Late last year, the Triskele Labs team embarked on a large penetration test with a new client, testing approximately 15 of their web apps. We wrapped up this testing (this blog post is not about the multiple issues we found even though they had been 'tested' before, that's for another blog post) and moved on to the final part of the assessment, the social engineering included in the engagement.
We started with our normal approach. Targeted phishing to approximately ten employees we scraped through Hunter using a commercial SMTP server on a Tuesday afternoon with a targeted and well-crafted campaign. Strangely enough, no opens. For a company of 250 people, this is quite odd and after a few days, we still had no bites.
Back to the drawing board with the red team and we decided on a larger campaign, scraping all user details from LinkedIn. Still possible even though this ability was 'shut down' a few years ago. So using the commercial SMTP server on a Friday afternoon, we sent a campaign that has not failed to date. Until this time. Still no opens... Ok, seems the SMTP server is blocked. Serves us right for suggesting SPF, DKIM and DMARC during pen testing and the client actually listening!
OK, what now. Well, let's spend the time setting up our own SMTP infra. So, the team goes fourth setting up postfix and dovecot in a hosting provider (who will remain nameless) who still allows 25 outbound and doesn't throttle mail, unlike AWS.
After setting this up, we go on to send a campaign with a burner domain based loosely on an MS domain. Launch the campaign and this time we can see through our logs that we are getting blocked. Surely, it's because of the MS reference. Take 2 with a Dropbox campaign. Still thwarted! This client really has spent the time to configure O365 properly, remember there are hundreds of config settings!
So we move to the part we were trying to avoid. Physical testing. Now, we love physical testing and have only been unsuccessful once of about 50 tests and that was a very secure Data Centre. So why didn't we want to do this office located in inner-city Melbourne? Let me tell you, this two-level standalone office has access control via HID swipe cards down-stairs, a locked access control door to the car park out the back and a permanently manned reception upstairs. Not an easy task by any means.
So, Manish and I head out to the office with the plan to grab a coffee at the coffee shop around the corner and keep an eye out for an employee. Heading towards the office, it is 3 pm on a Monday and we loiter for twenty minutes without any success. Ok, new plan. We walk upstairs in an attempt to blag it past reception. As we head upstairs, we clock the previously unseen cameras. As we head downstairs to regroup outside, a very friendly team member of the client was heading out downstairs. Thinking we were colleagues; she gleefully held the door open to let us in. Bingo, mission 1 success.
Upon entering, we could feel eyes on us. So, we followed the same game plan as always, head straight for a meeting room. After finding a free room, we connected to the network. IP address success (thanks DHCP) and after a few lookups, we had found the domain controller. Fortunately, we had conducted internal pen testing a few months earlier and the client fixed responder issues.
As our mission was to get access and connect, we decided not to progress further. Now we had succeeded, we went for broke heading upstairs as if we were noticed, we had already been in the office for an hour, connected and scanned without a peep. Heading upstairs, the door was again held open. This time not so bad as the door is unlocked as reception is right behind however, it allows us to breeze right past reception and into the open-plan office. Another success!
Now this is the tricky part, walk around a full office of 100+ people, looking for passwords and sitting down at locked machines not getting caught. Well, 5 laps later and sitting at several machines taking photos and no questions were asked. Being 'on the phone' helps.
Our mission was a great success both upstairs and down. Connecting our machines and sitting at client machines. We are 100% confident we could have connected some minipwners for persistent access, but this was out of scope.
So, what are the key takeaways here?
1) Information Security still exists! It is not just about cybersecurity.
2) I don't think we can say this enough, your people are your biggest risk! We can bypass physical controls and it's up to your people to help. Remember, people process and technology.
3) Monitoring helps. Know what is on your network. If a new machine pops up, you should be aware.
4) Put monitoring in place. If someone is scanning your network from inside looking for your DC, you should know.
This was our second compromise of the last week through bypassing physical controls so not just a fluke. Give us a test, we have some really fun new toys to try out!
