How to choose the right hardware and software setup for your pentest appliance/dropbox.
In this article, we'll discuss choosing the right hardware and software setup for your pentest appliance/dropbox. In part 2 I share my OpenVPN setup for connectivity and management. Part 3 describes how I provision a dropbox for testing.
There are two types of dropboxes used, covert and overt. Overt means the recipient knows we'll be shipping them a dropbox to be installed on their network. In this blog series, the term "dropbox" will refer to an overt pentesting appliance. This is handy for conducting assessments remotely.
If you perform remote security assessments this article is for you.
There are plenty of write-ups for building covert, small, under-powered dropboxes. Our goal is different: we need a system beefy enough to support all types of assessments and day-to-day work.
Consider your requirements:
Should it have multiple NICs? - I prefer at least two: one dedicated to management, the other used for testing.
Does the onboard wireless chipset need to support packet injection? - For wireless assessments I prefer two Wi-Fi adapters. A non-injectable onboard chipset plus a USB Alfa or TP-Link adapter works well.
Cost - You'll be building many of these, so the cheaper the better.
Rackmount or desktop - Desktop PCs in a datacenter will be an issue (see below). From my experience, this is more of an issue with PCI pentests that require internal testing from inside the CDE (cardholder data environment). For most pentests, I prefer to have the dropbox installed where end users are. A small desktop PC sitting on someone's desk works well, but when it doesn't, you might annoy a datacenter admin.
I've narrowed this list down to what I believe are the best options. I've personally used each of these systems as a pentest dropbox and they all perform well:
Intel NUCs - There are numerous options to meet any requirement (except dual NIC). [UPDATE]: Hades Canyon (NUC8i7HVK) supports dual NIC.
At Sprocket we use the ZOTAC ZBOX-MI527 (for more CPU power, check out the other options in the M series). We chose this system for its dual NICs, small form factor, professional design, and cost.
Avoid laptops and netbooks, for two reasons:
Web cams - A lot of datacenters have rules that no devices with web cams can be installed in their datacenters.
Built-in mics - Same as above.
Spinning disks - Any moving part will fail at some point.
Systems with no video out, or VGA only - You may need to walk someone through changing settings at the console. Make sure this is painless for them.
If you follow these tips, you'll greatly reduce the chance of errors during installation:
Label NIC ports and plug any unused ones - Label ports ethX and/or color code them. For unused NICs, I insert a crimped RJ-45 connector.
Include instructions - Sounds silly, but it seriously helps. Below is a screenshot of what I include on my instructions:
Ship using good packaging, and supply return packaging - If you don't, you'll often receive your dropbox just thrown into a box with no protection. I use Pelican cases because they come with foam and, in the long run, they're cheaper than buying packing material. Note: you still have to ship it in a typical cardboard box, but those cost pennies and are easily available at shipping centers.
Email a pre-printed return label - You or someone in your office should do this because it makes the shipping process easier for your point of contact, plus you get a tracking number.
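The port labels only stay useful if the OS calls each port the same thing on every boot. As an added example of my own (not a script from the original post), here is a small helper that pins interface names to the NIC MAC addresses with a udev rule. The interface names mgmt0/test0 and the sample MACs are constructed placeholders.

```shell
#!/bin/sh
# Added example: pin OS interface names to the ports labelled on the case.
# Interface names (mgmt0/test0) and sample MACs are constructed placeholders.
set -eu

# Physical NICs have a /sys/class/net/<if>/device link; loopback, tun and
# bridges do not, so only real ports are listed. Prints "name mac" per line.
list_physical_nics() {
  for d in /sys/class/net/*; do
    [ -e "$d/device" ] || continue
    printf '%s %s\n' "${d##*/}" "$(cat "$d/address")"
  done
}

# Accept only a lowercase colon-separated MAC (the form /sys reports) before
# it lands in a udev rule.
valid_mac() {
  h='[0-9a-f][0-9a-f]'
  case "$1" in
    $h:$h:$h:$h:$h:$h) return 0 ;;
    *) return 1 ;;
  esac
}

# Render one udev rule per "mac name" pair, e.g.:
#   render_net_rules aa:bb:cc:dd:ee:01 mgmt0 aa:bb:cc:dd:ee:02 test0
# Names outside the kernel's ethN namespace avoid rename clashes at boot.
render_net_rules() {
  while [ "$#" -ge 2 ]; do
    mac="$1"; name="$2"; shift 2
    valid_mac "$mac" || { echo "rejected MAC: $mac" >&2; return 1; }
    printf 'SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="%s", NAME="%s"\n' "$mac" "$name"
  done
}

# With --apply, write the rule file for the MACs given on the command line:
#   ./pin-nics.sh --apply aa:bb:cc:dd:ee:01 mgmt0 aa:bb:cc:dd:ee:02 test0
if [ "${1:-}" = "--apply" ]; then
  shift
  render_net_rules "$@" > /etc/udev/rules.d/70-persistent-net.rules
  echo "current physical NICs:"; list_physical_nics
fi
```

Run it once without --apply to see the MACs the box reports, write them on the case labels, then run it with --apply before the dropbox ships; after that the name on the label and the name in your tooling never drift apart.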
You have two options: Kali, or anything else. I won't walk you through installing Kali, you know how to do that. But here are some tips to consider during provisioning:
Automate as much as you can - Your goal should be to streamline the provisioning process so it is easy for an office assistant or intern to perform. Until you get there, a simple bash script for the post-install steps will do. If you can PXE boot and perform a complete setup, consider yourself a wizard!
Disk encryption - Full disk encryption usually requires user input during boot, and that can be troublesome. I have remotely decrypted disks by adding SSH keys to the initramfs and entering the password during boot. I never kept this setup because it was unreliable. Message me if you are interested; I have some setup notes. I might revisit that setup and tweak it, but for now I simply ship the box with nothing sensitive on it and shred the whole system before the client ships it back. At the very least, encrypt your home directory and store sensitive information on encrypted volumes/partitions.
Use gitlab or github to host your custom tools - I create a separate gitlab key that gets provisioned with all dropboxes. This allows my setup script to automatically clone my custom tools.
Use OpenVPN instead of autossh - Autossh is ok for quick connections, but spending a few more minutes building a robust OpenVPN server is much more powerful. Part 2 will cover this in detail.
Have multiple callback channels - No need to go crazy on this. Your covert dropboxes need this more than your overt ones; you just want multiple fallbacks. I use SSH and OpenVPN on ports 80, 443, 8080, and 53 TCP (see part 2).
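Pulling the automation, tools-repo and callback tips together, here is an added post-install script of my own, not code from the post or from Sprocket. It renders the management/test NIC configuration, an OpenVPN client config whose remote lines fall back through the listed ports, an SSH config that uses a dedicated deploy key for the tools repo, and a port probe that picks the first reachable port for a reverse-SSH fallback. The host names (vpn.example.com, gitlab.example.com), key paths and the tools repository URL are placeholders; the OpenVPN server side is the subject of part 2.

```shell
#!/bin/bash
# Added post-install provisioning example for a Kali dropbox (not the
# original post's script). All hosts, paths and repos are placeholders.
set -eu

MGMT_IF="${MGMT_IF:-eth0}"                   # management NIC (labelled on the case)
TEST_IF="${TEST_IF:-eth1}"                   # NIC used for the assessment
VPN_HOST="${VPN_HOST:-vpn.example.com}"      # placeholder callback/OpenVPN server
GIT_HOST="${GIT_HOST:-gitlab.example.com}"   # placeholder GitLab host
TOOLS_REPO="${TOOLS_REPO:-git@gitlab.example.com:pentest/tools.git}"  # placeholder
CALLBACK_PORTS="443 80 8080 53"              # TCP ports the callback server listens on

# /etc/network/interfaces: the management NIC comes up on DHCP at boot; the
# test NIC stays unconfigured until the tester brings it up for the engagement.
render_interfaces() {
  local mgmt="$1" test="$2"
  cat <<EOF
auto lo
iface lo inet loopback

# management: VPN callbacks and SSH live here
auto $mgmt
iface $mgmt inet dhcp

# testing: configured by hand per engagement
iface $test inet manual
EOF
}

# OpenVPN client config with one 'remote' line per fallback port; OpenVPN
# tries them in order and moves to the next when a connection fails.
render_ovpn_client() {
  local host="$1" p; shift
  printf 'client\ndev tun\nproto tcp\n'
  for p in "$@"; do printf 'remote %s %s tcp\n' "$host" "$p"; done
  cat <<'EOF'
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/dropbox.crt
key /etc/openvpn/dropbox.key
tls-auth /etc/openvpn/ta.key 1
verb 3
EOF
}

# ~/.ssh/config stanza: a dedicated deploy key for the tools repo, pinned to a
# known_hosts file shipped with the image so the first clone cannot be
# redirected by a host-key swap on the client's network.
render_git_ssh_config() {
  local host="$1" key="$2"
  cat <<EOF
Host $host
    User git
    IdentityFile $key
    IdentitiesOnly yes
    StrictHostKeyChecking yes
    UserKnownHostsFile /etc/ssh/dropbox_known_hosts
EOF
}

# TCP probe using bash's /dev/tcp, so nothing beyond bash is needed on the box.
probe_port() { timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# Print the first port that answers; PROBE can be overridden for testing.
pick_callback_port() {
  local host="$1" p; shift
  for p in "$@"; do
    if "${PROBE:-probe_port}" "$host" "$p"; then echo "$p"; return 0; fi
  done
  return 1
}

# Reverse SSH as the secondary channel, on whichever port answered.
start_ssh_fallback() {
  local port
  port="$(pick_callback_port "$VPN_HOST" $CALLBACK_PORTS)" || return 1
  autossh -M 0 -f -N -p "$port" -i /root/.ssh/dropbox_callback \
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
    -R 2222:localhost:22 "callback@$VPN_HOST"
}

# Only touches the system when run with --apply, so the render functions can
# be sourced and checked without root.
apply_config() {
  apt-get update && apt-get install -y openvpn autossh git
  render_interfaces "$MGMT_IF" "$TEST_IF" > /etc/network/interfaces
  render_ovpn_client "$VPN_HOST" $CALLBACK_PORTS > /etc/openvpn/dropbox.conf
  install -d -m 700 /root/.ssh
  render_git_ssh_config "$GIT_HOST" /root/.ssh/dropbox_deploy > /root/.ssh/config
  chmod 600 /root/.ssh/config
  git clone "$TOOLS_REPO" /opt/tools
  systemctl enable openvpn@dropbox
  start_ssh_fallback || echo "no callback port reachable yet" >&2
}

if [ "${1:-}" = "--apply" ]; then apply_config; fi
```

Everything the script writes is rendered by a function that prints to stdout, so the provisioning steps can be reviewed (or diffed against a known-good box) before `--apply` ever runs as root. The deploy key and the callback key are separate on purpose: the deploy key only needs read access to the tools repo, and the callback key only needs the restricted account on the callback server, so losing the box does not expose anything beyond those two.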
Continue to part 2 - Set up the OpenVPN infrastructure