Physical attacks

Physical recon

  • Google street view is handy
    • can be outdated
  • drive-by
    • just stalk them

Physical barriers

  • doors, gates
  • motion sensor door locks
    • canned air can trigger motion sensor from outside
  • doors with keys and padlocks
    • lock picking (manual and electronic) opens these easily
  • door unlock button
  • RFID door locks
    • backend systems often very dumb
    • plenty of devices can copy cards
    • Flipper Zero

Drop boxes

  • device that gets stealthily added to local network
  • preconfigured to provide connection for attacker
  • make it inconspicuous
    • in cable tray
    • behind desktops
    • ...
  • when using multiple, make sure they don't communicate
    • finding one shouldn't find the others

Lan turtle

  • looks like USB ethernet dongle
  • routes attacker traffic through VPN into victim network

Packet squirrel

Hidden camera

  • drop boxes that contain hidden camera
  • look like ordinary devices (e.g. USB charger)
  • position is key

HID injection attacks

  • attacks using devices that act as Human Interface Devices (HID), e.g. keyboard
  • Rubber Ducky
    • USB that acts like HID
    • sends lots of keystrokes to e.g. install malware
  • Bash Bunny
    • more advanced Rubber Ducky
    • emulates ethernet, serial and flash storage as well
    • typical attacks
      • QuickCreds: run Responder on device to extract NTLMv2 hashes
      • BunnyTap: funnel cookies of user to attacker
      • Kon-Boot: allows access to a password-protected PC by booting from a USB with Kon-Boot enabled
  • drop attacks
    • leave thumb drive for people to find
    • curious people will plug it in
  • devices that look like cables also exist
  • destructive attacks
    • killer USBs that send high voltage through device
    • destroy mission critical devices

WiFi attacks

  • capture handshakes of devices
  • pass handshake to hashcat
  • most tools require monitor mode
    • not present on most devices
  • WiFi pineapple
    • preconfigured WiFi attack tool
    • rogue access point
    • reroute traffic
    • capture handshakes
    • ...

Mitigation

  • proper training of staff
  • network scans for unauthorised devices
  • monitoring and incident response
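As an added example of the "network scans for unauthorised devices" mitigation (not code from these notes), the script below diffs two ARP-scan style inventories against an asset allow-list to spot a drop box: MACs not on the list, IPs whose MAC changed since the baseline, and locally-administered MACs. All asset names, addresses and scan lines are constructed.

```python
"""Flag candidate drop boxes by comparing network scans to an asset allow-list.
All data below is constructed for illustration."""
import re

# Constructed allow-list: MAC -> asset name
KNOWN_ASSETS = {
    "00:11:22:33:44:01": "ws-finance-01",
    "00:11:22:33:44:02": "printer-2f",
    "00:11:22:33:44:03": "switch-core",
}

# Constructed scan output in the "IP<TAB>MAC<TAB>vendor" layout arp-scan prints
BASELINE_SCAN = """\
10.0.5.10\t00:11:22:33:44:01\tExample Workstations
10.0.5.20\t00:11:22:33:44:02\tExample Printers
10.0.5.1\t00:11:22:33:44:03\tExample Switches
"""
# Later scan: a new host appeared and the printer's IP now answers from another MAC
CURRENT_SCAN = """\
10.0.5.10\t00:11:22:33:44:01\tExample Workstations
10.0.5.20\t02:aa:bb:cc:dd:ff\t(Unknown)
10.0.5.1\t00:11:22:33:44:03\tExample Switches
10.0.5.77\t02:aa:bb:cc:dd:ee\t(Unknown)
"""

LINE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\t([0-9a-f:]{17})\t(.*)$", re.I)

def parse_scan(text):
    """Return {ip: mac}; lines that are not host entries (headers, noise) are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hosts[m.group(1)] = m.group(2).lower()
    return hosts

def is_locally_administered(mac):
    """Bit 1 of the first octet set => locally administered (randomised/self-assigned) MAC."""
    return bool(int(mac[:2], 16) & 0x02)

def find_rogues(baseline, current, known=KNOWN_ASSETS):
    """Report unknown MACs, IPs whose MAC changed, and locally-administered MACs."""
    base, cur = parse_scan(baseline), parse_scan(current)
    macs = set(cur.values())
    return {
        "unknown_macs": sorted(m for m in macs if m not in known),
        "mac_changed_ips": sorted(ip for ip in cur if ip in base and base[ip] != cur[ip]),
        "locally_administered": sorted(m for m in macs if is_locally_administered(m)),
    }
```

Feed it real scan output and your CMDB export in place of the constructed strings; a MAC change on a port that used to hold a printer is exactly the signal an inline drop box produces.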