As a red teamer, I have the distinct privilege of dealing with some of the most exciting security challenges. There’s never a dull moment. Every time I think it can’t get any better, I run into something that I’ve never encountered before.
This is one of those stories – an experience that has had a profound impact on me. It is hacking the way I had never thought of before.
It starts back in the day when I was a consultant hacker in the US of A and was relentlessly jumping from state to state. I had built somewhat of a reputation in a niche doing internal pen tests, which meant I was traveling a lot.
After racking up nearly 230 days of travel that year, I was jaded and had asked my boss for some much-needed downtime. For a couple of days, I wanted to sleep somewhere that was not a hotel room.
The day I didn’t know everything would change
I was just hanging out at the office, catching up on the industry and pending reports, when the bossman walked up to me – he had this way, where he’d stroll up to your desk and say:
“Hey, you got a minute?”
Whenever I had been at the receiving end of this question, it had always been followed up with something interesting.
“Sure, boss, what’s up?” I asked.
“A client has just reached out to me. Interesting work. You up for it?”
“I’ll take that as a rhetorical question, boss.”
“Well, this company has an office in a business complex shared with many others. A couple of weeks ago, one of the other companies in the complex had an incident. They caught a random person walking around their office premises. They’ve asked if we can do something similar, as a test.”
It couldn’t be that easy, so I asked, “You mean, I go to their office and just stroll around?”
“Well, it’s not that simple. We’ve worked out a scenario and a goal. The client has sanctioned a laptop and labeled it. They have a section in their office that’s only partially occupied. That’s where they’ll place it in one of the empty cubicles.”
“Ok.”
“You’ll have to break into the office and steal the laptop.”
“Ok.”
“You also have to get into the laptop, connect to their network, and get domain admin access. Once you get the access, take the laptop and walk out of the premises.”
“…”
“That’s it.”
After an awkwardly long but understandable pause, I attempted to sum up the ask to make sure I had got it right.
“So let me get this straight. You need me to get into the business complex, get on an elevator, find the floor where the company is located, get through their access-controlled doors, find a labeled laptop in a partially occupied section, plug it into a power source, break into it, spend hours hunting for domain admin, do all of this without getting caught, and then just walk out of there with the laptop?”
“Yep.”
“That sounds crazy, boss.”
“It is.”
“Really crazy.”
“I know.”
“Who’s working with me on this?” I asked, looking at the empty seats of my on-the-road colleagues.
“You’re it.”
“How much time do I have?”
“Well, on paper, you’ve got two weeks. Based on my experience, however, you pretty much only have one shot to execute your plan, unless you are really, really lucky.”
Planning the job
I spent the rest of that day talking to seniors on the team who had prior experience with similar assignments. The common thread in all of those conversations was to never underestimate the value of thorough reconnaissance. I would understand the real meaning of their advice later that week.
The stuff that happens in movies makes it look so easy, but recon is a tedious job. Though I did motivate myself by thinking of this mission as breaking into the Ministry of Magic with Harry, Ron, and Hermione to steal a Horcrux.
Internet recon
I looked for anything and everything that could be interesting or valuable on the internet first. In fact, I spent 16 hours just doing internet recon.
- I figured out that the office was on two consecutive floors, and I didn’t know which one the laptop would be on.
- I pulled all information I could from social media about the employees. To this day, I remember the names of some of the people that worked there.
- I looked through job postings, especially the security ones, to see if there were any clues about their security stack.
- I looked for the building management website, fire safety plans – anything that could give me the layout of the building.
- I scoped out their web infrastructure to identify some targets beforehand, just in case the regular stuff didn’t work when it was time to execute the hack.
- I had BackTrack Linux on a pen drive so I could break into the laptop. Also, I was praying for no disk encryption.
I felt I had found everything I could, but ultimately I had to get out of the comfort of my chair and go out into the real world.
Physical recon
The building was located in a busy business district. It had about 23 floors. Lots of foot traffic in the morning, lunchtime, and the end of the day. There was a coffee shop a block away, where people would walk to in groups to grab a cup of joe.
I had learned to recognize the logo of the company, and every so often, I’d see people from the company walking along with their entry badges attached to their belts or strung around their necks. I also noticed a few people wearing visitor badges (“V”).
I considered cloning one of the badges, which would mean I would have to get real close to a target. Somehow, the thought of doing that made me want to run away and lock myself in a house somewhere in the icy isolation of Nova Scotia. So, I decided to designate that Plan B.
It was a creepy experience, but I managed to get a picture of both of those badges by zooming in with the phone cam. I went back to the office and got replicas created.
I scoped out the lobby of the building. There were lots of people sitting on couches and chairs laid out, so I fit right in. One thing that made me really happy – No turnstiles.
I confirmed from the directory that I had the right floors for the company. I eavesdropped on conversations at the information desk, and thankfully, it seemed like just that, an information desk. There was no one checking the badges, but there was a security guard.
I didn’t want to hang around for too long and get on the guard’s radar. I managed to sit there for about 30 minutes, taking in as much information as I could.
And then I left. Big mistake. You see, I’d missed scoping out the elevator itself. I just didn’t think it was important enough, and that was poor judgment. I didn’t even consider going up to the floor, fearing that the receptionist would notice me. I would later pay dearly for this mistake.
The Plan
I put all the information I had gathered together. Finally, after running several scenarios in my head, one of which included applying for a job at the company, I decided to keep it simple. I would just walk into the building at around 9:30 am, when the traffic was just about dwindling, and tailgate someone. I had seen the fire escape plan, but that didn’t tell me where the cubicles were. I would have to just wing it from that point on until I got hold of the laptop. Then I’d find myself an empty conference room, get connected, and blitz through the network. I was the most confident about this part. If someone were to ask me questions, I’d just say I was waiting for a meeting to start.
The night before, I couldn’t sleep. The following day would be one of only 4 times in my life that I got into the office at 6:30 am of my own accord. I just wanted to be in a comfort zone, have a chat with the bossman, and grab my favorite coffee from the cafeteria.
At around 8:45 am, I walked into his office.
“Boss, it’s time.”
“Nice. Good luck. Do you have a copy of the letter?”
“What letter?”
“The letter that says this is an authorized activity in case you get caught. Unless you want to be rugby tackled.”
“No, I don’t have the letter.”
“Just shared it with you. Take a printout. Keep it with you in your pocket. Not in your bag.”
That letter. The best way I can describe that letter is that it was not one you should read if you need confidence. It had the details of the assignment, who authorized it, phone numbers, blah blah. But I was fixated on one sentence – ‘Do not attempt to detain or physically subdue the person in possession of this letter.’
“Physically subdue? Boss, is this a possibility?”
“No. Because you won’t get caught.”
“Thanks, Boss.”
It was showtime.
Phase 1: Access
Everyone has a plan until they get punched in the face. And I got punched pretty early.
Remember the elevator? The one I hadn’t scoped out? Turns out, the floors I needed access to were restricted. The employee badges were configured to give access to the floor. My fake badge was as good as paper.
I rode the elevator back to the lobby and calmed my nerves by grabbing a cup of coffee. I ended up buying 4 of them. I decided to go with the old “Hands full, can you help me with the floor, please?” trick.
I got back into the elevator carrying the 4 coffees when the second problem I hadn’t anticipated unfolded – no one riding the elevator with me was going to the floor I wanted.
I think I was in the elevator for at least 15 minutes, but it felt like years. Writing this reminds me of the nervousness, uncertainty, and fear I was feeling. And I was really, really nervous. I suddenly became very, very aware of the camera in the elevator. Imagine being a security guard monitoring the camera, watching a dude with 4 coffees ride up and down in the elevator multiple times. I was running a risk, but I couldn’t get myself to think of another plan. Tailgating was still the best option.
And finally, on probably the 8th iteration, someone walked in and hit the floor that I had to get off on. The dude walked out, and I almost spilled the coffee while sticking my feet between the closing doors to get out.
Almost immediately, I noticed that there was no receptionist on the floor. The dude had opened the access-controlled door, turned into the hallway, and was out of sight. I sprinted towards the closing door, propped it open again with my leg, and got in.
I had made it.
Phase 2: The Hunt
I was now the random dude walking around the office. Once in, I had to take photos to prove that I was actually on the premises. I had ditched the coffee because my hands were shaking. I was relieved and also mortified that I had made it this far. I took a bunch of photos, but thanks to the fact that I was so full of adrenaline, nearly all of them were grainy. I would later present those photos in the report I shared with the customer where I told them: “You now have a record of the exact time and location I almost wet myself.”
A few minutes later, I ran into a lady in the hallway.
“Can I help you with something?”
“Could you point me in the direction of the restroom?”
“Down the hall, to the right.”
“Thanks!”
I scoped out the floor and found the space with the mostly empty cubicles. It was easy to spot the labeled laptop. For a moment there, I felt relieved – finally, a situation that wasn’t a curveball.
Phase 3: Persist
I couldn’t find an empty conference room, but I did find the coffee room with a printer and two ports. I would later connect the laptop and also get an IP. It was still only 10:55 am. I had gotten this far in under 90 minutes.
I had decided I’d pretend to be the guy troubleshooting the printer if anyone asked.
For the duration I was there, I built up tremendous amounts of confidence. I even had a chat with a couple of folks, exchanging niceties about the weather and what a pain printer technology was.
My friends, the rest of the story is about how I owned a domain while standing in a coffee room pretending to troubleshoot a printer.
Phase 4: Escalate and exfiltrate
Listen, in those days, it wasn’t that difficult.
There was no MITRE ATT&CK, security awareness was just building up, and stopping threats at the perimeter (or at least trying to) was where the money was being made. No one cared about internal detection. In most cases, you could run an Nmap scan with 1000 ports and aggressive OS guessing, and you would still not be detected. There was minimal awareness about Active Directory attacks and why shared local admin passwords were a bad thing. You could even authenticate using null sessions and didn’t need domain credentials to enumerate the network.
But there was also no Mimikatz, no BloodHound, and no PowerShell. Windows XP and 7 were the most prevalent systems. I don’t even think there was Kali. It used to be BackTrack.
The laptop wasn’t encrypted. That was normal in 2011-12. It was also the days of LM hashes, the less secure version of current-day NTLM. If you got an LM hash, you could crack 8-character passwords of any complexity thanks to rainbow tables.
I booted BackTrack on the laptop, obtained and cracked the local admin password, and was able to log in. I could have zeroed out the password too, but this was cooler. Another objective was achieved.
I loaded my favorite tool of the time, SQLPing. It would look for SQL servers and could even be used for password guessing. It searched the master browser for SQL servers.
I popped about 5 SQL 2003 servers with sa/{blank} combinations.
I used xp_cmdshell and gsecdump to get hashes from memory, SAM, and LSA secrets.
LSA secrets had a clear-text password for a sqladmin account.
I verified the group membership of the sqladmin account. It was a domain admin.
A quick “net use” to the admin$ share of the domain controller confirmed my access as did the secondary verification using “runas”.
Screenshots. Closed the laptop. Shoved it into my bag. And walked right out without getting caught.
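The chain above rested on three configuration weaknesses that are still worth auditing today: a SQL login with a blank password, xp_cmdshell enabled, and the SQL service running as a domain admin whose password therefore sat in LSA secrets on the host. The T-SQL audit below is an added example, not part of the original story or its tooling, and assumes a current SQL Server (2008 R2 SP1 or later for sys.dm_server_services) rather than the 2011-era servers described.

```sql
-- Added defender-side audit for the weaknesses this attack chain relied on.
-- Assumes SQL Server 2008 R2 SP1 or later; not part of the original post.

-- 1. SQL logins that accept an empty password (the sa/{blank} case).
SELECT name,
       is_disabled,
       CASE WHEN PWDCOMPARE('', password_hash) = 1 THEN 'BLANK' ELSE 'ok' END AS password_state
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR name = 'sa';

-- 2. xp_cmdshell: value_in_use = 1 means any sysadmin login can run OS commands
--    on the host, which is how the credential dump was possible.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 3. Service accounts: Windows stores their passwords in LSA secrets, so a
--    domain admin here (the sqladmin finding) hands over the whole domain.
--    Fix is on the AD side: a low-privilege or managed service account.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- Remediation for 1 and 2, to run after review:
ALTER LOGIN sa WITH PASSWORD = '<strong-password-placeholder>';  -- placeholder value
ALTER LOGIN sa DISABLE;
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```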
Learnings
- Recon is everything.
- Internal visibility is critical for both physical and network security.
- Real-life hacking is scary AF.
- Persistence, confidence, and a healthy fear of failure can make for really solid red teamers.