Quick and Dirty Social Engineering
Every now and then, I work on the assessments that normally Brent White and Tim Roberts blog about. When I’m privileged to get such an assignment, I typically create unnecessary pressure on myself in an effort to compete with the likes of my aforementioned teammates and their overwhelming success on Social Engineering Assessments. I find myself feeding off the pressure and nervous energy, turning it into excitement and focus. By drawing on my past experiences in the Broadcast Television industry, I convince myself that this will only help me succeed on such a project. Then, when I get word of the increased challenge level, whether due to the small size of the company being assessed, a shared work environment or building, or armed guards present, I actually find myself getting even more excited. Assignments like these, while appearing scary at first, offer a nice change of pace.
Social Engineering Assessment Background
On one such assessment, I was faced with a few challenges that could have increased the difficulty of achieving success. The organization had a small employee base, less than 100, and shared a building with a couple of out-of-scope organizations. This meant that posing as an employee was absolutely out of the question due to the increased likelihood that everyone knew everyone they worked with. This also meant that I would have to be quick with any attacks once inside the facility, and hope that the office layout afforded me opportunities to covertly place any pre-configured malicious devices on the organization’s network.
After some reconnaissance, I discovered which property management company managed the shared facility that was in scope for the assessment. I also noticed that both the property management company and the organization being assessed conveniently listed profiles of their respective leadership teams. This helped set up the initial guise I would use while performing the assessment. After some brainstorming, I worked out a plan with my teammate Tim Roberts who was responsible for a different part of the assessment. He had given me a URL to a YouTube video showing how easy it was to get into any building while carrying a ladder. Brilliant! This gave me the idea to pose as a maintenance worker with the “authority” of the property manager. I would make up a story about a recall on fire suppression sprinkler heads, and would use that to gain entry long enough to plant a rogue access point. The next stop would be the hardware store.
On-site Social Engineering Assessment
On the day of the assessment, I made sure to dress the part and grow out the stubble of an overworked maintenance worker in hopes of selling the idea that I was, in fact, on premises to inspect the fire suppression system. I also made sure to carry a ladder, a hideaway clipboard (to conceal several USB drives with malicious executables disguised as documents, spreadsheets and JPEGs) and a small wireless router that would act as the rogue access point. When I arrived, I made a phone call to my teammate Tim Roberts, who posed as my manager. I did this to establish legitimacy for being on premises and tried to use this as an additional sales pitch to the organization’s front desk employees.
As I was talking to Tim over the phone, I walked through the front door of the organization and started hinting that I saw the recalled sprinkler head models in the front lobby area. I informed Tim that I had arrived and would call him back shortly with the “inspection results,” and that it shouldn’t take too long to complete “the job.” After hanging up, I greeted the administrative assistant at the front desk and another employee who entered the front lobby area at about the same time as I did. I informed them that their property manager, and more specifically the property management employee responsible for this facility, had hired me to inspect the fire suppression system following a recall of specific sprinkler head models. With a nod of the head and holding the secured entry door, I was allowed inside the secured area of the office. The employee who held the door for me then quickly described the layout, making sure to point out several conference rooms and offices containing sprinkler heads. Once done with the tour, the employee returned to his desk and left me unescorted.
I immediately took my ladder and tools into the closest conference room and closed the door slightly. I made sure to set up my ladder behind the door as an early warning system and to aid in selling my presence in that room. Once that was finished, I plugged the rogue AP into a vacant network jack on the wall opposite the door, and powered it on. As soon as I stood up, another employee walked through the door and asked me for identification. I pulled out a letter that I had forged, which appeared to be signed by the property management employee whose name I’d dropped at the front desk. The employee took the letter back to his office to call the property management company despite my best efforts to point that employee to my “manager’s” contact information on the letter, who was standing by just in case of this exact situation. Once the employee left the room, I tested the wireless router and validated connectivity to the internal network. I made sure to hide the ESSID of the router to reduce the likelihood the organization would find it and unplug it.
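Hiding the ESSID only hides the wireless side of a rogue access point; the wired side still pulls a DHCP lease and shows up in the switch MAC table like any other host, which is what a defender can key on. The script below is an added example, not code from the post or from NTT Security: it parses lease records in ISC dhcpd.leases syntax (the sample leases and the asset inventory are constructed for the example) and flags any active lease whose MAC address is not in the inventory, which is exactly the footprint a device plugged into a vacant conference-room jack would leave.

```python
"""Flag unknown wired devices by diffing active DHCP leases against an asset inventory.

Added example for this post; the lease file contents and the inventory are constructed,
not data from the assessment described above.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in ISC dhcpd.leases syntax. The third lease has no client-hostname
# and a MAC that is not in the inventory: that is the rogue-AP pattern we want to catch.
SAMPLE_LEASES = """\
lease 10.20.30.41 {
  starts 3 2017/05/10 13:02:11;
  ends 3 2017/05/10 21:02:11;
  binding state active;
  hardware ethernet 00:11:22:aa:bb:01;
  client-hostname "FINANCE-LT07";
}
lease 10.20.30.42 {
  starts 3 2017/05/10 13:05:40;
  ends 3 2017/05/10 21:05:40;
  binding state active;
  hardware ethernet 00:11:22:aa:bb:02;
  client-hostname "RECEPTION-PC";
}
lease 10.20.30.97 {
  starts 3 2017/05/10 13:21:08;
  ends 3 2017/05/10 21:21:08;
  binding state active;
  hardware ethernet de:ad:be:ef:00:99;
}
lease 10.20.30.98 {
  starts 3 2017/05/10 09:00:00;
  ends 3 2017/05/10 10:00:00;
  binding state free;
  hardware ethernet 00:11:22:aa:bb:03;
}
"""

# Constructed asset inventory: MAC address -> asset label. In practice this would come
# from the CMDB or the NAC system.
INVENTORY = {
    "00:11:22:AA:BB:01": "FINANCE-LT07",
    "00:11:22:aa:bb:02": "RECEPTION-PC",
    "00:11:22:aa:bb:03": "CONF-ROOM-VC",
}


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]
    state: str


# One lease block: "lease <ip> { ... }". Bodies never contain braces, so a non-greedy
# match up to the first closing brace is sufficient.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')
STATE_RE = re.compile(r"binding state\s+(\w+);")


def parse_leases(text: str) -> list:
    """Parse dhcpd.leases text into Lease records; entries without a MAC are skipped."""
    leases = []
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac_m = MAC_RE.search(body)
        if not mac_m:
            continue
        host_m = HOST_RE.search(body)
        state_m = STATE_RE.search(body)
        leases.append(Lease(
            ip=ip,
            mac=mac_m.group(1).lower(),          # normalise case before comparing
            hostname=host_m.group(1) if host_m else None,
            state=state_m.group(1) if state_m else "unknown",
        ))
    return leases


def find_unknown_devices(leases: list, inventory: dict) -> list:
    """Return active leases whose MAC address does not appear in the inventory."""
    known = {mac.lower() for mac in inventory}
    return [lease for lease in leases if lease.state == "active" and lease.mac not in known]


if __name__ == "__main__":
    for lease in find_unknown_devices(parse_leases(SAMPLE_LEASES), INVENTORY):
        print(f"ALERT unknown device {lease.mac} at {lease.ip} hostname={lease.hostname!r}")
```

Run against the sample, the only alert is the hostname-less lease at 10.20.30.97. A check like this is a detective control and lags the event by one lease cycle; the preventive control for the conference-room jack in the story is to leave unused ports shut down or behind 802.1X, so that a consumer router never gets an address in the first place.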
With my ladder in hand, I proceeded to the next conference room. It wasn’t long until the first employee confronted me and asked that I follow him back to the front desk area. I did, only to find out the legitimate property manager was on the phone and wanted to speak to me. This was a bit nerve-wracking but needed to be done. I noticed the phone base was close enough for me to reach, just on the other side of the front lobby desk. I used this to my advantage and began talking over the property management employee in an attempt to convince the administrative assistant and the other employee that this was a simple misunderstanding. While I was putting on a performance, the property management employee on the other end of the phone call was clearly getting irritated. I finished the conversation and then hung up the phone myself without letting the employees speak with the property manager. As I started to walk toward the secure door to “continue the inspection,” one of the employees called the property manager back to confirm my story. The employee then informed me the property manager was in the process of calling the police. The employee even apologized, saying they were supposed to be undergoing a security assessment and they were just being overly cautious. What?! This employee was not a main point of contact and should not have known that the organization was having a social engineering assessment performed, as this would greatly increase the risk of compromise and reduce the likelihood of obtaining a comprehensive security overview. While this was a bit of a surprise, I used it to my advantage.
While the employee was trying to get ahold of the property manager again, I presented yet another fake letter, this time posing as a falsified security company with illegitimate points of contact (“authorizing” the assessment). The employee just glanced over the falsified letter, without validating the information. I was able to use this employee’s knowledge of the assessment against him. Since that employee didn’t come back, and because I didn’t want to be arrested if the police showed up, I presented the administrative assistant the actual letter of authorization for the assessment and walked out into the foyer of the building.
Here’s where this assessment gets really good. Instead of just leaving, I found a spot in the parking lot that would afford me a strong enough signal to connect to the wireless access point I had placed on their network. This spot was out of sight of the administrative assistant and any windows in the office area. I now had full access to their network, out of sight from their employees, and I could sit there most of the day interrogating their servers and network.
I was in and out within about 30 minutes. I was able to walk in, drop a rogue AP, convince the staff to let me leave without validating either of my two guises, connect to the network from outside, and kick off some quick scans to pull enough data for my proof-of-concept. While I would have loved to stay inside longer, this assessment was still successful and the organization will be better for it.
How can an organization prevent an attack like this? That’s a great question. For starters, when I entered the front lobby area of the office space used by this organization, the front desk administrative assistant and employee should have requested the letter and called the property manager to confirm that I was who I said I was. Once it was confirmed that I was not supposed to be there and an additional fake letter was presented, the validation process should have started over from scratch. In this case, since there was a small number of employees, it would have been easy to spot that the names provided on the second document were not actual client employees with authority. This could be validated using an employee intranet application or a call to human resources. If a third letter is presented, validation starts over again: read the information on the document and call the number. Again, a quick follow-up call to a department or a point of contact who can authorize these types of things would do the trick.
Identification validation is an important part of employee security awareness training. I would also add roleplaying and encourage employees to follow processes or escalate to someone who isn’t afraid to question authenticity. How can we teach people not to be afraid to gently confront someone and validate identification? Throughout this assessment, I could tell that the employee who confronted me genuinely wanted me to be who I claimed to be. He went to great lengths to find ways to convince himself that I was who I said I was. This unfortunately clouded his judgment a bit and allowed me enough time to get the job done.
For additional social engineering war stories, please check out our War Story Wednesday series at: http://technical.nttsecurity.com/tag/warstorywednesday