![Page 1: Drones for Pentesting? · • Modern DJI, built in ... heavier/unbalanced we get • The heavier we get, ... Drones for Pentesting? Author: Jennifer Santiago Created Date:](https://reader031.vdocument.in/reader031/viewer/2022022016/5b5e10ea7f8b9a057e8b7a73/html5/thumbnails/1.jpg)
Drones for Pentesting? Sounds like fun, doesn’t it?
Larry Pesce, Hackfest 2015
About me
• Penetration Tester/Hardware Hacker, @ InGuardians (Sr. Managing Consultant, Director of Research)
• SANS Instructor
• Paul’s Security Weekly crew
• Extra class ham radio operator (KB1TNF)
• Built a prototype drone for radio analysis for the energy sector.
What this talk is
• Discussion on practical application of drone technology to the pentesting space
• Information for you to determine if drones are a good fit in your methodology
• Pentest uses
• Attack scenarios
• Practical information gathering
• Physical pen test
• Practical payloads
• Detractors
• Cautions
What this talk is not
• Step by step plans for implementing each
  • Attack path
  • Information gathering techniques
• Drone building workshop
• Discussion of the best/worst drone platform
• Legal advice
  • I am not a lawyer, nor do I play one on TV
Show of hands:
How many have flown a drone?
The PROS
How can we have fun?
• PAYLOADS!
• Data, data, data
• Platform, Platform, Platform
• All sorts of fun can be had
  • Recon
  • Data acquisition
  • Attack
Data Acquisition Issues
• Capture and analyze later
  • Limited by size, weight of storage
  • Need successful recovery
• Realtime
  • Transfer speeds, depending on data
  • Distance, dependent on speed and radio selection
  • Radio selection, frequency range, battery power
Platform, Platform, Platform!
• We need a computing device that is
  • Capable
  • Small
  • Low power draw
• I’m a fan of the RasPi
  • B+ model is low power draw
  • Pi 2, untested by me, but more horses
• Many options
  • Arduino, Beaglebone, Cellphone, ODROID
  • Even custom solutions
• Power? Onboard battery or supplemental
• See my other talk on “If it Fits, It Sniffs”
Recon Payload
• Recon? I think pictures and video
  • Building layout
  • Roof access
  • Physical security, locks, guards, camera
Recon Payload Hardware
• Depending on purpose, HD video rules
  • Modern DJI, built in
  • Add GoPro!
    • HD video, storage and battery
  • On a big drone, add DSLR
Data Acquisition Payload
• So many options here!
• This will need a computing platform
• Data can take many forms
• In this case, all wireless
• Let’s talk awesome wireless payloads
• SEC617 anyone? :-)
Data Acquisition Hardware (1)
• Wifi
  • Alfa AWUS051NH *(v2) is the best in the game
  • AWUS036H is ok, but no 802.11a
• GPS helpful
  • Add on or use a “second feed” from onboard
  • loc-nogps
• Record data with
  • Kismet*
  • airmon-ng
• Process after landing
Data Acquisition Hardware (2)
• Zigbee
  • Atmel Raven RZUSB rocks
    • No external antenna
  • Riverloop API-mote also rocks
    • External antenna, slower startup
• Control and record with Killerbee, api-do
  • Killerbee for device discovery, packet capture
  • api-do also for capture and channel hopping
• Analyze data after landing
  • Capturing “good” data may take longer than flight time
  • Drop and recover payload?
Data Acquisition Hardware (3)
• Bluetooth
  • Not as easy…
  • Parani Sena UD-100 great for scanning
  • Ubertooth One great for discovery
  • Requires some work for automation
  • Also great for BTLE/BLE/Bluetooth 4/Bluetooth Smart
  • Need realtime care and feeding!
  • Bunches of other BTLE tools emerging
Data Acquisition Hardware (4)
• All the other radio
  • This one can get overwhelming quickly
  • So many options on the SDR front
  • Same for what we may want to detect
  • Initial recon may require several extended trips
  • Frequency of radio use
Data Acquisition Hardware (5)
• All the other radio (2)
  • My favorite, the RTL-SDR
    • Cheap (losable, run multiple)
    • Modestly robust
    • Especially great for 900 MHz cordless…
  • Depending on target, realtime data may not be feasible
  • Post processing is possible, but storage gets chewed up quickly.
  • Potential issues with interference from C&C, telemetry, video and EM interference.
Attack Payload
• Many of the acquisition payloads can be used for attack
  • Selection of wireless card, injection
  • Ubertooth One for Bluetooth
  • Modified RZUSB for Zigbee
• General radio needs upgrades
  • BladeRF, Ettus SDRs, HackRF
  • Larger payloads, more offline analysis
• Delivery requires robust automation, accurate target selection
  • Or work with a partner and longer flight times.
The CONS
Opsec
• Noise?
  • For those that have flown one, you know they are loud
  • Even the tiny ones sound like an overgrown bumblebee
  • Larger = more payload = more noise
  • Small = little payload = still some noise
• No social engineering your way out of this one…
• Wait for a crash and retrieval!
Show of hands:
How many have crashed a drone?
Expense
• Yes, drones get expensive!
  • So do repair costs
  • Even a modestly priced ready to roll model is easily $1500.
  • Not including additional payload
• More payload, more expense
  • Not just the payload!
  • More power = more payload = more $$$
  • Also more noise!
Payload expense
• With commodity gear we can keep costs down
  • Until we lose it
  • Over and over again…
• Even losing commodity gear can get expensive depending on our payload
Payload Size
• We will likely need single purpose payloads
• The more we add the heavier/unbalanced we get
• The heavier we get, the harder to fly
• The harder to fly…
Show of hands:
How many have flown a drone in restricted airspace?
Keep your hands down!!!
Let me rephrase…
Show of hands:
How many may have flown a drone unknowingly in restricted airspace?
Read as, “I don’t know if I have or not!”
Did you know?
• Depending on where your customers are, you may be restricted from
  • Flying above a certain height
  • Flying at all, due to
    • Airport proximity
    • Geofence
    • Other FAA regulations
• This gets fairly complex if not an everyday task
  • …and you have to get it right!
Application of law?
• Model aircraft rules largely applied to multi-rotor based aircraft
  • Not technically “models”, but new aircraft design.
  • Largely lumped in the same category
• No actual case law
• Smart rules to observe!
Registration
• New proposed regulations from the Department of Transportation, FAA
  • Proposed for implementation before Thanksgiving 2015
  • Just in time for the holiday giving season!
  • Requires drone registration, 9 oz or more!
  • Unsure of retroactive purchases
  • Registration infrastructure
  • Security
• Likely to be challenged
  • Jurisdiction? FAA…
  • Exceeding mandate? Not transportation…
  • Where does the regulation beyond drones end?
Commercial purposes?
• FAA proposed rules
  • Need endorsement on pilot’s license
  • Means you need a pilot license already…
• FAA requirements?
  • Likely to be challenged
• Model aircraft exemptions
• No case law
• Yet, whole conferences devoted to commercial applications
• http://dronelaw.net/
• http://www.gpo.gov/fdsys/pkg/PLAW-112publ95/html/PLAW-112publ95.htm
Commercial purposes?
• Proposed need endorsement on pilot’s license
  • Means you need a pilot license already
• FAA requirements?
  • Likely to be challenged
• Model aircraft
• No case law
Conclusions
• Yes, Yes, Yes we can have fun
  • Before daddy takes the T-bird away…
• That fun needs to be tempered with cost, application,
• Commercially, we need to keep an eye on new, current rules
• Seek legal advice before engaging!