When VDA Labs conducts internal penetration tests, application security assessments, or product security reviews we typically use what we call a ‘dropbox’ in order to grant our team members access to the network or system that we are testing. These might be physical devices, if necessary, but also might be a virtual machine that you run on your network for us. Since we’re passionate about security, and the infosec community, we wanted to share a bit about our penetration testing setup.
Why use a dropbox at all?
Clients sometimes ask us why we want to use a dropbox to conduct our tests because, “a real attacker wouldn’t have a dropbox”. Generally we use dropboxes for three reasons: remote access, testing efficiency, and covert access.
Remote Access for Our Team
VDA Labs is a remotely distributed team, with members across the country, and we work with clients that are spread across the country. It makes sense for most of our work to be done remotely. In fact the only work that can’t be done this way is physical penetration testing. We also feel strongly that teamwork delivers the best results. Other companies might send a single consultant on site; VDA prefers to send a dropbox. That way we can involve multiple minds in the process and get better coverage.
While we are typically able to penetrate from external to internal, a dropbox allows us to start the internal assessment at the same time as the external one. The reality is also that our testing window is limited, and we want to deliver as much value as possible within it. Deploying a dropbox with our tools and access already set up lets us get straight to testing for security issues instead of sorting out logistics. We also consider it best practice to ‘assume breach’ in your network, and using a dropbox follows that mindset: an adversary who has already gained a foothold can take as much time as they want when moving through your network, while our time on site is limited.
Covert Remote Access
Many of our tests are done in a more white-box, purple team fashion, but we also do ‘red team’ engagements, which may include physical penetration testing. That is why we have physical penetration testing devices: one of our main goals on a physical penetration test is typically to plant a physical dropbox. These devices are intentionally small and easy to hide, and we use tools like dnscat2, which tunnels command and control over DNS queries, so we can reach them remotely once they are in place.
Penetration Testing Dropbox Hardware
We actually have a few different hardware dropboxes that serve different purposes. These are affectionately named after everyone’s favorite SciFi droids (C3PO, R2D2, and BB8) and are pictured above with a DerbyCon poker chip for scale. If you see them on your network though, these are not the droids you are looking for.
Three-Pee-Oh – Odroid XU4 (pictured center)
This is our original hardware dropbox. We chose the Odroid XU4 platform because it can run Kali Linux and has an octa-core CPU. This allows for some heavy multi-tasking, which is fairly common on penetration tests. The photo above shows the bare board, but we do have a case that makes it somewhat less conspicuous. We also typically deploy 3PO with at least one USB wireless adapter for WiFi testing.
BB8 – Raspberry Pi 3 (pictured right rear)
This is a standard Raspberry Pi 3, but with one or two special tricks up its sleeve. See the white ball (hence BB8 ;P )? That’s a motion sensor. And the small circle is a camera.
R2D2 – Zotac Zbox CI327 Nano (pictured rear left)
R2 is the newest addition to the fleet. We chose this hardware for its x86_64 processor in a still very small frame. It also has dual ethernet adapters, which are handy, as well as internal Bluetooth and WiFi. We also like to set it up as shown below with a few offensive USB adapters: an Alfa 802.11AC wireless adapter and a Crazy RF wireless device for conducting mousejacking attacks.
Typically we prefer to run Kali Linux on our penetration testing dropboxes. That gives our testers a familiar environment to work from, with many of the tools they need preinstalled. Recently, however, the Kali ARM images have fallen behind on their kernel versions, so we are considering a move to Ubuntu. :/ We also use Kali for our virtual machine setup, with a pre-built image that we have configured for our needs. It is very easy for clients to run the VM (on any normal computer or in a virtualized space) after we have shared it with them.
All of our penetration testing dropboxes (physical or virtual) are configured to phone home to a secure server we have set up on AWS, which handles sharing access with our team. This is done with autossh and SSH port forwarding: each dropbox opens an encrypted SSH connection to the server and reverse-forwards its own SSH port to it, so our testers log in to the server and then connect through that forwarded port. Because sshd’s GatewayPorts setting defaults to no, the forwarded port is bound only on the server’s loopback interface, which is what we want: it is reachable by team members with an account on the server, not by the internet. With -M 0, autossh does no monitoring of its own and relies on the ServerAlive options to notice a dead connection and reconnect. The autossh command looks something like this:
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" \
    -NR 1234:localhost:22 firstname.lastname@example.org
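The two pieces of configuration that belong around that command when it runs unattended, as an added example that is not VDA Labs’ own setup: a relay-side authorized_keys entry that confines the dropbox’s key to its one reverse port (so a stolen dropbox or copied VM image does not hand out a shell on the relay), and a dropbox-side systemd unit that keeps autossh running across reboots. The account name tunnel, the relay address, the example key and the requirement for OpenSSH 7.8 or newer on the relay (for permitlisten) are all assumptions.

```shell
#!/bin/sh
# Added example, not VDA Labs' configuration. Generates the two config
# pieces that sit around the autossh command: a relay-side authorized_keys
# entry that confines one dropbox key to its reverse port, and a dropbox-
# side systemd unit that keeps the tunnel up across reboots and outages.
# Assumptions: the relay runs OpenSSH 7.8 or newer (needed for
# permitlisten), the tunnel account on both ends is "tunnel", and the
# relay address and port are passed in by the caller.

# Weak form: a bare key line. Whoever holds that key (stolen dropbox,
# copied VM image) gets a shell on the relay and can bind any port there.
plain_authorized_keys_entry() {
    pubkey="$1"; label="$2"
    printf '%s %s\n' "$pubkey" "$label"
}

# Hardened form: "restrict" drops pty, agent/X11 forwarding and ~/.ssh/rc;
# "port-forwarding" re-enables forwarding, "permitlisten" limits it to the
# one loopback port this box may publish, and the forced command means a
# session request runs /bin/false instead of a shell. autossh's -N never
# requests a session, so the tunnel itself is unaffected.
restricted_authorized_keys_entry() {
    port="$1"; pubkey="$2"; label="$3"
    printf 'restrict,port-forwarding,permitlisten="localhost:%s",command="/bin/false" %s %s\n' \
        "$port" "$pubkey" "$label"
}

# Dropbox side: a systemd service wrapping the autossh command from the
# post. ExitOnForwardFailure makes ssh exit (and autossh retry) if the
# remote port is still held by a stale session, instead of sitting
# connected with no forward. AUTOSSH_GATETIME=0 keeps autossh retrying
# even when the very first attempt fails, e.g. while DHCP is still settling.
autossh_tunnel_unit() {
    port="$1"; relay="$2"
    cat <<EOF
[Unit]
Description=Reverse SSH tunnel to the relay
After=network-online.target
Wants=network-online.target

[Service]
User=tunnel
Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure yes" -NR ${port}:localhost:22 ${relay}
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

# Example run with a made-up key. On a real deployment the entry goes into
# ~tunnel/.ssh/authorized_keys on the relay and the unit into
# /etc/systemd/system/dropbox-tunnel.service on the dropbox.
restricted_authorized_keys_entry 1234 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONLY" "c3po-dropbox"
autossh_tunnel_unit 1234 "tunnel@relay.example.org"
```

Because the forwarded port lives on the relay’s loopback, a tester reaches the box with their own relay account as a jump host, along the lines of ssh -J youruser@relay.example.org -p 1234 kali@localhost; the restricted tunnel account is never used interactively.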
Lastly, some fun bits
A couple of final items really complete the picture. We set up a custom slackbot that monitors logins on our SSH tunneling server. We use that to tell when our dropboxes have succeeded in calling home.
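What such a bot has to do, as an added example that is not VDA Labs’ slackbot: pick the successful logins out of the relay’s sshd log, map the key fingerprint to a dropbox name so that a login with a key we do not own stands out, and post the result. The log lines are constructed, the fingerprints and dropbox names are made up, and SLACK_WEBHOOK_URL is an assumed operator-provided variable.

```shell
#!/bin/sh
# Added example, not VDA Labs' bot. Reads sshd log lines (syslog format, as
# written to /var/log/auth.log on Debian-style systems) and turns each
# successful login into a one-line alert naming the dropbox that called home.

# Constructed sample log: one known dropbox key, one failed root password
# attempt, one login with a key we do not recognise. Fingerprints are made up.
SAMPLE_LOG='Jan  5 10:00:01 relay sshd[2001]: Accepted publickey for tunnel from 203.0.113.7 port 51234 ssh2: ED25519 SHA256:c3poKEYfingerprint
Jan  5 10:00:03 relay sshd[2002]: Failed password for root from 198.51.100.9 port 40000 ssh2
Jan  5 10:00:05 relay sshd[2003]: Accepted publickey for tunnel from 198.51.100.22 port 41000 ssh2: RSA SHA256:notOneOfOurKeys'

# Hypothetical fingerprint-to-name map for our dropbox keys. Anything else
# logging in as the tunnel user is someone else's key and worth a look.
name_for_fingerprint() {
    case "$1" in
        SHA256:c3poKEYfingerprint) echo "C3PO" ;;
        SHA256:r2d2KEYfingerprint) echo "R2D2" ;;
        SHA256:bb8KEYfingerprint)  echo "BB8" ;;
        *)                         echo "UNKNOWN" ;;
    esac
}

# stdin: raw log lines. stdout: "user ip method fingerprint" for each
# "Accepted" line; failed logins, disconnects and other daemons are dropped.
# Password logins (which the relay should not allow) carry no fingerprint.
parse_ssh_logins() {
    awk '
    /sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted") method = $(i + 1)
            if ($i == "for")      user   = $(i + 1)
            if ($i == "from")     ip     = $(i + 1)
        }
        fp = ($NF ~ /^SHA256:/) ? $NF : "-"
        print user, ip, method, fp
    }'
}

# stdin: parsed lines. stdout: one human-readable alert per login.
format_alerts() {
    while read -r user ip method fp; do
        printf 'dropbox %s called home: user=%s from=%s auth=%s key=%s\n' \
            "$(name_for_fingerprint "$fp")" "$user" "$ip" "$method" "$fp"
    done
}

# Post one message to Slack via an incoming webhook; fall back to stdout
# when SLACK_WEBHOOK_URL (assumed, set by the operator) is not configured.
notify() {
    if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then
        curl -sS -X POST -H 'Content-type: application/json' \
            --data "{\"text\": \"$1\"}" "$SLACK_WEBHOOK_URL"
    else
        printf '%s\n' "$1"
    fi
}

# Demo run over the constructed sample. On the relay you would feed it live
# lines instead: tail -F /var/log/auth.log | parse_ssh_logins | format_alerts
printf '%s\n' "$SAMPLE_LOG" | parse_ssh_logins | format_alerts | while read -r alert; do
    notify "$alert"
done
```

The UNKNOWN case is the one to watch: it means a key that is not on any of our dropboxes just authenticated as the tunnel user, so either a key was added without being recorded or the relay account is being used by someone else.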
And we also rolled some ASCII art into MOTD on each box so we know when we have connected to the right one.