Social Engineering Example:
Social engineering uses influence and persuasion to deceive
people, either by convincing them that the social engineer is someone
he is not, or by manipulation. As a result, the social engineer
is able to take advantage of people to obtain information,
with or without the use of technology.
This is an example of a previous job I performed for
a client. See how what seems like insignificant information
enables me to build trust with people and achieve a successful
compromise of the company.
This has been provided as further reading for an interview
I did on penetration testing and social engineering for
PC Extreme magazine.
- Nathan House
Social Engineering Tools:
To explain how I might go about using a combination of social
engineering and technology, I need to first explain the tools that
I may use.
We have many tools that we have developed for the purpose of
penetration testing. In this social engineering example I will
be using a package or executable wrapper, a rootkit and the RAT
(Remote Access Tool).
In simple terms, the wrapper can create executable programs that
appear to do one thing but in fact at the same time perform other
tasks as well. Our wrapper also encrypts and compresses the contents
to help defeat virus detection and computer forensics.
The RAT is a remote access tool which, when run on a machine,
searches for connections out of the network to the Internet,
utilising any proxies and other devices if required. The RAT uses
outbound connections from the target machine to receive its commands,
completely bypassing any protection that a firewall or NAT provides.
The communication traffic is also sent as legitimate HTTP/HTTPS
traffic, so even if the target's proxy or firewall has application
level filtering the control commands will appear as normal HTTP
traffic, because in fact they are. This means that we can communicate
with targets deep inside company networks and defeat firewalls, proxies, DMZs
etc.
The rootkit is a program that hides the hacker's actions from
the operating system and anybody examining the machine. Our rootkit
hides processes, handles, modules, files and folders, registry
keys and values, services, TCP/UDP sockets and systray icons.
What this means is that Task Manager, netstat, regedit, File Explorer
etc. will not be able to see anything that has been placed on a
rootkited machine by the hacker. The hacker's
actions and programs will be completely invisible.
There are some less sophisticated versions of these types of
tools available on the Internet, but there are two good reasons
why a professional hacker won't use them. One is that they don't
provide the required functionality and so fail in their task; the
other is that many virus checkers will pick up their signatures
and stop them. This is the difference between the script kiddie
and the professional hacker.
Social Engineering Begins:
Social Engineering call (1)
Call to main switchboard of organisation from my mobile
phone.
Nathan: Hi, I'm having a problem with my desk phone. Can you
put me through to someone who may be able to sort this out for
me?
Reception: Connecting you.
Phone Services: Hi.
Nathan: Hi, I'm having a problem with my desk phone. Sorry,
I'm new here. Is there any way I can find out who is calling
me when they call my desk phone? Is there a caller ID?
Phone Services: Not really, no. Because we use hot desks here and
because people usually use their mobile phones, the caller ID isn't
often related to a name. Is this a problem for you?
Nathan: No, it's fine, now I understand. Thanks, bye.
I now know that the company uses hot desks and that phone
caller ID is not always expected, and therefore not an issue if
I call from outside the company. If it was expected then I could
work around it anyway.
Social Engineering call (2)
Call to main switchboard of organisation.
Nathan: Hi, could you put me through to building security?
Reception: OK.
Building Security: Hello, how can I help you?
Nathan: Hi, I don't know if you will be interested, but I
found an access card outside the building which I think someone
must have dropped.
Building Security: Just return it to us, we are in building 3.
Nathan: OK, no problem. Could I ask who I'm speaking to?
Building Security: My name's Eric Wood, and if I'm not here
give it to Neil.
Nathan: OK, that's great, I will do. Are you the head of building
security?
Building Security: It's actually called facilities security
and the head is Peter Reed.
Nathan: OK, thanks a lot. Bye.
This told me the names of a number of people in security,
the correct name of the department, the head of security, and that
they are the ones who deal with physical access cards.
Social Engineering call (3)
Call to main switchboard of organisation.
Nathan: Hi, I'm calling from Agency Group and I wonder if
you could help me. I had a meeting about a month ago with some
of your HR people, but unfortunately my computer crashed and I
have totally lost their names.
Reception: Sure, no problem, let me look up that department. Have
you any idea at all of their names?
Nathan: I know that one of them was the head of HR. There were
a number of people in the meeting though.
Reception: ……. OK, here we are. Head of HR is Mary Killmister.
0207 xxxxxxx
Nathan: Yes, that rings a bell. Who are the other names in HR?
Reception: In HR: Jane Ross, Emma Jones…… <list of names.>
Nathan: Yes, definitely Jane and Emma. Could I have their numbers
please?
Reception: Sure, Jane Ross is xxxxxxx and Emma Jones is xxxxxx.
Would you like me to put you through to any of them?
Nathan: Yes, could you put me through to Emma please?
I now know the names of three people in HR, including
the head.
Social Engineering call (4)
HR: Hello, Emma here.
Nathan: Hi Emma, this is Eric from facilities security in building
3. I wonder if you can help me? We have had a problem here with
the access card database computer. It crashed last night and some
of the data for the new starters has been lost. Do you know who
would be able to tell me who the new starters were over the last
2 weeks, as their access cards will have stopped working? We need
to contact them and let them know ASAP.
Emma: I can help you with this. I'll look up the names and
email them to you if that's OK? For the last 2 weeks did
you say?
Nathan: For the last 2 weeks, yes. That's great, thanks, but
would it be possible to fax it, as we share one computer for email
and that was affected by the computer crash too.
Emma: Yes, OK, what is your fax number? Oh, and what's your
name again?
Nathan: Mark it for the attention of Eric. I'll have to
find out the fax number for you and call you back.
Emma: OK.
Nathan: Do you know how long it will take to find out the information?
Emma: It shouldn't take me more than 30 minutes.
Nathan: Will you be able to start working on it straight away,
as it's quite urgent?
Emma: I have a few things to do this morning, but I should have
the names this afternoon.
Nathan: That's great Emma, thanks. When you're done,
would you be able to call me straight away so I can start reactivating
their cards?
Emma: Yes, sure. What is your number?
Nathan: I'll give you my mobile number, that way you're
guaranteed to get me. 07970 xxxxxx.
Emma: OK, sure, I'll call you when I have the list.
Nathan: Excellent, thanks. Really appreciate this.
Social Engineering call (5)
IT Support
Call to main switchboard of organisation.
Nathan: Could you put me through to IT Support?
Reception: Connecting you… Long wait in queue.
IT Support: Hello, can I have your LS number or your case reference?
Nathan: I've just got a quick question. Is that OK?
IT Support: What is it?
Nathan: A guy from Reuters is trying to send me a presentation
and is asking me what the maximum size for attachments is?
IT Support: It's 5 meg, sir.
Nathan: That's great, thanks. Oh, one more thing, he said it's
an exe file and sometimes those get blocked or something.
IT Support: He won't be able to send an executable file
as the virus scanners will stop it. Why does it need to be an
exe file?
Nathan: I don't know. How can he send it to me then? Could
he zip it or something?
IT Support: Zip files are allowed, sir.
Nathan: OK, oh, one more thing. I can't seem to see my Norton
anti-virus icon in my system tray. The last place I worked there
was a little icon.
IT Support: We run McAfee here, it's just a different icon,
the blue one.
Nathan: That explains it then, thanks, bye.
I now know that to send an executable via email it will
have to be zipped first and be less than 5 meg. I also know that
they are using McAfee anti-virus.
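The gap IT Support just described (executables blocked, zip archives allowed, 5 meg limit) is the one the attack later walks through. The following is an added defensive example, not code from the article or from Nathan House's tools: a mail-gateway style check that opens a zip attachment and judges each member by its content (the Windows PE "MZ" header) and by the extensions Windows will execute on double-click, rather than trusting the outer ".zip". The size limit is the one quoted in the call; the extension list, the sample archives and their file names are constructed for the demonstration.

```python
"""Added defensive example: inspect zip attachments instead of trusting the outer extension.
Not part of the original article. Sample archives, names and the extension list are constructed."""
from __future__ import annotations
import io
import zipfile

MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024  # the "5 meg" limit quoted by IT Support

# Magic bytes that identify executable content regardless of the file name.
EXECUTABLE_MAGIC = {
    b"MZ": "windows-pe",   # Windows PE/DOS executable (MZ header)
    b"\x7fELF": "elf",     # ELF binary
}
# Illustrative subset of extensions Windows executes directly on double-click (assumption).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}

def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons (possibly none) why this archive member should be blocked."""
    reasons = []
    lower = name.lower()
    ext = ("." + lower.rsplit(".", 1)[-1]) if "." in lower else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            reasons.append(f"{label} magic bytes")   # content says executable, whatever the name
            break
    if lower.count(".") >= 2 and ext in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension")          # e.g. Presentation.pdf.exe
    return reasons

def inspect_zip_attachment(data: bytes) -> dict:
    """Inspect one zip attachment; returns {'allowed': bool, 'findings': [(member, reasons)]}."""
    findings = []
    if len(data) > MAX_ATTACHMENT_BYTES:
        findings.append(("<attachment>", ["exceeds size limit"]))
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"allowed": False, "findings": [("<attachment>", ["not a valid zip"])]}
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(".zip"):
                # Nested archives are a common way past a one-level scanner.
                findings.append((info.filename, ["nested archive"]))
                continue
            with zf.open(info) as member:
                head = member.read(4)          # only the first bytes are needed for magic checks
            reasons = classify_member(info.filename, head)
            if reasons:
                findings.append((info.filename, reasons))
    return {"allowed": not findings, "findings": findings}

def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a benign archive, one shaped like the "Security Presentation.zip" lure,
# and one where the executable has been renamed to look like a document.
BENIGN_ZIP = build_sample_zip({"notes.txt": b"Quarterly figures attached.\n"})
LURE_ZIP = build_sample_zip({
    "Security Presentation.exe": b"MZ\x90\x00" + b"\x00" * 64,
    "readme.txt": b"Double click the presentation\n",
})
DISGUISED_ZIP = build_sample_zip({"Security Presentation.pptx": b"MZ\x90\x00" + b"\x00" * 64})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("lure", LURE_ZIP), ("disguised", DISGUISED_ZIP)):
        print(label, inspect_zip_attachment(blob))
```

The point of checking magic bytes as well as extensions is that the disguised archive is caught even though nothing in it ends in ".exe"; the extension list alone would have let it through, exactly as the gateway in the call would.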
Social Engineering call (6)
A few hours later. Call from Emma in
Human Resources.
Emma: Hi, is that Eric?
Nathan: Yes, hi.
Emma: I have the new starters list for you. Do you want me to
fax it?
Nathan: Yes please, that would be great. How many are there?
Emma: About 10 people.
Nathan: I'm not sure the fax is working properly here, could
you possibly read them out to me? I think it will be quicker.
Emma: OK. Do you have a pen?
Nathan: Yes, go ahead.
Emma: Sarah Jones, sales, manager is Roger Weaks, <lists names>………..
Nathan: OK thanks, you have been a real help, bye.
I now have a list of the new starters over the last
2 weeks. I also have the departments they belong to and their
managers' names. New starters are many times more susceptible
to social engineering than long-term employees.
Social Engineering call (7)
Call to main switchboard of organisation.
Nathan: Hi, I'm trying to email Sarah Jones but am not sure what
the format of your email addresses is. Do you know?
Reception: Yes, it would be sarah.jones@targetcompany.com
Nathan: Thanks.
Social Engineering Email (1)
Minutes later a spoofed email is sent.
From: itsecurity@targetcompany.com
To: sarah.jones@targetcompany.com
Subject: IT Security
Sarah,
As a new starter to the company you will need to be made aware
of the company's IT Security policies and procedures,
and specifically the employees' "Acceptable Use Policy".
The purpose of this policy is to outline the acceptable use
of computer equipment at <Company Name>. These rules
are in place to protect the employee and <Company Name>.
Inappropriate use exposes <Company Name> to risks
including virus attacks, compromise of network systems and
services, and legal issues.
This policy applies to employees, contractors, consultants, temporaries,
and other workers at <Company Name>, including all
personnel affiliated with third parties. This policy applies
to all equipment that is owned or leased by <Company Name>.
Someone will contact you shortly to discuss this with you.
Regards,
IT Security.
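The email above claims to come from itsecurity@targetcompany.com but was injected from outside. The following is an added defensive example, not code from the article: a check that flags inbound mail whose From address uses the organisation's own domain when the message was handed to the organisation's mail relay by an external host. It walks the RFC 5322 Received headers newest-first and stops at the first hop recorded by one of the company's own relays, so Received lines an outsider may have prepended below that point are never trusted. The domain is the one named in the article; the relay host names, IP addresses and the two sample messages are constructed for the demonstration.

```python
"""Added defensive example: flag external mail that claims an internal sender.
Not part of the original article. Relay names, addresses and messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "targetcompany.com"          # the domain used in the article
INTERNAL_RELAYS = ("mail.targetcompany.com",)   # assumed names of the organisation's own MTAs

# Constructed message: From claims the internal domain, but the hop recorded by the
# company relay (mail.targetcompany.com) shows it arrived from an outside host.
SPOOFED_MESSAGE = """\
Received: from mail.targetcompany.com (mail.targetcompany.com [10.0.0.5])
\tby exchange.targetcompany.com; Tue, 07 Nov 2023 09:14:02 +0000
Received: from smtp-out.example-isp.net (smtp-out.example-isp.net [203.0.113.9])
\tby mail.targetcompany.com; Tue, 07 Nov 2023 09:14:01 +0000
From: IT Security <itsecurity@targetcompany.com>
To: sarah.jones@targetcompany.com
Subject: IT Security

As a new starter ...
"""

# Constructed message that really did originate inside: a workstation handed it to the relay.
LEGIT_MESSAGE = """\
Received: from ws-0423.targetcompany.com (ws-0423.targetcompany.com [10.1.4.23])
\tby mail.targetcompany.com; Tue, 07 Nov 2023 09:20:00 +0000
From: Emma Jones <emma.jones@targetcompany.com>
To: sarah.jones@targetcompany.com
Subject: Welcome

Hi Sarah
"""

# "Received: from <sender-host> ... by <receiving-host>"; DOTALL because headers may be folded.
_HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)

def is_internal_host(host):
    return host is not None and (host in INTERNAL_RELAYS or host.endswith("." + INTERNAL_DOMAIN))

def boundary_origin(raw):
    """Return the external host that handed the message to one of our relays, or None.
    Received headers are read newest-first (the order they appear); the walk stops at the
    first hop recorded by an internal relay, so headers below that point are never consulted."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received") or []:
        m = _HOP.search(hdr)
        if not m:
            continue
        frm, by = m.group(1).lower(), m.group(2).lower().rstrip(";")
        if is_internal_host(by) and not is_internal_host(frm):
            return frm
    return None

def is_spoofed_internal_sender(raw):
    """True when From claims INTERNAL_DOMAIN but the message crossed in from outside."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != INTERNAL_DOMAIN:
        return False                     # external senders are expected to be external
    return boundary_origin(raw) is not None

if __name__ == "__main__":
    print("spoofed sample:", is_spoofed_internal_sender(SPOOFED_MESSAGE))
    print("legit sample:  ", is_spoofed_internal_sender(LEGIT_MESSAGE))
```

This is the logic behind the common "external message claims internal sender" gateway rule. In production it belongs alongside SPF, DKIM and DMARC, which let the receiving relay verify the claim cryptographically rather than by inspecting hops; the header walk is shown here because it makes the trust boundary (only hops your own relays recorded) explicit.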
Social Engineering call (8)
A couple of hours later.
Call to main switchboard of organisation.
Nathan: Hi, could you put me through to Sarah Jones please?
Reception: Connecting you.
Sarah: Hello, Sales, how can I help you?
Nathan: Hi Sarah, I'm calling from IT Security to brief you
on IT security best practices. You should have got an email about
it.
Sarah: Yes, I got an email about it today.
Nathan: OK, excellent. It's just standard procedure for all
new starters and only takes about 5 minutes. How are you finding
things here? Everybody being helpful?
Sarah: Yes thanks, it's been great. It's a bit daunting
starting somewhere new though.
Nathan: Yes, and it's always difficult to remember everyone's
name. Has Roger introduced you around?
…… various small talk to build up rapport, interspersed
with more trust building.
Nathan: …Emma Jones is very nice in HR if you need any help
with that side of things.
Sarah: Yes, Emma did my HR interview for the job.
Nathan: Well, I'd better run through the security presentation with
you. Do you have your email open? I'll send you the security
presentation now and I can talk you through it.
Sarah: OK, I see the email.
Nathan: OK, just double click on the "Security Presentation.zip"
attachment.
Sarah: It has come up with WinZip.
Nathan: Just click extract and double click on "Security
Presentation".
Sarah: OK …..
The executable that she has run is in fact a cleverly packaged
series of scripts and tools created by our wrapper program, including
within it the RAT, a rootkit, keyloggers and anything else I may
want to add.
When she clicks on the file the presentation immediately starts.
This is just a series of PowerPoint slides telling her not to
run executables that she is sent etc. etc. and other good security
practices ;)
The presentation is branded with all the company logos that were
conveniently copied from their public webserver, just to add a
little more trust. A few seconds later, as she is being taken through
the presentation, scripts within the package start to try to disable
McAfee and any other PC security that may be found that may help
protect the user. Then the rootkit installs itself, hiding all
future actions from the operating system or anybody doing a forensic
investigation. Next the RAT is hidden and installed. The RAT is
made to start every time the machine reboots, and these actions
are all rootkitted and hidden. The RAT then looks up any proxy
settings and other useful information and tries to make its way
out of the network and onto the Internet, ready to get its commands
from its master. Obviously all processes and TCP connections are
hidden, and even running things like netstat and Task Manager will
not reveal them.
The RAT connects to the master. I now own the PC and it's time
to start looking around and really start hacking! Job done.
- Nathan House
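Both the tools section and the final paragraphs describe the same thing from the network's point of view: a RAT that goes out through the corporate proxy as ordinary HTTP and keeps polling its master for commands. Host-side tools are blinded by the rootkit, but the proxy log is written by a machine the rootkit does not control, and a polling RAT leaves a regular, low-jitter pattern of requests from one workstation to one external host. The following is an added defensive example, not code from the article or from the tools it describes: a detector that groups proxy log entries by (client, destination host) and flags pairs whose inter-request gaps are nearly constant. The log format (a simplified squid-style line: epoch seconds, client IP, method, URL, status), the hosts, the addresses and the timestamps are all constructed for the demonstration, and the thresholds are assumptions to tune per environment.

```python
"""Added defensive example: find RAT-style beaconing in proxy logs by timing regularity.
Not part of the original article. Log lines, hosts, addresses and thresholds are constructed."""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample: 10.1.4.23 polls one host every ~60s with near-zero jitter while its
# ordinary browsing is irregular; 10.1.4.50 is an ordinary user.
SAMPLE_PROXY_LOG = """\
1700000000 10.1.4.23 GET http://updates-cdn.example.net/check?id=1 200
1700000011 10.1.4.50 GET http://news.example.com/ 200
1700000060 10.1.4.23 GET http://updates-cdn.example.net/check?id=2 200
1700000073 10.1.4.23 GET http://intranet.example.com/home 200
1700000120 10.1.4.23 GET http://updates-cdn.example.net/check?id=3 200
1700000135 10.1.4.50 GET http://news.example.com/story/1 200
1700000181 10.1.4.23 GET http://updates-cdn.example.net/check?id=4 200
1700000240 10.1.4.23 GET http://updates-cdn.example.net/check?id=5 200
1700000299 10.1.4.50 GET http://mail.example.com/ 200
1700000300 10.1.4.23 GET http://updates-cdn.example.net/check?id=6 200
1700000310 10.1.4.50 GET http://news.example.com/story/2 200
1700000360 10.1.4.23 GET http://updates-cdn.example.net/check?id=7 200
1700000420 10.1.4.23 GET http://updates-cdn.example.net/check?id=8 200
"""

def parse_proxy_log(text):
    """Yield (timestamp, client, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            ts = int(parts[0])
        except ValueError:
            continue
        host = urlsplit(parts[3]).hostname
        if host:
            yield ts, parts[1], host

def find_beacons(records, min_requests=6, max_jitter=0.1):
    """Return [(client, host, mean_gap, jitter)] for pairs whose request timing is periodic.
    jitter is the coefficient of variation (pstdev / mean) of the gaps between requests;
    a human browsing produces a large value, a fixed-interval poller a value near zero."""
    by_pair = defaultdict(list)
    for ts, client, host in records:
        by_pair[(client, host)].append(ts)
    alerts = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue                       # too few requests to say anything about timing
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            alerts.append((client, host, avg, round(jitter, 3)))
    return alerts

def detect_beacons_in_log(text, **kwargs):
    """Convenience wrapper: parse raw log text and return the beacon alerts."""
    return find_beacons(parse_proxy_log(text), **kwargs)

if __name__ == "__main__":
    for client, host, avg, jitter in detect_beacons_in_log(SAMPLE_PROXY_LOG):
        print(f"possible beacon: {client} -> {host} every ~{avg:.0f}s (jitter {jitter})")
```

On the sample this reports only the 10.1.4.23 to updates-cdn.example.net pair. Well-written tools randomise their sleep interval, so in practice `max_jitter` is raised and the timing signal is combined with others the same log already carries: a destination no other client in the estate visits, a constant response size, or a user agent that does not match the installed browser.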
Telephone: +44 (0)208 560 5621
Telephone: +44 (0)7970 870 381
Instant Support line: 0904 194 0808