Hey guys, how's it going? Big round of applause for BSides for having all these great talks. This is the last talk, and I promise it's going to be short, fun and a great way to wrap everything up. Looks like we're all set.

My name is Nick. I am the CEO and director of Alex Security, I am a penetration tester, and I also started the Toronto Ethical Hacker meetup group in downtown Toronto. There are about 50 hackers in it, and I noticed a couple of faces here, so hello to you guys. I'm going to be showcasing a lot of these tools and weapons as a penetration tester, as the red team, so it's going to be about four tools, actual physical devices, and we're going to go from there.

I'm going to do a brief overview of what pen testing is, for those of you who don't understand what it is and are trying to wrap your head around how hacking can be legal. It is a well-defined, organized security test, and it's not only limited to the IT department. I know a lot of guys like to give a lot of heck to those network admins and security execs, but security is everyone's responsibility. It's a real-world objective test: in my opinion, an external third party comes in and tests with their entire knowledge and their might to try to get into your system. Now obviously you can get different types of testing, white box testing, black box testing, gray box testing, but it all depends on the type of test that you're looking for with your system. The name of the game is to find the vulnerabilities and to see if you can exploit them. Not all vulnerabilities are important. When it comes to pen testing, it's different than an antivirus scan, because you can actually see where the critical data lies, so if I were to exploit a vulnerability I can then see, okay, I have some critical key information here that I could use. And my number one vulnerability is the people in the company, so a lot of the tools I'm going to be showing you are in a way social engineers in themselves.

So without further ado, I'm going to talk about the methodology of penetration testing. The very first step is footprinting. There's an active and a passive type of footprinting that you can do before you engage in a penetration test, so you always want to start with a passive test. This is utilizing Google, utilizing monster.ca, to see if your target actually has any posts saying, hey, this is what I'm looking for: I'm looking for an IT guy, he needs to know MySQL, he needs to know PHP, he needs to know this version of Windows Server. It's a great tool for me to see a posting like that, so I can see what kind of technology a company is using. Afterwards I can use more active scanning: I could use more active ping sweeps, traceroutes, the Nessus vulnerability scan is great, and then from there I will go and conduct hacking. My number one favorite type of hacking is just walking into the facility dressed up as an Onyx Fire security tester: you know, I'm going to go around and check your fire equipment, make sure everything's up to date, oh, what's this, a server room, I wonder what it looks like in here. Physical security, that's huge for me. We always talk about IDS systems, IPS systems, but no one really looks at what physical security controls we have protecting this infrastructure, protecting these digital files on these computers.

So the first tool I want to show you guys is the USB Rubber Ducky. This guy has been around for a while, and I'm sure some of you know about him. The great thing about this guy is that he actually mimics a keyboard, and keyboards are inherently something that humans use and computers trust. But this guy has an encoded payload that I can type in, and I can put in whatever I want. So some of the things that you can actually do with this guy, let me just pass through here: you can use it for reconnaissance, so you can grab a computer's ID, computer information, you can grab user information based off of where you plug it in, you can get the installed updates, network scans, port scans; all of this can be used as a reconnaissance tool. You can also use it as an active exploit or hacking tool: you can do reverse SSH by just simply plugging it in, and hopefully, if it works properly...
This should be the shortest demo ever.
Go, Ducky. Done. I just wrote a reverse shell into a server that I have access to, so now I can go ahead and play around with all my files on this computer. One of the really great things about this USB Rubber Ducky, let me just get back into the presentation, is that it has a great community. The guys over at Hak5 develop this; they have an awesome repository that allows you to just download little check marks, so you can literally say, hey, I want to grab the information, and it'll encode this in the actual Ducky encoder. Really great, a lot of people online are using it, and I highly recommend that you guys pick it up. This is how much it goes for: it's about $42.99. If you buy one you can get a discount if you keep going.

The next tool I'm going to be talking about is Wifiphisher. Now Wifiphisher is similar to a WiFi Pineapple in the sense that it uses these two WiFi cards, and if they're capable of injection you can conduct the actual hack. Where I would use this in a penetration test is I would sit outside in a corporate parking lot or outside of the actual door, and I would try to deauthenticate the company's router and all of the clients attached to it. Then the other access point would try to mimic the router: it would try to grab its SSID, and it would try its best to display an actual web server for the clients that were trying to reconnect to the router. They would actually be shown a fake router firmware update screen where they're asked for their WPA or WEP password in order to run the firmware update. So the great thing about this type of tool and this hack is that it uses the social engineering technique of "you need to update your router," and anyone who's connected to this router can do this. If I'm listening, I could essentially just take one person, grab the password, and the entire network is compromised.

Just a little picture of how it kind of works. Like I said, all it takes is just one person to fall victim to the attack and the entire network becomes compromised, and I don't even care about the encryption standard you use, whether it's WEP, WPA2, WPA, it doesn't matter. It is open source Python; you can grab it on GitHub. This is kind of what it looks like when you actually plug it in. You can see here it'll automatically scan and put one of the cards into monitor mode, and it'll try to pick up all of the SSIDs in your area. What you'll then do is a tiny little keystroke of which access point you want to attack. First it'll try to clone all of the settings, then it'll actually jam the devices connected to it: it'll deauthenticate and bring everyone down. Now the one thing that I learned about this type of attack is you need to have a higher power gain than the router, so you need to be really close to these targets. That's why I said, you know, I'm outside in the parking lot, or if I could post up really close to the building itself. And then at the bottom you can see where the web server is actually running, and I can see the GET and POST requests from the clients that actually fall for this wonderful website here. I don't even know, they just chose some random product, DSL, whatever. I'm sure that you can customize it yourself because it is all open source, but this does the trick, trust me.

So the requirements: this thing usually runs in a Kali Linux environment, and you need two network cards, not just one; you want one to do the deauthentication and the other one to do the injection and to actually broadcast the web server. These TP-Links, they're great, you know, 150 megabytes per second, they're about $12, really great.

The third tool is this guy right here. He is the USB Ethernet adapter, also known as the LAN Turtle, the physical man-in-the-middle device. So he'll actually grab an IP address from the DHCP server on whatever network, and it will actually pump out a different IP address to whatever computer I connect it to. Some of the things that you can do with this are incredible; there's a whole bunch of modules that you can download online. You can do URL snarfing, DNS spoofing, a really great device. Some of the things that you can really use this for is a persistent sort of after-the-fact: after you've hacked into your company, you go in and you plug this into their infrastructure, and it'll act as a persistent autossh, so you'll automatically have access to this entire LAN whenever you want. You know, it actually says "USB Ethernet adapter," so I guarantee if I just leave this around somewhere in a company, someone's going to say, hey, I'm totally going to plug this in and just get some Ethernet.
And for the last one, the legendary hacking tool of lock picking. When it comes to physical security, we have our cameras, our biometric scanners, the man traps, RFID tags, the motion detectors, but the number one most common physical security system is your typical lock. You know, these locks can be found on doors, executive offices; even the server rack will have a lock to protect all of its cables and stuff. So, the art of picking a lock. Not sure if anyone here also does lock picking. It is not illegal in Canada to have one of these devices here. So here you guys can see that I have all of my actual rakes, tools, I have my tension wrenches, all in this wonderful little pouch here, but I rarely use this. The tool that I'm going to be showcasing to you guys when it comes to lock picking is the snap gun. The snap gun works off of transmitting kinetic energy from the steel rod of the snap gun here into the bottom pins of the lock. The bottom pins receive that energy and use the inertia to hit the pins that are right above the shear line of the actual lock. So when I go into the lock and I do that a couple of times, I'm actually knocking the pins into place, and they stay there because I'm applying a constant force with one of my tension wrenches at the bottom of the lock. So when I go in, just like that, eventually that door actually opens, within just 10 to 30 seconds. The reason why I brought the Honey Goo is because this works a lot better than WD-40, so if you guys are looking into doing it, Honey Goo, there you go.

Another one of the actual devices here that goes with the USB Rubber Ducky is this tiny little USB adapter that allows you to plug it into an Android device. Androids also accept keystrokes, so you can conduct USB Rubber Ducky hacks on mobile phones. Now the way that you actually encode the payload on the USB Rubber Ducky, sorry, I'm jumping around a little bit, is with this device here. You can't just plug that USB Rubber Ducky into any device and start writing to it; it has a tiny little micro SD card slot, and you take that out and you plug it into here, and you plug that into your computer, and you can write whatever code you want.

Here's a little demo of the actual snap gun.

[Video narration:] "Upside-down mounting cylinders. With one of the supplied tension wrenches, I'm just going to go in and feel for the back of the keyway. With the straight needle I'm just going to apply a very, very light..."

But look at how long that video is, and he's explaining it as he goes along. It takes no time at all for him to get into that deadbolt lock, no time at all. I'm not connected, guys; the presentations are going to be showcased afterwards, BSides is going to host it, so you guys will have access to all these links on the slides. Any questions? I know I said I was going to keep it short and sweet and demo some of these tools for you.
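The Wifiphisher attack described in the talk has two halves that a wireless monitor can actually see: a burst of deauthentication frames aimed at the real access point's clients, followed by a second radio beaconing the organisation's own SSID from an unknown BSSID. The following is an added defender-side example, not code from the talk or from the Wifiphisher project: a small Python detector that flags both patterns from 802.11 management-frame metadata. The `Frame` record, the `CorpWiFi` SSID, the BSSIDs in the sample and the threshold of 10 deauth frames within 2 seconds are all constructed assumptions; a real deployment would feed it frames parsed from a monitor-mode capture and tune the threshold to the site.

```python
"""Flag the on-air signature of a deauth + evil-twin attack.

Added example with constructed data: the SSID, BSSIDs and thresholds
below are placeholders, not values from any real network.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

DEAUTH_THRESHOLD = 10   # deauth frames per window that count as a flood (assumed tuning)
WINDOW_SECONDS = 2.0    # sliding window length (assumed tuning)


@dataclass(frozen=True)
class Frame:
    """Minimal view of a captured 802.11 management frame."""
    ts: float        # capture timestamp in seconds
    subtype: str     # "beacon" or "deauth"
    bssid: str       # BSSID the frame claims to come from
    ssid: str = ""   # only meaningful on beacons


class EvilTwinDetector:
    def __init__(self, known_aps: Dict[str, Iterable[str]]):
        # ssid -> set of BSSIDs authorised to advertise it (from a site survey)
        self.known = {ssid: set(bssids) for ssid, bssids in known_aps.items()}
        # bssid -> timestamps of recent deauth frames within the window
        self.deauth_times: Dict[str, deque] = defaultdict(deque)
        self.alerts: List[Tuple] = []

    def feed(self, frame: Frame) -> List[Tuple]:
        if frame.subtype == "deauth":
            self._check_deauth(frame)
        elif frame.subtype == "beacon":
            self._check_beacon(frame)
        return self.alerts

    def _check_deauth(self, frame: Frame) -> None:
        q = self.deauth_times[frame.bssid]
        q.append(frame.ts)
        # drop timestamps that have fallen out of the sliding window
        while q and frame.ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        # fire exactly once, at the moment the threshold is crossed
        if len(q) == DEAUTH_THRESHOLD:
            self.alerts.append(("deauth_flood", frame.bssid, len(q)))

    def _check_beacon(self, frame: Frame) -> None:
        allowed = self.known.get(frame.ssid)
        # an SSID we own, advertised by a BSSID we did not deploy
        if allowed is not None and frame.bssid not in allowed:
            alert = ("rogue_ssid", frame.ssid, frame.bssid)
            if alert not in self.alerts:
                self.alerts.append(alert)


def sample_frames() -> List[Frame]:
    """Constructed capture: legitimate beacons, a deauth burst, then a clone."""
    legit, clone = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # placeholder BSSIDs
    frames = [Frame(i * 0.1, "beacon", legit, "CorpWiFi") for i in range(20)]
    # 15 deauth frames in 0.75 s, spoofing the legitimate BSSID
    frames += [Frame(1.0 + i * 0.05, "deauth", legit) for i in range(15)]
    # a second radio starts beaconing the same SSID
    frames += [Frame(2.0 + i * 0.1, "beacon", clone, "CorpWiFi") for i in range(5)]
    return sorted(frames, key=lambda f: f.ts)


def run_detection(frames: Optional[List[Frame]] = None) -> List[Tuple]:
    """Run the detector over a frame list and return the alerts raised."""
    detector = EvilTwinDetector({"CorpWiFi": ["00:11:22:33:44:55"]})
    for frame in sample_frames() if frames is None else frames:
        detector.feed(frame)
    return detector.alerts


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The deauth check keys on the claimed BSSID because the talk's tool spoofs the real access point when it jams its clients; a beacon-side check against a BSSID allowlist then catches the clone regardless of the encryption type it advertises, which is the point the speaker makes about WEP, WPA and WPA2 making no difference to this attack.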
Questions, questions, questions. What's your most used tool? Most used tool? My résumé. Yes.

Now, the Rubber Ducky: a lot of the people that are part of the community actually write the encoded payloads in Windows. However, when they try to bring up that Command button keystroke on Mac, it does not work. So I tried looking at it, and I tried finding a way to mimic that keystroke for the Command button, but the Rubber Ducky tries its best to hit the Windows button. That's why I started off with Spotlight: it automatically typed "terminal" for me and went from there.

Yeah, and I can see how it is suspicious. Wifiphisher isn't a tool that I use regularly; I'll mainly use the Aircrack suite, especially if I see a WEP connection. But Wifiphisher will bring down, or at least try to redirect, all the users to me, and all I need is just one password.

It's a two-way attack, so it does attack the AP and it does attack the user. It hits the AP, and I send the deauth packet and then just deauthenticate them. Yes.

That's something that I was trying to experiment with earlier, before the talk, and I believe so, but I'm going to get back to you. What's...

...Ducky up? It enables you to have a full Linux distribution on the device, and it's like trusted hardware and stuff like that. You could probably do that sort of fingerprinting, like finding out what host OS you're connected to and then act... Yeah, awesome. I'm going to go over to this side of the room, over in the back there.

So the question was, is it just raw output, or...

So yeah, what the Rubber Ducky allows for: you can utilize it as a mass storage device, and you can actually write to the Rubber Ducky based off of what you find. So if I use it for a reconnaissance mission and I plug it into someone's computer or someone's laptop, I could actually grab information on their laptop. And during the process? Not so much, it would... yeah. But what you could do is, if you have the file already loaded on the Rubber Ducky, there's a little tiny button on the Rubber Ducky itself that allows you to redo the payload again, and once you press that button you can just write a simple condition that says if that file is there, run it differently. Yes.

I've seen a couple of individuals use the Rubber Ducky for booting into a Windows machine that isn't encrypted, or not Windows, a Mac machine that is not encrypted, in single-user mode, and they were able to get in, because you have to type in a whole bunch of commands in single-user mode, and if you just plug in the Rubber Ducky you can get right in and get root access. Which tools, in your experience, like during your experience...

So during my day-to-day, when I'm working with small and medium-sized businesses, these tools here aren't tools that I use all the time. I brought these guys up here because I find them more like toys, and I just wanted to demo them for you guys and showcase that these are easy to get: people can buy them online, they can start plugging them into your networks. These are things that we have to be reasonable about and understand. But some of the tools that I do use every day: Kali Linux, Core Impact, which is great for a lot of reporting afterwards, Nmap, it's the best. Yes, over here.

Yeah, so lock picking is legal; the actual lock pick sets are legal in Canada, but how you use them and what you use them on... like, I could not...
So this gun only works on one-sided locks, on locks that have pins on the top. Your typical car will have pins that are located on the top and the bottom; they're dual-pin locks, and the gun won't work for those types of locks. I'm sure that there might be some people out there who are grand locksmiths that can find a way to do it, or they use just their hands, but they would use the actual picks themselves and not the gun for really intense locks like that.

I guess that would work. Yes.

No, the ones that are bump-key resistant, it would not work. You would need to have the skillful hands of traditional lock picking. Yes.

Those actually require a couple more inputs than just a single password, so I haven't actually used Wifiphisher for any of those networks.

Yeah, just if it requires one single password, that's it, it's pretty simple. Wifiphisher is built to just receive that one entry, and the UI front end just works. I also have back-end, full-stack development experience, but I'd much rather break things now. One more question. Yes.

The contract. Okay.

Okay, so before you disappear, you get to give away a $50 ebook gift voucher from No Starch Press to whoever had the question you thought was worthy.

Yes, I'm tired, dude, don't bag on me.