Drones for Pentesting? Sounds like fun, doesn’t it? Larry Pesce, Hackfest 2015

Upload: hoangxuyen

Post on 05-Apr-2018


Page 1

Drones for Pentesting? Sounds like fun, doesn’t it?

Larry Pesce, Hackfest 2015

Page 2: About me

• Penetration Tester/Hardware Hacker, @ InGuardians (Sr. Managing Consultant, Director of Research)
• SANS Instructor
• Paul’s Security Weekly crew
• Extra class ham radio operator (KB1TNF)
• Built a prototype drone for radio analysis for the energy sector.

Page 3: What this talk is

• Discussion on practical application of drone technology to the pentesting space
• Information for you to determine if drones are a good fit in your methodology
• Pentest uses
• Attack scenarios
• Practical information gathering
• Physical pen test
• Practical payloads
• Detractors
• Cautions

Page 4: What this talk is not

• Step by step plans for implementing each
• Attack path
• Information gathering techniques
• Drone building workshop
• Discussion of the best/worst drone platform
• Legal advice
• I am not a lawyer, nor do I play one on TV

Page 5

Show of hands:
How many have flown a drone?

Page 6

The PROS

Page 7: How can we have fun?

• PAYLOADS!
• Data, data, data
• Platform, Platform, Platform
• All sorts of fun can be had
• Recon
• Data acquisition
• Attack

Page 8: Data Acquisition Issues

• Capture and analyze later
• Limited by size, weight of storage
• Need successful recovery
• Realtime
• Transfer speeds, depending on data
• Distance, dependent on speed and radio selection
• Radio selection, frequency range, battery power

Page 9: Platform, Platform, Platform!

• We need a computing device that is
• Capable
• Small
• Low power draw
• I’m a fan of the RasPi
• B+ model is low power draw
• Pi 2, untested by me, but more horses
• Many options
• Arduino, Beaglebone, Cellphone, ODROID
• Even custom solutions
• Power? Onboard battery or supplemental
• See my other talk on “If it Fits, It Sniffs”

Page 10: Recon Payload

• Recon? I think pictures and video
• Building layout
• Roof access
• Physical security, locks, guards, camera

Page 11: Recon Payload Hardware

• Depending on purpose, HD video rules
• Modern DJI, built in
• Add GoPro!
• HD video, storage and battery
• On a big drone, add DSLR

Page 12: Data Acquisition Payload

• So many options here!
• This will need a computing platform
• Data can take many forms
• In this case, all wireless
• Let’s talk awesome wireless payloads
• SEC617 anyone? :-)

Page 13: Data Acquisition Hardware (1)

• Wifi
• Alfa AWUS051NH *(v2) is the best in the game
• AWUS036H is ok, but no 802.11a
• GPS helpful
• Add on or use a “second feed” from onboard
• loc-nogps
• Record data with
• Kismet*
• airmon-ng
• Process after landing

Page 14: Data Acquisition Hardware (2)

• Zigbee
• Atmel Raven RZUSB rocks
• No external antenna
• Riverloop API-mote also rocks
• External antenna, slower startup
• Control and record with Killerbee, api-do
• Killerbee for device discovery, packet capture
• api-do also for capture and channel hopping
• Analyze data after landing
• Capturing “good” data may take longer than flight time
• Drop and recover payload?

Page 15: Data Acquisition Hardware (3)

• Bluetooth
• Not as easy…
• Parani Sena UD-100 great for scanning
• Ubertooth One great for discovery
• Requires some work for automation
• Also great for BTLE/BLE/Bluetooth 4/Bluetooth Smart
• Need realtime care and feeding!
• Bunches of other BTLE tools emerging

Page 16: Data Acquisition Hardware (4)

• All the other radio
• This one can get overwhelming quickly
• So many options on the SDR front
• Same for what we may want to detect
• Initial recon may require several extended trips
• Frequency of radio use

Page 17: Data Acquisition Hardware (5)

• All the other radio (2)
• My favorite, the RTL-SDR
• Cheap (losable, run multiple)
• Modestly robust
• Especially great for 900 MHz cordless…
• Depending on target, realtime data may not be feasible
• Post processing is possible, but storage gets chewed up quickly.
• Potential issues with interference from C&C, telemetry, video and EM interference.

Page 18: Attack Payload

• Many of the acquisition payloads can be used for attack
• Selection of wireless card, injection
• Ubertooth One for Bluetooth
• Modified RZUSB for Zigbee
• General radio needs upgrades
• BladeRF, Ettus SDRs, HackRF
• Larger payloads, more offline analysis
• Delivery requires robust automation, accurate target selection
• Or work with a partner and longer flight times.

Page 19

The CONS

Page 20: Opsec

• Noise?
• For those that have flown one, you know they are loud
• Even the tiny ones sound like an overgrown bumblebee
• Larger = more payload = more noise
• Small = little payload = still some noise
• No social engineering your way out of this one…
• Wait for a crash and retrieval!

Page 21

Show of hands:
How many have crashed a drone?

Page 22: Expense

• Yes, drones get expensive!
• So do repair costs
• Even a modestly priced ready to roll model is easily $1500.
• Not including additional payload
• More payload, more expense
• Not just the payload!
• More power = more payload = more $$$
• Also more noise!

Page 23: Payload expense

• With commodity gear we can keep costs down
• Until we lose it
• Over and over again…
• Even losing commodity gear can get expensive depending on our payload

Page 24: Payload Size

• We will likely need single purpose payloads
• The more we add the heavier/unbalanced we get
• The heavier we get, the harder to fly
• The harder to fly…

Page 25

Show of hands:
How many have flown a drone in restricted airspace?

Keep your hands down!!!

Page 26

Let me rephrase…

Page 27

Show of hands:
How many may have flown a drone, unknowingly in restricted airspace? Read as, “I don’t know if I have or not!”

Page 28: Did you know?

• Depending on where your customers are, you may be restricted from
• Flying above a certain height
• Not flying at all, due to
• Airport proximity
• Geofence
• Other FAA regulations
• This gets fairly complex if not an everyday task
• …and you have to get it right!

Page 29: Application of law?

• Model Aircraft rules largely applied to multi-rotor based aircraft
• Not technically “models”, but new aircraft design.
• Largely lumped in the same category
• No actual case law
• Smart rules to observe!

Page 30: Registration

• New proposed regulations from the Department of Transportation, FAA
• Proposed for implementation before Thanksgiving 2015
• Just in time for the holiday giving season!
• Requires Drone registration, 9 oz or more!
• Unsure of retroactive purchases
• Registration infrastructure
• Security
• Likely be challenged
• Jurisdiction? FAA…
• Exceeding mandate? Not transportation…
• Where does the regulation beyond drones end?

Page 31: Commercial purposes?

• FAA proposed rules
• Need endorsement on pilot’s license
• Means you need a pilot license already…
• FAA requirements?
• Likely to be challenged
• Model aircraft exemptions
• No case law
• Yet, whole conferences devoted to commercial applications
• http://dronelaw.net/
• http://www.gpo.gov/fdsys/pkg/PLAW-112publ95/html/PLAW-112publ95.htm

Page 32: Commercial purposes?

• Proposed need endorsement on pilot’s license
• Means you need a pilot license already
• FAA requirements?
• Likely to be challenged
• Model aircraft
• No case law

Page 33: Conclusions

• Yes, Yes, Yes we can have fun
• Before daddy takes the T-bird away…
• That fun needs to be tempered with cost, application,
• Commercially, we need to keep an eye on new, current rules
• Seek legal advice before engaging!

Page 34

@haxorthematrix

Thanks!