- Home
- Techniques
- Enterprise
- Hardware Additions
Hardware Additions
Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping [1], man-in-the middle encryption breaking [2], keystroke injection [3], kernel memory reading via DMA [4], adding new wireless access to an existing network [5], and others.
Procedure Examples
Name | Description |
---|---|
DarkVishnya |
DarkVishnya used Bash Bunny, Raspberry Pi, netbooks or inexpensive laptops to connect to the company’s local network.[7] |
Mitigations
Mitigation | Description |
---|---|
Limit Access to Resource Over Network |
Establish network access control policies, such as using device certificates and the 802.1x standard. [6] Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems. |
Limit Hardware Installation |
Block unknown devices and accessories by endpoint security configuration and monitoring agent. |
Detection
Asset management systems may help with the detection of computer systems or network devices that should not exist on a network.
Endpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.
References
- Michael Ossmann. (2011, February 17). Throwing Star LAN Tap. Retrieved March 30, 2018.
- Nick Aleks. (2015, November 7). Weapons of a Pentester - Understanding the virtual & physical tools used by white/black hat hackers. Retrieved March 30, 2018.
- Hak5. (2016, December 7). Stealing Files with the USB Rubber Ducky – USB Exfiltration Explained. Retrieved March 30, 2018.
- Ulf Frisk. (2016, August 5). Direct Memory Attack the Kernel. Retrieved March 30, 2018.
- Robert McMillan. (2012, March 3). The Pwn Plug is a little white box that can hack your network. Retrieved March 30, 2018.
- Wikipedia. (2018, March 30). IEEE 802.1X. Retrieved April 11, 2018.
- Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.