Last updated at Mon, 11 Dec 2023 18:03:36 GMT
For this penetration test, our client was a private equity company, and the task was to do an onsite wireless pen test from the lobby outside their office. I started out by capturing the typical WPA2 handshakes, but attempts to crack the pre-shared keys had taken a lot of time, with no end in sight.
While I waited for the handshakes to crack, I began scanning through the guest network, looking for anything of interest. I found an old scanning and printing server that had default credentials enabled. I then discovered it was connected to the domain using a service account. The device had a flaw where it stored the password in the browser, so I could just extract it out of the web page. Although I had the credentials to the domain, I still wasn’t able to get on the corporate wireless.
At that point, I spotted an iPad in the lobby that allowed you to page an employee inside the office. The iPad had not been locked into guided access mode, which meant I could do what I wanted with it instead of being constrained to one app.
Using Apple’s helpful Wi-Fi sharing feature, I shared the pre-shared key with my phone and synced it to my laptop. After extracting the key, I logged in to the network the iPad was on. To my surprise, the network had access to the internal network. I used the credentials found on the guest network on the domain controller, and to my surprise, it was a Domain Administrator.
And that’s the story of how I was able to compromise an internal network using a receptionist iPad.
Interested in learning more about how Rapid7 pen testers conduct their assessments? Check back every week for a new story in the series.
- This One Time on a Pen Test: Playing Social Security Slots
- This One Time on a Pen Test: I’m Calling My Lawyer
- This One Time on a Pen Test: Outwitting the Vexing VPN
- This One Time on a Pen Test: Ain't No Fence High Enough
- This One Time on a Pen Test: I Know...Everything
- This One Time on a Pen Test: Doing Well With XML