This is the third part of my story in which I spend some time on social engineering. All of the information harvested by phone calls that I have put in this part and the previous parts is, in my opinion, entirely feasible.
Right, so same score as before but this time I'm going to give myself a bit of a backup plan, I'll ring first and tell them I'm coming (well, sort of). I'll also look different: glasses, smarter clothes, fake nose (just kidding!). Of course there is a risk that they'll recognise me but hopefully I'll be fine, last time I was about I kept a low profile, and most of the time people are not on the lookout for this sort of thing.
Now, I know from a previous call that Ian will be on-site today, my plan is to arrive after he has left. Before I arrive I'll call and lay the groundwork for a site visit. This will put the receptionist at ease and make her comfortable with me turning up. First I check when Ian is due back by calling his office.
"Hello IT Support"
"Hi is Ian about?"
"Sorry he's on site all day but he'll be back first thing. Can I take a message?"
"Oh don't worry I'll give him a call tomorrow. Thanks"
And with that I hang up. Right, so I'll wait until the morning before going to site but I'll get there nice and early whilst people are coming and going. It's a bit easier to move around a building you don't know when there are plenty of people coming and going. Shoulder surfing's also a lot easier at those times but I'm hoping not to need to do that as I should be able to get a pass. Any spare time I get I am brushing up on the target organisation. I'm still trawling the website, getting information on business relationships between Scanned4U and its sister companies. I found out that my target is the smallest and newest company within a group of companies called IT4U. One of the other companies (BackUp4U) has been awarded some pretty high profile contracts backing up data for some large banks. Pretty interesting!
And it's D-Day, I get the show on the road with a few calls.
"Good morning, Scanned4U, how can I help?"
"Hi, it's James, is that Karen?"
"Yes it is"
"It's James from IT"
"Oh hi James"
"I have a guy stopping by to drop some stuff off for an upgrade that we have coming up. He's a new guy; would you ask him to ring me when he gets there? He's forgotten his phone and I need some info for the audit we have to do."
"Sure, what's his name?"
"It's Brad Carter"
"No problem I'll let him know. Is there anything else?"
Now here I have her asking me if there is anything I want, how could I possibly pass this up?
"Oh there was one thing. Can I quickly get your PC details for the audit to save Brad from interrupting you when he arrives?"
Now it seems as though I'm doing her the favour, so of course she'll let me.
"Oh that would be great, what do you need to know?"
"It will only take a second, if I can just check which PC you have. If you click on the Start button, and then click Run. In the box type 'cmd' and click OK."
"Right. I now have a black screen."
"That's fine. Just type 'ipconfig /all'."
"Oh, I have loads of gobbledygook"
"That's fine, what does it say next to IP Address?"
"And next to default gateway?"
"And next to DNS server?"
"No that's not it. What's the very top line?"
"Host Name. That says Reception"
"That's the one, great. Can you press the up arrow key and put a greater than sign and C:\ip.txt on the end and press enter?"
"OK, that's fine. Thanks for your help. You can close that screen now. Speak later."
Well, that was 3 minutes well spent. Aren't receptionists just so helpful? She has no idea how valuable the information she just gave me is. Now I have some great information about the network and I'm expected on site. I also know that the receptionist can write to the C:\ drive so she is probably a local admin on her PC. It looks as though I won't need the visitor pass that I previously acquired after all.
As I arrive at the target's site about 30 minutes later, a very helpful receptionist issues me with another visitor pass and tells me to call James. I call a friend who is expecting my call and the thread of the conversation goes along the lines of me dropping the box off and checking a few serial numbers on printers. Karen points me in the right direction for the copier room and I waste no time in finding somewhere to plant my Evil AP.
Ideally I want a messy corner near the south side of the building so I can get to the AP from the car park. After a few minutes I find the perfect place, the obligatory dumping ground that most offices have. As long as I can find a live network point then I'll be a happy little hacker. An extra box won't draw any attention I'm sure.
I find a live point amongst the mess and I get wired up and I check my network settings.
I get an IP Address on the internal network straight away. I conceal the hacktop inside a plain box and shove it to the back of a few other boxes so it's well out of sight. Ideally I want to compromise another host on the network and get a connection out as I may lose this AP if there is a power cut, or if someone discovers it or just moves it and I lose the network connection. I have a few ideas how to go about it but I need to tread carefully.
As I'm still in the office and no one is around I take a look about. Although I see no PCs at desks to play with I do have a scout around looking for notes stuck to desks and I do manage to find some scribbled stuff on a desk jot pad. I guess it's just some user that has made notes whilst they have been on the phone or something. I find a few letters lying around and I see they are all addressed to the same person, Tom Fitzy, so I'm guessing it's Tom who has been doing the scribbling. It's pretty amazing the things that people will write down on those big desktop blotter jot pads. I take a photo of the pad and move on.
Just before I leave I print off a few test pages and config pages from a couple of printers that I pass and fold them up and pocket them. After all, having a little more detail on the network devices doesn't hurt, does it?
I decide I don't want to push my luck and leave. At the car park I check that I can see my Evil AP before I go get some well-earned lunch.
I grab some lunch and get home. I'm keen to let Hackers On Site know that I have achieved my objective of getting a foothold on the LAN of Scanned4U.