Sometimes all the hard work and no play gives you some rewards. This was the case on one project. This was a simple "hole in the wall" assessment. Basically, go in and test whether you could connect to their network either via an Ethernet plug or using any wireless network. The idea is to help their security department find the weak points in their security, and well, allowing someone to just plug in a computer, get an IP and, presto, be part of the network is a big problem.
The infil into their offices was relatively easy. The company occupies half a floor of a building where other companies are located. The security guards on the ground floor are used to seeing different people, and they didn't bother us as we walked in with our suits, air of confidence and on our phones. They just looked at us and we continued walking... We hit the stairs (remember Rule 80: Never take the elevator) and climbed to the 8th floor. There, we simply walked into the company's area by tailgating an employee after he came back from the restroom. Simple.
No one even challenged us. We just walked and searched for a cube or office to sit in.
After a few minutes we found an empty office. Inside there was a sheet of paper that said: "Reserve for the XXXXX". XXXXX was a customer of theirs. So, we plastered that paper on the door and closed it. Perfect. Now we had a place to work and we hoped that no one would come bothering us.
After opening the computer we found two wireless networks, one secured using WPA and the other with the (really?) less than secure WEP. Alright then, WEP it is.
It took us about 8 minutes to figure this out and crack the WEP network. We were now connected to it and had a valid IP address in their domain. Now for the fun part: network discovery.
There are many ways to know where you are and what you have around you. You can use the OS tools such as traceroute, arp or route (just to name a few); you can also run network scanners such as nmap and perform a very good ping sweep.
We usually combine both ways and after we have the initial layout of the network and the devices connected, then we let loose our drones. While the drones perform a deeper, automated network recon, we focus on those systems that seem interesting, like domain controllers, databases, web servers and workstations that seem to have an easy way in, of which, in this case, there were about 50. Using different tools, PsExec and some of our own, and the simple, yet powerful netcat, we gained access to over 50 computers running different versions of Windows. Now, extracting credentials from Windows is not so hard and after trying with different systems we were lucky to find a user that was part of the Administrator group. So, now instead of using SYSTEM as the user to achieve all kinds of things, we could use a real user. That means setting off fewer alarms. Using SYSTEM is OK, but in the long run you will be found if you have a good security team monitoring the network.
Anyway, all this playing allowed us to really test their security awareness. Logging into the mail server using the Admin credentials allowed us to send a company-wide email. We purposely left the hacked admin's email account out of the mass message because we didn't want to tip him off. He would get enough complaints after our email was out...
We wrote a very nicely HTML-formatted email that stated that the company was going to give a big award to one person that was selected as the employee of the year. Everyone was required to vote and in order to do so: Click this link to submit your vote.
Now, this link would send the user to a nice website that would try to exploit several IE vulnerabilities, giving us remote access, i.e. from the internet, to as many computers as we could. Sure, we could achieve the same by just installing the backdoor ourselves, but we really wanted to test the employees' awareness.
We sent the mail, saw that it actually arrived (by tapping into another user's mailbox), packed our things and left. Again, unchallenged. No one was aware that we were there.
By the time we drove back to the hotel, Z called us to say that she had 27 shells to the different computers.
The presentation to the upper management that we did a week after that contained screenshots of 10 different systems' desktops and filesystems, copies of documents that were stamped "Company Confidential" and live video from the one backdoor we kept open to demonstrate what we could do.
They learned. And a few months back, when we tried to repeat this, we were caught.