Presented at
DeepSec 2020 „The Masquerade“,
Unknown date/time
(Unknown duration).
When designing redteam attacks, the scope can be quite complex. We are not only speaking about websites and pentesting, but finding and exploiting human vulnerabilities. Most of the social engineering attacks imply using gadgets: from mock "pendrives" to sniffing, hardware plays a very important part in real life scenarios. For this purpose, there are tons of gadgets from official trade marks such as Hak5, The Hacker Warehouse, Dangerous things and others. Although this gadgets usually work like a charm, sometimes we have to rely on more flexible gadgets, designed for a specific purpose in specific scenarios. And in that case we should know a bit about electronics and open source hardware for building our own gear.
Relying on Open source Hardware is a good idea as it's easier to find manuals, support, community help and more. A lot of pentestings most used tools are open source and we love them, so why not do the same with open sourced hardware? The maker community is one of the most friendly in tech, let's take advantage of it!
Once you complete the training you will have learned about:
* Electronics and basic circuits physics
* C for electronics
* Choosing from different kind of boards for a (security) project
* Setting up a Rasperry Pi
* Use and configure Arduino IDE for different kind of projects
* Using DFIR for Arduino
* Using Bluetooth in Arduino
* WiFi in RPI and Arduino
* How facial recognition works
* Using Attiny85 as a rubber ducky
* GSM and geofencing
* Looking for circuit designs and ordering custom boards
* Hardware debugging
* The steps for designing a whole hardware project
* Usability and how to build hardware not only for you but for your team
* Understanding the risks and limits of using hardware
* Maker community and the importance of keeping open sourced stuff
WHAT WILL STUDENTS USE
I will lend hardware hacking kits to groups of students that will be organized in the training, they will need to return the stuff when the class finishes. This kit will include: Attiny85 and nano boards, Bluetooth, DFIR, and others components/sensors, resistors, wires and other assisting components. They will have to use their own computers, preferably Linux based.
During the training I will do some capture the flag-like activities in which the students will be able to win some stuff from the training.
WHAT STUDENTS SHOULD KNOW
A bit of C knowledge is recommended, but knowing programming in general is the true requirement. The training is meant to be available to those who haven't used C as well. Basic Linux commands are strongly recommended, as that's what I will be using and it might be confusing for those who haven't used it before.
WHAT STUDENTS SHOULD BRING
They should bring their computers. I personally recommend Linux based (mostly because this way they will follow the exact steps I take and I will be most likely able to solve issues) and they should install Arduino. If they already have any board they are willing to learn about (Arduino, RPI 4/Zero, ESP8266, etc) they are encouraged to bring it.
WHO SHOULD ATTEND
Anyone interested in Hardware or Redteam, both students and professionals are welcomed.
Presenters:
-
Paula de la Hoz Garrido
- Telefonica TECH
24 years old senior Redteam offensive security expert at Telefonica TECH. Previously worked as a redteam member for another company, as a pentester, security and systems auditor. Also worked as a robotics teacher at a private school in Switzerland. Writing about security in English, Spanish and Japanese at dev.to/terceranexus6 and speaking about technology on a social radio in Madrid. Co-founded a digital rights and privacy awareness association in Spain called Interferencias with more than 1k members.
Also tattooing.
Links:
Similar Presentations: