
Vulnerabilities / Threats

2/20/2008
06:57 AM

The Social Engineer's Toolbox

These are a few of our favorite things to bring along for a social engineering exploit

My firm was recently hired to perform a penetration test that required extensive social engineering. To prepare for the job, we inventoried the tools we would need.

We have shirts with tech company logos embroidered on them, as well as other items that help us pass as someone our client's employees would trust. But as we sorted through what to bring on the trip, we realized these disguises, and our laptops loaded with security tools, were benign compared with the other items we would need to get through airport security.

Here's a rundown of some of the social engineering tools we have acquired at Secure Network Technologies and how we use them to ease our way into a facility and onto its network.

RF receiver

One of the most important tools we use is a portable RF receiver with digital recording. Models range from inexpensive units available from Radio Shack to fairly sophisticated receivers that cost thousands of dollars. Parked in front of the target building, one of these devices can be priceless. Server rooms are frequently equipped with wireless headsets that transmit an RF signal back to a base station. On more than one occasion we have heard an administrator, wearing one of these headsets while troubleshooting a problem with another support person, read a login and password over the air. Most headsets operate without encryption and transmit strongly enough for the signal to leak outside the building. (See Hacking Wireless Headsets.)

Night vision

When reconnaissance is needed to find the weaknesses that will get us into a customer's location, night vision is extremely helpful. Since most customers who require our services are in an urban environment, night vision combined with infrared illumination is recommended. Units with both features can suppress the glare of vehicle headlights while providing infrared illumination to light up an object of interest. Night vision lets us determine the best entry point into a building and check out security guards and surveillance systems.

Laser range finder

When social-engineering your way into a building, tailgating workers is extremely effective. One tool we use for this is the laser range finder, which you can find in most sporting goods stores. It lets us measure the distance from a designated starting point to the building entrance. In one case, we used the range finder to work out the exact spot where we needed to catch up with a group of workers entering a secured building. Giving these employees enough lead time, then hurrying to catch up with them as if we were late for a meeting, is a convincing way to get into a building that is otherwise completely secured with proximity access cards.

Lock-pick set and gun

I never thought I would need to know how to pick a lock. But this skill, which I learned from my father-in-law, a licensed locksmith, has proven very valuable. Once inside a client's building, gaining access to a secured location within it can be even more challenging. We bring along a set of lock picks as well as a tool known as a lock-pick gun. The "gun" automates the skill to some degree, but it still requires a considerable amount of expertise. On one occasion, we needed access to a locked desk that contained the information required to compromise the client's network. Two or three minutes with the lock-pick set and gun, and the desk lock was open.

Length of ¼-inch copper tubing

This tool is so ingenious that I wish I could take credit for it. Many offices have adopted the European "L"-style lever door handle, and this tool gets past it when locked: a 3-foot section of copper tubing from any hardware store, with steel wire run through its center and tied into a noose at one end. The tubing can be bent, then slid under the door so the wire noose can capture the lever handle. When it catches, just pull down and the door should open. It is also useful for doors that open from the inside by motion sensor or push-button release: slide the tubing under the door and use its rigidity to press the release button, and you could be in before you know it. We found this tool helpful when moving floor to floor through a building stairwell.

Covert digital camera and DVR

Sometimes a customer asks us to use a covert camera while social engineering our way into a building and onto the network. Not only does the footage prove we got in, but playing the video back to employees helps drive home the point about security. We have become fond of button cameras tied to a digital video recorder. The recorder is roughly the size of a portable MP3 player, and the picture quality is exceptional in both bright and dark conditions. The camera, worn on the lapel of a coat or as an actual button on a shirt, is hardly noticeable. On one job, we were able to video a group of employees in a conference room with a button camera: by simply removing my jacket and placing it strategically, we recorded the keystrokes needed for the next phase of our exploit.

It helps to use super glue to fix the camera to your clothing; that minimizes camera movement and keeps the camera aimed in the desired direction. (Warning: super glue bonds to skin with incredible strength. Once the cap came off a tube in my pants pocket. Not only does it burn, but separating certain parts of your body that have been glued together can be extremely painful.)

Digital audio recorder

Capturing a conversation can be extremely valuable. We use a high-end digital audio recorder, a little larger than a pack of cigarettes. It has several built-in microphones, so it records from several angles with exceptional quality. A colleague of mine once sat in a hotel bar to gather intelligence from a group of the client's employees who were in town from out of state. Once he had gained their trust and they had been drinking for a while, the effects of the alcohol were as good as an injection of sodium pentothal. We learned what they were in town for and what their plans were: inside information we could use as cover.

USB memory sticks

The memory stick comes in handy for moving data into and out of the client's site. Mobility matters in social engineering, because being overloaded with gear draws attention and slows you down.

Badge sleeves, access cards, and keyfobs

The appearance of "belonging" is a big part of social engineering. Over the years I have gathered a considerable collection of access cards, badge sleeves, and building access keyfobs. Having a bogus card on a badge retractor may be all you need to convince an employee that your card has simply stopped working. On more than one occasion, an employee has let me into the building, convinced by that ruse. My colleague Robert Clary once got complete access to a facility by displaying a dosimeter badge of the kind used for radiation monitoring.

As new technologies evolve, our list of tools and tricks of the trade will evolve and grow as well. Meanwhile, a word of caution: for those with questionable ideas, note that using any of the social engineering tools described here outside of an authorized engagement may be considered criminal behavior. And when you travel, I suggest checking your bags rather than trying to get any of this through airport security.

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading
