A few years back we performed a routine follow-up after a full Red Team assessment. The assessment was stuck after 3 days. Our customer really took our report and suggestions to make their security tighter to the letter.
We were unable to find a way in via their public-facing networks. On the physical side, the recon showed us that their guards and general security posture had also been upgraded. During the 3 days of physical recon, we observed that they had put in place not only our suggestions but had also hired an expert to make sure their security was tight. It was good to see this.
However, now we had a challenge and since we don't like to give an empty report to the customer...
After several days of debating and trying to figure out a way in with the information we had, we decided that we were being played by our own minds. We knew the networks and systems. We knew the physical security. Not anymore. Everything had changed, but we kept on trying to hit the same systems and the same patterns of physical security.
We needed to stop. We needed to approach this as if this was the first time we did the assessment, on a new customer. We switched our heads and now we went into full Plan, Execute and Vanish mode.
We divided the team into two. One would recon the digital footprint of the company, while the other would focus on the physical aspects of the project. The idea was that after a week of work we would get back to our TOC and each team would present its findings to the other. This way each team could get feedback from the other on things that people might have missed.
After this, we usually verify the findings: someone from the other team checks to see if the finding is something we can use. It's good policy and saved us a lot of pain in the past.
I was part of the digital recon team.
After a couple of days of searching, we found an ad that the company placed on a well known forum searching for an engineer. The ad listed the requirements and where to go to upload the CV (resume).
A little poking around the website showed us that it was vulnerable to a bunch of simple IIS exploits. One of them allowed us to see the directory listings of the uploaded files.
Yes... Now we could see every uploaded resume and cover letter and... the HR department's notes on each candidate. Yes...
This would be a good finding to show the customer. Even though this website was not on their network, the fact that personal, private information about candidates and potential employees of the company was exposed was really bad. It would be sufficient to make anyone go crazy. Yet, we wanted to go all the way in.
We searched the notes and compiled a list of the candidates that had the most potential. Then we crafted our legend. We prepared a cover letter and resume that would stand out, or at least give us a chance to get into the company for a first interview. We created John Smith. We used one of our oldest customers to help us: their director of security would pose as John Smith's former manager in case we needed to provide references.
Then we uploaded it.
In the meantime, the physical team kept on digging for a good physical approach. They observed atmospherics, patterns of activity around the building, the guards' patterns, etc. They did this during the day and at night. They discovered that the guards still got a bit overwhelmed by the rush of employees arriving first thing in the morning. We could leverage this to sneak in. We still had a fake badge we had made for the last project. It was something to consider.
But first we all wanted to see if we could get "legally" inside the building. It was more fun this way.
Ten days later, John Smith got a call from HR. After a short and very convincing conversation, we had our first interview scheduled for the following week. We were in.
Now we needed to figure out our plan of action.
To be continued...