Pentesting via a CV

This is from one of the PT pages that I like to read.  The actual link is at the bottom of the page.  AWESOME JOB!!


THE WAY OF THE CV - PART 1

A few years back we performed a routine follow-up after a full Red Team assessment. The assessment was stuck after 3 days. Our customer really took our report and suggestions to make their security tighter to the letter.

We were unable to find a way in via their public facing networks. On the physical side, the recon showed us that their guards and general security posture were also upgraded. During the 3 days of physical recon, we observed they put in place not only our suggestions but also hired an expert to make sure their security was tight. It was good to see this.

However, now we had a challenge and since we don't like to give an empty report to the customer...

After several days of debating and trying to figure a way in with the information we had, we decided that we were being played by our own minds. We knew the networks and systems. We knew the physical security. Not anymore. Everything changed, but we kept on trying to hit the same systems and the same patterns of physical security.

We needed to stop. We needed to approach this as if this was the first time we did the assessment, on a new customer. We switched our heads and now we went into full Plan, Execute and Vanish mode.

We divided the team into two. One would recon the digital footprint of the company, while the other would focus on the physical aspects of the project. The idea was that after a week of work we would get back into our TOC and present to the other team the findings. This way each team could get feedback from the other team on things that people might have missed.
After this, we usually verify the findings: someone from the other team checks to see if the finding is something we can use. It's good policy and saved us a lot of pain in the past.

I was part of the digital recon team.

After a couple of days of searching, we found an ad that the company placed on a well known forum searching for an engineer. The ad listed the requirements and where to go to upload the CV (resume).
A little poking around the website showed us that they were vulnerable to a bunch of simple IIS exploits. One of them allowed us to see the directory listings of the uploaded files.
Yes... Now we could see every uploaded resume, cover letter and... The HR department's notes on each candidate. Yes...
This would be a good finding to show the customer. And even though this website was not on their network, the fact that personal, private information of candidates and potential employees of the company was exposed was really bad. It would be sufficient to make anyone go crazy. Yet, we wanted to go all the way in.

We searched the notes and we compiled a bunch of those that had more potential. Then we crafted our legend. We prepared a cover letter and resume that would stand out, or at least give us a chance to get into the company for a first interview. We created John Smith. We used one of our oldest customers to help us. The director of security would pose as John Smith's former manager in case we needed to provide credentials.

Then we uploaded it.

In the meantime, the physical team kept on digging for a good physical approach. They observed atmospherics, patterns of activity around the building, guards' patterns, etc. They did this during the day and night. They discovered that the guards still get a bit overwhelmed when there is a rush of employees arriving first thing in the morning. We could leverage this to sneak in. We still had a fake badge we made for the last project. It was something to consider.

But first we all wanted to see if we could get "legally" inside the building. It was more fun this way.

Ten days later John Smith had a call from HR. After a short and very convincing conversation, we had our first interview for the following week. We were in.
Now we needed to figure our plan of action.

After some time planning and a few days after our job phone interview, we decided we would attack this from all fronts.
The physical team would support the digital team.

The idea was that John Smith would bring his girlfriend with him and while he was being interviewed, she would wait for him. The plan called for her to try to hook a wireless router to any hot ethernet outlet in the company. Then the digital team would connect to the wireless signal from outside and try to find a way into their network. She would have the fake badge with her, in case someone saw her walking in the building.

We performed several dry runs where we tested the range of the wireless router and signal, the different ways to hook and hide it, different techniques for tailgating and using our fake badge to our advantage.

The interview day came and we were ready.

John Smith arrived at the target with his girlfriend. Both dressed sharp in business attire. Both looking very professional.
At the front desk, the security guard asked for credentials and of course we had them. John Smith mentioned that his girlfriend was here as well because of a meeting taking place next door after the interview. The guard asked her for a driving license and handed her a "Visitor" badge as well.

Security issue number one: if she doesn't need to be inside the building she can wait in the reception area under the careful watch of the guards.

The guard told them what elevator to take and what floor to go to.

Security issue number two: leaving them alone without any escort.

Once they reached the floor the guys split. John's girlfriend switched her "Visitor" badge for the fake one we did on the previous assessment and she acted like she was another employee. She belonged in this place. Walking with purpose, as if she knew where she was going, she searched for an empty office or cubicle. After about 10 minutes and no luck (most empty cubes had cold outlets) she headed for the stairs and went down one floor. Down there it was developers' land. The doors leading from the stairs to the office space didn't need a badge to be opened, so she just walked in.

Security issue number three: people can wander via the stairs.

Once there it took her about 5 minutes to find a "visitor's" cube with a hot ethernet connection and close to a window (so the signal could reach the street). She plugged in the wireless access point, checked with her iPad to see that the network was up and walked back up one floor where she would wait for John Smith. She sent a text message to the guys in the car outside that the wireless router was ready.

Security issue number four: any new and unknown device being plugged into the network should send an alarm to the security guys.

John Smith, in the meantime, was acing the interview. So much that he was offered the position at the end of the interview. He politely said that he needed to review the offer and walked away with his girlfriend.
They both returned their visitor's badges and walked out of the building.

The digital team in the car connected to the wireless using an old but still very useful wardriving antenna and began trying to move inside the network. The target's network was set to DHCP, so the router was assigned an internal IP address and became part of the network.

Security issue number five: unknown devices should not be assigned an IP or be allowed to connect in any way to the network.
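As an added example (not from the original post) of the alarm security issues four and five call for, the script below parses ISC dhcpd-style syslog lines and flags any lease granted to a MAC address that is not in the asset inventory; the log lines and the inventory are constructed sample data.

```python
"""Flag DHCP leases handed out to devices that are not in the asset inventory.

Added example, not part of the original post. It parses ISC dhcpd's DHCPACK
syslog format and reports every client MAC missing from an allowlist, which is
the alert that should have fired when the rogue access point drew an address.
"""
import re
from dataclasses import dataclass

# Constructed sample syslog lines in ISC dhcpd's DHCPACK/DHCPREQUEST format.
SAMPLE_LOG = """\
Mar  3 08:41:02 dhcp1 dhcpd: DHCPACK on 10.20.4.17 to 00:1a:2b:3c:4d:5e (WS-FIN-017) via eth1
Mar  3 08:41:09 dhcp1 dhcpd: DHCPACK on 10.20.4.22 to 00:1a:2b:3c:4d:61 (WS-FIN-022) via eth1
Mar  3 08:52:44 dhcp1 dhcpd: DHCPACK on 10.20.5.88 to f8:1a:67:aa:bb:cc (WIFI-ROUTER) via eth1
Mar  3 08:53:01 dhcp1 dhcpd: DHCPREQUEST for 10.20.4.17 from 00:1a:2b:3c:4d:5e via eth1
"""

# Constructed inventory: the MAC addresses IT has actually issued.
KNOWN_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:61"}

# DHCPACK line: "DHCPACK on <ip> to <mac> (<hostname>) via <iface>"; hostname is optional.
ACK_RE = re.compile(
    r"dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    iface: str

def parse_leases(log_text):
    """Return one Lease per DHCPACK line; other dhcpd messages are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]))
    return leases

def unknown_clients(leases, known_macs):
    """Leases whose MAC is not in the inventory; each one should raise an alert."""
    known = {mac.lower() for mac in known_macs}
    return [lease for lease in leases if lease.mac not in known]

if __name__ == "__main__":
    for lease in unknown_clients(parse_leases(SAMPLE_LOG), KNOWN_MACS):
        print(f"ALERT: unknown device {lease.mac} ({lease.hostname or 'no hostname'}) "
              f"was given {lease.ip} via {lease.iface}")
```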

The network was segmented, that we knew, we recommended that. However, after some playing around for a few hours, we managed to capture a bunch of user credentials. We used them to move around and scan the network. We discovered that by default the administrative shares were still open (we pointed to them last time; administrative shares are C$, D$, ADMIN$, etc.). These shares were configured in such a way that anyone with a domain user could use them. So, using our captured credentials we moved even deeper into the users' systems and copied documents, mails, and other good stuff.
We also placed a backdoor that would allow us to connect to the network from our office.

Our job was done. Total time: a little over 9 hours. Not bad.

The next days were spent exfiltrating information.

Security issue number six: Data being exfiltrated didn't set any alarms on their monitoring center.

The following week I called our contact in the company and explained what we did. She was not happy.

http://redteams.net/blog/2014/the-way-of-the-cv-part-2