All in Red Teams
You have two types of prospective customers in the world of Red Teams: those that believe they need help and are willing to invest in proper security and testing, and those that believe their security is the best, but since testing is required by their oversight they will hire a security consultant to try to find security vulnerabilities.
The former are easy to work with and easy to convince when it comes to the need to perform different tests, including physical penetration tests, social engineering and other less traditional tests. The latter... Well, those take some convincing.
I can present hard data on why their security is lacking, but they are so confident that their security is good that they won't listen. In these cases I have to show them first hand. I would usually ask for permission to try to penetrate their building/network, but sometimes...
This particular customer I had to convince authorized me to, and I quote: "try to bypass my security guards, I dare you...".
One project I was involved in early on was testing the customer's digital quick reaction force (QRF). This group of security and IT professionals was supposed to be at the ready in cases where the organization's networks or systems were being compromised.
So we set to work. We needed to find a way into their networks. Usually the best way in would be a social engineering attack, where we would send the target an email with a weaponized document or a link to a site with code that could exploit different vulnerabilities in their browsers. This time, however, we also wanted to see how good their security hardening practices were, how their perimeter was set up and whether they were monitoring the different network devices at all.
After a short scan of their public facing IP range we found a server with a vulnerable version of IIS (the Microsoft web server software). A little digging around on different hacking forums gave us several exploits we could try.
First we ran an exploit we developed that would set off some alarms. It wasn't going to give us access, but it would make IIS dump a lot of weird logs. We randomly inserted messages to be logged hinting that we were attacking the server. We even added a contact email address and phone number. After 24 hours of attacking it, no one had contacted us. We moved to phase 2.
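The point of that first phase is that the noise was sitting in the IIS logs and nobody was reading them. As an added example (not code from the post, and not the exploit the author describes), here is the kind of check a QRF could run over its web server logs to catch exactly that: a parser for IIS W3C extended log lines driven by the `#Fields:` header, a per-client error ratio, and a few per-request rules, including one that flags contact details (an email address or phone number) embedded in a request, which is precisely what the post's taunting messages would have looked like. The log lines, the client addresses and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed IIS W3C-style log sample (not from the post). 203.0.113.9 plays
# the noisy tester described in the post; 10.0.0.x are ordinary users.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)",
    "2024-01-01 10:00:01 10.0.0.5 GET /index.htm - 200 Mozilla/5.0",
    "2024-01-01 10:00:02 10.0.0.5 GET /products.asp id=5 200 Mozilla/5.0",
    "2024-01-01 10:00:03 10.0.0.7 GET /about.htm - 200 Mozilla/5.0",
    "2024-01-01 10:00:09 10.0.0.7 GET /missing.htm - 404 Mozilla/5.0",
    "2024-01-01 10:01:00 203.0.113.9 GET /..%255c../private/config - 500 scanner/1.0",
    "2024-01-01 10:01:01 203.0.113.9 GET /iisadmin/ - 404 scanner/1.0",
    "2024-01-01 10:01:02 203.0.113.9 GET /test.asp a=" + "A" * 300 + " 500 scanner/1.0",
    "2024-01-01 10:01:03 203.0.113.9 GET /default.asp msg=this_is_a_test_call_redteam@example.com 500 scanner/1.0",
])

# Email address or phone-number-like digit run inside a request.
CONTACT_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+|\+?\d[\d ()-]{7,}\d")
MAX_QUERY_LEN = 200   # assumed threshold for this example
MIN_REQUESTS = 3      # don't judge a client on one or two hits
ERROR_RATIO = 0.5     # at least half of a client's requests failing is odd


def parse_iis_log(text):
    """Yield one dict per request, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip it
        yield dict(zip(fields, values))


def request_reasons(rec):
    """Return the reasons a single request looks like probing or taunting."""
    reasons = []
    target = rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]
    if ".." in rec["cs-uri-stem"]:
        reasons.append("path traversal")
    if "%25" in target:
        reasons.append("double-encoded characters")
    if len(rec["cs-uri-query"]) > MAX_QUERY_LEN:
        reasons.append("oversized query string")
    if CONTACT_RE.search(target):
        reasons.append("contact details in request")
    return reasons


def analyze_iis_log(text):
    """Summarise per-client error ratios and individually suspicious requests."""
    per_client = defaultdict(lambda: {"requests": 0, "errors": 0})
    flagged = []
    for rec in parse_iis_log(text):
        stats = per_client[rec["c-ip"]]
        stats["requests"] += 1
        if int(rec["sc-status"]) >= 400:
            stats["errors"] += 1
        reasons = request_reasons(rec)
        if reasons:
            flagged.append({"client": rec["c-ip"], "uri": rec["cs-uri-stem"],
                            "reasons": reasons})
    suspicious = {
        ip: s for ip, s in per_client.items()
        if s["requests"] >= MIN_REQUESTS and s["errors"] / s["requests"] >= ERROR_RATIO
    }
    return {"suspicious_clients": suspicious, "flagged_requests": flagged}


if __name__ == "__main__":
    report = analyze_iis_log(SAMPLE_LOG)
    for ip, s in report["suspicious_clients"].items():
        print(f"{ip}: {s['errors']}/{s['requests']} requests failed")
    for f in report["flagged_requests"]:
        print(f"{f['client']} {f['uri']}: {', '.join(f['reasons'])}")
```

The per-client ratio is what would have caught a day of failed requests from one address even if none of the individual rules matched; the contact-details rule is deliberately crude, because a message written to be found does not need a clever signature, it needs someone to look.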
Some time ago, while I was helping a law enforcement agency track a wanted mobster boss, I came across the computer of one of his trusted people. He and I were connected to the same insecure wireless network at a cafe. After some scanning and running several little exploits I managed to get a shell on his Windows XP machine.
Initially I thought the laptop was one of those burn computers: use once and discard, so I was hesitant to leave any backdoor there. However, he was the only lead we had to the boss, so I installed one.
The backdoor would try to connect to a server I had ready and send an "I'm alive" signal via an HTTP GET injected into any application connected to the internet. The idea was to use the app that was already connected as a conduit and try to remain hidden that way.
I wasn't sure if it would work because the more I searched the laptop, the more I thought this was a burn computer. My hope, though, was that this guy would eventually connect to a network where either the boss was connected or that we could find data belonging to the organization; maybe this last part would help us find the boss.
For several weeks my listening server didn't get any signals. Then, when I was about to shut down the server, I had one.
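The check-in described above rides inside an application that is already talking to the internet, so its user agent and destination look like ordinary traffic. What that trick does not hide is timing: an "I'm alive" signal fired on a schedule produces near-identical gaps between requests to one host. As an added example (not code from the post, and not the author's backdoor or listener), here is a defender-side detector that groups proxy log entries by client and destination host and flags pairs whose inter-arrival times are too regular to be a human. The log format, the addresses, the host names and the thresholds are constructed for this example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: time, client, method, destination host, path, user agent.
# Not taken from the post. 10.0.0.23 checks in to one host roughly every 300 s
# while also browsing normally; 10.0.0.24 only browses.
SAMPLE_PROXY_LOG = """\
2024-01-01T09:00:00 10.0.0.23 GET news.example.org /top.html Mozilla/5.0
2024-01-01T09:00:05 10.0.0.23 GET cdn.example.net /alive Mozilla/5.0
2024-01-01T09:02:10 10.0.0.24 GET news.example.org /top.html Mozilla/5.0
2024-01-01T09:05:05 10.0.0.23 GET cdn.example.net /alive Mozilla/5.0
2024-01-01T09:07:42 10.0.0.23 GET shop.example.com /cart Mozilla/5.0
2024-01-01T09:10:06 10.0.0.23 GET cdn.example.net /alive Mozilla/5.0
2024-01-01T09:11:00 10.0.0.24 GET shop.example.com /cart Mozilla/5.0
2024-01-01T09:15:04 10.0.0.23 GET cdn.example.net /alive Mozilla/5.0
2024-01-01T09:16:30 10.0.0.24 GET news.example.org /sports.html Mozilla/5.0
2024-01-01T09:20:05 10.0.0.23 GET cdn.example.net /alive Mozilla/5.0
2024-01-01T09:25:05 10.0.0.23 GET cdn.example.net /alive Mozilla/5.0
2024-01-01T09:27:00 10.0.0.24 GET news.example.org /top.html Mozilla/5.0
"""


def parse_proxy_log(text):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines
        yield datetime.fromisoformat(parts[0]), parts[1], parts[3]


def find_beacons(text, min_events=4, max_cv=0.1):
    """Flag (client, host) pairs whose request intervals are unusually regular.

    min_events and max_cv are assumed thresholds: at least min_events requests,
    and a coefficient of variation (stdev / mean of the gaps) below max_cv.
    """
    seen = defaultdict(list)
    for ts, client, host in parse_proxy_log(text):
        seen[(client, host)].append(ts)

    beacons = []
    for (client, host), times in seen.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all requests in the same second; not a schedule
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"client": client, "host": host, "events": len(times),
                            "mean_interval": mean, "cv": cv})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{b['client']} -> {b['host']}: {b['events']} requests, "
              f"every ~{b['mean_interval']:.0f}s (cv={b['cv']:.3f})")
```

The user agent is deliberately ignored, because in the scenario above it would match a legitimate application. Real check-ins often add jitter to defeat exactly this kind of test, so in practice the `max_cv` threshold is tuned against the organisation's own baseline rather than fixed at 0.1, and the same grouping can be repeated on request size or path to add a second signal.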