The Fun House - Part 2

Continues from Part 1.

While I was calling the guys at the office I decided to check the sniffer. I browsed the captured packets and to my surprise I saw a couple of netbios connections. Working backward and running a bunch of tools I managed to decrypt the credentials used to connect to those computers. One was a user and the other was an administrator.

Now I not only had two backdoors on their internal network, but also I had an admin password. Administrator to what, I still didn't know at this point.

The next day at the office we were getting plenty of unrestricted access to the customer's network. The first thing we tried was to find the email server and see of we can have access to the top execs emails. While I was looking for the server, one of the guys in the team found the domain controller and when he tried the admin account I captured the previous day he found out it worked. Yes, now we had the domain controller under our, well, control. We have control of the domain and we can impersonate the administrator.

It was time to start having fun.

We searched the different users in the server and found one labelled "SecurityGuards" (not exactly that, but something similar), this user was the security guards at the reception area of the HQ. Of course we went at it. We added to the caledar of this user a appointment stating that Mr Jones (me) and Mr James (another guy on the team) had a scheduled review of the server room for software license and other stuff. We added in the notes that there was no need of a security guard present on the server room since the two technicians were already cleared. HA!

In the meantime I found the email server and was able to gain control using the same credentials used for the domain controller. Now we could also read the emails. We found several documents labelled confidential containing future products.

A couple of days later we arrived at the customer's HQ wearing our best suits and pretending to the be technitians. The guards checked their logs and saw that indeed we were expected. They checked our ID's and we were issued badges with full access to the server room.
Once inside we took plently of picture of us possing in front of all the servers. We also used one of the terminals to log in using the admin credentials and took pictures and screenshots as well. From there we sent an email to the CTO and the security director from the the administrator's own email account stating that we essentially owned the network. We told them to come join us on the the server room.

15 minutes later, they both opened the door of the server room with serious faces.

We spent the next two months working with them to make sure their security was the best it could be.

As a parting note, the last time I went to the HQ I noticed they have a picture of me and some of the team guys at the security desk int he reception area with the message: DO NO LET THEM IN.


Bypassing a padlock with Quick Sticks

Using red teams to track criminals