This One Time on a Pen Test: Thanks for Sharing Your Wi-Fi

Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2020 Under the Hoodie report.

For this penetration test, our client was a private equity company, and the task was to do an onsite wireless pen test from the lobby outside their office. I started out by capturing the typical WPA2 handshakes, but attempts to crack the pre-shared keys had taken a lot of time, with no end in sight.


While I waited for the handshakes to crack, I began scanning through the guest network, looking for anything of interest. I found an old scanning and printing server that had default credentials enabled. I then discovered it was connected to the domain using a service account. The device had a flaw where it stored the password in the browser, so I could just extract it out of the web page. Although I had the credentials to the domain, I still wasn’t able to get on the corporate wireless.
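The flaw class described above, a device web page that writes a stored service-account password back into the HTML, is one a device owner can check for with a few lines of parsing. The following is an added example, not code from the Rapid7 post or from the device in question: it scans a settings page for password inputs (and hidden inputs with secret-looking names) whose value attribute is non-empty, and shows the hardened rendering that leaves the field blank. The two sample pages, the field names, and the `svc-scanner` account are constructed for illustration.

```python
"""Audit a device web UI for form fields that echo a stored secret.

Added example (not from the original post). Sample pages are constructed.
"""
from html.parser import HTMLParser

# Constructed sample: a settings page that pre-fills the saved bind password,
# so anyone who can load the page can read the secret out of the HTML.
VULNERABLE_PAGE = """
<form action="/settings/ldap" method="post">
  <input type="text" name="bind_user" value="svc-scanner">
  <input type="password" name="bind_pass" value="S3cret!Example">
  <input type="submit" value="Save">
</form>
"""

# Constructed sample: the hardened page never returns the secret; the server
# keeps the existing password unless a new one is submitted.
HARDENED_PAGE = """
<form action="/settings/ldap" method="post">
  <input type="text" name="bind_user" value="svc-scanner">
  <input type="password" name="bind_pass" value="" placeholder="(unchanged)">
  <input type="submit" value="Save">
</form>
"""

# Hidden inputs with these substrings in their name are treated as secrets too,
# since some firmware moves the credential out of the visible field but keeps
# it in the page.
SECRET_NAME_HINTS = ("pass", "pwd", "secret")


class PrefilledSecretAuditor(HTMLParser):
    """Collect names of inputs that carry a non-empty secret in the markup."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        field_type = a.get("type", "").lower()
        name = a.get("name", "")
        looks_secret = field_type == "password" or (
            field_type == "hidden"
            and any(hint in name.lower() for hint in SECRET_NAME_HINTS)
        )
        if looks_secret and a.get("value"):
            self.findings.append(name or "<unnamed>")


def prefilled_secret_fields(html: str) -> list:
    """Return the names of secret-bearing inputs whose value is non-empty."""
    auditor = PrefilledSecretAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE), ("hardened", HARDENED_PAGE)):
        print(f"{label}: {prefilled_secret_fields(page)}")
```

The parser only sees attributes, so a page that embeds the credential in inline JavaScript or returns it from an XHR endpoint would need a separate check; the point of the example is that a field rendered with the stored value is the simplest form of the defect, and that the fix on the device side is to never send the secret back at all.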


At that point, I spotted an iPad in the lobby that allowed you to page an employee inside the office. The iPad had not been locked into guided access mode, which meant I could do what I wanted with it instead of being constrained to one app.


Using Apple’s helpful Wi-Fi sharing feature, I shared the pre-shared key with my phone and synced it to my laptop. After extracting the key, I logged in to t ..