Patrick Lambert describes two innovative tools that can be used by pen testers — but also by those with more nefarious plans. Here are two gadgets IT pros should know about.
Almost every month there's news of brand-new hacks against large companies, and of new ways that remote attackers can get access to sensitive corporate data. Since the Stratfor incident, where basically every single piece of corporate email and information was leaked for everyone to see, it's clear that new methods are appearing all the time. But it's not just the bad guys who probe the most sensitive networks and computer systems around; there are also the good ones, white hat hackers employed by those companies to do penetration testing. Once viewed as a luxury that most corporate budgets couldn't accommodate, penetration testing is now common practice, and it helps the industry find those problems and make management aware of them, hopefully before a disaster happens. Today, however, let's look at two tools that aren't so much devious or groundbreaking as just wild and interesting: hacking networks in style with the Transparency Grenade and the Pwn Plug.
The culture that grew out of WikiLeaks, where many people see the secretive practices of large governments and corporations as something to fight against, gave rise to many hacktivists who go out of their way to find sensitive information, not for their own monetary benefit, but simply to publish it for the world to see. One of the most interesting projects to come out of this mindset is the Transparency Grenade. Have you ever been in a classified meeting, or looked at top secret documents on the company intranet, and thought to yourself that the world should know about this? Well, fret no more: all you need to do is pull the pin out of this life-size grenade, and the onboard computer inside it will capture everything it can, from audio to network traffic, and publish it all online! Created by Julian Oliver as a one-off project, this impressive-looking device is the size of a genuine Soviet hand grenade and can sit on a desk, ready to be activated. Now, of course, this isn't very secretive, and it can be seen by everyone, but the idea behind it is provocative. Also, it's not a real product that you can order, but simply a side project, although the website says the core concept will live on as part of an Android app.
A second tool that's of interest to many people is an actual product, and can be bought by individuals and companies alike. It's the Pwn Plug, a small power adapter that looks like a very innocent white box plugged into the wall, next to many similar ones. But this device hides a full computer system running Ubuntu Linux and filled with penetration testing software. The concept of a drop box, a small computer that can be left behind in a sensitive location, isn't new. But any suspicious box would likely be noticed, and may run out of battery at some point. The Pwn Plug solves both problems, since it looks like a normal power adapter and gets its power right from the wall. It could stay behind for months without being detected, collecting network information and transmitting it to the outside. The product is sold to companies and pen testers by Pwnie Express, and the basic box comes with all the software you need to do your testing. It can be accessed in a myriad of ways that bypass most firewalls, and it also provides a web interface.
But even better, the elite version comes with a built-in GSM radio, so that it can be accessed over the air, from anywhere. All you need to do is insert a SIM card into a small USB adapter, plug it into your PC, and you can access your Pwn Plug regardless of where you left it. This concept is so simple it's brilliant, and it has already been used successfully by a lot of pen testers, since it makes the process so much easier. You no longer need to show up at a client with a computer or a bunch of devices, just a simple plug that you can leave behind, and before you even leave the building, you get a text message on your phone from the device telling you that it has started working.
There's no question that creative people are coming up with very interesting ways to get around security, for good and bad reasons. Without going into the ethical issues of the type of disclosure given by the Transparency Grenade, or the destructive potential of the Pwn Plug, these types of innovative tools are really interesting, and IT pros should be aware of them. Both of these devices can be used for legitimate purposes, but they can also be put to highly damaging uses. Either way, it's clear that we'll keep seeing more items like these in the future.