All tagged pentest

Once in a while you have a project that you know will be a lot of fun. One of the biggest telecom providers dropped a project exactly like that a couple of years ago.

They wanted a full red team assessment, including external and internal digital assessments as well as a physical one. The scope: the entire company. This included the corporate HQ and its employees, the service stores across different cities, local offices, mall stores and the factory. This was a HUGE project. They time allotted? 6 months. Perfect.

Convincing new customers...

You have two types of prospect customers in the world of Red Teams: Those that believe they need help and are willing to invest in proper security, and those that believe their security is the best but since it's required by their oversight they will hire a security consultant to *try* to find security vulnerabilities.

The former are easy to convince that they need to perform different tests, including a physical penetration test. The latter... Well, those take some convincing to do.  

I can show them presentations and hard data on why their security is lacking but they are too confident that their security is so good that they won't listen. In these cases I have to show them first hand. I usually would ask for permission to try to penetrate their building/network but sometimes I do it and then show them.

This last customer I had to convince authorized me to, quote: "try to bypass my security guards, I dare you...". 

​Based on experience, people think adversaries (they call them hackers) always find vulnerabilities (on networks, applications, protocols, etc) and write or use exploits in order to have access to their targets.  

While up to some extent this might be true, a lot attackers use other techniques to gain that initial way in. Social engineering is a great way to convince someone to download and open a *weaponized* document or binary file and have him or her infected with a piece of malware that will allow the attacker to remote access the system.

Social engineering doen't necessarily means calling or emailing the target. Sometimes sending a bunch of *product samples* might do the trick. For example, sending cheap USB flash drives or leaving them at the reception of your target can do wonderful things. Have the USB point to a malicious binary that will be automatically run when inserted on a computer or have a seemingly harmless PDF file called something along the lines of "Get more free samples.pdf" outfitted with some malware and you now have access to the system, remotely. 

Internal assessments

​Red team assessments and digital penetration tests not always involve trying to penetrate an organization's network or premises from the outside; sometimes you are tasked with checking what an insider or an adversary that physically got in can see from within your networks.

I've talked about this a bit in the hole in the wall and chasing the ghost in the machine but I just want to give you another example.

Sometimes the developers are the weakest link

​Like the title says, sometimes the careless developers are the weakest link and the reason an organization's network gets compromised.

In this particular assessment the team spent close to a month trying to find a way in via the organization's main website, email server, database servers, routers and firewalls. We were hitting well configured and security hardened systems and we were getting close to the finish date for our project. I am sure that had we have more time we would have found an exploitable vulnerability.

​This is an idea I've been playing with for a while. It's still under development, but the basic technique is similar to the one snipers use to search and detect targets.

One of the skills we learned at the scout/sniper school was the detection of targets. We would lay on our bellies and try to find hidden objects that the instructors placed in the field via the use of scopes. We also needed to detect an instructor acting like a sniper.  

All the objects (or potential threats) were hidden in a large piece of land, some close and some far. It would have been almost impossible to randomly start scanning for the targets in such a large area, so a simple technique was used: begin scanning with the naked eye for objects near and from left to right, then move a bit farther from right to left, etc. Once you get to a point where the naked eye is not good anymore, use a scope.  

Essentially you create a grid on the area where you move from close to far and from left to right and scan each sector for a potential threat, then you log everything you see.

One project I was involved in earlier on was the testing of the customer's digital quick reaction force (QRF). This group of security and IT professionals were supposed to be at the ready in cases where the organization's networks or systems were being compromised.

Usually the best way in would be a social engineering attack where we would send the target an email with a weaponized document or a link to a site with code that can exploit different vulnerabilities on their browsers, however this time we also wanted to see how good their security hardening practices were, how their perimeter was set and whether they were monitoring the different network devices at all.