Recon and site casing
Ten meters away from the main entrance, there was a big metal box with wires going into it. The door to the container had a simple lock and we figured, well, that was the way into it.
At this point we had done the daytime and night-time recon, and we were familiar with the patterns of life and atmospherics of the place. The container, at that time of night, was not monitored, and there were no lights near it. We could remain largely undetected while we picked the lock.
It took JS about a minute to get the lock open. Once the door began to move, we entered the container with ease. Inside there was an arrangement of control boxes, monitors and computers that reported the status of the main UPS (uninterrupted power supply) units and controlled their operation. We were now inside one of the 2 big UPSs for this complex, and after doing our recon, we had found this to be one of the most vulnerable points. We could now work quietly and out of sight, and gain access to the customer's network via their remote access to the UPS.
This was possible due to the recon we performed for 10 days. As we've mentioned many times, good recon will very likely decide the success of the project. Spend time learning about your customer: understand their environment, their industry, the key players in that industry and how they affect your customer. Understand the technology they use. And most importantly, understand their people, their mindset and their motivations.
Comb the internet for information, spend time observing, and collect. Connect the dots.
After a couple of hours inside the UPS container, and given that we knew the software that was running on the servers there, we were able to gain SYSTEM access and prepare a few pieces of malware that would spread throughout the network and allow us to gain further access. We exited, closed the door and slowly walked out to the perimeter fence, passing under a security camera that was pointing in the wrong direction, and out to the parking lot. A fast walk of about 200 meters and we were in the next building, a factory that was pretty empty at that time of night.
We sat in our car and, as the sun was beginning to come up, we watched the early risers arriving for work. We had Z and GY in the office waiting for any connection back during the day. So, our work was done. Now, coffee.
The project was successful. The IT people ran their usual tests on the UPS, and when they connected to the server inside the container, a little dropper installed a piece of malware on the IT engineer's computer. From that point onward, we managed to secure multiple access points into their network.
As a final note, and after securing the "OK" from the security director at this company, we shut down one of the UPSs and displayed on all server console screens a message saying: The Red Team was here - all your data are belong to us.
So, spend time doing recon. Spend time getting to know the place. In some cases, recon goes hand in hand with site casing: it can help you find observation points (OPs) and exit routes, and lets you create 2 or more escape plans. Spend time observing. Collect. Learn.