Kevin Mitnick and Dave Kennedy share two more pentest stories: one involving a rogue certificate and the other one based on exploiting powerline communication.Dave: We have a little bit time left, so Kevin do you want to fly through this one? This is the external and wireless penetration test (see right-hand image).
Kevin: Oh, yeah, a company had us do a wireless security assessment, but also it was a web app assessment.And through SQL injection we were able to breach the external web servers. And so, using a tool – Jason Geffner wrote the whitepaper on the tool – we were able to export the private RSA keys (see left-hand image). Based on this whitepaper, actually, he had some code that he released that lets you export the private keys to the certs, so, basically, steal the web server cert. And because this company is running one of Cisco’s wireless products. What we realized is, since they had their own CA, they loaded their own cert onto the Cisco device, or actually onto the box that was doing the authentication. And we realized that this cert was signed by the same root CA as the web server cert. So we stole the web server cert and were able to leverage that to create a rogue AP to get clients that would connect to the network through certs (see right-hand image). We were able to leverage that to get them to connect to our rogue AP and then exploit them through our client-side exploit. So it’s kind of cool: you steal something from one location and you leverage it somewhere else, and there are no scanning tools on the market that are going to do something like that. It just takes human knowledge.
Dave: If you remember correctly, when you penetrated that server you ran into a lot of dead ends. I mean, that was really a locked down DMZKevin: Yeah, we were like “Okay, we’re sitting on the DMZ and we’re trying to get to the internal network.” Basically, everything was blocked (see left-hand image). It was taking too much time. So then we had to figure out how else we could get to the internal network and we thought “Well, let’s just steal the cert and the private keys, create a rogue and then have clients associate to it.” And it worked. It was very simple. A little bit of debugging, but it was easy. Dave: Company 4 – this is for powerlines (see right-hand image). At DefCon, we released a talk called “Pentesting over Powerlines”, which leveraged an attack against home automation systems and controllers-run X10 devices. And so, we were doing a physical penetration test against an armed guard facility. When we started doing reconnaissance of the systems we took pictures of the camera system, the people entering the system itself, and looked at the brand names and the X10-based controllers that they were leveraging for the systems. They were using powerlines to communicate those devices and transfer data over in those different routes. We decided to be kind of unique on this. After researching the brand names, we decided to attack X10-based controllers and see what we could get with it (see left-hand image). So we started doing some work, and I have to give a shout-out to Rob Simon because he, really, was instrumental in creating all of this. Here’s the X10 Kit that we were leveraging (see right-hand image), and Rob was testing this device right here – some lights and the actual device itself, you can turn it on and off with different things – you know, it’s home automation. It’s the same thing that these security systems were leveraging. So we decided to create a jammer (see left-hand image) to jam the devices so that, if we were to go into the facility and start attacking it, there wouldn’t be any type of alarms going off and everything would be, basically, blacked out. We started with an Arduino-based device (see right-hand image), and we started to go a little bit smaller. Rob started modifying the TW523 (see left-hand image), so we started soldering it into the home automation device. We are not any type of electrical engineers whatsoever, so we fried that one Teensy and many more until we figured out what we were doing (see right-hand image). All in all, we had a product that we ended up fixing, which was this guy right here (see left-hand image). Essentially, this device right here is what we call the “blackout jammer” for X10. It is a modified Teensy-based device. What you should see is, if you were able to go to external plug on the outside and plug this, you could jam the X10s so that they wouldn’t be able to communicate. Now the X10 is inoperable, and if I try to turn it on and see what’s going on – nothing, it’s dead. Once I take it off, the device pops back on. So, what we were able to do is we did a night-operation, we disabled the security systems, we lockpicked the back entrance door, no security alarm ever triggered, and we had full access to the infrastructure, so from there we were able to go on and do everything we wanted to (see left-hand image). Again, what we wanted to get out of this was to be creative, do something that hadn’t been done before, do something unexpected; to be a hacker, right? So, instead of giving the customer a 400-page report, we decided to do something unique and had some fun with it (see right-hand image).
Read previous: Adaptive Penetration Testing 6: The Teensy Attack