I'm looking to use anymore. Uh, lately I've been looking more at I've been using this

Zema board. Uh, one of my buddies showed it to me. I'm like, "Oh, dual Ethernet. Sweet. I like that." It's still cheap. I put this picture there and then they're like, "Hey," they sent me an email like, "We're releasing like version two." And I'm like, "Sweet. I am not updating the picture." There's a newer version coming out. Looks pretty much the same way. Passively cooled still. um less options. Like it comes with the memory and the the the storage space that it has, but generally for testing, like it's still getting the job done. And I like, of course, the Ethernet ports. They also make another little device. It looks like the old school Sony Walkman called the Zema

Blade. It's still cheap. It's even newer. You can stick your own RAM in there. um only has one Ethernet port, but sometimes you don't need to. And this is a little bit like I'll use this for penetration testing where I don't have to worry about bypassing the act. I can just be like whitelist my MAC address please. Should you use those things? I don't know. Maybe none of that crap's going to work for what you need it to do. Maybe you need the beast that someone else built. Um, there's so many stupid options out there. If you're looking for stuff that won't get noticed, won't get picked up. If you start looking in like the the IoT

devices space and the hardware options out there that are just like here's a little box and you plug it in and it it does something. So much stuff. They may not want to sell you just one of them depending on where you're shopping, but you know, it's a little bit of the fun. You get to go out, find something that's going to fit your testing goals, um that's going to fall within the budget that you have. Uh and if if you're doing this for your job, is this a corporate thing? 100% use the opportunity to just try to pick something cuz it looks cool and you want to play around with it and you think you can like get this passed

and expensed and not have to pay for it yourself cuz I do that all the time and uh it works great. >> Oh god, >> that's a lot of words for one of my slides. Software stuff. We're going to dive deep into literally none of this. Software decisions that you make honestly will just have uh a lot in common with software development, which is where I stole this li list from. When I'm building a box, do I do I like run through this as a checklist? No. It's things that you kind of have in the back of your head like you push one, the other one's going to, you know, get pulled a bit. the flexibility, the cost, all these

things are decisions that you're making. But unless you're you're like got a hyper specific thing that you're looking to build, you know, generally your options are going to be what's out there and available. Um, starting at at just the base OS layer. Um, which which operating system do you want to use? Well, yeah, it's it's probably going to be Linux. Anybody here like to use like they're like a Windows penetration tester? Like the you not not attacking Windows but using window? It's it used to be like impossible pretty much. Uh but there's stuff and tools. There's a whole, you know, Windows subsystem for Linux now. Um as far as the more common options though, uh a number of things out like

honestly most of these are just Debian. Um, but what's going to run on your architecture? What's going to work for the job that you need to get done? Uh, do I just stick Cali on everything? Yeah, cuz I'm like a weird nerd and like I'm like, "Oh, I'll just run Cali on it. That'll work." And you know what? A lot of times that does not work. Uh, I ran I took Cali uh and their their Raspberry Pi image and I stuck it on that little compute module box and uh I was like, "Oh, I'm going to I'm going to plug in this new Wi-Fi card I had cuz I wanted to do some Wi-Fi work on it." And uh

and like five hours later, I realized like it's not gonna happen because the Cali kernel for Raspberry Pi was like several versions behind like what the modern like Raspberry Pi was running and like it was not supported and I was like can I make it be supported and that was a dumb decision. I should have just gone with like Rasbian or something and gotten it working out of the box. So hacking uh the decisions here you know what's going to run in your hardware what does your team like to use what are they used to what are you comfortable with that drives these decisions much aside from that yeah I stuck Windows way down here just in case someone is like

"But I use Windows." It's fair. Some more of the fun, interesting stuff as far as software considerations: some custom persistence scripts, or just user interaction scripts. If you're building a box for penetration testing, frequently what will happen, or what happened in the past, is as a tester you would ask the client, "Is your network static IP addresses or DHCP?" And you should know that, right, person who's paying for this testing? They don't, or they'll tell you the wrong one, and, crap, I configured it one way and now I have to send it out a completely different way. So, software in there that lets you make those sorts

of changes to whatever running configuration you have, whether it's for your operators or for your clients to make. Do you want to run virtual machines on your stuff? What kind of hypervisor do you want to use? The remote access options, there's a lot. Is it just OpenVPN, Tailscale, WireGuard, something like this? There's already plenty of boxes on the client's network that don't talk to you. The idea here is to get one that does. So which option are you going to go with as far as having it talk to you? NAC bypass options: do you think you have to deal with that? There's some software on GitHub,

Dolos Cloak I believe it's called. At the end I'll have a slide with a GitHub of these slides and all the stupid stuff I mentioned as far as hardware and software options, so we can go into that. Do you want to use a particular C2? Does your team like using Mythic? Do they like using Sliver? Do they want to use your box as a backup server for that, if whatever other outbound communications they have kind of fail? Encryption: we don't want to send our clients, or we don't want to have our secrets just available to whatever blue teamer finds the stuff running out there, right? So of course we want our box to be

encrypted, but it gets tricky. Because, all right, so you have your box encrypted and it boots up and it says, "Hey, type in your password to finish booting up and decrypt the work stuff." And your red team are lying underneath the desk and be like, "You want me to do what? I don't have a keyboard or monitor or stuff." So you need to have an option for having your stuff encrypted, but decrypting it in a way that is usable in the field. Is it going to be a YubiKey? There's a project called cryptmypi that has a number of options, including stuff I've used before where, all right, it

starts booting up and then it spins up an access point wirelessly that you can connect to, or rather it'll connect to an access point that it knows, and then you can log in with a specific SSH key that doesn't get you anywhere but then works as a password to finish up the rest of the boot process. And you're like, "Ah, try to figure that [ __ ] out, blue team," and then they don't care. They never care. Most importantly, whatever janky random tools your team likes to use, in-house-built stuff, stuff they found, like, "Oh, here's a proof of concept off of GitHub, it probably does what it's supposed to do and doesn't

steal a whole bunch of data or something." Getting all those up on your box, getting stuff working beforehand. Communication decisions you need to make. I don't know why I put a bunch of dongles on the screen; a lot of this stuff is kind of built in. First off, can we just shove it over the Ethernet? Like, we're plugging it in anyway, right? Maybe. And honestly, back in the day, yeah, you could just SSH straight out of someone else's network. They didn't care. Or not. Wireless, cellular. I like using cellular because it works pretty well for what I want it to do. Bluetooth. Common things, except if you run it over the network,

someone's going to see that eventually. They're going to notice, "What's this weird thing talking on my network?" The wireless side, there's trade-offs. Generally it'll work out that the higher the frequency the thing's running at, as far as wireless transmission, the more data it can shove through, but the shorter range that you'll get out of it. We've all gotten pretty used to the effective range of Wi-Fi. But also it's easy to monitor Wi-Fi. Everyone knows about it. Bluetooth, in the same frequency range, might get you caught. If you're going to run cellular, well, we've got some additional cost and hassle and BS to go through, because you're going to need

a SIM card for that. Can you get a burner SIM? Sure, there are things; that's additional bits of your annoying [ __ ] budget coming out there. It's additional work and effort to do that. Do you think the blue team is going to be able to find your device and take the SIM out and figure out who you are based off of the SIM? Is that something you're concerned about, if they're making that level of effort? If so, then yeah, you need to go through that level of OPSEC, in which case you probably should be wiping your fingerprints off all the stuff. In any case,

what other fun stuff... am I running over? Do you guys want me to stop talking and move on to the next thing? We'll burn through stuff quick. Some of the more fun stuff, the weird stuff that, sure, we can use this for comms. There's a new standard out there, Wi-Fi 802.11ah. It works in the 900 MHz frequency range. It works like Wi-Fi, but you get like a couple of kilometers out of it on a good day. Specialized hardware needed for it? Yeah. Acceptable-ish throughput. Is it great? No. Is it better than LoRa or some of the other stuff? Yeah. I'm liking it. I've been

testing it out. Power line Ethernet. Not Power over Ethernet, but weird power line Ethernet. Nobody's using this stuff. I kind of want to go to places and just plug one in, in the outlet in the parking lot, just to see if someone has one plugged in on the inside. But essentially, you plug one in and you plug a network into it, and it shoves your Ethernet over the power line inside your house or inside your office. So you plug in another one somewhere that you can get to and you've got network access. Again in the 900 MHz frequency range, these are tiny little radios made for drones. Drones need to communicate

data over a considerable distance, and it needs to be lightweight, and it needs to be a decent amount of data getting shoved through. So these particular ones I had, just with Linux, you're like, "Oh, here's another device. I can just send commands through it." Fantastic. Satellite. Yeah, I don't recommend that. Even if you're using satellite and you've got whatever the stupid thing is nowadays, you still need something to jump your device from wireless to the satellite to make that kind of happen. Zigbee or Z-Wave: same frequency range, but less common. Will it work? I don't know, maybe. Give it a shot. MoCA. MoCA is another weird one. It

uses coaxial cable, which people used to just have in their house, and then cable operators are like, "Oh, you don't need to run wiring through your house. Just take the signal coming out of your cable modem and shove it through the coaxial cable, and now you've got network drops wherever you need them." That'd be weird, but I'm looking to try it out once I can figure out one of my offices that actually has it. Meshtastic. Anyone like Meshtastic? It has some pluses but a bunch of minuses, as far as, is anyone else using it, and the data throughput. Some other weird thing, I don't know,

you're going shopping, you're building stuff, maybe you've got something fun and cool that you think will work in your environment. But who knows. All right, you made a bunch of decisions, you found some hardware that you like, you found dongles and adapters, and it's doing all this cool, fun stuff, and you're ready to go plug it into the client's environment. What does it look like? Oh, that does not look good. You made a Christmas tree here. We just put some presents and... Yeah. No, we forgot about the OPSEC part. We want these things to be boring, and nobody cares about them. How should it look? Using one of the ZimaBoards,

one of my friends at Secureworks in this case made a little custom 3D-printed case for their little cellular hotspot, and then went through the hassle of finding the right-angle cables and built this fairly boring-looking dropbox.

So I'm short on time at this point. I would go into a number of times I've screwed up OPSEC, which I'm happy to do after I've finished this talk, but let's just say, so many times have I screwed up something where you're like, "That was dumb," and yes, I've done that. And OPSEC is trickier than you'd think it's going to be. Additional accessories to go along, all fairly obvious: adapters. Bring them. You don't want to try finding a Mini DisplayPort to HDMI adapter, which that ZimaBoard uses, at 3:00 in the morning from someplace. Bring all this stuff with you so it can work, because

it's going to break. Things you need to look out for from a legal point of view. I'm not sure what the law is, sorry, in this country. But in the United States at least, like, "Hey, I have a little computer. I can hide it wherever I want. Can I record audio of the big boss making decisions?" For me, that's a crime. Like, yeah, you can do it. Of course, plug in the microphone, make the [ __ ] happen. Bad idea. Video, actually, if there's no audio and there's video, less of a crime, not a crime. Your mileage may vary, but people don't like being recorded secretly without their

knowledge. So you're probably going to end up talking to human resources and looking for a new job. If you're playing some kind of wireless Bluetooth games, like we're going to deauth people and knock them off the network and stop people from doing work, not the greatest idea. If you're going to try to do something crazy like inject keystrokes into keyboard dongles, because they're not encrypted and you can do that kind of stuff, you're going to break some stuff, probably. Are you going to get away with it? Maybe. But is it what you want to be doing? And finally, if you are doing a red team with a situation where you've got to break into a

building and hide this box, make sure that you have authorization for breaking into where you need to break into. Just because your client says, "Yeah, I give you permission. Break into this data center and place a dropbox," 100% they don't own that data center and they cannot give you legal permission to break in, and testers have gone to jail and gotten fired for that kind of stuff. So, just CYA on a lot of that. Here's a recap of a bunch of stuff. We talked about all these things, but I'm out of time, so you're going to have to believe me. Next one. There's a big thanks.

And there's the... no Q&A, out in the hall, I guess. Maybe. QR code with GitHub. Other weird stuff that didn't make the official list, but I'm planning on poking around at and seeing where it goes at some point. So, thank you again, everyone. And thanks for having me here at BSides.
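Two of the software decisions the talk spends the most time on, a box that can be flipped between DHCP and static addressing on site instead of being re-imaged, and a tunnel that has the box call out to the operators rather than waiting to be reached, come down to a couple of small config renderers. The script below is an added example written for this page, not code from the talk or from the speaker's GitHub. It assumes a Debian-style box that uses systemd-networkd and wg-quick; the interface names, tunnel addresses, keys, endpoint and file paths are placeholders, and the choice to suppress the DHCP hostname is this example's own OPSEC default, not something the talk prescribes.

```shell
#!/bin/sh
# Added example, not from the talk: render the on-site network profile and the
# call-home WireGuard config for a Linux dropbox. Assumes systemd-networkd and
# wg-quick. Every address, key, interface name and path here is a placeholder.
set -eu

# Accept a dotted-quad IPv4 address with an optional /prefix (e.g. 10.0.0.5/24).
# Rejects stray characters, empty octets, octets above 255 and prefixes above 32,
# so a typo entered under a desk fails here instead of taking the box offline.
valid_cidr() {
    case "$1" in *[!0-9./]*) return 1 ;; esac
    ip=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit a systemd-networkd .network unit for the client-facing interface.
#   render_network IFACE dhcp
#   render_network IFACE static ADDR/PREFIX GATEWAY
render_network() {
    iface=$1
    mode=$2
    case "$mode" in
        dhcp) ;;
        static)
            [ $# -eq 4 ] || { echo "static needs ADDR/PREFIX and GATEWAY" >&2; return 1; }
            valid_cidr "$3" || { echo "bad address: $3" >&2; return 1; }
            valid_cidr "$4" || { echo "bad gateway: $4" >&2; return 1; }
            ;;
        *) echo "mode must be dhcp or static, got: $mode" >&2; return 1 ;;
    esac
    printf '[Match]\nName=%s\n\n[Network]\n' "$iface"
    if [ "$mode" = dhcp ]; then
        # Do not announce a hostname: a "kali-dropbox" entry in the DHCP server
        # log is the Christmas-tree problem in log form.
        printf 'DHCP=ipv4\n\n[DHCPv4]\nSendHostname=false\n'
    else
        printf 'Address=%s\nGateway=%s\n' "$3" "$4"
    fi
}

# Emit a wg-quick config in which the box initiates the tunnel to the operators'
# endpoint, so nothing inbound has to be opened on the client's perimeter.
#   render_wg PRIVKEY TUNNEL_ADDR/PREFIX PEER_PUBKEY ENDPOINT OPERATOR_NET
render_wg() {
    valid_cidr "$2" || { echo "bad tunnel address: $2" >&2; return 1; }
    valid_cidr "$5" || { echo "bad operator network: $5" >&2; return 1; }
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\n' "$3" "$4"
    # Only the operator subnet rides the tunnel. AllowedIPs = 0.0.0.0/0 would make
    # the box a default route into the client LAN for whoever holds the peer key.
    printf 'AllowedIPs = %s\n' "$5"
    # Keepalives hold NAT/firewall state open so operators can reach back in.
    printf 'PersistentKeepalive = 25\n'
}

# Install both files when run with DROPBOX_DEMO=1 (paths and values are assumptions).
if [ "${DROPBOX_DEMO:-0}" = 1 ]; then
    render_network eth0 dhcp > /etc/systemd/network/10-eth0.network
    render_wg "$(cat /etc/wireguard/box.key)" 10.99.0.2/32 "<OPERATOR_PUBKEY>" \
        vpn.example.net:51820 10.99.0.0/24 > /etc/wireguard/wg0.conf
    systemctl restart systemd-networkd
    systemctl enable --now wg-quick@wg0
fi
```

Switching the box from DHCP to static on site is then `render_network eth0 static 192.0.2.10/24 192.0.2.1 > /etc/systemd/network/10-eth0.network && networkctl reload`, which is the kind of one-line change the talk wants operators or clients to be able to make without a rebuild; the validation in `valid_cidr` is what keeps a mistyped address from leaving the box unreachable in the field.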