How an rPi can be used during your pentest!

Defense Penetration Testing (Pentests)

    Many pentesting firms have done this for a while now, so there's nothing new here, but I'd like to show you why and how pentests can be performed by shipping a Raspberry Pi (a small, single-board computer) and letting your staff power it on, or setting it up to be left on site. Before we get to that, let's discuss why this would ever be a thing. There are a number of problems that make this way of working a de facto standard operating procedure, and it only makes sense to offer the same.
Problem 1: "Scheduling/We can't perform testing during work hours"

    Often clients won't have a way to get someone to unlock the doors for you after hours and stay with you while you perform testing, including wifi, physical, or internal pentesting techniques. This is the most common reason to say "okay, well, we can set up a laptop and leave it there". That works well for many reasons, because the testers then have all the tools they need on site, with some way of connecting back in for themselves.

    But maybe the pentesters don't have something prepped, forgot to disable updates and set up firewalls, and the device sitting on your network still has some nonsense running they forgot about, which has now added exploitable functionality to your network. An actual attacker who is already in the network sees that, pivots using the pentester's own activities, and now has secured everything they know on top of the network. There are just so many ways a lack of prep for this can cause problems. Any cybersecurity professional knows this is a possibility, but good professionals prep for such events. In many cases, this means creating an image with trusted firewall rules and VPN configuration that contains all the tools they're going to want or need. The best practice tends to be blocking every listening service except over the VPN interface, and connecting out to a VPN network. So long as those images are kept updated and don't increase the exposure of the network, the testers can connect through those systems without causing additional harm.

Problem 2: "Physical access"

    Many companies and individuals come across the problem of "we can only allow you to connect by having physical access". This could be because they don't have a VPN of their own that they could set up an account for you on, or it could be part of the requirements for the testing. In either case, providing a physical device to connect gives us a physical presence for the duration of the test, enabling more depth to the testing, longer testing cycles, and a greater return on investment for the client.

Problem 3: "We can't have the disruption to our staff"

    This is another big one for our clients: they just don't have the staff to deal with it. So we can go in, put the Pi in place, verify connectivity, and leave. This also prevents client staff from knowing testing is going on, which leads us into our next problem.

Problem 4: "Creating a user for you with remote access, is unrealistic"

    This, I tend to agree with. If I were doing criminal hacking, I'd drop a Pi in place after lifting the ceiling tile of a bathroom stall and use an LTE connection back to myself, or a secondary wifi in master mode if there's a network cable running past there I can hop in between. There's always the need for external testing, and we shouldn't forget that, but if we assume the breach has already happened, physical is the most realistic way in many, many situations. Access with a user account is a valued test, however, for providing testing based on a known compromised account without actually risking any user accounts. Along with this, you should always request a search for publicly exposed credentials for your users, and if any of those users have exposed creds within the timeframe of your last reset date, they should be cycling those credentials.

Solutions!

    So there is a common solution for this. It's using a small device capable of doing what's needed to stay online and active while testing is performed. Here is an example picture where we have this connected to a wired network to provide network connectivity. It also has a built-in wifi device which I can use to connect to the wifi, and a secondary wifi card I can use for testing the wifi. There is also a GPS chip which can assist a bit with network mapping when working with other tools like Kismet and wigle.net.



    We have ours set up with a standard (monthly updated) image that, on connection, connects to our WireGuard VPN and enables our access. Each of these is set up for one specific network and is network-segregated on connection, meaning that from our auditor's side we have to connect to the VPN network specific to your testing, then log in to the test rPi, to gain access to your system.

From the Client's side

    Once the Pi is set up, if you actively scan for new devices on your network, you should expect to see something like this from your end: no ports/services are active, and SSH is actively dropped on all but the WireGuard VPN connection. If you detect WireGuard and block its connectivity, we can switch to OpenVPN as well, but that should be discussed before implementation. This takes roughly 3 hours of setup to be ready (spinning up an OpenVPN/WireGuard VPN server, creating new connection files, and prepping the Pi for the test).


    There's still evidence that it's clearly a Pi (assuming we don't need to configure a spoofed MAC), but no ports are open by default and no services add to the threat landscape on your network.

From the Auditor's side

    On the auditor's side, over the WireGuard connection, we can see it once it's on the network, then log in through SSH (which is blocked on all other networks).
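As an added illustration (not the author's image or configuration), here is one way the "SSH only over the tunnel, nothing else listening" setup described in the Solutions, Client and Auditor sections could be expressed on the Pi. The interface name wg0, the 10.200.0.0/24 management subnet, the endpoint and the key values are all assumed placeholders:

```shell
#!/bin/sh
# Added example, not the post's own image. Assumed: tunnel interface wg0, auditor
# management subnet 10.200.0.0/24; endpoint and keys are placeholders to fill in.
WG_IF="${WG_IF:-wg0}"
SSH_PORT="${SSH_PORT:-22}"
AUDIT_NET="${AUDIT_NET:-10.200.0.0/24}"   # only the auditor's VPN hosts, not a full tunnel

# WireGuard client config, brought up at boot by wg-quick@wg0. PersistentKeepalive
# keeps the box reachable behind the client's NAT without opening any inbound port.
wg_client_conf() {
cat <<EOF
[Interface]
PrivateKey = PRIVATE_KEY_PLACEHOLDER
Address = 10.200.0.2/24

[Peer]
PublicKey = SERVER_PUBKEY_PLACEHOLDER
Endpoint = VPN_SERVER_PLACEHOLDER:51820
AllowedIPs = $AUDIT_NET
PersistentKeepalive = 25
EOF
}

# nftables policy: default-drop inbound, SSH only from the auditor subnet via wg0,
# nothing forwarded, so the box adds no listening service to the client LAN.
dropbox_ruleset() {
cat <<EOF
flush ruleset
table inet dropbox {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        iifname "$WG_IF" ip saddr $AUDIT_NET tcp dport $SSH_PORT accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy accept; }
}
EOF
}

# Pre-deploy check: SSH must never be accepted on anything but the tunnel interface.
ssh_only_on_tunnel() {
    dropbox_ruleset | grep -q "iifname \"$WG_IF\".*dport $SSH_PORT accept" || return 1
    dropbox_ruleset | grep "dport $SSH_PORT" | grep -vq "iifname \"$WG_IF\"" && return 1
    return 0
}
# Deploy as root: wg_client_conf > /etc/wireguard/wg0.conf; dropbox_ruleset | nft -c -f - && dropbox_ruleset | nft -f -
```

The outbound WireGuard handshake and its UDP replies are covered by the established/related rule, so the tunnel comes up without any inbound allow on the client LAN.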


    We've also enabled Podman for containerization, in case we need any custom services or tools available as part of the pentest.

What does this mean for you?

    Well, at the end of the day, this only means that when you request a pentest, you have additional options for how those testing scenarios are performed. Some people want their home networks tested, but for the most part this is relevant to people testing their company/business networks for ways attackers could move within the network. This allows an easy drop-in-place way to perform that testing remotely, from anywhere with an internet connection.

Future upgrades

    We're looking into getting the costs down for an LTE connection so we don't rely on your network connection to connect back to our VPN. We can do this, but it ends up at a higher cost due to the service costs currently associated with it. If anyone has any advice on getting that as cheap as possible without losing connectivity frequently, please reach out; I'd love to hear y'all's techniques on this!

Thanks for reading

If you need any IT or cybersecurity work remotely or within the DFW area, please contact us over at FeemcoTechnologies.
