One out of a movie, sort of...
Well, I guess movies do base their stories on real life... The last project was, to put it simply, one for the movies.
The objective was to gain access to the offices of my customer and prove how well the servers and workstations were protected against a physical intrusion. Were the USB ports cold? Were the servers locked in their cabinets? Could I brute force my way into a server?
The building was a standard four-story building that had a fence at the back. The back part served as a loading dock for trucks and also held the trash containers.
The daytime recon showed that the front door was a no-go since there were too many security guards, and every time I called to social engineer my way through I was blocked. The back loading area was, for the most part, unguarded. I needed a key card to open the door to the building, but bypassing the fence was easy. I focused on that and decided to plan it as I went. Sometimes there is no way to really plan the pentest; there are too many unknowns, and you have to improvise once you are in the field.
The following week, on a Saturday, I arrived at the back of the building dressed in a cheap suit. My plan was to appear as a city hall bureaucrat and tell any of the drivers or workers in the loading dock that I was conducting a surprise check of the facilities. I decided on a Saturday since there was a chance that security would be lax and there would be no people to deal with inside the building. For whatever reason it worked... The person with the clipboard counting the boxes being loaded onto a truck opened the door for me! He said: "These are cool people here, they work hard. Don't be too hard on them..." WTF?
Anyway, I found myself inside the building. I took the elevator to the first floor. I didn't know where the servers were, so I began SWAGing it (SWAG = Scientific Wild Ass Guess). My idea was to start at the first floor since, in my experience, most server rooms or labs are located on the lower floors. I stepped onto the floor and found offices with computer terminals but no servers. Since those were part of my objective I decided to check a few workstations. Those that were powered on were locked with a password; those that were powered off were locked with a BIOS password. I had tools to try to bypass both, but I wanted to focus on the servers first. I continued.
I went to the second floor. I still didn't see anyone. I kept myself plastered to the walls as much as possible in those places where I saw cameras. There is usually a blind spot immediately underneath a wall-mounted camera. I didn't want any security guard to see me on a monitor. After a few minutes I found the servers. They were inside a locked room. The lock seemed simple enough, so I decided to give it a go. I grabbed my lock-picking tools, and after a few minutes I had it unlocked. When I opened the door... The freaking alarm went off!
I ran inside; I needed to do something. I knew the guards were going to appear soon. All the server racks were locked and I couldn't access the servers per se; however, I saw a router on one of the shelves that appeared to be hot (connected to a network). I grabbed my custom portable 802.11n wireless router (the size of a mid-size USB flash thumb drive) and connected it to the router with a long Ethernet cable. I hid it behind a stack of boxes on the top shelf and tried to disguise the wire behind the rail that supported the shelves.
Then I ran toward the door. When I exited the server room I saw a security guard coming out of the elevator. He saw me and froze for a second with a funny look. That was enough time for me to start running towards the stairs. On the way out I pulled the fire alarm. By the time I hit the stairs the lights were off and the fire alarm, with a recorded message telling everyone to evacuate the building, was playing over the loudspeakers.
I went down towards the loading dock and came running out of the door like a maniac. The guys at the truck all moved out of the way with surprised looks. And then I was out.
I know the guards called the police, but by then I was far away.
So, was the test a failure? Yes and no. I was discovered and couldn't physically access the servers and workstations; however, the wireless router I left there proved to be the right thing to do. The next morning I went back with my car and started scanning for the wireless router. I thought that since I had triggered the alarm they would search the server room and surely find the wireless router. I hadn't called my customer at that point because I wanted to test the wireless router first. Well, luck was on my side. I found the router, and although the signal was weak I was able to connect to it. After running some tools I was part of their domain, a flat Windows domain with pretty much access to everything. I copied a few files to my computer and added the customary "I was here" text file to their domain controller.
I then called my customer, who was fuming. The fire department and the police had arrived the day before and given him grief. I told him what I had been able to achieve and explained that while the alarm and security guards were the right things to have, he needed to train people on basic security awareness and add more security measures at the back, but most importantly he needed to make sure that there were no unnecessary points of access to the network. I mean, what was the point of having a totally secure server, locked inside a cabinet, if you could simply connect to the network via an insecure router and access the server from there?
That pissed him off more, but he understood my point.
That was one of the wildest pentests I've done. My heart was pounding and even though I have experience in combat, it was scary.
My GORUCK Echo with the kit for the pentest