The Scenario
The client would like to test the controls in their environment as if I were an employee. This means utilizing a heavy restricted Windows machine to perform testing because outside equipment is not authorized. Users are not local admins and the group policies applied to employee workstations are quite restrictive (ex. no mass storage). To top it off, this environment utilizes application whitelisting.
The Goal
The goal of the test is to find any gaps in their procedures or controls that would allow an employee to get away with something nefarious.
The Plan
After some thinking, I decided it was reasonable to assume that a wireless dongle would be authorized. Ideally this meant I would go into the environment, plug the dongle into the desktop I was testing from and connect to my portable backpack network. I will be referring to this setup as paclan.
The Solution
To turn the paclan into a reality, I began ordering some things. If the links below die, you can mix and match pieces pretty easily. If you need help with that- reach out!
- Low Profile Edimax Wi-Fi USB x 2
- ODROID-C2
- Don’t forget the ODROID-C2 case like I did
- ZyXEL Wireless Travel Router
- Crave PowerPack 50,000 mAh battery
- Memory Card Reader/Writer
- MicroSD Card
Here’s a few pictures of it all put together (the bag comes with the crave battery):
The Attack
After getting all of my Amazon packages, I flashed Kali Linux onto the MicroSD card and plugged it into the ODROID-C2. After getting the OS configured on the ODROID-C2, I plugged in the wireless dongle and connected it to the ZyXEL Wireless Travel Router. Now that the ODROID-C2 is connected to the ZyXel wireless router, you’re ready for the next step. First disconnect your victim workstation from the corporate network (unplug the ethernet in this case) and use a wireless dongle to connect them to the paclan.
You can now attempt to escalate or bypass antivirus without setting off any alarms. Without access to the corporate network, the Windows host cannot call out and alert anyone of you activities (until you reconnect it to the corporate network). Using this tactic, an attacker can find a payload that works before alerting anyone of malicious activity. Then after their PC is cleaned, they will know exactly what payload works and effectively bypass the controls that are in place. At this point, you can shift from attacking the host to attacking the network.
To make this a bit more clear, here’s a diagram:
This setup also allows an easy way exfiltrate data. The environment blocked mass storage but that doesn’t matter if you are able exfiltrating data to an SMB server. Data being copied to a network share over SMB is a perfectly valid operation, so it is less likely to throw red flags.
FAQ
Question: How long were you able to run this setup?
Answer: The rig ran for ~35 hours (yes you read that correctly) before finally exhausting all the power in the Crave PowerPack. I was actively using the ODROID-C2 for roughly 8 hours.
Question: Did this setup get very hot in your backpack?
Answer: It got a bit warm but it never got hot enough that I was concerned.
Question: Why did you use an ODROID-C2 instead of a Raspberry PI?
Answer: I chose the ODROID-C2 because the Raspberry PI (the original one) that I had laying around did not run Kali very well. It was very laggy on the command line and I couldn’t run Metasploit as the PI didn’t have sufficient memory.
Question: Why not use a BashBunny? It can replace this entire setup.
Answer: Yes it can. I purchased one of those and brought it just in case. Sadly the restrictive GPO didn’t allow me to configure network settings so I could not give it a proper IP. As application whitelisting was in place in the environment I would not be able to make any sort of SSH or Serial connections to the BashBunny.