The fun house - Part 1

Once in a while you have a project that you know will be a lot of fun. One of the biggest telecom providers dropped a project exactly like that a couple of years ago.

They wanted a full red team assessment, including external and internal digital assessments as well as a physical one. The scope: the entire company. This included the corporate HQ and its employees, the service stores across different cities, local offices, mall stores and the factory. This was a HUGE project. They time allotted? 6 months. Perfect.

The first few weeks were spent gathering information about the company, their digital footprint, employees and products. We performed digital and physical recon on their HQ, 10 of the services stores and the factory.
Their digital presence was medium size, with the websites and mail server hosted by service providers with no direct connection to the telecom's internal networks. We could DDoS them but that would be only an annoyance. So we decided to focus on either a physical penetration, so we could connect directly into their network from inside, or on a social engineering attack (an email with a weaponized PDF) so we could have remote access to their internal network via an unsuspecting employee.

Then an interesting thing happened.

While some of the guys were preparing the needed exploits and backdoors I went to one of the mall stores to check what I could learn. We haven't visited one up to that point and I thought that at least we needed to visit a couple, if nothing else to just see what we could take from that.
I arrived at the store near noon, it was packed. People in line, people waiting on the lounge and people browsing the different products. It was noisy and wherever you'd look you'd see movement and people. A great place to blend in.
As usual I was dressed in a suit and tie and after some wandering I found an empty seat at the executive lounge. This part of the store was reserved for people that represented companies and wanted to buy products for their organizations. After a few minutes sited there no one came to check what I was doing so I figure I would check what I could see. I assumed they had a wireless network so I opened my laptop and fired up the stumbler. No luck. I picked up some wireless access points from other stores but not from this one. I decided I would try to go talk to an employee and get some information when I saw on a corner an ethernet outlet. Hmmm…

I moved my chair next to it and pull an ethernet wire from my backpack. I always carry one just in case. I threaded the wire via an opening on my backpack into the outlet. I placed the backpack on the wall, so it would cover the outlet and the wire. Then I connected the wire to my laptop placing my jacket on my arm to conceal this. Fired up the terminal and… a DHCP connection!

So I had a connection, it was time to perform a quick recon and see what this network was all about. I left a sniffer running and with a few command line tools followed by a simple nmap ping scan I had a good idea of the network I was connected to. The routing table and a simple traceroute showed me the perimeter and other bits information that suggested that I was on a subnet of a much larger network.
The ping scan showed a lot of systems up. I widened the scan to include other subnets and after about 30 minutes I had a really good idea of the network I was in. For some reason the telecom chose to connect the execute lounge to their internal LAN.

By then the store wasn't so chaotic. I figured I needed to do something in case I was discovered. I searched the standard set of backdoors I had on my arsenal and found two I thought would be great from what I learned on the scan. One backdoor that would work great for Windows XP and Vista and another as a backup that would also provide me with crawling capabilities. I configured them to transmit to a server in our office using as first egress vector any connected application and as a secondary vector a simple HTTPS request. Both backdoors would allow us to control them remotely and had the capabilities of taking screenshots, search for documents and execute command at SYSTEM level. I ran a few exploits and after a couple of tries I had my foot inside three computers. I installed the backdoors, confirmed that I had a way out to our server and closed the connection.

With that done I closed my laptop and called the guys at the office.