
Social engineering in practice: “physical access” to Kevin Mitnick’s private conference

“Physical access means entering the building of the company you are interested in. I never liked it. Too risky. Even as I write about it, a cold sweat breaks out.” Kevin Mitnick, “Ghost in the Wires: Memoirs of the Greatest Hacker”



Back in my student days, when information-security olympiads and conferences were held, it annoyed me that methods and work involving social engineering (SE) were not accepted. How could that be! After all, Mitnick, already legendary in those days, says that 99% of hacking happens through SE.

I can't describe my joy when I learned last September that Mitnick was coming to Moscow, but I was even happier with the “story of a friend of mine” who got into a private conference for a business audience. I don't know, maybe he made it up, but I am publishing the “translation of his letter” anyway, which he sent me from an “anonymous mailbox”.

Under the cut: an excerpt from Mitnick's book about physical access, and the story of getting into Mitnick's conference in Moscow in 2013.

The excerpt from the first chapter of the book contains many useful techniques that my friend successfully used.
Once I had the chance to experience what physical access is. It is an incredible feeling when, on a warm spring evening, you are hiding in the dark parking lot of a company with billions of dollars in turnover, choosing the right moment. A week earlier I had visited the building in broad daylight, under the pretext of dropping off a letter for one of the employees. In fact, once inside the building, I was able to find out what this company's ID badge looks like. So: a close-up photo of the employee in the upper left corner. Right below it, the first and last name, with the last name first, in large block letters. At the bottom of the card, the company name in large red letters.

I went to an internet café and looked at the company's website. I was able to download and copy an image of the company's logo. After about 20 minutes in Photoshop with the logo and a scanned photo from my documents, I had a fairly convincing facsimile of an ID card. I neatly slipped my creation into a cheap badge holder. I made another fake pass for a friend who had agreed to help out if I needed him.

It turned out that I could have done without this disguise. In 99% of cases, they practically don't look at the pass. If the main elements of the card are in the right places and look roughly the way they should, you will easily get inside. However, an overly zealous guard, or an employee who decides to play Cerberus, may ask you to hold the card closer. And when you live the way I do, such a danger can never be written off.

In the parking lot I cannot be seen. I watch the glowing cigarettes of the stream of people who step outside to smoke. Finally, I notice a group of five or six people returning to the building. The back door is one of those that opens only when an employee holds a card to the reader. I seize the moment and attach myself to the tail of the group. The guy in front of me crosses the threshold, notices someone walking behind him, glances at me briefly, sees that I have a badge like all the employees, and holds the door for me to come in. I nod gratefully.

This technique is called “tailgating” (literally, “the train”).

Inside, I immediately notice a poster positioned so that every visitor will see it. This poster, put up for extra security, warns that you must not hold the door for someone coming in behind you: everyone must enter the building one at a time, holding their ID card to the reader. However, ordinary politeness, the minimal everyday courtesy you show a colleague, makes the staff ignore the warning poster with enviable consistency.

So, I'm inside. I walk down long corridors with the wide stride of a man hurrying to solve an important task. In fact, this is a reconnaissance trip, and I am looking for the information technology (IT) department. I find it ten minutes later in another part of the building. I prepared well for the visit and know the name of one of this company's system administrators. I think he has the broadest access rights on the corporate network.

Damn! When I find his workplace, it turns out that it is not the usual “anyone can walk in” cubicle but a separate office with a door locked with a key. However, this problem is solved instantly. The suspended ceiling is lined with white soundproof squares. Above it, a technical space is often left for pipes, wiring, ventilation, and so on.

I call my friend, say that I need his help, and return to the back door to let my partner in. He is thin and tall and can do what I could not. We return to the IT department, and my accomplice climbs onto the desk. I grab his legs and lift him high enough. He manages to raise the soundproof tile. I strain, lift him even higher; he grabs a pipe and pulls himself up. Minutes pass, and I hear that he is already in the office. The door handle turns, and my comrade lets me in. He is covered in dust, but his smile stretches from ear to ear.

I enter and quietly close the door. Now we are safer, and the chance that we will be noticed is very small. The office is dark. Turning on the light is dangerous, but it isn't needed: the monitor gives me enough light to see everything I need. Besides, the risk is much lower that way. I quickly look over the desk, check what's in the top drawer and under the keyboard, in case the administrator left a cheat sheet with his computer password written on it. Nothing. Too bad, but this is no problem at all.

I take a bootable CD with the Linux operating system, which also contains hacker tools, out of my bag and insert it into the drive. One of the tools allows you to change the local administrator password. I change the password to one that I know, with which I can log in. Then I remove the disc and restart the computer. This time I log into the system with administrator rights through a local account.

I work as quickly as possible. I install a remote access trojan, a special virus that gives me full access to the system, and now I can record every keystroke, collect encrypted password values (hashes), and even order the webcam to photograph the person working at the computer. The trojan I installed on the machine will connect to another system over the Internet every few minutes. I have full control over this connection and can now do whatever I want on the compromised system.

I perform the last operation: I go into the computer's registry and set the login of the unsuspecting engineer as the last user who logged in (last logged on user). This way I erase all traces of having entered the system through the local administrator account. In the morning the engineer will come to work and notice that for some reason he was logged out. No big deal: as soon as he logs in again, everything will look exactly as it should.

Time to go back. My friend has already replaced the soundproof tiles. As I leave, I lock the door.

The next day at 08:30, the system administrator turns on the computer, and it establishes a connection to my laptop. Since the trojan runs under his account, I have all the administrator rights in this domain. In just a few seconds, I find the domain controller, which contains the passwords for all the accounts of this company's employees. The fgdump hacker tool lets me collect the hashed, that is, encrypted, passwords of every user into a separate file.

Within a few hours, I run the list of hashes through rainbow tables, a huge database of precomputed password hashes, and recover the passwords of most of the company's employees. In the end, I find an internal server that processes user transactions, but I realize that the credit card numbers are encrypted. However, this is no problem at all. It turns out that the key used to encrypt the numbers is hidden in a stored procedure inside the database on the SQL server. Access to that computer is open to any database administrator.

Several million credit card numbers. I could buy anything I want, use a different card each time, and, most importantly, they would never run out.

Believe me, I'm not going to buy anything. This true story is not another hack of the kind that got me into a lot of trouble. I was hired to carry out this penetration.


Text of the letter


(The letter was in English, so my translation is a little rough; I redrew the picture too.)

“I learned about Mitnick's arrival a couple of days beforehand. Searching for information on the Internet, I found only the organizers' contacts. I sent several requests on behalf of the information security department of a technical university. Sadly, the organizers did not reply to the letter. Well, I decided to go another way. I found out where the event would take place. I arrived at the address intending to sort things out on the spot. It was a little spot on the embankment, easily found by the signs and banners with the name of the event.

How it looked outside:



It was a narrow dead-end street. On the street in front of the building entrance there were a smoking area, coffee-break tables, and a reception desk where passes were issued. Entry was strictly by pass; two guards watched over it, and 90% of the time both were there. Sometimes one left, but the second always remained on duty.

I settled at the purple point and pretended to be waiting for someone. Periodically I took out my phone and said into it that I was already there and how much longer I had to wait for you numbskulls. I was always a meter and a half to two meters from the entrance, so I heard everything the guards said, and they heard what I said. An hour passed like that, and I gathered quite a lot of information: what color of pass each person had, exactly how the passes were checked, whether anyone got in without a pass, how the waiters got in, whether there was a service entrance, etc. During that time there was a change of guards, which pleased me.

While I stood there, I noticed that the media were sometimes given badges without a full name, and these were a different color. I also noted that several media crews had already gone in and come out, that is, they had filmed their report and left.

I wait. I watch. I see another media crew coming out, intending to leave for good. They were a couple of female journalists and a couple of male camera operators.

I draw the girls' attention to myself, standing next to the guards, watching everyone with the keen eye of a special agent. I try to make eye contact.

There they go, and I slowly follow them. Lots of people are milling around: participants, organizers, security guards. So I keep going. The green dots show my path as I followed the media crew. Without leaving the alley, I watched the crew cross the road and start putting their cameras in the car. And here I speed up, run across the road, run up to the car (one girl hasn't gotten in yet), put on a slightly worried face, and say: “Sorry, I'm from the organizers, you saw me at the entrance, we help the security service. Due to our mistake we accidentally let you leave with your badges, but this is prohibited by the rules, otherwise someone could use them to get into the building unauthorized. Please hand over your badges.” And they handed them over. And apologized. Bingo!

The badges are in hand, but they bear female names. Luckily the badges were plastic, and the full names were printed on self-adhesive labels stuck onto the badge. They were easy to peel off, although my hands were shaking.

Since I knew that some of the media were let in just by a badge without a full name, I did not bother looking for the nearest print shop, but got bold and moved on to the second stage.

I returned to the entrance, stood for 5 minutes, took out the phone, moved closer so the guards could hear, and said into the phone: “Hello. Are you here already? Do you have the pass with you? I'm coming, I'm sick of waiting.”

Then I turned a corner, put the badge on, turned it face down just in case (I had seen the guards let people in with it that way too), returned to the entrance and, pleased and confident, walked in through the door under the watchful eye of the guard.

First of all, I went to the banquet hall and ate as much meat and cake as I could. Felt better. And right then they announce Kevin Mitnick's appearance. I head to the conference hall on the second floor. A wide staircase leads up; I step onto the first stair and hear a firm but very polite voice: “Young man, may I have a moment?”

Pam pam. I turn around; on either side of the stairs there are two guards in smarter suits than the ones outside.

“Turn your badge over, please.”

I turn it over. “All right, you may go in.”

What thoughts went through my head as I climbed the stairs, I leave to your imagination.

But as a trophy I have a book signed by Mitnick, his legendary business card, and an unnamed badge.”

End of story


These are the kinds of stories that happen, and I am very curious to hear more such stories (and even more interested in being a participant).

If anyone knows of interesting examples of social engineering, share them in the comments.

UPD (Aug 6) Happy birthday, Kevin Mitnick!

Source: https://habr.com/ru/post/232353/
