We spend two days camped out in your parking lot. We monitor the milkman, waterman, pizza delivery guys, and those security guards you have working from 6 p.m. to 6 a.m.
We get our gear ready: our lock picks, bump keys, slim set, card readers, and clone devices. We have more electronics packed into four USB keys and two laptops than is in most damn data centers.
We have Kali, YARD Sticks, HackRF’s AirNG, Katana, Samurai locked, loaded and ready to deploy. We have Spybots and all sorts of nasty and nefarious programs ready to crack, break, and pry open your innermost secrets.
We are in fact READY!
We’ve plotted the strategy, and we execute according to plan. We’ve managed to “follow” an unsuspecting individual in through the side door. (NEVER shall this country ban smoking, for it will be the undoing of an entire branch of Information Security Penetration Testing!)
We’re in. We look like a cross between a ninja and a geek on a 25-mile hike with all of our equipment—poised and ready to deploy.
We find a nice quiet spot in a corner of an office and begin. Plugged into the network, your poor port is wide open to abuse and we are happy to oblige and quickly accept the DHCP assigned internal IP address.
Yay, score one for the bad guys! DHCP server is in the same chunk of the network as the rest of the servers, systems, and all things good that go beep in the night and keep your company running.
All this late-night work, training, gym time, and experience with dark and nefarious things is paying off. We pat ourselves on the back and chug another can of toxic, carbonated red stuff.
What’s this? A switch! A nice juicy switch, the keys to the kingdom, the source of all things virtual and data related. Silently cursing that we’ve found it—knowing it’s the storage fabric switch and will be guarded by lights, traps, and three-headed dogs answering to Cerberus—we note it and prepare to move on to a Windows server or something equally mundane to crack. However, what’s this?
Our switch has port 80 open, and is asking me for a login ID/PW. The fiends, I curse! How dare they tempt me! How dare they provoke me with something that will be 20 characters long and impossible to guess! You can see where this is going, can’t you?
Dejected, we bash the keyboard a few times with some random acts of violence, and the field pre-fill decides to interrupt and puts “administrator” in one field and “pass” in the other. Cursing Firefox, we go to close the browser but are interrupted by an applet loading. What’s this, we ponder, another fiendish device mocking my pathetic attempts to break in? No! Score two for the bad guys; we own the aforementioned juicy switch.
Thinking it’s a mistake we try it again, and again, and then again for a third time. Yep, works and we are in. We own the infrastructure, the systems and the data. Hmm, this poses a problem. We’re sitting here with our picks, probes, and all things that go tick in the night and we haven’t used them. Our SANS “Hacking Everything” course laid to waste, and the rest of the night off as we’ve planted a flag and can go have a coffee.
We get up, bashing our head against the cupboard. We ponder as we pack up all our tools and toys, and realize that for all our technology, all our training, and all our methodologies, we’ve been defeated by a default ID and password.
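The two findings in the story are a management interface reachable over cleartext HTTP from an ordinary office port, and a factory default account still live on it. Either one shows up in the switch’s own login log if anyone is watching it. The following is an added example, not code from the original post: a small defender-side checker that reads constructed syslog-style web-login events and flags successful logins that use cleartext HTTP, use a default account name, or come from outside an assumed management subnet. The log format, the subnet 10.99.0.0/24, the account-name list and the sample lines are all constructed for illustration and must be adapted to your own devices.

```python
"""Flag risky management-plane logins in switch web-login events.

Added example, not from the original post. The log line format, the
management subnet, the default-account list and the sample events are
constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed event format:
#   <ts> <device> web-login user=<u> src=<ip> proto=<http|https> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) web-login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) proto=(?P<proto>https?) result=(?P<result>ok|fail)$"
)

# Assumed management subnet; only hosts here should ever reach the web UI.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")

# Account names that commonly ship as factory defaults. A successful login
# with one of these means the default account was never renamed or disabled.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "manager"}


@dataclass
class Finding:
    device: str
    user: str
    src: str
    reasons: Tuple[str, ...]


def assess(line: str) -> Optional[Finding]:
    """Return a Finding for a successful login that breaks a rule, else None."""
    m = LOG_RE.match(line)
    if not m or m["result"] != "ok":
        return None  # not a login event, or a failed attempt (tracked elsewhere)

    reasons = []
    if m["proto"] == "http":
        reasons.append("cleartext-http")       # credentials crossed the wire in the clear
    if m["user"].lower() in DEFAULT_ACCOUNTS:
        reasons.append("default-account")      # factory account still active
    try:
        if ipaddress.ip_address(m["src"]) not in MGMT_NET:
            reasons.append("outside-mgmt-net")  # web UI reachable from a user segment
    except ValueError:
        reasons.append("unparsable-src")

    if not reasons:
        return None
    return Finding(m["device"], m["user"], m["src"], tuple(reasons))


def findings(lines: List[str]) -> List[Finding]:
    """Run assess() over a batch of log lines and keep only the hits."""
    return [f for f in map(assess, lines) if f is not None]


# Constructed sample events: a failed then successful default-account login
# over HTTP from an office subnet, a clean HTTPS login from the management
# subnet, and a named user logging in over HTTP from the management subnet.
SAMPLE = [
    "2024-01-01T23:14:00 san-sw01 web-login user=administrator src=10.20.5.77 proto=http result=fail",
    "2024-01-01T23:14:02 san-sw01 web-login user=administrator src=10.20.5.77 proto=http result=ok",
    "2024-01-01T08:00:10 san-sw01 web-login user=jsmith src=10.99.0.15 proto=https result=ok",
    "2024-01-01T09:12:44 core-sw02 web-login user=netops src=10.99.0.20 proto=http result=ok",
]

if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f"{f.device}: user={f.user} src={f.src} -> {', '.join(f.reasons)}")
```

The first successful event trips all three rules at once, which is exactly the situation in the story; the last one shows that a named user on the right subnet still gets flagged while HTTP remains enabled. Failed attempts are deliberately skipped here so the output stays focused on what actually got in; a separate threshold on repeated failures belongs in the same pipeline.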
We are going to go back in our cupboard. We’ll replace the “break glass in case of emergency” and wait until the overall levels of competency have risen beyond the defaults.
This is NO ONE SINGLE assessment in particular. No one particular company can look at this and go, "heck, that's me... damn them!" However, many companies we have worked with will see some similarities, and some whom we have NOT worked with might think about this and hopefully will internalize it and review their own practices. It's intended as a learning piece, and one that's light-hearted and (hopefully) a little educational. Our aim is to learn from the assessments we perform, and to pass that knowledge on to others—sometimes in this forum, sometimes in presentations, and ALWAYS in how we approach new assignments.