Strange But True Penetration-Testing Stories

Published: 22/11/2024   Category: security




Hacker gets kudos from his financial services victim, and in-house security cameras go rogue and steal users' credentials



A long-forgotten PBX field-technician user account at a well-fortified Fortune 500 financial services firm was all it took for penetration testers to set up shop and wait for their moment to get into the otherwise well-secured network.
The firm had locked down the old Siemens Rolm PBX's administrative password, but it had overlooked the even more powerful field-technician account.
"The organization looked like it had good processes, strong security on the perimeter, some controls internally," says Rob Havelt, director of penetration testing for Trustwave SpiderLabs, who worked on the engagement for the financial services firm.
Havelt says he and his team used the forgotten account, which still had an old default password, to get in and clone the firm's help-desk voicemail box. The field-technician account is even more potent than an admin account, he says: "You can use it to make yourself the admin, for example."
A PBX might not seem a lucrative target, but the cloned help-desk voicemail box didn't take long to pay off: "One day during testing, we got a voicemail from a user on the road whose VPN access wasn't working," Havelt says. "It just so happens that in a previous life, I was a certified Check Point instructor, and they were using a Check Point VPN. I knew exactly the problem and how to fix it, so I called him back."
Havelt got the user to read out his username and his two-factor authentication token code (a one-time code is no protection once the user hands it to the attacker in real time), then logged in as the user and fixed his VPN connection. "The guy was none the wiser," he says. "And then we ran roughshod over the internal network."
If hacking via PBX isn't odd enough these days, the victimized user's response to Havelt's help was: "The funny thing about that one was that as we were doing our debriefing, their help-desk manager got an email he couldn't figure out that was in praise of one of their technicians ... how he had gotten back with the user after hours and fixed [his VPN problem]," says Havelt, who will share this and other weird pen-test experiences his team has had in his "Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests" presentation at SecTor in Toronto.
All it took for this unusual chain was finding a weak link in a rarely used account, setting up the help-desk voicemail box that intercepted the VPN user's call, and socially engineering his credentials out of him. "Having this guy's credentials led to us owning their AD domain," Havelt says. "That led to accessing HR, finance, wealth-management transfers, and other sensitive information."
In another odd pen-test engagement -- this one at a major manufacturing company -- Havelt and his team exploited an authentication bypass weakness in the company's network of hidden security cameras.
"They had this network of hidden security cameras set up everywhere internally. For some inexplicable reason, they were Internet-accessible," he says, most likely so their feeds could be viewed remotely.
The SpiderLabs team discovered a zero-day flaw in the camera software itself that let them bypass authentication and reach the roughly 20 cameras spread around the facility. About half of the cameras were pointed at workstations: "As we logged into the camera, we zoomed into the keyboards and watched when people logged in and were able to harvest valid credentials that way," Havelt says. "And then we used them externally to get in [the network]."
"You don't think of your own security cameras being used that way," he says. It's better either to give the cameras no Internet access at all or, at the least, to reach them only through a VPN, he says.
It's often the little, seemingly benign things left unattended -- a PBX or an Internet-exposed camera -- that leave an organization open to attack, Havelt says. "It's a recurring theme: You leave a default account, a default password. It might not seem like a big deal but can [become one] rapidly." If you give anyone any level of access, they will find another hole and potentially do serious damage, according to Havelt.
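The lesson Havelt draws, a built-in account left enabled with a stale default password, is an auditable condition. What follows is an added example, not code from the article or from Trustwave SpiderLabs, that reviews a device-account export offline for exactly the two conditions the stories turn on: a vendor built-in account that is enabled, effectively privileged and not on an approved-owner list, and an enabled account nobody has used in months. The export format, the device and account names, the list of vendor default account names and the approved-owner list are all constructed assumptions; a real audit would feed it the actual export from the PBX, the camera controller or the CMDB.

```python
# Added example (not from the article or Trustwave): offline audit of a
# device-account export for enabled built-in privileged accounts and stale
# accounts. All device names, account names, roles and dates are constructed.
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export, one row per account:
# device,account,role,enabled,last_login (ISO date or "never")
SAMPLE_EXPORT = """\
pbx-01,admin,admin,yes,2009-09-30
pbx-01,field,field-tech,yes,never
cam-07,root,admin,yes,2009-10-01
cam-07,viewer,readonly,yes,2009-10-02
vpn-gw,fwadmin,admin,yes,2009-10-02
vpn-gw,service,admin,no,never
"""

# Hypothetical list of account names vendors ship built in; in practice this
# comes from the vendor documentation for each device class.
KNOWN_DEFAULT_ACCOUNTS = {"admin", "root", "field", "service", "tech", "support"}

# Roles that are admin or can grant themselves admin. The field-technician
# role is listed deliberately: an account that can make itself admin must be
# reviewed as admin, whatever its label says.
PRIVILEGED_ROLES = {"admin", "field-tech"}

# Hypothetical approved owners of privileged accounts, keyed (device, account).
APPROVED_PRIVILEGED = {("pbx-01", "admin"), ("cam-07", "root"), ("vpn-gw", "fwadmin")}

STALE_AFTER = timedelta(days=180)


@dataclass(frozen=True)
class Finding:
    device: str
    account: str
    reason: str


def parse_export(text):
    """Parse the comma-separated export into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        device, account, role, enabled, last_login = [f.strip() for f in line.split(",")]
        rows.append({"device": device, "account": account, "role": role,
                     "enabled": enabled.lower() == "yes", "last_login": last_login})
    return rows


def audit(text, today):
    """Return findings for enabled accounts that are unapproved built-ins or stale."""
    findings = []
    for r in parse_export(text):
        if not r["enabled"]:
            continue  # a disabled built-in account is the desired state
        key = (r["device"], r["account"])
        if (r["account"] in KNOWN_DEFAULT_ACCOUNTS and r["role"] in PRIVILEGED_ROLES
                and key not in APPROVED_PRIVILEGED):
            findings.append(Finding(*key, "built-in privileged account not on the approved list"))
        if r["last_login"] == "never":
            findings.append(Finding(*key, "enabled but never used"))
        elif today - date.fromisoformat(r["last_login"]) > STALE_AFTER:
            findings.append(Finding(*key, f"enabled but unused for more than {STALE_AFTER.days} days"))
    return findings


def run_sample(today_iso="2009-10-05"):
    """Audit the constructed export as of the given review date."""
    return audit(SAMPLE_EXPORT, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.device}/{f.account}: {f.reason}")
```

On the constructed data the only account flagged is the PBX "field" account, once for being an unapproved built-in with an effectively privileged role and once for never having been used, which is the shape of the account in the first story. Classifying by effective privilege rather than by the word "admin" is the point of the role mapping: a review that only lists accounts named admin would have passed this PBX.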
