Assessment Background

When performing a social engineering assessment, you never know what type of person you’re going to encounter, especially when trying to enter the client’s facility.

Sometimes you’ll run into that person who ignores what you have to say, is a stickler for protocol, and is intent on verifying your story and your legitimacy for gaining access. These individuals are the ones who understand that security doesn’t equal convenience. They stick to their security awareness training and incident response procedures, and take the well-being of the company to heart. These are the employees that penetration testers want to avoid when playing the role of an attacker. Unfortunately, this type of employee is often rare in corporate security.

More often, you’ll encounter a very trusting and kind individual who is eager to help out without wanting to inconvenience you by verifying that what you’re telling them is legitimate. By simply flashing an “employee badge”, or maybe just by name-dropping, you will be allowed to proceed. Even if something doesn’t feel right to them, they ignore “intuition alarms” because the thought of challenging you can be uncomfortable.

In a recent assessment, I was tasked with entering two separate facilities for a client, in which I encountered both types of people I just described.

On-site Social Engineering Assessment (SEA)

After initial surveillance on the first location, I noticed a café connected to the building and it was open to the public. While sitting in the café during the breakfast rush, it was easy to get a good look at the target client’s badges as several employees came in and out. As I continued to drink my coffee, I opened up my laptop and quickly forged a mock-up. After I had finished my breakfast, I walked back to my hotel, printed off the badge, put it inside my badge holder and headed back to the location. Time to go to work!

During the initial surveillance, I had noticed a side door which opened by pushing the handicap-assistance button, and which didn’t require a badge. I utilized this entry point to gain initial access into the building. Once inside, I located the client’s suite. It was a shared building and their suite was rather small - actually, much smaller than I had anticipated. I had concerns about how this was going to go. Smaller locations can often be difficult, since everyone knows who is and isn’t supposed to be there. They quickly recognize a new face and become inquisitive.

As I entered the suite, there was a waiting area with only two chairs, an occupied conference room and a glass door into the office area. I couldn’t stay out of view from those in the conference room and the door into the office area was locked. So, picking the lock would be a dead giveaway, and no longer an option. My only other option at this point was to ring the doorbell and hope for an exploitable person that was eager to help me out.

Seconds after ringing the doorbell, a polite young lady came to the door. Bingo!

“May I help you?” she asked.

I gave her a friendly smile and quickly flashed my badge. “Yes ma’am. I’m here from IT Security to take a quick inventory of the servers and workstations.”

“Okay. What’s your name?”

“I’m . What’s yours?”

“I’m . Who did you say you were with again?”

Flashing my badge again, “Oh, I’m sorry. I’m with IT Security. They sent me up here to do a quick inventory.”

She opened the door and invited me in. At this point I started explaining how I was new to the company and this was my first time at this particular location. I said that I wasn’t quite sure what I was supposed to document, and was just told to “inventory the computers on-site.” She then asked if I needed to look at the server room. I, of course, said yes. Since I was the “new employee,” she happily got her keys and led me to the server room. I played dumb and it worked.

Once inside the room, I got out my notebook and camera. She joked about how messy it was in there, and I made small talk about how corporate doesn’t really care if it’s pretty, they just care if it works. After writing down a few things to convince her that I was doing what I said I was there to do, I told her that it was probably going to be a while and if it’s okay, I would just come and get her when I’m finished. I assured her that I didn’t want to waste her time. She agreed and told me where her desk was. As soon as she left, I plugged my laptop into a switch, launched an LLMNR poisoning attack and began capturing usernames and password hashes. While this was running, I continued to write down some serial numbers and server names in case she wanted to see any proof of what I was doing.

After about twenty minutes, I decided that it had been long enough. After all, there wasn’t much in this particular server room, and I didn’t want her to start getting suspicious as to why I was in there so long. As I wrapped up my things and the loot that I had just harvested, I laid my business card on the keyboard in the server room to let them know who had really been there.

Next, I walked to her desk, told her I was finished and that I needed to look at each cubicle really quickly. She was, of course, okay with this. She was so okay with it that she unlocked the executive’s office door without me even asking, explaining that the executive was currently in the boardroom on a call. She even took the laptop off of the docking station for me and I pretended to document the numbers on the bottom. I could have taken it further, but I already felt like such a huge jerk at this point for lying to such a sweet person (which is the only un-fun part about this job). Besides, I already had a solid enough proof-of-concept, so I just kept moving.

While going through the cubicles, I photographed credentials that had been written on post-its and either affixed to the monitor, or pinned up on the cubicle walls. I thanked her for being such a huge help, let her explain other things that were wrong with current systems, and then casually strolled out of the building.

Success in less than thirty minutes.

I was feeling pretty good about the results of the assessment so far, and was excited about the next location — which consisted of two buildings and is known to be fairly secure. The client owns the property and the buildings, and so the security guards watching through the multiple cameras know who is coming and going.

I also knew that the odds were stacked against me, because during the previous year, a colleague had performed the same assessment and was able to gain access to their main data center, as well as the C-level offices on the top floor. Had they actually performed their due diligence and remediated these risks? Or was this going to be another successful attack? We’ll see.

After parking far back in the parking lot, hoping to be out of sight of the cameras, I walked to the first building. The report for last year’s assessment showed that this particular facility is pretty secure. There are only two entrances, one on the front and the other at the back of the building, both requiring badge access, and both with cameras pointed directly at them. I pulled on the doors, but they were locked. It was lunchtime, and I was surprised at how little traffic there was coming in and out of the building; hardly any at all. I knew that piggybacking wouldn’t work.

I approached three employees who were walking around outside at separate times. They were all very nice, but their response to my “new employee badge not working” was that I needed to visit the second building’s guard station to get a temporary pass, or get my badge fixed. No good! I didn’t have an appointment set up with anyone at that location, and venturing over there could be a dead giveaway. I continued to survey the area and noticed a fire escape, but the office windows faced it and a couple of cameras were pointing right at it. No good. If anyone happened to be in those offices or monitoring the cameras, I’d be caught, quickly.

I supposed I should move on to the second building before someone started to wonder who this guy is just strolling around outside. So far, it was going as expected, so not really a disappointment. Also, great job to the client!

The second building, which is on the same campus and not too far of a walk, houses the guard station, main data center and the C-level offices. This is the building that didn’t do so well during last year’s assessment. Again, how much attention did they give to the report? Had they made their security awareness training more robust? Will it be just as easy, or even harder?

As I approached the second building from the back, I noticed that these doors also required a badge. Two ladies walked out, but I wasn’t close enough to catch the door and walk in. I stood outside the door a bit, pretending to be on the phone and hoping that someone else would walk out soon. After about five minutes, I decided to pace a little while pretending to have an intense discussion on the phone. I noticed a blind spot on the building where no cameras were pointing. There was a fire escape, but again, there were several office windows facing it and I was saving that entrance as a last attempt.

After another minute or so, I discovered a mechanical closet outside on the ground level that looked inviting – possibly a maintenance elevator inside? I picked the lock in just a few seconds and entered the room. What a letdown! It was about a 7’x7’ room that had some electrical boxes and air ducts. There were no doors or entrances into the building, and entering through an air duct was out of scope. No “mission impossible” moves today, I suppose.

As I paced back to the opposite side of the building, still pretending to be on the phone, I noticed a door to my right. “Security Guard Office. No employee entrance!” As soon as I read this, I knew I was busted. If I was standing on the outside of this glass door, reading it, I knew that there had to be someone on the other side looking at me. I was right. As soon as I turned around to go somewhere else, the door flew open and a very large security guard quickly approached me.

“Hey! Can I help you?”

I gave him the same story that I had given others, that I was from IT Security and there to do inventory but my badge wasn’t working. He got even closer to me and said that he now had to escort me to the front to check in. While walking down the hallway, I stopped him, hoping that by letting him in on the secret that he’d let me continue. I told him that he had caught me and that I was there to do a security assessment. I showed him my letter of authorization, legitimate and signed by the client. He laughed and didn’t even attempt to read it. He said that he had been watching me from the moment I pulled into the parking lot and that I still needed to come with him. There was nothing I could do at this point and I knew that I had to follow him to the receptionist.

Once at the receptionist’s desk, I explained to her the real reason why I was there, hoping that she would let me continue. She mentioned how they didn’t do well at all last year and that she would have to call the Human Resources (HR) director to let him know. At first she seemed as though she would let me continue to browse the building, looking for any vulnerabilities and to see if other employees would report suspicious activity. I quickly realized, however, that this wasn’t going to be an option when the HR director approached me.

By this time, I was surrounded by five people, all looking at me like a criminal. The HR director was even treating me as one. I explained to the HR director the real reason I was there, giving her my letter and even showing her my fake badge. She copied my letter, sent an email to the point of contact, and ripped up my badge in front of me. I asked her if I could continue the assessment, even if escorted, but she just asked me to leave. Realizing that it wasn’t going to get any better, I agreed, thanked them for their time, gave kudos to the guard for being so watchful, and left.

Lessons Learned

It seems as though the client had learned its lesson. I admit that I was a bit disappointed that the second location didn’t go as well for me as the first one did. But I was also pretty happy that the client had taken our previous report seriously enough to actually fix the issues! This is great and it’s also the whole point of these assessments.

The employees learned that it’s okay to challenge people, and to be polite but verify at the same time. The thing about security is that it’s not convenient. You’re going to have to take some extra steps to do the things you were taught in your security awareness training. You’re going to have to step out of your comfort zone, and ask questions if something seems out of place.

I commend the security guard and the employees at the second location and hope that the nice lady and other employees at the first location learn to follow the same procedures.

Hopefully other companies will follow suit.

How do companies prevent this?

So, how do companies prevent this type of unauthorized access? Security awareness training and due diligence.

Security guards should respond in the same way as the one who caught me. With a proper incident response procedure and a robust security awareness training program, a compromise similar to what happened at the first facility can be avoided. Teach your employees what to look for. Teach them that it’s okay to question what someone is telling you, and to report things that seem out of place. Make sure there is a clear procedure for doing so. Always remember that it’s okay to trust what someone is saying, as long as you take steps to verify the accuracy.

For more information about NTT Security services, contact us at: https://www.nttsecurity.com/en/work-with-us/