
How Easy Is It?

In the document Johnny Long (Page 126-129)

As an inside penetration team leader, I learned every exploit I could to conduct a successful inside penetration test. It was during those years that I gained most of my social engineering experience. These skills helped me to eventually hang up my dumpster diving penetration team jersey and retire from the Tiger Team world undefeated.

Although I had several close calls, I was never stopped or reported to security as a possible burglar or corporate espionage agent, even though that’s the role I was playing—effectively, it’s what I was.

In 1988 I was part of an internal security team for a large corporation. On several occasions, I had the opportunity to hear conversations that went on when a “black hat” (or malicious) group targeted a victim by calling on the phone. The black hats were using social engineering skills to gain access to proprietary information, including passwords. What I heard one of the veteran black hats say to a trainee remains true today:

“Social engineering is the easiest way to break into a system.”

www.syngress.com

Social Engineering: Here’s How I Broke Into Their Buildings • Chapter 5 103

Why do attackers prefer social engineering as their attack vector? Let’s say you are an elite black hat hacker, and an international conglomerate has offered you big money if you can provide them valid sign-in credentials for their chief rival’s corporate network. In short, they want one or more user names and passwords.

Let’s call the target company International Acronym. As a “leet” black hat, you see no challenge whatsoever in learning user names for Acronym’s network. Most big corporations assign user names systematically, derived from employee names. If Joe Doaks works for Acronym, his user name is probably one of a few variations: joedoaks, jdoaks, JDoaks@Acronym, or some equivalent. If you can learn employee names, you can figure out user names. One obvious way to do this is to snag a printed corporate phone book (more on this later). But since you’re a smart and competent high-tech attacker, instead, you search Acronym’s Web site and find some names. You have many to choose from: executives, a PR person, a tech support manager, a marketing drone quoted in an interview… an email address here and there indicates what the structure of user names probably is. Great! All you need now is a password.

I’m about to compare what a high-tech hacker does to obtain a targeted valid password, versus what a no-tech hacker does to get a password. Ready? Here are the high-tech steps:

1. Scan Acronym’s network to see if any ports are listening on the Internet. You could scan the whole range of 65,000 ports in a matter of seconds, but Acronym’s Intrusion Detection Systems would go off like a Christmas tree wearing a car alarm. You’re too smart for that, so you perform your scan in stealth mode. You have to go in low and slow, scanning one port every few seconds, ideally from IP addresses all over the huge botnet you control.

2. Install malware on a victim machine. Assuming your port scan successfully reveals an open port, you next want to sneak your rootkit onto Acronym’s network. You program a little script that can exploit a dozen recently patched vulnerabilities, in hopes that Acronym hasn’t kept up with patching every application on their network. Packing and crypting a chunk of code that exploits holes in Internet Explorer, Quicktime, Yahoo’s toolbar, WinAmp, and other popular apps, you send it off. Like making your first million dollars, getting that first victim is the hardest. But since you’re so “leet,” we’ll stipulate that you successfully land your code on one of Acronym’s networked computers.

3. Enumerate the target network. Congrats! You’re on Acronym’s network. But how large is it? How many subnets does it have? Does it use routers, or switches? What connects to what? Can you find servers that contain password files? You’ll have to carefully map out the network, hiding your activity the whole time. And in today’s dog-eat-dog network environment, you might also have to fight off other hackers, or at least seal the security hole that got you in, so that a less careful hacker doesn’t blunder in and blow your cover.

4. Locate and copy the encrypted password file. Let’s assume Acronym runs a Windows network. You’ll probably use a tool like pwdump to snag a usable copy of their password hashes that you can ship to your own network to try to get at all those valuable passwords in clear text. You must move from one Acronym computer to another, like a series of stepping stones, moving ever closer to the main password server. And of course, you must do all this while concealing your activities, modifying logs and altering registry keys so that certain files do not update the date they were accessed.

5. Run automated cracking tools against the encrypted password file. With the password hashes in your possession, and your activity on the Acronym network carefully hidden, you rev up John the Ripper loaded with all your favorite dictionaries and a huge rainbow table. Once this process begins, you’ll probably have a few passwords in less than an hour. (If you’d like to see this working under lab conditions, check out the SecurityWise video, “How Password Crackers Work,” found at http://video.google.com/videoplay?docid=4683570944129697667).

Whew! That was uber-leet, but you pulled it off. And it only took about a week.
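As an added defender’s example (not from the book): the stealth scan in step 1 works because a per-source “N ports in 60 seconds” rule never fires when probes arrive minutes apart from many addresses, but counting the distinct ports touched on one target host over a whole hour, regardless of source, still catches it. The log format, addresses and thresholds below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny-log format (hypothetical, not from the book):
#   <ISO timestamp> DENY <src_ip> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")

# Constructed sample: three "botnet" sources each probe one port of the same
# host every few minutes, so no single source is ever fast or noisy.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DENY 203.0.113.5 -> 192.0.2.10:21
2024-05-01T10:03:10 DENY 198.51.100.7 -> 192.0.2.10:22
2024-05-01T10:06:30 DENY 203.0.113.9 -> 192.0.2.10:23
2024-05-01T10:09:45 DENY 203.0.113.5 -> 192.0.2.10:25
2024-05-01T10:13:02 DENY 198.51.100.7 -> 192.0.2.10:80
2024-05-01T10:16:20 DENY 203.0.113.9 -> 192.0.2.10:110
2024-05-01T10:19:41 DENY 203.0.113.5 -> 192.0.2.10:143
2024-05-01T10:23:05 DENY 198.51.100.7 -> 192.0.2.10:443
2024-05-01T10:26:18 DENY 203.0.113.9 -> 192.0.2.10:445
"""

def parse(log):
    """Return (timestamp, src, dst, port) tuples for well-formed lines."""
    return [(datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]))
            for m in map(LINE_RE.match, log.splitlines()) if m]

def distinct_ports_in_window(events, key, window, threshold):
    """Group by key(event), slide `window` over each group, and report groups
    that touch at least `threshold` distinct destination ports."""
    groups = defaultdict(list)
    for ev in sorted(events):
        groups[key(ev)].append(ev)
    alerts = {}
    for k, evs in groups.items():
        for i, (t0, *_) in enumerate(evs):
            ports = {p for t, _, _, p in evs[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                alerts[k] = max(alerts.get(k, 0), len(ports))
    return alerts

def per_source_fast_scan(events):
    """Classic IDS rule: one source hits 5+ ports within 60 seconds."""
    return distinct_ports_in_window(events, lambda e: e[1], timedelta(seconds=60), 5)

def per_destination_slow_scan(events):
    """Aggregate by target over an hour: spread-out probes from many sources add up."""
    return distinct_ports_in_window(events, lambda e: e[2], timedelta(hours=1), 8)
```

Running both detectors over the sample shows the per-source rule returning nothing while the per-destination rule flags 192.0.2.10 with nine distinct ports probed.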

Now let’s go for the same goal – a valid password on Acronym’s network – the no-tech way. Ready? Count the steps:

1. Make a phone call.

2. Make another phone call. While you’re chatting, ask for—and receive—valid login credentials.

Badda-bing, badda-done. In a moment, I’ll show you how that’s possible. For now, line up those two procedures side by side, and you can see why hackers find social engineering easier than high-tech attacks.


And the two-step version is the difficult version. Sometimes the Social Engineering Gods drop nuggets right into your lap. I stood on a street corner in Seattle waiting for a bus one day, and I overheard two workers near me discussing their corporate network. One employee described to the other his cool new password, stating it out in the open. He probably assumed this was safe because he felt anonymous. But when I took an incredulous glance back to see what kind of reckless wild man blabs his password on a street corner, there, dangling from a pocket of his cargo pants, was his employee identity badge. There was his name. Right above the logo for Amazon.com, whose headquarters was two buildings away. Amazing.

Social engineering can be that easy.

Even better: social engineering doesn’t rely on a faulty piece of high-tech equipment to mount the attack. Rather, it uses a skilled attack on the psyche of the opponent.

Most of the time, it can be accomplished with a clipboard and a cheap business card.

So besides being easy, social engineering can be dirt cheap. (Even crooks worry about overhead cutting into their profit margin.)

Over the past fifteen years, I have learned first hand just how easy it is to be an effective con man as I led several inside penetration teams into the buildings of clients who had hired us to test their vulnerabilities. Not one time did we fail or get caught as we roamed their buildings pretending to be employees. Everyone we encountered as we did our thing thought we belonged there.

How was that possible? Why, it’s just human nature.
