An air freshener with network connectivity? Better disguises immediately come to mind.
The power brick approach is an improvement but still makes the following assumptions:
* location of network ports is at floor level hidden under desks
* power and network cable colours match
* an employee won't disconnect a seemingly useless box when they need to charge their phone
* port security is not in use
A replacement "trojan horse" computer or printer that has been modified externally is a stealthier approach. Such devices have a reason for being connected to a power source and the network and do not raise suspicion (especially if the replacements are soiled and have worn asset stickers attached). Local IT staff will ensure the devices have network connectivity and will likely assume (in the case of a computer) that suspicious network traffic is the result of a virus.
Failing that full blown approach, even a "signal booster" could be a better disguise. An average person will think of their analogue TV and radio signal boosters. Further disguise can be added by soiling the devices, attaching asset stickers and stickers for a matching fake brand name and fake website where suspicious users can have their fears alleviated. The website has the added benefit of alerting the attacker that their device has been potentially compromised.
You're assuming that the local IT staff regularly monitor network traffic and are generally competent. Sadly, that isn't always the case. The attacker may also only need a few hours to get the data he is after, a fairly small window. As well, they'd have to be monitoring internal traffic, not just outgoing, as with one of these plugged in an attacker would be on the internal network. Most likely this type of attack would have to be detected by noticing that someone was accessing files, or trying to anyway, they had no business accessing rather than network traffic per se.
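The detection gap raised above (a box on the internal network that nobody notices unless it touches files it should not) is the one that an audit of the switch's learned addresses closes cheaply. The following is an added example, not code from this thread or from the product being discussed: it parses a constructed, Cisco-style `show mac address-table` dump (the column order is an assumption), compares it against a constructed asset inventory, and flags unregistered MAC addresses on access ports as well as access ports carrying more than one host. Uplink ports, where many addresses are expected, are excluded.

```python
"""Flag MAC addresses on switch access ports that are not in the asset inventory.

A drop box plugged into a spare wall jack appears on the switch as a learned
MAC address that nobody registered. Comparing the learned-address table with
the asset inventory is the cheapest form of the "port security" the thread
mentions and needs no extra hardware. Added example; all data is constructed.
"""
import re
from collections import defaultdict

# Constructed sample in the layout of a Cisco-style 'show mac address-table'.
# Assumption: the real output follows this column order (Vlan, MAC, Type, Port).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/12
  10    0011.2233.4466    DYNAMIC     Gi1/0/13
  10    dead.beef.0001    DYNAMIC     Gi1/0/14
  10    0011.2233.4477    DYNAMIC     Gi1/0/14
  10    aabb.ccdd.eeff    DYNAMIC     Gi1/0/24
 All    0100.0ccc.cccc    STATIC      CPU
"""

# Constructed asset inventory: normalised MAC -> asset tag.
INVENTORY = {
    "00:11:22:33:44:55": "WS-0412 (workstation)",
    "00:11:22:33:44:66": "WS-0413 (workstation)",
    "00:11:22:33:44:77": "PRN-07 (printer)",
}

# Ports that legitimately carry many addresses (trunks, uplinks); constructed.
UPLINK_PORTS = {"Gi1/0/24"}

# One data row: vlan, dotted-hex MAC, entry type, port name.
ROW_RE = re.compile(
    r"^\s*(\w+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\w+)\s+(\S+)\s*$"
)


def normalize_mac(raw):
    """Convert any common MAC notation (dotted, dashed, colon) to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return a list of {vlan, mac, type, port} dicts; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            vlan, mac, kind, port = match.groups()
            rows.append({"vlan": vlan, "mac": normalize_mac(mac),
                         "type": kind.upper(), "port": port})
    return rows


def find_rogues(rows, inventory, uplink_ports):
    """Return (port, mac_or_macs, reason) tuples for anomalies on access ports."""
    findings = []
    per_port = defaultdict(list)
    for row in rows:
        # Static/CPU entries are the switch itself; uplinks carry many hosts by design.
        if row["type"] != "DYNAMIC" or row["port"] in uplink_ports:
            continue
        per_port[row["port"]].append(row["mac"])
        if row["mac"] not in inventory:
            findings.append((row["port"], row["mac"], "unregistered MAC on access port"))
    # A second address on a single-host port is how an inline box or a hub shows up.
    for port, macs in sorted(per_port.items()):
        if len(macs) > 1:
            findings.append((port, ",".join(sorted(macs)), "more than one host on an access port"))
    return findings


def audit(table_text=MAC_TABLE, inventory=INVENTORY, uplink_ports=UPLINK_PORTS):
    """Parse and audit in one call; returns the findings list."""
    return find_rogues(parse_mac_table(table_text), inventory, uplink_ports)


if __name__ == "__main__":
    for port, macs, reason in audit():
        print(f"{port:10} {macs:40} {reason}")
```

On the sample this reports port Gi1/0/14 twice: once for the unregistered address and once because the port now carries two hosts. MAC addresses are easily changed, so an inventory diff only catches the careless case; the 802.1X/NAC enforcement mentioned elsewhere in the thread is the stronger control, and this audit is what you run where that is not deployed.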
I like the idea of a signal booster. That is actually a great idea for disguising these things. I've seen these things before and figured it would be best to just run the Ethernet behind a printer or something and hope that people don't notice it was still continuing on past the device, but your idea is even better. Everyone complains on some level about their Internet, just install the 'signal booster' to give them a stronger connection. ;-)
I built a similar device myself, following instructions given at [1]. Very handy little device, for multiple non-malicious reasons. I can carry a wireless router, power supply and cable around in my jacket pocket, and you can do fun stuff like telling the wireless router to transparently send all traffic through something like OpenVPN (or Tor, if you're paranoid). Makes security in potentially hostile environments very straightforward.
It's interesting that the article never mentions that to use that he had to find a power plug with a free ethernet plug next to it. That might not be trivial in all environments. It gets a lot more suspicious if he has to search for that for a long time in the bank. Also someone might question why the ethernet cable is there at some point. Just saying the article makes it sound easier than it actually is for a non technical person.
I think the cluster of bricks around power outlets in bank offices is rarely examined nor questioned by anyone with any kind of background. And if the chap sent out to change the printer toner questions it, someone will just tell him someone from IT put it there a few weeks ago...
I've done pen testing in the past and I've made similar 'plugs' like this. It's quite simple to make one of these, all you need is a router that can run openwrt and a case of some sort (pelican cases work nicely), tear it apart, flash it, paint the case and that's about it - total cost was about ~$100 + 2 hours of time and as an added bonus openwrt comes with a webui. Maybe this offers more...
Same. I built one in the late 90s as a pen test project. It only had network support, no wifi, but you could plug it in anywhere and it would arpflood and then passive listen for everything, before running through some rules on what to keep and then sending it back to a dump box (and saving it to disk).
I was part way through setting it up to spoof as an active directory backup (or primary auth server) before we had the plug pulled.
Did two real pentests with it. Went back to the client with a list of 90% of their passwords and hundreds of web account authentication details (shopping sites, email, amazon, slashdot, etc.).
I'd love to build one again today. Battery powered and a lot smaller than what is seen in that Ars article. They would be so cheap that it wouldn't be worth retrieving - just letting them run for a week and being able to reverse shell into it to control it.
Hacking an android phone would be good for this. Remove the screen and get 10+ days of battery life of just the OS running (remove bluetooth, etc.). Package it as something that looks innocent or place it under carpet or in a void space in a wall.
It is certainly easy to flash openwrt on a linksys router and throw it in a case. This thing may not be the best thing since sliced bread but let's be honest, what you described is a far cry from what is being displayed here (which also has a webui). I am not affiliated with these guys but I am also not going to pretend that this is nothing more than a linksys and two hours on a Sunday.
Does your $100 include 3G hardware? Or is it included in the $80 price tag that you mentioned in a different post downthread?
Does your pelican case look as innocuous as this thing does plugged into the wall at XYZ Corp?
Do you think you could mod a vanilla openwrt installation to do the NAC/802.1x/RADIUS bypass in two hours?
Do you already have a reliable/repeatable process to get through basic corporate IPS/FW and get a reverse shell? Can you rattle it off the top of your head right now? If not it's going to be tough to implement in two hours...
Indeed. And if you look at it from a cost basis think about what a fortune 50 company would have to do to get an IT department to design and deploy an appliance like this. A lot more than $500 I bet...
I've made a fine living doing just that using Sheevas and Alixes before that and Soekris before that. Corporate IT is completely unprepared to do what it takes to wrangle these little embedded monsters. If it hasn't already got a web gui, they're more or less sunk. $520 is a bargain to (ahem) plug and play.
They're not trying to fool anyone by saying that they've made a magical new product. It's straightforward software, as a service, in a can.
Well the 'elite' version is ~$750... that's getting pretty ridiculous when I could and have built something similar with openwrt and a pelican case for ~$80 + the 45 or so minutes to tear the router apart and flash openwrt on to it. As an added bonus it comes with a webui.
I never had to use 3G, just connect to an unbroadcast SSID of the router. If I was really determined to have 3G I would tether a pay-and-go phone to a usb port, but I don't see the usefulness of 3G when I have wifi.
You said similar for $80. Does your busted pelican box look as innocuous as this thing does in an average corporate environment?
Have you done a lot of large scale corporate pen tests? I used to do a lot of pentest/wireless audits for IBM. Sure I could sit in the parking lot of Dr. Bob's Dermatology practice and maintain a decent signal strength to his wireless network. But what are you going to do in downtown Manhattan when the client is on the 25th-35th floors of a building in the financial district? Does your pay as you go phone fit into your classy corporate looking pelican box? How does that pelican box look now that there is a second cord running out of it to charge the pay as you go phone?
Now do you see the usefulness of built in 3G?
PS: I just noticed that you have posted your description twice now. Is it $80 or $100?