Attacking Network Attached Storage on a Pen Test

Henry Dalziel | Hacker Hotshots, Resources and Tutorials | August 19, 2013

This Wednesday August 21st, usual time, 1200 EST, come and join us to discuss: “Opening the Treasure Chest: Attacking Network Attached Storage on a Pen Test” with Russell Butturini.

Brief background about Russell Butturini
Russell is the senior enterprise security architect for an international health care company based in Nashville, Tennessee. He is also the creator of the U3 incident response switchblade and has written dozens of papers on advanced denial of service techniques. With his expert skills as a web application security tester and penetration tester, and his vast experience across multiple platforms and environments, we are delighted to welcome Russell on the show! In particular, if you have an interest in understanding which are the best (or preferred) security tools to use, Russell would be a great person to ask.

Summary of the presentation
Russell will outline, amongst other topics, the following three points:

  • Where the typical network attached storage security model falls short.
  • How to audit their network attached storage configuration.
  • Why software included with storage devices can introduce risk into the network.

Based upon information from previous presentations Russell has delivered, he might also have time to explain how a pentester or security professional can find storage devices on a network. He might also have time to explain how to execute exploits with examples, and network profiling using storage appliances.

Network Attached Storage
Network-attached storage (often abbreviated to NAS) is a subject that you ought to understand if you work in security, not least because if an attacker had access to your network he could place a physical device and capture all traffic traveling throughout the wires. For those who don’t know, NAS can be defined as ‘computer data storage that is connected to a network’ by Ethernet, LAN or a wireless protocol. NAS provides data access to a collection of clients or end-users on a network.

NAS and DAS – what’s the difference?
You might come across DAS when learning about NAS. DAS, an abbreviation for Direct-Attached Storage, refers to a physically attached data server or storage hard drive. NAS, on the other hand, is typically a self-contained solution for sharing files over a network. NAS is generally considered to be less customizable than DAS with regard to certain hardware, such as CPU, memory and storage, or software.

Attaching hardware to a network: Hacking 101
On the subject of network security, we are, like millions of others, big fans of the Raspberry Pi. Not that long ago we posted our list of Raspberry Pi uses, and had a Hacker Hotshot web show titled “Raspberry Pi Hacking” with DJ Palombo, which went down a storm. An article explaining how to attach a Raspberry Pi to a network recently caught our eye; it shows just how easy, and unbelievably affordable, it is to monitor a victim’s network using a Raspberry Pi and, owing to its size, avoid detection. The device could be configured to be used as a remote hacking tool. The project requires that you create and manage four vital processes:

  • Partition a Raspberry Pi with a Linux OS (Raspberry Pi/ Kali Linux ought to do the trick)
  • Configure the Pi to receive a DHCP address
  • Configure the Pi to receive SSH connections
  • A separate Linux server that is reachable by SSH from the internet, preferably via a static IP

If networking is your thing then join us! If you miss the date (Wednesday August 21st, usual time, 1200 EST) then fear not: the event will be recorded and available at the same URL. Interestingly, we also have another networking event the day after titled “Free Tools to Monitor and Secure Your Wi-Fi Network” with Jason Wood, which will have a lot of similarity in that Jason will be outlining measures to protect and monitor a wireless network, the emphasis being on the ‘network’.

We look forward to welcoming Russell on the show and encourage you to join us and interact!