Earlier in the year I was doing some freelance security work for a friend of mine who runs a small IT consultancy business. He doesn’t really specialise in security, but when the needs arises he usually gives me a call and I can do some work for him.
This story is about a pentest I performed for him. I am not the most technically skilled hacker out there. I think I am just good at utilising the technical skills I have with my creativity. The customer in this story had the worst security i’ve seen in my whole career. The events that unfold are pretty rare and you’d be hard pushed to find any pentest as easy as this.
Obviously names have been sanitised for legal reasons. I also wish I had screen shots for this one. But at the time of the test I wasn’t thinking this would make for a good story. Boy was I wrong! A lot of legal and boring aspects have been discarded from this post and I have left the most juicy parts to make it a more entertaining read. All of this is true.
So I got a call from my friend one day, asking if I wanted some easy work. I was in the middle of a big network project at work so didn’t have much extra time to spare, but he promised it should only be a day or two over the weekend. So I agreed.
This is a pretty small consultancy and I was contracted on and off to be ‘the security specialist’ when a client arose asking for that particular skill set.
Meet AdvertisingX. AdvertisingX is a mid-sized Sydney based Ad Agency. They have 4 branch offices around Australia, Sydney being the head (There are A LOT of Ad agencies in Sydney). The CEO (lets call her Sally), called my friend’s consultancy looking for someone who could perform an IT security audit of the company. The reason for this is that one of the Desktop Support guys had complained to the CEO that he thinks the IT manager isn’t doing his job as well as he should. Desktop Support guy explained that the majority of his days are spent cleaning Spyware out of people’s browsers, disinfecting their PCs from viruses and sitting in the lab re-imaging machines because some sort of Malware has rendered the machine useless. Desktop Support guy had complained to his manager but got no where. “We have a centralised anti-virus solution and a checkpoint firewall, there is nothing to be worried about, our security is fine” was the response that Desktop Support guy would get.
Sally had no idea what the day to day grind of the IT department actually was but what she heard had made her concerned. And I can see why. I have been in-house IT before where there have been no proper security policies and management. Things get really painful, especially if you’re the Desktop Support guy.
My friend had a meeting with Sally and organised an audit (much to the reluctance of the IT manager). I hadn’t been called in at this point. My friend went in to the office, sat down with the IT team and got all the required information he needed and got to work checking out their infrastructure. I was working that day so he had to fill in for me. I spoke to him over the phone on what he needs to look out for as what I had heard from Desktop Support guy, I have seen before. “Check what servers they are running, how their AV is set up, what firewall rules they have, what other network devices or security they have. Check patch management. How accounts get distributed. How their domain is set up etc” – I told him.
I will try and spare as much boring audit details as possible here because I want to share the experience I had with AdvertisingX which I think is more entertaining than the long list of gaping holes which my friend found on site. But for a quick pre-game run down. They were running McAfee EPO on a central server in Sydney. It was set to push updates to secondary EPO servers at the branch offices and from their push out AV updates. But it turns out that EPO in Sydney was set to download updates from the McAfee site on a high port number. This port was not opened on the outbound firewall rule. And the way EPO was set up there was no logging or notifications. Someone had set this up (incorrectly) and assumed it worked. The mind boggles. So every PC in the company (roughly 300) had not had Anti Virus updates for a year and a half. Not only that, it was discovered that there was no Patch Management. This was a Windows environment, and there was no distribution of patches, and to make it worse, each PC was set to ‘download windows updates but ask me before installing’. Do you think staff would click yes to updates? I think not. And the desktop images were not even standardised. Every 20 or so PCs had a different configuration and set up. The worst thing was also that the company was running Internet Explorer 6 on the majority of workstations, and each staff member had local administer rights on their PC! It was a complete mess. So suffice to say it was not hard to get in to this network from the outside. And suffice to say that the report handed over to Sally at the end of the audit was enough to make her fire the IT manager. But I think there was some more entertaining things in that report, which I will get to momentarily.
Media and Advertising agencies are funny creatures. I have had a lot of experience with these. You can have two types, you can have the bigger agencies which are governed by SOX, and relatively controlled and secure (if they stay compliant), and then you have the smaller private companies which are an open slather of security risks. The reason for this lies with the culture of the industry. Advertising and Media agencies pride themselves on being not only glamorous and professional, but also casual and fun. People rock up to work wearing tshirts and sandals. You see people drinking beer around the office at any given time on any given day. People playing and sharing music out of their computers. Downloading games or goatse like images to send around their group of colleagues. It is a fun environment to work in… unless you are the security guy.
So my friend called me up and told me the situation. He had already done and internal audit, and with his findings I started probing around from the outside. I didn’t want to use the stale ‘scan the permitter-find sploits-then sploit’ technique which is tried and true. I wanted to try a more social aspect because this was shortly after the Aurora exploit had come out and I thought I’d give it a try.
It didn’t take me long to find the Managing Director’s PA on Facebook after looking around the company website and finding out her name. I was also looking for the CEO’s PA but that didn’t turn up any usable results. So I picked this one. (If you recall, the Google Hack was instigated using a similar technique).
I also looked around on the AdvertisingX’s list of clients and who was the individual account managers for them. Media and Ad Agencies love showing off their work. They pride themselves on it. I took a list of account manager’s names and searched for them in Facebook. Only 2 from the 9 managers did not have profiles from what I could see. (The other 7 may not have even been the managers in question, I don’t know – but it’s not relevant at this point because the 2 names which came up blank are all I need to go on)
So I picked one at random, and created a Facebook profile using her name. Let’s call her Mindy. I just set her profile to private with no information and sent a friend request to the PA with a message “Hey! I thought I’d join the club and finally get on Facebook”.
Within 30 minutes I got an email notification informing me that me and the Personal Assistant were now friends. Yay.. I have a new friend! (Goes to show how much work must have been getting done in that office!)
Now that I had her trust, I set up a Metasploit session on of my Lab PC and configured the Aurora exploit to listen for any incoming connections on localhost:80/AdXparty09 with a reverseTCP shell. I created a NAT rule on my router to make sure that any port 80 traffic (which I had configured for Aurora) would translate to my Metasploit box.
I logged in to Facebook as Mindy and started typing up a private message.
“Hi PA, how’s your day going?
Hey do you know anything about these pictures on the Intranet from the Xmas party?
(I could have tried masking this link, but I have trust in the lack of security awareness of a Personal Assistant, and especially considering a known colleague within her company was asking her something relevant to both of them)
I went to make a coffee, and by the time I got back to my desk, I saw an active session in Metasploit. Too easy. It really was. So much for the IT managers whiz-bang Checkpoint.
I checked my Facebook messages and saw a response.
“Hey yeah day’s not so bad. Just waiting till 5!
Ummm the link doesn’t work. What pictures are you talking about?”
I didn’t want to raise too much suspicion and have my cover blown just yet so I replied
“Oh sorry never mind. I was trying to get some copies and I saw you were in a few. It’s ok I figured out how to download them!”
Ok so that should give me some time without PA phoning up Mindy asking why she sent her a strange Facebook message.
I hopped onto Metasploit and connected to PA’s PC. I ran the DIR command and was going through what files she had stored locally. It turns out these staff also seem to store all of their work locally and not on the network. Tisk Tisk! Add that to a long laundry list of things wrong with this IT infrastructure.
Using some past experience and common sense, I assume that with most PA’s are always logging into their bosses emails for them (for a variety of reasons). So I was crossing my fingers that she would have saved the password somewhere. And yep, she did.
C:\Documents and Settings\PA\Desktop\HarryPass.doc
I am pretty much laughing to myself at this point. I haven’t seen such a lapse in security for a long time. I had a look around and surprise surprise, I also found HER login password. I don’t even have to bind a Metasploit keylogger to her winlogon service. Again, too easy.
I hopped onto my other PC and did some DNS scans of their domain. Domain Transfers were off which I was happy to see for them, it was hosted by a third party however, so I can’t give any credit to them for that little nugget of security.
Analysing the results of DNSbrute I found OWA.AdX.com.au. (This is the Outlook Web Access service for those who don’t know. It allows web access to your emails while out of the office. Usually running on an un-patched IIS server, I might add).
I logged in to their webmail as PA to see if the password she had written down still worked. It was dated 2 years ago. Yep… it worked.
I logged in as the Managing Director (Harry) to see if his password was valid. Yep, it was. (Looks like someone managing IT wasn’t aware of strong password schemes)
I started to sift through the emails to see if there was any juicy data I could use for my report. Account numbers or client details would be preferred. You always have to find the most sensitive or damaging company information to present to a company so they are disturbed and shocked enough to actually change their security policies.
I didn’t find too much in Harry’s email. Just a lot of meeting requests and lunches (I think I am in the wrong profession, wish I could go out on boozy lunches all day every day).
So I went to PA’s email to have a look around. After sifting through a pile of Facebook alerts (come on guys… you’re are making this painful) I found a bunch of emails from different staff members. Subjects were “Guest List for AdvertisingX Launch Party”. I had a look at these emails and went through her sent items and discovered that AdvertisingX was actually hosting some type of event at their offices the following week. PA was responsible for the RSVP and was taking down names from the company managers of who they wanted on their guest lists for the night. I thought about this for a second and a light bulb flickered on over my head so hard I almost had a seizure.
I called up my friend who was actually controlling this audit and asked him to clarify what Sally had asked of the audit. “Anything goes right? You have that in writing? She wants to see how deep the rabbit hole can go?”. And she did.
I logged back in to Harry’s email account and checked his calendar. He was actually in the office today but had a late lunch appointment. I went into his Outlook rules and created a rule stating.
Reply fro: PA
Rule: Permanently Delete
I turned this rule on. I went through his sent items and found the email he had previously sent PA with a list of people he wanted on the door for this party. I forwaded this back to PA with an addition.
Subject: FW: Guest List for AdvertisingX Launch Party
Sorry, I forgot to add someone to the list.
I sent the email. And deleted it from Harry’ sent items.
I waited for a while and logged back in to PA’s. I saw my email had been read. I checked her sent items and saw a reply.
“Yep not a problem. Added.”
Excellent! I am feeling pretty Jame’s Bondish at this point.
I logged back in to Harry’s and take off the rule before PA sends him any other emails. I am pretty sure there will be no further discussion regarding this one last addition.
Fast forward 2 weeks when I have completed all my remote infiltration and tests. I have collated my report with all of the security vulnerabilities and snippets from emails and documents. I even managed to FGDump the SAM database of their Windows Server 03 Domain Controller. JTR cracked over 75% of these in 2 hours (no need for Rainbow Tables even). I even managed to get access to the CEO (Sally’s) Vaio laptop and discovered she had an SD Card in the slot. I copied these images over to my computer and planned to include one in my report…. Until I discovered mid way through that It was not a good idea. Moving on…
My report is done. And it is thick. I have given it to my friend who includes it to the official report and takes it to meet with Sally. After 45 minutes of their meeting they get to the end of the report where there is a single A4 sized picture. It is a picture of me, having a beer, with the clueless IT manager (yes, I found him at the party). Thanks AdvertisingX – was a good night :). I was trying to prove a point that due to careless security, so easily someone can infiltrate your most personal of assets, and having physical access to roam around INSIDE AdvertisingX having beers and food with people… not good! I made a note indicating that they are lucky I was a ‘good guy’… imagine if an attacker had free roam inside your office. If that doesn’t hit close to home in a way management can understand, I don’t know what will.
There has been some discussion lately about pen-testing companies not performing client-side attacks. General consensus is because most organisations know they will fail these tests and they can seem unfair to un-willing staff. Also, it is pretty hard to measure effective security controls on a living asset (human staff member). Where are the rules and guidelines?
A company can still pass auditing and compliance regulations by not testing their staff on common social engineering attacks (which essentially this is – just taken into web2.0), but we all know that this is a real security threat to companies. The majority of attacks and break-ins are able to be pulled off thanks to the user sitting inside the company, regardless of if the user is aware of it or not.
In this case I told above, I wasn’t working for a security firm. It was an independant audit. And the customer got what they wanted, they found weaknesses which should be addressed. No 0-days were used to attack the client, the Aurora patch should have been patched atleast a month before the audit, considering it’s publicity.
The outcome? Updated internet usage policies regarding new social networking platforms and user education and awareness training. That user education also applies to the IT team who needed to be more dilligent in patch management.