The hole in the wall

One of the classic security tests is the hole in the wall. Basically you try to penetrate the premises of your customer, find an ethernet plug and you connect your computer. If the ethernet connection is hot then you try to find what you can do: are you connected to a network? Do you have a valid IP? Can you see other computers? Etc. If the plug is cold you move to the next one.

Another test that can fall in this category is the wardrive scan, or wireless recon. In this test you scan outside the building for any wireless signal (WIFI, bluetooth, etc) emanating from the building and try to either penetrate the network or gather intel via that connection.

I had a project where I had to do both.

During the wardriving phase of the test I grabbed my MacBook, loaded it with several network stumbler apps (kismac, kistmet for mac, and others), bluetooth and other RF scanners, pack it on my GORUCK Echo and make several passes around the building. I used a different stumbler app on each pass. Sometimes different programs detect different things. Made notes on the go on each pass and check my results.

The Mac was safely stored in the laptop compartment with only a small wire antenna sticking out of the zipper. That antenna gave the laptop the extra boost of reception needed for this test. Once I had all the info I checked for any networks available and noted all those that were open or needed to be cracked. The WIFI networks usually are encrypted using one of different methods. On older equipment this means WEP and that it’s too easy to crack. On newer equipment WPA or WPA2 is used, which is trickier but not impossible. With all this information at hand I could start planning how I would attack the problem and the best point to do it: where would the best physical spot be to get the best reception and when would be the best time to do it, when the network appears to have more traffic. More traffic sometimes means faster cracking time, like in the case if WEP. In the case of Bluetooth the problem is to be close enough to be able to connect to. Laptops and smart phones with the bluetooth on provide a wealth of information and in many cases they include the mobile version of FTP so you can upload or download files. It’s great.

On the second phase of the project I had to use my skills to enter the building. I did a short recon and opted for a direct approach. Using social engineering and some web programming skills I managed to set an appointment with one of the IT engineers so that I can check software licenses. They usually leave you alone after a while and that’s when you move.
After a short while I found an ethernet plug on one of the empty offices, pluged my laptop but the plug was cold. Moved to the next office and it was the same. Then I found a third one and this one was hot. I received an IP address and I was part of their network. If they had some monitoring they would see this immediately and a security guard would be knocking on my door so I quickly started scanning to see what I could find. Five minutes later I was still alone so I slowed down and started pocking into several systems. Found a few interesting documents labeled confidential and went back to checking licenses in the server room (which I also included in the report as a problem since I had access to their entire server farm without anyone checking on me).

Overall it was a successful project and my client is now safer.

Here’s hole in the wall.