Monday, January 12, 2009

The Story of a Newbie Hax0r - Part 3. Let's Get Physical

This is the third part of my story, in which I spend some time on social engineering. All of the information harvested by phone calls in this part and the previous parts is, in my opinion, entirely feasible to obtain.

Part 3


Right, so same score as before, but this time I'm going to give myself a bit of a backup plan: I'll ring first and tell them I'm coming (well, sort of). I'll also look different: glasses, smarter clothes, fake nose (just kidding!). Of course there is a risk that they'll recognise me, but hopefully I'll be fine; last time I was about I kept a low profile, and most of the time people are not on the lookout for this sort of thing.

Now, I know from a previous call that Ian will be on site today, so my plan is to arrive after he has left. Before I arrive I'll call and lay the groundwork for a site visit. This will put the receptionist at ease and make her comfortable with me turning up. First I check when Ian is due back by calling his office.

Call 1

"Hello IT Support"
"Hi is Ian about?"

"Sorry he's on site all day but he'll be back first thing. Can I take a message?"

"Oh don't worry I'll give him a call tomorrow. Thanks"

And with that I hang up. Right, so I'll wait until the morning before going to site, but I'll get there nice and early whilst people are coming and going. It's a bit easier to move around a building you don't know when there are plenty of people coming and going. Shoulder surfing is also a lot easier at those times, but I'm hoping not to need to do that as I should be able to get a pass. Any spare time I get, I'm brushing up on the target organisation. I'm still trawling the website, getting information on business relationships between Scanned4U and its sister companies. I found out that my target is the smallest and newest company within a group of companies called IT4U. One of the other companies (BackUp4U) has been awarded some pretty high profile contracts backing up data for some large banks. Pretty interesting!


And it's D-Day, I get the show on the road with a few calls.

Call 2

"Good morning, Scanned4U, how can I help"
"Hi, it's James, is that Karen?"

"Yes it is"

"It's James from IT"

"Oh hi James"
"I have a guy stopping by to drop some stuff off for an upgrade that we have coming up. He's a new guy; would you ask him to ring me when he gets there? He's forgotten his phone and I need some info for the audit we have to do."

"Sure, what's his name?"

"It's Brad Carter"

"No problem, I'll let him know. Is there anything else?"

Now here I have her asking me if there is anything I want; how could I possibly pass this up?

"Oh, there was one thing. Can I quickly get your PC details for the audit, to save Brad from interrupting you when he arrives?"

Now it seems as though I'm doing her the favour, so of course she'll let me.

"Oh that would be great, what do you need to know?"
"It will only take a second if I can just check which PC you have. Click on the Start button, then click Run. In the box type cmd and click OK."
"Right. I now have a black screen."

"That's fine. Just type ipconfig /all"
"Oh, I have loads of gobbledygook"

"That's fine, what does it say next to IP Address?"

"and next to default gateway?"

"and next to DNS server"

"No, that's not it. What's the very top line?"

"Host Name. That says Reception."

"That's the one, great. Can you press the up arrow key, put a greater than sign and C:\ip.txt on the end, and press enter?"

"Nothing happened."

"OK, that's fine. Thanks for your help, you can close that screen now. Speak later."

"OK, bye"

Well, that was 3 minutes well spent. Aren't receptionists just so helpful? She has no idea how valuable the information she just gave me is. Now I have some useful information about the network, and I'm expected on site. I also know that the receptionist can write to the root of the C:\ drive, so she is probably a local admin on her PC (on a default Windows XP install an ordinary member of Users can't create files in the root of the system drive, so a silent success rather than an "Access is denied" is a fair hint, though not proof). It looks as though I won't need the visitor pass that I previously acquired after all.
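The fields Karen reads out (host name, IP address, default gateway, DNS servers) are exactly what you would pull from an ipconfig /all screen, and the next job is to turn them into a target range for when the box is on the LAN. As an added example, not code from the post, here is a small Python parser for that output. The sample it parses is constructed: the hostname Reception is the one from the call, while the addresses, MAC and the scanned4u.local suffix are made up.

```python
import ipaddress
import re

# Constructed sample of "ipconfig /all" output from a Windows XP box, in the
# style of what a caller would be reading out. The hostname "Reception" is the
# one from the call; the addresses, MAC and domain suffix are made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : Reception
        Primary Dns Suffix  . . . . . . . : scanned4u.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : scanned4u.local
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-0C-29-3A-1B-2C
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1
        DHCP Server . . . . . . . . . . . : 192.168.10.2
        DNS Servers . . . . . . . . . . . : 192.168.10.2
                                            192.168.10.3
        Lease Obtained. . . . . . . . . . : 12 January 2009 08:14:02
"""

# "Key . . . . : value" lines are indented; the key never contains '.' or ':'
KEY_RE = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]*: ?(?P<val>.*)$")
# Adapter headings start at column 0 and end with a colon
HEADER_RE = re.compile(r"^(?P<name>\S.*):$")


def parse_ipconfig(text):
    """Parse 'ipconfig /all' output into {section: {key: [values]}}.

    Multi-valued fields (DNS Servers) continue on indented lines that have
    no colon, so those lines are appended to the previous key.
    """
    sections = {}
    section = "Windows IP Configuration"
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("name")
            last_key = None
            continue
        m = KEY_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            values = sections.setdefault(section, {}).setdefault(last_key, [])
            if m.group("val").strip():
                values.append(m.group("val").strip())
            continue
        if last_key is not None and line.startswith(" "):
            sections[section][last_key].append(line.strip())
    return sections


def first(fields, key):
    """First value of a field, or '' if the field is absent or empty."""
    return (fields.get(key) or [""])[0]


def summarise(sections):
    """Pick out the fields asked for on the call and derive the subnet to scan."""
    general = sections.get("Windows IP Configuration", {})
    adapter = next((f for f in sections.values() if f.get("IP Address")), None)
    if adapter is None:
        raise ValueError("no adapter with an IP address")
    ip = first(adapter, "IP Address")
    mask = first(adapter, "Subnet Mask")
    # ip_interface accepts a dotted netmask, so "a.b.c.d/255.255.255.0" works
    network = ipaddress.ip_interface(f"{ip}/{mask}").network
    return {
        "host": first(general, "Host Name"),
        "domain": first(general, "Primary Dns Suffix"),
        "ip": ip,
        "gateway": first(adapter, "Default Gateway"),
        "dhcp": first(adapter, "DHCP Server"),
        "dns": list(adapter.get("DNS Servers", [])),
        "network": str(network),
    }


if __name__ == "__main__":
    for k, v in summarise(parse_ipconfig(SAMPLE_IPCONFIG)).items():
        print(f"{k:>8}: {v}")
```

The derived 192.168.10.0/24 is the range you would sweep once the planted box has a lease, and the DNS and DHCP servers are the first hosts worth a closer look. The C:\ip.txt redirect at the end of the call is a separate probe for write access to the drive root; this script only handles the ipconfig output.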

As I arrive at the target's site about 30 minutes later, a very helpful receptionist issues me with another visitor pass and tells me to call James. I call a friend who is expecting my call, and the thread of the conversation goes along the lines of me dropping the box off and checking a few serial numbers on printers. Karen points me in the right direction for the copier room and I waste no time in finding somewhere to plant my Evil AP.

Ideally I want a messy corner near the south side of the building so I can get to the AP from the car park. After a few minutes I find the perfect place, the obligatory dumping ground that most offices have. As long as I can find a live network point then I'll be a happy little hacker. An extra box won't draw any attention, I'm sure.

I find a live point amongst the mess, get wired up and request an address:

dhclient eth0


I get an IP address on the internal network straight away. I conceal the hacktop inside a plain box and shove it to the back of a few other boxes so it's well out of sight. Ideally I want to compromise another host on the network and get a connection out, as I may lose this AP if there is a power cut, or if someone discovers it or just moves it and I lose the network connection. I have a few ideas how to go about it, but I need to tread carefully.

As I'm still in the office and no one is around, I take a look about. Although I see no PCs at desks to play with, I do have a scout around looking for notes stuck to desks, and I manage to find some scribbled stuff on a desk jotter pad. I guess it's just some user who has made notes whilst on the phone or something. I find a few letters lying around and see they are all addressed to the same person, Tom Fitzy, so I'm guessing it's Tom who has been doing the scribbling. It's pretty amazing the things that people will write down on those big desktop blotter pads. I take a photo of the pad and move on.

Just before I leave I print off a few test pages and config pages from a couple of printers that I pass, fold them up and pocket them. After all, having a little more detail on the network devices doesn't hurt, does it?

I decide I don't want to push my luck and leave. From the car park I check that I can see my Evil AP before I go and get some well-earned lunch.


I grab some lunch and get home. I'm keen to let Hackers On Site know that I have achieved my objective of getting a foothold on the LAN of Scanned4U.


Anonymous said...

that's beautiful work...I want to learn to do all of that stuff, as I will be wanting to protect my game server when I get it started

Anonymous said...

^ Really just wants all day butt sex0ring in prison.

Hacking isn't about being a douche bag, conman/simple criminal, you gay boy.

"Brad Carter" ? Phone loser indeed.

Ian Ellis said...

you must be one of those people that do not know what the term hacker means...let me pull a link for you really fast

Take a read at that and educate yourself.

And if you have not been reading he has full permission to do this...the company is paying them to see if they can break their security...

SynJunkie said...

Ian. It's just a story. I use the term hacker in the same way as its common conception. Unfortunately that's how most people use it, and it fitted the story best that way. I'm sure most educated people who read my posts know exactly what the terms hacker and cracker mean. It's not rocket science.

Ian said...

Yeah, you're right... sorry.

Could you recommend a good place for me to learn about security other than here, like a web site or a book or something? Because I will be having my own servers soon and I want to be able to protect them.

SynJunkie said...

Ian, if you're serious about this and you want my recommendation then sure. Firstly, Microsoft TechNet publishes very good white papers about how to secure their products, and also the SANS Reading Room is full of great papers from authors who know security far better than I do. This is just my hobby and as such I am not an expert.

I hope that helps.


Ian said...

What about for Linux, as I am going to try to put them all on Linux servers? I have already gotten somewhat familiar with Ubuntu. Anything you can recommend for that?

SynJunkie said...

There is a good hardening guide for Linux on the Boiling Linux blog.

I'm sure the SANS Reading Room will have one too.

Ken Pryor said...

Good stuff as always. Looking forward to the next installment!

Anonymous said...

Can we expect more installments? Don't leave us hanging, this is great stuff!

SynJunkie said...

I hope to have a little more time to either continue with this one or start another soon.

Thanks for the feedback.


Anonymous said...

Hey. I like your work and I'm curious to know the end of this story.
Agreed, ^^ "don't leave us hanging"

SynJunkie said...

Hi Anonymous

I kind of just ran out of steam.