A few years ago all you needed was a 4-port switch and a Kali VM to reliably bypass most controls and have domain admin in a few hours. Defenses and networks have improved, and so should your red team arsenal. Spoiler alert: you’re going to need a bigger backpack. This talk will provide a practical guide to bypassing NAC controls, taking over workstations from the parking lot, and breaking into locked PCs. We’ll walk through 5 different hardware devices: how to build them, how to use them effectively, and how to protect against them.
7. PI GOT UR NAC?
Problem
Active NAC attempts to auth to any system plugged in, along with host checking
Solution – NAC Honeypi
Raspberry Pi + Power Line Adapter + Air Freshener or Tissue Box
SSH Honeypot
Cowrie based
https://github.com/micheloosterhof/cowrie
Responder
https://github.com/lgandx/Responder
9. I’VE GOT THE POWER
Problem
Need to Hide Physical Location
Solution
Ethernet over Power Line
Simple to use
Transmits signal here to there
Allows for stealthier ops
Hide network taps
Hide Raspberry Pis
Hide origin of systems/traffic
11. USB DROPS & SCREEN UNLOCKS
Problem
Need Shellz but Can’t Plug Into the Network
Solution – Getting Shellz
USB Rubber Ducky
Inherently trusted in most environments
Easy to pretend to be a keyboard
https://hakshop.com/products/usb-rubber-ducky-deluxe
Labels may help: Beach Pics, Harassment Evidence, HR, etc.
Curious Users
They plug anything in…
Or take to HR, who then plug it in…
12. WHEN USB DUCKS ATTACK…
Ducky Script
Load a custom payload onto your Rubber Ducky
https://ducktoolkit.com/
PowerShell Attacks, Drop Malware, Etc.
Attack Scenarios
USB Drops
Go Aggro!
Or slightly less aggro…
13. PERIPHERAL ATTACKS?
Problem
Need Shellz but Don’t Have Physical Access
Solution
Wireless peripherals + keystroke injection
Logitech Unifying Receivers
Assorted Microsoft Keyboards + Mice
Can exploit to get remote C2s
Arduino Mouse Jacker
https://github.com/phikshun/uC_mousejack
JackIt
https://github.com/insecurityofthings/jackit
15. SO WHAT NOW??
USB Rubber Duckies
HID/USB device whitelisting (GPO)
Epoxy USB ports
Mouse Jacking
Provide wired/non-vulnerable peripherals
Log external calls for PowerShell
Patch it yourself
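As an added illustration of the HID/USB whitelisting idea on this slide (not part of the original talk), here is a detection pass over device-install events that flags any keyboard-class device whose USB vendor/product pair is not on an issued-hardware allowlist, which is how a Rubber Ducky pretending to be a keyboard stands out. The flattened log format, host names, and vendor/product IDs are constructed; the only real value is the standard Windows Keyboard setup-class GUID.

```python
import re
from collections import defaultdict

# Standard Windows setup-class GUID for keyboards (generic HID is a separate class).
KEYBOARD_CLASS = "{4d36e96b-e325-11ce-bfc1-08002be10318}"

# Allowlist of (VID, PID) pairs for issued keyboards. Constructed placeholder
# values; a real list is built from the hardware inventory.
ALLOWED_KEYBOARDS = {("1A2B", "0100"), ("1A2B", "0101")}

# Constructed sample log: Kernel-PnP "device configured" (event 400) entries, one
# per line. Lines 3-4 model an unknown device enumerating as keyboard + second HID.
SAMPLE_LOG = """\
2024-05-06T08:01:12Z host=WS-0412 event=400 device=HID\\VID_1A2B&PID_0100&MI_00\\7&2a1b&0&0000 class={4d36e96b-e325-11ce-bfc1-08002be10318}
2024-05-06T08:02:40Z host=WS-0412 event=400 device=USB\\VID_0BDA&PID_8152\\000100 class={4d36e972-e325-11ce-bfc1-08002be10318}
2024-05-06T13:44:09Z host=WS-0412 event=400 device=HID\\VID_F000&PID_FF02&MI_00\\8&11ff&0&0000 class={4d36e96b-e325-11ce-bfc1-08002be10318}
2024-05-06T13:44:09Z host=WS-0412 event=400 device=HID\\VID_F000&PID_FF02&MI_01\\8&11ff&0&0001 class={745a17a0-74d3-11d0-b6fe-00a0c90f57da}
2024-05-06T14:10:33Z host=WS-0099 event=400 device=HID\\VID_1A2B&PID_0101&MI_00\\7&3c3c&0&0000 class={4d36e96b-e325-11ce-bfc1-08002be10318}
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"device=(?P<device>\S+) class=(?P<cls>\{[0-9a-fA-F-]+\})$"
)
ID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")

def parse_line(line):
    """Split one flattened event into fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ids = ID_RE.search(rec["device"])
    rec["vid"], rec["pid"] = (ids.group(1).upper(), ids.group(2).upper()) if ids else (None, None)
    return rec

def find_rogue_keyboards(log_text, allowed=ALLOWED_KEYBOARDS):
    """Return (timestamp, host, 'VID:PID') per unapproved keyboard-class install, once per host."""
    findings = []
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["event"] != "400" or rec["cls"].lower() != KEYBOARD_CLASS:
            continue
        pair = (rec["vid"], rec["pid"])
        if pair in allowed or pair in seen[rec["host"]]:
            continue
        seen[rec["host"]].add(pair)
        findings.append((rec["ts"], rec["host"], f"{rec['vid']}:{rec['pid']}"))
    return findings
```

The same allowlist is what a device-installation-restriction GPO enforces preventively; the detection pass catches what the policy missed or what was plugged into a machine outside the policy's scope.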
16. SO WHAT NOW??
Powerline Adapters + Network Tap
Physical security & user awareness
Limit use of clear text protocols
Raspberry Pi
Rogue device detection
Don’t auth to every system
Ensure NAC service account passwords are complex as in RANDO…
Don’t SSH auth to every system… (or use certs)