I want to attack company X, that has eg. 5000 employees. How should I start?
Just for sure: do you represent the eligible entity? Please read this page, before you go any further.
Plan the whole operation.
Exfiltrating ~5000 computers is a big challenge. Demanding technically, but also physically. To properly execute attack of this size, you will need:
- more than one Drive Badger USB drive (see below)
- more than one attack operator involved (divided into specializations or areas)
- to gather as much information as possible
- a good plan
If you're thinking about particular company, then you probably already have some initial knowledge about it. Start from answering these control questions:
- which (or whose) computers in that company are "interesting" for you, and why? which not?
- are there any "conditionally interesting" computers? what are these conditions?
- from "interesting" computers, which are the most important? are you able to list the 10-20 most important ones?
- are these "interesting" computers comply with 80/20 rule? (would it be sufficient to exfiltrate only them, or do you need to exfiltrate all company?)
Honest (and detailed!) answer will help you find the best strategy: attack the entire ~5000 computers, or only eg. 10-30 ones in a way smaller action.
What do you need to know to make a good plan?
Let's start from gathering information. What you need to know before starting planning, are:
Offices and physical security
- physical locations: buildings, floors, locations of interesting departments (obviously you need to know, where to find the interesting computers, instead of just exfiltrating everything randomly found in the building)
- how many interesting computers there are on which floor / building segment?
- types of computers: desktops vs laptops vs servers, Windows vs Linux vs Mac
- where software developers, graphics and marketing specialists are located (or other positions, that typically have faster computers, but store much more data on them)
- at which hours most devices, that typically leave the office "after hours", can be found in place?
- what about cameras and other forms of physical security? for example, access cards allowing access to certain rooms only? how to circumvent all of these? is Proxmark enough, or will you need some other tools?
- are there multiple physical routes between important locations? which ones are unprotected? what about fire exits?
- how computers, users, accesses, passwords etc. are managed? Active Directory? Azure integration? ManageEngine or similar management tools?
- is internal LAN protected with 802.1X or anything other, that prevents cable-connected computers from getting IP from DHCP server? is Internet access allowed? are there any devices (possibly unprotected or poorly protected) visible in the same network?
- what about their drive encryption policies? do they also encrypt drives in computers that are left in the office? or just in laptops that are taken home?
- are you able to get (eg. buy from IT employee) recovery codes for encrypted drives? maybe they use recovery codes based on computer serial numbers - are you able to get such serials, eg. for newly bought computers?
- are you able to calculate the possible schemes of generating recovery codes from serial numbers, and safely verify them on a few different computers before going any further with the attack?
- are you looking for something particular? or just for anything useful/valuable? your communication strategy amongst individual employees should depend on this answer
- can you point the specific person(s), from whom it is (at least theoretically) possible to buy recovery codes for encrypted drives? what methods are you ready to use to "convince" them?
- what about other employees? do you have any ideas, how to use them? people are often the weakest point of all security plans, but you still to work on the details...
Having all this information, you can start thinking about a plan (planning is however far beyond the scope of this page).
Choose the proper hardware
At this size of attack, you definitely need fast and rock solid hardware. Look at our curated list of recommended hardware, but skip sections about pen drives and magnetic drives. Start reading from "Samsung Portable SSD T5" and consider only models listed there.
You will need the following combinations of hardware architectures and device ports:
|Kali Linux version
||this configuration typically handles 80-95% computers
||to speed up the exfiltration process on NVMe-compatible computers with lots of data (optional)
||to speed up the exfiltration process on older Macs (2016-2020, optional)
||only as a backup for old/small computers with 32-bit CPU
||only for Mac M1 computers
Think about personal security, avoid leaving traces
There is no way to distinguish between Drive Badger and ordinary Kali Linux, or to prove the fact of data exfiltration, until:
- someone knows the proper LUKS password to your persistent partitions
- it is caught in the act (including after the attack has finished, but Kali Linux is still working)
- you use the non-encrypted persistent partition
- someone finds any form of "documentation" of the attack (eg. instructions written on individual drives)
Because of the last reason, it is much safer to operate only on multiple drive brands, models, capacities and colors, than to write anything on them. As part of risk mitigation plan, all USB devices and other equipment should look as generic as possible: no personalizing, no instructions, no numbers etc.
For example, Samsung Portable SSD T5 is available in different colors:
IMPORTANT: any device used for the attack, in case of being lost (left or found during search) should NOT suggest, that there are more devices to be found, or there is some plan, action in progress etc.
Calculate required drive capacities and speeds
Since you paralellize the operation, you don't always need 2 TB per drive. In real life scenarios, it's better to have more smaller drives, than fewer biggest ones:
- the more drives, the faster the attack (more computers can be exfiltrated at once)
- both risk factor and cost impact of losing one of the drives are smaller
- external SSD drives are expensive
- according to the above table, you will need from 3 to 5 different configurations of Drive Badger
Now, to go further, you need to:
- have at least some initial estimations about interesting computers: how many in total, how many per building/segment/floor, where are Macs (especially new M1 models) vs Windows (vs Linux) etc. - the more precise the better
- understand the attack timing (how long it will take to execute each phase: some phases depend on hardware brand and BIOS settings, while others on the amount of data to be exfiltrated, CPU/overall performance)
At this stage, it's useful to make a detailed capacity plan - its form (Excel list, graphical floor projection etc.) is not important, as it's only for you. The goal is to allow you to quickly update computer types and quantities per location.
Example input data
For example, let's count the required capacity for a part of fictional company, for 2 example floors:
||Expected amount of data
||HR Department reception
||Windows laptop (unknown, so USB)
||Low to moderate
||Macbook Air, year unknown (again USB)
||Macbook Pro, Space Gray (probably models with Thunderbolt 3)
||Macbook Pro, newest M1 model (with Thunderbolt 3)
||Windows laptop, looking quite old (USB)
||Windows high-performance workstation, most probably NVMe-compatible
And, to keep things simple, let's say that you have 10 hours for the operation. So don't worry about the time yet.
Let's analyze the requirements
Now, let's count the required capacities:
On 8th floor, you have:
- 19 Windows/Mac laptops that can be exfiltrated using USB port, with low to moderate expected amount of data (where typical attack should take below 10 minutes per computer)
- 1 Mac M1 with Thunderbolt 3 with moderate/high expected amount of data (where typical attack, due to Thunderbolt speed also should take below 10 minutes)
On 7th floor, you have:
- 2 old Windows laptops that can be exfiltrated using USB port, with moderate expected amount of data (where typical attack should take below 20 minutes per computer)
- 14 high-performance workstations with NVMe support (assuming that you managed to verify exact models), with hundreds of gigabytes of expected data per computer (where typical attack even with NVMe drive should take between 0.5 and 1.5 hours per computers)
Let's start from the fact: a single 2 TB drive divided into 20 gives 100 GB average capacity for 20 computers.
So, for 8th floor you need:
- 19 * 64-bit USB drives with no special capacity requirements - this can all fit on a single 2 TB drive
- 1 * ARM64 Thunderbolt drive with moderate/high requirements - typical storage in 2020 M1 Macs is up to 512 GB, so a single Samsung Portable SSD X5 Thunderbolt 3 500 GB will be enough
However it still would be good to parallelize exfiltration from these 19 laptops, just to reduce risk - eg. to 4 drives, 500 GB each.
And for 7th floor you need:
- 1 64-bit USB drive without special capacity requirements (500 GB should be enough) to exfiltrate first 2 laptops
- 1 32-bit USB drive, just in case these laptops have problems with 64-bit Kali Linux (especially if these are Dell laptops)
- 14 * 64-bit NVMe drives, at least 1 TB each - and this part needs to parallelized, so the recommended quantity would be:
- 7 * NVMe 2 TB - so each drive will handle 2 computers (5-8 drives per involved attack operator is usually maximum number, that 1 person is able to effectively handle - there is no point in giving 14 drives to a single person)
- 2 * USB 2 TB - just for sure, if something fails with NVMe (compatibility issues between particular motherboards and particular SSD controllers), to have additional space for the most important data
Required drives and their capacities
- 6 * USB 500 GB
- 2 * USB 2 TB
- 7 * NVMe 2 TB
- 1 * Thunderbolt 500 GB
The rule of thumb: the more precise information you gather during early preparation stage, the less capacity overhead you need to buy.
The real target
You should be able to split your target company in similar way, into buildings, floors, departments, and amounts/types of interesting computers within each of them. If you can't plan something similar to the above example, it means that you don't have enough information about your target.
Warning: trying to execute such attack despite not having all required information, carries a very high risk of the required improvisation (eg. risk of leaving unnecesary traces). Think twice before going this way.
Final advices regarding performance
Remember that attack has several phases, and some of them differ between computer models - understanding these phases and differences is crucial to choosing the most effective number of people involved into the attack:
- the more people you have, the more parallel attack streams you can run to finish everything sooner (and reduce risk)
- on the other hand, each another person involved, increases the overall risk - so in general you should rather try to reduce the attack team, than to expand it
- depending on various details, each attack operator reaches his maximum performance, having between 2-3 and 6-8 computers to handle at the same time