The financial firm had locked down the old Siemens Rolm PBX's administrative password, but it had overlooked the even more powerful field-technician user account.
"The organization looked like it had good processes, strong security on the perimeter, some controls internally," says Rob Havelt, director of penetration testing for Trustwave SpiderLabs, who worked on the pen-testing engagement for the financial services firm, a Trustwave client.
Havelt says he and his team employed the forgotten user account, which had an old default password, to get in and clone the firm's help-desk voicemail box. The field-technician account is even more potent than an admin account, he says: You can use it to make yourself the admin, for example.
A PBX might not seem to be a lucrative target, but it didn't take long for the cloned help-desk voicemail box to pay off: "One day during testing, we got a voicemail from a user on the road whose VPN access wasn't working," Havelt says. "It just so happens that in a previous life, I was a certified Check Point instructor, and they were using a Check Point VPN. I knew exactly the problem and how to fix it, so I called him back."
Havelt got the user to provide his username and two-factor authentication token password, and then logged in as the user and fixed his VPN connection. "The guy was none the wiser," he says. "And then we ran roughshod over the internal network."
If hacking via PBX isn't odd enough these days, then the victimized user's response to Havelt's help was: "The funny thing about that one was that as we were doing our debriefing, their help-desk manager got an email he couldn't figure out that was in praise of one of their technicians ... how he had gotten back with the user after hours and fixed [his VPN problem]," says Havelt, who will share this and other weird pen-test experiences his team has had during his "Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests" presentation at SecTor in Toronto.
All it took for this rare type of pen-test exploitation was first finding a weak link in a rarely used user account, then setting up the "help desk" voicemail that intercepted the VPN user's call, and socially engineering his credentials out of him. "Having this guy's credentials led to us owning their AD domain," Havelt says. That led to accessing HR finance, wealth-management transfers, and other sensitive information.
In another odd pen-test engagement -- this one at a major manufacturing company -- Havelt and his team exploited an authentication bypass weakness in the company's network of hidden security cameras.
"They had this network of hidden security cameras set up everywhere internally. For some inexplicable reason, they were Internet-accessible," he says, most likely for remotely viewing their feeds.
The SpiderLabs team discovered a zero-day flaw in the camera software itself that let them bypass authentication and gain access to the roughly 20 cameras spread around the facility. About half of the cameras were pointed at various workstations: "As we logged into the camera, we zoomed into the keyboards and watched when people logged in and were able to harvest valid credentials that way," Havelt says. "And then we used them externally to get in [the network]," he says.
"You don't think of your own security cameras being used that way," he says. It's better either not to expose the cameras to the Internet at all or, at the least, to allow access to them only through a VPN, he says.
It's often the little, seemingly benign things left unattended -- a PBX or Internet camera hole -- that leave an organization open to attack, Havelt says. "It's a recurring theme: You leave a default account, a default password. It might not seem like a big deal but can [become one] rapidly. If you give anyone any level of access, they will find another hole" and potentially do serious damage, according to Havelt.