A day in the life of a Pen Tester: how our Test Team infiltrated a client’s network
Posted on 13 Aug 2019 by Charles Worrell
As a pen tester, I’m only as good as the tools at my disposal, the team by my side, and the handy skills in my back pocket. When it came time to conduct a Red Team Assessment, my team and I needed to combine all our special skill sets to test our client’s defenses.
The first thing we needed to do was to understand the client’s Internet footprint. This understanding would provide valuable intelligence for the rest of the engagement. We quickly identified network ranges and email addresses. We also visited Facebook, LinkedIn and other publicly accessible external data sources to see if we could find information that would help us gain access to the client’s network. Facebook actually showed a picture of an employee wearing an employee badge, giving our team an opportunity to recreate the look and feel of employee badges before we set foot on the premises.
As we continued to probe for information, we were careful not to trip any detection method the client might have set up. Avoiding detection meant avoiding any type of vulnerability scanning and most automated tools, except for the most common ones that organizations see on a regular basis.
External penetration test
The next step was to use the information we gained through reconnaissance and identify potential targets for exploitation. We set up three different compromise attempts to phish for company information. See our three phishing campaigns described in this case study.
Next up: physical entry to the building. If we got in, the team was ready to run an attack on the internal network.
How did we physically infiltrate the building and network?
The infographic below (our Pen Testing Case Study Infographic for Financial Services) shows each step we took to gain physical access to the client’s network and how we launched a social engineering attack on premises.
Step 1: Tailgate an Employee
- The path of least resistance was the stairwell because it wasn’t actively monitored. After an initial survey of the premises, our team left and came back several hours later to tailgate an employee via the stairwell.
Step 2: Find a Room and Start Testing
- After locating an open conference room, we continued network intrusion attempts and discovered sensitive network infrastructure information. We were able to compromise internal file shares and gain access to sensitive information while remaining undetected.
Step 3: Remain Undetected
- When a security guard approached us, we said we were waiting for a co-worker. The guard let us go without checking our badges or asking for any identification.
Step 4: Access the Network
- Our team went to another floor to gain network access. We achieved some elevated access but didn’t have the permissions to dump plaintext credentials. We made one last attempt to import a command and control script – but once it was discovered by the client’s SOC team, we closed our testing attempts.
Despite our limited success, access was tough to gain
We give the client credit: they didn’t have vulnerable external devices and network services that we could easily exploit from the Internet. They made it tough for us to gain access to their network.
Still, we were able to gain entry to the client’s internal network by using a convincing remote social engineering campaign and spear phishing a very small targeted set of users. Moreover, we were also able to gain access to their internal network on a second occasion by physically compromising one of their facilities.