as appearing in PenTest Magazine Vol. 3 No. 8
I sat in the parking lot, trying to maintain my composure. “What do I know about pest inspection?” My palms were sweating, and my gear bag was sitting on the seat next to me. My outfit was complete with knee pads, safety goggles, work boots, and coveralls. My nervousness certainly helped the disheveled look. I had forgotten to shave or clean my nails. I certainly looked the part, but “what do I know about pest inspection?” The question repeated over and over in my head. It wasn’t like it was the first time I had walked into a job I didn’t know much about. I just needed to walk in, look around, ask a few questions, maybe lay a few traps or something, then be done. “Well, the client needs me to go take a look inside and see what I can find; maybe I can do this. Besides, what does any bank teller know about pest control?”

I walked in the front door and up to the first desk I saw. “Welcome to First National FCU, can I help you?” “Yes ma’am, I’m here to do a walkthrough inspection. Is Ms. Doe available?” No way she is, why would she be?
“No sir, she’s out for lunch, but I can help you.” Oh perfect, the manager isn’t here, how did I know that was going to happen? Fortunately this lady, a loan officer perhaps, is going to help me. She proceeded to tell me she was in charge while the manager was out and told me of numerous locations reported to have ants. In my career, I have found that ants are a very big problem in filing rooms for some reason. Anyway, sure, let’s take a tour and look at those ants.
After taking me on an extensive tour of the facility showing me locations of reported problems, she excused herself and let me get after measuring rooms to get the cubic footage because my employer charges by that and all.
Rounding a corner, I walked into the filing room; again, the person at the computer in this room had reported bad ant problems. “Do you need me to step out so you can work?” he asked. “If you don’t mind, I can go ahead and take care of this ant problem for ya right now,” I replied. He quickly excused himself and shut the door on the way out.
Did I mention, I’m not a pest inspector? “What do I know about pest control?”
“What do you know, he left the computer unlocked. Looky here, account data.” A local printer and Ctrl-P, thanks for the help. Now let’s dig through these filing cabinets and look for some hot files to photograph. “Why it’s Ms. Doe’s account.” Click. “Here’s a few large business accounts, I’m sure these are worth some money.” Click click click. Oh, almost forgot, just for a nice touch, I brought canned air. Better make sure I spray it from time to time to sound like I’m spraying for bugs to avoid suspicion. I later learned the showboating wasn’t so important, but this was my first assignment as a pest inspector, and what do I know about pest control?
After packing back up, I slipped quickly out the door. My helpful evacuee was not to be seen but the ladies outside looked up at me. I had forgotten the goggles and dust mask I had donned in case someone busted in while I had those drawers open. “Oh, better tell him not to go back in there for at least 30 minutes, but that ant problem you have is solved.” Yeah that’s right, that would give the evilest of criminals a good thirty minutes to get away before the explosives go off. Scary, ain’t it?
That was one of several frighteningly similar social engineering engagements I have been on across the country over the past decade. I have been in several organizations such as this, too many to count. As I mentioned, I learned the extra touches were not needed. No one cares. If they do, they don’t question it anyway. I have never failed. Not once. I’m not bragging on my skills, it’s just that bad, and it really is that easy.
I think it goes without saying that’s not the name of the bank and Ms. Doe did not manage it. Although I’m sure I’ve been in a bank with a similar name (not really, because a credit union wouldn’t have “bank” in the name, but you get the idea), I don’t believe I’ve ever met a Doe.
People are the weakest link in security. They always will be. You can’t firewall stupid. In my time in this field, I have found that it simply doesn’t matter what you as a security engineer do. Why come through the network and risk IDS sensors lighting me up when your employees give me the keys to your data center? No seriously, that DID happen. Then again, you don’t believe everything you read, do you? This article isn’t another social engineering attempt, is it?
So you’ve decided to get your hands dirty in this cloak and dagger game and want to know where to begin? This guide will get you started and cover the basics of what you should be trying to accomplish and how you might go about doing it.
Preparing the Client
The first step is to talk with your client to discuss exactly what you will be doing and to learn about the company, so you can all decide what would be a good test. A real attacker would not have this advantage; however, recon and surveillance are very time consuming and expensive, and you may end up missing something that an attacker would pick up on, so it’s best to talk with the client to ensure the best possible test. Maybe they are in a large shared facility and pest inspection is handled by property management, so you’ll need them to get on board with the testing if that is your chosen technique. Perhaps their phone closets are located in an odd place, and getting to them might mean mission accomplished, but it would be better if you could devise a strategy that allows you more freedom to move through the facility. You’ll also want to define what is to be considered a successful “attack.” Are you taking assets from the facility, and if so, how do you handle the chain of custody? Are you installing rogue devices (this comes in handy if you are also doing a network penetration test)? Are you just going to photograph assets you could have accessed, like network closets, unlocked computers, filing cabinets, etc.?
Once you’ve decided the Rules of Engagement, you absolutely must have a fully executed Statement of Work with a clearly defined scope. Do not ever, under any circumstances, perform an engagement without that protection. In addition to that, you will also want what we typically call a “Get Out of Jail Free Card,” which is a signed Rules of Engagement and Authorization form that you can give to someone in the event you get caught. It explains what you are doing and who they should contact to verify it. It should also explain that they need to handle this discreetly so that any other sites you are visiting are not alerted. Congratulating them on performing their duties goes a long way toward securing their cooperation.

Now that you have an idea of what you want to do, it’s time to start working on costuming and pretexting. If you’re having trouble with just what a costume should look like, go out and observe people in the role you want to play and see how they dress. Are they well manicured? Are their clothes cleaned and pressed? Are they wearing dirty work boots? It may be time for a trip to the thrift store. The thrift store is one of the most valuable places to go for a social engineer. I frequent them all the time looking for great costumes. I have several different polo shirts from big phone vendors, document destruction companies, government offices, etc. Every time I go on location to do a job, I check the thrift stores to see if some employee has generously donated a company shirt to the cause.
You may want to get business cards, magnetic car signs, other bits of swag for the company, embroidered shirts if you are completely making up the company you are pretending to be, etc. It’s very important to have a working phone number on your cards, invoice sheets, etc. in the event you are questioned and they want to call your office. This is perhaps more important if you are pretending to work for an existing company. You can tell them to call the number on your card so they don’t have to look it up, or waste time in a queue while calling the public number of a major telephone company, etc. Generally speaking though, I avoid using existing companies where possible.
Now that you are properly costumed and have all your signed documents from the client authorizing the test, you are ready to begin your pretexting.
The pretext is the stated purpose for what you are doing. It’s the background of the character you are portraying for the test. Pretexting covers your role as the main character and all your supporting members.
You need to be able to explain the nature of your visit when you get to the facility, what you do in general terms, and why you need to get to the areas you want to go. For example, be prepared for the pest inspector to not be allowed in the data center. That can be deflected by explaining that your company now has the contract, and as such you are responsible for undetected damage by pests of any kind. Mice love to chew on plastic coated wires. Unless that person wants to sign a waiver that you are happy to bring back to their headquarters explaining that you are not liable for damages at that location, they better let you in. “By the way, if I have to come back out here, it’s going to cost you an extra service fee.”
You must consider the roles within the organization that may be called upon if you get questioned. Those people should be aware of what you are doing. The reason being, they want to be unavailable during the test so it forces the decision back on the employee you have engaged in social engineering. Assuming they fend you off, you’ll want to go back with that authorization, because even if they pass the test by not letting you in, it’s still valuable to your client to know if you are being properly escorted, what they might let a vendor do who is granted access, etc.

Most people will give in to pressure if they are pushed, especially if you speak clearly with authority and urgency. If you put the employee on the defensive about possibly costing their employer time and money because they made the decision to prevent your entry, you can bully them into allowing it. In these situations, if you have a partner with you (which I highly recommend, so you can serve as lookouts and distractions for each other), you can work on a compromise with them, suggesting they escort you. Once you get into the back, it’s time for you two to split up; someone needs to run back to get something from the truck, and you can enjoy the confusion on your escort’s face as they try to decide which one of you to follow.
You must have someone at the ready to answer the phone for your fictitious company, and that person must be ready to defend you vigorously. Little details like that add perceived legitimacy to your cause. I have had a great many clients call my office to check that I’m supposed to be there. That’s obviously a mistake on their part, since they are verifying me against a number I handed them, and you should be documenting that.
Arrival to Test
Once you get to the location, you should stop a little way off, in view of the facility if at all possible, and watch the flow of people. Make note of how people enter the parking lots. You don’t want to enter, start hunting for a parking spot, and end up driving around the building drawing attention to yourself. The key idea is to blend in. Now that you’ve parked, this is a great time to jot down some quick notes. You need to identify the location you are entering, the time you arrived, and any other security findings you can spot from the vehicle.
Your next step is the scariest. You have to get out and go do the job. Take a breath, relax, remember what you are there for, and make sure you collect any props and gear you are bringing. It’s always good to leave something behind so you can use the excuse of needing to go back to the vehicle to retrieve something in order to shake an escort. Go get the item, wait a while digging for it, maybe get on your phone for a minute, and hope they walk off. When you return, just attempt to go straight back to where you left off, and you may get away without having an escort for a while. It’s also helpful if you have a partner to send back outside in order to split the escort.
What You Should Be Looking For While Testing
Your primary goals should be testing to see if you are allowed into secure areas and, if you are allowed in, whether you are escorted as you should be. In addition to this, you should be looking for physical security features such as cameras and locks. Identify what types of locks are used to isolate the public from sensitive areas. Consider any place you can go to without passing through a lock as a public area. You may be surprised just how far someone can get into a facility before coming across a lock. Make sure locked doors are in fact locked. If a door has a keypad lock, check to see if there are worn buttons. Can you guess the code? If you are escorted to such a locked door, can you watch the employee unlock it and get the code that way?
While exploring the facility, be looking for unlocked computers, employee badges (especially if they use proximity cards) that may be left on a desk, USB sticks, and network equipment. Note if computers are physically secured or if they can be easily lifted and carried out. Do you see network equipment you can easily access and plug devices into? Are server cabinets locked? Are there printouts left on the printer, and do they have sensitive data on them? Are file cabinets locked, and if not, do they hold sensitive data like account information? Are shred bins secured? Do users have a place to store documents apart from the trash until they bring them to the shred bins, and if so, can you easily grab those documents?

The important thing to remember is to take your time. Mentally prepare for all the things you want to check before you go. Going slow will help you make sure you test everything you can, and if you do have an escort, they may grow bored and wander off or stop and talk to a coworker.
Exiting the Test
Once you are satisfied you have all you need, it’s time to make your exit. Keep calm and don’t rush out the door. If you’ve signed a logbook, make sure you sign out. Shake hands with whoever assisted you initially and/or your escort. Thank them for helping. Exit the building and walk, don’t run, to your car. Get in the car and drive off only far enough to get out of sight and pull over at your earliest convenience. Now you need to make any notes you may need from your observations while at the facility since you most likely were not able to take notes while you were there. It’s very important to write it down as soon as possible so you don’t miss anything and if you are doing several locations in a day, it begins to blur together pretty quickly.
As with any type of audit or penetration test, your report should have an executive summary, detailed findings, recommendations, and any other sections you typically include in reports. I find it best to stick to a chronological report for the findings and give them a narrative of the events. People generally love a good social engineering tale, and the impact of these engagements can really help the client learn about security weaknesses and can drive board members to act and work on improving their security. No other report in our industry has anywhere near the impact. Executives may understand that you found some vulnerability and got control of a computer on the network, but they probably can’t relate to it. Everyone can relate to a good social engineering story.
The overall steps are pretty straightforward. Get your contract and authorizations squared away. Get your costuming ready. Get your story ready. Perform the test. Deliver an amazing report. It’s a very simple and very fun test. As you do more and more, you will start to get comfortable with it. You’ll start recognizing what types of actions get the best responses. You can start trying new techniques to get people to comply. If you have anything close to the experiences I have had, you’ll quickly find that you probably over-prepare for the test, and going overboard with costuming is probably uncalled for. People typically don’t know what you should be doing and don’t notice what you bring. That said, looking as legitimate as possible and having all your backstory details in place does help for those occasions where someone gets a little suspicious, and you don’t want to blow a test just because you didn’t have a business card. Good luck.