After F-Secure principal security consultant Tom Van de Wiele stepped into the #CyberSauna for the second episode of our new podcast “Breaking Into Infosec: Advice from an Ethical Hacker,” he was met with a flurry of questions about Red Teaming and hacking corporate secrets as part of a Red Team in general.
So he decided to do his first reddit “Ask Me Anything” session.
His thread “I’m an ethical hacker hired to break into companies and steal secrets – AMA!” shot to the top of the “IAmA” subreddit and into reddit’s front page, where it remained for most of the weekend. Among the more than 3,000 comments, redditors asked him if he ever got into trouble with the law, how he got into red teaming, and what the weirdest thing he ever came across while being paid to break into a business.
All of the answers are worth reading but Tom’s response to the question “What does your hacking kit look like?” caught the imagination of a lot of aspiring hackers and even some of his F-Secure fellows.
Tom explained to me that while he understands why kit is interesting, it’s important to keep in mind that tools alone won’t make you a competent ethical hacker.
“I can watch one of those master chef shows on TV and ask what kind of knife and oven the chef is using and go buy them. But the right knife cannot replace of years of experience,” he said. “These are tools and are means to an end. What matters most is social engineering know-how and understanding how a company fundamentally works so you can exploit the shared responsibilities that come with running the technology, processes and people of a company or organization.”
His kit is also not available straight off the rack.
“All the electronics used have been customized to meet our needs to ensure we have a wide range of older and the latest and greatest attacks ready to try out so that testing can occur more cost-efficient and to maximize our chances of success as an attacker. The default attack tools and hardware right out of the box will usually get you detected and usually do not offer what we need not only for an attack but also for logging our actions accurately. Logging is something a real attacker doesn’t have to care about, but it’s something we as Red Teamers are obliged to do so that the customer can later backtrack as part of incident response. Customization is key to stay under the radar at least for the first phases of the attacks while providing value to our Red Teaming customers.”
With these warnings in mind, Tom said he’d be happy to follow up that introduction to his red teaming kit with some more explanation and visual documentation.
So here’s what is inside Tom’s kit:
1: Clipboard, fluorescent vest, helmet or any other clothing that will fit in to the environment you want to get into fitting the pretext scenario the attacker devised based on extensive information gathering
2: Ethernet USB adapters, WiFi adapters for credential extraction in conjunction with (4)
3: Ethernet cables and other cables
4: Rogue network implant for later persistent access to the internal network from the internet, controlled by F-Secure
5: Proxmark3 (above) & special purpose (below, in white) RFID/NFC access card/token copier and cloner
6: Customized “Rubberducky” or similar automated keyboard/mouse HID device for fast payload selection and typing out or for opportunistic password brute-forcing depending on target
7: “PocketCHIP” mini-computer with WiFi antennas for on-the-fly rogue WiFi access point attacks and attack tools including credential harvesting or ethernet based credential theft or man-in-the-middle payload delivery tools. Power banks (not shown)
8: Banana for scale, and for walking around the building with. People holding things aren’t regarded as suspicious and “belong”
9: Pliers, screwdrivers and other tools are used to get past certain locks, lockers (holding access cards, backup tapes, keys, access tokens, etc) or rack locks
10: Lockpick kit along with (not shown) pick-guns, “bump keys” and “jiggler keys”
11: Foldable keyboard for when needed
12: Lanyard with key and USB thumbdrive holding fake documents that are attractive to the lucky finder to open in order to compromise the computer of the target company; if the computer is part of the target company’s infrastructure only. These are dropped inside the building when possible or outside on the parking lot or bike shed as part of a “lost my keys” social engineering scenario.
13: “LAN Turtle” for miscellaneous stock and custom made network based attacks
14: FLIR infrared camera module to be hooked up to a smartphone in order to photograph the latent heat left on keypads when standing behind employees. This will result in the PIN being exposed even if the employee covered up their fingers typing in the PIN up to a minute after typing it
15: USB keyloggers with WiFi allowing us to see what you are typing from outside the building or over the internet when combined with the rogue network implant from (4)
Follow Tom on Twitter for his further adventures in #protectyouraccesscard and so you’ll know the next time he steps up for some more questions, either in the #CyberSauna or on reddit.