Insights from Black Hat and DEFCON 2015: Red Teams: “Check Your 6”
“Check your 6.” In the military, this means: “Look behind you for an attacker.” Wesley McGrew used this phrase in his DEFCON 23 presentation about the danger pen testers bring into the environments they are paid to ethically hack. In short, pen testers are experts in offensive techniques for getting into networks and finding vulnerabilities, but they are often not mindful that bad actors may be using the pen testers themselves as a route into their customers, or as a way to steal the data that pen testers legally and ethically acquire while doing their jobs.
McGrew attributes this to three factors: 1) Lack of training; 2) Lack of pen testing tool maturity; and 3) Lack of documented incidents.
That last point may make some think, “Well, if there aren’t many documented incidents, what’s the big concern?” Don’t go there. A lack of documented cases does not mean the problem doesn’t exist; it may only mean nobody has been looking. And now McGrew has laid the weaknesses out for a room full of hackers in an open forum!
He specifically talked about the security of Kali Linux and implantable devices like a WiFi Pineapple and Pwn Plug-type devices.
While many of the tools inside Kali Linux have vulnerabilities, three in particular were highlighted as dangerous to use. BeEF, cymothoa and nc (netcat) had enough issues for McGrew to recommend that pen testers find other ways, if possible. Four were denoted as “Use with Care”: sqlninja, dirbuster, Metasploit (Meterpreter specifically), and SET (also Meterpreter specifically).
You can find a full list of Kali Linux tools and recommendations on page 22 of McGrew’s presentation here. (NOTE: This document is hosted on DEFCON servers. My resource to acquire the presentation is not open to the public, and I was not able to find an alternate source.)
Many pen testers use physical devices that can be implanted in, or used in close proximity to, the target environment. The vulnerabilities of the Pwnie Express Pwn Plug had been presented in another DEFCON 23 session called “Pwn the Pwn Plug,” and McGrew pointed to that session for details. The main threat was command injection, which could let an attacker execute commands through the plug and reach the systems the pen testers had already successfully accessed.
The Hak5 WiFi Pineapple was highlighted as having authentication issues, but McGrew said he had been in conversation with Hak5 about releasing an update to fix them. Pen testers who use the Pineapple should watch for that firmware update and apply it as soon as it is available.
McGrew recommended that pen testers avoid “off brand” devices, because most of them are even less secure than the name-brand devices appear to be.
Client Data Management
One thing that is obvious, but may not be followed well, is what pen testers do with the data they have legally and ethically exfiltrated while doing their jobs. First and foremost, all client data should be encrypted for the duration of the job: nothing should be transmitted or stored at rest without adequate encryption. Second, once the engagement is over, the data should either be archived in an equally encrypted form or deleted completely (in a DOD-approved way!).
McGrew’s recommendations were straightforward:
- Check your six!
- Test tools and exploits before operational use
- Be aware of exposed information
- Know the network environment between you and the target. Minimize it.
- Take care when extending networks
- Keep client data, at rest & in transit, encrypted
- Secure archiving, deletion between engagements
- Secure communications with client
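The first two items on that list ("Check your six" and "Test tools and exploits before operational use") start with knowing that the toolkit you carry onto a client network is the one you built, not one an attacker has quietly altered. Below is an added example of that check, written for this post; it is not McGrew's code or any project's. It assumes a toolkit directory whose files are pinned to a SHA-256 manifest (the manifest format, the `toolkit/bin` layout and the sample tools are constructed for the demonstration) and fails closed if anything was modified, removed, or added.

```python
"""Verify a pen-test toolkit against a pinned SHA-256 manifest before use.

Added example, not code from McGrew's talk or from Kali. The manifest
format and the directory layout are assumptions chosen for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large tool binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Snapshot every regular file under root as {relative POSIX path: sha256}."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_toolkit(root: Path, manifest: dict) -> dict:
    """Compare the toolkit on disk with the pinned manifest.

    Fails closed: a modified, missing, or unexpected file all count as a
    failure, because an added file is just as likely to be an implant as a
    changed one.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not (modified or missing or unexpected),
    }


def demo() -> dict:
    """Constructed scenario: pin a clean toolkit, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "toolkit"
        (root / "bin").mkdir(parents=True)
        # Constructed stand-ins for real tool binaries.
        (root / "bin" / "scanner").write_bytes(b"#!/bin/sh\necho scan\n")
        (root / "bin" / "dropper").write_bytes(b"#!/bin/sh\necho drop\n")

        # Pin the clean state. In practice keep this manifest signed and
        # stored off the testing box; a manifest on the same disk can be
        # rewritten by the same attacker who altered the tools.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(root), indent=2))
        manifest = json.loads(manifest_path.read_text())

        clean = verify_toolkit(root, manifest)

        # Simulate an attacker on the testing box: one tool now also copies
        # loot somewhere else, one tool is gone, and a new file has appeared.
        (root / "bin" / "dropper").write_bytes(b"#!/bin/sh\necho drop; cp -r /loot /tmp/.x\n")
        (root / "bin" / "scanner").unlink()
        (root / "bin" / ".cache").write_bytes(b"not a cache")

        tampered = verify_toolkit(root, manifest)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print("clean toolkit ok:", result["clean"]["ok"])
    print("tampered toolkit:", result["tampered"])
```

This catches tampering with your own tools between engagements; it says nothing about bugs in the tools themselves, which is what McGrew's "Use with Care" list is about, and that still needs testing against a lab target before operational use. Regenerate the manifest only from a fresh, trusted build of the toolkit, never from a box that has already been on a client network.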
If you are a pen tester, or work with or manage pen testers, it’s highly recommended that you download McGrew’s white paper and implement his recommendations. (NOTE: Again, this document is hosted on DEFCON servers. My resource to acquire the presentation is not open to the public, and I was not able to find an alternate source.)
For more juicy updates on Black Hat and DEFCON sessions, keep checking back on our blog!