Unusual types of devices and gadgets are not limited to special services and 007 agents. Quite a few devices have been specially designed for the needs of hackers and security researchers. What are they? We decided to put together a real hacker's suitcase.
Why is this needed?
Anyone who is seriously involved in pentesting or hacking has probably at least once found themselves in conditions when literally one step was not enough for a successful attack. Kevin Mitnick's book, The Art of Intrusion, details the story of a penetration test in which a well-configured firewall was an obstacle to inspectors. It would seem that there is no chance to get into the company's internal network. But one of the team members found a working connector in the receiving area for connecting to the network and discreetly plugged in a miniature wireless access device (which no one paid attention to until the end of the test). Thus, the pentesters team gained direct access to the company's internal network via Wi-Fi. This is one of many examples to illustrate that you shouldn't underestimate hack devices.WARNING!
All information is provided for informational purposes only. Neither the editorial board nor the author is responsible for any possible harm caused by the materials of this article.1. WiFi Pineapple Mark IV
wifipineapple.com
WiFi-Pineapple-Mark-IV
Price: $ 99.99
The animal thirst for free Internet leads to the fact that people, having arrived at some institution or, say, an airport, immediately begin to check: is there a free Internet there? At the same time, few people know that a specially configured router can act under the guise of an open hotspot, which intercepts all open traffic (it is not difficult, it still "goes" through it) and uses various types of MITM attacks to intercept the data that are transmitted over a secure connection. For greater success, an attacker can use a resounding network name like "Wi-Fi Guest" or even disguise himself as popular providers - then there will be no end of clients. The Rogue AP is pretty easy to pick up on any laptop. However, in hacker circles, a well-thought-out device has long been known, implementing an attack in the literal sense of the word "out of the box". WiFi Pineapple, which appeared back in 2008, is now on sale in its fourth modification. The first revision of the device was disguised as a pineapple for a joke - hence the name of the device. Basically, this is a regular wireless router (based on an Atheros AR9331 wireless SoC and a 400 MHz processor), but with a special OpenWRT-based firmware that includes utilities like Karma, DNS Spoof, SSL Strip, URL Snarf by default. ngrep and others. Thus, it is enough to turn on the device, configure the Internet (everything is configured via the web interface) - and intercept user data. The router needs power, and this interferes with its mobility; however, there are a huge number of options (which is actively discussed on the official forum) to use batteries - the so-called Battery Pack. They give the device two to three hours of battery life.
2. Ubertooth One
ubertooth.sourceforge.net
Ubertooth-one
Price: $ 119.99
Unlike Wi-Fi data interception, which is easy to set up from a laptop with a suitable wireless adapter, Bluetooth broadcast analysis is much more difficult. Rather, it was difficult before Michael Ossman's speech at the ShmooCon 2011 conference (video of the report - youtu.be/KSd_1FE6z4Y), where he presented his project Ubertooth ... Check out the difference. Industrial iron for BT ether could be purchased for amounts starting at $ 10,000. Michael told how to assemble a suitable device, the cost of which does not exceed a hundred bucks. Basically, this is a USB dongle with the ability to connect an external antenna, built on an ARM Cortex-M3 processor. The adapter was originally designed so that it could be switched to promiscuous mode, in which it is possible to passively intercept data from the Bluetooth air transmitted between other devices. This is an important option, because most dongles pay attention only to what is addressed to them, ignoring everything else - and this behavior cannot be influenced. In the case of Ubertooth One, you can freely intercept frames from the Bluetooth air, and use familiar utilities like Kismet. You can assemble the device yourself if your hands grow from the right place, or you can buy a ready-to-use device in one of the authorized stores.
3. ALFA USB WiFi AWUS036NHA
bit.ly/OokY6l
Alpha
Price: $ 35.99
If we talk about auditing wireless networks, then the most frequent and, in fact, the only obstacle for the implementation of attacks is the inappropriate Wi-Fi module built into the laptop. Alas, manufacturers do not think about choosing the right chip, which, for example, supports injection of arbitrary frames into the air
. However, quite often there is no more ordinary possibility - just to extract data from the air. If you dig around in the forums, you will find many recommendations on which adapter is best for warriving. One of the options is ALFA USB WiFi AWUS036NHA. This is an Alfa AWUS036NHA high-power Wi-Fi USB adapter built on the Atheros AR9271 chipset and working in b / g / n standards (up to 150 Mbps). Without unnecessary dancing with a tambourine, it can be used in major operating systems, including the script-dis-distribution BackTrack 5, in which all the necessary tools for wardriving are already collected. By the way, an external USB adapter allows you to work in a familiar Windows, while using all the capabilities in a guest system (the same Backtrack) running under a virtual machine with a USB port forwarded from the main OS. The adapter is also compatible with the Pineapple Mark IV. Starting with firmware version 2.2.0, Pineapple can use it to carry out so-called deauth attacks. The essence of the attack is quite simple: deauthentication frames are sent to clients, which forces them to reconnect. An attacker intercepts WPA handshakes, which are then used to brute force the WPA key. at the same time, use all the possibilities in the guest system (the same Backtrack) running under a virtual machine with a USB port forwarded from the main OS. The adapter is also compatible with the Pineapple Mark IV. Starting with firmware version 2.2.0, Pineapple can use it to carry out so-called deauth attacks. The essence of the attack is quite simple: deauthentication frames are sent to clients, which forces them to reconnect. An attacker intercepts WPA handshakes, which are then used to brute force the WPA key. at the same time, use all the possibilities in the guest system (the same Backtrack) running under a virtual machine with a USB port forwarded from the main OS. The adapter is also compatible with the Pineapple Mark IV. Starting with firmware version 2.2.0, Pineapple can use it to carry out so-called deauth attacks. The essence of the attack is quite simple: deauthentication frames are sent to clients, which forces them to reconnect. An attacker intercepts WPA handshakes, which are then used to brute force the WPA key. which forces them to reconnect. An attacker intercepts WPA handshakes, which are then used to brute force the WPA key. which forces them to reconnect. An attacker intercepts WPA handshakes, which are then used to brute force the WPA key.4. Reaver Pro
bit.ly/IRrZfF
Reaver-Pro
Price: $ 99.99
As you know, a long passphrase for connecting to a wireless WPA network practically negates the likelihood of its brute-force. However, the complexity of this attack evaporates if the wireless network supports the WPS mechanism. We described the vulnerability in this technology in detail in] [ 03 2012, including its exploitation using the Reaver utility. The author of this tool has released a special whale that allows you to implement this attack. It consists of a wireless module and a bootable USB flash drive with a pre-configured distribution kit. The purpose of the attack is to pick up a WPS pin, as soon as it is received, the wireless point will happily provide us with its WPA key. Thus, as you can see, the length and complexity of the key do not affect the duration of the attack. On average, Reaver needs 4 to 10 hours to find a WPS pin. Honestly, when I first read that there is a hardware implementation of this attack, I imagined a small portable device that could be hidden discreetly in the zone of reliable reception of the desired access point. Indeed, unlike WPA key brute-force, which can be carried out anywhere (all you need to do is intercept the handshake), the attack on WPS is active. That is, it is necessary to be in the immediate vicinity of the access point: if the reception is not reliable enough, then the search will quickly stop. A good alternative to Reaver Pro can be the implemented software module for WiFi Pineapple Mark IV (and a serious set of rechargeable batteries to power it). So far, all that the creator of Reaver Pro offers is the ability to pause the attack to resume from the interrupted place next time.
5. 16dBi Yagi Antenna
bit.ly/MXT1Tv
16dBi-Yagi-Antenna
price: 30 $
All wireless devices have a serious disadvantage - limited range. Reliable reception is often a key parameter for a successful attack. The closer you sit to the goal with your "strange" boxes-devices - the more attention you will attract and the more suspicion you will arouse. The further from the goal, the safer and more invisible it is. There are omni-directional antennas as well as narrow-beam antennas. As an example, we took a representative of the second type - 16dBi Yagi Antenna. This highly directional antenna allows you to stay at a sufficient distance from the wireless network and maintain the required signal strength. Thanks to the RP-SMA connector, it can be connected to the ALFA AWUS036H adapter, WiFi Pineapple box, Ubertooth One dongle, and many other Wi-Fi devices. It is important to understand that this is just one of thousands of different antennas. On the Web, not only are there a huge number of different antennas with various characteristics, but there are also a lot of instructions on how to quickly bungle an antenna from scrap materials (for example, from a can or wire).
6. USB Rubber Ducky
usbrubberducky.com
Rubber-ducky
Price: $ 69.99
In one of our recent issues, we had an article about malicious USB devices built on a Teensy programmable board. The idea is to emulate a HID device (keyboard) and, using the fact that the system perceives them as trusted, emulate the input that creates the necessary load on the system (for example, opening a shell). USB Rubber Ducky is analogous to Teensy. The heart of the device is the AT32UC3B1256 60MHz 32-bit AVR microcontroller, however, there is no need to hardcode anything at a low level. The device supports the surprisingly simple Duckyscript scripting language (similar to regular bat scripts), which, in addition, has already implemented all kinds of payloads. Launch an application, create a Wi-Fi backdoor, open a reverse shell - you can do everything the same as if you had physical access to a computer. Even more flexibility is provided by additional storage in the form of a microSD card, on which several payloads can be simultaneously placed. The functionality can be expanded through plug-in libraries, especially since the firmware itself, written in pure C, is completely open and hosted on the github. The microcircuit is very small, but in order to make its use absolutely invisible, the developers offer for it a special case from a flash drive.
7. Throwing Star LAN Tap
bit.ly/LYOW2f
Throwing-Star2
Price: $ 14.99
The next hack device also provides that the attacker has access: however, not to a specific computer, but to the LAN cables. And it is needed for passive and maximally invisible monitoring of the network segment. The trick is that it cannot be detected by software - in fact, it is just a piece of cable that does not give itself out in any way. How is this possible? Throwing Star LAN Tap looks like a small cross-shaped chip with four Ethernet ports at the ends. Let's imagine that we need to intercept traffic between two hosts (A and B) connected by a cable. To do this, simply cut the cable anywhere and connect the resulting gap via Throwing Star LAN Tap. The break must be connected through ports J1 and J2, while J3 and J4 are used for monitoring. It should be noted here that J3 and J4 are connected only to the cores responsible for receiving data - this is intentionally done so that the monitoring machine could accidentally send a packet to the target network (which will give out the fact of monitoring). Throwing Star LAN Tap is designed to monitor 10BaseT and 100BaseTX networks and does not require any power supplies to operate. Due to the fact that the device does not use any power supply, it cannot monitor 1000BaseT networks. In this case, he has to reduce the quality of the connection, forcing the machines to communicate at a lower speed (usually 100BASETX), which can already be passively monitored. The device is easy to solder by yourself, all circuits are open (Open Source hardware concept). so that the monitoring machine can accidentally send a packet to the target network (which will give out the fact of monitoring). Throwing Star LAN Tap is designed to monitor 10BaseT and 100BaseTX networks and does not require any power supplies to operate. Due to the fact that the device does not use any power supply, it cannot monitor 1000BaseT networks. In this case, he has to reduce the quality of the connection, forcing the machines to communicate at a lower speed (usually 100BASETX), which can already be passively monitored. The device is easy to solder by yourself, all circuits are open (Open Source hardware concept). so that the monitoring machine can accidentally send a packet to the target network (which will give out the fact of monitoring). Throwing Star LAN Tap is designed to monitor 10BaseT and 100BaseTX networks and does not require any power supplies to operate. Due to the fact that the device does not use any power supply, it cannot monitor 1000BaseT networks. In this case, he has to reduce the quality of the connection, forcing the machines to communicate at a lower speed (usually 100BASETX), which can already be passively monitored. The device is easy to solder by yourself, all circuits are open (Open Source hardware concept). it cannot monitor 1000BaseT networks. In this case, he has to reduce the quality of the connection, forcing the machines to communicate at a lower speed (usually 100BASETX), which can already be passively monitored. The device is easy to solder by yourself, all circuits are open (Open Source hardware concept). it cannot monitor 1000BaseT networks. In this case, he has to reduce the quality of the connection, forcing the machines to communicate at a lower speed (usually 100BASETX), which can already be passively monitored. The device is easy to solder by yourself, all circuits are open (Open Source hardware concept).
8. GSM / GPS / Wi-Fi jammers
www.google.com
price: From 100 $
Talking about hacker devices, we could not get around such a class of devices as jammers or, speaking in Russian, jammers. We deliberately did not select any separate device, but decided to look at a whole class of such devices. All of them, regardless of the technology that needs to be damped, are based on the same principle - littering the air. This works the same way for cellular networks (GSM), where the phone communicates with a base station, or, for example, a GPS receiver, which must communicate with several satellites to determine coordinates. Devices differ in range, power, size and overall appearance. Signal jammers can be stationary (large bandura with antennas) or mobile, disguised, for example, under a pack of cigarettes. You can find a huge number of jammers on the Web, especially if you look at Chinese online stores. Now debates are raging about how legal the use of such jammers is in Russia. Last year, they were seriously suggested to be used in schools, when it turned out (this is a discovery!) That, despite all the prohibitions, schoolchildren still carried cell phones during the exam.
9. RFID 13.56MHz Mifare Reader and Writer Module
bit.ly/MQlw6e
RH
price: 65 $
Over the past few years, one of the essential attributes of every office worker has become a plastic card that allows you to open the door locks of offices and rooms. We are talking about Mifare Classic 1K cards. The card is a plastic card containing a microcircuit (chip) with protected memory, a receiver, a transmitter and an antenna. The memory capacity of this card is 0.5, 1 or 4 KB, and the entire memory is divided into 16 sectors. Each sector consists of four blocks (three informational and one for storing keys). The minimum storage life of data in the memory of a Mifare card is 10 years, and the number of write cycles is about 100,000. Such cards are passive data storage devices, that is, energy and a battery are not needed for its operation and contactless data transfer. Distance to the reader at which the data transfer starts, is determined by the power of the transmitter of the reader and the sensitivity of the card receiver. If you need to copy such a card or just see what is written there, there are various kinds of devices at your disposal. It's so convenient: cards sometimes break or get lost
. The most popular device for such undertakings is bit.ly/MQlw6e, costing only $ 65. It comes with several "blank" cards that can be cloned, allowing you to immediately plunge into the world of socio-technical hacking methods. By the way, transport companies that carry out passenger transportation very often use Mifare Ultralight technology. In addition, there are a myriad of other devices for working with less popular clients in wireless networks, such as NFC, ZigBee, and many others. NFC technology, by the way, is a logical continuation of the RFID family, which can be operated even with the help of advanced mobile devices.10. KeyGrabber
www.keelog.com
KeyLog
price: 38-138 $
Once upon a time in the "Phreaking" section we wrote about how to solder your own hardware keylogger yourself. The idea is simple: the device connects between the computer and the keyboard and writes all the entered characters to its drive. Naturally, there are a huge number of commercial implementations of this idea, including the KeyGrabber series, which offers models for both PS / 2 and USB keyboards. The manufacturer thought about how to make the use of such devices more invisible. After all, not only is it necessary to connect such a keylogger, it is also necessary to periodically remove data from it. It turned out that the latter can be simplified by equipping the sniffer with a Wi-Fi adapter that can unnoticeably connect to the nearest access point and send the intercepted data to e-mail. The same manufacturer also offers several other useful solutions. In addition to ready-made devices that look like an adapter, you can buy the KeyGrabber Module - a ready-made microcircuit that can be embedded in a PS / 2 or USB keyboard. Also on sale are VideoGhost devices - an "adapter" that connects between the monitor and a computer, which saves screenshots of the screen to the built-in storage (2 GB) every ten seconds. Versions are available for DVI, HDMI, VGA and start at $ 149.99. which saves screenshots of the screen to the built-in storage (2 GB) every ten seconds. Versions are available for DVI, HDMI, VGA and start at $ 149.99. which saves screenshots of the screen to the built-in storage (2 GB) every ten seconds. Versions are available for DVI, HDMI, VGA and start at $ 149.99.
11. MiniPwner
www.minipwner.com
mini_pwner
price: 99 $
Situations when access to the corporate network has to be obtained with the help of social engineering skills and special devices are quite common in practice. MiniPwner is a device that, in the case of its invisible connection to the target network, provides an attacker / pentester with remote access to this network. The device was designed by Wisconsin engineer Kevin Bong, who built the first miniature spy computer prototype in a candy box. The gadget is designed to connect to a local network and quickly collect information. Immediately after connecting, the computer establishes an SSH tunnel and opens a login to the system from the outside. If you look inside, then this is a regular TP-Link TL-WR703N router equipped with 4 GB memory and a wireless interface that supports the 802.11n standard and a gigabit Ethernet port. A modified OpenWrt is used as a firmware, in which a large number of utilities necessary for conducting reconnaissance activities are preinstalled: Nmap, Tcpdump, Netcat, aircrack and kismet, perl, openvpn, dsniff, nbtscan, snort, samba2-client, elinks, yafc, openssh- sftp-client and others. The battery life, which is extremely important for real use, is provided by the 1700 mAh battery, which lasts for five hours of intensive work, even when the wireless network mode is on. So by connecting such a device to the network under investigation, the researcher can get enough time to gain a foothold in it. snort, samba2-client, elinks, yafc, openssh-sftp-client and others. The battery life, which is extremely important for real use, is provided by a 1700 mAh battery, which lasts for five hours of intensive work, even when the wireless network mode is on. So by connecting such a device to the network under investigation, the researcher can get enough time to gain a foothold in it. snort, samba2-client, elinks, yafc, openssh-sftp-client and others. The battery life, which is extremely important for real use, is provided by the 1700 mAh battery, which lasts for five hours of intensive work, even when the wireless network mode is on. So by connecting such a device to the network under investigation, the researcher can get enough time to gain a foothold in it.
12. Pwn Plug
pwnieexpress.com
pwnieexpress
price: 595 $
Like the MiniPwner discussed above, Pwn Plug belongs to the class of so-called drop-box devices - that is, devices that, when invisibly connected to the target network, provide an attacker / pentester with remote access to it. Outwardly, the device looks like a power adapter plugged into an outlet. For greater conspiracy, the developers of the device provide special stickers that disguise the Pwn Plug as air fresheners and similar household appliances. In fact, this is a full-fledged computer running Debian 6, which, despite its small size, is stuffed to the eyeballs with various devices and hacker software. Let's take a closer look at the Elite version - it is more "charged". So, this "freshener" is equipped with three adapters at once: 3G, Wireless and USB-Ethernet. Supports external SSH access over 3G / GSM cellular networks. It has such an interesting feature as Text-to-Bash: you can execute commands on it in the console by sending an SMS message. Supports HTTP proxy, SSH-VPN and OpenVPN. The rich set of hacking tools includes Metasploit, SET, Fast-Track, w3af, Kismet, Aircrack, SSLstrip, nmap, Hydra, dsniff, Scapy, Ettercap, Bluetooth / VoIP / IPv6 tools, and more. A 16GB SDHC card is used as additional storage. The wireless version lacks 3G and USB-Ethernet and, accordingly, cannot boast of support for remote access via cellular networks. Otherwise, both versions are the same. In general, the device is really cool, but its price tag, frankly, bites. SSH-VPN and OpenVPN. The rich set of hacking tools includes Metasploit, SET, Fast-Track, w3af, Kismet, Aircrack, SSLstrip, nmap, Hydra, dsniff, Scapy, Ettercap, Bluetooth / VoIP / IPv6 tools, and more. A 16GB SDHC card is used as additional storage. The wireless version lacks 3G and USB-Ethernet and, accordingly, cannot boast of support for remote access via cellular networks. Otherwise, both versions are the same. In general, the device is really cool, but its price tag, frankly, bites. SSH-VPN and OpenVPN. The rich set of hacking tools includes Metasploit, SET, Fast-Track, w3af, Kismet, Aircrack, SSLstrip, nmap, Hydra, dsniff, Scapy, Ettercap, Bluetooth / VoIP / IPv6 tools, and more. A 16GB SDHC card is used as additional storage. The wireless version lacks 3G and USB-Ethernet and, accordingly, cannot boast of support for remote access via cellular networks. Otherwise, both versions are the same. In general, the device is really cool, but its price tag, frankly, bites. The wireless version lacks 3G and USB-Ethernet and, accordingly, cannot boast of support for remote access via cellular networks. Otherwise, both versions are the same. In general, the device is really cool, but its price tag, frankly, bites. The wireless version lacks 3G and USB-Ethernet and, accordingly, cannot boast of support for remote access via cellular networks. Otherwise, both versions are the same. In general, the device is really cool, but its price tag, frankly, bites. both versions are the same. In general, the device is really cool, but its price tag, frankly, bites. both versions are the same. In general, the device is really cool, but its price tag, frankly, bites. the device is really cool, but its price tag, frankly, bites. The wireless version lacks 3G and USB-Ethernet and, accordingly, cannot boast of support for remote access via cellular networks. Otherwise, both versions are the same. In general, the device is really cool, but its price tag, frankly, bites. both versions are the same. In general, the device is really cool, but its price tag, frankly, bites. both versions are the same. In general, the device is really cool, but its price tag, frankly, bites. the device is really cool, but its price tag, frankly, bites. The wireless version lacks 3G and USB-Ethernet and, accordingly, cannot boast of support for remote access via cellular networks. Otherwise, both versions are the same. In general, the device is really cool, but its price tag, frankly, bites. both versions are the same. In general, the device is really cool, but its price tag, frankly, bites. both versions are the same. In general, the device is really cool, but its price tag, frankly, bites. the device is really cool, but its price tag, frankly, bites. both versions are the same. In general, the device is really cool, but its price tag, frankly, bites. the device is really cool, but its price tag, frankly, bites. both versions are the same. In general, the device is really cool, but its price tag, frankly, bites.
13. AR.Drone
ardrone.parrot.com
Parrot
price: 299 $
This device is strikingly different from all the others. After all, with its help you can ... no, not to intercept traffic, not to catch keystrokes and not to save screenshots of the desktop - with it you can ... spy! Yes Yes. Modern penetration testing is more and more like espionage, so experts do not neglect this opportunity. Honestly, after seeing the AR.Drone in the store, I hardly would have thought about penetration testing or hacking. This is a pure toy: an ordinary quadcopter with a camera attached to it. The second version of AR.Drone is equipped with a high-resolution camera, so no matter how fantastic it sounds and resembles a spy thriller, you can peep through the window what is happening in the room, what equipment is used, how employees behave ... And you don't have to have a sharp eye and photographic memory: you can attach a USB flash drive to the camera to record video. Controlling the device is as easy as shelling pears: you can use iPhone, iPad and Android as a remote control, after installing a special application. The device can be used for peaceful purposes as well, taking stunning bird's-eye views. So, even if there is no one to spy on, you will not get bored with such a device. If you want to save money, then you can assemble such a device on your own, then I recommend that you study the following resources: you won't get bored with such a device anyway. If you want to save money, then you can assemble such a device on your own, then I recommend that you study the following resources: you won't get bored with such a device anyway. If you want to save money, then you can assemble such a device on your own, bit.ly/GVCflk - a post on Habré, describing in some detail the process of creating a simple quadrocopter; bit.ly/o8pLgk - English-language site completely dedicated to the construction of quadcopters; bit.ly/fhWsjo - A resource on how to make robots, also contains articles on quadcopters.
14. Raspberry Pi
raspberrypi.org
Rasberrypi
price: 25 $
Our review ends with a device called Raspberry Pi, around which there is a lot of noise now. This is a simple single board computer made by the Raspberry Pi Foundation. The microcircuit is made on the basis of an ARM 11 processor with a clock frequency of 700 MHz and is comparable in size to a bank plastic card. One of the advantages of this "computer" - it comes without a case, just in the form of a microcircuit, and this allows you to disguise it as almost anything. The board contains I / O ports, two USB 2.0 connectors, a compartment for SD / MMC / SDIO memory cards, an Ethernet controller, composite and HDMI video outputs. As you can see, it is ideal for creating your own budget drop-box. In general, such a device with a good processor, low power consumption, the ability to connect a Wi-Fi adapter via USB and Linux on board is a sin not to use it for hidden installation. Any Linux distribution can be used as an OS - Debian, Fedora, Ubuntu, but a specialized distribution is better. PwnPi, released by craftsmen specifically for installation on the Raspberry Pi. It already contains all the necessary hacking tools. In addition, craftsmen willingly share their experience of installing a hidden server on it in the anonymous I2P network, installing Metasploit, creating a hardware sniffer, and much more.
