All in Digital
Sometimes all the hard work and no play gives you some rewards. This was the case on one project. This was a simple "hole in the wall" assessment. Basically, go in and test whether you could connect to their network either via an ethernet plug or using any wireless network. The idea is to help their security department find the weak points in their security, and well, alloing someone to just plug a computer an get an IP and presto! Be part of the network is a big problem.
The infil into their offices was relatively easy. The company rests half a floor on a building where other companies are located. The security guards at the ground floor are used to seeing different people, and they didn't bother us as we walked in with our suits, air of confidence and on our phones. They just looked at us and we continued walking... We hit the stairs (remember Rule 80: Never take the elevator) and climbed to the 8th floor. There, we simply walked into the company's area by tailgating an employee after he came back from the restroom. Simple.
Morning chaos is usually a good time to tailgate someone and sneak into your target. Each company has its own morning chaos time, a little recon can show you when it's the best time to try this.
The trick is to appear as if you belong. Wear the right clothing, have a fake badge that looks the part (again, recon will help you with this, take pictures of actual badges), be on the phone with a customer and just walk right in.
Once you are inside try to get to the network and begin your digital recon.
JS and I managed to get inside our target a while back. This was one of those projects where everything works and you just have it.
Some time ago, we had one of those really fun projects. In this project the target was the CISO (Chief Information Security Officer). His boss was concerned that he was too open and wanted to see whether we could extract information from him.
CISOs are public figures, especially on large corporations. Because of this, there is a lot of open source information available. LinkedIn, Facebook and other social media sites provide a really detailed picture of the target.
After about a week we had pictures, personal information, and other useful tidbits of information relevant to our project. The main piece of information was that he owned an Android phone.
It happened once. It happened again.
While we were visiting several customers in Europe, we went to visit one of our customers that always requests for deeper and better assessments on their networks and plans. A large multinational corporation, last year we managed to get their marketing plans after blending in with their marketing staff.
This year, the security director asked us to try to penetrate the Board of Director's meeting. Like last year, blending in proved to be a good tactic.
Sometimes you are in the middle of a recon for a physical assessment and you find a way in, right there on the spot. Do you exploit this vulnerability or just note it for later?
I say go for it.
This was the case a few weeks back. We were performing an on-site recon: we would walk the perimeter and try to go inside the target building and learn as much as we could from atmostpherics and their security measures in place.
After about 40 minutes of roaming inside and outside the building, dressed as business people with a suit and a tie and a cellphone that never left our ears, we thought we had the site main security features, entrances, location of the targets and other details sketched, when I noticed that the service elevator on the far end of the 1st floor had the door open and no one was using it.
A few years back we performed a routine follow-up after a full Red Team assessment. The assessment was stuck after 3 days. Our customer really took our report and suggestions to make their security tighter to the letter.
We were unable to find a way in via their public facing networks. On the physical side, the recon showed us that their guards and general security posture were also upgraded. During the 3 days phyical recon, we observed they put in place not only our suggestions but also hired an expert to make sure their security was tight. It was good to see this.
However, now we had a challenge and since we don't like to give an empty report to the customer...