Assessment Background

Businesses that are adjacent to hotels are the best…for security consultants. With a high-gain wireless antenna and either a rogue access point plugged into the network or a vulnerable wireless access point you can compromise, you pretty much don't have to leave the comfort of your hotel room or parked vehicle for the assessment. I have been on a handful of these fortunate layouts and it certainly helps when staying under the radar. One of my first red team assessments had a hotel right next to the business we were assessing. The only thing separating the extended-stay hotel and the business was waist-high foliage, with little to no lighting or camera coverage. On this assessment, after-hours testing was in scope, which made the job that much easier.

On-site Social Engineering Assessment

The first day on-site was mostly filled with passive reconnaissance: driving around the building in a couple of different vehicles and noting the layout of cameras, window-watching from afar with binoculars, and noting employee traffic to and from the building. The only active recon was when I asked an employee (during his smoke break) where the nearest gas station was. I did this to get an idea of what the access control badge layout looked like and the color of the lanyard around his neck.

After a full day of reconnaissance, my partner and I made a quick stop at an office supply store, went back to the hotel and started building our guise. This client site had a pretty big employee body and turnover was moderate. Fortunately, via the hotel staff, we discovered that the client also had a lot of contractors who would work on-site for weeks at a time and stay at the hotel. That afforded us the opportunity to get a feel for dress codes, contractor badges, bag types, etc.

As we were finishing up our fake access badges, I realized I had left something in the car and went to retrieve it. After stepping outside, I decided to take another look at the facility. It was late evening and the lights were on for three of the floors, illuminating several cubicles on one of them. Contemplating how we would gain a backdoor into their network, I considered the possibility of Dynamic Host Configuration Protocol (DHCP) being in use, especially with the number of guests and contractors coming in and out. If MAC filtering happened to be turned on, maybe we could plug into one of the desk phones and spoof its MAC address; either way, we would have what we needed to drop a rogue access point. As I contemplated our next move, lo and behold, a cleaning crew member propped open the back door and a bright light bled into the parking lot, almost beckoning me. I quickly walked back into the hotel, let my partner know about the opportunity, and we decided to take advantage of this negligence while we could.

With a fake but legitimate-looking access control badge that we had just forged, a blue lanyard around my neck, and my partner sitting in a car in the hotel parking lot with a 15 dBi wireless antenna, we got to work. If questioned, my backstory would be "I forgot my laptop," "working late tonight on some server issues," or something vague and brief enough to convince the late-night cleaning crew to leave me alone. What about the security guards? Well, there was one, and he was conveniently preoccupied in the front lobby; this was obvious from the glow of the tablet on his face as he laughed at whatever movie he was watching. Fortunately I didn't have to worry about him, because the back door was still propped open.

Once inside, I made my way up the emergency exit stairs, counting the floors as I went, until I got to the one I had seen from the hotel with the lights still on. I entered the main hallway and heard voices; some employees were still working. The glass door into the main office floor made it easy for me to see them looming over a cubicle. If I could see them, they could also see me, so to avoid engaging in conversation I ducked into the bathroom located right outside the door. I kept my partner updated; he had positioned himself in the emergency exit stairwell, a floor down.

After sitting in a bathroom stall for about half an hour, I heard the cleaning crew leaving the main office floor and heading towards the elevator around the corner. I had noticed the request-to-exit sensor above the door on the inside. Once the crew and one employee left, I considered just waiting until everyone was gone and using some canned air to trip the sensor. However, all of that turned out to be completely unnecessary, as the door's accessibility closing delay was just enough for me to duck in behind them as they turned the corner. After some old-fashioned tailgating, I noted a printer and conference room directly across from the door and quickly made my way towards the conference area. The remaining employees I had seen earlier were not in view when I entered the office floor, so I notified my partner and watched as he made his way to the door. After letting him in, we both stayed hidden in the conference room. About an hour later, two employees dimmed the lights, indicating they were the last on the floor, and exited the same way we had come in. I took a peek out to confirm that no one else was there. We had the whole floor…nay, the whole building, to ourselves and the solitary security guard, fixated on digital entertainment. It was time for us to make our move.

It was apparent that a Clean Desk Policy was either nonexistent or lax when it came to enforcement, as we were able to obtain photos of sensitive documents in unlocked offices and messy cubicles. Several laptops were left untethered, so we took some photos for evidence and then placed them back. We had considered spending some time compromising the laptops, but whole-disk encryption thwarted those efforts and we wanted to be quick. We were able to plant a rogue access point via an active and open network jack in a cubicle near the window facing our hotel. We tested connectivity, and my partner went back to the hotel to test the range as I adjusted the access point. Once we had network access from a distance, we were in.

As I was leaving, I noted the security guard was still occupied. I opened the back door and left the same way I came in, ensuring the door latched behind me. Once I got back to where my partner was positioned, we both connected to the deployed rogue AP, found default credentials on a few services and, most importantly, some vulnerable SQL servers, enabling us to loot a trove of sensitive information via tables we pulled from the database.

Lessons Learned

So, what do we learn from this war story?

Cleaning crews should NEVER prop open a door and leave it unattended. In several cases that I have witnessed, cleaning crews prop a door open to move equipment in and out. In this particular case, the crew left the door wide open for an attacker and neglected to make sure they were not followed. Compromises like this are far more common than most organizations assume. Had this been a malicious attack rather than an assessment, who knows what could have happened.

A preoccupied security guard is an ineffective security guard. I understand that overnight security work can get extremely boring; I have been there. Boredom does not mean you get to become lax in your awareness, or too buddy-buddy with the night crew. Guards do not have to be paranoid, but they are paid to be the first layer of human security, and that means physical security policies, procedures and active awareness must stay at the top of their priorities.

How do companies prevent this?

Security awareness training! I know we recommend this a lot, but it should be a strong staple of your security initiatives. This goes beyond the annual awareness campaign and quizzes; it must be ingrained into the culture of your company. Your employees must be aware of the risks associated with information security, and that includes both physical and technical controls. A good security culture, social engineering countermeasures and enforced standards can prevent a potentially dangerous and damaging compromise, not only of security but of safety as well. When it comes to physical security, it is more than information that is at stake; employees and company assets are as well.

You don’t have to be paranoid, but in the age of hacktivism and terrorism, skepticism and awareness are traits every employee should have. An employee who is able to discern common traits and mannerisms of a would-be attacker can be the first barrier to prevent compromises like this, and many of the other war stories that I have shared.

Hackers do not care how hardened your network is if they can just walk in and ask for passwords and access.

Reach out to NTT Security for more information on how you can better secure your company. We can test your security with an on-site risk assessment, or help your organization build a stronger security program.