Enjoy the opening chapter of Pen Test Diaries: Insecurity Culture. Learn more about the Pen Test Diaries series, and how to read on, here: https://www.pentestdiaries.com/
Insecurity Culture: Chapter One
The reward for completing a two-hundred-mile cross country drive with origins at four in the morning, other than my KFC Zinger Tower sandwich, picked up from a service station for breakfast, was a 1980s-style office campus in the middle of absolutely nowhere. I paused for a second to reflect on the glamorous life I’d left behind in intelligence, and then came back down to earth, as I remembered my surroundings would’ve been approximately the same.
One of the hangovers from my time in the intelligence community was my security clearance, a ‘privilege’ that meant I was on point for government penetration testing work. That was exactly why I’d dragged myself out of bed to arrive promptly at the facility I was now observing.
The first arrivals of the day were entering the building. I stealthily looked on, while the soundtrack, provided by BBC Radio One, played from my car stereo. As was typical, badge readers were present at all doors, other than the main entrance, and probably one in every three people swiped in. Colleagues ‘helpfully’ held the doors for each other. A couple of low-grade CCTV cameras covered the entrances of the main building. I could see clearly into offices, and in a couple of cases, was able to study the contents of whiteboards. First impressions of a security culture were as you’d expect at most local government offices, slim to none.
That’s right, I was about to begin an engagement in a local government facility, no less than my tenth such engagement of the last twelve months. The place you complain to about potholes in the road, missing speed limit signs, rubbish not being collected on time, and fight to get your kid into a specific school was about to get a visit from the likes of me.
You might be wondering why I’d been involved with so many local government authorities, and why a security clearance would be needed to work in locations that seem so mundane. Well, in the spirit of fighting crime, terrorism to be specific, several central government departments were starting initiatives to filter more intelligence information down to local authorities. That’s right, the highways guy filling that pothole is about to become the next James Bond. Okay, that’s an exaggeration, but there was a genuine effort underway to arm certain branches of local government with data that could help detect terrorism. Who in local government would have access to the data was strictly controlled, or was supposed to be.
The intelligence would be delivered by way of a secure network, known as SecureGov, which was classified as a RESTRICTED network. RESTRICTED was a security classification greater than you’d find on a typical local government network, but less sensitive of course than SECRET or TOP SECRET, that you’d find at the central government intelligence agencies.
There would need to be some limited connectivity between the existing network in the facility and SecureGov, in order to allow approved users of both networks the ability to access resources on either using a single computer.
Connecting networks is a risky operation, especially when there are different security classifications involved. To be honest, it’s not something that is usually done in government, however the budget for this new system didn’t cover the costs of buying new workstations for anyone using it. To counter the risk here, aside from the extremely limited connectivity, which allowed access to a single internal portal application that would be used to access the wider SecureGov network, a series of security requirements had to be fulfilled by the local government authority. These requirements were designed to ensure their network, and machines were reasonably well configured. One of those requirements, as you can probably guess, was a penetration test.
Two phases of testing were required for all wishing to connect to SecureGov, an on-site assessment of the network and machines on it, and an external assessment conducted over the Internet of the network’s public-facing footprint. I would be tasked with performing both assessments in this engagement, however, scheduling reasons had meant that I would start with the internal assessment.
That may all sound like terribly boring work, but on the contrary, I found this type of engagement to be quite interesting. My experience working in local government networks had drawn me to the conclusion that they were all significantly messed up for one reason or another. Typically, they’re patched together, as various units within the local government realm enter and exit the sphere of government control. Boundaries get redrawn, and so counties change shape. Staff are reassigned, and so too are the information technology resources that come with them. Throw into that mix a common theme of underfunded, highly stressed staff and you’ve got yourself a perfect storm that leads to Swiss cheese networks and old systems left to rot. Easy fodder for the penetration tester, and of course, the malicious attacker.
It was time for me to leave the relative comfort of my Nissan Micra and head into the originally named “County Hall Building A”, where I’d meet my latest customers. If the last 12 months had taught me anything, I’d likely win them over initially with my quirky nature and colourful hair, before slowly crushing them with a six-month backlog of items they’d need to fix.
Walking from my car into the main pavilion area outside the building, I passed what remained of an old fountain. It was now just a sort of raised cement tripping hazard, as the water had been turned off, presumably to save money. I headed through sliding glass doors into the building and for a split second thought I’d mistakenly entered a showroom for a wood panelling manufacturer. It was that light wood, not the classy looking darker kind. A random assortment of tropical plants bordered the reception area, and behind the desk in front of me sat a gentle looking older lady, wearing a uniform in County colours and a headset. I noted that she had an older switchboard-style phone in front of her, with more buttons than you’d find in an airliner cockpit. Probably a prime candidate for digitisation at some point.
“Hello dear,” the receptionist said, “how can I help you?”
“Hi there, Laura Knight, I’m here to meet with Cliff Heath.”
“Okay, is he expecting you Laura?”
“Yes, he should be.”
“Okay dear, let me give him a call and have him come and collect you. Sign this and take a badge please.”
I was asked to sign my entry time into a visitor logbook. As was my own tradition, I signed my name as ‘Minnie Mouse’ by way of a subtle test to see if the visitor logs were ever reviewed. Previous results of this test at similar offices indicated that no one ever actually reviewed the content of visitor logs.
I then retreated to a row of older looking chairs that offered as much comfort as you’d expect. A step down from typical waiting room chairs, but slightly better than plastic primary school chairs. My natural reaction upon sitting down is to grab my phone and start flicking through Twitter, lest I should be alone for five minutes with just my thoughts. Two dozen or so tweets digested, and a portly, bearded man appeared from behind two turnstiles to the side of the reception desk. I assumed this was my guy, and I was right.
“Laura?” The man asked.
I stood up and headed in his direction, my arm emerging to shake his hand across the turnstile gate.
“Cliff, I assume, nice to meet you.”
“That’s right, Cliff Heath, Director of IT, come on back.”
He smiled and used his badge to open the turnstile on my behalf, before beckoning me through. We walked down a corridor bordered by a brick wall to the left, and full height glass panes on the right. As I walked alongside him, I thought to myself that Cliff had surprisingly strong body odor for so early in the morning. Indeed, he didn’t seem to be in the best physical shape. He wore a tight-fitting light blue shirt that contoured his belly like a balloon from a kid’s birthday party.
“How was the drive?” Cliff asked.
“Oh, you know, long, early, but it gave me an excuse to eat KFC for breakfast, so not all bad,” I joked.
Cliff badged us into an office, which contained six desks that wrapped around the perimeter of the room, and then three desks in the middle. Five of the six perimeter desks were occupied, as were two of those in the middle. The demographic occupying the perimeter desks was about as varied as the paint swatch for the original Ford Model T. In other words, not varied at all. All guys, aged between thirty and close to sixty, all bearded and all wearing shirts that were shades of either white or blue. Way to break the mould fellas.
Some diversity was to be found in the central desks, which were occupied by a younger guy in his early twenties, who wore a maroon shirt, and a woman who was probably in her mid-thirties. The third central desk was empty, so I made an educated guess that it was about to be mine. I was correct.
“You can use this desk while you’re here, Laura. Toilets are around the corner, and there is a canteen at the end of that corridor. You’ll need to knock on the door to get back in if you leave the office,” Cliff informed me.
“Great, thanks,” I replied, as I placed my things on the desk.
“I assume you know what you’re doing, and can just get cracking?” Cliff asked.
“Yeah, sure, unless you have any questions for me?”
“No questions, please just do what you’ve gotta do and not break anything in the process! I still don’t understand the point of this SecureGov thing, and this test is just another unbudgeted cost for me,” Cliff replied, indicating he was fully on board and positively thrilled by my presence.
“Okay, I’ll plug in, presumably I’ll get an IP address and will start mapping your network.”
Cliff nodded and headed back to an empty perimeter desk.
The room was mostly silent, save for the gentle hum of a few servers in a rack to the side, and the gentle tapping of keyboards. Being in the middle of all the ‘action’ made me feel somewhat exposed, and it didn’t make for a tremendously welcoming atmosphere.
My laptop booted up into Kali, a specialist open-source penetration testing distribution of the Linux operating system. All of a sudden, a booming voice came from the desk behind me.
“Stevie has a question,” said the as yet unidentified bearded gent. “He wants to know if you’re single.”
“Oh, piss off John,” the younger guy in the central desk in front of me said in response.
I glanced up and looked at the younger guy’s screen, he caught my eye and quickly minimised a Microsoft Lync instant message window with his mouse.
“I’m sorry,” he said. “Ignore him, he’s old and doesn’t get out much.”
I rolled my eyes and made a point to turn and frown at the instigator behind me. I had already figured out that there was a strong possibility that the typing I’d heard in the office was a room-wide conversation about me, the newcomer. Great, I thought to myself, two days on site with this comfortable and inclusive atmosphere. I decided to seek out an ally in the other lady in the room. I caught her gaze and smiled.
“Hi, Laura Knight, nice to meet you.”
“Hi there, Catherine O’Connor. You can call me Cat. Nice to meet you Laura.”
I wasn’t exactly sure how many of the folks in the room knew what I was doing, sometimes these engagements are kept on the down low, while other times everyone and their dog is let in on it, so I couldn’t really offer up any information about my role. For this reason, I decided to continue getting set up on my laptop and hoped that Cat would continue the conversation. I was in luck.
“Ignore the guys, they say stupid things, but they’re harmless really,” she whispered and smiled.
“Great,” I thought to myself. Not exactly a strong ally it seemed.
Unperturbed, I refocused and began the process of opening about 15 terminal windows on my laptop, which I would soon leverage for my various command line tools, and began creating empty folders where I’d store my pen test findings as I went along.
The start of a pen test is like the start of any movie, things take a while to get established, but you could be about to see the best movie of your life. You could also be in for a complete suckfest, of course. A ‘Failure to Launch’ starring Sarah Jessica Parker level of terrible, measured as a penetration test, would likely be conducted in a highly-controlled environment, with so many constraints around what could be tested that it would ultimately be a pointless exercise, and therefore a waste of everyone’s time. At least here, I had just been left alone without a set of rules of engagement. A free pass to do what needed to be done to get results, within reason of course. It’s important to remain professional at all times.
As with any exercise you have to start somewhere, and my proven strategy had been to start with an IP address. In particular, the IP address that had been automatically assigned to my laptop when I joined the network. Like most networks, this one made use of a protocol called Dynamic Host Configuration Protocol (DHCP) to quickly configure devices on the network with an IP address, and IP addresses of key servers, such as those providing Domain Name System (DNS) resolution. In reviewing the initial DHCP configuration afforded to my laptop, I had two IP address ranges to start scanning.
The first range was the network segment my laptop’s IP address appeared in, which was likely a user device segment, and the second range was one that both the DHCP and DNS servers’ IP addresses appeared in, likely a server, or infrastructure focused network segment.
I put my first two terminal windows to use, using a favourite tool, Nmap, a network mapping and port scanning tool, to begin the initial phase of scanning the network. This process took a couple of minutes as I was scanning all 65,535 ports on all hosts in the range. While Nmap did its thing, I sat back and realised that none of these bastards had offered me coffee.
“Stevie, where can I get a cup of coffee around here?” I asked of the younger guy in front of me. He was surprised that I’d been able to remember his name, that I’d learned indirectly during the exchange a few minutes earlier.
“Oh erm, you can just go, erm, you know what, I can grab you one,” he responded.
“Great, thanks. Black is fine,” I replied, smiling as I did.
Cat looked on, and the other faces around the perimeter looked on. I think it was literally the first time anyone had ever made anyone else a drink in that office. We were breaking barriers folks, one coffee at a time.