Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/20/2008
06:57 AM
50%
50%

The Social Engineer's Toolbox

These are a few of our favorite things to bring along for a social engineering exploit

My firm was recently hired to perform a penetration test that required some extensive social engineering. To prepare for the job, we inventoried the tools we needed to do the job.

We have some shirts with tech company logos embroidered on them, as well as other items to help us pretend to be someone our client’s employees would trust. But as we began sorting through what we would bring on the trip, we realized these disguises and our laptops loaded with security software tools were benign compared to the other items we needed to get through airport security.

Here’s a rundown of some of the social engineering tools we have acquired at Secure Network Technologies and how we use them to ease our way into a facility and to connect to its network.

RF receiver

One of the most important tools we use is a portable RF receiver with digital recording. Models for these devices range from ones available from Radio Shack to fairly sophisticated units that cost thousands of dollars. When parked in front of your target building, one of these devices can be priceless. Server rooms are frequently equipped with wireless headset units that emit an RF signal back to a base station. On more than one occasion, an administrator in communication with another support person trying to troubleshoot a problem will give up a login and password when wearing one of these. Most headsets are enabled without encryption and are powerful enough to emit a signal that leeches outside the building. (See Hacking Wireless Headsets.)

Night vision

When reconnaissance is required for probing the weaknesses to help get into a customer’s location, night vision is extremely helpful. Since most customers who require our services are located in an urban environment, night vision combined with infrared illumination is recommended. Night-vision units that have both of these features are capable of minimizing blinding vehicle headlights, while also providing infrared illumination to help light up an object. Night vision lets us determine the best entry into a building or check out security guards and surveillance systems.

Laser range finder

When social-engineering your way into a building, tailgating workers is extremely effective. One tool we use for this is the laser range finder, which you can find in most sporting goods stores. It lets us determine the distance to the entrance into a building from a designated starting point. In one case, we used the range finder to determine the spot where we needed to catch up with a group of workers entering a secured building. Giving these employees enough lead time, and then trying to catch up with them as if we were late to a meeting is a convincing way to get us into a building that’s completely secured with proximity access cards.

Lock-pick set and gun

I never thought I would need to know how to pick a lock. But this skill – which I learned from my father-in-law, who was a licensed locksmith – has proven very valuable. Once inside a client’s building, gaining access to a secured location inside can be even more challenging. We bring along a set of lock picks as well as a tool known as a lock-pick gun. The “gun” helps automate the skill to some degree, but still requires a considerable amount of expertise. On one occasion, we needed access to a locked desk that contained the information required for us to compromise the client’s network. It only took two or three minutes with the lock-pick set and gun, and the desk lock was compromised.

Length of ¼-inch copper tubing

This tool is so ingenious that I wish I could take credit for it. Several offices have adopted the European "L"-style door handle, and this tool helps get past it when locked – a 3-foot section of copper tubing you can get at any hardware store, with steel thread run through its center and then tying the thread into a noose. The tubing can be bent, and then slid under the door so the noose of the steel thread can capture the handle. When it catches, just pull down and the door should open. It can also be helpful for doors that require motion, or button, access to open from the inside. By sliding it under the door and leveraging its rigidity to then press the release button, you could be in before you know it. We found this tool helpful when moving floor to floor through a building stairwell.

Covert digital camera and DVR

Sometimes, a customer requests we use a covert camera when social engineering our way into a building then onto the network. Not only does it prove we got in, but playing the video back to employees helps drive home the point of security. We’ve become fond of button cameras tied to a digital video recorder. The recorder is roughly the size of a portable MP3 player and the quality is exceptional in light and dark scenarios. The camera, which you wear on the lapel of a coat or as an actual button on a shirt, is hardly noticeable. While on one job, we were able to video a group of employees in a conference room with a button camera: By simply removing my jacket and strategically placing it, we recorded the keystrokes needed for the next phase of our exploit.

It helps to use super glue to adhere the camera to your clothing -- that minimizes camera movement and helps aim the camera in the desired direction. (Warning: Super glue bonds to skin with incredible strength. Once the glue tube cap opened while in my pants pocket -- not only does it burn, but trying to separate certain parts of your body that get glued together can be extremely painful.)

Digital audio recorder

Capturing a conversation can be lucrative. We use a high-end digital audio recorder, which is a little larger than the size of a pack of cigarettes. It has several microphones built into it so it can record from several angles with exceptional quality. A colleague of mine once attended a hotel bar to gather intelligence from a group of employees from out of town. Once he gained their trust and they had been drinking for a while, the effects of the alcohol were as good as an injection of sodium pentothal. We got information about what they were in town for, what their plans were – inside information that we could use as cover.

USB memory sticks

The memory stick comes in handy for moving data in and out of the client’s site. Mobility is important in social engineering because getting overloaded with gear can be a problem.

Badge sleeves, access cards, and keyfobs

The appearance of “belonging” is a big part of social engineering. I have gathered a considerable collection of card access keys, badge sleeves, and building access keyfobs over the years. Having a bogus card on a retractor may be all you need to convince an employee that your card has just become defective. On more than one occasion, an employee has let me into the building, having been convinced by my ruse. My colleague Robert Clary once got complete access to a facility by displaying a dosimeter badge used for radiation protection.

As new technologies evolve, our list of tools and tricks of the trade will evolve and grow as well. Meanwhile, a word of caution: For those with questionable ideas, note that using any of the social engineering tools here for anything outside of permissible intentions may be considered criminal behavior. And when you travel, I suggest checking your bags rather than trying to get any of this through airport security.

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27187
PUBLISHED: 2020-10-26
An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other partitioning related command...
CVE-2020-7752
PUBLISHED: 2020-10-26
This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.
CVE-2020-7127
PUBLISHED: 2020-10-26
A remote unauthenticated arbitrary code execution vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
CVE-2020-7196
PUBLISHED: 2020-10-26
The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the ur...
CVE-2020-7197
PUBLISHED: 2020-10-26
SSMC3.7.0.0 is vulnerable to remote authentication bypass. HPE StoreServ Management Console (SSMC) 3.7.0.0 is an off node multiarray manager web application and remains isolated from data on the managed arrays. HPE has provided an update to HPE StoreServ Management Console (SSMC) software 3.7.0.0* U...