Recently we had quite an interesting engagement and we have been allowed to share some of the details!
Objective: Gain physical entry to a building for the purpose of an impromptu network penetration test and wireless testing.
Company Arena: Global Offices, Finance, High Security
Chances of a consultant wandering around with a laptop for an hour unnoticed: 0
In the planning stages of the campaign it was evident we would have to be a light touch. There is a lot of variance in your average red team engagement and sometimes we are in favour of a gung-ho attitude to gaining access – confidence and psychological trickery can go a long way… but we’ve all heard about the much-famed ‘coffee cup or clipboard’ approach to social engineering: the belief that people around you will pay you less attention because you have a cup of coffee or a prop of some kind. It has its place but it wasn’t right for this job, so we plotted and plotted for some time until it hit us!
In a Eureka moment, we knew we needed to design a ‘dropbox’ like no other! For those not in the know, a dropbox is a smallish device that a social engineer can place into your network or computers. Once a device is connected, network access is a trivial task for the hackers. These devices usually have a wireless element to them as well that will try to hijack nearby Wi-Fi users.
We got to work ordering all the components of what we would need from Amazon. To say we were excited about building such a device would be an understatement – the parcels arrived.
Initial impressions were that we had gone overboard… but it should be an interesting few hours getting this mess sorted. Battery packs needed charging, there were wires and mess everywhere, and as the evening progressed programs and applications were configured on the device to make it all work smoothly.
Once all the technicals were out of the way, the device was put through its paces and tested thoroughly. Wires were neatly coiled and packed away. A GPS tracking device and a second access point were installed to provide additional client mode services to the Pineapple. The LTE router was configured to run in Ethernet over USB mode.
Now we needed to get this device to the target building. Sometimes in a physical penetration test, you have to understand that getting caught isn’t just bad – it could have unforeseen consequences for a business. All care is taken not to impact a company in its day-to-day activities, while still testing realistic attacks. It’s a hard balance.
We got to work with further recon and struggled and struggled to think of a viable solution to the problem we had of getting this device into the building. The idea of impersonating a postman popped up and I didn’t like it. It would only get you a few seconds in the building if you were lucky, and it was likely we would need clearance to get even that far…
Sometimes a thought can be all it takes to make a hopeless scenario something of beauty.
We got to work collating all of the email addresses we could find for the target company, using the low-hanging fruit from OSINT tools. These are the emails that get spammed the most in a company because they are relatively public. An email was sent to each of them and we waited for the predictable few out-of-office replies. When we had these we further profiled the staff who were away – the intention was to separate those who were having a busy week at work and had set an out-of-office for a break from those who were legitimately on annual leave or holiday. Some social media profiling provided 2 people who were unlikely to be back in the building for a while.
We wrapped up the dropbox, made sure it looked like it was a fresh parcel, printed new Amazon stickers for the parcel and handed the device over to a courier. Not us pretending to be a courier – an actual courier. Unbeknownst to the poor delivery person, the attack was progressing beautifully.
So to cut this short, the parcel was connected to a server in our control and every step of the way we could track its location, access the device remotely and scan all neighboring networks in transit. When it was signed for by the target company we knew it had been accepted successfully into the building. The Wi-Fi networks we observed also correlated with this. In the following days, the device was used to run wireless penetration tests at a client site.
So firstly, this is an extremely unlikely scenario for the public to be concerned with. Most businesses are also unlikely to see anything near this level of effort behind an attack but if the rewards are high enough something like this could catch you off guard.
In security-critical environments – airports, prisons, power stations, laboratories etc. – it could really ruin an IT manager’s day! Inbound parcels should be scanned using GSM detection devices on entry to the building. Parcels should be stored in Faraday bags or not delivered to the premises at all.
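Beyond screening parcels, the other place a device like this shows up is in the air: a dropbox that tries to hijack nearby Wi-Fi users has to broadcast something, and a wireless survey that compares what is on the air against the inventory of authorised access points will catch it. The script below is an added example written for this post, not tooling from the engagement described above. It takes a list of observed access points (here a constructed scan and a constructed inventory with placeholder BSSIDs) and flags any BSSID broadcasting a managed SSID that is not on the inventory, any look-alike SSID, and anything that has appeared since the previous survey.

```python
"""Rogue / evil-twin access point check over Wi-Fi survey results.

Added example (not from the original post). Compares observed access
points against an inventory of authorised APs and reports:
  - 'unknown-bssid':  a managed SSID broadcast from a BSSID not in the inventory
  - 'lookalike-ssid': an SSID that normalises to a managed name but is not identical
plus a helper that lists BSSIDs newly present since the last survey.
All scan data and the inventory below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    ssid: str
    bssid: str
    channel: int
    rssi: int  # signal strength in dBm; closer to 0 is stronger


# Constructed inventory of authorised corporate APs (placeholder MAC addresses).
AUTHORISED_APS = {
    "CorpWiFi": {"aa:bb:cc:00:01:01", "aa:bb:cc:00:01:02"},
    "CorpGuest": {"aa:bb:cc:00:02:01"},
}

# Constructed survey from a previous walk-round, before the parcel arrived.
PREVIOUS_SCAN = [
    ObservedAP("CorpWiFi", "aa:bb:cc:00:01:01", 36, -55),
    ObservedAP("CorpWiFi", "aa:bb:cc:00:01:02", 44, -61),
    ObservedAP("CorpGuest", "aa:bb:cc:00:02:01", 1, -72),
    ObservedAP("NeighbourCafe", "11:22:33:44:55:66", 1, -81),
]

# Constructed survey taken today; two new BSSIDs have appeared.
SAMPLE_SCAN = [
    ObservedAP("CorpWiFi", "aa:bb:cc:00:01:01", 36, -52),
    ObservedAP("CorpWiFi", "aa:bb:cc:00:01:02", 44, -60),
    ObservedAP("CorpWiFi", "de:ad:be:ef:00:01", 6, -41),    # managed SSID, unknown BSSID
    ObservedAP("CorpGuest", "aa:bb:cc:00:02:01", 1, -70),
    ObservedAP("Corp-WiFi", "de:ad:be:ef:00:02", 11, -45),  # look-alike SSID
    ObservedAP("NeighbourCafe", "11:22:33:44:55:66", 1, -80),
]


def _normalise(ssid):
    """Lower-case and strip punctuation so 'Corp-WiFi' and 'CorpWiFi' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def find_rogue_aps(scan, authorised):
    """Return a list of (reason, ObservedAP) findings in scan order."""
    findings = []
    managed_names = {_normalise(name) for name in authorised}
    for ap in scan:
        if ap.ssid in authorised:
            known = {b.lower() for b in authorised[ap.ssid]}
            if ap.bssid.lower() not in known:
                findings.append(("unknown-bssid", ap))
        elif _normalise(ap.ssid) in managed_names:
            findings.append(("lookalike-ssid", ap))
    return findings


def newly_seen(previous_scan, current_scan):
    """Access points whose BSSID was absent from the previous survey."""
    before = {ap.bssid.lower() for ap in previous_scan}
    return [ap for ap in current_scan if ap.bssid.lower() not in before]


if __name__ == "__main__":
    for reason, ap in find_rogue_aps(SAMPLE_SCAN, AUTHORISED_APS):
        print(f"{reason:15} {ap.ssid!r:14} {ap.bssid} ch{ap.channel} {ap.rssi} dBm")
    for ap in newly_seen(PREVIOUS_SCAN, SAMPLE_SCAN):
        print(f"new-since-last  {ap.ssid!r:14} {ap.bssid} ch{ap.channel} {ap.rssi} dBm")
```

The strong signal on the unknown BSSIDs is the tell a defender should pay attention to: an evil twin only works if it is louder than the real AP, so a rogue that is inside the building tends to sit at the top of the RSSI list rather than down among the neighbours.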