The Dark Arts: Hacking Humans

One of the biggest challenges for a company that holds invaluable data is protecting it. At first, this task would seem fairly straightforward. Keep the data on an encrypted server that’s only accessible via the internal network. The physical security of the server can be done with locks and other various degrees of physical security. One has to be thoughtful in how the security is structured, however. You need to allow authorized humans access to the data in order for the company to function, and there’s the rub. The skilled hacker is keenly aware of these people, and will use techniques under the envelope of Social Engineering along with her technical skills to gain access to your data.

Want to know how secure your house is? Lock yourself out. One of the best ways to test security is to try and break in. Large companies routinely hire hackers, known as penetration testers, to do just this. In this article, we’re going to dissect how a hired penetration tester was able to access data so valuable that it could have destroyed the company it belonged to.

Information Gathering

se_02
Source

The start of any hack involves information gathering. This is usually pretty easy for larger companies. Their website along with a few phone calls can reveal quite a bit of useful information. However, you can be assured that any company who has hired a pen tester has taken the necessary precautions to limit such information.

And such was the case for our hacker trying to gain access to the ACME Corp. servers. Her first target was the dumpsters – dumpster dives have been proven to unearth a trove of valuable information in the past. But the dumpsters were inside the complex, which was guarded by a contracted security firm. Through a bit of website snooping and a few phone calls, she was able to find out the department that was in charge of trash removal for the company. She then placed a phone call to this department. Using a social engineering (SE) technique known as pretexting, she pretended to be with a trash removal company and wanted to submit a quote to service their business. Using another SE technique called elicitation, she was able to find out:

  • that trash collection took place on Wednesdays and Thursdays
  • the total number of dumpsters
  • that there was a special dumpster for paper and technology trash
  • the name of the current waste removal company – Waster’s Management
  • the name of the employee in charge of the waste removal – [Christie Smith]

Dumpster Dive

Armed with this information, she went to the Waster’s Management website and grabbed their JPEG logo. se_01Within a few days, she had a shirt and hat with the logo in her hands. She called the security department and said she was with Waster’s Management, and that [Christie Smith] had told her one of the dumpsters was damaged, and she needed to take a look at it before the next trash removal.

The next day, wearing the shirt and hat she had ordered online, she was given a badge from security and allowed access to the dumpsters. Now, any hacker worth her weight in PIC16F84’s already knows what dumpster she dove into. It didn’t take her long to walk away with several hard drives, a few USB drives and some useful documents. She was able to gain knowledge of an upcoming IT contract work, the name of the CFO, and the name of a server with some level of importance – prod23.

Hacking the Server

With some more SE, she was able to find out when the IT work was scheduled. It was after hours. She showed up a bit late and was able to walk right through the front door by claiming she worked for the IT contract company. She then shifted roles and pretended to be an employee. She approached one the real IT contract guys, and said she worked for the CFO, [Mr. Shiraz], and asked if he knew to be careful with the prod23 server. With more SE, she was able to find out the prod23 server was off-limits, encrypted, and only accessible by specific admins.

se_03
Source

She was able to access an admin office, and it was there she would don her black hat. She booted the computer with BackTrack via USB and installed a key logger. She made an SSH tunnel to her personal server where she could dump the contents of the key logger, along with some other shells. Now, this is where things get interesting. She opened Virtual Box and used the computer’s hard drive as the boot medium. The VM booted the OS, and she hid all of the screen decorations to make it look like the target OS was running. The admin would log in without a clue, and our hacker would get their username and password through the key logger.

Once the login information came in, she was able to access the admin’s computer, and from there the prod23 server. You can imagine the look on the faces of the top executives for ACME Corp when our hacker handed them a copy of the keys to their kingdom.

Social engineering is human hacking, and a dark art in itself. Our hacker in this story would have never been able to even get close to the server if she did not have SE skills. No matter how secure you make something, so long as you allow humans access to it, it’s vulnerable to attack. And then it’s down to how well-trained your people are in repelling these kinds of intrusions.Just ask Target.

You can find the full story in the source below.

Sources

Social Engineering, The Art of Human Hacking, Chapter 8, by Christopher Hadnagy, ISBN-13: 860-1300286532

Crack WEP using BackTrack

wepcrack04

Lifehacker wrote a guide for cracking a WiFi network’s WEP password using BackTrack. BackTrack is a Linux live CD used for security testing and comes with the tools needed to break WEP. Not just any wireless card will work for this; you need one that supports packet injection. The crack works by collecting legitimate packets then replaying them several times in order to generate data. They point out that this method can be hit-or-miss, especially if there are few other users on the network, as the crack requires authenticated packets. We covered cracking WEP before, but using BackTrack should smooth out compatibility issues.

BackTrack 4 Beta released

backtrack

The Remote Exploit Development Team has just announced BackTrack 4 Beta. BackTrack is a Linux based LiveCD intended for security testing and we’ve been watching the project since the very early days. They say this new beta is both stable and usable. They’ve moved towards behaving like an actual distribution: it’s based on Debian core, they use Ubuntu software, and they’re running their own BackTrack repositories for future updates. There are a lot of new features, but the one we’re most interested in is the built in Pico card support. You can use the FPGAs to generate rainbow tables and do lookups for things like WPA, GSM, and Bluetooth cracking. BackTrack ISO and VMWare images are available here.

Open source data recovery tools


InformationWeek has great article on open source data recovery tools. What type of tools you use will depend on the severity of the situation. You can use live Linux distros designed for recovery like SystemRescueCD or Partedmagic (the latter being more user friendly). Security tools distrubutions like BackTrack can also be helpful; Helix in particular was designed for forensics work. dd is a standard *nix tool for imaging drives, but something like TestDisk can help you repair partition tables for whole disk recovery. Most deletion operations don’t overwrite the data which means you can use file carving to capture the lost files. PhotoRec is able to find files in a number of common formats. Finally, if you’ve got some serious forensic work ahead of you there’s The Sleuth Kit and many other command line tools.

As an addendum, OStatic put together a list of 5 freeware tools for protecting your system.

BackTrack 3 final is out


OpenSuse and Ubuntu are perfectly serviceable Linux distros, but we’ve had a soft spot for BackTrack from the very start. Good news for us, since yesterday was the long awaited release of BackTrack 3 Final. It uses the same 2.6.21.5 kernel as before (to maintain WiFi injection compatibility) and Nessus is still out, but it is not without a great deal of other improvements. Its forensic capabilities are better than ever, largely due to included apps like a fully functional version of SAINT and a special version of Maltego made just for BackTrack. The download is free, but Remote-Exploit is asking users not to distribute it without notifying them first, because they’re trying to keep track of the number of downloads.

[via Midnight Research Labs]

WiCrawl – Next-gen WiFi auditor


At ToorCon, our friends at Midnight Research Labs released a new automated WiFi auditing tool called WiCrawl. WiCrawl automatically scans for accesspoints. Once an AP is discovered a number of plugins can be run against it ranging from getting an IP to breaking encryption. Aaron Peterson’s talk and demo is 50mins. You can download the 640×480 170MB .mov version here. The tool is going to be included in the next BackTrack CD.