Musings From a Pen Tester’s Diary

Musings From a Penetration Tester’s Diary - Part 2

By Akash Desai, Director, ERMProtect IT Security Consulting

The author has been performing penetration tests (ethical hacking) around the globe since graduating from Carnegie Mellon 18 years ago. He’s “hacked” banks, factories, fire departments, airports – you name it. We asked Akash Desai, our Director of IT Consulting, to take a trip down memory lane and discuss some of his more interesting intrusion cases. This is Part 2 of “Musings from a Pen Tester’s Diary.”


In my last article, I mentioned that a long time ago we were hacking modems – not advanced devices like today’s that connect just about anything to the Internet. That got me thinking – it’s been quite a while since I’ve been doing this.

So, looking back, what are some of the most memorable penetration testing projects that I’ve worked on over all these years that readers might find interesting?

Different projects can be memorable for different reasons but let me think of this from the lens of which projects were a lot of fun.

And obviously if the project was fun for a pen tester, it means we were able to hack our way deep into the organization…

Smoke and Fire in Pen Test Project

A pen test project for a city government led us to its fire station network. One of our team members, then a young and eager consultant, pointed out a website which was the fire station’s control panel. I began to think about the best way to hack it, eager to set an example for the young woman.

But what could have been a teachable moment quickly slipped away as we realized the control panel for the entire city’s fire station was open! We could move sliders that would change emergency levels, status logs, truck route information, live updates, and lots more. At one end of the panel, there was an inviting red button which could set off an alarm. No, we didn’t!

They Can See Us: Pen Testing & Banking

That takes me back to the time when I was a young and eager consultant. A bank’s network was the pen test target. The bank was pretty well-secured and it was obvious the IT staff members had really worked hard to plug security issues before asking a penetration testing company to have a go at them.

With lots of time spent on the obvious without much success, the urge to look for something not-so-obvious took me to their CCTV camera site. The default password? Amazingly it was “password.” We called the CISO. I heard him telling his security officer – “they can see us!” We were thinking of asking someone to wave at the camera. No, we didn’t!

Pshhhkkkkkkrrrrkakingkakingkakingtshchchchchchchchcch*ding*ding*ding*

If you’re smiling, you know what this is. It’s the handshake tone of a modem. Clearly, my most memorable projects list is incomplete without my very first one for a penetration testing company.

We hacked into a utilities company via the modem. We had written a script on top of a tool called ToneLoc. Not wanting to arouse suspicions, we ran this during the nights. It took about three nights before we had taken over a router that led us to a critical control database. The urge to hack this treasure chest was strong. But the pen test rules of engagement said we shouldn’t try to crash any critical systems. So, no, we didn’t.

One Injection to Rule Them All

We once performed a web application penetration test for a logistics company. The security was actually pretty good. There were no significant findings, and we were nearing the close of the project. But as I mistakenly clicked the forgot password link, I remembered that I hadn’t tried to inject SQL into the forgot password field yet.

True to its promise, the SQL injection did what it does best, only better. The attack vector was crafted such that all accounts in the application were reset together. A few steps down the line, we were able to log in to any account of our choosing.

The clincher here is we had actually run a vulnerability scanning tool on the web application and the tool used SQL injection attack vectors as well. Yet, it didn’t find what a manual attempt did. You might remember what I had said about manual versus automated pen testing. On this day, that message could be heard from the rooftops.

Finding a Fortune

When you’re pen testing a bank, there’s always a feeling that the testing might lead to gold – access to an account. Many times, it doesn’t happen, but in this example, the results were shocking.

By the end of the first day of testing, we could wire any amount we wanted to anywhere we wanted. But you need to have millions in your little test account before you can transfer them, right? Wrong. We could even change the amount of money available in the test account.

The best comment came from our company accountant – “Reconciliation would be such a nightmare.”

In the Middle of the Night

Our penetration testing projects with Fortune 500 clients are markedly different from other projects. There’s a lot of structure. The reporting lines are clear. And they have offices around the world so when we’re pen testing in the middle of the night, they have someone working in another time zone to whom we can escalate issues.

During one such project, we hacked a web form that generated emails and turned it into a spam machine. We escalated this to a senior security team member in the company’s UK office and explained the finding to him. It turned out he was the global head of security at the company … and he was fascinated.

We also showed him how we could send him an email from his own email address, and pretty much anyone else’s email address for that matter.

Mining The Miners

A recent pen test led our penetration testing company to some open ports on a server that looked normal but were not really, because the profile of the server did not match the services the ports pretended to offer. Things didn’t add up and we flagged the discrepancy to the client.

It turned out the server had been compromised for over a year and was being used to mine bitcoin. What unfolded then was truly amazing. At the end of our pen test, we had identified similar patterns in several other servers. Hackers had created a server farm of sorts to generate “passive income” from bitcoin.

To the CISO and his team’s credit, they went about relentlessly plugging server after server until they were all cleaned from the bottom-up. We tested them again to make sure that all the holes were indeed plugged. A comprehensive security breach investigation and remediation exercise followed as well.

Final Thoughts from a Pen Tester’s Diary

Our penetration testing projects take us from one end of the industry spectrum to the other. One day, our penetration testing company could be hacking into the Internet banking site of a bank, the next day a large onsite data center for a construction giant, and the day after that a complex cloud implementation for a municipality.

I’m mindful that many of these organizations deal with end customers and users – regular people. I feel fortunate that the work we do can protect their information, money, and mental peace.

Well, this was fun. I’ll be back of course. Musingly yours.

Akash Desai
