
Hacker Toys for Hacker Boys & Girls

BSides Charlotte · 2014 · 1:21:38 · 503 views · Published 2014-06
About this talk
BSidesCLT 2014: Presentation by Ronin on all the cool toys to have if you're a hacker boy (or girl). Enjoy!
Transcript

All right, so everybody for getting started a little late. We were updating the slides and had some issues between getting things from point A to point B, C, D, E, and F. Those never happen. What? Those never happen. No, we've never had any issues with slides. So yeah, our talk, and I know the calendar just has me, but we had actually talked about this a while ago. And earlier today, Tom was like, hey, we talked about it. Do you want me to join in? So I'm like, heck yeah, let's do this thing together. So this will be good to get two people's perspective on how we've used a lot of these toys throughout the years.

And it is throughout the years stuff that we've done both professionally and on our own for hobbying and research and stuff. So we both work in the security field. We both do security red teaming, penetration testing. I do consulting work. So I deal with wireless and hardware. And so a lot of people just think you pop your laptop onto the network. And that's what general consulting or internal hacking or pen testing is. But a lot of times we have to do custom stuff, or with wireless, or other technologies. We have lots of toys and gadgets. And I am very much a toy and a gadget person. I'm sure this is the right crowd. No matter what, if it's security related, we're kind of toys and gadgets, latest

and greatest, or not always the big buzzword ones, but we have our little niche things we like to play with. So what we thought we'd do, which we've collected all these things throughout the years, and you can see a lot of them up on stage, thought we'd talk about some of the tools we use, the specialized ones, the best ones out there for whatever purpose we're talking about. And a little bit about each one. We're not going to go into great detail. We're going to tell you this is the hardware and this is what it does. And you can go on your own if you want to do more research. Or feel free to ask either of us. We're going to be around the rest of the weekend.

And yeah, so that's my intro to it. Do you have anything else to say? All right. You can take this one. I didn't realize he had this slide in, and we both kind of fit right. We've got the cargo pockets. Generally, when I'm running around with cargo pockets, I have a tablet in one and I've got my injectable Atheros-based Ethernet card, you know, wireless card, in the other pocket, and my hand is stuck. My other hand is busy. Let me help you with that real quick now. So, but yeah, I mean, so I had these in my pockets, and he flipped those slides. I showed him the slide. He's like, oh. OK, cool. We're good. Yeah. So

the actual story behind this, and I'll go quick the rest of this, but at CarolinaCon, has anybody been to CarolinaCon? CarolinaCon. All right. So it's in Raleigh, pretty close by. And it's put on by 2600. It's been going for a few years now. But the first one I ever went to, they had a competition at night. They said, all right, whose pants weigh the most? That was it. And we all laughed. I'm like, no, really? We're going to give you prizes, whoever's pants weigh the most. So of course I went up and took my pants off and weighed them. And I came in second, even though I had a tablet, an actual computer in my pocket. Somebody had all their ham radio equipment on them, the CB radio and

everything. So I came in second by a lot. But still, it was funny to see half a dozen of us, my pants and weight and scale and everything like that. So that's where the origin of that came in. That's when I realized, oh my gosh, it really is true. We all have that stuff around. I'm not alone. That's right. Feel accepted. All right, so we'll start off with some of the wireless equipment that we use. Actually, I put the Alfa, and we're going to talk about specific models for a lot of things and the features you want to look for in the hardware. And you have to realize some of this hardware stuff comes down

to the individual chip, so it doesn't matter the brand so much as the chip that's on them. And there's a lot of the Alfa ones, and I actually forgot, do you know off the top of your head the model number for the Alfa, the standard one, the 3050? You've got it on you, right? Yeah, it's the S036H. I'm sorry. Yeah, it's the AWUS036H, which I'll put up there. We're going to update the slides before they go online later on. I'll have all of that. A few things are missing just because we had some technical difficulties. This is the exact card that, if you look online, for years and years and years people have been using. It's

got a great chipset for sniffing. It's the RTL8187 chipset. So it's the one that's been around forever. So if you look, wireless attacking, wireless sniffing, this would be highly recommended. It's not necessarily the best. It's older, and it was the best one out for the time. But another really good one is this one, this Rosewill card here. And this one is good because it does 5 gigahertz. So I'm talking, how many people kind of Wi-Fi-ish tech? So Wi-Fi, the newer ones do on two different RF bands. And a lot of the cards that we predominantly use for attacking are just for 2.4. So we're missing out on the secondary band, so we can't attack or sniff or anything, capture data on those bands. So this is a really nice

card because it does both bands. And very few of them have support to do sniffing. So there's four things you can do with a Wi-Fi card. You can normally do managed mode, which is how you connect to an access point. You can sniff traffic. You can inject traffic and you can pretend to be an access point. Sniffing and injecting, sorry, injecting and access point are similar. And then you can do ad hoc mode. But you can pretend to be an access point, which blows a lot of people's minds, that I can set this card as an access point on my computer, trick your computer into connecting to me because I pretend to be AT&T Wi-Fi, which is what Starbucks uses, and yours are on that connect. And then I'm

routing through, all your traffic is going through me. So that's a common attack that we use professionally when doing testing. And this card is good. This one up here, and we're going to talk about this tablet a little later on. But the top card here is this TP-Link one, which is a Chinese brand that started to make headway in the US and it's phenomenal. It's got a little extra connector. Yeah, go ahead. It's the TL-WN722N and it has an Atheros-based chipset which is capable of all the modes that he just went over. So that's one of the things you'll see. If you start looking at wireless chipsets, the ones he's showing you are capable of all four modes. A lot of them are neutered to

a point where they'll only support managed mode or one of the other modes, a few of the other modes. But most of them are not capable of injection. These three are very good at injection, and that's very important when you're pen testing with it. Yeah.

keeping it. Why would you ask me if I'm hacking wireless? I feel like you're stereotyping me, guy. Every time. All my adapters are disconnected.

Why are you ass looking at us? I don't understand. If anything, I'd do that for my phone. Yeah, so I know a lot of this would, you know, kind of going over the hardware and not so much the software side, but it is very important, the injection. A lot of our really advanced attacks will use injection of packets or pretending to be an AP and stuff like that. And a lot of, we won't go over the tools that we use, the software backend. Just a very brief, if you want to do any of this stuff, look up. There's actually a distro out here that I haven't had much interaction with. What's the Arch? Arch Linux? No, the Arch, there's Arch Linux, but what's it called? They've got

a black, they have BlackArch Linux that's out for pen testing. ArchAssault. ArchAssault is out there. And I just recently heard of them. So I want to go check out that booth. That sounds interesting. But there are other Linux distributions that are packaged for doing pen testing scenarios. So those have a lot of tools built in. So a lot of this hardware will either work generically or some setup work with those systems. And almost everything we're talking about runs best on Linux, surprise, surprise. Most of these tools will interact with Linux systems and not, and they're also, most of them aren't commercial grade. So these that we're focusing on here are generally the DIYers' version versus the very high grade professional ones that

you might need or finance that are like $1,000 or something like that. So we're trying to focus on something you can kind of do at home for the most part. And we'll hold questions at the end. I know we're going to go through a lot of different technologies here, but because we were late, we'll try to go quickly. Bluetooth. So moving from Wi-Fi, those three cards are good. Normally I have all three of them because they do different things better. So that's about $100 worth of Wi-Fi cards, but one of them will suit you if you want to get into testing. If you want to do Bluetooth stuff, this is the best one I've found,

bar none. It's about $40. It's the Parani UD100. It's great because it has, do you have? We can pull it off the Nerf gun, if you want to grab. How many of you guys have seen, I've got it in the booth around the corner, the Nerf gun. So I'm not going to talk about it specifically in this talk. We'll pull some stuff off it. But if you have questions, please do come by later. So this Bluetooth card is great because it has a connector at the back end that I can add additional high gain antennas, which is also the case with all of these dongles. So they have additional antenna connectors, which you can use, as opposed to, so you can extend the range a lot.

So this is a great one, has a good chipset, a lot of Bluetooth stuff works well with this. And that comes in very handy sometimes, just based on range, but also just based on the build of the building that you're in. So sometimes walls are thicker, it's harder to to see what you're wanting to attack. Sometimes you don't want to be in the same room as where you're attacking or the individual that you're attacking. So having that capability to have an external antenna on it is huge. So you can sit in the parking lot or the hotel across the street, point it at whatever your target is, and hit it there. So their cameras can't pick you up. Nobody sees you on site. And that's what

a lot of these high gain antennas allow you to do. A lot of them will work. Antennas work with the Wi-Fi antennas for RF reasons. A cool little tool here at the bottom is the Ubertooth, which does Bluetooth sniffing. So unlike Wi-Fi, where you can use a lot of Wi-Fi cards to sniff, the Bluetooth chips don't support that, so this is a custom tool, a hardware for sniffing Bluetooth packets. It's a lot of fun. I ported it over to the N900 phone, which we'll talk about a little bit later, so I can run this off of my phone. I did a couple other things with the phone. That's my funnest gadget of the evening. We'll be talking about the phone. But that's a good

one if you want to get into the Bluetooth space, a hobbyist. ZigBee. How many people have heard of ZigBee, know a little bit about ZigBee? That's a pretty good amount, the crowd. What's it predominantly used for in our everyday lives? What's the thing that's coming? Who said smart meters? All right. We'll get you a swag bag. You have a drink over there, so there we go. We can put a drink in there. Smart meters are a good one, a good example. The Internet of Things is a big one. A lot of low-power devices are using this now. So they're trying to use this and the next technology we talk about for low-energy bursts of updates. So these two are very common now, and they're being put in embedded

systems quite frequently. So one tool, and I'm not sure if this is still available, somebody made, Dragorn, if you're familiar with him, he did Kismet. He made like 100 of these as an initial batch, and was going to do a follow-up one. But this hardware, much like the Ubertooth, is specifically designed for hacking, testing, ZigBee technology. And it runs on the Android. Most of his stuff for this is running on Android. I keep trying to get him to port it to normal Linux land, but he's starting to support it a little bit. So you can do the same things with this. You can sniff. You can inject. You can monitor. You can try to join networks or disassociate devices. And there's a lot you can do with

that, trying to penetrate a network and jump into the network and attack other nodes and read the water meter or modify it or tell everybody, no, I haven't used any water. That's a low end one. Think of a larger attack scenario, SCADA systems. If you can get in through a wireless technology there, what can you control? Can you turn something on or off? That's a high possibility with these low power technologies. You'd have to look on the Kismet website. He'd have the link on there. So we were talking about providing links for a lot of these things. But unfortunately, they get scattered around a lot. So looking up the KisBee is probably your best bet. And a lot of times, multiple different

vendors will sell these products somewhere. We don't want to really endorse one specific vendor over someone else. But these names are very unique in most cases. So if you go and Google for it, use some Google-fu, you'll find several places. DuckDuckGo? DuckDuckGo, yes. I'm sorry. Anti-Google. Another one with ZigBee. So that one was a custom-made hardware for ZigBee testing. This one was a modified firmware for ZigBee testing. It's the Atmel Raven. We're very familiar with Atmel in this room for all the Arduino projects. They all are Atmel-based. This was a testing device they came out with for 2.4 gigahertz testing. And somebody flashed, Josh Wright flashed it with special firmware for the KillerBee stuff. So you

can sniff and inject and do a lot of the same things. The problem is the hardware really wasn't designed for it. So the other one does a little bit better. I have both of these in my arsenal for my testing, and I kind of bounce off. This is a little bit easier. The problem is flashing this one is a big pain. You have to have some very expensive equipment. So it's out there. It's been an open source project. The backup for this is most of these are open source projects. Some of them are open source hardware. So this one is nice to have. I've used it a lot. But I have to mail it to

him, the guy who did the project. I mail him my hardware. He flashes it and mails it back, which is very nice of him. But if thousands of people started doing that, he might get a little more upset. So moving from that onto RFID. How many people use RFID at work? Badge systems. Badging in and out, very common. Credit cards nowadays. All over the place. Have you played with this one at all? Yeah, we talked about it some. Do you want to? Go ahead. You need to know more about it than I do. This one does the 13 gigahertz, 13.56 or 5.4, I always get that messed up, gigahertz range, which isn't what most of our badges use here. But it is what some of the door access

ones won't, but a lot of other badging systems, sometimes for hotels and places like that, Or a lot of conferences give up the other frequencies, because the cards might be just a little cheaper. And so this particular one, I have it covered by a pirate sticker. But you can look it up by that number. It works with Linux. It's the PC, or CDP, PCDC, I think is something like that, the library name that interacts with this. But there's a bunch of tools written for, again, the same things of reading the cards, replaying the cards. potentially writing new cards if you have special cards, analyzing the different signals. Because with RFID, if you're not familiar, there's different frequencies, and there's a lot of different

standards, lots of different standards. So your badge access might be different from the badge access of the company across the street. A lot of variants in there. So some of that's firmware, and some of that's hardware. But this is the best one that I've found that works in Linux for testing. And I can bump badges with this to a certain degree. The best one, and I apologize again, there'll be a few pictures missing, is the Proxmark. And this one, it's a little more expensive. It's a couple hundred dollars to get the entire kit. But it does all the RFID stuff, and we use this a lot for badge bumping. So if I'm on a physical pen test and I want to break into a building, I go

to the New York Starbucks, I wait there until I see somebody with the badge of the company that I want to break into, and then I get behind them in line, three centimeters and I can bump them and clone their card, their badge access card. And then I walk in the front door by using this case. And this is the antenna for it. So it's a flat antenna. It could all sit right there in that little case or you could put it in like a tablet case, something like that. Very inconspicuous. That's right. So this is what I'm holding in my hand, which just looks like a camera case or something like that. Or I

have in my bag and it's just, you know, that's it. That's all it takes to clone the badge. And it runs on a portable battery. And then you just put it into a different mode and it'll replay. So then you walk up to whatever badge swiping mechanism, if it's a door micro or something like that. You put it up to it, it'll replay when it senses it's next to an RFID sensor and you're in. And you're in, yeah. One of the guys I work with wrote some firmware for this that'll actually escalate the badges. To say, most of the badges are going to buy a stack of them as a company. And you're going to

issue it to you and then issue it to you and issue it to you in increments, right? I'm going to just pop them off the top. But you might have access to the, you know, you have access to get in the building, but you have access to the server room. And then you have access to, you know, you're a CFO or whatever. You're getting into a different portion of the building. Well, if I can increment the serial number that's assigned to that card, once I get one, I can either decrement or increment to say, I got in the building and I keep trying that until I can get into different portions of it. So that's

something else you can do with RFID. And there's lots, lots more. And again, we're just scraping the surface of sort of the hardware to look into. But yeah, there's a lot. And most of them use the insecure versions of the badges. That's what we've found. Because security is hard. Security is hard, yeah.

GPS, you want to talk about war driving? Well, I mean, so if you're doing a physical assessment and you're trying to get an idea of how far away you can be to attack a specific location, or if you want to look for other networks that are around it, How many of you have war-driven at some point? There's phone apps, right? I mean, you don't even really have to have specialized equipment to do it anymore. OK. I mean, looking around for networks and tracking with GPS, there's nothing wrong with that. Consult a lawyer before taking anything I say seriously. That was my post preface. Yeah. But so, I mean, you can map out that network and

the networks around it and find out what range at which you can attack. If you use, like, a Yagi antenna or something that's directional and has good range, And as long as you can keep a good signal rating, you can map out specifically where you want to attack this down to a GPS location and just start from there. Or if you're providing intel to someone else that's coming in to help you perform the assessment, then they can use that information from you. And so I forget. I use Velcro to attach everything to everything. So it actually covers up the number. The model number for this one, it was like the top USB one on Amazon

for a long time. And this one works really well with gpsd, which is what comes with Linux. And it's like 20 bucks. So I know a lot of things have GPS built in. Yeah, what's the model number? You can see yours. It's like GlobalSat, right? BU-353. OK, it's like a GlobalSat USB, on wherever online vendors. And so most places, most things have GPS built in, like your phones all do now. But if you want it on your laptop, not always the case. And this one has been around forever, but it works great. You can tell, I've taped mine together because I've dropped it so many times. But I really like this one for, if you need to plug it into a computer and do

your war driving, it's a great one to have. Which, you know, I have clients that want to know how far away I can see their devices, so I have to use this on occasion. to track exactly where I'm at. And this is a nice, cheap one. A lot of clients don't realize how far out their signals are reaching either. So when you show them how far out it is and that they're, you know, if they're using, you know, industry equipment, most of the time they have the ability to turn down that signal frequency to prevent their wireless from being prone to that type of attack.

This is another one, didn't have the slide for it, that I'll hold up. And a lot of this stuff, we'll have, again, if you have questions or wanna see it, see me after the talk and have it around later on today and tomorrow. So I talked about Z-Wave a little bit. Is anybody here familiar with Z-Wave as much? A little less people. Z-Wave has been around for a long time, but it's kind of up and coming, but it's not as predominant as ZigBee here, but they're essentially the same thing. So we're looking exactly at the same target audiences. Their implementation is a lot different, but they kind of serve the same purpose. And so the

Z-Stick S2 is a really good one. It works with several Linux stacks with a few tools in it. And it's flashable firmware through serial. So there's a lot of fun stuff about this particular one. There's only about a dozen USB Z-Wave dongles. A lot of them are, just like ZigBee, there are very few dongles that do it because they're not designed to work with your laptop. They're designed for embedded devices. And to control them, how many people have used XBee on their Arduinos? It's a pretty common way. So you're doing like a serial shield to control lots of things. So there aren't many USB sticks for a lot of these things. You're going through

and embedding them and stuff. But this one in particular is pretty good if you want to start testing some Z-Wave stuff. And if you do a little searching, you may find firmwares out there on the internet. Quite possibly searching for firmwares, you might discover ways to flash it and sniff things. So I've heard.

They're totally different protocols that do similar things. So they're working on low power systems. They're beaconing out. They're there to remote command and control and not feed lots of data through. Like the bandwidth that Wi-Fi has, you can stream a video over. This is like, turn on, turn off. I'm a thermostat, here's what I'm at right now. They do it every few seconds, so it's really there. The goal, I remember reading about ZigBee, was supposed to have a device that could sit in the corner on batteries for five years and operate. Because it turns off the radio so often that it can last a long time. The thermostat on the wall doesn't have to be

plugged in to actual power sources, just to run off batteries forever. So that's the idea with these technologies. As I said, they're up and coming, but they're the ones you don't see as much, right? Because they're not on your phone. So you're not necessarily aware that that's how they intercommunicate. But if you start using these tools, you'll see them more and more in places you might not expect. So they're definitely emerging technologies that we're going to have to look into seriously for security issues. Yeah, they utilize security through obscurity a lot. They don't document a lot of the portions of the protocol and how to be able to get the ability to write to it or to control devices that are Z-Wave unless you can give

them a certain dollar amount that most of us can't reach. Yeah, you have to join their SIG to get their documentation. They're very much more closed source than even ZigBee is. But even a lot of them have proprietary stuff residing on the layer of ZigBee or Z-Wave and go above. They're a little bit more difficult to target than Bluetooth and Wi-Fi that are very standardized and very public.

All right, moving off of wireless stuff. There's some other cool wireless tools out there, but these are the kind of the ones that I've played around with a lot and that we've both used a little bit. So it's funny because those were things none of you have probably ever heard of, right? Those exact models are things that are kind of obscure. And then we go to OTG adapter. Well, all of our phones and stuff now have OTG, but it becomes really handy for pen testing from a phone or from a tablet, and that's what we can do. And we'll discuss the devices we use a little bit later. But keeping adapters, I'm an adapter hog. I love adapters. If I see something adapts to something I don't

have, I want it right away, even if it's a stupid little serial adapter to something obscure, like serial to ethernet. I'm like, oh, I have to have it right away. Yeah, bags and bags of adapters. This usually scares people. That's right. All adapters and, yeah. That's why we're both giving this off. We both hoard. little toys and everything, like nobody's business. If I tip it over, it'll all fall out. This is a big deal, right? Because I can hook up to my tablet device, all the stuff I just talked about, in theory, if I can get it working with drivers and whatnot, now I don't have to carry around a laptop, right? I can carry around my phone or

a tablet and perform the exact same tasks. So OTG cable, great. Or if I steal a flash drive off somebody's desk or I'm on site, I can plug it into my phone or tablet, copy it over and put it back versus stealing it. Popping up a laptop looks a little bit more suspicious than just having a phone or something available. You recently did a little gig with just your phone, right? I did an entire, I'll talk about the phone at the end, but I did an entire pen test with just my phone recently, which was a life goal. Check that off the bucket list.

USB to SD card reader. I don't have a prize. I don't have to ask about what's the benefit of using an SD card over using just a standard USB thumb drive. Write protector. You want a t-shirt or a cozy?

Yes, that is correct. Right, oh, yeah, close enough. Write protecting. So the SD card, not the micro SD card, although there's no good reason for it, because it's just copper wires running from one end to the other if you crack it open. There's a little tab on the side, right? It says lock, and it has a little arrow. And that will write-block the micro SD card. So coming from a perspective, if I want to plug in them, I might want to use my hacker tools to assess the local system or gain further access to the network. Yeah. So you can see the little tab on the side here. Very advanced. Very advanced, yeah.

So I want to like, you know. You all know what it is. Yeah. All the, you know, the pesky antivirus wants to say, no, you can't run your hacker tools, and then it deletes all of them, and that makes me sad. So in this case, I can flip a switch, and it says, you can't use those hacker tools, but it can't delete them. So at least when it fails, I can go, okay, plug it in this one. Oh, that one didn't have AV. All right, all my stuff is still there. It also protects if you want to share files, even in your everyday life, it can't write to them. So if I have to share

a file with you, I can use this method and, you know, your maybe possibly infected system won't upload. So it's good for me as a pen tester, but also if you're doing forensics, it's kind of nice because you can load your tools and it's not going to write to it. Fair warning, this is not in the hardware. This is a suggestion to the operating system to do this write block. However, I've never had any issues with any OS not obeying that. So whatever level the antivirus is running at isn't low enough to say, no, this should not be, there should be read-write, and I want to delete these files. So I haven't run into issues with that yet, but it's not a foolproof hardware write block. They have those

exist, and they're just super expensive. So I use this. I use this at DEF CON. Are you guys familiar with DEF CON? Big security conference in Las Vegas. So I distributed, I have a tool called Katana, which is a kind of conglomerate of a lot of distros. And I wanted to give out my beta, but I didn't want to burn tons of DVDs like I did before. So this is on a table, at the Hackers for Charity table at DEF CON. I was distributing it and saying if people wanted to donate, that's up to them. So I hot glued a micro SD card into the SD card slot, then I hot glued, locked it, hot

glued that into the adapter, and then I tied, using fishing line, I tied this physically to the table. And then I said, OK, you guys, you can come over and copy over the files. And so people couldn't read-write to it. But yeah, that was like the day before. I just had my hot glue gun around, copied a bunch of stuff over, and had people copy it from the flash drive. So that was kind of entertaining to actually tie it to the table itself. But it worked. It works pretty well. In the same vein, having a micro SD card reader is really handy, because I want to switch off my phone micro SD card to the laptop, or a small flash drive is way better than a big flash drive when you're doing

a pen test because you don't want to stick out there and look noticeable because if you have to bail right away, you have to walk away and you're on site, you can leave it there. If it's on the back or something, it doesn't look, it doesn't stand out as much. So I personally prefer to have only a micro SD card adapter and use that as my flash drive and I can make that multipurpose. And you can get those for like Two and three bucks off of the Electream or something like that. They're super cheap and some of them work better than others and again there's no branding for either of these. This is just using

SD card reader, micro SD card reader, generic, figure out whichever ones you want. But these are things that I always keep in my kit. USB adapter kit, always handy. You never know what kind of device you might come across and you want to plug in and it might have some obscure USB connection or it might be like the iPhone or iPhone 5 or you have different connectors there, different sort of adapters. So having a kit full of those, if you're on site, wanting to test something, and you'll be able to grab any kind of phone and plug it into your laptop right away and interact with it and dump stuff off, you gotta have that

all on you right away. So that's why I keep a big pile of USB adapters with me. Yes.

Yeah, that one does come in handy a lot if I have to do things like that, because it's the dual male one at the bottom, which is the odd cable, but I've actually had to use that several times to have different sort of connections where it wants to be the male-to-male. That or the little On-The-Go cable that you showed a little bit ago, if you want to take that to a male USB, then something like that will convert it over. Yeah, exactly.

USB hubs are friendly. I'm USB, USB, everything I try to get USB, USB, USB. This is a cheap one I found that was solar powered and had the battery pack in it, which I thought was super cool. But just, you know, that alleviates some of the power from your laptop if you're doing a lot of stuff. Wi-Fi cards, yeah, suck out a lot of power. If you're sniffing Wi-Fi and you have, you're unplugged, your laptop's going to die quick because that sucks out a lot of power. So this is helpful for me and my little gadget down here, to save some power and offload a little bit of that. But generally, a portable USB hub

is a must. Because, I mean, what, normally three USB ports? How many people have more than three USB ports on their laptop? More than four. See? That's why we all need to get together and design a laptop. I want a laptop that would be like an entire array of USB on either side. I don't need all these other ports there. Yeah, I need like... I want eight. I want eight on my laptop. I don't care about your fan. There's no room for a fan in here. I just want an array of USB. So that's why I have to carry around the USB hubs all the time. And powered versus unpowered is a big deal. So if you're not used to using USB hubs, you want the ones

with at least two prongs in them, because they need additional power for USB 2.0 or three. So having one that, you know, additional power pack or something like that. is handy. These do not like unpowered USB ports or USB hubs. You get nothing. And they get extremely hot and tend not to work afterwards, right, Chris?

I've burnt up a few. Yes, they do. It's not even overclocking. If you're overusing them for sniffing, cards do die, unfortunately. It's not uncommon to see. Cat5 to Ethernet adapter. You're going to take this one? Yeah, I mean, you know, sometimes you're going to run up to a system that has, say, one physical Ethernet connection. It's already on the network. Or say you want to pipe someone's traffic through your system. If you only have one NIC in your laptop and then you have a USB NIC, then you can use iptables or, you know, you can use IP forwarding and route that traffic through. You can either sniff passively in a network situation where you're between two network connections. But they come in extremely handy. Another great use for them is when you're using virtual machines. So if you want a virtual machine to be on a physical network, on one physical network, but your host is on a different one, you can use a USB adapter for that. These wireless adapters, the TP-Link as well as the Alfa, are also very handy when it comes to working with virtual machines to perform your testing. So a lot of VMware or VirtualBox, any of those, most of them cannot utilize your physical system's wireless adapter. So if you have a USB wireless adapter for that, then you can have your primary system on one network and your virtual machine on a different network. So the same goes for physical Ethernet. It gives you that separation that allows you to be able to do deeper testing without possibly muddying the waters on a different network. I do that all the time. Whenever I go into a network, I like to keep my host system with all my corporate documents and email, blah, blah, blah, physically separate from my attack VM, because I don't want to even have to plug it into the client network with my normal stuff. I'll go through some other method, and then the test system or systems will be directly connected there. It's more convenient. It makes things a little bit faster, and you're not screwing up by accidentally setting it in NAT instead of bridge mode. So I very commonly use this method when I want to attach my systems that I'm testing with to the network. You just do USB pass-through. And also, I think you're hinting towards it, but setting up your own router, like setting up my Linux system as the router, plugging in your box to me, and then routing it through is the same concept as being the wireless access point, right? If I can get you to connect through me and become your router, I control your DHCP, your DNS, all traffic comes through me. You know, if you control DNS, what's a fun attack if you control DNS? Anybody? Like an actual? What?

That is a fun attack. Security-wise, but see me afterward. Are you getting too cozy, sir? Note to self, how to screw with, you know, who has roommates? That's a fun one. I'm going to get a roommate story later on. Yeah, you're physically man-in-the-middle at that point. So anything you want to do is technically possible. You can inject into their traffic. You can clone a website. Yeah. Cloning a website is another good one, where you go to Gmail and I clone Gmail. And so now you're going to me and I pass your credentials on. That's our classic man-in-the-middle. But everything looks up and up and looks fine and everything. How many of you use SET, Social Engineering Toolkit? So it's a very quick way to be able to clone any website that you want, tell it to harvest credentials, or physically attack the system that pulls up that web interface. And if you're controlling DNS, you can pull in every website to come to that one. So you pretty much drive, it's herding cattle right into your attack system. So moving back to the wireless a little bit, the hardware of antennas, we have two types that we're going to talk about. Omnidirectional, which are the ones that stick straight up and go around. These are small. We judge it. dBi is sort of related to range. I know that's not the official relational cause, but it does. It's the dBi, and the size does matter with antennas. But this one's like a 5 dBi antenna. Generally you go up to like a 9 dBi, and that's what I'll carry around when I'm actually doing a pen test and I want to get a broad range, which isn't always the case. Sometimes if you're doing like a Wi-Fi based attack and there's, you know, say I'm in a building and there's an apartment complex nearby, I don't want to broadcast an attack then. I want to make sure that I'm only attacking my local system. So keeping a scale of antennas or, you know, I have a very, very tiny antenna for keeping it as local as possible, it's good to know how far you're reaching.

But if you want to walk around and sniff as much as possible, this one will cover around you, right? So you want this to stick up, and it will sniff or inject or interact sort of in a, it's actually like a donut shape. Versus Yagi directional, which is targeted. So you see up here, the ones that I'm going to shoot everybody with now are several kinds of Yagi directional. There's actually flat ones, and there's long ones here. And they're kind of pointing out, depending on the type of antenna, we'll say roughly 45 degree angles out from the middle, so kind of a 90 degree area. These are the professionally purchased ones. These are what are known as cantennas that you make for fun, and they kind of work OK. Or you have to tweak them for a very long time. So if you look up cantennas, it's a really fun project. This was one of the first things I ever soldered, was the cantenna together. And that was a fun thing for me. But these are good if, like you mentioned before, if you want to be across the street or a couple of miles away and I can target your building, I'll just point this directly at it and be able to do whatever sort of wireless tech I'm using to interact with your remote server. And then we have satellite dish ones that'll go even further. It's all line of sight at that point. And some of them you're working on, we're worried about the curvature of the earth, that can go so far. So you have to be, you can't just go straight out, you have to be high enough that the earth's curvature doesn't interfere with what you're doing. So you can get pretty far depending on what you're testing. And when you're broadcasting at that level, sometimes it requires more power. So again, that power... Look up FCC first. Yes. Sniffing, okay. Power output, very important to not roast yourself. Was that a centaur that just walked into the... What? Did I miss a centaur? You messed with me. I was looking down at the slides. I was paying attention to the slides. So here's some card readers, generic card readers for all kinds. Yeah. Yeah.

Right. Right. A ham license helps with how much power you can output, essentially, with broadcast. It's still limited to the amount of not frying your hand when you reach it above there. But if you get certain ham licenses, you can play in the wireless field a lot more.

Yeah. It gets expensive to actually, before you get in trouble. Your neighbors get upset if you run them. They do, yes. They kind of wonder what's going on when you have a dish sitting out of your apartment. So this is a generic card reader. Again, this is if you're on site, you want to pick up something. The blue one is a SIM card reader, writer, whatever you want to do with the SIM cards. The older ones were easier to dump somebody's credentials, somebody's phone book and stuff. Now they encrypt a little bit. But if you want to write your own SIM cards, and people that do their own cellular networks, which we had at CarolinaCon a few months ago or weeks ago, there was a guy there who was setting up his own local cell network and just had his own SIM that he wrote to, and just a hobbyist thing. But for our purposes, we could potentially read data off of the SIM card. I like this one. This is my USB spaghetti monster. It's just a universal charger. It's got all the adapters there. I use it all the time, but it's also good for powering devices. And it just does, this just does power. This is why so many rippling off. So like if you have your portable USB power pack and you need to charge something, or you want to run a Raspberry Pi portably, something like this will work across the board with whatever devices you have. So this is one that everybody's familiar with the concept of, right? Key logging. So you can do physical key loggers, you can do virtual key loggers, but the physical key loggers you can set and forget for a little bit and then come back. This is a PS/2 one, which is probably not going to ever be used again. Pour one out for one's homie. Yeah. And then USB. And so basically, when you plug this in line, it's very inconspicuous. It doesn't get seen very easily. As long as they're using an external keyboard, it'll work like a champ. It does not show up in the OS at all. So it's completely hidden.

It's just an HID device. So it doesn't matter what your credentials are, it'll install. So what happens is when this plugs in, it just starts logging everything to internal storage. If you know the right key combination to hit, then it'll dump everything that it's recorded into a notepad file. But that can also be changed through the administrative interface. So it's sneaky, scary, but very useful for physical.

Plain text passwords, awesome. That's great. It doesn't matter how good your back end is, you have to type in your password at some point. LAN tap. How many people saw the LAN tap I had sitting out earlier? Okay, yeah. So this is the same, this picture, the same one. And there's lots of ways this goes down. The first one, I actually made one using two cables and soldering. There's some instructions online on how to DIY one. If you're getting into soldering, the first thing I ever soldered was a completely wired LAN tap without any PCB board. It looks awful. The globs of solder are there and electrical tape wrapping everything together. I still have it. I can't believe it still works. This is better. If you want to look for this, look for Throwing Star LAN Tap. If you took off the RJ, the jacks, it's actually shaped like a throwing star. And the guy who made it, I saw his presentation, this is his business card that he was giving out without everything soldered together. And he was giving a presentation and was like, oh, that's a good, you know, somebody answered a question, he's like, that's great, here's my business card. And it was like, so that lasted a little while, and it was like, oh wait, that's not, okay, come up, here you go, here's your LAN tap. But this is great, because you can't physically inject on this network. So the data comes through this way, right? I've got my computer here, connects in here to the wall. Everything's fine. And these ports are passively sniffing. So they're getting the transmit from this way and the transmit from this way. And they're reading it in, but they can't transmit into the network, because there's no actual wires going there. So you get to have it sitting there and sniffing. And this is a nice little tool to plug into a local network and monitor completely passively without having to join or have any authentication. Word of caution about this, because it is so minuscule and small, is that you do have to have two Ethernet connections to your attacking system to capture both sides of the conversation. If you just have one, you're only going to get one side of the TCP or UDP conversation. So you have to have both of them plugged in to get the full conversation. And you can set that up using separate PCAPs or however you want to handle that. I was looking for it. I thought I had it in my bag. I don't. Another option to this is I've got a five-port Dualcomm gigabit switch. It has port five spanned to port one. So anything that, so say I go into an organization, I plug port one into their physical network. I can have three other devices on that, and then my attack system that's monitoring the traffic that's going in and out. So it basically has a hardware, you know, hardware span port, and I can capture any of that traffic and manipulate that traffic if I want to. But they range about 100, 150 bucks.

15 bucks and you build it yourself, and it's a fun little soldering project. We're both on the same page as wanting the cheapest DIY version of everything. Everything here pretty much is going to be the cheapest DIY one. This works well if you want the 95% awesome, and then you want to pay 10 times as much for the 100%, depending on how accurate you have to be.

Yes, it gets the whole conversation. The other piece about it is it's gigabit capable, so you get full speed. This one, actually, the resistors on there will drop it down to 10 megabit for capture. So it's 100 megabit at the port, and when you plug it in, it looks like 100 megabit. But it tries to squeeze everything down to 10 megabit. So it's a little limited, but it's very small. You can put that in your pocket. If I pull out a switch, and then I have a USB cable plugged in for power, and then I've got three network cables coming out of it, that's a little bit more, you know, more conspicuous. So different purposes. If I need to do gigabit, probably in our repository of stuff we'd have this. But if you want to get into the field and learn a little more, definitely do this first. And unless you have to have gigabit, this is pretty good. If you're doing an on-the-wire assessment and don't want to drop a packet, get the Dualcomm switch. Absolutely. And this is another one, having an access point or router, a small one, is the most ideal. All of us want to put, of course a lot of people here are putting Tomato, DD-WRT, OpenWrt on there. So those are better, because you have much more control over them, right? So for purposes, I don't really care which one of those I'm using. But I need port forwarding. I need to control every aspect of UPnP. And sometimes the generic routers, you uncheck a box, and it says OK, and it just ignores you. So putting the open source ones on there is better. So for this testing, the same scenario as before, I want to be able to control the routing of my target. I didn't think I did anything. Boo. Just shut off the projector. Really, it's that boring. So nobody in this room has an access point powered up right now, right? Yeah, okay, all right. Only the people with devil ears could possibly, oh wait, no, it's just evilness in the crowd. So having the access point there is nice. Another thing is if we're, for example, how many people know what the MAC filtering is, to block, MAC filtering, right? So if you want to somehow block me from just plugging into your network, you might have a whitelist of MAC addresses or some certificate base or something like that. So a lot of the computers that we run into in our environments have that built in. So they know they can authenticate in some way, shape, or form to the network. But a lot of times things like printers don't. So I walk around, I find a printer, great, I can use the MAC address of that printer to get on the network. But I don't want to clone that and then sit there for a week with my laptop in whatever obscure area the printer's at. So instead, I use a router. And most people here have cloned their MAC address, right? I mean, you can clone the MAC address of a router. So you tell the router, hey, use this MAC address for your Internet WAN port, which will be the MAC address of the printer. You plug in the network, it says, oh, great, the printer's back there. Or you change the name and a few other things, forward all your ports to the printer, so the printer acts the same, people are able to print, nobody knows the wiser, but actually this access point under my control could be broadcasting, I could have it, I could connect into it as a network, and I can sit, you know, somewhere else down the line. And we're gonna talk about a tool in a minute that helps with that scenario as well. But this is really handy if I wanna sort of be between an area and not, you know, not have to sit there. Yeah.

Yeah, which doesn't help. It doesn't matter to me, because I'll just clone the MAC address. So unless you're doing like 802.1X certificate-based, I can get your MAC address, because I can see. It's literally, you know how to get a MAC address on a printer? Who besides this guy knows the easiest way to get a MAC address on the printer? Print out the... This is for you. You're going to get another one. I don't want to throw it out that far. You print out a test page, right? Super simple. Go to settings, print, done. MAC address there, IP address there, subnet there, what ports are open there. Everything is printed out there, so you don't have to even unplug it before you preset your router. As soon as you plug it in, it's just plug in, plug in, everything is good, life is good, I have all my attacks up there. How many of your networks run network access control of some sort or another, right? Most of the time your network access control is completely useless when it comes to the printers, because of the type of traffic that they're running and the way they have to authenticate and their uptime requirement, because someone's going to have to complain they have to walk down two aisles to print something. Most of those are whitelisted. So it's a very common attack vector. You need to look and try to find ways to secure that in most organizations. So this is a follow-up to that. Has anyone messed with these at home or at work? So it's Ethernet over power. We're used to PoE, power over Ethernet, the power device. This does the opposite of, there's two of these and they're twins, or sisters, I don't know why you wanna, twins, Basil? Twins. So I can plug, I have, I plug one into the wall over here, plug an Ethernet device, like a printer, like my access point, into that, and then I plug in the other power cable somewhere else in the building. Over the power lines, it transmits Ethernet. And then the other one, the twin on the other side, I plug that into my laptop. So I can be anywhere on that same power circuit line area and connect with my laptop. So I could find a closet. I could find a desk. I can go wherever, generally within the same floor or region of the floor, and set up, and it's going to go through powerline. And how many people's IDS detects powerline-based Ethernet? No? Really? You guys are detecting it. Wow, OK. So would this attack work? Yeah, it's really good to get anywhere you want to outbound traffic. So that's a quick one. Those are very common too. Go to any tech store, you can pick that up. If you put the Ethernet on the powerline, you need the power extension to get back on. Right, that's what this is. That's why you have two of them. It's wired. I mean, if you want to somehow monitor your power lines for data, you could. There's nothing stopping you at that, but I don't know of anybody that does that. We're going to speed up for some of this stuff. We're, of course, going over a little bit. USB power pack, you know, by itself. Everybody has one nowadays. I used to get really weird stares when I was charging my stuff with this like two years ago, and now everybody's got one. So now I'm, I don't know if I'd say less weird, maybe more accepted by people. Less weird doesn't fit. I'll let you cover this one. Yeah, so the little USB keyboard, it's about the size of a phone, and has a little detachable dongle with USB. So kiosks. Anybody have kiosks in their environment? Most of the time you hide the keyboard, right? Well, that doesn't really work for this, because as long as I can find a USB port, I can sit back and make it look like I'm playing on my phone and completely control everything you've got. It's got your touchpad. It's got a pretty good range. Sipping coffee over here, looking at the kiosk over there, trying to brute force things. A little laser pointer on it, too, if you want to mess with people. But it's really awesome. You know, make them chase it like a cat. Just keep moving the mouse over. I was smart. I tried to click on the right-hand corner. No, no, no. These are also very fun pranks. So, you know, you have a co-worker that has been messing with you or something, you plug the dongle into their machine. Which, as IT people, we never get upset with any of our coworkers. The people we support, right? Stand behind them, ask them to help you find something, and then just sit there and continue moving their mouse around. Freaks them out. It's awesome. Good morning, Dave. Whoa! It's HID. It's RF, so you don't have to install any Bluetooth drivers. And I think they're like $20. Tons of fun and very useful on a pen test as well. Lasers. Mini Me. You want to blind the entire audience? Just point it up. Oh, we've got the... So sometimes motion, like if you can see, it's like a glass door and there's a motion detector on the other side. Sometimes lasers will actually trigger the motion detector. And you can unlock a door from the outside by pointing a laser pointer and then wiggling it around and stuff. How many of you in your comms closets, things of that sort, have a motion detector on the inside that unlocks the door when you walk out? Right. That's very common in most environments. So you can use something like this sometimes and shine it underneath the door if there's enough of a gap. And sometimes it'll see that and trigger the internal mechanism. And you can just open the door and walk right in. Another thing that I've used, and we don't have it in here, is you can fish a little balloon underneath and have a small helium tank and fill it up. So if that doesn't work, you just fill it up, let it go, it'll fly up, and usually it'll... So you just have a pack of balloons you keep trying until the door opens. Which is great. I'm sorry, but I haven't ever done that. I know people have, but I'm sure if you don't get in the next day, the admin's walking in like, was there a party? Who threw a party in here and didn't invite me? That's so uncool. They are getting better at this. I hate you guys. Some of them are checking for specific heights, and they're checking for bodily forms and stuff like that. So I had a buddy that resorted to a blow-up doll. But that's a little bit different. What are you doing? Nothing. Go away. Show them the flashlight. I'm John. Don't shut at them. This thing is insane. Yeah. Yeah. I got one of those. So that will set it off, too, in a lot of cases. Yeah, get some rave. We need Digitally Imported going on here. But yeah, so sometimes just a simple flashlight can set it off. Or sometimes when you're crawling through someone's closet, they don't have proper lighting. They're trying to keep it cool. You may need a light to be able to find a switch port that you can plug into. Right, or if you're just ducking into a closet that happens to be like the server rack room, like, oh, well, all right. You don't want to always flip on the light, right? Because sometimes it'll show into the door. If you're doing like an on-site pen test, you don't want to flip on the light, because it's like, oh, that's weird. The light's on. So you use a much lower powered light, and you're kind of pinning on looking for what you want to, essentially doing sneaky ninja style stuff. That one, you put it through your shirt. That's right. Yeah, exactly. Dull it down a little bit, or use a black light. But yeah, so sometimes the simple things work well. We have a lot of hardware people in here, and I'm not going to cover what all of these are. But if you're going to be targeting specific hardware or you need to bypass some sort of hardware, getting the programmer for that, possibly uploading, or pulling off the firmware and modifying it, standard serial adapters, things like that are great. Because the security community as a whole has been very, very software driven for the longest time. It's always software stuff, network hacking, wireless hacking. And in the last couple of years, it's starting to sort of get that hardware is actually the fundamental issue. If you can bypass things in hardware, malicious firmware, things like that, that's really a big concern. If I can ship you something, you plug it in and it's evil, then who's going to think if I plug a TV into my network, it's bad, right? But if I put evil firmware on it, it could be. So I think hardware hacking in the malicious sense, not just the modification DIY fun project, is becoming bigger and bigger. Just a word to the wise, be careful buying used electronics now, because it's very possible it's been backdoored and just returned to the... to the retailer to sell out again for someone else to utilize. Because everybody who does electronics knows there's really only so many chips, right? There's tons of products that are all based, like 1% of the products out there, they're all based on the same 1% of things. Like you think it's 100% of the space, which boils down to these small number of chips. So you just need to know how to write for those chips, modify the primary firmware, and bam, you've got a malicious system. So getting hardware programmers and serial adapters and things like that is also a must if you're going to be doing any hardware stuff, which I do quite a bit of. Wi-Fi Pineapple is awesome. I've used it for everything. So who has heard of the Wi-Fi Pineapple? Okay, Hak5.

I built my first one out of a La Fonera router and flashed it and did all the hard work for it, and you learn a lot about it when you build it that way, but the Mark IV and the Mark V have a lot more functionality. But I've utilized the Wi-Fi Pineapple for everything, as far as like credential stealing, poisoning networks, to mobile application testing. So you could set up, say you have to test a mobile application to see if it's passing credentials through the clear. You can use this as your access point that it connects through, have it wired into the network, utilize it as your access point, and use the application and see very quickly with a very limited tool set what the traffic is that's going back and forth. But there's tons of uses for this thing. You can control it over IRC, which is pretty cool. You just leave it somewhere for a little while and have fun with it from afar. But yeah, Pineapple's awesome. It's a very fun tool. The Pwn Plug, and this kind of goes into the drop box scenario. A lot of what we try to use now, you know, sneak into a company, plug this in the corner, and walk away. It creates an SSH session back out to you. You're in the network, you don't have to physically be there anymore, and you're away, proxying through this or telling whatever's on these boxes to attack the network. So the Pwn Plug was one of the big popular ones and is sort of an industrial one. There are a lot of DIY ones out there as well now. You know, there's Pi-based ones, there's router-based ones. But the scenario is you're dropping this box in there and then, wherever you are, casually walking away and then getting a session, some sort of session out, you know, we'll call it the target attack where you go IP ping packets back out to you when you create some sort of session or something like that, or DHCP or DNS, something like that, the requesting packets. But whatever your filtering method to get back out is, tunneling it through HTTP or HTTPS, you have a backdoor into the physical internal network. A lot of the Pwnie Express guys have released their stuff open source, so you can put it on a Raspberry Pi. There are other distributions out like PwnPi that are very good. MiniPwner is another one. Yeah. You're not going to be cracking hashes on that kind of a device, but you can pipe those hashes back to yourself and crack them on another device. But it's very awesome to have that physical presence without physically being there. And a lot of those have all of those egress methods built into the firmware, built into the distribution, so that you don't have to think about how that's working. Yeah, so if you're a network guy, you're looking at SSH going out from your internal. That seems weird sometimes, right? But you're seeing HTTP, HTTPS going out, web browser. Who cares? Who's monitoring that traffic, especially if it's SSL encrypted and you're not able to view the middle of it? So a lot of them do have built-in methods of backdooring out.

And the Raspberry Pi, in more of this vein, was a good drop box scenario, but also in the fact that it does lower level hardware stuff. And talking about lower level hardware stuff, this is a Kickstarter project that I did a while ago. This is my shameless plug, but also Arduino-based stuff. This is basically what I wanted to put together as an Arduino for hackers doing pen testing stuff. So you can see in the middle there, that little black device, that's the Glitch, and I've embedded it in a mouse. So it acts as a HID attack system. So yeah. Lasers. Yeah, in the middle there. So it's actually, this is a USB hub that I've attached to the mouse and to the Glitch. And then the cable that goes to the host comes from the hub. So you plug it in, it acts like a mouse. It moves like a mouse, but it's actually an attack platform. So in this scenario, we're doing a keyboard injection, but, you know, able to wait for a while and then maliciously upload a file or have it go to a specific browser or whatever you want. And so there are other hardwares that do this sort of thing, or you use your Arduino and you want to put like a ZigBee module on it or, you know, a... Lots of stuff, obviously, that we can do with Arduinos for specific projects. But I think a lot of people are using these lower level embedded hardware systems as attack platforms, because I can ship this to a client. I can get a really nice mouse or a bunch of nice mice and say, hey, you won a promotion. Congratulations. Oh, I didn't sign up for that, but it's a cool mouse. They plug it in the computer, and that's all I needed, because it's got these embedded malicious devices in there. So something like that, quite a bit. I've developed it. I've done a lot of payloads and stuff for it that I play around with, and I won't go into all the things that I do with it, but it comes in handy quite a bit when I'm doing physical-related stuff.

And he doesn't work for the NSA. Yeah, that's right. I solemnly swear. And yeah, so this is the one that, like, a DIY project, right? I mean, imagine, you know, the scale of attacks we generally talk about is guy in his basement, you know, maybe organization like anonymous or you know, some of the Liberation Army, Digital Army, stuff like that. So that's a loose organization. Then you have government level, you know. So they, you know, aggregating or like the mafia or something, right? They have some resources behind them. They're the ones going after credit card numbers. They've got some backing. And then you've got government level. And this is what I did. I can make this smaller and easier. This was

just what I designed on my, you know, bench at home. So this is what I have. Imagine, right, what the NSA or organizations can do with hardware level stuff. I've personally used the Glitch several times and it's awesome. Very cool tool. That's a TV-B-Gone. This is another DIY TV-B-Gone that you can do from Adafruit. Just a little kit that you can put together. They're really not extremely useful on a pen test unless you come across a NOC that's using old school monitors. In which case, you can just hit a button and shut them all off. Do your bidding. If they have physical displays as far as their camera systems and things of that sort, you can shut them off. Or another thing

that you can do is, you guys can't see it, right? You can't see anything shining at you. It's shining at you right now. You can see the little green button. Possibly you might be able to see it flashing. But if I have that around my face and I'm walking around a facility, this does get picked up by pretty much any camera that you have. And if it's constantly blasting at whatever camera may be nearby, they're not going to be able to tell who I am, that I don't belong. White blob circles. Yeah, it's just like a flashlight shining directly at it. Even though they're omnidirectional, it doesn't have to be pointed directly at it. So

you're a ghost. You're a creepy ghost person. Yeah. It's like Slender Man. This is how it started. Did you see it? I'll see it. It's a real small dot on there. Most of the time. So these batteries are probably dead because it's been sitting in my bag for a long time. Generally, it's extremely bright. It'll white out a camera. Yeah.

Let's move this up a little bit. I know we're going over time, and I thank everybody for staying. Lockpicks, we're not going to talk about that at all. Go see the Fail Guys. If you haven't been over there yet, you'll have lots of fun. It'll be awesome. You get to pick your first lock and not feel guilty about it at all. Wallet lockpicks are fun. These are the general lockpicks. I have my emergency lockpicks that I have used before on a pen test. I have the Bill of Rights shim, which is obviously what they intended it for. These don't go through the TSA very easily. That does. Yeah. But this is another set of wallet lockpicks too. I've never had a problem with TSA.

Not that I would ever do that. Okay. But this is another set of, you know, it looks like a thick credit card, but a nice little set of picks that are very strong and work well. Those wallet ones sometimes are very dainty. It rips up your fingers if you have to use it, but it's an emergency case thing. Social engineering, we talked about it a little bit. That's something that I do, that we both do, in life and in business. And badge holders, hold on to your badge holders there, because really, to piggyback somebody, you need a lanyard that looks somewhat like theirs or a little clip and a badge holder that only points the right direction. So you either have vertical or horizontal badge holders. So you

need two and you need your hotel card and you'll be good. Because it looks like a badge-ish thing hanging from wherever you hang it from. Then you piggyback in, and there's a badge thing hanging there, a white piece of paper in a lanyard. You're obviously good to go. Hold on to these and look for other ones out there. It's just the back of his badge. It's okay. It's flipped over. Everybody's badges flip over here. They're designed to flip over for a weird reason. Mini screwdriver set, really robust screwdriver set, very helpful, breaking in physically, opening up a desktop, stealing a disk, or bypassing locks and things like that. This set I have here is not your standard set you

get at a hardware store. I ordered this one online because it's got the weird two-prong ones and the oct and all these other ones that you see in devices. It's the funniest thing to think. They can't unlock it. Why? Because we have this weird screw type that we use. Oh, I've got it right here. Exactly. It's like, well, I just bought the same tool you use. Like elevators, very commonly, they do this, so you can't unlock the elevator panel. It's like, oh, it's using the two-pronged one. So, oh, no, nobody could ever build something like that or just file one down. Or they have the little pin thing in the middle. Has anybody

encountered that? So you scrape out the pin. You just use a file or something or a knife, and you cut that part out, and then you use a regular screwdriver. So that's good. It took me at least 10 seconds to bypass it. Security through obscurity. Right, exactly. Velcro is my best friend. That's all I'll say about that. Having some sort of multi-tool, great to have on site for scissors, knife, whatever. I like the Leatherman personally. We both are Leatherman fans. But then there's a lot of other really great multi-tools out there. Leatherman Wave. And those do not go through TSA. They frown upon that. Mine was taken from me by TSA in Singapore. They were

not super happy that I tried to bring an iPhone board. I went through two scanners. I went through a scanner once before I boarded, and I thought I checked it. And then I was getting on the plane, like, excuse me, sir, what's this? I'm like, I don't know what it could be. I pulled out my Leatherman, and I'm like, I'm going to lose my Leatherman. No! It wasn't like getting in trouble. It was the fact that my Leatherman is now halfway across the world, or all the way across the world. Duct tape, or tape in general. Electrical tape, duct tape. I keep electrical tape. Electrical tape's probably better to have, for the most part. It's

just that emergency thing where you might need to tape something together or bypassing something. Having tape on hand. Keeping a door open. Yeah, the shim where it's normally going to lock back. Stuffing something in there or putting tape in there. It closes all the way and it looks closed but actually you can just push it open. Another thing you can do, how many of you have magnetic doors like the magnetic locks? A simple quarter will bypass that. In most cases, if you can reach the top of the door right above where that sits, you just set the quarter on top of it, let it close, it'll open right back up because it's not conductive. It

won't allow it to pull that magnetic lock. Paracord.

This is what I have attached. So we'll get to the computers now. This is sort of wrapping up things. This is my personal favorite computer for a portable. I've had it for many years. It's an old system. It's probably from 2006 or 2007. If you saw my Nerf gun, this is what's powering it. I looked at, they call it UMPCs. These are ultra mobile PCs. And this is a thing a few years ago that they had, this sort of concept. And now we're all looking at, it might fall out. Oh gosh. Put it down, put it down. It's going to die. Now we all have little tablets. But this is a tablet. When tablets were

tablets, before tablets were tablets like they are now. So we used to call it a tablet back in the olden days of 2008. But it's great. I really like it. It's small, portable. If I'm doing a wireless pen test, I can keep it in my bag, walk around with it, so I don't have to hold my laptop out and an antenna and do this thing, which is what most people end up doing for wireless pen tests. Is there a touchscreen? Yep, there's a touchscreen. Is there a spare battery? I have a spare battery for it. It generally lasts pretty long for me. And these are, I mean, it hasn't been built in many years. There's probably still some on

eBay, but yeah. So instead of walking around with your laptop, you walk around the back to the experience. Yeah, exactly. That's right. Nobody will notice that I'm doing anything wrong if I'm holding a Nerf gun. That's the distraction, right? I have to do that and then have lockpicks in the background. Like, oh, it's the Nerf gun. I'm not picking the door over here. Tablet, I'll let you take this one. It's like a pen testing tablet. Yeah, so there are a lot of different distributions, a lot of different tablets you can run. You can run chrooted environments of whatever pentesting environment you want on a lot of them. The one I use is the Nexus 7.

I initially got it to put the Pwnie Express Pwn Pad distribution on it. I've played with multiple distributions. The one I have on it right now is Calipone. And so it is basically a full-fledged Linux environment running on top of my tablet. It will pick up, you know, the tablet is capable of host-based USB, so I can plug my little Atheros wireless adapter into it through my OTG cable and perform full-out wireless assessments, whatever, with this directly. They've done a good job of putting together scripts that you can launch directly, you know, you can launch specific wireless tools directly from the interface and then just pick which wireless adapter that you wanted to utilize. That's

Wi-Fi, if anyone's heard of it. I'm going to shut that off now. I don't have the adapter plugged in, but yeah, we'll shut that off. But it's an extremely useful tool. Another thing that it can be used for is when we were talking about drop boxes, if you are able to get onto the network, so I can plug a USB hub into this, I can have it wired physically into the network and then have it running an AP over my Atheros external adapter or the internal adapter. I can connect it over wireless and then this is my persistence within the organization. I can sit outside in the smokers area or whatever and perform whatever dirty deeds I need to on the network internally. So,

awesome. And that's the Nexus 7. Yeah, Nexus 7. Nexus 7, Nexus 10. For some reason, a lot of them have been focused on the Nexus devices. So I'm not sure about, a lot of them, those are their dev platforms. So if you're going to get a tablet, the Nexus 10 or Nexus 7 seems to be what people are targeting now. I'm not saying that that's the best tablet out there, but it seems like a lot of the distributions are focusing primarily on those. It's a very powerful little Snapdragon processor. And I've done all kinds of stuff. I've compiled binaries across it. So it's a very, very slick little platform. So I highly recommend it. If you haven't already, you can keep your normal stuff and

run this on there as well. Yeah. So I submitted another talk. I'm going to sit down. OK. And one talk was literally I was going to talk the entire time or the entire day about the N900. How many people have N900s? What? How many people know about N900s? You Linux gurus, you. Yeah, that's what I'd like to see. So the N900 runs, I'm pronouncing right, Maemo, right? Is that how we all name Maemo?

Which is purely Linux. It's not like Android abstraction Linux kernel-ish stuff. It runs a Debian for ARM. You can compile Debian for ARM, port it over, as long as everything matches up library-wise. I mean, there's a development environment for it. It's great. I have GCC on here. I compile straight from my phone for my phone. I did it for the kernel once. Don't do that. I wanted to get the Bluetooth drivers installed so I could put an external Bluetooth on them. And I'm like, I'll just do this really quick. Check the right boxes and compile. And it came back the next day. I'm like, all right, I get it. I get it, guys. I'm not going to mess with that anymore. This is, as he said

before, I've done an entire pen test with this one phone, which was great. It's got USB OTG. It's running, you know, as I said, Debian. So all the stuff you want to compile, all the open source tools that we've talked about on all the distributions will run on here natively. You don't have to do too much modding. We mentioned the Pwnie Express guys before. They've released the Pwn Phone image, and I've contributed some to that and hopefully contribute more in the future to a newer version, which they sell the Pwn Phone and also have an open version for people that are more DIYers. But a lot of the hacking tools are on here. The wireless

chipset, I mentioned before about the adapters, the one on here is beautiful, does everything. This can be a fake access point that I can route through, do exactly what he was talking about. This can be my drop box. And I recently discovered, I got super giddy, I booted another computer from my phone.

Yeah, that's where I was at, mind blown. So it mounts a micro SD card, right? If I reboot, tell it to boot from USB, this acts as a mass storage device. I have the mass storage device micro SD card on here as a bootable. I put Katana, which is a distro I put together. I had it boot to that. So that computer is running the live distro from my phone, and my phone is still working fine. I can use the phone for everything as the phone does. It just doesn't have access to my micro SD card. And I wrote a script on here that totally write blocks everything else. Like I mentioned before, the SD card could

write block, and it's a suggestion. I can write block on here so when it mounts, it tells it I'm read-only. It doesn't matter what you say. You can't write to me. So I have all of my tools on my SD card on my phone, and I plug that in to the target system, and I can, you know, attempt to run all this stuff. And if it says no, you know, it doesn't have a deleting process. And also, if I want to boot from a flash drive, that looks weird. I'm on site, I plug it into a kiosk, like, wait, what are you doing there? You know, they're flash drives. We don't allow flash drives. If I

plug in my phone, what am I doing? Charging my phone. Who says, "No, you can't charge your phone here"? You don't get yelled at for that. Like, oh no, hold on, my phone died. I was on a call, a very important call, and I need to plug it back in. So I can sit there all day long, wait for them to go away. Be like, I'm just waiting for my phone. All day back, I'm still waiting for my phone, and run everything I want off the phone. And that's not even talking about all the other awesomeness of this phone. I absolutely love it to death. I carry it with me all the time, no matter

what I'm doing. Whenever I fly and I get bored, I pop this open and I start writing code on here, or bash scripts, or whatever my idea is. I don't pop on my laptop. Like, oh, it's all the way in my bag. I'll just write or edit some code on here and compile it, which isn't really great, because this is a tiny little keyboard and you have to type it all out, but it's a lot of fun. So even as Linux people, it's great. It was Nokia-supported originally. They've dropped, completely dropped support for it. It's all user land now. They have to install a custom kernel that's all user land kernel. There's a, there's a, still a strong showing of people that are really dedicated to this

phone line, even though it came out in 2008 or seven or something like that. Yeah, and you can get one on eBay for $200. A lot of people are selling them now that they're not super cool. Some drawbacks, it's only 3G, but it's got Wi-Fi. I mean, it's old, but there's actually a project now. Look up the Neo900. Somebody is deciding to update this hardware. It's going to use the exact same case. You have to have purchased one, but it replaces all the guts inside. So it's going to have RFID. It's going to have 4G. They're updating the processor, the RAM, everything like that. So for me, I'm ranting. I really enjoy this product. I'll

be able to do all this stuff, but also have new capabilities that modernize the phone. So from my security perspective, I love it. As far as Linux people should be concerned, it runs a Debian core. Need I say more? You don't have to root it or anything. That's it. It's so great. Exactly. Yeah, so a lot of them, just a word of warning, I look at there a lot. A lot of them will ship over from China. I prefer to buy the ones that are used locally here because there are a lot of knockoffs. But the knockoffs are actually just as good. For some reason, they started cloning them, and you get the cloned ones. And other than some aesthetic features, they seem to work.

Everything I've ever read says, you know what? My knockoff one actually works pretty well. So for whatever reason, they were popular. They were much more prevalent in Asia than here. They didn't make it over here and become very popular here. But there are a lot of them floating around. A lot of people in the security field are gobbling them up like crazy. If you get one, make sure you do re-read.

It's very scary, especially if it comes from China. Just rewrite the firmware.

Yeah, absolutely. And so there are a lot of knockoff ones. So buyer beware with eBay, make sure it looks like this, and verify the seller, and blah, blah, blah. But these are out there. They're cheap. If you're doing it for fun, they're awesome. It does host mode and everything you might want. So I can't walk around without this phone. I love it so much. If you get it off Craigslist, you'll probably need someone... So this particular phone, I met a nice gentleman on Craigslist who wanted to meet late at night in the parking lot of a Lowe's. So obviously I agreed to that and got into his car and I gave him some cash out

of pocket and got my phone. So that's the story of what not to do. So I was like, it's either going to be a great story to tell or the end of me. That's right, exactly. No, dude, I was just buying an N900.

Yeah, exactly. Somehow Craigslist turned out to be sketchy. I had no idea. All right, and that's the rest of our slides. I know that we've gone pretty quickly through this, so any Q&A, you know, please tell us, you know, ask us afterward. Our handles and our Twitter handles and stuff. We'll leave this up there for a second, but I know we're way over and want to change around. So thank you very much for staying a little bit late and holding on while we had some issues with the slides early on. I really appreciate it. Thanks for coming out to BSides. And we've got one more talk coming up that we're going to have a general panel Q&A. So some of the stuff, questions you had, if you want to

follow up with that, we're both going to be on the panel with a few other people. Do stick around, because it's totally open to any questions you guys might have. Thank you very much.