Most of our assessments focus on large corporate environments. This comes with pros and cons, just as smaller engagements can also have their pros and cons. Some of the pros to performing an on-site social engineering, physical security or red team assessment against a large employee group is that you have the benefit of blending in a lot more easily. Unfortunately, the engagement I am about to walk you through was against a financial institution’s local offices that assist in processing their client data and housing applications, and apparently their turnover rate wasn’t that high. The client had some small offices (built into the houses and on the property that they sell) scattered throughout the U.S. and the two in scope were right in the middle of a congested housing district.
Since this was a black box assessment, I had very little client-provided data, and the target facilities had been recently built so Google Street View didn’t help with my Open Source Intelligence (OSINT) prep work. So, I decided to drive by the buildings a couple of times. This is where I noticed that only one employee was at the site and she had clients coming in and out of the residential office. I decided to dress the part of the corporate networking guy and donned a fake badge with my picture, the company logo and the name “Elliot Alderson,” along with some jeans, a ball cap and zip-up jacket. I also had my laptop bag, a preconfigured drop box (PwnPlug by Pwnie Express), a couple of hardware key loggers, a Rubber Ducky (by Hak5), a Mark V Pineapple and some U3 USB devices with pre-loaded reverse-TCP payloads. Did I need all of this? Nope.
With these types of assessments you risk coming across a very skeptical employee, but more often than not, the sad reality of it is that if you say you’re with “IT” or “corporate,” employees tend to believe you – unless you give them a reason not to.
On-site Social Engineering Assessment – Location #1
Once on the property of the first site, I made sure to park down the road a bit and walk to the target location. I noticed that the side entrance had lever handle doors and the main entrance had a generic residential handle and lock. I saw no security sensors (lockpicking is always an option). As I walked in, I smiled and waved to the employee who was busy with a customer, in her glass office. I looked around and noticed a vacant office to my right as well. This was small…
“I will be with you in just a moment,” she acknowledged me. I nodded and sat down in the visitor area.
She appeared to be pretty busy (a perfect time to exploit), so I briefly interrupted and asked about the vacant office, followed by, “Sorry to interrupt, I know you’re with a client, but I am with ABC and need to test the network connectivity of some of our new offices. Could I go ahead and get started in here while I wait?” I nodded to the vacant office.
“Oh…Sorry, not that office. I am just wrapping up here and then you can use my office.” Well, that was easy, I thought to myself, a little shocked. I waited for five minutes as she got up from the desk, shook hands with the client and motioned to her PC. “What did you need to do again?” she asked.
“I just need to test the network jack and hop on your system real quick.” As I was talking to her, I sat down at the desk, pulled out my wireless drop box and connected it to the router (behind the printer nearby). “Have you had any latency issues, dropped calls or any sort of connection problems? We are in the process of making some upgrades and…oh, your screen locked out. Do you mind logging back in for me? Also, go ahead and save any work that you may have open.”
She leaned over me, typed in her domain credentials and I screen surfed for a few minutes as she saved her work. Social security numbers and housing applications…sweet! I also noticed the name of the document processing application that they used, with a recent client just added and still pulled up.
“Also, have you been able to use your domain credentials to authenticate to the XYZ application?”
“Oh, no. I use a different password for that.” She nodded to her keyboard. I raised an eyebrow and looked over. She had conveniently written down a handful of passwords on a piece of paper taped to the bottom of the keyboard. People still do this? Apparently.
“Ah, okay. Which one?” I chuckled in an effort to help her to relax, especially after she had exposed her passwords. She laughed too and then proceeded to tell me what each one was used for. By this time I had already plugged in my drop box and key logger…but, did I need them? Nope. I instead plugged in a thumb drive, visited a phishing site that I had set up earlier for the remote portion of the engagement, and asked her to log into the “Portal” with her domain credentials. She did and they were sent to another Security Consultant who had been waiting for the reverse-TCP connection or some credentials to try out on their VPN.
I sat at her system for a good 45 minutes just talking to her about her day, boring IT stuff (where she reminded me a few times that she was not “technical”) and copying several scanned documents with client and financial data. I had made sure that the screen wasn’t in a position where she could see what I was doing. It was at this point that she started talking to me about the things that didn’t work (like her Bluetooth, mouse, etc.). I kept the guise going and wanted to see if I could convince her to plug in the Rubber Ducky, “Oh, it looks like you are missing your USB receiver for the wireless keyboard. I have one that we can test. Care if I plug this up or do you want to?”
“If it’ll help, that’d be great! You can go ahead and do whatever you need to do.”
Well, okay then…
It only took five minutes to get physical access to the client system and networking devices. Within the first 15-20 minutes I had a drop box plugged in, a key logger installed, a Rubber Ducky plugged in and about a gig of sensitive data being dumped. I walked out of the office with a handshake, a thank you, and more than I had come for.
On-site Social Engineering Assessment – Location #2
The second location was similar to the first in appearance and layout. This time, however, I picked up some Starbuck’s with an extra coffee prior to arriving. Once I parked and walked into the facility, I was greeted by another lady and noticed a maintenance worker sitting across from her. They were complaining about their day and promptly got quiet as I entered.
“Hey guys, I am with ABC Company and just need to test the network connectivity.” I smiled as I sat the coffee cup holder down and began to take my laptop bag off. They looked skeptical.
“You’re here to do what?” The gentleman asked. At this point I considered that he may actually be from IT and my cover could be compromised.
“There was a ticket put in a while back. Did you guys not get an email notification that I would be here? We are in the process of doing some migration on the network and there have been some outages at the XYZ offices, so I get to drive around all day and choke down ludicrous amounts of caffeine.” I laughed. “Speaking of which, Starbuck’s gave me this extra Americano, if one of you would like it. I know they were out of coffee at the .” I brought the coffee over to the desk, sat it down and went to shake the man’s hand, “Oh, I’m sorry, I am Elliot. I am guessing you aren’t a client?”
“Ha ha. No. I am with maintenance. Just finishing up break and figured I would come over here and annoy Sarah. Todd’s the name.” He returned the handshake.
“What kind of coffee is this? I usually just drink the specialty coffee drinks with a lot of sugar and syrup.” The woman behind the desk laughed as she picked the coffee up. “Here you go Todd, I think this is just black. Probably more your taste.” She passed it over as Todd took it, stood up, thanked me and left the building.
At this point, Sarah locked her system and let me sit down at her desk. Instead of using a lot of gadgets, I just took out the key logger and plugged it in between the keyboard and the system. “Could you go ahead and log back in? I need to pull up a command prompt to test the connectivity.” She did, and the key logger was able to catch her submission. “Actually, because I am going to have to ask you to do that a few times, do you mind just writing down your credentials and then we can trash it once I am finished?” I slid the Post-It stack to her and placed a pen on top as I continued to focus on the system, in an effort to convey that this was normal.
“Ha ha. Sure. Just don’t tell anyone or laugh at my password.” She wrote down her password and slid it back to me.
“Well, I will try not to share it with any hackers or anything.” I laughed. “This is a unique password. Fan of the book?” We then discussed the book that she had modeled her password after. This went on for a while as I simply repeated what I had done before and began to dump sensitive data. At this point, a real estate agent came in with a client and they began talking to the employee. I waved for her to go ahead and do what she needed to do. She nodded and began attending to them.
As I was snooping around the system, I gained access to network shares and several systems on the network. I also noticed that she had her BitLocker recovery key saved conveniently in the My Documents folder, along with some VPN information. Once she was finished with the agent, I had already retrieved more than what I came for. “Sarah, I noticed you don’t have a laptop. Do you ever do work from home?”
“Ha! I am not special enough for a laptop. But, they did give me a tablet that I rarely use. I can’t get the VPN to connect.”
“Oh yeah? Could you show me how you typically connect from home and what credentials you use? Maybe I can reset some things from here for you, in an effort to help. At least, since I am here.”
She continued to explain how to remotely connect to the ABC network and I listened. Since I am far from having a photographic memory, I took some quick notes when she wasn’t paying attention. In the end, I had another gig of data, domain credentials, encryption key and a tutorial about how to connect to the VPN. I’d say this was a successful engagement and most importantly a reminder of how gullible people can be, when you appear legitimate, are sympathetic and helpful.
So, what do we learn from this war story?
It doesn’t matter how big the target is, but how aware the employee is. Employees rarely ever look beyond face value, and that includes a legit looking appearance (in this case, “IT guy” with a badge), a free cup of coffee, a roll-with-the-punches approach to conversation and the ability to just sit, listen and “do your job.”
How do companies prevent this?
Guess what? Security awareness training! This goes beyond the annual awareness campaign and quizzes. This must be ingrained into the culture of your company. Your employees must be aware of the risks that are associated with information security (this includes physical and technical controls). A good security culture, social engineering countermeasures and enforced standards can prevent a potentially dangerous and damaging compromise. When it comes to physical security, it is more than information that could be at stake, but also the employee and company assets.
You don’t have to be paranoid, but in the age of hacktivism and terrorism, skepticism and awareness are traits every employee should have. An employee who is able to discern common traits and mannerisms of a would-be attack, can be the first barrier to prevent compromises like this, and many of the other war stories that I have shared. Hackers do not care how hardened your network is if they can just walk in and ask for passwords and access.