Pen-testing lite

Penetration testing efforts don’t always get launched from a room full of computers with a crew busily working on them. Like wireless wardriving, they can go mobile. Here are two devices that can help put your pen-testers in motion and right in the thick of the action, even inside the physical perimeter. One scenario that has been mentioned is to mail such a device to the target: while it sits on some desk, it penetrates the wireless component, compromises the network and phones home with key data before the package is even opened. If your target has publicly accessible areas, a walkthrough can be done easily. Another similar scenario involves placing a mobile pen-testing unit inside a Nerf football and throwing it onto the roof of the target building. As mobile components get smaller, defending against them will become much more difficult.

Weaponizing Apple’s iPod Touch – [darkreading.com]

Thomas Wilhelm, associate professor of information system security at Colorado Technical University, showed attendees at last week’s Defcon17 conference in Las Vegas how Apple’s seemingly benign iPod Touch can be converted into a portable and stealthy penetration testing or attack tool. He outfitted the iPhone cousin with the popular Metasploit software for exploiting vulnerabilities, as well as password-cracking and Web app hacking applications he was able to easily download onto the device.

“Because of its size and ability to connect back to a more robust attack platform, the iPod Touch can go anywhere and get us [penetration testers] into areas where we couldn’t before,” Wilhelm says. “If I walked into a bank with a laptop, people would be suspicious. If I were to walk in with something like an iPhone, people would accept it. I could hack for hours in a bank or coffee shop, and no one would [suspect],” he says.

The future of wireless security assessment – [immunityinc.com]

Immunity’s approach to WLAN security, as it is with all other security challenges, is aggressive. SILICA and SILICAQ are the only automated wireless LAN exploitation solutions on the market. The units come pre-configured and ready to go straight out of the box. The small, portable, PDA-like devices allow you to perform all the usual penetration testing exercises, automatically, from your pocket! SILICA and SILICAQ will quickly and automatically grab screen-shots or password hashes, upload and execute software on target systems, or intercept and record network data. Both units include standard Wi-Fi auditing features such as capturing live signal, spectrum and packet data. Immunity’s advanced research team continues to contribute updates to the software so the latest attacks are programmed in.
