Continues from Part 1.
While I was calling the guys at the office, I decided to check the sniffer. I browsed the captured packets and, to my surprise, I saw a couple of NetBIOS connections. Working backward and running a bunch of tools, I managed to decrypt the credentials used to connect to those computers. One was a user and the other was an administrator.
Now I not only had two backdoors on their internal network, but also I had an admin password. Administrator to what, I still didn't know at this point.
The next day at the office we were getting plenty of unrestricted access to the customer's network. The first thing we tried was to find the email server and see if we could get access to the top execs' emails. While I was looking for the server, one of the guys on the team found the domain controller, and when he tried the admin account I had captured the previous day, he found out it worked. Yes, now we had the domain controller under our, well, control. We had control of the domain and we could impersonate the administrator.
It was time to start having fun.