Day 2

The fourth site was forewarned.

This was okay, as I was supposed to get caught; this wasn’t intended to be a successful engagement but instead a test of their emergency/crisis response system that everyone had just been trained in.

I tried to look as conspicuous as possible so as to seem disarming, but they were on high alert. I had come prepared; the hotel’s print/fax multi-function printer was broken and producing garbled print jobs, but I made a Letter of Authorization just in case something went wrong. Which, of course, it did. When I was asked to “come back in 15 minutes,” I knew the game was up, but it was still salvageable.

Driving around the neighborhood, I spotted a cruiser parked near the back entrance that I should have used in the first place, and I expected to be led out in handcuffs before the day was through. Instead, I walked back in, gleaming smile, clipboard in hand, writing down names and looking as official as possible. Moments later, I was in a vice president’s office, being chastised by the police for “scaring the poor bank manager” as they looked over the Letter of Authorization I had printed.

At that point, the manager was called in and told I was an auditor, and I handed over the Chief Auditor’s card, which I had taken off his desk; it was promptly handed back to me. I then asked if I could make a call to let them know about the incident and shooed everyone out of the room, which they gladly did.

This left me with two possibilities: do I call this done, or… I took out my netbook and plugged it into the outlet, which had privileged access because it was a Vice President’s office, and plugged a second system into the SCTP network via the VoIP phone. This allowed me to connect through their local network to each of the other three network scanners and print out the results from the office I was in. Just for giggles, I also mapped the printer subnet and grabbed some examples from a little printer/CUPS filesystem mounted with FUSE on top.

Finally, with reams of evidence in hand, I walked out, thanked them with a handshake each, and left through the employee entrance. As I walked out, I was told, “You can’t get out that way. You need the PIN code.” I entered the one from the first three buildings and walked out, thanking them for their time.

Lessons learned?

When interviewed afterwards, the first three sites were unaware that anything untoward had been going on. It wasn’t until the slip with the unscheduled maintenance that the situation was revealed and all of the sites were alerted. From a defensive perspective, the communications channels were exemplary once the detection had been made. This emphasizes that prevention is nice, but detection is imperative if an attacker is going to be stopped: three sites were fully compromised without noticing, yet a single detection at the fourth put every site on alert.