Network Pentest for an Oil and Gas Sector Giant
In the recent past, oil and gas companies have been a major target for cyber attacks. Oil and gas is the sector that most affects the national economy of any country, and attacks on it are often considered next-generation cyber attacks. Hackers are now more interested in compromising the IT infrastructure of this sector than that of military or government organizations. This time my team was asked by one of India's oil and petroleum giants to perform a vulnerability assessment and penetration test of their network, both internally and externally, so as to prevent any attack similar to those that Aramco or Iranian oil firms have faced.
Strategy
With the advent of Windows Server 2008, network attacks are no longer confined to remote exploits like MS08-067 or to exploiting some Windows RPC service. Therefore, besides remote exploitation, a second strategy was also considered for the pen test, namely social engineering. Both approaches worked well, as we were exposed to a network that contained a mix of Windows Server 2008, Server 2003 and Linux machines.
Operation
The process started with the first and foremost job of gathering information about the organization, which includes email IDs, telephone numbers and subdomains of the organization. The success of any network pen test depends largely on the success rate of information gathering. Then we proceeded to scan the devices within the pen-test scope, which gave us a good idea of what kind of network vulnerabilities to expect.
An interesting thing to note was that the organization had a proxy server through which internet access for every system was distributed, and as usual such proxies are password protected. Their network admin entered the password into our browsers, from which it was easily recoverable through the browser cache, and it happened to be the password for most of their HP system management web interfaces used to manage the devices. Though a very simple technique, it exposed a huge flaw in password policy: the same password for internet access and for managing critical devices. In addition, the organization lacked separate VLANs for different departments, so their devices could be reached from any internal IP. Such configuration flaws and an unorganized network can easily be compromised.
The very well known Stuxnet attack carried out against an oil firm was a case of a malware attack. Such malware can very easily be injected into a network through a simple email in an organization without an IPS or IDS. We replicated such an attack over this organization's network as part of the social engineering activity that was our second strategy. An open mail server was found accessible from outside the organization and was used to send an email from one of the organization's genuine email IDs to another genuine email ID of the organization, both gathered during the reconnaissance phase of the pen test. A simple malware file embedded in a PDF was sent to an employee of the organization, who unknowingly opened the mail and executed the PDF file. As a result the malware got installed on his system; likewise, a more sophisticated malware would have replicated over the network and could have compromised many other machines. So this activity was a success in demonstrating the type of threat and how an attack could be performed against that organization.
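One defensive check the open-mail-server finding suggests, as an added example that is not part of the original write-up: a small Python audit over SMTP session records that flags unauthenticated sessions from outside the organization which either claim an internal sender address (the spoofed internal-to-internal mail described above) or relay mail to external recipients (an open relay). The mail domain, internal address ranges and session records are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed placeholders: the organisation's mail domain and internal address space.
INTERNAL_DOMAIN = "oilco.example"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

@dataclass
class SmtpSession:
    """One inbound SMTP transaction as a mail server or gateway would log it."""
    client_ip: str
    authenticated: bool   # did the client pass SMTP AUTH?
    mail_from: str        # envelope sender
    rcpt_to: str          # envelope recipient

def is_internal_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def classify(session: SmtpSession) -> List[str]:
    """Return the policy violations a session exhibits (empty list if clean)."""
    findings: List[str] = []
    # Internal clients and authenticated users may submit mail; only an unauthenticated outsider is checked.
    if is_internal_ip(session.client_ip) or session.authenticated:
        return findings
    if domain_of(session.mail_from) == INTERNAL_DOMAIN:
        # An outsider claiming one of our own addresses: the spoof used in the engagement.
        findings.append("spoofed-internal-sender")
    if domain_of(session.rcpt_to) != INTERNAL_DOMAIN:
        # An outsider handing us mail for a third party: the server is acting as an open relay.
        findings.append("open-relay")
    return findings

# Constructed sample sessions; the first mirrors the engagement's spoofed internal mail.
SAMPLE_SESSIONS = [
    SmtpSession("203.0.113.7", False, "admin@oilco.example", "employee@oilco.example"),
    SmtpSession("203.0.113.7", False, "anyone@attacker.invalid", "victim@elsewhere.invalid"),
    SmtpSession("10.1.2.3", False, "employee@oilco.example", "peer@oilco.example"),
    SmtpSession("198.51.100.9", True, "roaming@oilco.example", "peer@oilco.example"),
    SmtpSession("198.51.100.9", False, "partner@supplier.invalid", "employee@oilco.example"),
]

def audit(sessions: List[SmtpSession]) -> List[str]:
    """Summarise each flagged session as 'client_ip: finding[,finding]'."""
    return [f"{s.client_ip}: {','.join(classify(s))}" for s in sessions if classify(s)]
```

Inbound mail from a legitimate external partner to an internal mailbox (the last sample) is not flagged, which is the behaviour a correctly restricted relay should allow.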
Finally, various remote exploits were carried out against network devices and servers, which worked well and provided us with console access to them.
Conclusion
Network pen testing is no longer confined to just exploiting remote OS vulnerabilities and running remote exploits; it has tilted more towards social engineering and other means of attack like malware and Stuxnet-style attacks, just as hackers and evil guys have shifted their targets from conventional government bodies and private e-commerce industries to next-generation targets, i.e., oil and gas companies.