Pen Testing in the Palm of Your Hand

A portable hacking device equipped with hundreds of exploits and an automated exploitation system will go on sale in the United States in October.

The wireless handheld, called Silica, is the latest product to be developed by Immunity, a Miami-based security company that sells penetration testing products and services.

An early version of Silica, which supports 802.11 (Wi-Fi) and Bluetooth wireless connections, has been fitted with more than 150 exploits from Immunitys Canvas product to allow security professionals to conduct pen tests while walking through office cubicles.

Penetration testing, or pen test, is used to evaluate the security of a computer system or network by simulating an attack by malicious hackers.

Pen testers typically assume the position of the attacker, carrying out active exploitation of known security flaws to search for weaknesses in the target system.

Instead of carrying around laptops through a targets office space, Immunity researcher Dave Aitel believes Silica can allow a pen-tester to perform testing while appearing to perform an innocuous behavior.

“[You can] tell Silica to scan every machine on every wireless network for file shares and download anything of interest to the device. Then just put it in your suit pocket and walk through your targets office space,” Aitel said.

/zimages/2/28571.gifRead morehereabout the Core Impact 6.0 pen testing framework.

Aitel, a well-known security researcher who created and distributes several hacking tools–The Spike fuzzer, the Spike Proxy Web application analysis tool and the Hydrogen remote access tool–believes the slim, PDA-like Silica will “redefine” the pen-testing environment.

Using exploits from Immunitys flagship Canvas, he said Silica can actively penetrate any machine and have all successfully penetrated machines connect via HTTP/DNS to an external listening post.

Immunitys Canvas makes available hundreds of exploits, an automated exploitation system, and a comprehensive exploit development framework to penetration testers and security professionals worldwide.

It is used by penetration testing firms, government agencies, large financial firms, and other companies to simulate attacks against their infrastructure.

With Silica, Aitel is extending the concept to the handheld space, stressing that covert pen testing is just as important to businesses.

“[You can] mail Silica to your targets CEO, then let it turn on and hack anything it can as its sitting on [the CEOs] desk,” he added.

Silica can also be used to conduct MITM (man-in-the-middle) attacks against targets on a wireless network.

Silica is also capable of connecting to a network or computer system using Ethernet via USB.

“Theres wireless testing. Then theres pen testing. Those are very separate things. With this, were joining those two things,” Aitel said in an interview with eWEEK.

/zimages/2/28571.gifClick hereto read more about updates to the open-source Metasploit hacking tool.

Immunity expects to sell Silica for about $3,000 and is working with external beta testers to iron out kinks before a projected October 2006 launch date.

“The primary interest has been from very large consulting organizations, so we know there is a market for it. Law enforcement agencies have contacted us, expressing interest in having something someone can carry with them to do pen tests,” Aitel said.

The Silica software is based on open-source Linux and will run on several different hardware platforms.

The market for penetration testing tools has heated up in recent months. Immunitys Canvas competes directly with Core Impact, an exploit development framework marketed by Core Security Technologies, in Boston.

Core recently shipped Core Impact 6.0, an update that features a completely retrenched applications framework that the vendor claims will greatly improve the efficacy and ease of use of its tools.

The open-source Metasploit Framework, created by hacker H.D. Moore to offer point-and-click pen testing, has also undergone a major makeover.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.