Within 10 minutes we were on their computers and were able to execute commands freely. From there we leveraged access until we were the domain administrators.
Wow, this is clearly a privileged account management problem that could have been solved with software, smartcard use for administrators, or better control of group memberships.
Scott cracked the Marshalls WiFi network, and he and James started navigating the system: they co-opted log-ins and passwords
Checking last-login dates and more effective provisioning and de-provisioning may have helped prevent this. Of course, if Marshalls had bothered to implement 802.1X authentication rather than running “open” wireless access points, this may never have happened in the first place.
He was also tired of war driving. He wanted a new challenge. He found one in a promising technique called SQL injection.
I’m not a SQL expert, but these guys accessed SQL databases to get their information. Whether they did so with privileged accounts is unknown, but a file/database activity monitoring tool, or something that managed privileged accounts (SQL or domain accounts), may have prevented this type of access or at least alerted someone to it.
And one last pointer from the article: beware of people sitting in cars with laptops and giant antennas!