Industry: Financial Services
Solution Type: Black Box Penetration Test
Needs: For several years, this company had grown rapidly through organic efforts and via mergers and acquisitions. This rapid growth resulted in uncertain visibility into cybersecurity risk, increased spending on cybersecurity, and little insight into the return on investment for security controls and resources.
In an effort to fortify their technical and physical security controls, this Fortune 200 Financial Services firm wanted to set up a Black Box Penetration Test. This type of test is designed to simulate a real-life attack. It is a hacking simulation in which the testing team receives little to no information about the target, and the client being "hacked" typically has little to no knowledge of when the attack will take place. The testing team must "find" information themselves, using known techniques to gather information about their target. The client engaged TUV Rheinland OpenSky to conduct the Black Box Penetration Test because we have the technical range and experience to stealthily perform an assortment of tests, including foot-printing and reconnaissance, social engineering, wireless penetration testing, and gaining physical access to the building. Our team of expert testers uses security and cloud infrastructure skills to create non-traditional attack vectors.
Foot-Printing and Reconnaissance
The goal of this effort was to establish the overall Internet footprint of the organization and to define the scope of the rest of the engagement. Foot-printing and reconnaissance during the Black Box Penetration Test emphasized detection avoidance. TUV Rheinland OpenSky took steps to ensure that during the passive reconnaissance, little traffic was sent to the client. The exception to this is that our team did manually browse through many of the client’s internal web assets.
The goal of the remote social engineering and email phishing campaign was to model a popular method for attackers to gain entry into an organization. By using a spear-phishing campaign targeting a very small group of users, TUV Rheinland OpenSky was able to enter the client’s internal network.
- Compromise Attempt 1: The first wave of targeted emails was sent from an email server controlled by TUV Rheinland OpenSky to specific target employees. The email campaign showed a familiar page, geared towards the client’s specific environment, with a link that when clicked prompted for login credentials.
- Compromise Attempt 2: Another user was compromised through a similar email phishing method as described above. TUV Rheinland OpenSky testers looked for sensitive files on the user’s PC and found a file that contained encrypted passwords used to authenticate different devices on the network.
- Discovered: The client’s Security Operations Center (SOC) determined the user’s computer was compromised and dispatched personnel to quarantine and examine the computer.
- Compromise Attempt 3: After the client's security personnel discovered and blocked the first campaign, a second campaign was launched. The second campaign was similar to the first, but with changes to the configuration, and different users were targeted.
Wireless Penetration Testing
The purpose of Wireless Penetration Testing was to discover vulnerabilities and security weaknesses related to wireless networks. If those vulnerabilities were exploitable, the TUV Rheinland OpenSky team would execute different techniques to avoid detection while gaining access to the client’s internal network. TUV Rheinland OpenSky was approved to perform an “evil twin” wireless attack at a site different from the site where the physical penetration test took place.
Our TUV Rheinland OpenSky team requested and was approved to perform this attack from eateries located near our client's office. This "evil twin" attack works if employee mobile devices are not properly secured. If they are not, devices will send their saved WPA2-Enterprise credentials (hashed) to a rogue access point if the access point is configured to mimic the real WPA2-Enterprise network. On some device types (Android), this credential submission can happen without any user interaction. The attack was ultimately unsuccessful, indicating the resiliency of employee devices. In a second attempt to access the corporate network, or at least gain additional credentials, TUV Rheinland OpenSky set up an "evil twin" access point. Our team configured an access point that broadcast the same network name (SSID) as the real WiFi network, using a strong antenna.
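The reason the "evil twin" attack fails against a properly secured device is that the client profile validates the RADIUS server's certificate before it sends its (hashed) credentials. The following script is an added example, not code from TUV Rheinland OpenSky or from the original case study: it audits wpa_supplicant-style WPA2-Enterprise network blocks for the client-side settings that stop a device from authenticating to an access point that merely broadcasts the right SSID. The two network blocks are constructed samples; the directive names are real wpa_supplicant keys, but the SSIDs, identity, password and certificate paths are placeholders.

```python
"""Audit wpa_supplicant-style WPA2-Enterprise network blocks for the
client-side settings that make an "evil twin" credential grab fail.

Added example (not from TUV Rheinland OpenSky or the original case study).
The directive names are real wpa_supplicant keys; the SSIDs, identity,
password and paths below are constructed placeholders.
"""
import re

# Constructed sample config: a "weak" profile that will hand its MSCHAPv2
# hash to any AP broadcasting the SSID, and a "hardened" profile that pins
# the RADIUS server's CA and expected name.
SAMPLE_CONFIG = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpWiFi-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    anonymous_identity="anonymous"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.DOTALL)

def parse_blocks(text):
    """Return a list of dicts, one per network={...} block."""
    blocks = []
    for body in BLOCK_RE.findall(text):
        settings = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            # Split on the first '=' only; values such as phase2="auth=MSCHAPV2"
            # contain their own '='.
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip().strip('"')
        blocks.append(settings)
    return blocks

def audit_block(settings):
    """Return a list of findings; an empty list means the profile is acceptable."""
    findings = []
    if settings.get("key_mgmt") != "WPA-EAP":
        return findings  # only 802.1X (enterprise) profiles are in scope
    if "ca_cert" not in settings and "ca_path" not in settings:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(k in settings for k in
               ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")):
        findings.append("no server name pinning: a certificate from the same CA "
                        "issued to another host would pass")
    if settings.get("eap") in ("PEAP", "TTLS") and "anonymous_identity" not in settings:
        findings.append("no anonymous_identity: the real username is sent "
                        "in the cleartext outer identity")
    return findings

def audit_config(text):
    """Map each profile's SSID to its list of findings."""
    return {b.get("ssid", "?"): audit_block(b) for b in parse_blocks(text)}

if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{ssid}: {'OK' if not findings else 'WEAK'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the sample, the first profile is reported WEAK with three findings and the hardened profile passes; pointing the script at a real wpa_supplicant.conf gives a quick inventory of which enterprise profiles would trust a rogue access point. The same three properties (CA pinning, server name matching, and an anonymous outer identity) are what a managed Wi-Fi profile on Android, iOS or Windows should enforce, whatever the configuration format.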
Physical Access to Building
The purpose of the physical security penetration test was to review physical security controls at the client’s location to determine the best method of entry. If physical entry were gained, the goal was to conduct an attack on the internal client’s network.
Despite resistance, see how our team was able to maneuver past the defenses in this corporate environment:
Physical Testing to Access Building
- Testers observed employees entering and leaving the building, badge required, with security guards and security cameras.
- Neither the elevator nor the stairwell had security cameras or required badge access; security guards were present at the elevator.
- Testers left and came back several hours later, then tailgated an employee accessing the stairwell.
- After accessing the stairwell, no additional badge requirements were needed to access other floors.
- The testers located an open conference room.
- The large screen in the corner room offered concealment to continue network intrusion attempts.
- Testers were able to discover sensitive information regarding the client’s network infrastructure.
- A security guard approached the testers and asked what they were doing and whether they were waiting for someone.
- Testers explained that they were waiting for a (fictitious) co-worker.
- The security guard accepted this answer and did not check for badge information.
- Testing would likely have ended if the security guard had attempted to validate the testers' story or badges, but the security guard did not challenge our test team.
- Testers conducted a walkthrough of another floor and attempted network access again in another room.
- After several attempts, the testers achieved some elevated access, but they did not have the necessary permissions to dump plaintext credentials.
- While importing a command and control script, the OpenSky testers were alerted by an anti-virus detection message indicating that the script had been quarantined.
- The testers decided at this point to leave the building (now after 10 PM) and go back to their hotel.
At the end of the day
The testers observed that their command and control server was getting probed by what appeared to be the client’s SOC team. The testers shut down their C2 servers and closed testing.
The client's SOC discovered the network intrusion activities of the testers and dispatched personnel. By this time, though, the OpenSky testers had already left the building. Our testing team was able to remain undetected for three weeks, while previous security companies were detected within hours.
- As a result of this project, the customer now has nearly 20 information security findings that have been identified and rated through our proprietary risk rating and risk classification scale.
- Our testing team's successful phishing campaign exposed a control failure.
- Our team was able to gain access to the physical building and to sensitive networked data, which resulted in multiple actionable security findings.