Chapter 8: Social (In)Security – Stealing The Network

by Ken Pfeil

While I’m not normally a guy prone to revenge, I guess some things just rub me the wrong way. When that happens, I rub back—only harder. When they told me they were giving me walking papers, all I could see was red. Just who did they think they were dealing with anyway? I gave these clowns seven years of sweat, weekends, and three-in-the-morning handholding. And for what? A lousy week’s severance? I built that IT organization, and then they turn around and say I’m no longer needed. They said they’ve decided to “outsource” all of their IT to ICBM Global Services…

The unemployment checks are about to stop, and after spending damn near a year trying to find another gig in this economy, I think it’s payback time. Maybe I’ve lost a step or two technically over the years, but I still know enough to hurt these bastards. I’m sure I can get some information that’s worth selling to a competitor, or maybe to get hired on with them. And can you imagine the looks on their faces when they find out they were hacked? If only I could be a fly on the wall.

I could spend most of my time hunkered down over my computer looking for chinks in the armor, or I could do something a bit more productive. Some properly planned social engineering should get me the goods I need to light them up good. That’s the beauty of doing something like this: There’s a lot less risk of being caught if you go about it the right way. Couple that with the fact that there are generally more weaknesses in people than there are in computer systems, and I should be able to get what I’m after in short order. Yeah, that’s it. I’ll hack people instead of systems. I just need to find the right person and situation to exploit. The key is to keep thinking clearly and always plan ahead as much as possible.

Recon

Obviously, the first thing I need to do is get as much information on the company as I can. Things have probably changed since I worked there, but I don’t think things have changed that much. I’ll start with my documentation, notes, and e-mail from when I worked there. It’s a good thing I archived my .PST and backed up my files to my personal laptop on a regular basis before they canned me. There are few things in the world sweeter than having local admin rights on your corporate system. Let’s see what I’ve got in there:

  • Organizational charts and reporting structure documents. These probably don’t mean anything anymore.
  • Old network diagrams. These also are probably not good anymore, but at least I still have some system names to try.
  • Office locations and main phone numbers. These are useful. Only the IT folks were laid off, so most locations that have corporate and administrative functions should still be around. New York and London are two locations listed that fall into that category.
  • Some policy documents on security. These are good because they give incident response contact phone numbers. All of the numbers except mine should work. I’ll have to verify them though.

What Does Google Pull Up?

Newsgroup and Internet postings can often give you a wealth of information about your target. Most people forget that once something gets on the Internet, it’s pretty much there for good. I wonder what cool things I can find with a Google search on the company? Let me take a look through the old news postings. I pull up the search engine, head over to the Groups tab, and search for the company name.

Figure: Google Group Search

I come up dry this time. I can’t expect the farm to be given away every time I try something. Patience is a virtue they say.

Okay, there’s still another good search tab. SecurityFocus and other Web-based list archives are usually cached under the “Web” part of the engine. Let me check out that part. I try dropping only the e-mail suffix into Google’s Web tab.

Figure: Google Web Search

Behold, the power of cheese … er, Google. From the looks of things, the company is having a hard time locking down the Web servers properly, if some of these recent posts to SecurityFocus are any indication. I need to see who’s hosting and maintaining these servers, and add that information to my notes. If I decide to go back to a “conventional” hack, I’ll certainly need them. After a little more digging, I come up with a press release about the company hiring a CSO by the name of Fred Smith, shortly after my departure from the company. I make a note of this as well.

NSI Lookup

I’ll start off slow and probe the public records at Network Solutions, Inc. over at http://www.nsi.com. I get some basic information from the WHOIS tab at http://www.networksolutions.com/cgi-bin/whois/whois, but it’s still not enough for what I’m after. I get the standard admin and technical contacts, as well as the handles used for registration. A cross-search by NIC handle doesn’t pull up anything I can use.

Figure: Network Solutions Whois Lookup

Sam Spade

Sam Spade, from www.SamSpade.org, does a great job of automating most of these queries. I’ve used this tool for as long as I can remember whenever I did a penetration test. It’ll save me a lot of time on my current reconnaissance mission. Clunky command lines have a tendency to slow you down.

Figure: Sam Spade Registrant Lookup

I also make it a point to proxy all research requests through an anonymous proxy from a list located at http://www.multiproxy.org. Covering your tracks as much as possible is absolutely essential, and you can never be too careful. Let’s see, looks like I’ve got my pick of quite a few. I decide to use an out-of-country proxy, just to further complicate any investigative measures that might be taken in the near future.

Figure: Anonymous Proxy List

Dropping to the SMTP Verify tab of Sam Spade, I try the administrative contact. Strike one—no such domain mail record exists. It’s a good thing I’m going to social engineer my way in, or this might take forever.

Figure: Sam Spade SMTP Verify

Internet Phone Directories

Internet phone directories are really cool tools for social engineering, and there are a ton of them. There’s http://www.infobel.com, http://www.anywho.com, and my personal favorite, http://www.switchboard.com.

Figure: Switchboard.com Lookup Screen

I do a search on Fred Smith but come up with way too many hits to be useful. I guess sometimes having too much information is almost as bad as having too little. I do some more digging and find several company locations, contact phone numbers, and main phone numbers.

E-mail bouncing, Return Receipts, and Out-of-Office Replies

This is what I call having fun with e-mail. There’s a wealth of information I can usually pull out of the contents of most e-mail. I try every variation of common e-mail naming conventions I can think of, and finally get something back with a FirstName.LastName@convention. Now we’re cooking with gas. I bounce a few off Fred.Smith@miradiant.com and get a few things I can use.
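The address-guessing described above is what mail administrators call a directory harvest attack, and it leaves a recognizable pattern in gateway logs: a burst of "user unknown" rejections for many variants of one name from a single client, often followed by one accepted address that confirms the naming convention. The following Python script is an added example for this chapter, not part of the original text; it flags that pattern over a few constructed log lines. The log format, host names and addresses are invented for the example and do not correspond to any particular MTA's real output.

```python
"""Directory-harvest detection over mail-gateway log lines.

Added example; the log format below is constructed for illustration
and is not the output of any specific MTA.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one remote host cycling through guessed
# FirstName.LastName variants, plus ordinary traffic from another host.
SAMPLE_LOG = """\
2003-04-02T22:01:03 mx1 smtpd[4411]: client=198.51.100.7 rcpt=<fsmith@example.com> status=550 5.1.1 user unknown
2003-04-02T22:01:05 mx1 smtpd[4411]: client=198.51.100.7 rcpt=<smithf@example.com> status=550 5.1.1 user unknown
2003-04-02T22:01:08 mx1 smtpd[4411]: client=198.51.100.7 rcpt=<fred_smith@example.com> status=550 5.1.1 user unknown
2003-04-02T22:01:10 mx1 smtpd[4411]: client=198.51.100.7 rcpt=<f.smith@example.com> status=550 5.1.1 user unknown
2003-04-02T22:01:14 mx1 smtpd[4411]: client=198.51.100.7 rcpt=<fred.smith@example.com> status=250 2.1.5 ok
2003-04-02T22:03:20 mx1 smtpd[4412]: client=203.0.113.9 rcpt=<fred.smith@example.com> status=250 2.1.5 ok
2003-04-02T22:09:41 mx1 smtpd[4413]: client=203.0.113.9 rcpt=<jdoe@example.com> status=550 5.1.1 user unknown
"""

# Hypothetical log layout: timestamp, host, process, client IP, recipient, SMTP code.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ smtpd\[\d+\]: client=(?P<client>[\d.]+) "
    r"rcpt=<(?P<rcpt>[^>]+)> status=(?P<code>\d{3})"
)


def parse_lines(text):
    """Yield (timestamp, client_ip, recipient, smtp_code) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in a layout we do not understand
        yield datetime.fromisoformat(m["ts"]), m["client"], m["rcpt"], int(m["code"])


def find_harvesters(text, max_unknown=3, window=timedelta(minutes=5)):
    """Map client IP -> largest number of distinct unknown recipients it was
    rejected for inside any sliding `window`, for clients exceeding `max_unknown`.

    A legitimate sender mistypes one address now and then; a harvester cycles
    through many variants of the same name within seconds.
    """
    rejects = defaultdict(list)  # client -> [(ts, rcpt)] for 550 responses
    for ts, client, rcpt, code in parse_lines(text):
        if code == 550:
            rejects[client].append((ts, rcpt))

    flagged = {}
    for client, events in rejects.items():
        events.sort()
        best = 0
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {rcpt for _, rcpt in events[start:end + 1]}
            best = max(best, len(distinct))
        if best > max_unknown:
            flagged[client] = best
    return flagged


def confirmed_by_probe(text, flagged):
    """For each flagged client, the recipients it eventually got a 250 for:
    these are the live addresses (and the naming convention) the probe confirmed,
    which is what the help desk and the named users should be warned about."""
    confirmed = defaultdict(set)
    for _, client, rcpt, code in parse_lines(text):
        if client in flagged and code == 250:
            confirmed[client].add(rcpt)
    return dict(confirmed)


if __name__ == "__main__":
    hits = find_harvesters(SAMPLE_LOG)
    leaked = confirmed_by_probe(SAMPLE_LOG, hits)
    for client, count in hits.items():
        print(f"{client}: {count} distinct unknown recipients in one window; "
              f"confirmed addresses: {sorted(leaked.get(client, []))}")
```

The threshold and window are deliberately loose so that a user who fat-fingers one address is not flagged; the interesting signal is several distinct rejected local parts from one client in a short span, and the accepted address that follows tells you what the probe learned.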

Return Receipts

By taking a good look at the headers on this read-return receipt, I find out what they’re running on the servers, the approximate geographical location, time-delay latency, virus scanner used at the gateway, and even his e-mail client. Again, if I were going to go with a conventional hack, this would be very useful information. But still, it verifies the server information I dug up from the archives contained in my backup file.

Out-of-Office Replies

Out-of-office replies are also really useful. People that use these without any caution whatsoever continually amaze me. Another funny thing about these messages is that when they are sent to a public listserv, they will be searchable on the Internet as well. People just don’t think ahead anymore.

Figure: Out-of-Office Reply

This guy should know better than to give out that amount of information to anyone. I make a mental note to thank him for the toll-free number of the help desk, if I ever run into him. According to my incident response notes, he’s the first person who should be notified in case of an incident, so it should be somewhat clear for me when I attempt to get into the network this weekend. At least that’s the plan. Shoot for the weekend, when most people are not working and support staff is the most thin and/or laziest.

Jacques Cousteau and 20,000 Leagues in the Dumpster

Right next to their office in the alley here in New York, they’ve got a huge dumpster. Maybe I can get something I can use from that. I make it a point to go by there first to case the area. I don’t need anyone asking me what I’m doing when I’m knee-deep in someone’s trash. I note who the dumpster belongs to, jotting down the ID number and waste-management company’s toll-free number, so that I can call to check on the pickup schedule. I get home and make a call to them. I pretend to be someone from the building management staff of the building next door and ask the clerk when they’re going to empty the dumpster. Her supervisor turns surprisingly cooperative and willingly provides me with the pickup schedule, after I offer to report them to the Health department. They’re picking it up early tomorrow morning. Looks like I’m digging by flashlight tonight—that streetlight won’t provide the light I think I’m going to need.

Not that I mind getting dirty, but this is nasty. Even the homeless guy wouldn’t venture in here. I offered to pay him to get in here, and even he took a pass. I’m beginning to wonder if this is worth it all. I should have skipped dinner before doing this, because I’m about to lose it. I dig around for a few minutes, bypassing the more nasty looking items. Okay, let’s see what we’ve got here: credit card receipts, travel and car vouchers, banana peels, coffee grounds, and BINGO! I hit the jackpot! Personnel and phone listings, a backup schedule (complete with a tape), company letterhead, and some source-code printouts. I just got my money’s worth. Time to get the hell out of here and back to home base to sort through everything.

Fun with Human Resources

Well, yesterday was not exactly what I’d call fun, but at least it was productive. The dirty work (yes, pun intended) is out of the way. Looking through the want ads in the paper over coffee, I see an ad about a career fair tomorrow. It seems that my old company will be there looking for some “good people.” Well, I’m good—just not in the way they would like.

I get to the conference center the following day and wander down to their booth with my falsified resume. I came here looking for information, but I hope to leave with the company representative’s laptop. It’s bound to have more information than the career fair guy would ever provide me. And if I can manage to snag that laptop, I should be able to dial into their network.

It seems they’re looking for customer service representatives, so I see if I can con my way through this one. The first thing the company guy, Jeff, hands me is his business card. Oddly enough, these haven’t changed a bit in over a year. According to the employee badge he’s wearing, even the employee number scheme is still the way it used to be.

To the average eye, there wouldn’t appear to be anything useful on this business card. Maybe I’m not average, because I see a naming convention in the e-mail: FirstName.LastName@company. This should save me a few minutes bouncing e-mail off their servers for the correct format next time.

We exchange the usual pleasantries and go through our “interview” process. I manage to find out that Jeff has a flight out of JFK airport back to headquarters in a few hours. I know their HQ is in London, so it should be fairly easy to find out which flight he will be boarding. I make some notes on this for later, in case I need to go to Plan B.

Switching to Plan B

That was a pretty fruitful meeting we had at the Javits Center. I didn’t get everything I came for, but I’m not giving up. I tried to snag this guy’s laptop bag from under the table, but I didn’t have much luck. You know how those booths look at these conference centers. There’s typically nothing but a ten-by-ten-foot sheet of cloth separating the booths from front to back and side to side. If you wait until there are a million people hanging around, your odds of being able to snag what you’re after can go up dramatically. Confusion can be a pretty strong ally, and there’s safety in numbers. And if it weren’t for the nosy neighbor, I would have pulled it off.

The guy in the booth next to Jeff asked me what I was doing. I told him I dropped my last quarter somewhere under there and needed it to make a pay phone call. Big metal and concrete conference centers like the Javits are notorious for bad or nonexistent cell phone signals. At least the nosy neighbor was nice enough to offer his cell phone, but I didn’t want to stand a chance of looking more suspicious than necessary (or leaving my fingerprints for that matter, should I be able to pull this off later).

Well, I’m off to the airport. If I’m lucky, Jeff’s taxi will take the long way there just to run up the fare and buy me a little more time. If I know the cabbies, this shouldn’t be an issue.

I pull into JFK and hit the short-term parking lot. International flights are on the other side, so if I want to catch this guy before he gets on the plane, I’ll have to boogie. I check the departing flights on the board, and there’s only one scheduled to leave for Heathrow in the next few hours. Another sign we’re right smack in the middle of the week. Sweet! It’s delayed two hours due to the weather in Chicago. Go figure. Well, that gives me a little more time to find him and look for an opportunity. I need to tail him and see where I can make my move without being noticed, or worse yet, caught. I was going to try and move in front of him at the X-ray machine, but there are a couple of problems in trying to lift his bag that way:

  • After 9/11, you need a valid ticket and to show your ID to pass through the security check and get down to the gate.
  • He just might remember me from a few hours ago and get suspicious. Maybe I shouldn’t have put WhatSaMatter U as my alma mater on the fake resume.

I suppose I could have printed a ticket up that would slip by the security folks, but when you’re short on time, you need to play the cards as they’re dealt.

I’ve got to find the British Airways counter and chill out until Jeff gets here. I need to stay out of the way, but still be able to observe the counter for his arrival. So, I stay just inside and watch for taxis pulling up to the curb. After what seems like forever, his cab pulls up. As he goes inside, I slip outside and light up a smoke. Chuckling to myself, I remember him bitching during the interview about all of the smokers here in New York. No chance of him coming back out here. I can see his frustration when the lady at the check-in counter tells him the flight is delayed at least two hours.

Where do people go to kill time at the airport? Why, the nearest bar, of course. I slip back inside and head down the hall to it. It’s packed with people. My kind of place. Thanks in part to the new laws in the city, there’s no smoking in the bar anymore, so he’ll probably stay put here. Just as I say this to myself, he walks in and sits down at a small table, laptop and all, and orders a beer. I work my way over little by little, taking care to keep my back mostly to him. I start to make my move when he appears to be distracted by some girl standing close by, but he reaches down for the bag and pulls it onto his lap. He digs inside and pulls out his cell phone. After a few minutes of talking, he hangs up and pulls a few resumes out of the bag. Damn it! He’s going to do some work right here in the bar.

While the laptop is booting up, he pulls a yellow sticky note out of the bag. I’ll bet it has his user name and password on it. A few beers later, he’s getting up. My guess is that he’s looking for the men’s room. I’m hoping he leaves the laptop there, but he doesn’t. Just when I’m thinking I’ll never get what I came for, they announce his flight is boarding. This adds a bit of frustration to the mix, as he scoops up everything in a hurry and starts stuffing everything back into the bag. He did forget one vital thing though, and leaves the sticky note for me. (Well, I doubt it was for me, but it’s just as good as having his laptop for my purposes.) It’s a pretty detailed sticky note by most accounts. It has his username, password, domain name, and a dial-in phone number.

Figure: The Sticky-Note

Uh oh, there’s no phone exchange on it. This dial-in number could be anywhere. I can only assume that it’s a dial-in number and not the number to his Alcoholics Anonymous contact. He must be a card-carrying member by the way he was soaking in the suds a few minutes ago. Oh well, there’s only one good way to find out, and that’s by dialing it.

I start with the assumption that it’s an 800-type number. I dial a few variations of it from a pay phone looking for a modem to answer. After trying the prefixes 800, 888, 877, 866, and 855, I come up empty. Looks like it’s time for a call to the help desk at the number Fred Smith so graciously and inadvertently provided to me.

I dial the number to the help desk and get an automated message. After hitting enough numbers to spell out the Gettysburg Address on the phone, I get kicked back into the main menu where I started. Yep, these guys have their act together, I think to myself.

I press 0 on the phone, and eventually get a breathing human being on the other end. I immediately ask for her name and badge number, after acting a bit frustrated by the menu I was forced to dial in on. I also use the most genuine British accent I can muster after thinking quickly about what Jeff sounded like at the convention center. I also try an “executive mentality” for patience, thinking back to Jeff’s mannerisms in regard to the other employees. The Customer Service Rep seems very nice, and appears almost too helpful. At this point I’m thinking she’s either on to me or sniffing glue, but I begin to explain my situation anyway. I tell her that I’ve got the dial-in number for remote access, but don’t have the exchange. I’m just a lost soul here in the city, who doesn’t know what a phone exchange looks like in the States, “even if it snuck up behind me and kicked me in the arse.”

We go through the usual phone routine that every help desk typically has you go through. She asks my name, login ID, phone number, and employee ID number. I provide all except the employee ID number without blinking, directly from Jeff’s business card. I ask her to wait a second while I look for my badge, and grab the notes I made during the interview. Ah yes, 0016957, I tell her. I hear her type away for a few minutes. I guess a quiet-key type keyboard would probably kill her, or make it sound like she’s not doing anything.

After what seems like forever, she tells me she’s going to leave dial-in information on my voicemail, and I can retrieve it in about five minutes. I go through the old “poor me, I’m stuck at an airport in the States” bit, but she’s not buying it. She says she has rules that she must follow, and asks if I want to speak to a supervisor. I’m not taking any chances on a supervisor knowing Jeff, so I politely decline and say that I understand her situation. The umpire calls “strike two,” and I start to think about Plan C.

Plan C: The Displaced Employee

I go back to my home office and dig out the company letterhead I got from the dumpster. I forge a pretty realistic looking employee ID from it, lamination and all. I pull some electrical tape out of the toolbox and run a strip of it across the back of the “badge.” Nobody really gives these things a good look anymore anyway. I didn’t see the backside of Jeff’s badge at the interview, but if there’s a badge reader on the main entrance, I can’t social engineer my way in through the front door without the “swipe part” looking realistic.

Early the next afternoon, I’m at the front desk in the lobby. I lay my badge on the turnstile, and look at the guard in feigned amazement when the turnstile does nothing. He asks me if I have a building ID because that’s what the turnstiles use. I tell him, no I don’t, and that I’m visiting from another office location. He says go over to the front desk and sign in. They’ll take care of me over there. I stand in line and sign a fake name (completely illegible, of course). They give me a little “Hi, I’m Jeff” type sticker to wear on the front of my jacket, and send my sorry ass over to the elevator bank, while chuckling at my fake accent. I make a mental note to lose the accent when I get into the elevator. I guess it sounds genuine on the phone, but it isn’t playing well here.

The seventeenth floor is what I’m after. I ride the elevator up to 17, being especially careful not to make eye contact with anyone who might notice me later. As I step off the elevator, I pull out my “badge” and walk past the receptionist with my laptop bag. Having never seen me before, she asks where I’m going and if she can help me. I tell her I’m with the auditing department in London, and need to find an empty desk to work from. It’s a funny thing that when you mention the words visit and audit in the same sentence to someone you’ve never met, you see a complete attitude shift. She tells me where an unused conference room is (so I won’t be disturbed), where the bathroom is, and even where I can get a free cup of coffee.

I swipe my badge on the door reader beside her several times, and murmur under my breath about corporate security knowing that I was coming here today and not getting me door access for my badge in time. The receptionist laughs and tells me her badge doesn’t work half the time either. She graciously badges me in through the door and motions the way to the conference room down the hall. I set up my laptop in the conference room, and begin my sniffer run. I decide that while the laptop is doing network captures, I’ll take a walk around the place.

Shoulder Surfing

While I’m doing my “audit,” I guess I should have a look in the empty cubicles first. I wander down through the cubicle farm, and the land appears barren of people. I guess they really take their lunch hour seriously around here. I see several sticky notes and record their contents into my little notebook. I decide to be a little more daring and find the Systems Administration section.

I run into a lone guy there, eating a sandwich at his desk, and strike up a conversation with him. I tell him I’m with the auditors in London, and I don’t know my way around here too well. I ask if he can recommend a place to get some food around here, and he tells me right around the corner there’s a good Chinese place. I thank him and tell him I used to be a system administrator in a former life. We strike up a conversation about operating systems. I make it a point to be agreeable with his viewpoints, and he says, “Check this out,” and unlocks his workstation with me standing right there. I make a mental note of what he typed to unlock the workstation, which was Cslater and domaingod5.

Then he proceeds to show me this new tool he wrote for enumerating workstations on the network. I remember my laptop hooked up in the conference room, and I try to divert his attention away from running his program and discovering the laptop’s connection. I ask him what rights I need to install some auditing software on my computer, and he goes off on a tangent about how it’s against corporate policy to do that, yadda, yadda, yadda. I tell him it was nice talking to him, and head back to the conference room so that I can unplug my laptop. Then I decide to be a bit more daring and leave it plugged in until just after everyone comes back from lunch, to capture as much login information as I can.

While I’m sniffing, I open Network Neighborhood under Windows Explorer and look for what appears to be a file server. I find one labeled hrfsldn1 and assume from the naming convention that it’s a file server for Human Resources located in London. They’re five hours ahead of us over there, so there’s less risk involved if I screw up and inadvertently modify a file, or file lock it when opening it. I attach to the network share by typing:

And find another folder on the system called Contracts. I take a look inside and find out that New York has a service contract about to expire with Dull Computer Corporation. There are a number of systems listed here, and the locations of each. Quite a few of these systems are located on the sixteenth floor. This gives me an idea, and I shut down my laptop.

I’m going to try one more approach while I’m in the building, and if that doesn’t work, I’ll wrap it up, head home, and pore through all of the captures I’ve gotten so far. Then I’ll attempt remote access via the credentials I’ve gotten, including Cslater\domaingod5.

Success, or You Can Teach an Old Badge New Tricks

It’s a good thing I kept my badge from when I left Dull Computer some years back. I think it’s going to prove very useful today. They didn’t even do anything silly like hold up my final paycheck until I turned in my badge. The “revenge gods” must be smiling down on me this week.

I take the stairs down to the sixteenth floor, since I noticed before that someone in the elevator had to badge up to 16. Good, there’s no reader on the stairs, and the door is unlocked. It would suck being stuck in the stairwell. I pull a network card and my other ID out of my bag, and go through the door. There’s a sign-in window for the server cages, and I head over to it.

I show my badge and tell the guy on duty that I’m here to change out a network card in NY-MSG-06. He says I’m not on the list and can’t go in. I tell him, “Fine. Your CEO can’t get his e-mail now, and your service contract is about to expire. I’ll pack it up and go home if you want, but you’re not going to make many friends at the executive level that way.” He says to hold on, he’ll make a call to verify. Cool, I hear him “verifying” this with the receptionist upstairs, who tells him she has been having e-mail problems as well. I make a mental note to thank the Clueless God later, and head into the cage with the server.

I log on using Cslater’s account, and check my permissions. Sweet! He has domain administrator rights. I guess he really takes his password of domaingod5 seriously. Just why they have this system configured as a backup domain controller when it sits in the DMZ is beyond me, but I’ll take it. I do some fishing for the next hour and come away with quite a few goodies.

  • A SAM dump of all usernames and passwords. Got to feed L0phtCrack every once in a while to keep it happy.
  • An Excel spreadsheet of all voicemail accounts and the superuser password
  • Some really cool JPEGs of the last company Christmas party
  • All remote dial-up numbers
  • Firewall, DMZ, and Web server configuration documentation and network contacts

I can’t spend all day here, and all of it won’t fit onto a floppy, so I send it zipped to the hushmail account I set up yesterday. I do this via an SMTP relay that I open on the network. I also rootkit the system with Hoglund’s NTRootkit (from http://www.NTRootkit.com). That should be fun for all ages when I need to get in again, and should fly below the radar of most of the antiviral systems whenever they go to back the system up. Game over. I win; they lose.

Business as Usual?

Jane: “Sally, did you notice anything odd this morning on the voicemail introduction? You know, right before you press 2 for your messages?”

Sally: “No, I didn’t. I haven’t checked mine yet.”

Jane: “It said something about ‘My kung-fu is greater than yours.’ Do you know what that means?”

Sally: “Nope. It must be the guys in telecom goofing off again. Oh well. Did you hear about the storm coming our way?”