Search

Pentest story: Red Alert

This story summarizes a Red Team operation we performed for one of our customers this year.

The goal was to simulate an external threat in order to access a specific internal application, without being detected nor blocked by their internal security team. To do so, multiple intrusion vectors could be used. 

Phone probing 

After finding the press office phone number (often exposed), the team called numbers following the same format, during non-working hours, looking for voicemail boxes such as “you have reached the voicemail of <name/surname>, please leave a message”. 

Analysis  

Once a few names were gathered, an investigation has been performed on each identified person, in order to define the most adapted scenario. 

Social Engineering 

A calling platform has been used to spoof source telephone numbers. The reception desk has been called by spoofing the employee’s phone number, telling them that two “consultants” will be arriving in the morning and claiming that he/she will not be able to pick them up because of some problem: “Could you please make them two badges? They came in the past, they know the house”. 

Deploying the backdoor 

Once in, with a badge, an exploration of the premises has led to a room that seems perfect for hiding a physical implant. 

Once the implant has been connected to the network behind a printer, Wi-Fi access was provided to the team waiting in a car outside, allowing them to access the internal network.  

Exploit the realm 

A few low–hanging fruits later, a valid user account allowed exploiting a misconfiguration on the domain controller to retrieve local admins accounts clear text password. A few jumps later, the Domain Admin account was compromised. 

Access the data 

The main goal was to have an authenticated access to a thick client used by some employees. After identifying people who have access to the application, in-depth searches were carried out on their computers. This allowed direct access to the thick client while the employee was having lunch. 

De-faulty security 3

Lessons learned 

Many lessons could be learned from that story: 

  • Train employees against Social Engineering 
  • Have a robust and strict procedure before allowing any person to enter the premises 
  • Enforce Network Access Controls (NAC
  • Perform network segmentation and filtering 
  • Harden the configuration of servers, workstations, and Active Directory 
  • Never, ever store clear text passwords! 

This story is part of the 2021 edition of the Security Navigator.

Download Security Navigator

Incident Response Hotline

Facing cyber incidents right now?

Contact our 24/7/365 world wide service incident response hotline.

CSIRT