In the ever-changing world of cybersecurity, the need for effective and portable tools is more pressing than ever. At the Hack 2024 conference, an innovative device based on a Glinet router was unveiled that addresses this need directly. This pocket-sized device promises to revolutionize penetration testing, Red Team operations, and physical intrusions by offering power and versatility in an ultra-compact format.
Speaker Clovis Carlier, better known by his pseudonym Joytide, is a cybersecurity expert with several years of experience; he currently works at Cogiceo, a company specializing in security audits. He captivated his audience by demonstrating how his device overcomes complex environmental and logistical challenges.
The need for portable network devices
Background and challenges
Cybersecurity professionals, particularly pentesters, often encounter situations where bulky, cumbersome devices are simply impractical. The varied and sometimes hostile environments in which they must operate require tools that can be easily adapted without compromising performance. Discretion is often essential, making large devices undesirable, for example during penetration testing.
In addition, the ability to avoid moving bulky or fragile equipment is an advantage, both financially and environmentally.
One of the major constraints of intrusion testing is that it is often mandatory to be physically on site (or else to set up a VPN with the client, which can quickly become extremely complicated, both logistically and in terms of time). The usual solution is therefore to send someone directly to the site, which is neither environmentally friendly (depending on the mode of transport) nor cost-effective (time lost by the auditor), and which is often complicated logistically (site outside the city, combination of modes of transport, accommodation and catering, etc.).
It is therefore necessary to have a device that is as compact as possible, can be sent by parcel, and is capable of autonomous WAN access, in order to set up a VPN between the device and the auditor for remote auditing.
From a customer data security perspective, the implant must not contain any data, in order to prevent data leaks in the event of the package being lost or intercepted.
The solution must be "turnkey" for the audit client, as there may not necessarily be IT-competent staff at all the sites to be audited.
Examples of common uses
I mentioned intrusion tests earlier. The advantage of a device the size of a smartphone is that it can be easily hidden once installed, and also that it allows the auditor to move around the premises with the implant without arousing suspicion.
In addition, sending a box that is self-contained in terms of network access and configuration allows the implant to be sent to a factory or branch office, for example, where anyone without IT expertise can connect it to the company network.
Presentation of the device based on the Glinet router
Technical presentation of the implant
The miniature implant is based on a GLiNET XE300 4G router: a smartphone-sized device that is small, silent, and inexpensive. Its two RJ45 ports, a requirement for this use, are what make NAC (Network Access Control) bypassing possible.
It runs OpenWRT, a free Linux-based router OS that offers extensive plugin development capabilities and already integrates some useful tools, such as VPN servers.
The router has a built-in battery that allows it to be completely autonomous when paired with 4G.
It can also host tools that are impractical to run through the VPN tunnel (because of bandwidth limitations, monthly data caps, or patchy mobile coverage), such as Responder, Nmap, etc.
Its installation and logistics are therefore very simple.
Implant security
As the implant is sent by mail and may be installed in an unsecured area, it is essential to assess the security of the implant.
From a storage perspective, the internal memory and microSD card are encrypted.
The router's firmware has been customized, making reverse engineering more complicated (secure serial TTY, local firewall, Linux hardening).
The router still needs to be physically protected: the debug pins, which give local access to the system, can for example be sealed with super glue.
Practical scenarios
The implant can easily be used, for example, in an audit at a factory located far from the city (saving the auditor time traveling to the site for a few hours of auditing, and possibly saving them hotel accommodation), and plugged into a standard network socket or computer rack.
Another scenario would be to enter a company's premises (as part of an audit) and connect the discreet implant between a socket and a piece of equipment (PC/printer), for example, thereby bypassing the NAC.
Implant limitations and workarounds
The main limitation of the router is its 128 MB of RAM, which restricts the use of certain resource-intensive tools (such as Scapy, a tool used to manipulate, intercept, or generate network packets).
How can this be done without Scapy? With iptables/nftables (the TEE target or the dup statement)? That does not work, because these require the destination of the duplicated packets to be declared in advance, and it is unknown while passively listening to the network, particularly during the NAC bypass phase.
A tool was therefore developed by Clovis and Cogiceo to compensate for the absence of Scapy. The tool is called AAN. It creates a transparent bridge between the router's two RJ45 interfaces and captures information from the supplicant's traffic as it passes through.
4G depends on the coverage of the different operators (dead zones, etc.) as well as on real-world bandwidth limitations (4G categories 4 and 6 theoretically allow 300 Mbps, but in practice speeds are closer to 30 Mbps). This can be worked around by connecting the router to the customer's Wi-Fi or directly to a connection that is not subject to NAC, etc.
802.1X bypass feature
Explanation of the 802.1X protocol
The 802.1X protocol is a network protocol that allows different devices on the network to be authenticated. It is used on both wired and WLAN (wireless) networks.
To authenticate devices, 802.1X can rely on the following elements, depending on the configuration: MAC address, user, certificate, etc.
The 802.1X protocol involves the following three parties:
- The supplicant: the device (computer, printer, smartphone, etc.) that is attempting to connect to the network and must be authenticated. It initiates the authentication process.
- The authenticator: the network equipment to which the supplicant is connected (for example, a switch for wired connections or an access point for WLAN). It acts as an intermediary with the authentication server.
- The authentication server: often a RADIUS server. Its role is to verify the supplicant information relayed by the authenticator, and it then determines whether or not the supplicant is authorized to connect to the network.
802.1X authentication process:
- When the device (supplicant) connects to the network (wired or WLAN), the port enters the "unauthenticated" state: the link is up, but no network access is granted, so no IP address is obtained if DHCP is in use.
- The supplicant communicates through the authenticator, which acts as an intermediary with the authentication server, using the EAPOL (Extensible Authentication Protocol over LAN) protocol.
- The first message is sent by the supplicant, which sends an EAPOL-Start message to initiate the exchange. The authenticator responds with an EAP-Request message to ask for authentication information.
- Once the exchange between the supplicant and the authentication server is complete, the server sends a "Success" or "Failure" message to the authenticator (e.g., switch or access point), depending on whether or not the client's authentication is accepted.
- If the EAP-Success message is sent, the port switches to "authenticated" status and network access is granted. Otherwise, the port remains in "unauthenticated" status, which does not allow network access.
Communication between the authenticator and the authentication server is protected by a shared secret (a pre-shared key, PSK), which makes it more difficult to intercept and/or modify the exchanges between them.
In summary, the 802.1X protocol is essential for verifying whether a device is legitimate to connect to the corporate network.
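As an added illustration (not code from the talk or from Cogiceo's AAN tool), the following Python decodes the EAPOL and EAP headers exchanged in the process above and replays the per-port state machine over a constructed frame sequence; it also counts EAPOL-Start and EAPOL-Logoff frames, which is the pattern a defender would watch for in the flooding attack described further down. The threshold, the sample frames and the identity "user" are assumptions.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame: bytes) -> dict:
    """Decode the 4-byte 802.1X header (version, packet type, body length) and,
    for EAP-Packet bodies, the 4-byte EAP header (code, identifier, length)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) < length:
        raise ValueError("EAPOL body shorter than declared length")
    info = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:
        if len(body) < 4:
            raise ValueError("truncated EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap"] = {"code": EAP_CODES.get(code, code), "id": ident, "len": eap_len}
    return info

def port_state(frames, threshold: int = 3) -> dict:
    """Replay the frames seen on one authenticator port. The port starts
    'unauthenticated', becomes 'authenticated' only on EAP-Success, and drops
    back on EAP-Failure or EAPOL-Logoff. 'flood' is set when Start or Logoff
    frames exceed the (assumed) threshold, as in the DoS variant."""
    state, starts, logoffs = "unauthenticated", 0, 0
    for frame in frames:
        pkt = parse_eapol(frame)
        if pkt["type"] == "EAPOL-Start":
            starts += 1
        elif pkt["type"] == "EAPOL-Logoff":
            logoffs += 1
            state = "unauthenticated"
        elif pkt["type"] == "EAP-Packet" and pkt["eap"]["code"] == "Success":
            state = "authenticated"
        elif pkt["type"] == "EAP-Packet" and pkt["eap"]["code"] == "Failure":
            state = "unauthenticated"
    return {"state": state, "flood": max(starts, logoffs) > threshold}

# Constructed frames (EAPOL v1): Start, EAP-Request/Identity,
# EAP-Response/Identity carrying "user", EAP-Success, Logoff.
START = bytes([1, 1, 0, 0])
REQ_ID = bytes([1, 0, 0, 5]) + bytes([1, 1, 0, 5, 1])
RESP_ID = bytes([1, 0, 0, 9]) + bytes([2, 1, 0, 9, 1]) + b"user"
SUCCESS = bytes([1, 0, 0, 4]) + bytes([3, 1, 0, 4])
LOGOFF = bytes([1, 2, 0, 0])

if __name__ == "__main__":
    print(port_state([START, REQ_ID, RESP_ID, SUCCESS]))  # authenticated, no flood
    print(port_state([LOGOFF] * 5))  # unauthenticated, flood flagged
```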
Main attack vectors of 802.1X
Several attack vectors are widely used against 802.1X. One aims to bypass the authentication service: the Man-In-The-Middle attack. Others aim to bring the authentication service down, such as DDoS (Denial of Service) attacks.
A Man-In-The-Middle (MITM) attack involves spying on the network by placing a device, usually between a legitimate device and a network device, with the aim of listening in on all network traffic between these two devices.
Once the network traffic has been listened to and analyzed, it is possible to retrieve a number of interesting pieces of information for the purpose of authenticating oneself on the network: MAC address, username and its hash, certificate of the legitimate equipment, etc.
It is now possible to perform ARP spoofing using the MAC address of legitimate equipment in order to impersonate it and thus gain access to the network.
It is also possible to carry out the same type of attack using the certificate or login/hash combination obtained during the listening phases.
With a MITM attack, it is also possible to carry out an EAPOL session hijacking attack (EAPOL being the protocol used for authentication). The implant must manipulate EAPOL messages while the legitimate supplicant authenticates itself in order to gain access to the network.
A DDoS attack, or denial-of-service attack, consists of making the service unavailable to legitimate users. It can be carried out in various ways, for example by targeting the authentication servers (sending a large number of unwanted EAPOL-Start requests to overload the server, or a large number of EAPOL-Logoff requests to log legitimate users off the network).
Other attacks (which we will not discuss), such as exploiting vulnerabilities on RADIUS servers and network equipment, are also possible in order to authenticate or sniff network traffic.
Bypass tool to be used on the router implant
The implant, thanks to its two network interfaces, allows MITM attacks to be carried out: one interface connected to the supplicant side and one to the network equipment side.
The auditor, connected via 4G and their VPN tunnel, can therefore sniff network traffic and retrieve information for the purpose of authentication.
This attack is very effective because it is difficult to identify on the authentication servers, provided that the implant replicates the supplicant's traffic exactly and does not send any traffic of its own (such as frames carrying its own MAC address); it must act as a transparent bridge.
This tool can be used when intruding into a company's premises. Simply connect the implant to a network port connected to legitimate equipment, which is often unmonitored and located in a common area (e.g., a printer, TV, or IP phone). The best approach is to connect the implant between a user's PC and network equipment in order to obtain their network credentials.
Given the size of the implant, this procedure may be fairly easy to perform.
Conclusion
Summary of key points
The major advantages of the implant are its size (the size of a smartphone) and its autonomy (battery and 4G WAN).
These two advantages greatly simplify logistics operations, whether for transporting equipment or the need to have an auditor physically on site.
The implant can also be used to perform multiple audits simultaneously at several different sites.
The final advantage is the reduced cost of the implant, which makes it possible to have several implants.
Importance for the future of cybersecurity
These implants, kept to a minimum size, are as useful to legitimate auditors or testers as they are to hackers. Given how easy they are to transport and use, as well as their low cost, hackers will have no trouble obtaining and deploying them.
This is why it is essential to add further layers of security to network authentication and to access to premises (physical security). Anti-disconnection systems could also be considered for unmonitored outlets such as those for printers, in addition to segmenting the network for such devices.
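One concrete form of the "anti-disconnection" monitoring suggested above, as an added example that is not from the talk: a small Python checker that flags link flaps on ports inventoried as unattended (printers, IP phones) from switch syslog lines. The log format, the port inventory and the 300-second window are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed log format (syslog-like link up/down messages) and a constructed
# inventory mapping unattended ports to the device expected on them.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LINK-UPDOWN: Interface (?P<port>\S+), changed state to (?P<state>up|down)$"
)
UNATTENDED = {"Gi1/0/12": "printer-2f", "Gi1/0/30": "ip-phone-lobby"}
SAMPLE_LOG = """\
2024-03-14T09:12:01 LINK-UPDOWN: Interface Gi1/0/12, changed state to down
2024-03-14T09:12:48 LINK-UPDOWN: Interface Gi1/0/12, changed state to up
2024-03-14T09:40:10 LINK-UPDOWN: Interface Gi1/0/5, changed state to down
2024-03-14T09:40:20 LINK-UPDOWN: Interface Gi1/0/5, changed state to up
2024-03-14T10:02:00 LINK-UPDOWN: Interface Gi1/0/30, changed state to down
"""

def flag_flaps(log: str, max_gap_s: int = 300) -> list:
    """Return one alert per unattended port that went down and came back up
    within max_gap_s (long enough to insert an inline device), or that went
    down and never returned (device possibly unplugged). Ports that are not
    in the inventory are ignored."""
    last_down, alerts = {}, []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["port"] not in UNATTENDED:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if m["state"] == "down":
            last_down[m["port"]] = ts
        elif m["port"] in last_down:
            gap = int((ts - last_down.pop(m["port"])).total_seconds())
            if gap <= max_gap_s:
                alerts.append((m["port"], UNATTENDED[m["port"]], f"re-linked after {gap}s"))
    for port, ts in last_down.items():
        alerts.append((port, UNATTENDED[port], f"down since {ts.isoformat()}, not back up"))
    return alerts

if __name__ == "__main__":
    for alert in flag_flaps(SAMPLE_LOG):
        print(alert)
```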