Pentesting 101: Getting in with Social Engineering
Penetration testing is all about using the tools you have at your disposal for their intended purposes or chained together to meet a larger objective. On a penetration test, more often than not, you will need to access a network discreetly and will not be provided access inside the network at the start. There are two main ways to go about getting access into the network. One is through technical means, that is to say using an exploit to get into the network through an unpatched service or creating a 0day against a service that is reachable through the internet. The other is through non-technical means by exploiting the end user.
In this series so far we have scanned a network and assessed that the network is not accessible through technical means. It could be vulnerable to a 0day exploit but that is far outside the scope of this series of articles. The only other way in is through using the inherent trust that network users have in other humans. This type of attack is called social engineering.
CASE STUDY: RSA
Shortly after STUXNET was discovered, and when corporate cyber security was just starting to be taken seriously, one of the most significant cyber attacks against a security organization took place. The target was the company RSA. RSA started as a small company founded by the same individuals, Ron Rivest, Adi Shamir, and Leonard Adleman, who created the RSA encryption algorithm. As the company grew, RSA helped start other security companies like Verisign. RSA also ran one of the first bug bounties, encouraging the cyber security industry to crack the Data Encryption Standard, or DES. Today, when many people think of RSA, they associate it with the two-factor authentication tokens called “SecurID” that they use to log into computers at work.
The attackers, an APT group in this case, searched the internet for individuals who worked at RSA and found the email addresses of low-level employees. Once they had enough addresses, they split them into two groups and emailed one group per day over a two-day period. The email contained a Microsoft Excel file that exploited a Flash vulnerability to install a backdoor onto the victim’s computer. At the time, RSA’s filters were good enough to catch suspicious-looking traffic, and the message landed in spam. However, one user went into their spam folder, found the email with the Excel attachment called “2011 Recruitment Plan”, and that was enough for them to open it, which led to the compromise of the company. From there the attackers established a beaconing C2 channel using Poison Ivy and moved laterally through the network.
While the above attack used many email addresses, a related technique is the spearphishing attack. Spearphishing is also an email-based attack, but it targets one or two individuals, usually with a more personal touch in the social engineering. For example, in Operation: Pawn Storm in 2012, a threat actor compromised the accounts of military, embassy, and defense contractor personnel, then used those accounts to compromise more sensitive victims in other organizations with malicious attachments about well-known events and conferences that they expected would pique the victims’ interest. To find out more about Operation: Pawn Storm, check out the case study linked here.
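Both patterns above leave traces in mail-gateway logs: the RSA campaign was a burst of identical attachments from one external sender to several staff within minutes, and the decisive event was a user releasing a message the filter had already classified as spam. The following added example (not part of the original article, and not based on RSA's real telemetry) shows what those two detections look like over a few constructed log lines. The log format, the `corp.example` internal domain, the sender and recipient addresses, and the thresholds are all assumptions for illustration.

```python
"""Triage mail-gateway events for two phishing indicators:
  1. a bulk campaign: one external sender, same attachment, many recipients, short window
  2. a user releasing a spam-tagged message that carries an Office attachment
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): ts | event | sender | recipient | subject | attachment | verdict
SAMPLE_LOG = """\
2011-03-01T09:02:11 | deliver | hr-update@jobs-example.test | a.smith@corp.example | 2011 Recruitment Plan | 2011 Recruitment plan.xls | spam
2011-03-01T09:02:14 | deliver | hr-update@jobs-example.test | b.jones@corp.example | 2011 Recruitment Plan | 2011 Recruitment plan.xls | spam
2011-03-01T09:02:20 | deliver | hr-update@jobs-example.test | c.lee@corp.example | 2011 Recruitment Plan | 2011 Recruitment plan.xls | spam
2011-03-01T09:02:25 | deliver | hr-update@jobs-example.test | d.kim@corp.example | 2011 Recruitment Plan | 2011 Recruitment plan.xls | spam
2011-03-01T10:40:02 | release | hr-update@jobs-example.test | c.lee@corp.example | 2011 Recruitment Plan | 2011 Recruitment plan.xls | spam
2011-03-01T11:15:00 | deliver | partner@vendor.example | e.wong@corp.example | Q1 invoice | invoice.pdf | clean
2011-03-01T11:20:00 | deliver | newsletter@news.example | a.smith@corp.example | Weekly digest | - | clean
"""

INTERNAL_DOMAIN = "corp.example"  # assumed internal mail domain
# Office formats that can carry macros or embedded objects (the RSA lure was an .xls)
RISKY_EXT = (".xls", ".xlsx", ".xlsm", ".doc", ".docm", ".ppt", ".pptm")


def parse_log(text):
    """Turn the pipe-separated sample lines into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, sender, rcpt, subject, attachment, verdict = [f.strip() for f in line.split(" | ")]
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "sender": sender,
            "rcpt": rcpt,
            "subject": subject,
            "attachment": None if attachment == "-" else attachment,
            "verdict": verdict,
        })
    return events


def is_external(addr):
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def find_bulk_campaigns(events, min_recipients=3, window=timedelta(minutes=10)):
    """Group deliveries by (external sender, attachment name); flag groups that reach
    min_recipients distinct internal mailboxes inside the window.  The window check is a
    simple first-to-last span, which is enough for a short log like this one."""
    groups = defaultdict(list)
    for e in events:
        if e["event"] == "deliver" and e["attachment"] and is_external(e["sender"]):
            groups[(e["sender"], e["attachment"])].append(e)
    hits = []
    for (sender, attachment), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        rcpts = {e["rcpt"] for e in evs}
        span = evs[-1]["ts"] - evs[0]["ts"]
        if len(rcpts) >= min_recipients and span <= window:
            hits.append({
                "sender": sender,
                "attachment": attachment,
                "recipients": sorted(rcpts),
                "span_seconds": span.total_seconds(),
            })
    return hits


def find_released_risky_attachments(events):
    """The RSA failure mode: a spam-tagged message with an Office attachment pulled out of
    quarantine by the recipient.  Each such release deserves an analyst's look."""
    return [
        e for e in events
        if e["event"] == "release"
        and e["verdict"] == "spam"
        and e["attachment"]
        and e["attachment"].lower().endswith(RISKY_EXT)
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_bulk_campaigns(evs):
        print(f"[campaign] {hit['sender']} sent {hit['attachment']} to "
              f"{len(hit['recipients'])} recipients in {hit['span_seconds']:.0f}s")
    for e in find_released_risky_attachments(evs):
        print(f"[release] {e['rcpt']} released spam-tagged {e['attachment']} at {e['ts']}")
```

The campaign rule catches the two-day, two-batch pattern only if each batch is large enough on its own, which is why the threshold is kept low; the release rule is the one that would have fired on the single user action that mattered at RSA, so it is worth routing to a human rather than just logging.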
DROPPING A USB STICK
There is an old trick that some of us may have read about before. Humans are by nature curious. Before cyber security was taken seriously, when USB sticks were brand new on the market, dropping a USB stick was a very common practice for penetration testers. Those who had USB sticks would plug them into any computer and transfer files back and forth. It was easier than burning a CD and faster than trying to transfer a 500MB file over the internet. USB sticks were also not as ubiquitous as they are today, so if someone saw one lying on the ground outside their work or home, they usually picked it up and used it as their own. Dropping a compromised USB stick outside a company may not work as well as it did in the early 2000s, but you never know what people will do with a USB stick labelled “HR” or “Employee Payroll”.
Warshipping is an unusual attack in which an attacker ships a package to an organization containing a device that tries to crack the Wi-Fi network upon arrival. The device in the package is autonomous and is programmed to attack the network once it reaches the specified location. These devices can be relatively cheap to build and, if shipped at the right time, can arrive at the victim’s address on a Friday afternoon, giving the device the whole weekend to crack the network and beacon out to the C2 server.
LOW-TECH SOLAR WINDS
Another attack similar to warshipping is sending “update media” to the target from a “trusted vendor”. For example, say the penetration testing target is a company that runs lots of Dell servers with VMware ESXi. A skilled penetration tester can craft an official-looking package containing a USB stick and a note that says something along the lines of “Due to the sensitive nature of this update, we are sending it directly to our subscribers. Please plug this USB stick directly into your ESXi server and run the associated binary.”
Buying access into a network isn’t an attack as such; the network or computer system in question may already be compromised. If you have ever browsed the “dark web”, you’ll know there is a myriad of nefarious services available for purchase. These services are bought with cryptocurrency and are usually expensive for what they offer. There are hackers, not penetration testers, who compromise vulnerable computers and networks to build botnets, and some of those bots could sit inside your target’s network. Buying access to them could be a very easy, if expensive, way into a network. As with buying anything on the dark web, there are no guarantees. The other issue is the ethics of gaining access this way and of funding the community of illegal hacking activity.
THE SOCIAL-ENGINEER TOOLKIT
Tying all of this together is a tool called The Social-Engineer Toolkit, aka SET, maintained by TrustedSec. Originally released in 2010 by Dave Kennedy, it allows users to craft phishing emails, deploy Metasploit listeners to catch crafted exploits, and create fake websites, to name a few features. Using SET is very straightforward: it doesn’t require fancy command line switches but is a Python-based, menu-driven environment. Below is a screenshot of the starting menu.
Below is another screenshot showing some options that a penetration tester could use if they were on a Windows domain to get a callback using psexec.
SET has been around for many years, is very intuitive, and takes a lot of guesswork and setup out of the equation. It is very similar to Metasploit and pairs nicely with it. SET is very easy to use and very powerful.
When we think of penetration testing, most people assume it is highly technical and that compromising a network is difficult. It is true that some aspects of penetration testing are technical; however, some are not. One of the greatest hackers, and a household name, Kevin Mitnick is renowned for his social engineering skills. He credits social engineering as the easiest way to obtain the usernames and passwords needed to get into networks.
With social engineering, there are many ways to attack the human element in the cyber security chain. This article briefly touches on a few attacks that have been used in the past. It is not an exhaustive list, and there are thousands of articles on different social engineering techniques, past and present. There is a saying that a chain is only as strong as its weakest link, and more often than not the human is the weakest link in cyber security. In the next article we will discuss how to leverage a social engineering attack from a technical point of view, including tunneling and catching callbacks.