Pentesters Hate Him. One weird trick to PWN everything!

· 955 words · 5 minute read

Listen to this story

In the early 2000s ARP spoofing was our go to party trick to use on internal pentests at Scan Eye Tea. It’s what I used in the bank we got chased away from. A week after my stint as a garbage collector, I was to assume the role of an employee of the bank at their head office for a week. This time they knew I was coming. My mission, should I choose to get paid that month, was to go in with no prior information, find a bunch of administrator level passwords and then use them to gain access to what the bank would classify as: very important systems.

Back then, we would recommend our clients give us a staging environment to run our tests. However, like Boeing, most of them glossed over this detail and allowed us to run tests in production. So we would ARP spoof in actual production networks. Before we proceed, let me take a brief aside to describe what ARP spoofing is. All computers talk to each other on a network of some sort. A group of computers within the same building will typically be on the same network. Each of these computers will relay information to each other through a gateway. In most cases this gateway is some sort of network switch or router. ARP spoofing is the extremely risky technique of running a smear campaign against the current gateway. Like mudslinging in the US elections, one candidate on the network will bombard all other citizens on the network with propaganda, informing them that the current gateway doesn’t know what it’s doing, and that all network traffic should be entrusted to that candidate instead. As that candidate, you then begin to take on the very important role of sending and receiving traffic on behalf of all the citizens on the network. The intended effect of this is that you now get to see all the network traffic flowing back and forth.

After first ensuring that my flagstone of a laptop was set to forward traffic, often a gotcha in ARP spoofing, I kicked off the negative PR campaign against our friend the HP Switch using Ettercap.

“Ho ho ho! Just wait until the network hears about what YOU DID!”

Dutifully, all computers on the network then slowly began sending me their data and I began writing it to a file locally and then forwarding it along to its intended destination. Later I would fire up Ethereal and sift through the data to find any useful bits of information. Information such as admins logging into servers using telnet or FTP. Now, if you have even the faintest familiarity of the tools I just mentioned, then I hope your midlife crisis is going well. I recommend getting the lava orange 992 GT3.

I discovered several admin passwords and some other interesting network ranges to explore. I like to multitask while waiting for longer scans to complete and one thing I normally do is to scan large groups of hosts for one or two ports. So while waiting, I scanned for HTTP ports and found a handful of hosts which I then opened up in my browser. A couple of them were just the web interfaces for the photocopiers and then one bare looking login page for something that seemed like a custom developed portal. I can’t remember what the brand of the copier was, but it had this setting enabled on it that would save a copy of every scanned document to its local storage. I would end up having some fun sifting through some confidential documents later on, but for now I turned my attention to this portal.

Not the actual ATM.

Image Copyright Szymon Kochański

One of the passwords I had collected let me in and I saw a two column layout with the larger of the columns on the right containing a map of the UAE. Dotted around the map were little red and green circles and clicking on each of them opened a small info box that had an IP address, hostname, running state and some other stats. What mostly caught my eye was that all the hostnames were prefixed “ATM_”. With shaky hands, I made notes. Always make notes. Always. I collated all the IPs of what I believed was their ATM network and prioritized scanning these. I’ll spare you the details of what came next, and instead summarize as follows:

  • Each ATM ran outdated Windows XP with remote desktop enabled.
  • Each ATM had the same administrator password.
  • ATMs would collect and store images of each customer interaction locally.
  • I could shutdown the entire ATM network, but would have to do so one ATM at a time.

I didn’t mess with the ATM binary because I felt the access I had gained was sufficient and I also didn’t want to break anything. I didn’t want the intervention of the already angry bank IT team. The Scan Eye Tea team always riled up the client IT teams. I learned that effective pentesting was as much about relationship building and education as it was about skills. Admittedly, I learned this 15 years later only after arrogance eroded with age.

I earned my keep that week and my reports ended up being my eventual selling point where repeat clients would ask for my involvement on projects. I was in great company with my colleagues and my cybersecurity career was off to a great start. I couldn’t ask for more. ARP Spoofing was the one weird trick that worked that day. It is a double-edged sword however, and not all ARP Spoofing stories have a great ending to them. Maybe I’ll tell you one of those stories another time.