Audit

Everything posted by Audit

  1. Feel free to close and delete, I don't want to make anyone uncomfortable. Rescinded point #2, I have several acceptable vectors, didn't realize how it would sound posted here.

     I agree, I find that the scope of work requested doesn't match up well with the restrictions imposed. I think this is a case of someone in a board meeting making a sweeping statement along the lines of "Anyone with $X and some time could [ruin us, rape children, convert us to Islam, etc.]" Some of the things I have been asked to do here seem like settling barroom bets rather than legitimate work.

     jjd -- The request sounds just like it was stripped from USA Today, which is likely where it came from.

     Lockon -- Got clarification on policies. Users are allowed to use their personal devices for anything outside standard AUP policies, but are not permitted to use company equipment for anything not directly work related. I don't have a way to separate the two categories of equipment without having information outside what would be available in the scenario. I think I'll be rejecting this on ethical grounds and looking for new employment.

     shadowmmm -- Frankly, I don't think I would either. Go figure. I try to do my best to work within the scope they give me and not ask questions. I know that the director of the location I'm visiting is opposed to any infrastructure expenditure on the network, as they've taken heavy losses this year and covered it by coming under in their network budget. The job looks more and more like it's to prove a point. The superior who assigned me this has a personal grudge against the director at the location I am testing. After getting more information in regards to this assignment upon arriving to work this morning, I'm against performing what's been asked.

     Corporate espionage isn't something that's too much of a concern for us, as anything stolen would be hard to implement without being quickly apparent and a huge legal expense for our main competitor. Sort of a Coke/Pepsi rivalry, where their info won't do us much good. No one has been able to provide me a good justification for what the perceived threat or purpose is other than scaremongering and potentially sabotaging someone's career.

     All in all, you guys have confirmed my opinion on this matter, and I will be rejecting the request on grounds of it being unfeasible within the parameters and ethically suspect. Thank you for giving me a sounding board to help me come to this conclusion, I think I will start preparing a resume. Still excited to have a pineapple to play with.
  2. Good morning to those in North America.

     Next week I'll be flying out of my office to one of my company's other locations, under the guise of a transfer. I'll be at this job site from right after Thanksgiving until just before Christmas, roughly 25 days. I'm working for a very well-known recreational shoe and apparel company.

     Corporate has identified a breach in policy where users are bringing their work laptops to the company's cafeteria. The cafeteria is set up with open public Wi-Fi, so that the public and business visitors can connect. Because the public is allowed here without much suspicion, Corporate has asked me to run a test. They want to know, with consumer-accessible hardware and a budget of $500, how much a potential attacker can gain.

     For this test, I have selected a Mark V Pineapple, which should arrive soon, and purchased a battery that should run between 24-30 hours. So far, I am $270 into this project's budget. I still need to purchase a laptop and any other gear necessary.

     The test will be measured by a few metrics:

     1) Number of company email login/password sets I can compromise (Outlook Webmail is utilized when not on the main network for office workers, and GMail via Google Apps for Business is used for contractors and vendors.)

     2) Number of company laptops I can compromise with keyloggers. The measure of one successful compromise is one full day's worth of strokes from one user, beginning with their initial morning Citrix logins, ending with their access to the timesheet (which is the last step before logoff), uploaded to a remote server.

     3) Avoiding detection. This will be measured by support tickets filed by employees who notice or suspect they have been compromised.

     4) I am not allowed to connect anything to the employees' computers physically, so no rubber ducky, no SE, nothing.

     What I was planning on doing was setting up in the cafeteria just below the access point, and using the known SSID to grab clients. From there I would use DNSspoof and/or SSLstrip to first capture the webmail logins. It will not appear out of place to be in the cafeteria for a few hours with a laptop out and the pineapple concealed in a bag.

     Next, I can set the pineapple to deploy on battery power. I was considering getting a second battery pack, so that when I revisit each day, I can take the dumps home and swap out the battery for the next day. That should allow me enough information captured over the first week to have a nice set of data.

     I'm still not sure what vector I should use to deploy the keylogger, but I would need to make sure it only makes its way onto company equipment, and not that of the public.

     I don't have too much experience with Wi-Fi security; most of my previous work in this role has been running physical compromise scenarios, and internal attacks from pretend 'compromised employees'. Any advice or tips would be appreciated, and if this is in the wrong section, feel free to move me.

     Thanks for a great product, I'm sure this will be a fun experience in what a low-budget attacker can accomplish with a partially closed corporate campus, and some determination. With any luck, Corporate will approve the funds for creation of a separate network for the public's use that blacklists all company gear, and deploy a secured AP like they have on the rest of campus for employees to connect to while eating. Easier than getting employees to follow the rules.