Another Wednesday, another war story. As a Senior Security Consultant here at NTT Security, I am constantly performing assessments on-site for our clients. At a recent on-site social engineering and physical security assessment, we exploited some vulnerabilities that could easily have been avoided with the right security measures in place.
Also, as many of you are aware, October is National Cyber Security Awareness Month (NCSAM). A theme during that month is STOP. THINK. CONNECT. However, I’d like to change it to fit the theme of my blog: STOP. THINK. FACT CHECK. As I’ve said in previous war stories, always ask questions and check that the person is who they say they are. No matter how nice someone may look or act, always fact check. Use your instincts and don’t let someone with seemingly legitimate credentials fool you.
The goal of this assessment was to obtain access to a low-turnover facility, capture some domain credentials, and get out without being caught. To test the security awareness and physical controls that were in place, Tim Roberts, Drew Culbertson and I developed the following guises:
- Potential Employee: Arriving at the wrong campus, awaiting an interview.
- Contractors: There to test the network connectivity on cubicle drops because they were “running fiber.”
In order to have a reason to enter the building and maintain access, I took the role of someone who was scheduled for an interview. Through reconnaissance, I learned that the company was conducting interviews that day at a different site. I also learned through eavesdropping that someone had been scheduled for a group interview but had gone to the wrong location. This seemed to be a common problem, since this particular client has multiple locations in the area. I wanted to take advantage of the recruiter names I’d gathered, so I planned to name-drop to the receptionist to make my backstory of having an interview scheduled seem more legitimate. I quickly put together a fake resume. To really take advantage of the situation, I converted it into a PDF with a malicious payload (reverse TCP Meterpreter) and saved it on a thumb drive, so I could ask the receptionist to “please print off my resume for me.”
This location was the client’s smallest building, so there wasn’t really much opportunity to just walk in unnoticed. I knew being there for the “interview” would be a good distraction while Tim and Drew attempted to make their way in.
I was dressed in my suit and ready to go. Drew and Tim dropped me off in a nearby parking lot, and I made my way to the main entrance. The receptionist was busy with phone calls and helping a customer. She greeted me, and I assured her that I was okay to wait a bit, making sure to keep a polite and trusting smile. Because I didn’t want to waste time just standing around while waiting for the receptionist, I thought it would be a good idea to see what information I could find inside to relay to the guys, who were currently trying to enter through the back door of the facility. I even thought I might find the back door and let them in myself. So, I politely interrupted while she was helping a customer and asked for the location of the restroom. Luckily for me, it was past her desk and back in the office area. After walking past her and turning a corner, I was quickly out of her sight. I tried to find the back door quickly, but was unable to. I knew that I needed to get back to the lobby quickly, or she might get suspicious and send someone after me, potentially blowing the assessment. So, after a few minutes of looking for the back door with no success, I returned to the front to carry out my original plan of distracting the receptionist. That’s fine. That would have been too easy anyway.
I began a conversation with the receptionist, who was now alone. “Hi! I’m supposed to meet here for an interview at 1pm today.” We discussed the details of the name I dropped. She was familiar with the person, as they are in charge of the hiring and interview process. She was also quite sure that interviews were at a different location (which indeed they were). I then explained that the recruiter I had named and I had discussed a separate interview at this location. I also added that because I was short on time and had been in a hurry to leave my house, I had forgotten my printed resume on the table, and I didn’t have time to go back and get it or to find a print shop. While already trying to hand her the USB drive, I asked if she could please print it out. I stressed that I really needed this job and that I really appreciated her help. In reality, though, I really wanted that malicious payload to execute so that our other co-worker back at NTT Security, Kelly Correll, could take control of the receptionist’s machine from his location in another state. She said that she was not permitted to plug anything into her computer. I pushed a bit more, but she wasn’t budging. She did, however, offer me a clipboard with a blank application that I could fill out. Good for her on remembering her security awareness training and policies! This was a great sign that the company’s security awareness training was working, and a bad sign for us trying to infiltrate.
While I was having this discussion with her, Tim and Drew entered through the front door and informed the receptionist that they needed to run some network connectivity tests and would only be a moment. However, she requested that they sign in. After some back-and-forth attempts to avoid showing a photo ID alongside their fake contractor badges, helped by my interjections trying to get her to print my resume, they were able to enter with only their fake IDs.
After Tim and Drew had made their way around the corner and were out of sight, I thanked her for her help and sat on a couch in the lobby, pretending to be busy filling out the application. I made sure that I was within earshot of the receptionist so that I could hear anything that might be discussed about the “contractors.”
Tim and Drew quickly made their way to the top floor, where only a few of the workstations were being used. Equipped with hardware keyloggers, fake contractor badges that they had printed up the night before at the hotel, and a convincing story about “testing network connectivity issues,” they found an employee who agreed to let them plug in the keylogger, which they described as a “network connection testing device.” Before placing the device, they asked the user to lock the computer. This was done to give the user some assurance that the computer “could not be tampered with.” Once the device was installed, the user was asked to log back in. This ensured that domain credentials would be captured by the keylogger in clear text.
While they were upstairs capturing credentials, I continued to listen to the receptionist. After a couple of minutes, she had started to worry, as she knew something didn’t feel right about the contractors. She called another worker to come to her desk and began to explain how something felt off. She was finally following up on her “intuition alarms,” and really starting to worry that maybe she had done something wrong. She then began calling others to verify the names of the contractors who had signed in. The person in charge was not familiar with the names, nor were they expecting any visitors. So now the search was on. I was continuing to update Drew and Tim via text messages, and at this point told them, “They are actively searching for you two now. Get out.” I also made a comment to the receptionist along the lines of, “Oh, are you talking about those two guys who were walking around, and one had a clipboard? Yeah. I saw them. They went that way.” I, of course, pointed in the opposite direction from where they had headed.
Tim and Drew quickly wrapped up their interactions with the employee, retrieved their keylogger, and made their way out of the building through a nearby stairwell. Once they were outside, Tim called me to tell me they were out. I used that phone call as an “out.” I pretended it was the woman I was meeting for the interview, calling to tell me that it was actually scheduled for tomorrow. I spoke loudly enough that the receptionist would hear me. I wanted to give a reason to leave, so as not to raise any further suspicion. So, I made a joke about how I needed more coffee and thanked her for her time. I then exited the building and met Tim and Drew, who were already outside with the car, waiting to pick me up. The getaway was a bit quicker than usual, since the police station was adjacent to the building and we didn’t want to take the chance of being apprehended. Lucky for us, the police hadn’t been notified, and we completed yet another successful social engineering and physical security assessment.
The key takeaway from this war story is to always fact check. Call your co-workers and confirm that any visitor is who they say they are. Even if they are already past the front desk, don’t let someone connect anything to your computer without knowing who they are and without permission from the appropriate people within your organization.
STOP. THINK. FACT CHECK.