The Little White Box That Can Hack Your Network
March 4th, 2012
Smaller organizations might not have the equipment or the expertise to defend against the Pwn Plug, but for enterprises to get nailed by this thing amounts to comedy gold. Note: The U.S. Department of Defense is a large Pwn Plug customer. *chortle*
The first line of defense should be to train staff to resist social engineering attacks. Without this training, people will let an attacker drive a bus through the front door with little more than a smile and a "please."
The article describes the Pwn Plug being installed by a penetration tester using common social engineering methods. Hilariously, it goes on to describe how approved installations are being carried out by Bank of America:
Porcellos says that the Bank of America is mailing the Pwn Plug to its regional offices and having bank managers plug them into the network. Then security experts at corporate HQ can check the network for vulnerabilities.
Who needs Comedy Central when managers receive boxes in the mail from “headquarters” *wink* with memos directing them to plug devices into the internal network? These antics are right out of a clown act at a circus.
Anyway, the point is that social engineering vectors are almost always the most neglected and the easiest to exploit.
Let’s turn to technical countermeasures:
If you’re concerned about your organization’s vulnerability to a Pwn Plug-type of attack (and if you’re not, you should be), make sure that your propellerheads have implemented port security on your network switches.
Here’s how to do it on Cisco gear: Configuring Port Security:
You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the Media Access Control (MAC) address of the station attempting to access the port is different from any of the MAC addresses specified for that port.
…
When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If a MAC address of a device attached to the port differs from the list of secure addresses, the port either shuts down permanently (default mode), shuts down for the time you have specified, or drops incoming packets from the insecure host. The port’s behavior depends on how you configure it to respond to a security violation.
When a security violation occurs, the Link LED for that port turns orange, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager.
Now, let's assume that someone on the inside spoofs the MAC on the Pwn Plug AND plugs it into the correct port on a switch configured for port security. Fine. Port security only compares source MAC addresses, so a spoofed MAC on the right port gets a link; that is exactly why domain sign-on should be required to access anything.
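A quick way to verify that the propellerheads actually did it, as an added example that is not part of the original post or of any Cisco or Pwnie Express material: the script below parses a Cisco IOS-style running-config and flags access ports that have no port security, that rely on dynamically learned MACs only, or that use a violation mode which drops frames silently instead of shutting the port and raising the trap the documentation above describes. The sample config, hostname and interface descriptions are constructed for illustration.

```python
"""Audit a Cisco IOS running-config for access ports without adequate port security."""
import re
from typing import Dict, List

# Constructed sample running-config (not from the original post). Three access
# ports: Gi0/1 is wide open, Gi0/2 has port security but in 'protect' mode
# (offending frames are dropped with no syslog or SNMP trap), Gi0/3 is set up
# the way the Cisco documentation quoted above describes: one sticky MAC,
# shutdown on violation. Gi0/24 is a trunk and is not an access port.
SAMPLE_CONFIG = """\
hostname branch-sw1
!
interface GigabitEthernet0/1
 description Spare jack behind the branch manager's desk
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description Lobby kiosk
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet0/3
 description Teller workstation
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface GigabitEthernet0/24
 description Uplink to core
 switchport mode trunk
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [indented stanza lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line == "!" or not line:
            current = None  # '!' terminates a stanza in IOS output
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit_port_security(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for every access port; an empty list means
    the port passes. Trunks are skipped: port security is an access-port control."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue
        findings: List[str] = []
        if "switchport port-security" not in lines:
            findings.append("port security not enabled: any MAC is accepted")
        else:
            # Without a sticky or static entry the secure MAC is learned
            # dynamically and lost on reload, so the first box seen wins.
            if not any(l.startswith("switchport port-security mac-address ") for l in lines):
                findings.append("no sticky/static MAC: first device seen after reload is trusted")
            if "switchport port-security violation protect" in lines:
                findings.append("violation mode 'protect': frames dropped silently, no syslog/SNMP trap")
        report[name] = findings
    return report


def failing_ports(config: str) -> List[str]:
    """Names of access ports with at least one finding, sorted for stable output."""
    return sorted(name for name, f in audit_port_security(config).items() if f)


if __name__ == "__main__":
    for port, findings in audit_port_security(SAMPLE_CONFIG).items():
        print(f"{port}: {'OK' if not findings else '; '.join(findings)}")
```

Feed it the saved output of `show running-config` in place of the constructed sample. Two caveats: the IOS defaults of `maximum 1` and `violation shutdown` apply when those lines are absent, so only an explicit `protect` is flagged; and sticky addresses land in the running-config but survive a reload only after a `write memory`. And since the check is MAC-only, a spoofed MAC on the right port still gets link, which is why the domain sign-on (or 802.1X on the port) is the control that keeps the box from doing anything useful.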
The last place I worked at in the U.S. implemented this on the internal network after a devastating attack cost them millions of dollars. Some of the IT staff tried to get their own devices connected. They knew that alien MACs would result in messages showing up on the Blackberries of people they didn’t want showing up at their cubes. Mmmkay? They also knew their approved MACs and they knew to which ports they were assigned. Unfortunately, spoofing the MACs AND plugging into the correct ports on the switch just landed them on the domain controller prompting for login. Ah well, back to work…
So, if your IT staff is the temp-receptionist and you selected your network switches from a grab bag of sale items at Fry’s—mixed in amongst the dehydrated ice cream and $2 laser pointers—you’re probably going to experience severe pain.
As for you bozos running Cisco gear without port security… Have a nice day! But first, could you just walk into the network closet and plug this box into any open port on the switch? You know, that thing with the blinky lights. Yeaaaaah, that would be great.
(If it has been a while since you’ve seen Office Space, here’s a sound board that you can use to augment my commentary with helpful statements from Bill Lumbergh.)
Via: Wired:
When Jayson E. Street broke into the branch office of a national bank in May of last year, the branch manager could not have been more helpful. Dressed like a technician, Street walked in and said he was there to measure “power fluctuations on the power circuit.” To do this, he’d need to plug a small white device that looked like a power adapter into the wall.
The power fluctuation story was total bullshit, of course. Street had been hired by the bank to test out security at 10 of its West Coast branch offices. He was conducting what’s called a penetration test. This is where security experts pretend to be bad guys in order to spot problems.
In this test, bank employees were only too willing to help out. They let Street go anywhere he wanted — near the teller windows, in the vault — and plug in his little white device, called a Pwn Plug. Pwn is hacker-speak for “beat” or “take control of.”
“At one branch, the bank manager got out of the way so I could put it behind her desk,” Street says. The bank, which Street isn’t allowed to name, called the test off after he’d broken into the first four branches. “After the fourth one they said, ‘Stop now please. We give up.’”
Built by a startup company called Pwnie Express, the Pwn Plug is pretty much the last thing you ever want to find on your network — unless you’ve hired somebody to put it there. It’s a tiny computer that comes preloaded with an arsenal of hacking tools. It can be quickly plugged into any computer network and then used to access it remotely from afar. And it comes with “stealthy decal stickers” — including a little green flowerbud with the word “fresh” underneath it, that makes the device look like an air freshener — so that people won’t get suspicious.
The basic model costs $480, but if you’re willing to pay an extra $250 for the Elite version, you can connect it over the mobile wireless network. “The whole point is plug and pwn,” says Dave Porcello, Pwnie Express’s CEO. “Walk into a facility, plug it in, wait for the text message. Before you even get to the parking lot you should know it’s working.”
Research Credit JS
–Pwn is hacker-speak for “beat” or “take control of.”
“own” (as in ownage).
type fast & own becomes pwn.
Once you’re inside your average network it’s pretty easy to do anything you want…