Covert Pen Testing Has Arrived

 
 
By Ryan Naraine  |  Posted 2006-08-21 Print this article Print
 
 
 
 
 
 
 

Immunity's silica is a pocket-size hacking device loaded with 100-plus exploits

A portable hacking device equipped with hundreds of exploits and an automated exploitation system will go on sale in the United States in October.

The wireless handheld, called Silica, is the latest product to be developed by Immunity, a Miami-based security company that sells penetration-testing products and services.

An early version of Silica, which supports 802.11 (Wi-Fi) and Bluetooth wireless connections, has been fitted with more than 150 exploits from Immunitys Canvas product to allow security professionals to conduct pen tests while walking past office cubicles.

Pen tests are used to evaluate the security of a computer system or network by simulating an attack by malicious hackers. A pen tester typically assumes the position of an attacker, actively exploiting known security flaws to search for weaknesses in the target system.

Immunity researcher Dave Aitel said Silica allows a pen tester to perform testing while appearing to perform an innocuous behavior—instead of carrying around laptops through a targets office space.

"You can tell Silica to scan every machine on every wireless network for file shares and download anything of interest to the device. Then just put it in your suit pocket and walk through your targets office space," Aitel said.

Aitel, a well-known security researcher who created and distributes several hacking tools, said he believes the slim, PDA-like Silica will "redefine" the pen-testing environment.

Using exploits from Canvas, Aitel said, Silica can actively penetrate any machine and have all successfully penetrated machines connect via HTTP/DNS (Domain Name System) to an external listening post.

Canvas makes available hundreds of exploits, an automated exploitation system and a comprehensive exploit development framework to pen testers and security professionals worldwide. It is used by pen-testing companies, government agencies, large financial companies and other businesses to simulate attacks against their infrastructures.

With Silica, Immunity is extending the concept to the handheld space, and Aitel said that covert pen testing is just as important to businesses.

"You can mail Silica to your targets CEO, then let it turn on and hack anything it can as its sitting on the CEOs desk," Aitel said.

Silica also can be used to conduct MITM (man in the middle) attacks against targets on a wireless network.

In addition, Silica is capable of connecting to a network or computer system using Ethernet via USB.

Immunity expects to sell Silica for about $3,000 and is working with external beta testers to iron out kinks before the products projected October launch date.

"The primary interest has been from very large consulting organizations, so we know there is a market for it. Law enforcement agencies have contacted us, expressing interest in having something someone can carry with them to do pen tests," Aitel said.

The Silica software is based on open-source Linux and will run on several hardware platforms.

A Fistful of Fun

Heres what you can do with Silica, a new PDA-type handheld tool full of exploits for penetration testing:

* Tell Silica to scan every machine on every wireless network for file shares and download anything of interest to the Silica device. Then just put it in your suit pocket and walk through your targets office space.

* Tell Silica to actively penetrate any machine it can target and have all successfully penetrated machines connect via HTTP/DNS to an external listening post.

* Mail Silica to your targets CEO, then let it turn on and hack anything it can.

* Have Silica conduct MITM attacks against people on a wireless network.

 
 
 
 
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel