what i do?

Am an Information Risk Consultant and Penetration Tester, i specialize mostly in penetrating secure networks/computer systems where i simulate an organized professional attack against your organization, where after that a detailed report with weakness and exploited vectors are summarized. This will help you gain control over your infrastructures security and maximize your protection.

Tuesday, July 02, 2013


Hi good people.

A few Months ago i was tasked to a Penetration Testing, for a Secure Organization and they wanted to know which vulnerabilities they had and how someone with some bad intentions would take it.

Now this organization, i will call Tazama LTD, for security reasons and NDA agreements. This will be used for Knowledge transfer only and should not be used against an infrastructure which could be having similarities.

Now, i was called in for a target, everything was Blackbox Penetration Testing and i was allowed to use Red Team Assessment wherever possible. Now hard to hack infrastructures are my best, since i love challenges, and anything i fear doing, seems to make me grow further.

The thing about security is that the very things that protect you can be turned against you by someone who knows what he's doing.

So first was to get the recon done, find where the offices are based, the HQ and also the Management names from the website. Remember, every battle is won before its fought. The organizations chart, Job vacancies, Emails addresses, Phone numbers, Facts and Figures, were the first to go for.

Recon went on to the operation aspects, Domain names, Network blocks, DNS Servers, etc. As i did this, i realized the IPs they were using as gateway, was not registered under their name, and several offices across the country had Internet Connection from different providers. And to get all the IPs, i had to send mails to all different offices, and X-Originating IPs came with internal network IPs flowing back in to my Thunderbird like little springs on hills.

All the IP were all heavily secured, no ports allowed, except the MailServer in Nairobi, and The Website, hosted in States, now this was a challenge. Alot of pentesters get dead tired, when they see this:

Starting Nmap 5.21 ( http://nmap.org ) at 2012-xx-xx 18:25 EAT
Nmap scan report for xxx.xxx.xxx.xxx

Host is up (0.0037s latency).
All 1000 scanned ports on xxx.xxx.xxx.xxx are closed

I used to be there too, experience is the better teacher. Nothing is impossible.

Next step is to check out the HQ office in town, and they were up the top floors, up to 20ths, and the building surrounded with others. Driving around town and getting a parking was getting hectic. I needed i better solution. So hired a van for three days, a driver, and packed in my gadgets for this adventure. We drove around the buildings as we looked for an easier way in, without having to drive in, at the same time i had my antenna just a few inches out of the windows, picking up one ESSID that had their Org name on it. Lets call it Tazama1, was a bit faint to receive packets though. So eventually, i knew there must be Tazama2 and maybe 3. With a building that is almost 20 floors, and the offices all way far up, i had a task. Had no tablet on me, and i really needed some good OS for this attack, so i had to find a way to the building, with a good laptop and maybe extra batteries, just incase. (Shud invest in a 12 hrs Laptop Battery :D)

The building has a college and an entertainment office, as long as you knew their names, you would walk right throw the main door. So, i left the van, walked through the main door, social engineered the guards and went to the 2 floor where the Entertainment Agency was located. I realized that the stairs weren't guarded, so up i ran, to the 19th floor, and there i could get clear WiFi signals. That was the first vulnerability picked up. These guards seemed professional, but forgot to secure the stairs, but had their men all over the corridors.

All the doors to the offices were locked with Biometrics hardware, to get in through, you needed a fingerprint and a code. During this kinda of assessment its okay to try break into them, but if you don't have good hardware, you might end up being caught. Its an optional target, but remember these days, a Pentester is like a plumber, a dentist or a mechanic. Everybody is always looking for a good one.

Breaking down the equipment is bad for business as the test is a Covert Operation and thats why we call it BlackBox Penetration Testing.

There were no cameras on the hall way and the toilets aren't closed. Guards Room was closed though, it wasn't like a former Pentest, where we wore guards uniform and walked all over the company, story of another blog post

The WiFi Access Points, were all hardened WPA and all that i would collect were handshakes, nothing further, but to bruteforce later.

airodump-ng -c 9 --bssid xx:xx:xx:xx:xx:xx -w psk ath0

Tried not use --ivs, since i wanted all packets, then de-authenicate the users, and they all connected back and grabbed all data.

The first password list failed, no need to try futher, maybe later on, if there is no more holes to get through. DDOSing the WiFi wasnt an option, although bad guys would do the same to course havoc, i had to choose between that and Penetrating into the systems.

Weekend was approaching, and all i had were WPA Handshakes and Building Structure, Physical Security and Organization chart. So i decided to explore further and the building had basement floors where employees park their cars.

Now one thing you will find in most cities is that Parking Lots are labeled with the company name and who is supposed to park there. Now this is good for governance but at the same time can be used against the organization.  By the end of that day, i had the names and a few car number plates of the users. Target was the IT Tech team, yes it has always been.

Developing plans for the next attack, coming week, was harder, due to that it needed a second player, someone equipped with art of deception. I needed someone  to sell a good lie. This is where putting in a little show, making someone angry or work hard to get a piece of information, without compromising the real intention of the whole scenario seemed real chaotic at this moment. A great way to get people talking about their security is to put them on the defensive, accusing a Information Security guy of having bad IDS systems, Weak Firewalls and before you know it he's telling you where his motion detectors are, what WAF he uses, and even the IPS configurations. With not much experience on this, a back plan was underway.

Now, the backup plan was to follow IT Manager to his house, and hope he has wifi and carries his laptop home with him. This seemed better, and this time i went with one of my fellow workmates.

Monday is pretty havoc in the city, traffic is all over the streets from morning to evening, trailing someone might seem real hard especially with City Cops, not allowing motorists to use street lights. So we decided to plug out my car GPS, stick it with glue under his car, and secure it in a way that it wouldn't fall due to bad roads in Nairobi. The GPS if well charged, can be up, to 6-7 hrs. From here, there was no need of trailing our mark, but to wait for him to park his car the next day in the basement, pick up the GPS, charge it and check out his route.

This whole plan worked okay throughout but with only one issue, he was living in Umoja Estate. This estate is a little crowded, going over recon via such a diverse area was getting almost unreasonable for this type of work especially at night due to the risk of getting mugged or robbed, depending on how many hours we might use breaking into his home WiFi.

Luck was on our end, it was on WEP and a cheaper, older router. No wonder he had no access to WPA Security. With SMB shares on the laptop, we were in via smbclient, and able to know the version of Anti Virus and get to understand which type of exe to upload. Mostly, the best way is to set it up on C: drive which is frequently opened. Setting up an Outrun file, the executable will quickly launch in the background.

With smbclient, you cant read SAM, or even copy it. And even if you copied it, it would still have problems decrypting, a meterpreter call back would give us the hashes, all cleaned up. But nowadays, in real life Pentests MSF seems not to do much, so if you can, get to use your own prepared tools. On this one, Symantec EndPoint Protection, was hell and back. Metasploit was not an option here.

The exe didn't called back until after five days, we used that time to go through any sort of data we pulled from his drive. Machines running Window XP don't have much security even when hooked up on a secure domain, and i still wonder why Security Departments let workstations still share files or hard drives to the network.

A workstation is not a server!

We pulled SQL files, downloaded PST, which had some information about the Employee entry cards and Boimetric data. All the vulnerability reports done by Information Security Dept was also there, so we knew all specific types of servers and their internal IP Address, decryted alot of passwords, and this time we had a connection from our zombie, and it was from Tazama internal network. This is a classic Advanced Persistent Threat.

Now with this form of encrypted network attack, scanning throughout the network is much more easier, and more vulnerabilities were picked, plus new targets.

Reporting and cleaning up is always the last options for a penetration tester.

Show the customer the risks, and group them by:

a) Ease of Identification
b) Ease of Exploitation
c) The impact to the Business
d) Over all Risks
e) Recommendations

More blogs to come,

The thing about security is that the very things that protect you can be turned against you by someone who knows what he's doing.

signing off,



Bright Gameli said...

Daaammmnn man...This is one heck of an APT...going the full 100%...Nice one there Chucks.Always learning more from you.

soul said...

Chucks Salute :) and again ..... you proved to us Imagination is more than a books worth knowledge shukran ...watching from the bottom ... we coming man

Antony Gikabia said...

This was just too brilliant..nice learning from you.

Salim Yego said...

This is a crazy one Big up man