what i do?

Am an Information Risk Consultant and Penetration Tester, i specialize mostly in penetrating secure networks/computer systems where i simulate an organized professional attack against your organization, where after that a detailed report with weakness and exploited vectors are summarized. This will help you gain control over your infrastructures security and maximize your protection.

Tuesday, April 29, 2014


 Security Starts with the People

There was this inquiry of Penetration Testing that was advertised early last year and a lot of organizations went for it. The owners of the organization wanted to know if they can be penetrated from the outside. So several Security Firms did their quotations, convinced the clients how they will do good test, and then they decided to go for one firm, and the pentest began. This firm had convinced the client, they will do a Blackbox in less than two weeks and it will be worthy their money.

Well wont go to the details, but what they got were mostly scans, and to sweeten the report, they added the website which was hosted overseas, as it was easy to break into.

So, i was contacted later in the year, by one of the Technical Managers, to do a small approach on how i would target them.

So on-line, only two IPs were available, the gateway to the office and the mail server OWA, all heavily protected. The gateway was NATed to and had a few machines, one with a httpd port, hosting a SAP kinda of Application. (Wont say much). The website was hosted overseas, on a shared host, well remember blackbox has no limitations.

So,  we decided to start with more online recon and also ground recon, especially since Surveillance and Recovery Assessments which is part of Blackbox, seems to yield more data for an attack.

Now this operation was not funded, it had to be cheap as possible, but with a promise of the whole Pentest, it was worth it. It was a two man operation.

So, we decided to start scouting the area, two and three tailgating that didn't work, we discovered a flaw later on. Sunday.... the guards drink a lot on Saturdays, and get to work Sundays, all way hangover-ed, they cant see anything, otherwise red-eyed and aren't attentive.

So, that Sunday we parked on the other side of the street, the organizations compounds is way off town, but fenced all way round with a stone wall. Parking lots were underground and one more was on top floor. One part of the compound where trucks got in to load and offload, had a normal fence, though electrified, all we needed was to gain access to at least one office and understand the Surveillance Cameras, Motion Detectors, Door-To-Door Security and Control Box Manufacturers + Version.

So we decided to pretend to have a lost a cat, and it had gone through the side fence to the Loading Center, selling that to the guard at the gate was going to be hard, since we were both men, and so i was to do the approach.

First thing i had to do, was to run around the block, and i had to pretend to come from the other side of the fence and also i needed to credibly sell the narrative, by the heavy breathing. The guard was a Luo, he was a bit hesitant until i said am visiting the country from Uganda. I didn't know Ugandans had such respect, but it worked. He was a bit high, recovering from his Saturday spoils, so he let me in and i started shouting the name of a fake cat and the HTC was busy photographing every part of the compound. Funny enough the server room was actually situated off the main building, just next to the car park lot, and it was open during the day and closed at nightfall as i gathered later. (Okay that was terrifying, i wished i was deploying APT)

I got access to the offices via the kitchen, the guards weren't even following me, he was just busy laid up in his cubicle the others nowhere to be seem. the doors had no control, no shredding of information, IT Offices had white-boards with a lot of details on the infrastructure. There was no paper shredders, managers offices were not closed, a few notepads with passwords which we came to understand later were stuck on the tables (Personnels still do this a lot, especially WIFI Keys), names and emails were gathered and the information gathered was just overwhelming.

At this age, Information Security Awareness is vital for Infrastructure and Cooperate Defense. What protects you, could be used to infiltrate your network.

No comments: