Audit Posted November 24, 2013 Good morning to those in North America. Next week I'll be flying out of my office to one of my company's other locations, under the guise of a transfer. I'll be at this job site from right after Thanksgiving until just before Christmas, roughly 25 days. I'm working for a very well-known recreational shoe and apparel company. Corporate has identified a breach in policy where users are bringing their work laptops to the company's cafeteria. The cafeteria is set up with open public Wi-Fi, so that the public and business visitors can connect. Because the public is allowed here without much suspicion, Corporate has asked me to run a test. They want to know, with consumer-accessible hardware and a budget of $500, how much a potential attacker can gain. For this test, I have selected a Mark V Pineapple, which should arrive soon, and purchased a battery that should run between 24-30 hours. So far, I am $270 into this project's budget. I still need to purchase a laptop and any other gear necessary. The test will be measured by a few metrics:
1) Number of company email login/password sets I can compromise (Outlook Webmail is utilized when not on the main network for office workers, and GMail via Google Apps for Business is used for contractors and vendors.)
2) Number of company laptops I can compromise with keyloggers. The measure of one successful compromise is one full day's worth of strokes from one user, beginning with their initial morning Citrix logins, ending with their access to the timesheet (which is the last step before logoff), uploaded to a remote server.
3) Avoiding detection. This will be measured by support tickets filed by employees who notice or suspect they have been compromised.
4) I am not allowed to connect anything to the employees' computers physically, so no Rubber Ducky, no SE, nothing.
What I was planning on doing was setting up in the cafeteria just below the access point, and using the known SSID to grab clients. From there I would use DNSspoof and/or SSLstrip to first capture the webmail logins. It will not appear out of place to be in the cafeteria for a few hours with a laptop out and the Pineapple concealed in a bag. Next, I can set the Pineapple to deploy on battery power. I was considering getting a second battery pack, so that when I revisit each day, I can take the dumps home and swap out the battery for the next day. That should allow me enough information captured over the first week to have a nice set of data. I'm still not sure what vector I should use to deploy the keylogger, but I would need to make sure it only makes its way onto company equipment, and not that of the public. I don't have too much experience with Wi-Fi security; most of my previous work in this role has been running physical compromise scenarios and internal attacks from pretend 'compromised employees'. Any advice or tips would be appreciated, and if this is in the wrong section, feel free to move me. Thanks for a great product. I'm sure this will be a fun experience in what a low-budget attacker can accomplish with a partially closed corporate campus and some determination. With any luck, Corporate will approve the funds for creation of a separate network for the public's use that blacklists all company gear, and deploy a secured AP like they have on the rest of campus for employees to connect to while eating. Easier than getting employees to follow the rules.
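The plan above hinges on an "evil twin" AP that rebroadcasts the cafeteria's known SSID. On the defensive side, the simplest control is to compare what is on the air against an inventory of sanctioned BSSIDs per SSID. The following is an added example, not code from the original post or from the Pineapple project; the inventory, the scan lines and the `-40 dBm` proximity threshold are constructed values.

```python
# Added example: flag evil-twin access points by comparing a Wi-Fi scan
# against an inventory of sanctioned BSSIDs for each corporate SSID.
# All BSSIDs, SSIDs and signal values below are constructed for illustration.

# Constructed inventory: SSID -> set of sanctioned (known-good) BSSIDs.
SANCTIONED = {
    "CafeGuest": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "CorpStaff": {"00:11:22:33:44:10"},
}

# Constructed scan export in a simple "bssid,channel,signal_dbm,ssid" CSV
# layout (not real airodump/Kismet output). The strong -30 dBm beacon on
# channel 6 is the kind of anomaly a Pineapple in a bag would produce.
SCAN = """\
00:11:22:33:44:01,6,-55,CafeGuest
00:11:22:33:44:02,11,-60,CafeGuest
aa:bb:cc:dd:ee:ff,6,-30,CafeGuest
00:11:22:33:44:10,36,-58,CorpStaff
de:ad:be:ef:00:01,1,-70,CorpStaff
"""

# Signal stronger than this suggests the radio is in the same room as the
# sensor, which is unusual for a ceiling-mounted sanctioned AP. Constructed.
PROXIMITY_DBM = -40


def parse_scan(text):
    """Parse the CSV scan export into a list of dicts, normalising BSSID case."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, chan, rssi, ssid = line.split(",", 3)
        rows.append({"bssid": bssid.strip().lower(), "channel": int(chan),
                     "rssi": int(rssi), "ssid": ssid.strip()})
    return rows


def find_rogue_aps(rows, sanctioned=SANCTIONED):
    """Return (ssid, bssid, reason) for every AP that advertises one of our
    SSIDs from a BSSID that is not in the sanctioned inventory."""
    findings = []
    for r in rows:
        allowed = sanctioned.get(r["ssid"])
        if allowed is None:
            continue  # not one of our SSIDs; nothing to compare against
        if r["bssid"] not in allowed:
            reason = "unknown BSSID"
            if r["rssi"] > PROXIMITY_DBM:
                reason += ", unusually strong signal"
            findings.append((r["ssid"], r["bssid"], reason))
    return findings
```

Run periodically from a fixed sensor in the cafeteria, the output is enough to open a ticket before any client is lured; pairing it with 802.1X on the staff SSID removes the "known open SSID" lure entirely.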
jjd Posted November 24, 2013 What is your company worried about? Kids with laptops in the cafeteria or corporate espionage? Because your budget is way off for the latter. Although I think the project budget is way off anyway; it would likely be cheaper to implement the fix you talked about than to test the problem. As far as how to deploy a keylogger, your only option if you don't get hardware access is online. But I would assume your company does not want you installing rootkits on everyone's laptops? All in all a very strange project.
Lockon Posted November 24, 2013 I agree with jjd; in this situation, it doesn't seem to make much sense in terms of the budget and goal. What is your company concerned over? Sensitive information being leaked out to the public or unauthorized parties? You don't have to use a laptop; I use an old Nexus tablet to perform simple monitoring functions, but keyloggers are something that should be implemented at the IT level, in other words they should've been on the company laptops in the first place. I'm not comfortable sharing how you could inject malware remotely because if you don't know how, there's a risk involved in sharing it here. Besides, I'm under the assumption that those laptops are using some kind of antimalware and it may alarm the user of such an attempt. What you can't easily monitor remotely in your situation is when users take any data off the machine physically, like saving it to a disc or flash drive, but they don't have to be in a cafeteria to do it. It would help if you knew what the exact policies are. Are users allowed to check their personal emails from work? Do they have a limited user account or administrative access? What is their AUP (acceptable use policy) outside of the common "no porn sites, no P2P file sharing, no installation of any 3rd party software, etc."? If the AUP allows for employees to check their personal emails, for example, and you sslstrip and save the data, you are also violating the privacy rights of the users if caught.
jjd Posted November 25, 2013 (edited)
> They want to know, with consumer-accessible hardware and a budget of $500, how much a potential attacker can gain.
This almost sounds like the beginning of a 'scary' newspaper article about the evil hackers. Not saying you're trying to mislead anyone with your post, just that it sounds familiar. Edited November 25, 2013 by jjd
shadowmmm Posted November 25, 2013 First of all, I would never respond to that, from a person with one post and no reputation. This should be closed and deleted.
Audit (Author) Posted November 25, 2013 Feel free to close and delete, I don't want to make anyone uncomfortable. Rescinded point #2; I have several acceptable vectors, didn't realize how it would sound posted here. I agree, I find that the scope of work requested doesn't match up well with the restrictions imposed. I think this is a case of someone in a board meeting making a sweeping statement along the lines of "Anyone with $X and some time could [ruin us, rape children, convert us to Islam, etc.]" Some of the things I have been asked to do here seem like settling barroom bets rather than legitimate work. jjd -- The request sounds just like it was stripped from USA Today, which is likely where it came from. Lockon -- Got clarification on policies. Users are allowed to use their personal devices for anything outside standard AUP policies, but are not permitted to use company equipment for anything not directly work related. I don't have a way to separate the two categories of equipment without having information outside what would be available in the scenario. I think I'll be rejecting this on ethical grounds and looking for new employment. shadowmmm -- Frankly, I don't think I would either. Go figure. I try to do my best to work within the scope they give me and not ask questions. I know that the director of the location I'm visiting is opposed to any infrastructure expenditure on the network, as they've taken heavy losses this year and covered it by coming in under their network budget. The job looks more and more like it's to prove a point. The superior who assigned me this has a personal grudge against the director at the location I am testing. After getting more information in regards to this assignment upon arriving at work this morning, I'm against performing what's been asked.
Corporate espionage isn't something that's too much of a concern for us, as anything stolen would be hard to implement without being quickly apparent and a huge legal expense for our main competitor. Sort of a Coke/Pepsi rivalry, where their info won't do us much good. No one has been able to provide me a good justification for what the perceived threat or purpose is other than scaremongering and potentially sabotaging someone's career. All in all, you guys have confirmed my opinion on this matter, and I will be rejecting the request on grounds of it being unfeasible within the parameters and ethically suspect. Thank you for giving me a sounding board to help me come to this conclusion; I think I will start preparing a resume. Still excited to have a Pineapple to play with.