usual pen-tests

network services publicly exposed
web application itself

assignment

an inquiry came to hello@rolken.cz, a very well written document:

“test for us the following:”

network from the outside
social engineering via e-mail
social engineering via phone calls
physical security

owncloud

logins
- login names leaked via a 0-day
passwords
- too simple

phone calls

“Which brand of antivirus do you have installed on your computer?”
“I do not know, but our network administrator is at the end of the hall, I can ask her right away!”
If they said they do not know, we offered them a “tool” that will report to us, which one is it.
“I will upload you the file to owncloud, just run it!”

e-mail spear-phishing

job application
probably did not open

a password guessed

Summer2019
gained access to e-mail
intranet

e-mails

what did we find in the mailbox?

which flash drives are allowed
certainly not ours:

intranet

what did we find on the intranet?

security measures
building and network descriptions

how did it look outside

Maps

Wall

trash diving

Trash bin

how to get inside?

lock-picking useless here
guarded all the time, two people at the reception 24/7
cars: camera scanning licence plates + card + human
fence around

getting inside

even though we know so much now and have access to the internal network, the customer wants to know, what

an attacker with skills can achieve
an attacker without skills can achieve

without any information
with some information

what did we achieve

access to owncloud
access to end-user PCs
access to the building
a customer who is happy with the results

summary

customer knew what he wanted
he specified a wide scope of the test
he did not limit us to widen it more
a limited test is not a quality test