Blog: Social Engineering
Real-life social engineering. Another two days in tweets
What happens in a real life social engineering exercise? There’s a lot of planning and preparation that goes on behind the scenes: it’s not a matter of turning up to a site and ‘winging it’!
I live tweeted an exercise a little while back, to give a flavour of a real task in real time. For reasons of confidentiality, we can’t share photographs or locations, but I hope you find it useful and illustrative.
7:46 AM · Sep 16, 2019 Just a reminder that I’ll be live tweeting (ish) another social engineering job but in a foreign country which poses a different set of challenges. I’ve got a long flight ahead and recon will start tomorrow. Looking forward to catching you all later
Day One
5:01 AM · Sep 17, 2019 I’ve arrived at my destination but I’m not starting recon just yet. I’ve got a little housekeeping to do. I did promise I’d go over some tools/equipment in my last thread so I’ll do that now.
5:04 AM · Sep 17, 2019 For context, this isn’t a full red team as in physical damage and busting in through the roof is out of scope. This is “light and obvious” physical access testing (my opinion of it anyway).
5:08 AM · Sep 17, 2019 With that in mind, here’s some things I’ve brought to help: Multiple ID badges and holders. I reference this in my talk and it’s a silly thing, but orientation of badge holder is important, portrait/landscape. That green bag is from an airline long haul. Useful to store stuff in
5:10 AM · Sep 17, 2019 My proxmark is there too. It’s a great tool and folks like @herrmann1001 and @RfidGroup are making that firmware better every day.
5:14 AM · Sep 17, 2019 When traveling or having to carry my rucksack for long periods, I want something light. This ghost pick set from @Mad_boBpicks is perfect. And the blue handled thing, a travellers hook from @redteamtools
5:17 AM · Sep 17, 2019 I don’t often take these out (to the target site) but always handy to have a leatherman and a mini screwdriver. Always check local law about carrying (or even having) these tools. In this instance, I’m not in the UK but have checked.
5:19 AM · Sep 17, 2019 Another odd choice, a cap. I use this as a recon disguise. It’s unlikely anyone that sees me on recon will recognise me the next day when entering just by using a simple trick like this.
5:22 AM · Sep 17, 2019 Some electronic stuff now. This job includes a dropbox: Standard raspberry pi with some customisations. I have two usb 3G/4G dongles with me and really important to test network connectivity and coverage in the target area!
5:25 AM · Sep 17, 2019 I have a portable screen with me too so I can change things on the pi easily if needed. Got a slight issue with the new pi: it’s micro HDMI and my screen is mini HDMI, and I’ve not found a suitable converter yet.
5:27 AM · Sep 17, 2019 And a bag of random stuff. Dongles, cables, etc etc. I like to keep everything organised in bags like this. I have separate bags for different tasks. It makes it so easy to just grab a bag, chuck it in the suitcase and go.
5:29 AM · Sep 17, 2019 What I’ve not included in this list is outfits. I have a suitcase full of outfits and shoes. All carefully thought out (and tried on) to be able to cover me for whatever I discover during the onsite recon. Smart, smart casual, casual etc.
12:22 PM · Sep 17, 2019 Ok on to the recon.
12:30 PM · Sep 17, 2019 So here’s some stuff I know from OSINT: The location is in a large shopping mall. Right on the outskirts of town. This is good, I can pretend to be a shopper and I’d expect to see staff wandering around.
12:33 PM · Sep 17, 2019 Also this will help confirm dress style and spotting non standard entry and exit points. Rather than the front entrance. It’s after 7pm here. I left it late because I might want to interact with front entrance security and them be different people tomorrow.
1:03 PM · Sep 17, 2019 At this point what I’m really doing is trying to confirm the output from the OSINT. I always have a backup plan but the OSINT output should be strong and correct at this late stage.
1:05 PM · Sep 17, 2019 If the OSINT was wrong then that would be a different issue, but it’s good and I’m happy. Next I need to find more entrances. I’m not going to do entry tonight but I do want to find all I can.
1:21 PM · Sep 17, 2019 Public Service Announcement: it’s pitch dark here and I’m walking around the back of some areas that aren’t so well lit. I’m 6ft + and I don’t feel comfortable. If I’m not taking that risk, you don’t need to either.
1:22 PM · Sep 17, 2019 I’ve found plenty of stair wells, but I think they are service entrances to the mall not the offices so I’m ignoring those.
1:41 PM · Sep 17, 2019 Sometimes it’s easy to just ask. I spotted an employee, said I had a meeting in the morning, first time here, and what’s the process to get access in the morning for my meeting. Bingo, all the details I needed, a guided tour and info on all the possible entrances!
1:58 PM · Sep 17, 2019 I lucked out massively there. Sometimes that happens. And that’s all for tonight folks. It’s 9pm and I need to eat. Fingers crossed for a good night’s sleep. Catch you all tomorrow
Day Two
2:55 AM · Sep 18, 2019 Morning folks! Following on from yesterday’s recon thread, today is entry day! I’ll be semi live tweeting, depending on what I can get away with. Quick recap from yesterday: recon confirmed OSINT findings, smart casual dress style, and ID badges (including layout).
2:59 AM · Sep 18, 2019 I’m going to be trying a fake ID badge today that the marvelous @Yekki_1 printed for me. This isn’t an electronic clone but a visual copy. Hopefully it’s enough. From my guided tour last night (how lucky was that!) I know where the security and reception desk is.
3:01 AM · Sep 18, 2019 I also roughly know that there are no other entrances at the moment so front entrance is my only choice. As I mentioned in my previous thread, I’ve also planned out a route that will take me past a place to get coffee and croissant
3:04 AM · Sep 18, 2019 I don’t think deodorant was designed for SE work. Maybe they should use us as beta testers!?
3:11 AM · Sep 18, 2019 I have a small technical problem to solve. My international data SIM isn’t playing ball for the dropbox. But I was observant and spotted a phone shop at the target site yesterday so I should be able to solve that.
3:17 AM · Sep 18, 2019 Most of these “smaller” jobs are one person. I need to be able to problem solve on my feet, whilst jet lagged and find solutions in a foreign country/language. Your favourite search engine is your friend here.
3:25 AM · Sep 18, 2019 Some other stuff I did last night in prep: unpacked and repacked my laptop bag. Took out all the stuff I won’t need today and put all the stuff I will need in. When I go to sleep, my brain won’t wake me in the middle of the night saying “hey did you pack X thingy” it’s all done.
4:42 AM · Sep 18, 2019 Slight technical delay, still having issues with a data SIM which is important for the dropbox. I’ve missed the morning peak footfall into the office. I’m not too concerned, my pretext and approach isn’t tailgating this time. I have a different plan
5:18 AM · Sep 18, 2019 Right, think I’ve solved the problem. Time to try and get in. Please standby…….
5:44 AM · Sep 18, 2019 And I’m in! My first challenge, I headed to the toilets to relax down and these are not western style so involve squatting. No place to sit (I said sit!) and squatting is not relaxing. Bugger. Quiet stairwell it is then.
5:49 AM · Sep 18, 2019 I’ll detail how later when things are more settled. Some things I’ve spotted, there are several server rooms on this floor. I’m not going for them yet but they look susceptible to a travellers hook (blue handled thing in tools thread). It’s high risk so will try later.
5:52 AM · Sep 18, 2019 Also spotted several detailed floor plans. These are REALLY useful. I want to stay away from IT and HR, at the moment anyway. Maybe later. I found a quiet stairwell and I’m letting that adrenaline die down.
5:53 AM · Sep 18, 2019 So my plan is, walk around, explore the entire building as much as possible. Then try to find either some meeting rooms or empty offices, and test the network connection. Ready for my dropbox.
5:55 AM · Sep 18, 2019 Once that’s in, and I’ve confirmed it’s working, I’ll probably try those server room doors and other higher risk tasks.
6:34 AM · Sep 18, 2019 Other things of note: main swipe door takes a long time to close which triggers an alarm. But it happens so often, everyone is ignoring the alarm completely. Whoops.
6:51 AM · Sep 18, 2019 I’m also getting looked at a lot. It’s not that suspicious look. More that I’m a new face so I’m a curiosity. Just politely smile.
7:13 AM · Sep 18, 2019 Oh! I spoke too soon! I’ve had a challenge. Part curiosity but part genuine challenge. I *think* my pretext held out. Will find out shortly….
7:52 AM · Sep 18, 2019 Public Service Announcement: look after yourself, remember to eat lunch, drink water and go to the loo. You can get so wrapped up in the moment that you forget these things, then wonder why you feel crap later. Btw, looks like the pretext held out.
8:20 AM · Sep 18, 2019 Here’s something I didn’t prepare for: A massive thunderstorm with really really heavy rain!
10:26 AM · Sep 18, 2019 Sorry for the short break, needed to do a couple of things. Quick update, I’m not done yet, got a few tasks that I want to complete. Other good news, the rain has stopped
10:30 AM · Sep 18, 2019 Found a lovely place for the dropbox, a meeting room that appears to get very little use. I’ve checked, 4G signal is strong and the network point is live. Plus there are chairs stacked up in the corner to hide it amongst.
11:42 AM · Sep 18, 2019 Well that was a nice challenge. The network point wasn’t live so needed to find another spot. A quick bit of hunting and talking to staff, I’m offered a desk, with network and power. Perfect
11:45 AM · Sep 18, 2019 A quick test and it’s good. The team in the UK will carry on with that portion of testing. They’ll have more time and I can get some well earned rest. Successful day. Now to change out of this sweaty pits shirt and shower
11:53 AM · Sep 18, 2019 While I wait for a taxi, a couple of quick answers: my pretext was that I was from the UK office, working in this office for 2 days to meet with some external customers. Difficult to verify both with the UK office and I’m not giving a local internal contact either.
11:56 AM · Sep 18, 2019 And how did I get in: Yesterday’s recon and conversation with staff gave me a vital piece of info (which I can’t really detail, sorry) that meant I knew my fake ID badge would work today. Remember it was only a visual copy.
And it’s a wrap – the real world of social engineering. Preparation makes a huge difference to success and detection rates of the social engineer.
Conclusion
Every exercise is different, but what could the organisation learn from this?
As an industry we tend to use the word “challenge” when advising on how to deal with potential intruders. It’s the right word, but it implies conflict, and the idea of conflict can discourage your staff from acting.
Maybe “question” would be better. I suggest that if staff are unsure about a person they should simply ask them questions. They shouldn’t be confrontational, and the replies should be treated as correct.
…which makes it easier to ask more questions.
It’s best done in a friendly and assertive way. What tends to happen is that the potential intruder will feel comfortable and so will be less likely to move on or respond with a challenge. Obviously the answers will need verifying.
The more questions asked, the more likely it is that the intruder will make a mistake. If they do slip up, you don’t necessarily need to let on, but you do need to notify the right people in your organisation ASAP.