Ever wondered what it's like to be an ethical hacker? Alfonso Arjona, Senior IT Security Consultant and Ethical Hacker at Outpost24, details the reality of keeping systems secure and the importance of staying caffeinated.
The sun has barely surfaced, and my phone is pinging off left, right and centre. I scroll through and it turns out there is a host of new security alerts pending to be read and analysed. I could tell it was going to be one of those days and there was me thinking I’m popular.
Coffee poured, toast…well, toasted and laptop on. It’s time to get this show on the road.
While my messages download, I take the time to catch up on any developments or updates in the hacking world. A few scans across online forums and social media sites give me a grasp of what’s happened overnight and a sense of the mood the cyber community is currently in.
With all the alerts and messages downloaded, I start scanning my customers’ networks to make sure everything is in order. Once the scan is launched, it can take a few moments before it is completed, so I start trawling my way through the alerts. Skip, not critical, skip, not relevant at this time. Oh wait, here’s one. A new method for gaining privileges on a platform my customers use.
This is very common as there are thousands of privilege escalation methods available and each one allows a user to gain more privileges on a certain system or platform. A common example of this occurs on corporate networks, whereby a regular user with limited access gains admin privileges which allows them to view confidential information or distort system settings.
The scan, now finished, has identified there are a lot of services that should be removed with a few flagged as being outdated. Nice, time to work my magic and explore if they are exploitable or not.
Surprise, surprise, they are! Thankfully, there is nothing interesting on the servers. They are legacy systems with no content that the customer forgot to remove from the production environment. Well, at least I now have the first findings that need to be written for my report.
By mid-morning, my double espresso has well and truly kicked in and I start my second workstation - brute-force attacking numerous services using my “holy grail” of default credentials. This is a relatively simple test and involves trying all possible combinations of known usernames and passwords to access a particular system or application until I find one or more pairs that work. This tends to be more successful in larger environments as administrators tend to forget to change the default passwords on some services, something malicious attackers know.
I look at the clock and it’s just gone 11:30am. My stomach’s grumbling but it’s too early to have lunch. A banana or apple will suffice. It’s at this point I think to myself, do the customers realise how boring certain parts of testing are? Send a payload, check the response, change a bit of the payload, check the new response and repeat.
It can get very mundane and tedious quickly, but it is a necessity to ensure the systems are fully operational and secure. This pulls me through to lunch and I’ve already thought of the winning combination for my sandwich: fresh onions and tomatoes on slightly toasted brown bread with the finest French cheese layered with smoked ham and cut into even triangles.
But before I can sink my teeth into anything, a highlighted line appears across my terminal!
Turns out the brute force I was working on discovered a set of credentials in one of the systems which enabled me to log in. After some light digging I found it was hosted on a hypervisor or a virtual machine (VM) which gave me the capability to run an exploit that enabled me to access the host’s operating system.
I continue to scour the internal network and I eventually unearth some very sensitive material, so much so that I contact my customer almost immediately to inform them. Within 10 minutes a meeting is scheduled with the whole team.
Rolling deep into the afternoon and having discussed calls to action, the meeting ends with the customer shutting down certain systems and blocking access to the internet to the entire world. Only I would have access. This is the best way to prevent potentially threatening situations and to allow continuous scanning of the platform.
You can never be sure when a new vulnerability will arise and depending on how malicious the flaw is, the best course of action is to close certain features until it is addressed.
The default credentials I found gave me access to a system that housed a gazillion backups. Time to download some and check the content. Before you say anything, I was given permission by the customer as this is exactly how a cybercriminal would act. Therefore, it is imperative for administrators to change default passwords and usernames to something more secure instead of a simple 1234 or 0000. It’s a simple step many seem to forget.
I need evidence of this. First, I'll sort the backups by size. I need to copy one to prove I've been there, but I don't have too much space left on my laptop. Bingo! At the top of the list I found script files. These files contain credentials for the most important domain accounts and SQL servers.
As the street lights outside turn on, I realise this will be a long night. I’ve barely scratched the surface and the more I dig, the more I find. The client is going to be in for a shock when I tell them, and the IT team will be patching services and applications way into the early hours of the morning. I honestly don’t envy their position but that is the price you pay to ensure a decent level of security.
Suddenly I realise that the office is too silent, and I spot the time. Laptop off and time for my escape. I will leave the reporting for tomorrow as well as testing identified web applications. It’s been another long day. The only thing I have to look forward to now is actually eating my sandwich as I make my way through the empty office. I’m the last one in the office…again.