Social Engineering uses influence and persuasion in order to deceive, convince or manipulate. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.
The following is an example of a previous job I performed for a client. It demonstrates what seemed like insignificant information can build trust with people and compromise a company.
This has been provided as further reading for an interview I did on penetration testing and social engineering for PC Extreme magazine.
Social Engineering Tools
To explain how I might go about using a combination of social engineering and technology I need to first explain the tools that I may use.
We have many tools that we have developed for the purpose of penetration testing. In this Social Engineering example, I will be using a package or executable wrapper, a rootkit and The RAT (Remote Access Tool).
In simple terms, the wrapper can create executable programs that appear to do one thing but, in fact, perform other tasks as well. Our wrapper also encrypts and compresses the contents to help deflect virus detections and computer forensics.
The RAT is a remote access tool which, when run on a machine, searches for connections out of the network to the Internet, utilising proxies and other devices if required. The RAT uses outbound connections from the target machine to receive its commands to completely bypass any security from a firewall or NAT. The communication traffic is also sent as legal HTTP/HTTPS traffic so even if the target’s proxy or firewall has application-level filtering, the control commands will appear as normal HTTP traffic because, in fact, they are. This means that we can communicate with targets deep inside the company’s networks and defeat firewalls/proxies/DMZ, etc.
The RootKit is a program that hides the hacker’s actions from the operating system and anybody examining the machine. Our rootkit hides Processes, Handles, Modules, Files and Folders, Registry Keys and Values, Services, TCP/UDP Sockets and Systray Icons.
What this means is the task manager, netstat, regedit, file explorer, etc. will not be able to see anything that has been placed on a machine by the hacker that has been rootkitted. The hacker’s actions and programs will be completely invisible.
There are some less sophisticated versions of these types of tools available on the Internet but there are two good reasons why a professional hacker won’t use them. One is they don’t provide the required functionality, and the other reason is that many virus checkers will pick up their signatures and stop them. This is the difference between the script kiddie and the professional hacker.
Social Engineering call (1)
Call to main switchboard of the organisation from my mobile phone.
Nathan: Hi, I’m having a problem with my desk phone. Can you put me through to someone who may be able to sort this out for me?
Reception: Connecting you.
Phone Services: Hi.
Nathan: Hi, I’m having a problem with my desk phone. Sorry, I’m new here. Is there any way I can find out who is calling me when they call my desk phone? Is there a caller ID?
Phone Services: Not really, because we use hot desks here. Because people usually use their mobile phones, the caller ID isn’t often related to a name. Is this a problem for you?
Nathan: No, it’s fine now. I understand. Thanks. Bye.
I now know that the company uses hot desks and that phone caller ID is not always expected. Therefore, it is not an issue if I call from outside the company. If it was expected, then I could work around it anyway.
Social Engineering call (2)
Call to main switch board of organisation.
Nathan: Hi, could you put me through to building security?
Building Security: Hello, how can I help you?
Nathan: Hi, I don’t know if you will be interested but I found an access card outside the building which I think someone must have dropped.
Building Security: Just return it to us. We are in building 3.
Nathan: OK, no problem. May I ask who I’m speaking to?
Building Security: My name’s Eric Wood. If I’m not here, give it to Neil.
Nathan: OK, that’s great. I will do. Are you the head of building security?
Building Security: It’s actually called Facilities Security and the head is Peter Reed.
Nathan: OK, thanks a lot. Bye.
This told me the name of a number of people in security, the correct name of the department, the head of security, and that they are the ones who deal with physical access cards.
Social Engineering call (3)
Call to main switch board of organisation.
Nathan: Hi, I’m calling from Agency Group and I wonder if you could help me. I had a meeting about a month ago with some of your HR people but unfortunately, my computer crashed and I have totally lost their names.
Reception: Sure, no problem. Let me look up that department. Have you any idea at all of their names?
Nathan: I know that one of them was the head of HR. There was a number of people in the meeting though.
Reception: …….OK, here we are. Head of HR is Mary Killmister. 0207 xxxxxxx
Nathan: Yes, that rings a bell. Who are the other names in HR?
Reception: In HR, Jane Ross, Emma Jones……
Nathan: Yes, definitely Jane and Emma. Could I have their numbers please?
Reception: Sure. Jane Ross is xxxxxxx and Emma Jones is xxxxxx. Would you like me to put you through to any of them?
Nathan: Yes. Could you put me through to Emma please?
I now know the names of the three people in HR, including the head.
Social Engineering call (4)
HR: Hello, Emma here.
Nathan: Hi, Emma. This is Eric from Facilities Security in building 3. I wonder if you can help me. We have had a problem here with the access card database computer. It crashed last night and some of the data for the new starters got lost. Do you know who would be able to tell who the new starters were over the last 2 weeks as their access cards will have stopped working? We need to contact them and let them know ASAP.
Emma: I can help you with this. I’ll look up the names and email them to you if that’s OK? For the last 2 weeks did you say?
Nathan: For the last 2 weeks, yes. That’s great, thanks but would it be possible to fax it as we share one computer for email and that was affected by the computer crash, too.
Emma: Yes, OK. What is your fax number? Oh, and what’s your name again?
Nathan: Mark it for the attention of Eric. I’ll have to find out the fax number for you and call you back.
Nathan: Do you know how long it will take to find out the information?
Emma: It shouldn’t take me more than 30 minutes.
Nathan: Will you be able to start working on in straight away as it’s quite urgent.
Emma: I have a few things to do this morning but I should have the names this afternoon.
Nathan: That’s great, Emma. Thanks. When you’re done, would you be able to call me straight away so I can start reactivating their cards?
Emma: Yes, sure. What is your number?
Nathan: I’ll give you my mobile number that way you’re guaranteed to get me. 07970 xxxxxx.
Emma: OK, sure. I’ll call you when I have the list.
Nathan: Excellent, thanks. Really appreciate this.
Social Engineering call (5)
Call to main switch board of organisation.
Nathan: Could you put me through to IT Support?
Reception: Connecting you… (Long wait in queue.)
IT support: Hello, can I have your LS number or your case reference?
Nathan: I’ve just got a quick question. Is that OK?
IT support: What is it?
Nathan: A guy from Reuters is trying to send me a presentation and is asking me what the maximum size is for attachments.
IT support: It’s 5MB, sir.
Nathan: That’s great, thanks. Oh, one more thing. He said it’s an .exe file and sometimes, those get blocked or something.
IT Support: He won’t be able to send an executable file as the virus scanners will stop it. Why does it need to be an exe file?
Nathan: I don’t know. How can he send it to me then? Could he zip it or something?
IT Support: Zip files are allowed, sir.
Nathan: OK. Oh, one more thing. I can’t seem to see my Norton Anti-virus icon in my system tray. The last place I worked, there was a little icon.
IT Support: We run McAfee here. It’s just a different icon — the blue one.
Nathan: That explains it then. Thanks, bye.
I now know that to send an executable via email, it will have to be zipped first and less than 5 MB. I also know that they are using McAfee anti-virus.
Social Engineering call (6)
A few hours later, call from Emma in Human Resources.
Emma: Hi, is this Eric?
Nathan: Yes, hi.
Emma: I have the new starters list for you. Do you want me to fax it?
Nathan: Yes, please. That would be great. How many is there?
Emma: About 10 people.
Nathan: I’m not sure the fax is working properly here. Could you possible read them out to me. I think it will be quicker.
Emma: OK. Do you have a pen?
Nathan: Yes, go ahead.
Emma: Sarah Jones, sales. Manager is Roger Weaks, ………..
Nathan: OK, thanks. You have been a real help. Bye.
I now have a list of the new starters over the last 2 weeks. I also have the departments they belong to and their manager’s name. New starters are many times more susceptible to social engineering than long-term employees.
Social Engineering call (7)
Call to main switchboard of the organisation.
Nathan: Hi, I’m trying to email Sarah Jones but am not sure what the format of your email addresses are? Do you know?
Reception: Yes, it would be firstname.lastname@example.org.
Social Engineering email (1)
Minutes later, a spoofed email is sent.
subject: IT Security
As a new starter to the company, you will need to be made aware of the company’s IT Security policies and procedures and specifically, the employees “Acceptable Use Policy”.
The purpose of this policy is to outline the acceptable use of computer equipment at target company. These rules are in place to protect the employee and target company. Inappropriate use exposes risks including virus attacks, compromise of network systems and services, and legal issues.
This policy applies to employees, contractors, consultants, temporaries, and other workers at target company, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by target company.
Someone will contact you shortly to discuss this with you.
Social Engineering call (8)
A couple of hours later, call to the main switchboard of the organisation.
Nathan: Hi, could you put me through to Sarah Jones, please?
Reception: Connecting you.
Sarah: Hello, Sales. How can I help you?
Nathan: Hi Sarah. I’m calling from IT Security to brief you on IT security best practises. You should have gotten an email about it.
Sarah: Yes, I got an email about it today.
Nathan: OK, excellent. It’s just standard procedure for all new starters and only takes about 5 minutes. How are you finding things here? Everybody being helpful?
Sarah: Yes, thanks. It’s been great. It’s a bit daunting starting somewhere new, though.
Nathan: Yes and it’s always difficult to remember everyone’s name. Has Roger introduced you around? (…… various small talk to build rapport interspersed with more trust-building.)
Nathan: …Emma Jones is very nice in HR if you need any help with that side of things.
Sarah: Yes, Emma did my HR interview for the job.
Nathan: Well, I better run through the security presentation with you. Do you have your email open? I’ll send you the security presentation now and I can talk you through it.
Sarah: OK, I see the email.
Nathan: OK, just double click on the “Security Presentation.zip” attachment.
Sarah: It has come up with winzip.
Nathan: Just click extract and double-click on “Security Presentation”
Sarah: OK. …..
The executable that she ran is, in fact, a cleverly packaged series of scripts and tools created by our wrapper program including within it the RAT, a rootkit, keyloggers and anything else I may want to add.
When she clicks on the file, the presentation immediately starts. This is just a series of PowerPoint slides telling her not to run executables that she is sent, etc. and other good security practices 😉
The presentation is branded with all the company logos that were conveniently copied from their public web server, just to add a little more trust. A few seconds later as she is being taken through the presentation, scripts within the package start to try to disable McAfee and any other PC security that may be found that may help protect the user. Then, the rootkit installs itself hiding all future actions from the operating system or anybody doing forensic investigation. Next, the RAT is hidden and installed. The RAT is made to start every time the machine reboots and these actions are all rootkitted and hidden. The RAT then looks up any proxy settings and other useful information and tries to make its way out of the network and onto the Internet, ready to get its commands from its master. Obviously, all processes and TCP connections are hidden and even running things like netstat and task manager will not reveal them.
The RAT connects to the master. I now own the PC and it’s time to start looking around and really start hacking! Job done.