In this episode we did a bit of an Ocean’s Eleven move, but it was for a real client, which made it even cooler.
We were hired by a defense contractor who had been threatened, so we had to figure out how someone could get into their systems. We could do practically anything as long as it was not illegal.
Rules of engagement.
Pretexting was prohibited, which means we could not contact them at all. Also, no internet collaboration, which means we could not friend-request or message anyone who works there.
Goals of the red team effort
1. Gather internet intelligence. Everything we could dig up on the internet about the company.
2. Compromise the internet perimeter. They wanted us to do pen testing and other testing on their perimeter, which was extremely well protected.
3. Gather local intelligence. Talk with people in the neighborhood and just find out anything we could.
4. Compromise physical locations. Their locations were hidden in plain sight and not marked, so our client wanted us to find them.
We examined employee social networking sites, where we learned about the employees without a friend request, but we did not learn a lot. Intelligence tools were used to collect data. We looked at their resumes and documents so we could name-drop if need be.
1st Week of recon: Set up a meeting with a realtor.
We came up with a fake business with everything from business cards to letterheads. We contacted a realtor who had knowledge of the surrounding area. We asked her to give us a tour of the business buildings she had previously sold (our target), but the realtor said no, she could not.
2nd week of recon: Sent in a private investigator.
Our investigator was in the area for two weeks and checked out the bars and gyms. He learned that the employees were given everything they could need: food, alcohol, a futon for the office, entertainment, educational classes; they would even walk your dog and do your dry cleaning. The employees are at work all of the time and rarely leave. This makes the building incredibly difficult to infiltrate.
Findings: Little opportunity.
We decided to infiltrate the office, so we recreated the track jacket that they had, right down to the manufacturer. We decided that if we could plug in a Sheeva or “Pwn Plug” we would be smooth sailing. After we watched the building for a few days we saw deliveries happen every day. We could go in under the ruse of a delivery and try to skim the RFID card. When we did our delivery we had the uniform and the skimmer in the handheld computer, so we could scan their card and make our own, then come back later and get in. But it turns out they have a SkimSAFE reader, which is basically kryptonite to our skimmer. It is a case around their RFID card, so we could not scan it. We were shot down.
We noticed the deliveries were in hardened boxes with locks. We decided we would ship in a person to infiltrate the company. So, we made our own box with fake locks on the outside and a real lock on the inside that our guy could open to get out. We told the receptionist that the keys would be coming in a separate package because it was a classified container. Now, the real delivery guy showed up at the same time we did, which actually ended up validating us to the receptionist. After that we were smooth sailing and got our guy/box into the building.