We have several war stories like this and often share them as case studies during the presentations and training that Brent and I conduct. I am kicking off a series of regular War Stories that will be shared here! By sharing these stories, I hope to provide some legitimate examples of how we have been able to compromise sensitive areas, networks, and obtain sensitive data during our covert entry and Red Team assessments against client locations.
War Story: “Keyloggers and Coffee”
Assessment Type: Red Team (Onsite)
Target Type: Corporate Financial Institute
Most of our assessments over the years focus on large corporate environments. This comes with pros and cons, just as smaller engagements can also have their pros and cons. Some of the pros to performing an on-site social engineering, covert physical security or red team assessment against a large employee body is that you have the benefit of easily blending in. With a high turnover rate and a consistent flow of come and go employees and contractors, you are less likely to be noticed and your list of guises are a little more flexible – especially when posing as an employee. Unfortunately, this engagement wasn’t so flexible and was against low turnover and financial institution client’s small local data processing offices. The client had a few of these new offices (built into the houses and on residential property that they managed) that they wanted tested and one of their concerns was due to the offices being located in the middle of a congested suburb.
Since this was a cold assessment, I had very little client-provided data, time to prepare and the target facilities had been recently built so Google Street View etc. didn’t help with my Open Source Intelligence (OSINT) prep work. So, I decided to do some passive reconnaissance and drive by the buildings a couple of times with two different standard car rentals. This is where I noticed that only one employee was at the site and she had clients coming in and out of the residential office, inside of a house. I decided to dress the part of ye ole “corporate networking guy” and donned a fake badge with my picture, the company logo, and the name “Kevin Alderson,” along with some jeans, a ball cap and a blue zip-up jacket. I also had my laptop bag, a pre-configured drop box, a couple of hardware keyloggers, LAN Turtle, Bash Bunny (by Hak5), a Wifi Pineapple, and some USB devices with pre-loaded payloads, waiting to dial back to the listener that a co-worker and I had setup. Did I need all of this? Nope.
With these types of assessments you risk coming across a very skeptical employee, but more often than not, the sad reality of it is that if you say you’re with “IT” or “corporate,” many employees tend to believe you – unless you give them a reason not to. I was able to use the same guise at both similarly laid out locations, essentially being flexible with the same verbiage and deliverance.
On-site Social Engineering Assessment – Location #1
Once on the property of the first site, I made sure to park down the road a bit and walk to the target location. I noticed that the side entrance had lever handle doors and the main entrance had a generic residential handle and lock. I saw no security sensors or cameras (lockpicking or an opportunity to use the Under-the-Door tool were options). As I walked in, I smiled and waved to the employee who was busy with a client, in her glass office. I looked around and noticed a vacant office to my right as well. This was small…
“I will be with you in just a moment,” she acknowledged me. I nodded and sat down in the visitor area. I watched her as she continued her conversation with a client. She was really focused on the conversation and obviously felt pretty comfortable discussing financial information loudly enough for me to hear. Too often than not, people fail to censor their conversations, no matter how sensitive the content may be.
She appeared to be pretty busy, so I decided to take advantage of this by briefly interrupting her conversation to inquire about the vacant office, followed by, “Sorry to interrupt, I know you’re with a client, but I am with ABC and need to test the network connectivity of some of the new offices. Could I go ahead and get started in here while I wait?” I nodded to the vacant office and started to make my way toward the office door. Sometimes when you move toward something, people bend and go with it.
“Oh…Sorry, not that office. He is out today. I am just wrapping up here and then you can use mine.” Well, that was easy, I thought to myself, a little shocked. I waited for a few minutes as she got up from the desk, shook hands with her client and motioned to her PC. “I’m sorry. You’re with IT, but what did you need to do again?” she asked.
“We are testing the connectivity for the new offices and I just need to take a look at the jack over there and hop on your system real quick.” As I was talking to her, I sat down at the desk, pulled out my rogue AP / drop box and plugged it in the router, conveniently located behind the printer. After that, I plugged in my keylogger and began having a conversation to distract her from what I was doing. “Have you had any latency issues, dropped calls or any sort of connection problems? We are in the process of making some upgrades and…oh, your screen locked out. Do you mind logging back in for me? Also, go ahead and save any work that you may have open.”
She leaned over me, typed in her domain credentials and I screen surfed the documents she had open for a minute as she saved her work. Social security numbers and financial applications…sweet! I also noticed the name of the document processing application that they used, with the data populated from the client she had just met with, still pulled up.
“Also, have you been able to use your domain credentials to authenticate to the XYZ application?”
“Oh, no. I use a different password for that.” She nodded to her keyboard. I raised an eyebrow and looked over. She had conveniently written down a handful of passwords on a piece of paper taped to the bottom of the keyboard. People still do this? Apparently.
“Ah, okay. Which one?” I chuckled in an effort to help her to relax, especially after she had exposed her passwords. She laughed too, even admitting that she knew it was bad practice and then proceeded to tell me what each one was used for. By this time I had already plugged in my drop box and key logger…but, did I need them? Nope. In an effort to see how far I could push, I even had her visit a phishing site that I had set up earlier for the remote portion of the engagement, and asked her to log into the “XYZ Portal” with her domain credentials. She did and they were sent to another Security Consultant who had been waiting for that reverse-TCP connection or some credentials to try against the VPN he had found.
I sat at her system for a good 45 minutes just talking to her about her day, boring IT stuff (where she reminded me a few times that she was not “technical”) and copying several scanned documents with client and financial data. I had made sure that the screen wasn’t in a position where she could see what I was doing and there were absolutely no cameras in the building either. It was at this point that she started talking to me about the things that didn’t work (like her Bluetooth, mouse, etc.). I kept the guise going and wanted to see if I could convince her to plug in the Bash Bunny, “Oh, it looks like you are missing your USB receiver for the wireless keyboard. I have one that we can test. Care if I plug this up or do you want to?”
“If it’ll help, that’d be great! You can go ahead and do whatever you need to do.”
Well, okay then…
It had only taken a couple of minutes to get physical access to the client system and networking devices. Within the first 15-20 minutes I had a drop box plugged in, a key logger installed, hashes pulled, and about a gig of sensitive data being dumped. I walked out of the office with a handshake, a thank you, and more than I had bargained for.
On-site Social Engineering Assessment – Location #2
The second location was similar to the first in appearance and layout. This time, however, I picked up some coffee with an extra one prior to arriving. I thought I would try to use this to butter up whoever the next person(s) may be. Once I parked and walked into the facility, I was greeted by another lady and noticed a maintenance worker sitting across from her. They were complaining about their day and promptly got quiet as I entered.
“Hey guys, I am with ABC Company and just need to test the network connectivity.” I smiled as I sat the coffee cup holder down and began to take my laptop bag off. They looked skeptical.
“You’re here to do what?” The gentleman asked. At this point I considered that he may actually be from IT and my cover could be compromised. I quickly scrambled for legitimate sounding lie to reinforce what I had already said. Dude knew what I had said, he was just testing me.
“There was a ticket put in a while back. Did you guys not get the email notification that I would be here? We are in the process of doing some migration on the network and there have been some outages at the XYZ offices, so I get to drive around all day and choke down ludicrous amounts of caffeine.” I laughed, attempting to fish for some pity and laughter on their part. “Speaking of which, Starbuck’s gave me this extra Americano, if one of you would like it. I know they were out of coffee at the .” I brought the coffee over to the desk, sat it down and went to shake the man’s hand, “Oh, I’m sorry, I’m Kevin. I’m guessing you aren’t here to fill out a 123 form?” I had dropped both a legitimate name and the name of one of the company’s generic forms that I saw at the previous site. It helped.
“Ha ha. No. I am with maintenance. Just finishing up with my break and figured I would come over here and annoy Sarah. Todd’s the name.” He returned the handshake, with a pleasant and trusting demeanor.
“What kind of coffee did you say this is? I usually just drink the specialty coffee drinks with a lot of sugar and syrup. This looks like tar.” The woman behind the desk laughed as she picked the coffee up. “Here you go Todd, I think this is just black. Probably more your taste.” She passed it over as Todd took it, stood up, thanked me and left the building.
At this point, Sarah locked her system and let me sit down at her desk. Instead of using a lot of gadgets, I just took out the key logger and plugged it in between the keyboard and the system. “Could you go ahead and log back in? I need to pull up a command prompt to test the connectivity.” She did, and the keylogger was able to catch her submission. I pulled up a command prompt and quickly typed “ipconfig”, “ping 126.96.36.199”, “netstat”, and some generic network commands, just to let her see something boring and “related” as she watched me. “Actually, because I am going to have to ask you to do that a few times, do you mind just writing down your credentials and then we can shred it once I am finished?” I slid the Post-It stack to her and placed a pen on top as I continued to focus on the system, in an effort to convey that this was normal. Using the same technique that I had attempted to utilize at the previous site, I was successful in this bold request.
“Ha ha. Sure. Just don’t tell anyone or laugh at my password.” She wrote down her password and slid it back to me.
“Well, I will try not to share it with any hackers or anything.” I laughed. “This is a unique password. Fan of the book?” We then discussed the book that she had modeled her password after. Fortunately, I too loved this book and this presented a perfect opportunity to establish further rapport. This went on for a while as I simply repeated what I had done before and began to dump sensitive data. At this point, another employee came in with a client, continuing a conversation about loans. I waved for her to go ahead and do what she needed to do. She nodded and began attending to them, leaving me alone with the system.
As I was snooping around, I gained access to network shares and several systems on the network. I also noticed that she had her PGP private key saved conveniently in the My Documents folder, along with some VPN information. Once she was finished with the employee and client, I had already retrieved more than what I came for. “Sarah, I noticed you don’t have a laptop. Do you ever do work from home?”
“Ha! I am not special enough for a laptop. But, they did give me a tablet that I rarely use. I can’t get the VPN to connect.”
“Oh yeah? Could you show me how you typically connect from home and what credentials you use? Maybe I can reset some things from here for you, in an effort to help. At least, since I am here.”
She continued to explain how to remotely connect to the ABC network and I listened. Since I am far from having a photographic memory, I took some quick notes when she wasn’t paying attention. In the end, I had another gig of data, domain credentials, a private encryption key and a tutorial about how to connect to the VPN. I’d say this was a successful engagement and most importantly a reminder of how gullible people can be when their guard is brought down, when you appear legitimate, are sympathetic, relatable and helpful.
Lessons Learned / How do companies prevent this?
So, what do we learn from this war story?
It doesn’t matter how big the target is, but how aware the employee is. Employees rarely ever look beyond face value, and that includes a legit looking appearance (in this case, “IT guy” with a badge), a free cup of coffee, a roll-with-the-punches approach to conversation and the ability to just listen and relate.
This is going to be a no brainer, but security awareness training! This goes beyond the annual awareness campaign and 10-20 question quiz. This must be ingrained into the culture of your company. Your employees must be aware of the risks that are associated with information security (this includes physical and technical controls). A good security culture, social engineering countermeasures, incident handling, proper controls and enforced standards can prevent a potentially dangerous and damaging compromise. When it comes to physical security, it is more than information that could be at stake, but also the employee and company assets.
You don’t have to be paranoid, but in the age of hacktivism and terrorism, skepticism and awareness are traits every employee should have. Rarely doubt your instincts when someone is requesting something that seems out of the ordinary or abrupt. An employee who is able to discern common traits and mannerisms of a would-be attack, can be the first barrier to prevent compromises like this, and many of the other war stories that I have shared. Hackers do not care how hardened your network is if they can just walk in and ask for passwords and access.