USB Penetration Testing
USB ports are some of the most vulnerable parts of a computer, they exist on desktops, laptops, and servers. Most time they are fully accessible if you have physical access to a machine. Personally getting access to a USB port on a server or even a desktop linked to the target network is a very high priority when I’m pen testing any company. Many times you only need access to a USB port once to gather enough information to compromise a organization.
USB Switcblade / Hacksaw
USB Switchblade is the product of Hak5 and the surrounding community way back in 2006. It has the ability to capture and record information about the computer it is used on, but can also take password hashes, IP information, auto-fill information and some versions of Switchblade can create backdoors in the system for access at a later date.
In order to do this Switchblade uses a U3 drives ability to create a virtual CD-ROM drive allowing autorun to function. It can capture and record password hashes for later cracking. Switchblade can also take browser history (not Chrome history!) and any autofill information on the system. As well product keys for any installed Windows products. Some versions can also create a ghost administrator account for later access. The biggest advantage of using Switchblade is that all this can be done hands free within a few seconds.
USB Rubber Ducky
USB Rubber Ducky is the next generation of Switchblade. It has it’s own code called duckycode for writing plugins for it. You can buy it pre-installed for 59 $. But the source code is also open.
I’ll be posting later about how to install it on a 3rd party device. The post is now here. For now though you can check it out on Hak5’s store. Or you can download the source code from github.
I recently wrote an article about USB keyloggers and how a top executive had found a suspicious USB device inserted in between his keyboard and his computer. It turned out that the device was a physical keylogger, and unless you are doing physical inspections of hardware they are nearly undetectable. Of course these types of loggers require that you have access to the target machine on a regular basis to make them useful. They are also rather pricey. But can really change the tide of a pen testing attack.
The Best Option
I use USB Hacksaw/ Switchblade depending on the kind of attack I am preforming. It is by far the cheapest option and can give you tons of very valuable intel as well as a discreetly installed backdoor with Switchblade.
Setting Up USB Switchblade
Picking a USB drive
I will be setting switch blade up on a U3 drive because they have the ability to emulate a CD drive and automatically executed the Switchblade payload without any interaction other than plugging it in. Potentially allowing you to attack a locked computer.
These are the drives I will use to setup on. Two very unassuming drives that will draw little attention plugged into a target machine. But also with enough space to take a lot of information from several different computers.
Installing on the Drive
I’ve put together a package of all the required information for you to download. Switchblade is no longer being maintained and is very difficult to find on the internet. Before you start download that package at the bottom of the page.
Once you download it unzip it all follow the instructions exactly.
1. Unzip the NarwhaleUSB package you downloaded.
2. Open the Switchblade folder.
3. Unzip the Universal Customizer to “C:\Universal_Customizer“
4. Unzip the -=GonZor=- Payload V2.1 to “C:\Payload“
5. Copy the file U3CUSTOM.ISO from C:\Payload to C:\Universal_Customizer\BIN replacing the old one.
6. Run C:\Universal_Customizer\Universal_Customizer.exe and plug in U3 smart drive.
– Select Accept and click Next.
– Close all U3 applications and any applications that access your U3 drive and click Next.
– Set a password for the backup zip file (Empty password not allowed)
– Click Next and it will start backing up data. Wait for the Universal Customizer to modify your CD partition and replace your files to the flash drive.
– The modification should now be complete, Unplug your U3 Drive and plug it back in
7. Copy “C:\Payload\SBConfig.exe” to the mass storage of the flash drive
8. Run SBConfig.exe from flash drive
– Select the check boxes of the Payload options you would like to use
– Enter your email address and password for the HackSaw if you wish to use it.
– Click “Update Config” button, a message box should appear to confirm this is completed
– Toggle between using the payload or not by clicking the “Turn PL On”/”Turn PL Off” button
– Toggle between using the U3 Launcher or not by clicking the “Turn U3 Launchpad On”/”Turn U3 Launchpad Off” button
9. You now have -=GonZor=- Payload V2.1 in your U3 smart drive which can automatically steal password once it is plugged in to a computer with administrative privileges.
I’ve tested it and it’s very scary because when I plugged in the hacked U3 smart drive with USB Switchblade payload, the payload ran silently and invisibly! It did not modify any system settings nor sent any network traffic. There is a log file created at F:\System\Logs\COMPUTERNAME (F: drive is the storage drive) by the payload and I am shocked to see that my network configurations, router password, Windows Live Messenger password, Google Talk password, Gmail password, all Firefox passwords, Internet Explorer passwords, ICQ password, Windows Product Keys and etc being recorded in that log file!
As you can see from this guide USB drives can be very dangerous when network security is involved. I recommend securing all servers inside locked racks and regularly inspecting workstations as well as private and company laptops. Basically any computer that may connect to the network you are attempting to secure. Have any tips for securing USB ports or any tool you use for making your drives dangerous? Tell us in the comments.
NarwhalUSB Package – When you download it will show up as a virus. Because thats what it is.
Recently evilsocket released a Android app called dSploit, it’s basically a stripped down version of Metasploit for Android. You can preform Man in The Middle attacks and also scan for vulnerable operating systems. But one of the MITM attacks that I think could be the best, is the ability to redirect all traffic on a network to a web page. For example you could go to a coffee shop having before hand written up a legitimate looking sign in page for the target shop or public wifi network.
You join just like any other patron open up dSploit and redirct all traffic to a fake login page being served off you phone. Rather than just having guest sign in you could also have them register to pay to get access to the wifi, they are unsuspectingly handing you their credit card numbers or logins to any site you chose. All you need is a Android cell phone or tablet and a few minutes to set the server up.
- I will be using kWS for serving my fake login pages. You can download it form the Android store.
- You will need to download dSploit for the developers web page I posted earlier about installing and using dSploit.
Hopefully you get a return from the server that looks exactly like this one. Take note of you local IP address. If you don’t there’s something wrong with your setup. Go back and make sure that the server is looking for the html in the right place. If that doesn’t change anything try again with a different port. Once you get it running correctly, all you need to do is open up dSploit and it will scan the network you are attached to. Select 192.168.1.0/24 then select MITM and finally Redirect. Fill out the menu with your phones local IP address that you found when you started the web server and what ever port the server is using.
Finally click Ok and it will begin redirecting all HTTP traffic to your fake web page. The few times I’ve used this I simply redirected people to a fake Facebook login where I saved the email and password to a text file. But this could be used for a much more malicious purpose. If you have any problems or suggestions tell me in the comments and I’ll try to work them out for you.
“Hi, this is Rick from [Internet Service Provider]. We’re seeing some unusual traffic from your location. It’s most likely nothing to worry about, but we have a field tech on his way to diagnose the problem. Can you make sure he has access to the network to run some quick tests?”
At most, this phone call may take 3-5 minutes, and already the risk for the target being compromised is very high, especially if the individual on the other end of the line agrees to help the “field tech” (very likely the same person who called). This technique is one very specific example of “Social Engineering,” and throughout this post, we will see how these techniques are often leveraged by attackers to exploit the human element of security for malicious gain.
What is Social Engineering?
Social-Engineer.org describes social engineering as “the act of manipulating a person to accomplish goals that may or may not be in the “target’s” best interest,” however the actual scope of social engineering is usually more general, applying to the leveraging of any physical or social vulnerability that results in the disclosure of confidential information or produces the desired outcome. Using this broader definition, social engineering can be thought of as an assessment of non-technical vulnerabilities. This includes things such as:
- Testing the Human Element of Security
- Dumpster Diving
- Physical Security Assessment
Social engineering can be very effective. For example, it accounted for 7% of the security breaches in 2012 included in Verizon’s 2012 Data Breach Investigation Report. While this number may seem low, these attacks resulted in 37% of the total records compromised, and very likely took less time to execute than the other methods of attack.
Many people may wonder why social engineering works as well as it does. This is largely due to the inherent trusting nature of people. Individuals either don’t want to believe that someone is trying to manipulate them, don’t think they have anything worth stealing, which, as we will see, is a common yet dangerous error in judgment.
Some Key Terms
Since social engineering encapsulates many different areas of study (including those such as psychology and physical security), there are some key terms that will help when understanding the anatomy of a social engineering attack:
Active Information Gathering – Means of obtaining information through techniques that involve contacting the target directly
Dumpster Diving – The process of searching one’s garbage in an effort to reveal sensitive information, or information that will further help develop a pretext.
Passive Information Gathering – Means of obtaining information without directly contacting the target.
Phishing – The fraudulent practice of sending e-mails purporting to be from legitimate companies in order to induce individuals to reveal personal information
Preloading – influencing subjects before the event
Pretexting – the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.
Rapport – A close and harmonious relationship in which the people or groups concerned understand each other’s feelings or ideas and communicate well. In terms of social engineering, this could be considered the measure of comfort and trust an individual has in the social engineer.
Spear Phishing – The practice of sending specially crafted phishing e-mails to specific, targeted individuals (usually of a high-profile nature) in order to increase the chances of obtaining personal information from the individual.
Anatomy of a Social Engineering Attack
A social engineering attack generally follows the same process as any penetration test, in that the attacker first performs reconnaissance to enumerate possible attack vectors. Then, the attacker performs the social engineering, and will then use the gained information (if successful) to perform further attacks. The primary difference between a standard penetration test and a social engineering attack is that the social engineer usually knows what information or action by the target he/she needs ahead of time, and obtains bits of information to lead up to the acquiring of the targeted information or action by utilizing the most beneficial attack vectors.
this leads us to one of the chief philosophies of social engineers:
All Information is Good Information
Social Engineers thrive on information, and the ability to elicit information without raising alarm in the target is an absolute necessity. There are many techniques that can be used to gather information including passive information gathering and active information gathering. There are many sources of information that can be used for passive information gathering including (but certainly not limited to) the target’s website, WHOIS documentation, general surveying of the target’s physical location (or even Google Maps viewing of the location), general server information (such as running services and versions, operating systems in use, IP addresses, make, model, etc.), and social media (see “Social Engineering in Social Networks”). There are even some automated tools such as Maltego which can automate this information gathering process.
In addition to using technical resources to gather information about a target, an attacker can also leverage vulnerabilities in the way the company disposes of sensitive information. This is commonly known as dumpster diving. If a company does not take measures to effectively shred sensitive documents (such as customer information, equipment listings, third-party contracts, etc.), then an attacker can find all of these sitting in a dumpster outside of the building. This passive technique is commonly employed by attackers because it proves to be very, very effective. For example, if a social engineer needs a good pretext, he/she can sift through the target’s trash to find a bill for services provided by, say, an Internet Service Provider. Then, he/she can pose as this ISP (see example at the beginning of the post) to get closer towards achieving his/her end goal.
After the social engineer has obtained information via passive means, he/she will use that information to generate possible pretexts and attack vectors to be used in active information gathering. Let’s take a look at a couple of examples:
- Company A provides a service to customers through a third party web application created and maintained by Company B. The attacker, by viewing Company A’s “robots.txt” file, finds an administrative control panel to this application that requires a username and password. Then, by viewing the WHOIS documentation for the domain finds the name and e-mail address of Company A’s system/network administrator. The attacker could then contact Company B with the pretext of being Company A’s administrator, with a request for a password reset in order to gain administrative access.
- By sitting in a vehicle in Company A’s parking lot, the social engineer sees that access to the inside of the building requires a unique badge with an embedded RFID chip. However, he/she also notices that around 11 AM, some employees gather outside of the building to smoke and carry a conversation. Seeing the opportunity, the attacker joins them for the daily smoke break posing as a fellow employee, politely carrying on conversation. Then, when everyone begins heading back inside, the attacker simply tailgates behind one of the employees, holding the door for the rest. The attacker now has gained unauthorized access to the building.
- By viewing the “Letter from the CEO” portion of Company A’s website, the attacker is able to find the CEO’s e-mail address. By searching for this e-mail address in Google, the attacker is able to find a business executive’s forum where the CEO has asked questions in the past. The attacker is then able to send a specially crafted e-mail which contains a malicious link (that appears to come from this forum) to the CEO, which will very likely be opened and successfully compromise the CEO’s workstation.
In these examples, the attacker would create a believable pretext which would allow him/her to
pose as someone in order to achieve the desired results. These pretexts could range from a fellow employee, to support personnel (as seen in the beginning example), to the targets themselves. The key for a social engineer is to pick a pretext that is believable and effective. A good example of a social engineer using the pretext of a Fire Inspector can be found here.It is very common, however, that an attacker might have to make multiple active contacts with the targets to elicit information one piece at a time – perhaps using a multitude of pretexts. For example, if the goal of the attacker was to gain access to a critical server that housed intellectual property, he/she might first contact the company as an employee in the field who needs technical support in order to find out the internal extensions to the administrators. Then, they might try to use phone information eliciting techniques to find out the standard procedure employees must follow to change their passwords. After all of the necessary information has been gathered (along with discerning any internal “lingo” that might help make the attacker seem more credible), the attacker would make the final call to the administrator as an employee and attempt to manipulate him/her to create an account or change the password on an existing one. This would allow the attacker to effectively bypass any technical controls in place and steal the intellectual property.
It is important to remember that the goal of both passive and active information gathering techniques is to increase the effectiveness and credibility of the attack. A social engineer wants to achieve the desired result the first time – and usually does.
Phishing, or “attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication”, is the most common social engineering tactic (as everyone has most likely received SPAM mail before), that I felt as though it deserved its own section to discuss it.
We’ve all gotten SPAM e-mails that attempt to lure us to a (usually malicious) website. Most of the time these are obvious and stick out like a sore thumb to make it easier to delete – if it managed to bypass the filters in place. However, there is a particular type of phishing called “spear phishing” that can be surprisingly effective.
As noted above, the difference between spear phishing and phishing is simply that spear phishing is specially crafted to be more effective when sent to a particular target. Everyone has interests and things with which they are familiar. If we receive an e-mail pertaining to those interests or familiarities, then we are much more likely to click on them. This can be used in a variety of ways by social engineers. Since e-mail headers can be easily spoofed, an attacker can send an e-mail to the CEO posing as the CFO of the company, that includes “urgent financial reports,” which would really be a malicious trojan that would compromise the CEO’s computer.
Although SPAM filters have greatly increased in accuracy, there will always be some that slips through the cracks. In defense, one must be aware of this, and always verify with the supposed sender before opening a suspicious attachment or link.
Just like Metasploit offers an automated exploitation framework, there are different toolkits available to automate the process of crafting and deploying a social engineering attack.
The first (and arguably more well known) of these toolkits is call the Social Engineer’s Toolkit (SET). Developed in Python by Dave ‘ReL1K’ Kennedy, and included in the popular pentesting distribution Backtrack, SET has become a very useful tool for penetration testers. While this is not a tutorial on how to use SET (though this may come later), it has the ability to primarily perform the following:
- Creating a malicious clone of an existing website which contains one of numerous different payloads, ranging from Java-based attacks to Metasploit payloads.
- Crafting and sending phishing e-mails via mail-relays or Gmail.
For more information on SET, visit: http://secmaniac.com/
Another well known and commonly used social engineering toolkit is the Simple Phishing Toolkit (spt). This toolkit, originally designed to help system administrators measure social engineering awareness and the effectiveness of training given to employees.
SPT works primarily by allowing administrators (or social engineers) to create “campaigns”, which are the equivalent of a social engineering attack. This works by creating phishing e-mails and sending to a list of targets, and then tracking the results.
For more information on spt, visit: http://www.sptoolkit.com/
Social Engineering in Social Networks
The creation of social networking sites such as Facebook creates new opportunities for social engineers. The ability to share links can be a very useful feature, but also a very dangerous one. Consider all of the “Facebook scam” posts. These usually include an appealing title designed to provoke the user into clicking the given link to see the enticing content. While one might think that these can be seen and avoided from a mile away, it should be noticed that these scams can have a very large impact in a very short time.
In addition to the active attack vectors found in submitted malicious links, social engineers can use popular social networking sites for passive information gathering as well. The premise for this tactic is simple: essentially everyone has a Facebook. This includes the targets of the social engineers. These accounts contain information that would prove to be very useful when creating pretexts to use in an active attack. One could argue that, if configured properly, this type of information wouldn’t be accessible. However, the counter-argument to this would be that:
- Many people don’t configure their privacy settings properly.
- Even if people have their privacy settings configured properly, an attacker could try to “friend them” on Facebook with an appealing profile.
- If someone refuses to accept friend requests from people they don’t know or trust, an attacker could change angles, try to befriend the target’s other friends first, and then send a friend request to the target. By seeing multiple mutual friends, the target is more likely to accept the request. An example of this in action can be seen here.
Conclusion Hopefully this post has given you some insight to the ease of attack and the danger associated with social engineering. By preying on the people’s trust, social engineers are able to extract information or manipulate people to perform specific actions very quickly and very easily, usually with a low rate of detection.
With the nature of these vulnerabilities, the only real mitigation techniques to social engineering attacks are awareness and training. Testing employees by exposing them to mock-social engineering attacks that emulate the real attack process (perhaps using tools such as spt mentioned above) will cause them to realize just how easy they can be exploited. And, just like any mitigation, being reactive accomplishes nothing. Being proactive in training employees can be the difference between a successful or unsuccessful social engineering attack. However, it is important to note that training is not a panacea, as people will always be inherently trusting of others, however at the least it might cause an employee to think twice before opening an attachment, or giving network access to the ISP field tech who walks in the door.
Security is always only as strong as its weakest link, and unfortunately, with the ever-trusting nature of people in addition to the lack of foolproof mitigation strategies, the human aspect of security will always the weakest.
- Social-Engineer.org – Provides a complete social engineering framework (more thorough than what was provided here), as well as a blog to keep up-to-date on all things social-engineering related.
- Social-Engineer.org CTF – The team at social-engineer.org host started hosting a Capture-the-Flag contest at Defcon in which contestants attempt to use social engineering techniques to extract specific, yet fairly benign, data from large companies. The results of these contests (found at the link) can provide excellent information into the types of attacks and information gathering techniques employed, as well as the success of these methods.
- Social Engineering: The Art of Human Hacking – Written by Christopher Hadnagy, this book provides a very in depth look at what social engineering is, the psychology behind it, and methods that attackers would use in a social engineering attack. This book also provides great examples and case studies of attacks – I would highly recommend it!