Posted by Ace Hackman on July 23, 2012 (3 Comments)
One of the many challenges in this job is figuring out how to carry enough equipment without having to carry a backpack, messenger bag or briefcase. While bags of that sort fit a few attack scenarios, it's nice to have the choice. Sometimes you can get enough intel to take only what you need, but usually I find myself taking about twice as many devices as I really need in order to be prepared for most situations. Therefore, I was thrilled when I added the minipwner pentest drop box to my hacklebox. Even with the battery attached, it's thin enough to put in my pocket without looking out of place. That leaves plenty of room for my pwndrive, cell phone and other devices in other pockets, stuffed in my socks, etc.
As it turns out, the minipwner came in very handy on a recent pentest gig. The client was a law enforcement agency with multiple small locations spread over a wide geographic area. Due to some politics, I couldn't get my "get out of jail free" card until several days into the engagement. I could perform very little recon, and I wasn't about to get too close without it.
So, armed with my pwndrive, cell phone, minipwner, etc., I approached the "employee only" entrance to check the door. Just as I determined the door was locked, it suddenly opened. Was this an officer leaving and an opportunity to "reverse tailgate" them? No such luck. Apparently he had seen me standing outside the door and decided to let me in. Fortunately for me, he gave me a softball by asking, "Are you here for a meeting?" "Why, yes, I am," I replied and walked past him toward a conference room. After checking to make sure he wasn't following me, I darted around the corner and ducked into the men's restroom.
After taking stock of my situation, I decided to just roam around the office looking for an unused workstation in an isolated location that I could boot up with my pwndrive for some goodness. As fate would have it, this small location was made up mostly of cubicle areas, and there were people everywhere! After walking around for a little while, I had an idea. I found a random guy and asked him where the communication room was. I explained I was from the main office and needed to troubleshoot some communication issues we'd been having with the poponet application (OK, I made up that name). He led me to a cubicle, rummaged through a drawer, and pulled out a key. We then crossed the hall, and he opened a closet to reveal a Cisco 4500 series switch. Score!
After thanking him for his help, I took a close look at the switch as if I were diagnosing it: tracing cables, checking connections, etc. Finally, he got bored and told me to let him know if I needed more help. Once he left, I closed the door to the closet and plugged the minipwner into an empty switch port, with the battery attached. As soon as the minipwner finished booting up, I connected to it wirelessly with my phone. So far, so good!
After using ConnectBot to SSH into the minipwner, I confirmed with ifconfig that the Ethernet port had gotten a DHCP address from the network. One quick reverse SSH shell script later, the minipwner had connected to my C&C server on the internet. Persistent connectivity to their internal network!
Just as I finished hiding the minipwner on top of the rack, my helper opened the door to the closet. A few seconds slower and I would have been busted wide open. I looked at him and said, "Everything seems to check out in here. Do you have a workstation with poponet on it I can take a look at?" His response almost threw me for a loop. He said, "We don't use poponet in this building. Are you sure you're in the right location?" to which I replied that maybe I wasn't.
At this point, I told him I was going to go check my orders out in my car and call the main office. Of course, when I got to my car, I connected to my C&C server and nmap-scanned his internal subnet through the reverse SSH shell. It turned out that they had some weak password issues, so I pwned a few boxes across my connection for good measure (and took screenshots, of course) and then returned to the location. This time I came in through the front door, since people had seen me before, found my buddy, and told him I needed to check one last thing in the comm. room. He told me it was still unlocked, so I went in, retrieved my minipwner, and left.
Another day, another *agency* owned!