Earlier that year, very - earlier - I had one technician of an international company calling me for some advice. She/He had a problem with the local networking staff and their "modus operandi" regarding network security. The company had a big assembly line and very powerful, automated machinery - which made the leaky security all the more troublesome. My job was to exploit one of those security holes and show - as clearly and easily as possible - said problems - so that they were getting finally fixed.
The first stage of the whole testing was the usual: Reconnaissance. Though, in this case, this was very easily achived, as my contact handed me over parts of the firewall ruleset as well as an access to their office lan. First thing that lit up like a christmas tree: They actually had the production and office networks seperated by a firewall - which is good. For the bad part: They did drop everything. Everything except everykind of ICMP packets. Well. Damn.
Second stage was to create an exploit to that happy little mishap: My contact wanted to be able to bridge office and production networks and access them via the - according to the networking department - water tight secure firewall. The exploit needed to be able to run on a Windows 7 machine as well. With that in mind, I went through different ICMP tunnels: HANS and Dhaval Kapils icmptunnel were the first one to be dropped from that list, as they did not satisfy all constrains. In the end, I choose icmptunnel or short ptunnel. With a bit of manual patching, I could get it to compile and work again on Windows, thanks to the efforts of Mike Miller.
For testing I recreated the network and firewall using a Cisco 1841 and a Cisco 3560 switch. As I needed to integrate ptunnel into the production network, I wanted it to look as innocent and inconspicuous as possible: So I used a Raspberry Pi 3 and dumped it into a DIN Rail case - then I outfited it with a Power over Ethernet adapter and could serve it network as well as power over said network connection.
The tests worked flawlessly and I even cramped enough speed over ICMP to get some remote desktop working.
On to stage three: Attack.
This stage turned out to be way cooler than thought: Due to certain circumstances, we meet at night, 0 dark thirty - you could say - and sneaked through the production line, past workers which did not take much notice in my presence. I inserted the "Rogue Pi" into one closet next to an Siemens Human-Machine Interface and plugged it into the network switch.
Then we left again. Back in the office, I tried to connect to my little helper and was immediately rewarded with a working ICMP tunnel - now transfering an SSH connection as payload. From that moment on, I could connect to a dozend different systems from different vendors in that production network. Last but not least, as "visual" demo, we created a little batch script to start the connection and connect to the Remote Desktop Interface / Human Machine Interface of a very heavy and very unsecured press - now leaving it to our control.
At this point, said connection was only opened in a "read/view only" mode so that - even by accident, we could not harm anyone. We had to bear in mind that this multi-hundred ton press was now at the mercy of our fingertips and we did not wanted to wreck hevoc at all costs - so - if you're conducting field exercises with real "heavy hardware" - find a way to interact safetly with that - before you engage any connection to it.
With this preparation, the technician was able to run the demo in front of the higher ups and finally got the attention, permission and support needed to bring security to a higher standard.
So that effort paid of in the end for the production security of that company - and rewarded me with my first - and hopefully not last - field pentest :).