Allow me to give you a real world example that is counter to your point.
During an active pen test of a bank, I walked the outside of the building and noticed that one of the doors did not shut all the way. I walked up to the door and pushed it open. That let me into a hallway that had a printer. The printer was connected to both power and a wall plate that had an active Ethernet port. I took my wifi extender, plugged it into the second port, and sure enough got a connection. The wifi extender was configured to allow me to access that port via the wifi link. So I went back outside and pulled my car into the parking lot (Wendy's, I think) that was opposite the door. I jumped on the laptop, connected to my wifi device, and I was on their branch office network.
This particular branch also had a guest wifi for their customers and an internal wifi for their conference rooms. Now I know how lazy IT people can be, so I figured I would crack the wifi password and try to use the same password to get to the switch. So I set the wifi up to require someone to log in. It is basically a reset packet that dumps the wifi connection. Most users don't notice it because the default configuration is to attempt to reestablish the connection by logging back in. I didn't care who it was because I just wanted to get a copy of the hash. Sure enough, I was able to grab a trace of their connect request, and the hash is contained in that request.
Using my Verizon 4G hot spot, I sent that hash back to my cracking rig and had the wifi password in less than 10 min. I don't know exactly how long it took because I went into a coffee shop for a coffee after I sent over the hash. Once I had that password, I went back to the connection that I had put in and sure enough, the infrastructure ... all of the switches, used the same password. Now I could see the branch's traffic. Every single connection. A simple reconfiguration of the switch and now my wifi connection would receive a copy of any person's traffic that I wanted to see. From there, using a similar trick as the wifi reset, I executed a TCP reset on someone's traffic, captured the hash that was sent across the network, and sent that hash to my cracking rig.
So before lunch, I had user credentials and their password and a connection to the backbone along with the infrastructure password. The infrastructure password was "Yankees11!"
No one challenged me.
No one stopped me.
Heck, I didn't even see anyone in the hallway.
After lunch I contacted my security contact and asked if any alarms were going off. Nope, not one.
Owned in less than 4 hours.
Granted, that is the exception rather than the rule and I have purposely left out some details. But I did not target any user. I just cracked the passwords of those that were easy to obtain.
Nice :-D
Thanks once more. Internet/Net security is not a static issue, and not being an expert by any stretch of the imagination, it is interesting to see the issue from the eyes of one engaged in the process.