Case Study

Corporate LAN Penetration Test

Industry: Leisure

Location: UK

Scene

Rounds of external penetration testing had shown that this company's external security was drastically improved. The focus now rightly shifted to the internal corporate LAN.

Challenge

The challenge was to test the security of the corporate LAN. The LAN was typical for an organisation of its size (over 1200 staff).

Engagement

The engagement was classified as a penetration test. The plausible scenario was that the penetration tester was a contractor working on-site for a week. The contractor was permitted to connect a laptop to the LAN; no further access was provided.

After finding that MAC-address-based ACLs were in place, our 'contractor' changed the MAC address of the attacking laptop to one that had been seen in network traffic. This permitted MAC address allowed the laptop onto the network, but legitimate access was then sought from the network administrator. The reason for this is that the contractor was allowed legitimate access to the network in any case, and using a duplicate MAC address would cause intermittent network issues for both parties.

With access to the LAN, the 'contractor' now started to survey the network. IP address ranges were mapped, and server ranges, IP-enabled printers and other devices, including UPS systems, network hardware and desktops, were detected. The 'treasure' on this network was seen to lie in the IP ranges set aside for servers.

Results

Approximately 30 servers were seen; these were mainly Microsoft Windows. After a more detailed examination, approximately 14 were seen to suffer from a remotely exploitable issue in Microsoft Plug and Play. An exploit for this issue was readily available from the Internet.

The exploit was used on the vulnerable machines and worked every time. Successful exploitation led to a command shell, so accounts were created on each machine so that it could be probed further by logging in using Microsoft Terminal Services.

One of the servers exploited to SYSTEM level was the Active Directory domain controller. SYSTEM-level access on this machine meant that the account created could be elevated to 'Domain Admin' status. Once this was done, the entire domain was open to the 'contractor'.

Within the space of a few hours the machines which were fully exploited included:

  • HR departmental servers
    • HR database perused
  • Finance departmental servers
    • Detailed financial records and BACS payments seen
  • Mail servers
    • Incoming and outgoing E-Mail read

For the purposes of reporting, screenshots were taken from key servers. The information captured in these screenshots included that listed above.

Risks to business

The LAN was penetrated to the core by a 'contractor' who had access to the LAN for less than one working day.

The risk for the business in question is that the full range of detailed HR and Finance information could very easily find its way out of the corporate network and onto the streets.

One element of risk is the commercial and public relations embarrassment caused by such a lapse being publicised. Another element is the legal repercussions stemming from the loss of employee and client data.

info@esqo.com

0121 270 6005