I arrived onsite at suite 102 -- the bank’s corporate headquarters -- around 9:40 am. I was impersonating a local utility worker, complete with a hard hat, clipboard, obnoxious yellow vest, and some old Timberland work boots. I played the part well.
When I approached the suite I saw a giant glass entrance into the main office of the bank with a secretary minding the entrance and questioning visitors. I also noticed employees were entering and exiting an unmarked door at the end of the hallway -- no cameras to be seen. I proceeded slowly past the main entrance and then ran to catch the secured door as it was closing behind an unsuspecting employee. I was in!
Once through that door, I casually walked further into the office looking for opportunity. All desks and offices were occupied, and I made eye contact with a number of employees while walking around without being questioned (it must have been my great outfit). I saw an empty office, slipped in, and deployed a small device under the desk that automatically connected back to a VPN server under my control. I left the suite and returned to the hotel to check connectivity -- in and out in about 10 minutes.
Upon arrival at the hotel, I confirmed connectivity and achieved remote access. A few minutes later, authentication hashes were captured off the network from the device and, voila, I had internal access and verified domain credentials to access the network like a typical employee.
With some lateral movement through the network, it was only a matter of time before I found domain admin credentials. Now I owned the bank’s corporate network. If that wasn’t enough, the bank has a branch down the street from me, so I decided to give them a chance to catch me there.
I arrived at the branch at around 12:30 pm impersonating a local food delivery driver. The food was prepaid, of course, so I just needed to drop it off. Initial conversations with internal staff at the entrance did not yield any access to the building. Great job by them.
I asked to use the restroom on the first floor and while there successfully dropped a USB drive. This was no ordinary drive, however, because it contained a single file -- a reverse shell macro-enabled Excel document titled Employee Bonus Plan.xlsm. That ought to get someone’s attention.
A final attempt to deliver the food was denied, and a local police officer was now stationed by the front door standing guard. Yikes. I took the food with me and exited the building. "Have a nice day, officer," I said, hoping someone would find the drive and open the file. In and out in 10 minutes.
Back at the office, after I enjoyed a few sandwiches from my "delivery", the payload executed! I saw the happy stream of data signaling that the Excel document had been opened on a user’s workstation and a Metasploit Meterpreter session was successfully established. This resulted in complete control of the user’s workstation.
Because the user had local administrator rights, persistence was established to maintain the connection through reboots. Now I had internal access at the branch and verified domain credentials to access the network like a typical employee. Combined with the access gained earlier at the corporate office, I also owned the branch network!
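The branch compromise above hinged on a macro-enabled Excel file spawning a command interpreter, which is a pattern endpoint telemetry can catch. The following is an added detection example, not code from the engagement or from Coalfire; it assumes Sysmon-style process-creation events (Event ID 1) already collected as JSON, and the sample events are constructed for illustration.

```python
from typing import Dict, List

# Office applications that should never spawn a command interpreter or script host.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Child processes typical of a macro stager (interpreters and living-off-the-land binaries).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def basename(path: str) -> str:
    """Normalize an image path to a lowercase executable name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_office_spawned_shells(events: List[Dict]) -> List[Dict]:
    """Return one alert per process-creation event where an Office app spawns a shell/LOLBin."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:  # Sysmon Event ID 1 = process creation
            continue
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            alerts.append({
                "host": ev.get("Computer"),
                "user": ev.get("User"),
                "parent": parent,
                "child": child,
                "cmdline": ev.get("CommandLine", ""),
            })
    return alerts


# Constructed sample telemetry (not real logs): one benign Excel child process,
# one Excel-spawned PowerShell matching the USB-drop macro scenario, and one
# non-Office shell that should not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "BR-WS01", "User": "BANK\\jdoe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"EventID": 1, "Computer": "BR-WS01", "User": "BANK\\jdoe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <constructed-placeholder>"},
    {"EventID": 1, "Computer": "BR-WS02", "User": "BANK\\asmith",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for alert in flag_office_spawned_shells(SAMPLE_EVENTS):
        print(alert)
```

A hit from this rule is worth treating as a high-severity alert on its own; pairing it with removable-media mount events would have tied the workstation back to the dropped drive.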
Anyone need a loan? Great rates!
Ryan MacDougall, senior security consultant at Coalfire.
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.