Hacking_and_Penetration_Testing_with_Low_Power_Devices
Penetration testing with multiple drones 193

anything running Linux, even another Beagle. The net is that you can perform a pretty sophisticated penetration test from a remote location with less than $500 worth of equipment, all of which easily fits inside a standard carry-on bag.

The five XBee adapters must be configured. Three of the four XBee-PRO modems must be configured as routers. The remaining XBee-PRO device will be used as a coordinator attached to the command console via a USB XBee adapter. The final XBee modem should be configured as an end device. Instructions on how to configure these modems with X-CTU were given earlier in this chapter.

Each of the four devices should be assembled and tested before deployment. It is much better to discover that one of the XBee modems has been misconfigured before the test begins than after things are at the PFE office. No software changes should be needed on the Beagles. Recall that none of the XBee modems will have a MY address until the coordinator comes online and assigns each node an address. Before that happens, each device will have the address 0xFFFE, which is the broadcast address.
EXECUTING THE ATTACK

The system hidden in a car near the PFE office can be deployed almost any time. The conference room and receptionist drones can be installed after 5:00 pm, either the day before beginning the penetration test or on the first day. It may take a day or two for the head programmer to receive the Dalek and plug it in. Note that while you would want to run the systems in parallel, we will only discuss one drone at a time in order to reduce confusion in the discussion of this penetration test.

The most logical place to begin the penetration test is looking at the wireless networking using the drone in the car. The Python scripts that were developed in the last chapter will come in handy for this test. The first step is to create a monitor mode interface on the drone. Running ifconfig will verify the interface assigned to the Alfa, which will likely be wlan0. Executing airmon-ng start wlan0 will then create the monitor interface. If this is the first such interface, it will be named mon0.

The list-wifi.py script described in the previous chapter uses Scapy to sniff traffic for one minute and list any discovered networks along with their BSSIDs (MAC addresses). The results of running this script are shown in Figure 7.14. From the scan, we see the PFunEd network as expected. We also get a bonus. Someone has foolishly connected their own wireless router to the PFE network. It appears to have the defaults, including no encryption. Upon further investigation, the offender is one of the salespeople who wanted to use the company Internet access to surf inappropriate websites on his iPad.
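The rogue, unencrypted router is found here simply by listing the beacons a monitor-mode interface hears, and the same beacon data is what a company's own wireless monitoring would use to catch it before a tester does. The following is an added example, not the book's list-wifi.py or capture.py and not Scapy-based: a pure-Python parser for raw 802.11 beacon frames (radiotap header already stripped) that reads each BSSID's security posture from the capability field and the RSN/WPA information elements, then triages every BSSID against an authorized-AP list so that an unknown open network is flagged first. The BSSIDs, SSIDs and frames are constructed for the demonstration; on a live capture the frames would come from the sniffer instead of build_beacon.

```python
"""Rogue / open access point triage over raw 802.11 beacon frames.
Added example (not from the book): no Scapy, no live capture; every
frame, BSSID and SSID below is constructed for the demo."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = b"\xff" * 6
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"        # Microsoft OUI + type 1 = WPA IE
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010     # capability info bits
TAG_SSID, TAG_RSN, TAG_VENDOR = 0, 48, 221


@dataclass
class Beacon:
    bssid: str
    ssid: str
    privacy: bool
    has_rsn: bool
    has_wpa: bool

    @property
    def security(self) -> str:
        # Privacy bit without an RSN/WPA IE is the WEP signature; no bit = open.
        if self.has_rsn:
            return "WPA2/RSN"
        if self.has_wpa:
            return "WPA"
        return "WEP" if self.privacy else "OPEN"


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame: bytes) -> Optional[Beacon]:
    """Return a Beacon for a management/beacon frame, else None."""
    if len(frame) < 36:                       # 24-byte header + 12 fixed bytes
        return None
    fc0 = frame[0]
    if (fc0 & 0x0C) != 0 or (fc0 >> 4) != 8:  # type 0 (mgmt), subtype 8 (beacon)
        return None
    bssid = fmt_mac(frame[16:22])             # addr3 carries the BSSID
    _timestamp, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    ssid, has_rsn, has_wpa = "", False, False
    pos = 36
    while pos + 2 <= len(frame):              # walk the tagged parameters
        tag_id, tag_len = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + tag_len]
        if len(data) < tag_len:               # truncated IE: stop, don't misparse
            break
        if tag_id == TAG_SSID:
            ssid = data.decode("utf-8", errors="replace")
        elif tag_id == TAG_RSN:
            has_rsn = True
        elif tag_id == TAG_VENDOR and data[:4] == WPA_OUI_TYPE:
            has_wpa = True
        pos += 2 + tag_len
    return Beacon(bssid, ssid, bool(cap & CAP_PRIVACY), has_rsn, has_wpa)


def build_beacon(bssid: bytes, ssid: str, privacy: bool, rsn: bool = False) -> bytes:
    """Constructed beacon for the demo, not captured traffic."""
    cap = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    header = b"\x80\x00" + b"\x00\x00" + BROADCAST + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, cap)
    body = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    if rsn:  # RSN IE: version 1, group CCMP, one pairwise CCMP, one AKM PSK, caps 0
        rsn_ie = bytes.fromhex("0100000fac040100000fac040100000fac020000")
        body += bytes([TAG_RSN, len(rsn_ie)]) + rsn_ie
    return header + fixed + body


def triage(frames: List[bytes], authorized: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """One finding per BSSID: (bssid, ssid, security, verdict)."""
    findings, seen = [], set()
    for frame in frames:
        b = parse_beacon(frame)
        if b is None or b.bssid in seen:
            continue
        seen.add(b.bssid)
        if b.bssid in authorized:
            verdict = "authorized" if authorized[b.bssid] == b.ssid else "ssid-mismatch"
        elif b.security == "OPEN":
            verdict = "rogue-open"            # unknown AND unencrypted: top priority
        else:
            verdict = "unknown"               # neighbor or rogue; needs a walk-through
        findings.append((b.bssid, b.ssid, b.security, verdict))
    return findings


def run_demo() -> List[Tuple[str, str, str, str]]:
    # Constructed capture: corporate AP (heard twice), an open rogue, a WEP neighbor.
    corp, rogue, neigh = (bytes.fromhex(h) for h in ("001122334455", "aabbccddee01", "66778899aabb"))
    frames = [
        build_beacon(corp, "PFunEd", privacy=True, rsn=True),
        build_beacon(rogue, "default-router", privacy=False),
        build_beacon(corp, "PFunEd", privacy=True, rsn=True),
        build_beacon(neigh, "neighbor-net", privacy=True),
        b"\x08\x00" + b"\x00" * 40,           # a data frame: ignored by the parser
    ]
    return triage(frames, authorized={"00:11:22:33:44:55": "PFunEd"})


if __name__ == "__main__":
    for row in run_demo():
        print("%-17s  %-15s  %-8s  %s" % row)
```

The verdicts are deliberately coarse: "rogue-open" is the case the text describes (an unknown BSSID that is also unencrypted), "ssid-mismatch" catches an authorized radio beaconing the wrong network name, and "unknown" covers neighbors and anything else that needs a physical check. A monitoring host would feed this the frames from an interface in monitor mode and keep the authorized list under change control.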
The rogue access point will definitely be included in your report. This access point will also be used throughout the penetration test, assuming the company doesn't discover it and disable it before the test is over. Even though you have access, you would be remiss if you did not attempt to crack the official company wireless. The results of running the capture.py script from the last chapter are shown in Figure 7.15.