ch07
parent
82545225ca
commit
1ea7d28273
|
@ -0,0 +1,93 @@
|
|||
# Physical attacks
|
||||
|
||||
## Physical recon
|
||||
|
||||
* Google street view is handy
|
||||
* can be outdated
|
||||
* drive-by
|
||||
* just stalk them
|
||||
|
||||
## Physical barriers
|
||||
|
||||
* doors, gates
|
||||
* motion sensor door locks
|
||||
* canned air can trigger motion sensor from outside
|
||||
* doors with keys and padlocks
|
||||
* lock picking (manual and electronic) open these easily
|
||||
* door unlock button
|
||||
* RFID door locks
|
||||
* backend systems often very dumb
|
||||
* plenty of devices can copy cards
|
||||
* Flipper Zero
|
||||
|
||||
## Drop boxes
|
||||
|
||||
* device that gets stealthily added to local network
|
||||
* preconfigured to provide connection for attacker
|
||||
* make it inconspicuous
|
||||
* in cable tray
|
||||
* behind desktops
|
||||
* ...
|
||||
* when using multiple, make sure they don't communicate
|
||||
* finding one shouldn't find the others
|
||||
|
||||
### Lan turtle
|
||||
|
||||
* looks like USB ethernet dongle
|
||||
* routes attacker traffic through VPN into victim network
|
||||
|
||||
### Packet squirrel
|
||||
|
||||
* [https://shop.hak5.org/products/packet-squirrel-mark-ii]
|
||||
* mostly aimed at network interception and manipulation
|
||||
* logs network traffic
|
||||
* captures print spool jobs
|
||||
* intercepts DNS request and directs them to server of your choosing
|
||||
|
||||
### Hidden camera
|
||||
|
||||
* drop boxes that contain hidden camera
|
||||
* look like ordinary devices (e.g. USB charger)
|
||||
* position is key
|
||||
|
||||
## HID injection attacks
|
||||
|
||||
* attacks using devices that act as Human Interface Devices (HID), e.g.
|
||||
keyboard
|
||||
* Rubber Ducky
|
||||
* USB that acts like HID
|
||||
* sends lots of keystrokes to e.g. install malware
|
||||
* Bash Bunny
|
||||
* more advanced Rubber Ducky
|
||||
* emulates ethernet, serial and flash storage as well
|
||||
* typical attacks
|
||||
* QuickCreds: run Responder on device to extract NTLMv2 hashes
|
||||
* BunnyTap: funnel cookies of user to attacker
|
||||
* Kon-Boot: allows access into password-protected PC by booting with
|
||||
Kon-Boot enabled on USB
|
||||
* drop attacks
|
||||
* leave thumb drive for people to find
|
||||
* curious people will plug it in
|
||||
* devices that look like cables also exist
|
||||
* destructive attacks
|
||||
* killer USBs that send high voltage through device
|
||||
* destroy mission critical devices
|
||||
|
||||
## WiFi attacks
|
||||
|
||||
* capture handshakes of devices
|
||||
* pass handshake to hashcat
|
||||
* most tools require monitor mode
|
||||
* not present on most devices
|
||||
* WiFi pineapple
|
||||
* preconfigured WiFi attack tool
|
||||
* rogue access point
|
||||
* reroute traffic
|
||||
* capture handshakes
|
||||
* ...
|
||||
|
||||
## Mitigation
|
||||
|
||||
* proper training of staff
|
||||
* network scans for unauthorised devices
|
||||
* monitoring and incident response
|
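Review bot: The "## Mitigation" section at the end of the file has three generic bullets, and only "network scans for unauthorised devices" maps back to a specific attack class above it (drop boxes); consider adding at least one countermeasure each for the RFID door lock, HID injection and WiFi sections so every attack in the chapter has a matching defence. Under "### Packet squirrel", the URL is wrapped in bare square brackets, `[https://shop.hak5.org/products/packet-squirrel-mark-ii]`, which is not Markdown link syntax; write it as `<url>` or `[text](url)`. Minor wording: the heading "Lan turtle" should be "LAN Turtle", and "intercepts DNS request and directs them" should read "DNS requests".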