
Tools of the Trade

An awesome new product showed up on [Hackaday] a couple of weeks ago. The [SheevaPlug] is an extremely small computing device that opens up numerous opportunities for portable and nonintrusive (i.e. covert) computing. Obviously, my initial impression of the device was “Cool”, but when you look at it from the perspective of a penetration tester it really has some possibilities.

Firstly, let’s cover the basic specs.

  • 1 GHz processor
  • 512MB of RAM
  • 512MB of Flash storage
  • USB port
  • 10/100 Ethernet port
  • the size of a typical A/C adaptor
  • Price: $99

Impressive, eh? It’s a great little device, and a couple of enterprising enthusiasts have been working on making it into a home media center, though it doesn’t have nearly enough processing power to handle HD H.264 decoding. However, if your goals are slightly less ambitious it can make a very reasonably priced home webserver or a reasonably priced piece of networking equipment… or both!

The two biggest assets that make this device well suited to pentesting are, firstly, that it’s very small and inconspicuous. You could plug it into a random wall jack (or, if you’re feeling particularly sneaky, into one behind some boxes) and you immediately have a foothold into a network. Great for abusing trust relationships, plenty of data to mine from just hanging in promiscuous mode, and the possibilities for MITM attacks are pretty appealing. The second reason this is such an appealing method is that it is a relatively low-cost/low-risk tactic. If the device is discovered or destroyed there is little to tie it back to an owner and you’re only out $100. In a perfect world, when the engagement was over you’d simply recover the device, dd on a fresh image and hit the next target.

So how would I set it up for maximum impact? Well, let’s run a scenario. I want access to a particular network and the data on that network. After some initial intel gathering I determine that they don’t have particularly good physical security monitoring (no cameras, no sign-in desks, etc.). All I need is two or three employee names and a vague idea of what part of the building they work in. I don a FedEx uniform and pack my SheevaPlug into a box. I start by entering the opposite end of the building from where I think those three people work, so as to maximize the amount of time I have to look for a spot to plant the device. You can “walk with purpose” and no one will ask questions, and even if you look lost it’s easy enough to say one of the names and get pointed in the “right” direction if someone asks what you’re doing there. All I’m looking for is an empty office, a conference room, the break room… any place where there is an unused Ethernet port and an open power plug. Another option, if there is wireless, would be to connect a USB wireless adaptor to the SheevaPlug. Upon finding a spot to set up, all I have to do is plug it in and walk away; the rest is completely automated. First the device does a DHCP request. If there is a response it grabs an address and moves on to the reporting-home part. If there is no response it listens to the ARP traffic on the network to determine a reasonable guess at the address scheme, arp-pings for an unused address and then grabs a static address. Most organizations don’t prevent outgoing DNS traffic, so we could probably just default to OpenDNS in the static phase. If there is a NAC in place it gets a little harder. Now we need the device to arp-spoof the gateway and watch for traffic patterns of well-known NAC solutions. Depending on which one we’re able to fingerprint, we just have to adapt. The next stage is what to do once we’re up and running and on the network.
We could simply arp-spoof the gateway and start dumping sniffed traffic to the flash storage (filtering to grab credit card numbers, login credentials or other information passed in the clear), but it’d be much more fun if we can get the thing to start taking orders. We have it attempt to connect to a common social networking site (Twitter, for example) every half hour (slightly randomized). It grabs the most recent post and translates it into a command. One such command could be to establish a reverse shell connection to a predetermined C&C server (for good measure we could even set this up on port 80). All of these automated processes could be accomplished within a minute or two, which means it could even send you a text message as soon as it was able to phone home. If it fails you just grab the hardware and exit.
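Seen from the network team’s side, the procedure above leaves two things on the wire: a MAC address nobody inventoried claiming an address, and the gateway IP suddenly being answered by a second MAC. The following is an added example, not code from the original post, that flags both over a constructed list of ARP replies; the gateway address and the MAC inventory are assumptions.

```python
"""Flag uninventoried hosts and gateway IP/MAC conflicts in ARP replies."""
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"  # assumed gateway address for the constructed sample

# Constructed inventory of MACs the network team knows about.
KNOWN_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:fe"}

# Constructed ARP replies as (seconds, sender_ip, sender_mac). The last two
# entries model an unknown host taking a free address, then claiming the gateway.
ARP_REPLIES = [
    (0, "10.0.0.1", "aa:bb:cc:00:00:fe"),
    (1, "10.0.0.10", "aa:bb:cc:00:00:01"),
    (2, "10.0.0.11", "aa:bb:cc:00:00:02"),
    (5, "10.0.0.77", "de:ad:be:ef:00:01"),
    (6, "10.0.0.1", "de:ad:be:ef:00:01"),
]


def unknown_hosts(replies, known_macs):
    """Return sorted (ip, mac) pairs whose MAC is not in the inventory."""
    return sorted({(ip, mac) for _, ip, mac in replies if mac not in known_macs})


def ip_mac_conflicts(replies):
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def gateway_spoofed(replies, gateway_ip):
    """True when the gateway IP has been answered by more than one MAC."""
    return gateway_ip in ip_mac_conflicts(replies)


def alerts(replies, known_macs, gateway_ip):
    """Human-readable alert lines for both symptoms, gateway conflicts tagged."""
    out = [f"unknown host {ip} ({mac})" for ip, mac in unknown_hosts(replies, known_macs)]
    for ip, macs in ip_mac_conflicts(replies).items():
        tag = "GATEWAY " if ip == gateway_ip else ""
        out.append(f"{tag}ip {ip} claimed by {', '.join(macs)}")
    return out


if __name__ == "__main__":
    for line in alerts(ARP_REPLIES, KNOWN_MACS, GATEWAY_IP):
        print(line)
```

On a real network the same two checks run against a switch’s MAC table or a passive ARP capture; the inventory check alone catches the static-address path the post describes, since that host never touches the DHCP server.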

The traffic produced by all of this is really quite minimal, and is going to look like rather typical network device traffic. Anyone who notices the device is typically going to mistake it for the power plug of another device. On the other hand, the major weakness of this type of tool is that it requires physical access to actually be put into use, and to be perfectly honest, if the location has even minimal physical security you’re going to run into problems with this. This really is better suited for targets of interest, as it has a lot more variables, and the $99 price tag (while not impossible to stomach) is more than you’d want to waste if you didn’t have to. It’d be best suited for enterprise organizations with a lot of moving parts that don’t keep track of each other’s movements, that haven’t even considered physical security before.
