The Way of the CV - Part 2
Continues from Part 1.
After some time planning and a few days after our job phone interview, we decided we would attack this from all fronts.
The physical team will support the digital team.
The idea was that John Smith would bring his girlfriend with him and while he was being interviewed, she would wait for him. The plan called for her to try to hook a wireless router to any hot ethernet outlet in the company. Then the digital team would connect to the wireless signal from outside and try to find a way into their network. She would have the fake badge with her, in case someone saw her walking in the building.
We performed several dry runs where we tested the range of the wireless router and signal, the different ways to hook and hide it, different techniques for tailgating and using our fake badge to our advantage.
The interview day came and we were ready.
John Smith arrived at the target with his girlfriend. Both dressed sharp in business attire. Both looking very professional.
At the front desk, the security guard asked for credentials and of course we had them. John Smith mentioned that his girlfriend was here as well because of a meeting taking place next door after the interview. The guard asked her for a driving license and handed her a "Visitor" badge as well.
Security issue number one: if she doesn't need to be inside the building, she can wait in the reception area under the careful watch of the guards.
The guard told them which elevator to take and which floor to go to.
Security issue number two: leaving them alone without any escort.
Once they reached the floor the two split up. John's girlfriend switched her "Visitor" badge for the fake one we made on the previous assessment and acted like she was just another employee. She belonged in this place. Walking with purpose, as if she knew where she was going, she searched for an empty office or cubicle. After about 10 minutes and no luck (most empty cubes had cold outlets) she headed for the stairs and went down one floor. Down there it was developer land. The doors leading from the stairs to the office space didn't need a badge to be opened, so she just walked in.
Security issue number three: people can wander via the stairs.
Once there it took her about 5 minutes to find a "visitor's" cube with a hot ethernet connection, close to a window (so the signal could reach the street). She plugged in the wireless access point, checked with her iPad that the network was up, and walked back up one floor to wait for John Smith. She sent a text message to the guys in the car outside that the wireless router was ready.
Security issue number four: any new and unknown device being plugged into the network should send an alarm to the security guys.
John Smith, in the meantime, was acing the interview. So much so that he was offered the position at the end of the interview. He politely said that he needed to review the offer and walked away with his girlfriend.
They both returned their visitor badges and walked out of the building.
The digital team in the car connected to the wireless using an old but still very useful wardriving antenna and began trying to move inside the network. The target's network was set to DHCP, so the router was assigned an internal IP address and became part of the network.
Security issue number five: unknown devices should not be assigned an IP or be allowed to connect in any way to the network.
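Security issues four and five both come down to the same control: nobody should be able to plug an unknown device into a live port and receive a lease without someone noticing. The following is an added example, not code from the engagement described in the post, showing the detection half of that control: it parses ISC dhcpd-style DHCPACK lines (the log lines and the asset inventory below are constructed for the example) and flags any lease handed to a MAC that is not in the inventory, or to a client whose hostname does not follow the assumed corporate naming convention `wks-NNNN`.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines in ISC dhcpd's format (not from the post).
SAMPLE_DHCP_LOG = """\
Mar 12 09:14:02 dhcp1 dhcpd: DHCPACK on 10.20.4.17 to 3c:52:82:aa:10:01 (wks-0417) via eth1
Mar 12 09:21:45 dhcp1 dhcpd: DHCPACK on 10.20.4.88 to f0:9f:c2:11:22:33 (homerouter) via eth1
Mar 12 09:22:10 dhcp1 dhcpd: DHCPACK on 10.20.4.19 to 3c:52:82:aa:10:07 (wks-0419) via eth1
Mar 12 09:40:03 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
"""

# Constructed asset inventory: MAC -> asset tag. In a real deployment this
# would be pulled from the CMDB or the NAC system rather than hard-coded.
KNOWN_DEVICES = {
    "3c:52:82:aa:10:01": "wks-0417",
    "3c:52:82:aa:10:07": "wks-0419",
}

# Assumed corporate hostname convention for the example.
HOSTNAME_RE = re.compile(r"^wks-\d{4}$")

# DHCPACK carries the lease that was actually granted; DISCOVER/OFFER lines
# are ignored because no address has been committed yet. The "(hostname)"
# part is optional: dhcpd only logs it when the client sent one.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RogueLease:
    ip: str
    mac: str
    hostname: str
    reasons: tuple  # why this lease was flagged


def find_rogue_leases(log_text, inventory):
    """Return leases granted to devices that are unknown or mis-named."""
    alerts = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        host = m.group("host") or ""
        reasons = []
        if mac not in inventory:
            reasons.append("unknown MAC")
        if not HOSTNAME_RE.match(host):
            reasons.append("hostname outside naming convention")
        if reasons:
            alerts.append(RogueLease(m.group("ip"), mac, host, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_leases(SAMPLE_DHCP_LOG, KNOWN_DEVICES):
        print(f"ALERT {alert.ip} {alert.mac} ({alert.hostname}): {', '.join(alert.reasons)}")
```

Two independent signals are checked on purpose: a MAC can be spoofed to match the inventory, and a hostname can be chosen to match the convention, but an attacker has to get both right before the lease looks legitimate. The preventive counterpart (802.1X or MAC-based port authentication so the port never goes live) is the fix the post is pointing at; this detection is what buys time when that is not yet in place.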
The network was segmented, that we knew; we had recommended it. However, after some playing around for a few hours, we managed to capture a bunch of user credentials. We used them to move around and scan the network. We discovered that by default the administrative shares were still open (we pointed them out last time; administrative shares are the C$, D$, ADMIN$, etc.). These shares were configured in a way that anyone with a domain user could use them. So, using our captured credentials we moved even deeper into the users' systems and copied documents, mails, and other good stuff.
We also placed a backdoor that would allow us to connect to the network from our office.
Our job was done. Total time: a little over 9 hours. Not bad.
The next days were spent exfiltrating information.
Security issue number six: data being exfiltrated didn't set off any alarms in their monitoring center.
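Days of exfiltration without an alarm means nobody was comparing outbound volume against what each host normally sends. The following is an added example, not part of the original post, of the simplest version of that check: it aggregates constructed flow records (source, destination, bytes) per internal host, counts only traffic leaving the assumed corporate RFC 1918 ranges, and raises an alert when a host's outbound total exceeds its hourly baseline by a chosen multiplier. The baselines and the multiplier are assumed values for the example; in practice they come from historical flow data.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records for one hour: (src, dst, bytes). Not from the post.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in
# for internet destinations.
SAMPLE_FLOWS = [
    ("10.20.4.17", "203.0.113.10", 412_000),
    ("10.20.4.17", "10.20.9.5", 9_800_000),        # internal file server, not exfil
    ("10.20.4.88", "198.51.100.7", 2_900_000_000),
    ("10.20.4.88", "198.51.100.7", 1_100_000_000),
    ("10.20.4.19", "203.0.113.10", 650_000),
]

# Assumed per-host hourly baseline of bytes sent to the internet, and a
# default for hosts that have no history yet (a brand-new device is exactly
# the case that should be held to the tightest baseline).
BASELINE = {"10.20.4.17": 500_000, "10.20.4.19": 500_000}
DEFAULT_BASELINE = 250_000
THRESHOLD_MULTIPLIER = 10

# Assumed corporate address space: everything else counts as "outside".
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_per_host(flows):
    """Sum bytes each internal host sent to non-internal destinations."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def exfil_alerts(flows, baseline, multiplier=THRESHOLD_MULTIPLIER, default=DEFAULT_BASELINE):
    """Return (host, observed_bytes, baseline_bytes) for hosts far above baseline."""
    alerts = []
    for host, total in outbound_per_host(flows).items():
        expected = baseline.get(host, default)
        if total > expected * multiplier:
            alerts.append((host, total, expected))
    return sorted(alerts)


if __name__ == "__main__":
    for host, total, expected in exfil_alerts(SAMPLE_FLOWS, BASELINE):
        print(f"ALERT {host}: {total:,} bytes out this hour, baseline {expected:,}")
```

The internal-to-internal copy in the sample is deliberately large and deliberately ignored: lateral movement is a separate detection problem, and mixing it into the egress total would drown the signal. The host that tripped the alert is also the one with no baseline entry, which is why unknown hosts get the strictest default rather than a generous one.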
The following week I called our contact in the company and explained what we did. She was not happy.