How I compromised nearly 30 accounts of an organisation
Some organisations in India don’t even bother about IT security.
So here’s my journey from 0 to 30 account takeovers in a few hours.
I got a proposal to test the internal network of an organisation, which I accepted, and I visited the site after 2 days.
It started as a black-box test, where I had no information about the network and its subnets.
I just connected my machine to their local network with an Ethernet cable and started reconnaissance.
It all started with network traffic analysis, where I got some mail server login URLs (HTTP requests).
After a few minutes I had a handful of URLs of the mail servers the company was using for official work.
But getting a few URLs is not the problem. At this moment I was stuck on the problem of how I would gain access to the mail servers without having credentials.
I had two choices left at this moment:
1) Authentication bypass, SQLi or any other kind of attack possible at the login panel.
2) To get the login credentials somehow.
Initially I tried the first choice, with no results.
Then I shifted my focus from attacks to getting credentials somehow, and I prepared myself to perform social engineering on employees of the company (mainly focussed on employees of the IT department). I asked a few questions and got to know that the SSL certificate licence of their firewall had just expired and they would renew it in a few hours.
Inside, I said BINGO to myself, as I now had an open opportunity to capture requests, since there was no SSL protection on the firewall itself.
Further, I mapped the internal network and made a long list of hosts connected on almost all the active subnets.
I started capturing and sniffing the traffic and performed ARP poisoning so that I could capture usernames/emails and passwords.
With this I started getting some juicy results. I did this for a couple of hours and then started analysing the results, which were loaded with usernames/emails and passwords of users making requests to some IP addresses, which could be the destination IP addresses where I could input these credentials.
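One way a defender could spot the ARP poisoning described above, as an added example that is not code from the original post: a small detector run over constructed tcpdump-style ARP lines that flags unsolicited replies, IP-to-MAC binding changes and one MAC claiming several IPs. The log format, addresses and MACs are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in a tcpdump-like text form (not a real capture):
# requests: "<time> who-has <ip> tell <ip>", replies: "<time> <ip> is-at <mac>".
# The gateway 10.0.0.1 and host 10.0.0.25 first answer with their own MACs,
# then a third MAC starts answering for both without being asked.
SAMPLE_ARP_LOG = """\
10:00:01 who-has 10.0.0.1 tell 10.0.0.25
10:00:01 10.0.0.1 is-at 00:11:22:33:44:01
10:00:05 who-has 10.0.0.25 tell 10.0.0.1
10:00:05 10.0.0.25 is-at 00:11:22:33:44:25
10:00:09 10.0.0.1 is-at de:ad:be:ef:00:99
10:00:09 10.0.0.25 is-at de:ad:be:ef:00:99
10:00:11 10.0.0.1 is-at de:ad:be:ef:00:99
"""

REQUEST_RE = re.compile(r"^(\S+) who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)$")
REPLY_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})$")


def detect_arp_spoofing(log_text):
    """Return a list of (timestamp, alert_type, detail) for suspicious ARP replies."""
    alerts = []
    outstanding = set()            # IPs with a who-has seen and not yet answered
    ip_to_mac = {}                 # first binding observed for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    for line in log_text.splitlines():
        line = line.strip()
        req = REQUEST_RE.match(line)
        if req:
            outstanding.add(req.group(2))
            continue
        rep = REPLY_RE.match(line)
        if not rep:
            continue
        ts, ip, mac = rep.groups()
        if ip in outstanding:
            outstanding.discard(ip)
        else:
            # A poisoner keeps victim caches pointed at itself with replies nobody asked for.
            alerts.append((ts, "unsolicited_reply", f"{ip} is-at {mac}"))
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append((ts, "ip_mac_conflict", f"{ip} was {known}, now {mac}"))
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:  # caveat: routers/VIPs legitimately do this too
                alerts.append((ts, "mac_claims_multiple_ips", f"{mac} -> {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG):
        print(*alert)
```

The request window is simplified (any earlier who-has clears the next reply for that IP); a production detector would also expire requests by time and whitelist known multi-IP devices.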
I got a few emails/usernames with a blank password field.
So I filtered all the emails/usernames that had passwords and made a separate list of them.
Sorted!
Note: the emails/usernames and passwords I was getting were in PLAIN TEXT. LOL!!
After filtering the credentials by the IP to which the request was made, I started logging in one by one, and with this I compromised 28–30 accounts, including a few accounts of the HR department, the IT department, and yes, the Director of the company, along with many other employees.
Why did this happen?
Due to no/low SSL security at the time of testing.