Good morning to those in North America.
Next week I'll be flying out of my office to one of my company's other locations, under the guise of a transfer.
I'll be at this job site from right after Thanksgiving, until just before Christmas, roughly 25 days.
I'm working for a very well-known recreational shoe and apparel company.
Corporate has identified a breach in policy where users are bringing their work laptops to the company's cafeteria.
The cafeteria is set up with open public Wi-Fi, so that the public and business visitors can connect.
Because the public is allowed here without much suspicion, Corporate has asked me to run a test.
They want to know, with consumer-accessible hardware and a budget of $500, how much a potential attacker can gain.
For this test, I have selected a Mark V Pineapple, which should arrive soon, and purchased a battery that should run between 24 and 30 hours.
So far, I am $270 into this project's budget. I still need to purchase a laptop and any other gear necessary.
The test will be measured by a few metrics:
1) Number of company email login/password sets I can compromise (Outlook Webmail is utilized when not on the main network for office workers, and Gmail via Google Apps for Business is used for contractors and vendors.)
2) Number of company laptops I can compromise with keyloggers. The measure of one successful compromise is one full day's worth of strokes from one user, beginning with their initial morning Citrix logins, ending with their access to the timesheet (which is the last step before logoff), uploaded to a remote server.
3) Avoiding detection. This will be measured by support tickets filed by employees who notice or suspect they have been compromised.
4) I am not allowed to connect anything to the employee's computers physically, so no rubber ducky, no SE, nothing.
What I was planning on doing was setting up in the cafeteria just below the access point, and using the known SSID to grab clients.
From there I would use dnsspoof and/or sslstrip to first capture the webmail logins. It will not appear out of place to be in the cafeteria for a few hours with a laptop out and the Pineapple concealed in a bag.
Next, I can set the Pineapple to deploy on battery power. I was considering getting a second battery pack, so that when I revisit each day, I can take the dumps home and swap out the battery for the next day. That should allow me enough information captured over the first week to have a nice set of data.
I'm still not sure what vector I should use to deploy the keylogger, but I would need to make sure it only makes its way onto company equipment, and not that of the public.
I don't have too much experience with Wi-Fi security; most of my previous work in this role has been running physical compromise scenarios and internal attacks from pretend 'compromised employees'.
Any advice or tips would be appreciated, and if this is in the wrong section, feel free to move me.
Thanks for a great product. I'm sure this will be a fun experience in what a low-budget attacker can accomplish with a partially closed corporate campus and some determination.
With any luck, Corporate will approve the funds for creation of a separate network for the public's use that blacklists all company gear, and deploy a secured AP like they have on the rest of campus for employees to connect to while eating. Easier than getting employees to follow the rules.
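A defender-side check for the scenario described above (a second radio rebroadcasting the cafeteria SSID), as an added example that is not part of the original post or of the Pineapple product: it compares a periodic wireless scan against an inventory of sanctioned access points and flags any BSSID that is not in the inventory, or that advertises a managed SSID with the wrong security setting. The record field names, the SSIDs, the BSSIDs and the inventory are all constructed assumptions; a real deployment would feed it the output of a wireless IDS sensor or a scheduled survey.

```python
"""Rogue / evil-twin access point check over a Wi-Fi scan.

Added example, not from the original post. It assumes the defender already
collects scan records (for example from a wireless IDS sensor or a scheduled
survey) and reduces them to ssid / bssid / security / channel fields.
Everything below is constructed sample data.
"""

# Constructed sample scan. Two SSIDs are managed by the company; each is also
# seen from a BSSID that is not in the sanctioned inventory, and one of those
# advertises the employee SSID as an open network.
SAMPLE_SCAN = [
    {"ssid": "Cafeteria-Guest", "bssid": "aa:bb:cc:00:00:01", "security": "open", "channel": 6},
    {"ssid": "Cafeteria-Guest", "bssid": "de:ad:be:ef:00:02", "security": "open", "channel": 11},
    {"ssid": "Corp-Employee", "bssid": "aa:bb:cc:00:00:10", "security": "WPA2-Enterprise", "channel": 36},
    {"ssid": "Corp-Employee", "bssid": "de:ad:be:ef:00:03", "security": "open", "channel": 1},
]

# Constructed inventory, assumed to be maintained by the network team:
# sanctioned radios by BSSID, and the security mode each managed SSID must use.
KNOWN_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10"}
EXPECTED_SECURITY = {"Cafeteria-Guest": "open", "Corp-Employee": "WPA2-Enterprise"}


def find_rogue_aps(scan, known_bssids, expected_security):
    """Return a list of (bssid, ssid, reason) findings for a scan.

    Two independent checks run per record, so one radio can produce two
    findings: it is not a sanctioned BSSID, and/or it advertises a managed
    SSID with a security mode other than the one the inventory expects.
    """
    findings = []
    for rec in scan:
        ssid, bssid = rec["ssid"], rec["bssid"]
        if bssid not in known_bssids:
            findings.append((bssid, ssid, "BSSID not in sanctioned inventory"))
        expected = expected_security.get(ssid)
        if expected is not None and rec["security"] != expected:
            findings.append(
                (bssid, ssid, f"security mismatch: expected {expected}, saw {rec['security']}")
            )
    return findings


def rogue_bssids(scan, known_bssids, expected_security):
    """Distinct offending BSSIDs, sorted, for a ticket or a block list."""
    return sorted({bssid for bssid, _, _ in find_rogue_aps(scan, known_bssids, expected_security)})


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(SAMPLE_SCAN, KNOWN_BSSIDS, EXPECTED_SECURITY):
        print(f"{bssid}  {ssid:<16}  {reason}")
```

Keying the check on an inventory of sanctioned BSSIDs, rather than on "the same SSID seen more than once", avoids false positives on a campus where one SSID is legitimately served by many access points; the cost is that the inventory has to be kept current when radios are added or replaced.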