My firm was recently hired to perform a penetration test that required some extensive social engineering. To prepare, we inventoried the tools we would need to do the job.
We have some shirts with tech company logos embroidered on them, as well as other items that help us pretend to be someone our client's employees would trust. But as we began sorting through what we would bring on the trip, we realized these disguises and our laptops loaded with security software tools were benign compared to the other items we needed to get through airport security.
Here's a rundown of some of the social engineering tools we have acquired at Secure Network Technologies and how we use them to ease our way into a facility and to connect to its network.
One of the most important tools we use is a portable RF receiver with digital recording. Models range from ones available at Radio Shack to fairly sophisticated units that cost thousands of dollars. When parked in front of your target building, one of these devices can be priceless. Server rooms are frequently equipped with wireless headsets that send an RF signal back to a base station. On more than one occasion, an administrator wearing one of these while troubleshooting a problem with another support person has given up a login and password over the air. Most headsets run without encryption and are powerful enough that their signal leaks outside the building. (See Hacking Wireless Headsets.)
When reconnaissance is required to probe for weaknesses that could get us into a customer's location, night vision is extremely helpful. Since most customers who require our services are located in an urban environment, night vision combined with infrared illumination is recommended. Night-vision units that have both of these features can minimize the blinding effect of vehicle headlights while also providing infrared illumination to light up an object. Night vision lets us determine the best entry into a building or check out security guards and surveillance systems.
Laser range finder
When social-engineering your way into a building, tailgating workers is extremely effective. One tool we use for this is the laser range finder, which you can find in most sporting goods stores. It lets us determine the distance from a designated starting point to the entrance of a building. In one case, we used the range finder to determine the spot where we needed to catch up with a group of workers entering a secured building. Giving these employees enough lead time and then catching up with them as if we were late to a meeting is a convincing way to get into a building that's completely secured with proximity access cards.
Lock-pick set and gun
I never thought I would need to know how to pick a lock. But this skill, which I learned from my father-in-law, a licensed locksmith, has proven very valuable. Once inside a client's building, gaining access to a secured location inside can be even more challenging. We bring along a set of lock picks as well as a tool known as a lock-pick gun. The gun automates the skill to some degree, but it still requires a considerable amount of expertise. On one occasion, we needed access to a locked desk that contained the information required for us to compromise the client's network. It took only two or three minutes with the lock-pick set and gun, and the desk lock was compromised.
Length of ¼-inch copper tubing
This tool is so ingenious that I wish I could take credit for it. Several offices have adopted the European "L"-style door handle, and this tool helps get past it when locked: a 3-foot section of copper tubing you can get at any hardware store, with steel thread run through its center and tied into a noose at the end. The tubing can be bent and then slid under the door so the noose of the steel thread can capture the handle. When it catches, just pull down and the door should open. It can also be helpful for doors that open from the inside by motion sensor or push button. By sliding it under the door and using its rigidity to press the release button, you could be in before you know it. We found this tool helpful when moving floor to floor through a building stairwell.
Covert digital camera and DVR
Sometimes a customer requests that we use a covert camera when social engineering our way into a building and then onto the network. Not only does it prove we got in, but playing the video back to employees helps drive home the point of security. We've become fond of button cameras tied to a digital video recorder. The recorder is roughly the size of a portable MP3 player, and the quality is exceptional in both light and dark scenarios. The camera, which you wear on the lapel of a coat or as an actual button on a shirt, is hardly noticeable. On one job, we were able to video a group of employees in a conference room with a button camera: by simply removing my jacket and strategically placing it, we recorded the keystrokes needed for the next phase of our exploit.
It helps to use super glue to adhere the camera to your clothing -- that minimizes camera movement and helps aim the camera in the desired direction. (Warning: Super glue bonds to skin with incredible strength. Once, the glue tube's cap came open while it was in my pants pocket -- not only does it burn, but trying to separate certain parts of your body that get glued together can be extremely painful.)
Digital audio recorder
Capturing a conversation can be lucrative. We use a high-end digital audio recorder that is a little larger than a pack of cigarettes. It has several microphones built into it, so it can record from several angles with exceptional quality. A colleague of mine once went to a hotel bar to gather intelligence from a group of employees who were in town from out of state. Once he gained their trust and they had been drinking for a while, the effects of the alcohol were as good as an injection of sodium pentothal. We got information about what they were in town for and what their plans were: inside information that we could use as cover.
USB memory sticks
The memory stick comes in handy for moving data in and out of the client's site. Mobility is important in social engineering because getting overloaded with gear can be a problem.
Badge sleeves, access cards, and keyfobs
The appearance of belonging is a big part of social engineering. I have gathered a considerable collection of access cards, badge sleeves, and building access keyfobs over the years. Having a bogus card on a retractor may be all you need to convince an employee that your card has just become defective. On more than one occasion, an employee has let me into the building after being convinced by my ruse. My colleague Robert Clary once got complete access to a facility by displaying a dosimeter badge of the kind used for radiation protection.
As new technologies evolve, our list of tools and tricks of the trade will evolve and grow as well. Meanwhile, a word of caution: For those with questionable ideas, note that using any of the social engineering tools here for anything outside of permissible intentions may be considered criminal behavior. And when you travel, I suggest checking your bags rather than trying to get any of this through airport security.