In most companies, the server room is considered the heart of the network. When a customer asks us to penetrate this room, we know the challenge is going to be considerable. The server room is usually guarded by access control, cameras, and a staff person or two. We're not always successful, but when we do manage to get in, we remind ourselves that relying on the kindness of strangers opens almost as many doors as a master key.
One of the most memorable server rooms we compromised pertained to an organization that had remote locations across a large geographic area. Each office served as a critical junction of network and switch equipment, and each facility also served as a service location that deployed people in trucks to provided customer support and service infrastructure. The customer asked us to visit certain locations and attempt to gain access.
We visited our first facility and combed the exterior as if we were locked out of our homes. The building was entirely constructed of concrete block, with no windows and one steel door guarded with a proximity access key-card system. We were about to get back into the car and leave when we spotted an unlocked company truck. I opened the door and noticed an employee badge and a proximity card hanging from the visor. I grabbed the badge and put it on to see if I could get in the building.
Just as I placed the card in front of the reader, the door opened. An employee was as startled as I was, probably because we almost walked into each other. He looked right at me and asked if I needed any help. That's about the time I realized I was wearing his badge, yet he did not notice.
I told him I was a building appraiser hired by the company to inspect the properties. Figuring I was caught and about to have to deal with the local authorities, I was instead invited into the building. Asked why the property and technology was being appraised, I responded that the company was probably being sold and they needed a fair estimate. He sighed and told me to do what I have to do. He then reached for his phone I was sure he was calling the cops. But in the meantime, I sat down among rack after rack of equipment, opened my laptop, and connected to an available network connection.
While I sat and worked, I listened to his phone conversation. It was his wife he was telling her the company was being appraised because it was being sold, and that he might be looking for work. After a few more minutes on their network (and eavesdropping), I decided to get out while I still had the opportunity. I motioned I was leaving and letting myself out. He waved back, still on the phone. I was still wearing his photo ID.
Let 'em eat cake
Another scenario didn't quite turn out the same, but fortunately our effort wasn't a complete failure. We were hired by an organization that wanted us to compromise its server room as part of a social engineering effort. Our client indicated that only a few key people were clued in to what was planned. Unfortunately, word spread fast that the IT group was being tested, so everyone was on high alert.
The day of our attempt, my colleague, Robert Clary, and I posed as consultants needing access to the server room. We approached the door and attempted to see if it was open. As we tried the door, a man who was working in the server room opened it and asked what we were doing. Between his tone of voice and body language, it was obvious he knew who we were and what we were doing.
Feeling cheated, we decided to retaliate. Clary and I retreated to my car to have a cup of coffee and devise our Plan B. From my car, we noticed the organization's security building directly in front of us. This customer had its own mini police force to guard the facility. We decided to social engineer our way into the security building and use their network connection to penetrate the internal network.
Armed with no more then laptop bags we entered the police force building, indicating we were consultants hired to work on their network connection. The department's director provided us with private offices in which to work. We cracked the network and were scouring it as thoroughly as we could when one of private security officers popped his head in. Clary and I had the identical simultaneous thought: Busted. To our surprise, the officer asked us if we wanted to participate in a birthday party for one of his co-workers. We agreed, left our private office, sang Happy Birthday, enjoyed some cake and coffee, and then got back to scanning the network.
Fast food security
Another recent server room caper also involved food, specifically leveraging the power of pizza and Buffalo-style chicken wings. The customer's server room was in a hallway in an office building shared by several tenants. Although guarded by a proximity access, it was secured by a regular doorlock. After some surveillance, we noticed that a few tenants still had employees and visitors coming and going after 5:00 p.m., so the building remained unlocked.
We also noticed that the cleaning crew started around 6:30 p.m. We made a note and paid particular attention to the guy who was responsible for cleaning the main hallways. He appeared friendly as we walked by and said hello, and his response indicated his English was limited.
On the day of our attempt we rounded up the normal stash of stuff we take, with the addition of a large, Neapolitan cheese pizza, a couple dozen Buffalo wings (hot), and a six-pack of soda (diet). When we picked up the food, I asked for an additional empty pizza box. In that one, I stashed a laptop, power brick, and Ethernet cable.
I parked in front of the facility and then watched through the glass doors for our cleaning guy. As he started cleaning I made my way into the building, heading for the door that led into the server room, carrying my two pizzas, wings, and soda. He noticed I was struggling to balance the two pies and Styrofoam container of wings on top of the boxes, while in my other hand I held the soda in a plastic shopping bag.
When I stopped in front of the server room door, I started the one-hand-holding-the-soda-trying-to-get-in-my-front-pocket-for-a-key routine. Without hesitation he immediately came over and reached for his wad of keys and opened the door. Success! I was in. After thanking him numerous times, offering a slice and drink, I slid into the air-conditioned server room to plug in.
It almost seemed too easy. But if you think about it: Why would he question a guy trying to get into a locked room to steal something, while carrying a couple pizzas? Most hackers probably do not pack a lunch when they intend on breaking into a place. [Ed, note: Perhaps they will now.]
So forget deep-packet inspection, the latest malware updates, and other technical must-haves for a second. People remain the weakest link in any enterprise security strategy. Most people want to be helpful and are conflict-averse, especially if you look even remotely as if you might belong in a given place. Employees and any ancillary service personnel must be trained to ask questions, verify identities, and know whom to call when something smells wrong. And those skills and processes must be continually reinforced. Otherwise, what they perceive as a kindness may be little more than unlocking the safe for some nice, friendly stranger.