Pen-testing with small networked devices

Dr. Phil Polstra

Pen testing has always been viewed by IT security and data governance professionals as something of an audit exercise, with the pen tester undertaking a series of prescribed and planned tests, then reporting back to the IT security manager – or client management professional – in a report format, complete with recommendations.

Dr. Philip A. Polstra, Sr, a Professor in the Department of Computer Security and Forensics with the University of Dubuque in Iowa, is not what you would call a conventional pen tester – he’s been building circuit board-based systems for several decades, and his enthusiasm for DIY electronics and bread-boarding was evident in his presentation at the Amsterdam Black Hat Europe event in March of this year.

But he is definitely a pen tester, and is also that rare entity – an auditor who also fundamentally understands electronics, programming and computers. He also shared his thoughts on leading edge pen-testing with a small but dedicated crowd at the final (5pm) event of Black Hat Europe in Amsterdam.

Penetration testing, he explained, has become a mainstay of many penetration testers. At the same time many organisations have moved toward wireless networks.

In the light of these changes, Dr. Polstra gave an explanation of how to pen-test a wireless network using a Linux distribution – known as The Deck – which runs on the ARM-based BeagleBoard-xM and BeagleBone devices, the boards for which are just 3.25 inches square.

The BeagleBoard (c) Dr. Phil Polstra

The BeagleBoard is driven by a Cortex-A8 processor and consumes less than 10 watts, yet features 100Mbps networking built in and offers four high-speed USB ports plus a USB On-The-Go port.

One interesting evolution that Dr. Polstra discussed is an extension to The Deck that allows multiple devices running [on The Deck] to be connected via 802.15.4 Xbee networks.


WiFi considerations

According to Dr. Polstra, even when wireless networks are employed, prolonged presence near the target organisation can arouse suspicion. Using a drop box approach, he explained, can work, but most of these devices require the user either to retrieve them, or they must tunnel out of the target network in order to return the results of any hacking done by the devices.

This, he says, dramatically increases the chances of detection and/or delays reporting of results to the penetration tester.

Dr. Polstra favours the different approach of pen testing wireless networks at a distance using a WiFi Cannon – a custom antenna designed to pick up WiFi signals at ranges of up to 2km away.

The WiFi Cannon (c) Dr. Phil Polstra

“It’s a relatively easy way of conducting a pen test. I always look at the easy ports first – such as Port 5 – and using a Fern WiFi cracker, even though I do consider this application as something of a kiddie’s cracking tool,” he told his audience.

He argues that wireless attacks are quicker and/or more successful when performed in close proximity of targeted clients and access points.

He uses an open source penetration testing Linux distribution for the ARM-based BeagleBoard-xM and BeagleBone devices – known as The Deck – together with a variant he called the Mesh Deck.

The Mesh Deck, he told his audience, allows multiple devices running The Deck to perform attacks which are coordinated using IEEE 802.15.4 networking protocols.

The BeagleBone – which is ideal for drop boxes – Dr. Polstra says, is available in Europe for €73. The BeagleBoard-xM, meanwhile, which is used as the master device and/or control console is available for €133. This is considerably less, he explained to his audience, than the cost for commercial drop boxes such as the Pwnie Plug series which sell for hundreds of Euros.

Each device running The Deck, he says, has a full-featured penetration testing Linux distribution. This, he adds, allows for much greater flexibility as devices can be easily reconfigured on the fly – and the full source code for the device is freely available, under a GNU GPLv3 licence.

Dr. Polstra went on to say that the BeagleBoard family of devices are an excellent choice for custom device-based pen testing, as they are small and affordable, as well as being a low-power USB-enabled platform.

The BeagleBoard-xM, he told his audience, works well as either a control console or a drone, whilst the BeagleBone could, he explained, be used as a command console, although it is better suited for use as a drone.

Both boards are relatively bulletproof in electronic/computing terms, as they store their operating system and data on a microSD card, usually with the Angstrom version of the operating system pre-installed.

As The Deck image is 6GB, a minimum 8GB card is required, although Dr. Polstra recommends a 16GB card to allow for storage of data gathered in a pen test environment.


Networking attacks

Although Dr. Polstra clearly favours the building stages of a pen-testing system using the Beagle boards, he has also clearly thought out the best strategies when it comes to conducting a pen test, having installed a Deck unit – complete with power supply etc. – inside a Buzz Lightyear (Toy Story) lunchbox.

The problem with WiFi attacks, he explained, is that sitting in one place with a computer whilst staging a wireless attack “just looks suspicious” whereas someone sat in a car or van eating a sandwich with the lunchbox by their side – or even out in the open – is not going to arouse any suspicions.

The Dubuque University professor is also working on the next step in his wireless pen testing strategies, and is currently seeking funding for a wireless-enabled aerial drone – built from model kit components – to lift a mobile drone into the air and then land the device on the top of an office building.

“This would then allow the on-board system to stage a pen test on the wireless network of the building in question,” he explained, adding that, if the aerial drone were equipped with proximity detectors, it could easily be programmed to hover at a height of 10 to 20 metres above the rooftop of an office building if it detects the presence of people, and then call – over the air – for assistance from the operator.

Other future enhancements to Dr. Polstra’s designs include the ability to simply patch the Beagle-based device straight into the network that is to be pen-tested, or to run the unit from a Power-over-Ethernet connection for longer periods than a battery can provide.

Rounding off his presentation, Dr. Polstra said that his Beagle-based systems allow pen testers to execute effective attacks without the need for prolonged proximity to the systems being targeted.


General BeagleBoard xM/BeagleBone

Installing Ubuntu on Beagles

Cross-compiling for Beagles by Jan Axelson

Instructions on how to build The Deck

Dr Polstra’s blog:

Download link for The Deck:
