Tales From the Road: How DirectDefense Got a Free, Round Trip Ticket to an Airline’s Internal Network During a Physical Pen Test

Tales From the Road: How DirectDefense Got a Free, Round Trip Ticket to an Airline’s Internal Network During a Physical Pen Test

Using Simulated Security Attacks to Test Network and Physical Vulnerabilities

DirectDefense was asked by an airline to conduct security testing through simulated security attacks to help identify vulnerabilities that could put the airline’s data and operations at risk.

As part of the engagement, DirectDefense:

• Developed penetration testing scenarios to simulate an adversary attempting to circumvent security controls (both physical and logical) that were in place to protect the airline network and data assets.
• Attempted to gain unauthorized physical access to a targeted subset of the organization’s facilities
• Measured the security awareness of airline personnel in their ability to recognize, and act upon, such an attack in an attempt to thwart the attack.
• Attempted to gain access to the internal network environment (only in the event physical access was obtained).

Spoiler Alert: Through effective tactics, like tailgating, we were able to gain unauthorized access to the airline’s internal network via physical breaches at three locations including an airport, a training facility, and the corporate headquarters.

Attempt #1: Free Ticket to Ride the Airline’s Internal Network

For our first attempt at a physical breach, we went straight to the ticket counter at one of the airline’s airport locations. To gain access to the ticketing agent station, our consultant simply walked across the baggage scales and began working behind the counter as if he was an authorized airline employee. He was able to gain access to the airline’s internal network and sensitive data assets via the ticketing counter by disconnecting the network cable from the computer at a ticketing agent station. Not one employee confronted our consultant to intervene in the process.

While there, we noticed that an airline technician was performing maintenance on the airline ticketing Kiosks, so we targeted alternate Kiosks to attack while the legitimate technician was working. Our consultant was able to gain physical access to the airline’s internal network via four ticketing Kiosks which were not fully locked by disconnecting the network cable from the Kiosk unit and connecting a laptop computer. Although DHCP was disabled, there appeared to be no other logical controls at the network level to prevent access to the internal network once physically connected and IP information was statically assigned.

Next stop, Gate A32. Physical access to the gate counter computers, devices and cabinet containing the network printer was not found to be prevented by any physical security controls. Our consultant was able to gain access to the airline’s internal network via the printer cabinet at the gate by disconnecting the network cable from the printer inside the cabinet, via the service counter at the gate by disconnecting the network cable from the IP phone on top of the counter and also by disconnecting the network cable from the computer inside the counter. No logical controls existed at the network level to prevent access to the internal network once physically connected.

The Takeaway: All three attempts demonstrated significant weaknesses in the existing security controls in place to protect the organization. A real attacker could leverage identified vulnerabilities to gain access to the airline’s internal network and sensitive data assets and would likely spread to a full compromise of the Active Directory domain.

Attempt #2: Flying Into a Training Facility & Taking Off With Network Data

Upon arrival at one of the airline’s training facilities, our consultant noticed a group of students returning from lunch and tailgated them into the building through the main entrance. Once inside, he walked around the facility and found a computer that was unlocked and signed in. He enabled wireless and the computer connected to the wireless network. It wasn’t long until he was able to connect to the Internet, as well as the airline’s network resources, such as Domain Controllers. Our consultant was also able to browse a USB storage device, which he had inserted into the laptop.

Additionally, he connected the laptop to DirectDefense’s BeyondTrust remote access instance. This allowed for persistent interactive remote access to the laptop.

From here, another consultant was able to access the laptop and would have been able to install software that would allow the laptop to function as a proxy to the internal network, permitting further penetration and exploitation to occur. At this point, the consultant was noticed and challenged by the facility manager. The consultant presented a fake badge and stated he was from IT and fixing connectivity issues with the laptop. The facility manager stated there were no issues with the laptop and further challenged the consultant. In this time, remote access was obtained, and the consultant left the facility.

The Takeaway: DirectDefense was able to gain access to the training facility and access a laptop on the airline’s network. From this vantage point, an attacker would have access to the internal network as an authenticated user and machine, leading to a compromise of the airline’s network and assets. Although this simulated attack was recognized by a vigilant employee, we were able to attain remote command and control of an airline system prior to leaving the facility.

Attempt #3: Tailgating Our Way into Airline Headquarters

Our consultant arrived at the airline’s Headquarters facility and was quickly able to gain unauthorized physical access by tailgating the airline’s personnel right into the building. In fact, several employees even helped the attack by holding doors open and pushing elevator floor buttons for our consultant! Once inside, we were able to connect to the internal network from several vantage points on floors one, three, and five of the facility, thanks to propped open doors and malfunctioning locking systems.

While our consultant was in the mailroom, three employees entered the area. At no point did an employee attempt to properly identify the consultant and question him for being there.

The Takeaway: The results of this exercise demonstrated significant weaknesses in the existing physical and logical security controls in place that are intended to protect the organization from such an attack, namely:

• No tailgating controls to mitigate the problem of tailgating.
• No logical controls at the network level to prevent access to the internal network once physically connected.
• Several areas where physical locks were disabled or malfunctioning.

Lack of Physical Security Clears the Runway for Internal Network Attacks

The simulated attacks all highlight the fact that your internal network and all the sensitive data on it is only as secure as your physical security. Once on the internal network, DirectDefense was able to exploit vulnerabilities, move laterally throughout the internal network, gain access to hashed and cleartext credentials, compromise privileged accounts, and gain privileged access to the Active Directory domain.

An attacker in a real-world scenario could significantly compromise this company, bringing on major consequences for the airline and its customers.

Keep Your Network & Sensitive Data Grounded

DirectDefense recommends the following physical and technical security measures to keep your network data from taking flight.

Physical Security Recommendations:

• Tailgating Controls: DirectDefense was able to gain access to the facility by tailgating a group of employees returning from lunch. Employees should be required to present an access card or badge to gain access to the facility.
• Security Awareness: DirectDefense was able to tailgate a group of employees entering the facility. DirectDefense was not challenged or questioned by any employees while entering and walking about the facility. A security awareness program should be implemented, with specific training on the performed scenario.
• Session Lockout/Asset Security: DirectDefense was able to access an unlocked workstation that was already signed into the Frontier domain. Workstations and laptops should be locked when not in active use.

Technical Network Security Recommendations:

• Network Segmentation: Establish firewall access controls between the various internal network segments to mitigate and limit access to network resources in the event an attacker gains access to any given network segment.
• Egress Filtering: The assessment identified that in general, egress restrictions do not appear to be in place. After obtaining physical access, an attacker could leverage this configuration to exfiltrate data over the Internet. Implement tightened egress filtering rules to prevent data exfiltration or tunneling out of the internal network.
• Network Access Control (NAC): Implement a NAC solution to restrict network access within all facilities to ensure that only authorized devices can plug in to a network jack and connect to the internal network. The NAC solution should be effective at preventing MAC address spoofing as well.

How Tight is Your Organization’s Physical Security?

Our consultants’ ability to gain significant access to several locations demonstrates the importance of tight external security, especially in busy, high-traffic areas like airports where one individual can easily go unnoticed without the right security protocols in place.

This engagement also demonstrated the importance of running regular security testing, as ever-maturing threats continue to place unprotected organizations at high risk. Get a physical penetration test to understand how the security of your physical environment could be improved.

Contact Us Today!

Take stock of how secure your organization is from malicious attackers. Contact us today or call us at 1 888 720 4633.

   By: Bethany Kozal   02.14.23