Wednesday, September 5, 2007

My First Physical

After years of trying, I finally got onto a security project that included physical penetration testing. I'll readily admit that I romanticized the whole idea of it - how can you not get excited about being allowed to break into a company's offices and hack their network like a real intruder? I was going to do some real social engineering, maybe even some James Bond-esque stuff to get in. That or I was going to get caught on the spot, spoil our testing, and be the well-deserved subject of ridicule among my coworkers.

So it seems perversely appropriate that after days of nervous, meticulous planning, executing the whole test took a mere few minutes and was absurdly simple:

Walked into the lobby and loitered around for a while, pretending to be on the phone...

Tailgated behind someone through a badge-access door...

Wandered around the office floor, walking with "purpose" until an open cubicle was found...

Plugged into the network, hit our target servers, collected evidence. Done and out in no time.


All that build-up for nothing - but at least it was a success! Then we got in the same way three more times, at different offices altogether, to really prove our point and demonstrate that our first compromise had not been a fluke. It was really no challenge at all - no one ever questioned me or my teammate, even when we spent half an hour stealing a printer's network connection while pretending to repair it in a copy-room.

Easy or not, it was still a huge rush to pull off the attack without a hitch. The human element of security fails yet again. But in all fairness, who wants to be the jerk who says "Hey, I'm closing the door on you, you need to badge in!"

It's a good thing we didn't have to attempt one of our more absurd cover stories. One idea was to pretend we were air quality inspectors working for the office building's management company, and needed to walk the halls with our "equipment" to test some carbon monoxide levels. It seemed like a good idea at the time - hell, maybe it would have worked.

I guess I should also mention how the two of us spent a half hour in a locked, private men's bathroom at one of the client's offices, trying to crack a wireless access point's encryption key. It was the only publicly accessible, inconspicuous place where we could get a usable signal worth a damn. Needless to say, we exited the bathroom ten minutes apart, and very carefully. Definitely wouldn't have wanted to talk my way out of getting caught in that situation.

2 Comments:

Anonymous said...

Getting physical in the bathroom? :D Anyway, why didn't you just walk into the office, pull a hard drive out of a computer, go back to base, and take the data off it ;D

November 15, 2007 7:22 AM

Ryan said...

Besides being against our rules-of-engagement, that really wouldn't prove much. The point is to show that you can get into the facility, access the internal network, and compromise their core servers and applications. Getting a random workstation's hard drive isn't going to be very useful.

A more reasonable alternative would be to just sneak a wireless access point (pre-configured to be extremely secure) into the building, disguise it in something, and hook it into the network. But that wasn't our objective for this project.

November 15, 2007 8:15 PM
