On 8 January 2014 23:45, Jamil Ben Alluch <[email protected]> wrote:
> Hello, > > I was working on a mental exercise to see how far a pen test could be > taken, and came up with this question for which I'd like to have some input > from those who have done it or would never do it and why (any specific case > that could be shared). > > Has it ever come in your scope/rules of engagement the concept of stealing > a corporate laptop/device from a given employee given the possibility (with > the organization's blessing of course) and use that to leverage access say > to a VPN, admin panels, etc? > > The concept itself seems to be at the very edge of legality, but I was > wondering if this is something that has been attempted and successfully > bore fruit. > > The given scenario I was thinking was about people who work out of the > office but still have access to critical systems/data within the > organization and become careless with their devices outside of the work > place (starbucks, restaurant, airport, bus station, etc..) - It's not hard > to imagine somebody snatching or borrowing the device in order to gain > access to a deeper level. > > I've never stolen one but I've been given a corporate iPad and told to see how far I could get. I guessed the PIN, found stored VPN creds, connected, exploited the Citrix environment, pivoted and exploited more and ended up as domain admin. It is really fun exercise having to go through so many different technologies. Robin > Anyways, food for thought. > > Best Regards, > > -- > Jamil Ben Alluch, B.Ing., GCIH > <http://www.autronix.com> > [email protected] > +1-819-923-3012 > ᐧ > > _______________________________________________ > gpwn-list mailing list > [email protected] > https://lists.sans.org/mailman/listinfo/gpwn-list > >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
