Digital Recon

Morning chaos is usually a good time to tailgate someone and sneak into your target. Each company has its own morning chaos time, a little recon can show you when it's the best time to try this.
The trick is to appear as if you belong. Wear the right clothing, have a fake badge that looks the part (again, recon will help you with this, take pictures of actual badges), be on the phone with a customer and just walk right in.

Once you are inside try to get to the network and begin your digital recon.

JS and I managed to get inside our target a while back. This was one of those projects where everything works and you just have it.

We tried to find an empty office or cube so we could start scanning the network. We found one. When we opened our laptops and scanned for wireless networks we were surprised to find 3 different networks. Two protected and one open. So, while JS plugged his laptop to the wired network and got to work, I connected to the open wireless network.
Running a ping sweep I discovered several servers connected, some of them with web services. Scanning further I discovered more systems with databases and other things that shouldn't be connected to an open network.

I set to work.

Surface scanning of a web server with Nikto, it's a rather fast way to start the scan. I use Notational Velocity for note taking.

I tried to figure out if I was part of a domain that had a domain controller, one I can get my hands on. But the information I was getting was that this wireless network allowed anyone to connect to it. Furthermore, I could reach any and all the systems connected to the network.
I left nmap and nikto performing a surface scan on all the live systems, at this point I wasn't really trying to be covert anymore, and I focused on a Windows system that had Apache installed on it. The classic administrative shares (C$, D$, ADMIN$, etc.) were open and a little NULL connection foo gave me access to it. The reason I focused on this system was its name DEVxxxx (name removed). The DEV part was interesting.
The Windows system had .NET code, PHP code, C++ code and a collection of test tools all over the place. It looked like a developer computer.

It was a good find. I copied some source code, documentation for a product and the inbox contents into my laptop.

In the meantime JS managed to get a connection to their main network, ruled by a domain controller that gave him only low level access. He was trying to escalate. I scanned the computer I was in and I saw it had 2 NICs, one was connected to the network that JS was trying to recon, the main wired network.
I copied my crawler into the development computer and set it loose. We then focused on the development wireless network. Nmap showed several MS SQL and MySQL servers, along with more Windows systems and some Linux boxes. All in the clear via this wireless network.
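As an added illustration from the defender's side (not code from the original post), the two findings above, sensitive services reachable from an open wireless segment and a dual-NIC host bridging it to the corporate LAN, can be checked from scan output and an interface inventory. The nmap greppable output, hostnames and subnets below are constructed samples, not the engagement's real data.

```python
# Audit an open wireless segment: sensitive services it exposes, and hosts bridging it to the LAN.
# All input below is constructed sample data, not the engagement's real scan.
import ipaddress
import re

# Constructed nmap greppable output (-oG) for the open segment
SAMPLE_NMAP_GREP = """\
# Nmap scan initiated (constructed sample)
Host: 10.10.0.5 (dev-web)\tPorts: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 139/open/tcp//netbios-ssn///
Host: 10.10.0.7 (dev-db)\tPorts: 1433/open/tcp//ms-sql-s///, 3306/open/tcp//mysql///
Host: 10.10.0.9 (dev-ws)\tPorts: 5900/open/tcp//vnc///, 3389/open/tcp//ms-wbt-server///
Host: 10.10.0.12 (printer)\tPorts: 9100/open/tcp//jetdirect///
"""
# Constructed interface inventory: hostname -> addresses (dev-web has two NICs)
SAMPLE_INTERFACES = {
    "dev-web": ["10.10.0.5", "192.168.1.40"],
    "dev-db": ["10.10.0.7"],
    "fileserver": ["192.168.1.10"],
}
# Services that should never be reachable from an unauthenticated segment
SENSITIVE_PORTS = {445: "SMB", 139: "NetBIOS", 1433: "MSSQL", 3306: "MySQL",
                   5900: "VNC", 3389: "RDP"}
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)")

def parse_nmap_grep(text):
    """Return {ip: [(port, proto, service), ...]} from nmap -oG 'Host:' lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        hosts[ip] = [(int(p), proto, svc) for p, proto, svc in PORT_RE.findall(line)]
    return hosts

def exposed_services(hosts):
    """Findings (ip, port, label) for sensitive services open on the segment."""
    return sorted((ip, port, SENSITIVE_PORTS[port])
                  for ip, ports in hosts.items()
                  for port, _proto, _svc in ports if port in SENSITIVE_PORTS)

def bridging_hosts(interfaces, rogue_net, corp_net):
    """Hosts with an address on both networks: a path from the open segment into the LAN."""
    rogue, corp = ipaddress.ip_network(rogue_net), ipaddress.ip_network(corp_net)
    bridges = []
    for name, addrs in interfaces.items():
        ips = [ipaddress.ip_address(a) for a in addrs]
        if any(ip in rogue for ip in ips) and any(ip in corp for ip in ips):
            bridges.append(name)
    return sorted(bridges)
```

Feeding real `nmap -oG` output and an asset inventory into the two functions gives the list of services and bridging hosts that a segmentation review should have caught before the engagement did.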

One of the Windows machines had VNC. I opened my client and tried to connect to it. It asked me for a user name and password. Just to try, I hit enter (blank username and password) and I was presented with a desktop. Now we had control over another computer in the network. We set the VNC client to record video.
JS also managed to get himself into two other computers, one via the administrative shares and the other via a remote desktop connection, also without password. The rest of the systems we tried were locked, but we had 4 systems under our control. It was just a matter of time from there until we could own that network.

We copied as many files as we could and installed a backdoor. While we were doing this, the owner of the system with the VNC began working. He opened Visual Studio and started writing code. We had all this in video for the presentation as well. Very neat.

We used the backdoor to retrieve all the data from the crawler we had launched and forward it to our listener back in our HQ.

A week later we had a map of the network, we had credentials for several users in the admin group, and we had source code, documents and pretty much a way to shut the whole development network down.

When we presented the findings, we found out that the development manager, tired of IT denying his requests for a private network just for the developers, decided to bring his own wireless router, set it up and connect all the developers to it. He, however, neglected to set any kind of security. Furthermore, he connected their source control machine to this network so the developers could access it from anywhere in the company, including the cafeteria. Bad move...

Needless to say, at the end of the presentation, the IT director, the security director and pretty much all those involved in the assessment were furious. Not at us, but at the development manager.
The CTO asked us to go one step further and begin attacking the development manager specifically.

Stay tuned for what happened next.