Withering cyber incidents are frequently in the news. Cybercrime statistics are soaring. We’re all very much aware of the highly unethical cyber attacks that do the rounds.
But cybercrime is one of those unusual situations where you can fight fire with fire. Forearmed is forewarned when it comes to cyber-awareness and it pays to know where exactly your organisation’s cyber-weaknesses lie.
Enter the world of ethical hacking.
What is Ethical Hacking?
Ethical hacking is where authorised cyber security experts (known as “ethical hackers”) are given permission to try and compromise an organisation’s IT systems. These “hackers” will then report back to the organisation about their potential security vulnerabilities so they can be addressed, leaving the organisation’s defences stronger.
How is Ethical Hacking Different to Penetration Testing?
Though the terms are often used interchangeably, ethical hacking and penetration testing are technically two slightly different things. The main difference is their scope. Penetration testers are generally tasked with finding flaws or vulnerabilities in a specific network, piece of software, or new set up.
Ethical hackers, however, usually have a much wider scope – covering an entire organisation’s physical and digital security. It can include classic, digital hacking but can also include “physical pentesting” and usually results in a lengthy report about the ethical hacker’s findings. Understandably, because of this increased potential scope, ethical hackers generally require more qualifications and legal authorisation to do what they do.
This isn’t presented as a “how to” and we don’t encourage anyone to try and emulate the behaviour below without proper qualifications or without explicit permission from the client organisation. It’s a fictional representation of the things that we ethical hackers do and some of the shocking things that ethical hackers can uncover. Similarly, the timescale is a little shorter than real life but it’s presented to give you an idea of an ethical hacking project.
Similarly, please don’t let this scare you! We’ve made this fictional victim particularly ahem… in need of ethical hacking services. If you’re worried about your own cyber vulnerabilities, then give our ethical hacking/pentesting team a call!
Meet Our Ethical Hackers – And Our Target
Mina and Jim are ethical hackers, working together on a project. The client is Chikkin Food: a vegan meat substitute manufacturer and distributor with a small office premises, warehouse, and factory floor.
Before our intrepid techies set to work, they have received explicit legal permission from Chikkin’s directors to throw whatever they can at them in order to uncover their physical and digital security weaknesses. So, with permission granted and contracts signed, it’s time to get to work.
Day 1: Remote Hacking
First, let’s see what can be done from afar. Mina sets to work actively “red teaming” the client’s systems. That means going on the attack! She starts by hunting down some of the client’s internal email addresses on LinkedIn. When she has all of the addresses she can find, she sends them a fake phishing email, pretending to be Office 365, to see who takes the bait.
While she’s waiting for those results to come in, she sets to work probing the network’s open “ports” to find ways into their network. She finds that their remote access port is wide open – a hangover from when the office team were working from home during the pandemic.
She makes her way into the network and uncovers something interesting. Chikkin Food was created when two companies merged, and the older of the two brought with it a lot of older network hardware. On an older server, Mina finds a long-forgotten intranet portal that has been long abandoned in favour of more modern cloud collaboration tools. It’s ripe for code injection attacks but it clearly hasn’t been used for over a decade. There’s not much point in attacking it but it all goes in the report.
Turning her attention back to the phishing email, Mina has hit real paydirt. 10 of the recipients responded to the fake Office 365 email and “logged in” through her fake authentication page with their passwords. And there they are, ripe for the picking in plain text! Mina explores the results, only to find that the financial director’s PA was among those who failed the test.
She then sends “spoofed” phishing emails (emails that mimic another person’s email address) to a few, select sensitive individuals who responded. The email looks like it’s from the FD, asking them to immediately pay an invoice at a mysterious link. It only takes one respondent to click the link and… she’s got another backdoor into the network. Mina 2, Chikkin 0.
Now she has two backdoors into the network, it’s time to make them persistent. She looks at the users who clicked the link and notices that an IT middle manager fell for her trap – he really should have known better! He proves a good target – he has Local Admin rights, so he has permission to add and remove software on his PC. Perfect.
Mina is also able to silently install Mimikatz on the IT bod’s machine, a tool that allows hackers (both ethical and otherwise) to harvest lists of credentials used by the Windows operating system. Mina extracts some password hashes which can be rendered usable by her specialist password-cracking rig. She’s able to create an encrypted, persistent connection back to her machine using the now geriatric SMTP port 25 (which is often blocked for security – but not here, it seems!).
Meanwhile, Jim is trying to hack Chikkin’s e-commerce website and wholesale ordering web app. It collects personally identifiable information and card details, so it needs to be secure. Thankfully, the developers did a good job on security, though Jim does uncover a small code-injection opportunity that could be used to breach user email addresses. It’s a bit obscure but potentially disastrous in the wrong hands.
Jim’s got the gift of the gab, so he then tries a spot of social engineering over the phone. He sets up a dodgy looking webpage with the same network access link Mina used in her email earlier, and chooses his victim.
He pretends to be a new guy in the IT department, testing connectivity. He asks his victim to visit the webpage and click on the link but no dice! This person went and got their manager who rightly called Jim out. Calling from an external number, trying to get someone to click a dodgy link, this team obviously knows something fishy when they see it. That’s the weird thing about ethical hacking – even a “fail” is a positive.
Retrieving the cracked passwords from the cracking rig, Mina and Jim meet to lay their plans for the second day of hacking – this time, on site.
Day 2: On-Site Hacking
On the second day, Mina and Jim get to Chikkin Food’s premises just before the usual 8:15-9am employee arrival time. From the car park, they begin probing the client’s WiFi network. Mina sets up an “evil twin” access point that looks and acts just like the company’s WiFi, but allows her to see the traffic that flows through. It can even fool devices that have the original network saved!
She gets a couple of connections – nothing too egregious, until a roving salesperson turns up, jumps onto the evil twin WiFi from the car park, and orders a new folio case online with his company expense card. Bingo!
Meanwhile, Jim does a physical sweep of the premises – and its WiFi coverage. Not only does he find an unprotected wireless access point in the company’s refrigerated warehouse, he finds an unguarded door into the offices that has been left temporarily unlocked for a much-needed coffee run. He sneaks inside and finds that the server room is right across the corridor… but that door is locked. Drat – but also thank goodness.
With his visual and WiFi sweep of the external premises complete, he heads back to Mina to formulate a plan of action. They both want to get inside, get to that server room, and maybe some offices too! Their preliminary meeting included wardrobe plans: Jim’s dressed like a typical on-site technician with a nondescript branded polo shirt, cargo trousers, a toolbox, a well-worn RFID card clipped to his belt. Mina’s wearing a high-powered business suit and a worn ID card on a client-branded lanyard.
They couldn’t have planned it more perfectly. Jim can go in, charm the receptionist saying he’s “upgrading the servo updog mainframe” (or something equally bluffy-but-meaningless), only to install an RFID skimmer within range of the server room’s card reader. When someone enters, Jim can copy those creds onto his card and let himself in at leisure.
Now it’s a waiting game. Mercifully, there’s a good coffee machine. It’s internet enabled for card payments so Jim’s interest is piqued. Turns out, it’s not well ring-fenced from the rest of the network. He uses the far more secure method to get his coffee for the time being – the change in his pocket.
At the same time, Mina probes the poorly configured WiFi AP in the warehouse. With minimal effort, she’s able to access the network and the IoT refrigeration monitoring system. It’s password protected, but it might be phishable…
With that interesting and fully plant-based nugget noted, she composes herself for her next part of the mission – the role of a harried exec from another office here for a meeting. She waits for an office junior to man the reception for a moment and strides in, looking like thunder. Nobody dares say anything!
Mina marches upstairs and through corridors until she finds an unattended, unassuming, and most importantly unlocked meeting room with an ethernet port. And she’s in! She can uncover all manner of sensitive company assets.
She looks at her list of passwords from the Mimikatz haul and realises something. Connecting to the unprotected WiFi AP, she uses one of the passwords to log in to the refrigeration systems. Yikes, a less ethical hacker would be able to shut down all refrigeration and take out their entire stock! Her shock is interrupted by a ping from Jim about the potentially hackable vending machine.
Wait… a poorly secured refrigeration system… a card-enabled vending machine… could someone pull a 2013 Target hack on this company? The vending machine may not be able to run the same kind of card-stealing malware that the POS systems in the Target hack did… but it would be interesting to see how far she could get. She sets to work.
After gaining some loot of his own from the server room, Jim texts Mina again to mention that most of the ground floor team have left for lunch. “Meet you by that rubbish vending machine lol.” With most of the office out of the way, Mina and Jim can explore the ground floor in search of unlocked PCs, passwords on sticky notes, and other low-hanging fruit.
Jim uncovers an executive’s corner office – with accounting software open and unlocked. It looks like this person was accessing the company’s online banking information in one of their umpteen open Chrome tabs – now thankfully displaying an auto-timeout screen. Phew, but also yikes!
Before they head back to home turf, Mina heads up to the still unoccupied (and still unlocked) meeting room and plugs a hidden, unassuming listening device into the ethernet port. If it isn’t moved, she and her team will be able to listen in to network activity and access the network remotely. It’s all done with security in mind though – the goal here is to discover vulnerabilities, not blast them wide open!
On their return to the office, they’re able to plug in the COO’s passwords into the cracking rig, make a few more observations using the listening device, and start putting their report together.
Day 3: The Report
Ethical hacking projects conclude with detailed reports that include the hackers’ full methodologies, findings, and recommendations; but for the sake of brevity, here’s a list of what Chikkin Food now need to do to improve security:
- Change all breached passwords and adopt multi-factor authentication across all Office 365 logins.
- Remove email addresses from publicly available profiles like social media.
- Implement an intrusion prevention system to stop hackers entering and moving around the network.
- Close any ports not being explicitly used like RDP (3389) and SMTP (25) in this case. Make sure that all ports in use are monitored by a firewall and intrusion prevention system.
- Get rid of the old intranet and any other surplus tech left over from mergers and reshuffles.
- Chikkin Food’s team needs cyber-awareness training, especially around social engineering
- Keep a closer lid on whose PCs have full admin privileges and adopt strict Principles of Least Privilege (POLP).
- Chikkin Food should ask their web developers to close off the possible code-injection vulnerability.
- Set up a WIPS to keep a look out for evil twin access points and other WiFi gremlins.
- Provide training to roving team members around secure WiFi (and payment card) use.
- Make sure that all WiFi access points are fully password-secured.
- Lock external doors and internal meeting rooms when not in use.
- Reception staff need security protocols so they’re more vigilant about visitors.
- Use the latest RFID tech to minimise your chances of RFID spoofing attacks.
- Ring-fence the vending machine from the network and ensure that its traffic is monitored by the firewall and IPS.
- Set up multi-factor authentication or passwordless authentication on the refrigeration portal.
- Train staff to lock PCs and give them a plan of action if they see strangers wandering about the premises.
- All team members with an office should lock the office’s door when they are off-site.
- Properly log out of any financial software or portals when not in use.
Sometimes you need a cyber-savvy critical friend to tell you how to make your existing setup safer. Whether you’re worried about hacks from afar or threats from within, all organisations can benefit from ethical hacking and penetration testing. If anything in the article has caused you concern, contact us.