Sunday, January 4, 2009

The Story of a Newbie Hax0r - Part 1

Part 1 - It's Good to Talk!!!

If you haven't read the intro you can find it here.


I start off with some online research. It turns out that Scanned4U have recently been awarded some pretty big contracts with the local authorities and a couple of small banks, so no wonder people are interested in it. Scanned4U has sister companies called Shredded4U and Safe4U that specialise in shredding and off-site backups. While I'm on the site I have a good poke around, but I gotta admit, web hacking isn't my strong point. I harvest as much data on the target as possible and spend a while poring through it, trying to really understand the company.

I perform WHOIS lookups and get an idea of how the network is laid out by checking the MX records of the target and the sister companies. As I thought, they have the same MX record and it routes through an email filtering company. The website is hosted at the same IP as the sister companies' too, and I really struggle to find the public IP range that the network must be on. Oh well, there is more than one way to skin a cat.

Using a little Google-Fu to filter out the crap, I see that there are quite a few PDFs on the site.

I then use wget to grab the PDFs so I can run them through strings to grab any useful metadata.

wget -r -l1 -nd -np -A.pdf -e robots=off http://<target website>/

I spend the next couple of hours scraping the metadata from the published PDFs, and the result is that I have myself a nice list of names, usernames, email addresses and contact details.
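The harvest above works because the /Info dictionary (and XMP packet) of a PDF is rarely scrubbed before a document goes on the web. The script below is an added example, not code from the original post: a pre-publication check that pulls those fields out of a constructed sample PDF and flags what a document owner should clear before upload (Author and dc:creator always, any value naming a workstation or path, and anything matching a supplied list of staff identities). The sample PDF, the invented login/hostname values and the WS-/PC-/LAPTOP- hostname pattern are assumptions for the example.

```python
"""Pre-publication audit of PDF metadata that leaks names, logins or hosts.

Added example, not code from the original post. Standard library only,
run on a constructed sample PDF. Compressed or encrypted Info/XMP data
is not handled: an empty result means 'nothing found in plain text'.
"""
import re

# /Info keys that commonly carry a person's name, login or workstation path.
SENSITIVE_KEYS = ("Author", "Creator", "Producer", "Title", "Subject", "Keywords")

# Constructed sample: minimal PDF whose Info dictionary still holds the
# author's login and the producing workstation's name (invented values).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Q3 Pricing) /Author (jsmith) /Creator (Microsoft Word)
   /Producer (PDF Writer on WS-JSMITH01) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Classic /Key (literal string) entries and the equivalent XMP elements.
INFO_RE = re.compile(rb"/(%s)\s*\((.*?)(?<!\\)\)"
                     % b"|".join(k.encode() for k in SENSITIVE_KEYS), re.S)
XMP_RE = re.compile(rb"<(dc:creator|xmp:CreatorTool|pdf:Producer)[^>]*>(.*?)</\1>", re.S)

def extract_metadata(pdf: bytes) -> dict:
    """Return plain-text metadata values keyed by Info key or XMP element."""
    found = {}
    for key, value in INFO_RE.findall(pdf):
        value = value.replace(b"\\(", b"(").replace(b"\\)", b")")  # PDF escapes
        found[key.decode()] = value.decode("latin-1")
    for tag, value in XMP_RE.findall(pdf):
        text = re.sub(rb"<[^>]+>", b"", value).strip()  # drop rdf:Seq/rdf:li wrappers
        found[tag.decode()] = text.decode("utf-8", "replace")
    return found

def audit(pdf: bytes, known_identities=()) -> list:
    """List fields to scrub before publishing: author fields, values naming a
    workstation or path, and values matching a supplied list of staff names."""
    findings = []
    for key, value in extract_metadata(pdf).items():
        if key in ("Author", "dc:creator"):
            findings.append(f"{key}: {value!r} (personal name or login)")
        elif re.search(r"\b(WS|PC|LAPTOP)-[A-Z0-9]+\b|\\\\|[A-Za-z]:\\", value):
            findings.append(f"{key}: {value!r} (workstation name or path)")
        elif any(i.lower() in value.lower() for i in known_identities):
            findings.append(f"{key}: {value!r} (matches known staff identity)")
    return findings
```

Run `audit(open(path, "rb").read(), known_identities=staff_list)` over every file in the publishing queue and block the upload while the list is non-empty.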

Now that I have a few valid email addresses, I create an email with an account I happen to know, with a link to a picture on a rather obscure mail server I happen to "0wn". As soon as the picture gets either viewed in an email client which renders HTML or clicked on, I should have one of the addresses from the public range.

Now I use Google Maps to check the site layout and I'm happy to see it's not like Fort Knox. I can see several places where staff can go outdoors that are publicly accessible. I bet there will be some sort of door entry system, oh well, there's always ways around that.

This is all very good for a day's work, but tomorrow I think I'll try the more direct approach, like a good old-fashioned telephone.


Call 1

"Hello Scanned4U, how can I help?"
"Hi, I'm trying to get to your website and I think there is a problem. Do you know if there is anything wrong with it?"
"Oh, I'm not quite sure, I'm quite new here. Hold on a second please... I have a number for IT, do you have a pen?"
"Sure, hang on a second... isn't IT support at your site?"
"No, they are not based at this office."

"Oh right. OK, I have a pen."
"The number is 01344 666777."

"That's great. Who am I speaking to?"

"I'm Karen."
"Thanks for your help Karen, bye."

With that I hang up. So I now know that the new receptionist, Karen, is very helpful, aren't they all! I also know that IT Support isn't based at the target's site, which is useful to know. Maybe I'll give them a ring and see if they can help me.

Call 2

"Hi, IT Support."
"Hi, it's David from Weatherby, I rang about a printer problem last week."
"Hi David, it's James. Do you have a ticket reference?"
"Oh, I'm not at my desk at the moment."
"Okay, do you know who took your call?"
"I'm not sure, who have you got there?"
"It would have been Martin, Paul, Ian or myself, as Geoff was on holiday."
"I think it was Ian, but to tell the truth I'm not too sure. Anyway, I was just ringing to let you know it's fine now."
"That's great, thanks for letting us know."
"OK, cheers James. Oh, one last thing, when is one of your guys down here next? I have a bunch of cables that are no good to us and you guys might know what they are for."

"Next Monday morning as usual, I'll get Ian to pick them up from reception."

"That's great. Bye."

Okay, now I'm getting somewhere. I have the names of the IT Support guys and the schedule for the site visits.


After having time to think about what I need to achieve, I figure out that I need to get more of a feel for the place. I take a trip to town and get some printer brochures from a few local print shops, get a couple of business cards made on the card kiosk machine, and then I call Scanned4U back.

Call 3

"Hello Scanned4U, how can I help?"
"Hi, it's Paul at PrintLine. I have someone making some drop-offs in your area tomorrow, would you mind if we dropped the new brochures in for Clare?"

"Clare in Marketing?"

"That's right."
"I'm sure that'll be fine."
"Great, thanks. Bye."


Brilliant, now I'll get to see the target's site first-hand.


So I'm dressed pretty casual, like any normal delivery driver, with a good few days' stubble and a baseball cap. I drive over to the target's office and, looking like I'm lost, I park as far away from the reception as possible. This gives me the chance to have a decent look around whilst just looking like someone who is lost. All the time I'm driving around I'm scanning for wireless networks with my trusty iPhone. Unfortunately I see none.

I see a few smokers hanging around by a back entrance and I nip over to have a cigarette with them, just to be polite. After making brief polite conversation I ask where reception is, and one of the girls swipes in through the entrance and takes me through the building to reception. I notice that there are only swipe card points on the outside doors; internally there don't seem to be any. Obviously once you're in, you're classed as a good guy.

Whilst I'm moving throughout the building I'm making mental notes of the security of the place. I also pay close attention to the equipment in use: I see a Xerox copier with an NTDS Ltd sticker on the side, and the swipe card system has the same company name as on the alarms on the outside of the building, ATT Ltd. When I get to reception I say hi and straight away start to sign into the visitor book as I ask reception to let Clare know Robert is here from ScanLine. I take every opportunity to discreetly look at any PC screens for operating system details and the antivirus software in use. Thank god for system tray icons, that's all I can say. And I see that they are using XP, MS Office, VNC and AVG. All useful info and totally free.

By the time a confused Clare gets to reception I have myself a nice new visitor badge. I say hi to Clare and explain that I've been asked to drop the brochures off by my manager. As Clare thanks me and I start to sign out, I ask if I could use the toilet. After I'm shown to the visitor toilet I take photos of my visitor badge and make notes on my iPhone of all the details from the copier, the alarms and also the toilet hygiene equipment too. Well, you never know.

Before leaving the toilet I put the visitor badge in my pocket in the hope that out of sight really does mean out of mind, which luckily it does; the receptionist forgets to ask me for it back.


So I have now got enough information about the target to feel comfortable enough to go in. After spending most of the day planning my next move, I have decided I am going to get a rogue access point/PC into the building and connect to it from outside the perimeter. Once I have my rogue AP in I'll attempt to connect out to a host via the Internet so I can perform the remainder of my assignment from the comfort of a nice warm house.

Coming up... Part 2


ipolar said...

I love this stuff! Thoroughly looking forward to the next installment :)

Anonymous said...

Newbz do in person ops now??? I'll have to stay tuned to how this one develops.

KrisTeason said...

I'm also loving the story, damn man, the social engineering involved, I hope it all pays off. What if something were to go wrong and they asked for your boss's # or name? Can't wait to read the rest. I'll keep checking back!