Fieldcraft for Digital Operations
Penetration tests, risks and vulnerability assessments, Red Team operations and others fall under what I call digital operations (DO).
In many cases DO is done from the safety and comfort of an office, but often it is done in the field. Performing DO in the field can be challenging and sometimes, depending on the operation, dangerous. There are several reasons for performing DO in the field:
You need to remain fairly anonymous by using public networks.
You need to appear to come from a specific IP address, and the only way to do that is by physically being at that location.
You need to be close to the target because you are also performing recon on it.
You were out in the street, something came up, and you need to check it right away.
Regardless of what the reason is, basic fieldcraft can make the operation easier and help you remain fairly anonymous and secure, and protect the sensitive information you might discover while performing the operation.
I put together this guide based on my own experience, and it might not work for everyone. Still, I think the points below will provide enough information for you to be prepared.
Each project should start with a recon phase. You should allot enough time to prepare the DO. Recon in this case includes scanning the area for any wireless signal (open or encrypted) and making a map of the best locations to perform the DO. These can be cafes, bars, parks, offices with a waiting area and others. Reconning the area will also give you a good idea of the best way to move around and of escape routes (should you need one).
Some people I know like to hire a local, send him a portable wireless signal finder/scanner and have him map the area; however, I prefer to do it myself or have someone from my team do it. I usually arrive two or three days earlier and recon the area. I might also carry a WiFi antenna booster connected to the laptop and use a good stumbler to help me map the WiFi signals from a safe distance.
During the recon you can also perform some basic HUMINT and social engineering if you need to. You can ask the locals where the best cafes are and if they know a good place to take business people for lunch. Then go to those places and ask whether your target comes to them. Knowing where your target will be can sometimes give you a chance to actively scan him (vulnerable phones with Bluetooth open, using a laptop on an open network and entering login credentials, etc.).
A short but useful recon can help you prepare the gear and software you will need.
Basic computer preparation
The computer is your main tool and as such it has to be ready for the project. Ideally you would have a blank, brand new hard disk for each project. You then install your preferred OS, virtual machine with other OS's and tools. Unless your client is paying you very well, having a brand new disk per project is most likely not possible. In these cases you need to prepare the disk prior to the project.
Start by wiping the disk clean. Formatting it is not enough: information can still be retrieved from it, and we don't want information from previous projects to be accessible. Wiping the disk usually means overwriting every part of it with 0s, then 1s and then random data, and repeating this several times, which makes it very difficult to recover any old data. Once you have your disk cleaned, install the OS and tools, but be careful. Don't install anything that is not needed, and disable system services if you don't need them. The tools you need vary from project to project, so adapt. I usually also have several boot-from-CD or boot-from-USB OSs ready to go, for example BackTrack and Deft, to name a few.
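As an added example (not the author's tooling), the overwrite pattern described above carried out on a regular file in Python, with each pass flushed to the medium and a constructed demo that checks the original contents are gone. Caveat for practitioners: on SSDs and other flash media with wear levelling, overwriting through the filesystem does not guarantee the old blocks are gone, so for a whole device use the drive's built-in secure-erase and, as recommended later in this post, full-disk encryption from the start.

```python
import os
import tempfile


def wipe_file(path: str, rounds: int = 3, chunk: int = 1 << 20) -> int:
    """Overwrite every byte of `path` in place: a pass of 0x00, a pass of
    0xFF, then a pass of random data, repeated `rounds` times.
    Each pass is flushed and fsync'd so it actually reaches the medium.
    Returns the total number of passes written."""
    size = os.path.getsize(path)
    passes = 0
    with open(path, "r+b") as f:
        for _ in range(rounds):
            for fill in (b"\x00", b"\xff", None):  # None = random pass
                f.seek(0)
                remaining = size
                while remaining > 0:
                    n = min(chunk, remaining)
                    f.write(os.urandom(n) if fill is None else fill * n)
                    remaining -= n
                f.flush()
                os.fsync(f.fileno())
                passes += 1
    return passes


def wipe_demo(marker: bytes = b"CLIENT-ALPHA-CREDS", rounds: int = 3):
    """Constructed demo: fill a temp file with a recognisable marker, wipe it,
    and report (passes written, marker still present?, size unchanged?)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 4096)
        path = tmp.name
    original_size = os.path.getsize(path)
    try:
        passes = wipe_file(path, rounds=rounds)
        with open(path, "rb") as f:
            leftover = f.read()
    finally:
        os.remove(path)  # the demo file itself is not needed afterwards
    return passes, marker in leftover, len(leftover) == original_size


if __name__ == "__main__":
    print(wipe_demo())  # (9, False, True)
```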
The next thing to do is to create an electronic dead drop. Create an email account on any free webmail service (Gmail, Yahoo! Mail, etc.). Give the username and password to the team members at HQ and agree on four times a day when you will check the email and when the team will check it. You will use this email address as a dead drop. It works as follows: you have information you want to send to your team for analysis. Zip the files, encrypt them and attach them to a new message, but don't send the message. Save it in the Drafts folder and log out. Your team member will log in to the account and see a new message waiting in the Drafts folder. He will download it, erase the draft message, and then work on it. If he has information for you or a reply, he'll upload a new encrypted file and leave it in the Drafts folder. This way there is no email trail.
It is important to mention that this email account will only be used for this project. After the project is finished you need to delete the account or forget about it. DO NOT reuse the account. Another way of sending information via the dead drop is to use steganography, essentially hiding information in plain view. You can hide the encrypted information in pictures, MP3 files or even in the whitespace of text files. The advantage of steganography is that if the email dead drop gets compromised, all they'll see is a picture or an MP3 song.
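As an added example, not code from the post, the text-file whitespace variant in Python: each payload byte (which, as the post says, should already be encrypted) becomes eight trailing spaces or tabs on one line of an innocuous cover text, with a small length prefix so the decoder knows where to stop. The third function is the detection side, a simple heuristic someone reviewing outbound files could apply; the cover text and payload in the demo are constructed.

```python
"""Trailing-whitespace steganography: one payload byte per cover line,
each bit written as a space (0) or a tab (1) after the visible text."""


def ws_encode(cover: str, payload: bytes) -> str:
    """Hide `payload` in `cover`. A 2-byte big-endian length prefix lets the
    decoder know where the payload ends. Raises if the cover is too short."""
    lines = cover.split("\n")
    data = len(payload).to_bytes(2, "big") + payload
    if len(data) > len(lines):
        raise ValueError("cover text has too few lines for this payload")
    out = []
    for i, line in enumerate(lines):
        if i < len(data):
            bits = format(data[i], "08b")
            line = line.rstrip(" \t") + "".join("\t" if b == "1" else " " for b in bits)
        out.append(line)
    return "\n".join(out)


def ws_decode(stego: str) -> bytes:
    """Recover the payload; returns b"" if no length prefix is present."""
    data = bytearray()
    for line in stego.split("\n"):
        trailing = line[len(line.rstrip(" \t")):]
        if len(trailing) != 8:
            break  # first line without a hidden byte ends the stream
        data.append(int("".join("1" if c == "\t" else "0" for c in trailing), 2))
    if len(data) < 2:
        return b""
    n = int.from_bytes(data[:2], "big")
    return bytes(data[2:2 + n])


def ws_suspicious_lines(text: str) -> int:
    """Defender-side heuristic: count lines whose trailing whitespace mixes
    spaces and tabs, something editors rarely produce but most lines of
    this scheme do (all-zero or all-one bytes are the exception)."""
    count = 0
    for line in text.split("\n"):
        trailing = line[len(line.rstrip(" \t")):]
        if " " in trailing and "\t" in trailing:
            count += 1
    return count


if __name__ == "__main__":
    cover = "\n".join(f"line {i} of a perfectly ordinary note" for i in range(12))
    stego = ws_encode(cover, b"0900 cafe")  # constructed demo payload
    print(ws_decode(stego), ws_suspicious_lines(cover), ws_suspicious_lines(stego))
```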
Finally use a full disk encryption program to encrypt the entire disk.
Although I like to rely on my mind more than my gear, having the right gear can mean the difference between success and failure. As part of the recon you should also prepare a list of things you might need based on the information you gathered. DOPE can also help here. DOPE is a sniper term that means data on previous engagements or data on personal equipment (depending on the branch). Learn from past projects, check what worked and what didn't, and adapt the kit. For example, if you are going to be wardriving, have a WiFi antenna booster, several stumblers, a portable wireless signal finder/scanner, etc. If you are going to try to penetrate a network and need more than one computer, then bring along several Ethernet cables and a switch; that way you can extend the connection from a wireless access point or a wall jack you found. Remember: the target dictates the weapon, and the weapon dictates movement. Get the right tools for the job.
Try to get a backpack with all you need, but try to blend (see below). Do not bring a large duffel bag or a fluorescent backpack, for example; you'll stick out. If you have too much gear, grab the gear you will need for the day and leave everything else behind at the hotel. If you are in a bar frequented by college students, try to get a small hiking pack or something similar, for example.
Bring backup gear. Two is one and one is none.
Always test your gear and software as if it were the actual project. More often than not you'll find out what works and what doesn't. Testing your stuff lets you avoid nasty surprises, from software and driver incompatibilities to hardware that needs to be replaced. Test your gear.
One of the most important things is to blend with your environment. Try to adapt to whatever environment you are in. If you are in a cafe, buy a coffee, grab a newspaper, and alternate between the computer and the newspaper. If you are in a park using an open (or not) wireless network, move to different locations inside the park. Observe what people are doing where you are and try to mimic what they do.
Blending will help you remain anonymous and not draw attention to yourself and what you are doing.
The recon you performed prior to the project should also provide information about this. For example, if you go to a cafe where most people are executives from companies around the cafe and all wear suits and ties, do not arrive wearing a Hawaiian shirt. You don't have to wear a suit, but try to wear business casual attire at least.
Blending also means keeping your footprint as small as possible. If you are sitting in a cafe or the reception area of a company, do not bring out the laptop, wireless scanner, network switch, three external hard drives, etc. That will make you noticeable. Instead, try getting longer cables and leaving everything hidden inside the backpack. Just the laptop or the occasional portable hard drive will be on the table or your lap. If you are wardriving on foot, do not have the antenna visible; hide it inside the pack. Furthermore, disable sleep mode on your laptop, open your network stumbler and set it to log everything to disk, close the lid and stash the running laptop and stumbler in your backpack. Then walk. No one will pay attention, and you'll have a neat log of all the networks available to you. Be smart. Learn from your environment.
Move. Don't stay too long in one spot; people might notice you. In the case of a coffee place, don't stay longer than 40-60 minutes. During the recon of the area, prepare a map with all the different locations where there are wireless signals, hotspots, etc. and have them ready. You can then move between them. At each point, blend.
Try to randomize the locations you use and do not use the same location two days in a row. By doing this you avoid people noticing and remembering you. You want to fly under the radar. Moving helps. In order to move you have to be light, so prepare your gear accordingly (see Kit).
Be quiet. It is part of Blend, but since it is important I am writing it separately. Do not draw attention to yourself. Be quiet. If you need to talk to someone sitting at the same location, do it quietly. If you need to communicate with someone off site, try not to use the phone; use the dead drop you set up or SMS text messages on a burner phone (dispose of this phone when the project is done).
Rule 4: Always have a backup plan.
Sometimes what you think is going to happen doesn't. That wireless signal you found during recon and spent 4 hours breaking the password of? Gone. The owner went on vacation and powered off the device. Have a backup plan. Move to the next location.
Everything you prepare for the project, from travel methods to gear used, must have a contingency plan as well. I have found myself on different occasions in situations where the train I was supposed to take didn't run, or the hardware I brought along for the project stopped working. I immediately adapted. Failing your project because you were not prepared is not an option.
Rule 1: Always have an escape plan.
This applies especially to projects where you are providing your services to track criminals. You don't know how these people will react if you are made, so plan accordingly.
Always know the best way to exit your location or escape. If you need to evade your customer's security guards, know the exits, which one leads where, and which one is the best to reach the street. When you recon the area and the different locations, take note of staircases, doors, cameras, one-way streets and shopping malls. Shopping malls provide a great place to hide. Stash gear in different locations, like lockers at a gym or train station. If you find yourself in need of running, leave everything behind and grab the gear from the next stash point. The disk on the laptop should be encrypted, so it'll be OK.
Rule 1 is followed closely by Rule 5: Never get caught.
I hope this made sense to you and that it will help with the preparation and execution of your next digital operation.
Remember the 7 Ps:
Proper Planning and Preparation Prevents Piss Poor Performance.