How to Build Your Own Penetration Testing Drop Box by Beau Bullock.
With politics bleeding into even highly filtered feeds, thought it might be amusing to look at a hardware construction project.
I compared three single-board computers (SBC) against each other with a specific goal of finding which one would serve best as a “penetration testing drop box”, and maintain an overall price of around $110. Spoiler Alert: At the time I tested these Hardkernel’s ODROID-C2 absolutely destroyed the competition in this space. If you want to skip the SBC comparison and jump right to building your own pentest drop box you can find the instructions below and also here.
Overview
A few weeks ago I was scheduled for an upcoming Red Team exercise for a retail organization. In preparation for that assessment I started gathering all the gear I might need to properly infiltrate the organization, and gain access to their network. Social engineering attacks were explicitly removed from the scope for this engagement. This meant I wasn’t going to be able ask any employees to plug in USB devices, let me in certain rooms, or allow me to “check my email” on their terminals (yes this works).
Essentially, what were left at that point were physical attacks. Could I get access to a terminal left unlocked and perform a HID-based (think Rubber Ducky) attack? If the system wasn’t unlocked, perhaps a USB-Ethernet adapter (like the LAN Turtle) could be placed in line with the system to give me a remote shell to work from. Even if I could get physical access, without any prior knowledge of the network’s egress filtering setup, was I going to be able to get a shell out of the network? So this led me down the path of building a pentest drop box that I could place on a network, could command over a wireless adapter, automatically SSH out of a network, and just be an all-around pentesting box.
Some Device Requirements
Looking into the available options already out there it is very clear that I could either spend over $1,000 to buy something that did what I needed it to do, or try to build one comparable for significantly cheaper. So I set some very specific goals of what I wanted this device to do. Here they are:
- Device has to be relatively unnoticeable in size (could be plugged in under a desk unnoticed)
- Has to be able to be controlled over a wireless interface (bonus points if multiple wireless interfaces can be used so wireless management and wireless attacks can happen concurrently)
- Persistent reverse SSH tunnel to a command and control server
- Fully functional pentesting OS (not just a shell to route attacks through)
- Decent storage space (32-64GB)
- Actually be a usable pentesting box that is not sluggish due to hardware restrictions
- Cost around $110 total to build
…
I like that, requirements!
Assuming you have a briefcase or bulky coat, not a bad piece of hardware to have on you. Unless you anticipate physical searches. Can’t ever tell when you will be curious about something.