As I am sitting in the reception of a well-known London managed office provider awaiting a client, I'm looking around, noting Ethernet points, Wi-Fi repeaters, the door access system, and how people walk in and out, either swiping cards or tailgating others coming in or out of the building. I'm struck, from a security point of view, by how easy it is to get in through the first level of perimeter security, namely the door system (also remembering some of these offices offer 24/7 access).
I am met by my client and we go up to their office where we grab a coffee and have our meeting.
On the way down I look for an opportunity to answer some emails, and lo and behold, there is a breakout area by reception where residents are having lunch or coffee or sitting there doing other hipster things (yes, it's a mystery to me too!).
I spy a seat in the corner which I head to, and claim it as my domain. Settling in, I get my laptop out, fire it up, pull a bottle of water out of my bag and take a closer look at my surroundings.
No one has challenged me so far. But that's not too unusual for these places.
So I wait for the laptop to finish loading, scrolling through news on my phone whilst I wait, then log in and check my mails: a few replies, a couple of questions and a message that my Apple account had been locked… I don't have an Apple account 😆 I'm looking around and I wonder if this place is secure… probably not, I make a bet with myself.
I fire up a VM and whilst this is happening, I dig in my bag and with a longer than normal USB cable connect a powerful USB Wi-Fi dongle with twin antennae and stuff it under my seat on the floor… noticing as I do an Ethernet and power socket behind my chair.
So, first off, I do a Wi-Fi scan and note several SSIDs, three of which belong to this managed office provider.
I start to search them one by one, noting the users around me and knocking them off one by one a few times each till I see two guys close to me complaining about the Wi-Fi in this building being a bit crap. Bingo! Playing around with these guys I managed to capture their Wi-Fi logon hash to play with later. It's not that I'm seriously looking for a way in, I just want to see how quickly I can get some details to use. Pretty quickly, it seems.
Whilst playing with this I'm also scanning Bluetooth devices at the same time and finding a few devices close by, within 10-15 meters, that might be of interest above the normal iPhone and Android devices.
I look at the local Wi-Fi again and the guest Wi-Fi just wants my Facebook or Google ID to give me access… I offer up one of the many false IDs I have and I get access.
Scanning my currently assigned IP range I see about 40 IP addresses already taken, and running down the list I see a few host names, but nothing out of the ordinary. Now I look for adjacent subnets to see if there's anything, but get no responses. The guest Wi-Fi is either operating in a small range or is in isolation mode.
So I go back to my recently captured Wi-Fi details, run them through some tools, and a short while later I have the Wi-Fi password. (My laptop is a bit slow, that's why it took some time.)
Then I log in to the next Wi-Fi SSID and do a quick scan, lots of IPs to play with 🙂
Time to fire up Wireshark.
Wireshark is such a neat tool; on any security exercise it's my number one go-to for swift intel. So looking at the traffic, I see the normal local traffic, and the requests for owners of IPs etc… normal stuff, but now I'm seeing other IP ranges outside of the one I'm currently on, so I adjust my subnet mask and broaden my search (Nmap is good for this) and start scanning for devices on the three subnets above and below my current one.
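From the defender's side, the sweep described above (a guest-segment client widening its mask and probing the subnets either side of its own) leaves a very recognisable footprint in flow or firewall logs. The following is an added example, not code from the post: a small detector over constructed flow records that flags any source touching more foreign /24s or more distinct hosts than a normal client would. The 10.20.x.x ranges and the thresholds are assumptions.

```python
"""Flag sources that sweep across several subnets, the pattern a guest
client produces when it widens its subnet mask and scans adjacent ranges.
All data here is constructed for illustration; it is not from the post."""
import ipaddress
from collections import defaultdict

# Constructed sample flows as (src, dst, dport). The guest range is assumed
# to be 10.20.7.0/24; 10.20.7.44 probes neighbouring /24s, 10.20.7.10 is a
# normal client doing DNS to its gateway and HTTPS to the internet.
FLOWS = [
    ("10.20.7.44", "10.20.4.1", 445), ("10.20.7.44", "10.20.4.2", 445),
    ("10.20.7.44", "10.20.5.7", 80),  ("10.20.7.44", "10.20.6.3", 22),
    ("10.20.7.44", "10.20.8.9", 139), ("10.20.7.44", "10.20.9.2", 445),
    ("10.20.7.10", "10.20.7.1", 53),  ("10.20.7.10", "142.250.1.1", 443),
]


def sweep_sources(flows, home_prefix=24, max_subnets=2, max_hosts=10):
    """Return {src: (foreign_subnets, distinct_hosts)} for every source that
    reached more foreign /home_prefix subnets than max_subnets or more
    distinct internal hosts than max_hosts. Internet destinations are
    ignored because lateral sweeps target private ranges."""
    foreign = defaultdict(set)   # src -> set of /home_prefix nets != own
    hosts = defaultdict(set)     # src -> set of internal destination IPs
    for src, dst, _port in flows:
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip.is_global:
            continue
        dst_net = ipaddress.ip_network(f"{dst}/{home_prefix}", strict=False)
        src_net = ipaddress.ip_network(f"{src}/{home_prefix}", strict=False)
        if dst_net != src_net:
            foreign[src].add(dst_net)
        hosts[src].add(dst_ip)
    return {
        src: (len(foreign[src]), len(hosts[src]))
        for src in hosts
        if len(foreign[src]) > max_subnets or len(hosts[src]) > max_hosts
    }


if __name__ == "__main__":
    for src, (subnets, count) in sweep_sources(FLOWS).items():
        print(f"{src}: touched {subnets} foreign subnets, {count} hosts")
```

A guest segment that is properly isolated at the firewall should never produce a non-empty result here; if it does, the segmentation itself has failed, not just the alerting.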
Sitting back and taking a swig of water, waiting for Nmap to deliver, I make a bet with myself: Big Mac says I find multiple exposed subnets, tuna salad says I am isolated.
Big Mac and fries please with a side of heart attack!
The results I got were pretty astounding: the building I was in offers Wi-Fi access to all clients, as well as Ethernet packages ranging from 1mb to 100mb bandwidth at eye-watering rates. They are charging an arm and a leg, not to mention a few vital organs, for basic internet access with little or no security to protect internal clients from one another.
Digging a bit deeper, I came across finance investment companies with exposed NAS boxes, open shares on workstations in workgroup mode, printers where I could access the admin pages because no admin creds were used or, even worse, the default ones were still in place!!! Recruitment companies, consultancies, and various other agencies.
Sipping water, I'm wondering how bad this really is.
I remember the Ethernet socket behind me, so I whip out my Cat6 Ethernet cable, plug it in along with my PSU, as the battery on my laptop is now warning me I have less than ten minutes left, and enable my Ethernet controller.
I check and I've got an IP assigned!! So there's a DHCP service running on this segment somewhere.
Then, checking the range, it's different from the Wi-Fi one, which is good, so I run the same scan check, betting a Krispy Kreme or an apple on the results.
Krispy Kreme won the day… by a massive margin.
I've gotten what looks like some real golden drops here: I'm seeing a reception workstation, servers and printers and a SAN… I think the Ethernet port I'm plugged into is directly connected to their private corp network. Why, I don't know, but it's quite clear the port I'm on is plugged into their corp switch; I can even see a badge printing machine and a label printer!
Right now I'm feeling a bit proud of myself; it's taken me less than an hour and a half to get to this point. The hipsters have gone, to be replaced by other hipsters; lunch is over but the breakout area is still busy.
I could stay here and gather a lot of intel, but to be honest, I can't be bothered as I know I'll eventually be able to crack their security with no serious effort. In a normal world, I would have told my client, but they are moving out next week. If I was feeling generous, I would have spoken to the centre manager and let them know what I found etc. etc… but I've had some bad run-ins with this particular serviced office provider before; their cheap and even cheaper approach to service delivery left a bad taste in my mouth. They are one of the largest in the UK, and if you've been in a managed office before, you can probably guess who they are.
For now, I'll just write out a brief explanation of what I found and how I found it, and send it to the reception printer just before I leave. Let them figure it out from there 😛