This One Time on a Pen Test, Part 3: How Jumping a Fence and Donning a Disguise Helped Me Steal an Energy Company


Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is the third in a five-part series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our report, “Under the Hoodie 2018: Lessons from a Season of Penetration Testing.”

I was once part of a Red Team of three tasked with testing an energy company with three locations in three different cities. My assigned location was surrounded by an 8-foot barbed-wire fence that guarded most of its service vehicles and Cat (Caterpillar) heavy equipment.

I started by driving by the site on the first day of testing, watching people arrive for work and leave to get an idea of what sort of activity this location had. I went to dinner, and when I came back around 9 p.m., I realized there was a business next door that allowed for cover after hours. I decided to jump the fence and walk around the property in the shadows as much as I could. My goal was to avoid getting picked up by any cameras and getting caught.

As I began checking the commercial vehicles for unlocked doors, I found that one had a laptop on the armrest inside. I got excited, as I was thinking of all the possibilities for what I could do with a laptop if I got my hands on it. The vehicle’s locked doors stumped me for a while until I realized the quarter window was unlocked. I was able to push it open, unlock the truck, jump in, and grab the laptop.

I sat there for about five minutes waiting to see if anyone had spotted me. When nothing happened, I tried to get into the laptop but struggled because I didn’t have any tools on me. I made a call to my point of contact and asked for permission to take the laptop, which was granted. I then slid it under the fence, jumped over to my rental car, and headed to my hotel.

I worked on the laptop all night, getting past the login first with Kon-Boot and adding a local administrator user. Later, I mounted the hard drive with Kali, as the drive wasn’t encrypted. I pulled up the local admin hashes off the PC and set up some malware so that when the box was booted up, it would call back to me and give me access when it was on.

The next morning, I broke back in and returned the laptop before employees’ shifts started so no one would suspect anything. I got a local administrator shell, but it died before I could do anything with it. So, I had to go back the next day and do it again. Once more, I briefly got a shell I was unable to do anything with.

I decided to go to an office of theirs and attempt to see whether I could clone some RFID badges so I could use them to gain access to the facility without having to jump the fence every night. It turns out, the location I cloned badges from was a shared office, and I was unable to tell who or where the cloned badges I obtained came from. In the end, none of them worked at the location I had been given permission to test.

At this point, it was the second-to-last day of the assessment, and I didn’t have everything I wanted. So, I decided to do it again, but this time keep the laptop and use it to get into the corporate network. I got into a truck and put on a uniform someone had left inside. I used this uniform to walk around the property and gain access to more trucks. I figured that if I were seen on camera, I would look like a legitimate employee just doing some maintenance, and I could say as much if I were somehow found and questioned.

I also knew the laptop would now be reported stolen in the morning, which meant I didn’t have much time to work with, since they could have had a way to shut off access to it. I started taking a forensic clone of the system and decided to take a shower while it was cloning. When I came out, I saw the mouse cursor was moving and closing things! It became a fight for the mouse and keyboard at this time, and I ended up just disconnecting the network connection. I eventually got on the corporate network and gained local admin access on some other systems, which led to domain admin access. With that, I was able to do whatever I wanted on their network and systems.

That was fun.

Interested in learning more about how Rapid7 pen testers conduct their assessments? Check back next week for Part 4, which will cover a web application pen test, and review the other stories in our series below:

- This One Time on a Pen Test, Part 1: Curiosity Didn’t Kill the Cat—Honesty Did
- This One Time on a Pen Test, Part 2: How Just One Flaw Helped Us Beat the Unbeatable Network
