4. Problem #1
You left behind a device inside a client network, and were
unable to retrieve because 1) someone stole it 2) it was
discovered by an employee and taken offline
The above devices can look out of place randomly installed in
the client network…
5. Problem #2
On-site at a customer, you want to look inconspicuous when
performing a penetration test
6. Problem #3
You take A LOT of gear on
a pen test (and its never
the RIGHT gear)
7. Problem #4
You send pen testers into the field with a smartphone AND tons
of gear, then:
“I bricked my phone trying to jailbreak it”
“I am out of battery on my phone because I was running
wireless tools”
“I can’t call you right now, I’m doing a wireless assessment”
“I accidentally Tweeted the pics of the datacenter”
“I need SIMS with data plans, one for me and one for hacking”
14. Bluetooth Sniffing
I did most of this while driving in my pre-mid-life crisis car
(2010 Mini Cooper S R56, racing stripes, custom wheels/tires,
intake, exhaust, sprint booster)
26. http://securityweekly.com Copyright 2014
The hard thing
• Is not getting in…
• It is retrieving what you left behind
• Many times we will not even try to recover our devices
• Simply have the customer contact recover them for us
• This goes just about as well as you would expect
• We still have gear from assessments two years ago not returned
• So, we tend to use crap
29. http://securityweekly.com Copyright 2014
I left my phone
• This happens all the time to people
• It is so easy to simply call it… Like 30 times. Then try to
retrieve it
• They will happily give you the device back
32. http://securityweekly.com Copyright 2014http://securityweekly.com Copyright 2014
Conclusion
• A forgotten phone will be seen as just that, without you
getting caught (risky!)
• Be completely inconspicuous when performing on-site
testing and social engineering
• Bring a large set of tools, and replace the endless amount
of devices, on a penetration test
• Save money by providing your pen testers with one
platform for both a smartphone and pen testing device