All in Physical

Based on experience, people think adversaries (they call them hackers) always find vulnerabilities (in networks, applications, protocols, etc.) and write or use exploits in order to gain access to their targets.

While this is true to some extent, many attackers use other techniques to get that initial way in. Social engineering is a great way to convince someone to download and open a *weaponized* document or binary file and get them infected with a piece of malware that gives the attacker remote access to the system.

Social engineering doesn't necessarily mean calling or emailing the target. Sometimes sending a bunch of *product samples* does the trick. For example, mailing cheap USB flash drives or leaving them at your target's reception desk can do wonderful things. Have the drive launch a malicious binary as soon as it is plugged into a computer (where autorun is still enabled), or plant a seemingly harmless PDF named something along the lines of "Get more free samples.pdf" that carries the malware, and you now have remote access to the system.


Sometimes the developers are the weakest link

Like the title says, sometimes careless developers are the weakest link and the reason an organization's network gets compromised.

In this particular assessment the team spent close to a month trying to find a way in via the organization's main website, email server, database servers, routers and firewalls. We were hitting well-configured and security-hardened systems, and we were getting close to the finish date for our project. I am sure that had we had more time we would have found an exploitable vulnerability.

Another physical pentest

A while ago I had to perform a physical penetration test in which I was tasked with trying to infiltrate my customer's building, find the CEO's or any other high-ranking executive's laptop and make a copy of the hard drive.

I performed my recon for 2 weeks. The building had cameras everywhere so I had to be careful where I was walking. I wasn't sure whether the security personnel were monitoring the cameras or whether they could recognize me as someone who wasn't an employee, but I didn't want to set off any alarms if I could avoid it.

The big problem was that in order to avoid the cameras I needed to take the elevator. The stairs were a no-go, cameras everywhere, but the elevator had a possible blind spot (which I discovered on a recon walk when I went into the building pretending to be a UPS guy). However, in order to take the elevator I needed to call it first. I couldn't do this because I needed a company access card to enable the call button. So I waited.

A few minutes later someone walked out of one of the elevators. I pretended to be on the phone. As the door was closing I walked right into the elevator.


A few years back, a customer asked us to test their newly installed (and very expensive) surveillance and security system. The products promised them an automated system that was so secure they wouldn’t have to place a security guard there.

After some recon we discovered that while the entrance was guarded by a very secure keypad + access card combination lock, the inside had an automated "unlock" sensor, so if anyone wanted to come out, the door would unlock from the inside.

After some careful review of the pictures we took, we found that the top and bottom of the door were not sealed tight against the frame and floor; we could see a tiny bit of light coming through (we took the pictures with a high-resolution, night-capable camera). A plan was set in motion.

We arrived, approached the door and took out the piece of gear that would, hopefully, allow us to bypass the very secure lock: an old credit card.

We slid the old credit card under the door and… nothing.
