Pen Testing with the Flipper Part 2: Grab Data and Exfiltrate

Social engineering is a big part of this kind of pen test and it can work quite well (phishing emails are another good example of social engineering), but it can't do everything. At the end of part one, our fictional pen tester gained access to a building using social engineering and the card scanner function, but if you walk up to the front desk and say, "May I have some sensitive files, pretty please?" you'll get thrown out.

When it comes to grabbing data, the BadUSB function is your best bet. For that, you need to access a computer that both has sensitive files on it AND is logged in. That could be tricky. Now, if tools other than the Flipper were allowed, the second part would be easy. Anybody with just a little know-how and a USB stick can get a computer's password. No, not the Hollywood "I'll look around the room for 30 seconds" method, I mean the "boot drive > access system files > grab password" way. But, if other tools were allowed, this would be a far different hypothetical. So, how do you get logged in?

Since no function on the Flipper (that I'm aware of) can bypass passwords on computers, you're going to have to be smart about this one. Social engineering is pretty much your only option, specifically relying on looking like you know what you're doing. If you have a fancy lanyard and a quick tongue, people will let you do almost anything. Specifically, find someone who looks gullible and say you're from IT, that you need to change network security architecture, or some nonsense like that.

Now, this method varies in effectiveness based on a few factors. In smaller companies, the higher-ups with the nice juicy data know the people in IT and would ask questions if you just showed up out of nowhere. Newer employees, while more vulnerable to this kind of thing, probably don't have anything too interesting on their computers. Now, if it's a big company with lots of workers, you'll have a better shot, since higher-level employees are much less likely to know people in IT, making your lie a bit more convincing.

Alright, so you've managed to get access to an unlocked computer. Now what? By this time, you should have a suitable BadUSB script pre-loaded on your Flipper. Just plug in and push the button. The things you could do at this point are numerous. A keylogger would be easy enough, sending all the files over email would be charming, but let's stick with physical extraction for now. The Flipper can hold a MicroSD card with up to 256 GB of space. The Flipper's firmware takes up less than a megabyte of this, leaving plenty of available space for files. Write your own script or load a pre-written script to copy over all files in the Documents and Downloads folders, for instance. If you really want to be nasty, you could also set it up to delete the computer's operating system after a few hours, but that's not what we're looking for here.
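From the defender's side, the giveaway of a BadUSB payload is that a "keyboard" appears and types dozens of keys with flat, inhuman spacing. As an added example (not from the original post), here is a small Python detector that flags that cadence; the event log format, device ids and timings are all constructed for the example.

```python
"""Flag keystroke-injection bursts in a constructed HID event log.

Each log line (format constructed for this example) is:
    <unix_ms> <device_id> <key_name>
A device that emits many keys whose median inter-key gap is far below
human typing speed is reported as a likely scripted (BadUSB) source.
"""
from __future__ import annotations
from collections import defaultdict
from statistics import median
from typing import Dict, List, Optional

MIN_KEYS = 20        # shorter bursts are too noisy to judge
MAX_MEDIAN_MS = 30   # human inter-key gaps are normally well above this


def _constructed_log() -> str:
    """Build sample events: one human typist, one scripted device, one short burst."""
    lines: List[str] = []
    t = 1000
    for i in range(25):                 # human: uneven 150-270 ms gaps
        t += 150 + (i % 4) * 40
        lines.append(f"{t} kbd-1 KEY_{i % 26}")
    t = 60000
    for i in range(40):                 # scripted: flat 8 ms gaps
        t += 8
        lines.append(f"{t} kbd-2 KEY_{i % 26}")
    t = 90000
    for i in range(5):                  # too few keys to judge either way
        t += 5
        lines.append(f"{t} kbd-3 KEY_{i}")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_events(log: str) -> Dict[str, List[int]]:
    """Group key timestamps (ms) per device id, preserving log order."""
    per_device: Dict[str, List[int]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, dev, _key = line.split(" ", 2)
        per_device[dev].append(int(ts))
    return per_device


def injection_score(timestamps: List[int]) -> Optional[float]:
    """Median gap between consecutive keys in ms; None if too few keys."""
    if len(timestamps) < MIN_KEYS:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return median(gaps)


def flag_devices(log: str) -> List[str]:
    """Return device ids whose keystroke cadence looks scripted."""
    flagged = []
    for dev, stamps in parse_events(log).items():
        score = injection_score(stamps)
        if score is not None and score < MAX_MEDIAN_MS:
            flagged.append(dev)
    return flagged


if __name__ == "__main__":
    print("suspicious devices:", flag_devices(SAMPLE_LOG))
```

Real deployments would feed this from the OS input event source (evdev on Linux, raw input on Windows) and alert on the device's vendor/product ids as well, but the cadence test is the core signal.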

From there, you leave the building, call the company, and inform them that the test is complete. They failed.

So, how well does the Flipper Zero accomplish its goal of being a pen tester's playground? Not badly, really, but most pen testers will have the real version of most of these tools (the ones they need anyway), so this fun little gadget is mostly for interested people who want to use it to learn more, or for hacker wannabes looking for social media clout. Either way, it's a lot of fun and, so long as you know what to expect, I would recommend it to anyone looking to get familiar with some of these tools.
