Drones for Pentesting? Sounds like fun, doesn’t it?
Larry Pesce, Hackfest 2015
About me
• Penetration Tester/Hardware Hacker @ InGuardians (Sr. Managing Consultant, Director of Research)
• SANS Instructor
• Paul’s Security Weekly crew
• Extra class ham radio operator (KB1TNF)
• Built a prototype drone for radio analysis for the energy sector.
What this talk is
• Discussion on practical application of drone technology to the pentesting space
• Information for you to determine if drones are a good fit in your methodology
• Pentest uses
• Attack scenarios
• Practical information gathering
• Physical pen test
• Practical payloads
• Detractors
• Cautions
What this talk is not
• Step by step plans for implementing each
  • Attack path
  • Information gathering techniques
• Drone building workshop
• Discussion of the best/worst drone platform
• Legal advice
  • I am not a lawyer, nor do I play one on TV
Show of hands:
How many have flown a drone?
The PROS
How can we have fun?
• PAYLOADS!
• Data, data, data
• Platform, Platform, Platform
• All sorts of fun can be had
  • Recon
  • Data acquisition
  • Attack
Data Acquisition Issues
• Capture and analyze later
  • Limited by size, weight of storage
  • Need successful recovery
• Realtime
  • Transfer speeds, depending on data
  • Distance, dependent on speed and radio selection
  • Radio selection, frequency range, battery power
Platform, Platform, Platform!
• We need a computing device that is
  • Capable
  • Small
  • Low power draw
• I’m a fan of the RasPi
  • B+ model is low power draw
  • Pi 2, untested by me, but more horses
• Many options
  • Arduino, Beaglebone, Cellphone, ODROID
  • Even custom solutions
• Power? Onboard battery or supplemental
• See my other talk on “If it Fits, It Sniffs”
Recon Payload
• Recon? I think pictures and video
  • Building layout
  • Roof access
  • Physical security, locks, guards, camera
Recon Payload Hardware
• Depending on purpose, HD video rules
  • Modern DJI, built in
  • Add GoPro!
    • HD video, storage and battery
  • On a big drone, add DSLR
Data Acquisition Payload
• So many options here!
• This will need a computing platform
• Data can take many forms
  • In this case, all wireless
• Let’s talk awesome wireless payloads
  • SEC617 anyone? :-)
Data Acquisition Hardware (1)
• Wifi
  • Alfa AWUS051NH (v2) is the best in the game
  • AWUS036H is ok, but no 802.11a
  • GPS helpful
    • Add on or use a “second feed” from onboard
    • loc-nogps
  • Record data with
    • Kismet
    • airmon-ng
  • Process after landing
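“Capture and analyze later” and “Process after landing” both mean the real work happens on the ground: pull the survey off the payload, throw away everything that is not the client’s, and only then look for findings. This is an added example, not code from the talk; it parses a constructed, simplified Kismet-style netxml fragment (the element names are an assumption, not Kismet’s exact schema) and keeps only APs whose ESSID or OUI prefix the client put in scope.

```python
# Post-flight triage of a drone Wi-Fi survey. Added example, not the talk's
# code; the netxml element names below are an assumption, not Kismet's schema.
import xml.etree.ElementTree as ET

# Constructed sample: three access points heard during one flight.
SAMPLE_NETXML = """<detection-run>
  <wireless-network><BSSID>00:11:22:33:44:55</BSSID><channel>6</channel>
    <SSID><essid>AcmeCorp</essid><encryption>WPA2</encryption></SSID>
    <snr-info><max_signal_dbm>-48</max_signal_dbm></snr-info>
    <gps-info><peak-lat>42.3601</peak-lat><peak-lon>-71.0589</peak-lon></gps-info></wireless-network>
  <wireless-network><BSSID>00:11:22:AA:BB:CC</BSSID><channel>11</channel>
    <SSID><essid>Acme-Guest</essid><encryption>None</encryption></SSID>
    <snr-info><max_signal_dbm>-61</max_signal_dbm></snr-info>
    <gps-info><peak-lat>42.3604</peak-lat><peak-lon>-71.0592</peak-lon></gps-info></wireless-network>
  <wireless-network><BSSID>68:7F:74:00:00:01</BSSID><channel>1</channel>
    <SSID><essid>linksys</essid><encryption>WEP</encryption></SSID>
    <snr-info><max_signal_dbm>-75</max_signal_dbm></snr-info>
    <gps-info><peak-lat>42.3610</peak-lat><peak-lon>-71.0600</peak-lon></gps-info></wireless-network>
</detection-run>"""

WEAK_CRYPTO = {"None", "WEP"}  # open or WEP networks become report findings


def parse_networks(netxml):
    """Per AP: BSSID, ESSID, crypto, channel, peak signal and the GPS fix
    where it was heard loudest (the spot to re-check on foot)."""
    nets = []
    for wn in ET.fromstring(netxml).iter("wireless-network"):
        nets.append({
            "bssid": wn.findtext("BSSID", "").upper(),
            "essid": wn.findtext("SSID/essid", ""),
            "encryption": wn.findtext("SSID/encryption", "None"),
            "channel": int(wn.findtext("channel", "0")),
            "max_dbm": int(wn.findtext("snr-info/max_signal_dbm", "-100")),
            "peak": (float(wn.findtext("gps-info/peak-lat")),
                     float(wn.findtext("gps-info/peak-lon"))),
        })
    return nets


def triage(nets, scope_essids, scope_ouis):
    """Drop out-of-scope APs first, then flag weak crypto on the ones kept.
    Returns (kept_networks, dropped_count); kept APs gain a 'finding' flag."""
    ouis = {o.upper() for o in scope_ouis}
    kept, dropped = [], 0
    for n in nets:
        if n["essid"] not in scope_essids and n["bssid"][:8] not in ouis:
            dropped += 1  # a neighbour's network: not ours to analyse
            continue
        n["finding"] = n["encryption"] in WEAK_CRYPTO
        kept.append(n)
    return kept, dropped
```

Note that the out-of-scope WEP network never becomes a finding, however tempting; the scope filter runs before any analysis.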
Data Acquisition Hardware (2)
• Zigbee
  • Atmel Raven RZUSB rocks
    • No external antenna
  • Riverloop API-mote also rocks
    • External antenna, slower startup
  • Control and record with KillerBee, api-do
    • KillerBee for device discovery, packet capture
    • api-do also for capture and channel hopping
  • Analyze data after landing
    • Capturing “good” data may take longer than flight time
    • Drop and recover payload?
Data Acquisition Hardware (3)
• Bluetooth
  • Not as easy…
  • Parani Sena UD-100 great for scanning
  • Ubertooth One great for discovery
    • Requires some work for automation
    • Also great for BTLE/BLE/Bluetooth 4/Bluetooth Smart
    • Need realtime care and feeding!
  • Bunches of other BTLE tools emerging
Data Acquisition Hardware (4)
• All the other radio
  • This one can get overwhelming quickly
  • So many options on the SDR front
  • Same for what we may want to detect
  • Initial recon may require several extended trips
    • Frequency of radio use
Data Acquisition Hardware (5)
• All the other radio (2)
  • My favorite, the RTL-SDR
    • Cheap (losable, run multiple)
    • Modestly robust
    • Especially great for 900 MHz cordless…
  • Depending on target, realtime data may not be feasible
  • Post processing is possible, but storage gets chewed up quickly.
  • Potential interference from the C&C, telemetry and video links, plus general EM interference.
Attack Payload
• Many of the acquisition payloads can be used for attack
  • Selection of wireless card, injection
  • Ubertooth One for Bluetooth
  • Modified RZUSB for Zigbee
  • General radio needs upgrades
    • BladeRF, Ettus SDRs, HackRF
• Larger payloads, more offline analysis
• Delivery requires robust automation, accurate target selection
  • Or work with a partner and longer flight times.
The CONS
Opsec
• Noise?
  • For those that have flown one, you know they are loud
  • Even the tiny ones sound like an overgrown bumblebee
  • Larger = more payload = more noise
  • Small = little payload = still some noise
• No social engineering your way out of this one…
  • Wait for a crash and retrieval!
Show of hands:
How many have crashed a drone?
Expense
• Yes, drones get expensive!
  • So do repair costs
• Even a modestly priced ready-to-roll model is easily $1500.
  • Not including additional payload
• More payload, more expense
  • Not just the payload!
  • More power = more payload = more $$$
  • Also more noise!
Payload expense
• With commodity gear we can keep costs down
  • Until we lose it
  • Over and over again…
• Even losing commodity gear can get expensive depending on our payload
Payload Size
• We will likely need single purpose payloads
• The more we add, the heavier/unbalanced we get
• The heavier we get, the harder to fly
• The harder to fly…
Show of hands:
How many have flown a drone in restricted airspace?
Keep your hands down!!!
Let me rephrase…
Show of hands:
How many may have flown a drone, unknowingly, in restricted airspace?
Read as, “I don’t know if I have or not!”
Did you know?
• Depending on where your customers are, you may be restricted from
  • Flying above a certain height
  • Flying at all, due to
    • Airport proximity
    • Geofence
    • Other FAA regulations
• This gets fairly complex if not an everyday task
  • …and you have to get it right!
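The three restrictions above (height, airport proximity, geofence) are the kind of thing that belongs in a scripted pre-flight screen rather than in someone’s head on the day. This is an added example, not the talk’s code: the ceiling and airport radius are caller-supplied assumptions, not a statement of the rules, and every airport and geofence coordinate below is constructed.

```python
# Pre-flight airspace screen for a planned survey site. Added example, not the
# talk's code; ceiling_ft and airport_radius_mi are assumed parameters, and the
# airport/geofence coordinates are constructed, not real locations.
import math

EARTH_RADIUS_MI = 3958.8


def haversine_mi(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


def preflight_check(site, planned_alt_ft, airports, geofences,
                    ceiling_ft=400, airport_radius_mi=5.0):
    """Return a list of (kind, detail) issues; an empty list means no hit.

    site: (lat, lon) of the client facility
    airports: [(name, lat, lon)]; any within airport_radius_mi is flagged
    geofences: [(name, lat, lon, radius_mi)] no-fly circles; inside is flagged
    """
    issues = []
    if planned_alt_ft > ceiling_ft:
        issues.append(("ceiling", f"{planned_alt_ft} ft exceeds {ceiling_ft} ft"))
    for name, lat, lon in airports:
        d = haversine_mi(site[0], site[1], lat, lon)
        if d <= airport_radius_mi:
            issues.append(("airport", f"{name} is {d:.1f} mi away"))
    for name, lat, lon, radius in geofences:
        d = haversine_mi(site[0], site[1], lat, lon)
        if d <= radius:
            issues.append(("geofence", f"inside {name} ({d:.1f} mi from centre)"))
    return issues


# Constructed data: a site about 3.5 mi north of one airport, far from another,
# and well outside a 3 mi no-fly circle.
SITE = (42.05, -71.0)
AIRPORTS = [("EXAMPLE-AIRPORT-A", 42.0, -71.0), ("EXAMPLE-AIRPORT-B", 41.0, -71.0)]
GEOFENCES = [("EXAMPLE-STADIUM", 42.30, -71.0, 3.0)]

if __name__ == "__main__":
    for kind, detail in preflight_check(SITE, 500, AIRPORTS, GEOFENCES):
        print(f"{kind}: {detail}")
```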
Application of law?
• Model Aircraft rules largely applied to multi-rotor based aircraft
  • Not technically “models”, but a new aircraft design.
  • Largely lumped in the same category
• No actual case law
• Smart rules to observe!
Registration
• New proposed regulations from the Department of Transportation, FAA
  • Proposed for implementation before Thanksgiving 2015
  • Just in time for the holiday giving season!
• Requires drone registration, 9 oz or more!
  • Unsure of retroactive purchases
  • Registration infrastructure
  • Security
• Likely to be challenged
  • Jurisdiction? FAA…
  • Exceeding mandate? Not transportation…
  • Where does the regulation beyond drones end?
Commercial purposes?
• FAA proposed rules
  • Need endorsement on pilot’s license
    • Means you need a pilot license already…
  • FAA requirements?
  • Likely to be challenged
• Model aircraft exemptions
  • No case law
• Yet, whole conferences devoted to commercial applications
  • http://dronelaw.net/
  • http://www.gpo.gov/fdsys/pkg/PLAW-112publ95/html/PLAW-112publ95.htm
Conclusions
• Yes, Yes, Yes we can have fun
  • Before daddy takes the T-bird away…
• That fun needs to be tempered with cost and application
• Commercially, we need to keep an eye on new and current rules
• Seek legal advice before engaging!