Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2020 Under the Hoodie report.

For this penetration test, our client was a private equity company, and the task was to do an onsite wireless pen test from the lobby outside their office. I started out by capturing the typical WPA2 handshakes, but attempts to crack the pre-shared keys had taken a lot of time, with no end in sight.

While I waited for the handshakes to crack, I began scanning through the guest network, looking for anything of interest. I found an old scanning and printing server that had default credentials enabled. I then discovered it was connected to the domain using a service account. The device had a flaw where it stored the password in the browser, so I could just extract it out of the web page. Although I had the credentials to the domain, I still wasn’t able to get on the corporate wireless.

At that point, I spotted an iPad in the lobby that allowed you to page an employee inside the office. The iPad had not been locked into guided access mode, which meant I could do what I wanted with it instead of being constrained to one app.

Using Apple’s helpful Wi-Fi sharing feature, I shared the pre-shared key with my phone and synced it to my laptop. After extracting the key, I logged in to the network the iPad was on. To my surprise, the network had access to the internal network. I used the credentials found on the guest network on the domain controller, and to my surprise, it was a Domain Administrator.

And that’s the story of how I was able to compromise an internal network using a receptionist iPad.

Interested in learning more about how Rapid7 pen testers conduct their assessments? Check back every week for a new story in the series.


Get the latest stories, expertise, and news about security today.