The world of Red-teams and Social Engineering can be quite insular. As someone who founded The AntiSocial Engineer, I know that was almost part of the design and philosophy at the time. We weren’t interested in doing things like other InfoSec companies – we wanted to be different.
A big part of this process was moving away from the rigid and limiting methodologies and scopes that are seen in many high street security companies. I didn’t want my wings clipped on a social engineering assessment; jobs were to be realistic, impactful and offer actual benefits to customers. To me, a social engineering physical report is like saying to your client: “Look, I have really had my criminal hat on this week, I have gone through absolute physical and mental torture to bring you these findings.”
What physical social engineering is not: it is not bumbling up to some building with a cup full of coffee and a head full of ego, hoping you’ve remembered enough lines of that YouTube video to trick the receptionist into believing that you don’t have social anxiety.
It has been five years since founding The AntiSocial Engineer, performing social engineering physical testing for some great companies, adapting our brazen testing styles and learning by trial and error, and I’ve been meaning to write it down, or at least make some notes, to explain a little to our customers and provide something I can expand on later.
The second the customer is added to my calendar, I have a quick look at their DNS, website and Google results and try to gauge the level of doom and fear I should feel. Some customers want a bit of a ‘first steps’ spot check, with the majority of my time onsite spent explaining some common risks in a boardroom.
Then there are the other organisations, where physical testing is a critical part of honing their policy and processes; the test is their sixteenth physical assessment and the bar is so much higher, with all eyes on us to push their blue team further. I’m going to break the stages down as we go through a typical physical social engineering assignment.
Paperwork
After a customer decides they want to perform a social engineering assessment with us, the first step is ensuring the paperwork is completed and checked. As you can imagine, there is quite a lot to clarify with an organisation before the work starts: insurance, contracts, a scoping overview.
We like to understand the kind of simulation that would benefit them and identify what areas of concern they currently have. From this, we can agree on some clear boundaries and steer the job accordingly. For us, scoping is less about identifying whether we can use lock-picking or send SMShing messages and more about identifying concerns – such as a food production company requiring suited employees in a working space. Our customers leave a lot to our discretion and, in return, it just seems smart to identify their concerns. This minimises incidents and keeps the following work professional!
Start Of The Week
Before I paint any pictures of tacticool-clad consultants sneaking through air ducts, many people are surprised to find that the start of a physical social engineering assessment is quite nerdy. It is not uncommon for us to spend 12+ hours online scraping away at snippets of information that may be useful later.
Over the course of five working days, the task is to take a company name and play the part of a competent and determined attacker, usually to get in and extract information, or to re-create a financially motivated crime. Regardless of what character we are going to play at the end of the week, currently all we have is a name. Information is going to shape every step of the following week, and we collate as much data as we can.
Google vs OSINT
It’s quite a challenge to gather all the data you need, but luckily some great tools help us speed up the process. Everything useful is processed and stored. A worksheet is created and shared amongst the party, and this is the place we combine our findings. Every test differs, but usually this will contain: links to interesting sites, pictures of the building, names taken from LinkedIn, addresses, Google Maps data, Nmap scan data, SpiderFoot sheets, paid services, DNS records, etc.
Of course we Google! We get right into the 8th page and use all kinds of Google dorks to uncover things a program would miss. The issue, though, is that good OSINT has to cross a myriad of resources and, as yet, programs aren’t that great at it. SpiderFoot’s 55,000 unique datasets are impressive, but sometimes I find a hand-curated list of 150 employees and their job roles off LinkedIn more useful.
Whilst OSINT is more than a good Google search, many miss the point. OSINT is about soaking up all the information you can and using it to formulate the next stages. We aren’t too picky where the information comes from, as long as it can be trusted and gives us information on our target company.
On-Site Recon
Before entering a building for the first time on a social engineering job, I like to go and spend some time there. This is usually done late at night and is as covert as I can be at 6’4″. After working hours, some sites are completely closed off from the world and this is a great time to gather more information.
If the weather is good and the location warrants it, I will also chuck a drone up and see what it can see. It kind of feels silly not to when you can have military-style live recon of the site, from your car, for a few hundred pounds.
Wireless snooping of the WiFi is sometimes useful. If a good signal is available from a discreet enough location, then a wireless recon box can be left. The device has a battery and a 4G connection alongside a WiFi Pineapple and SDR radios, so I can connect to it for a few days and try out all kinds of slow wireless attacks.
Then there is a walk of the perimeter to find CCTV and footpaths. Although social engineering is about the manipulation of people, it can, and should, cross into red-teaming where it is appropriate. This isn’t Twitter, where some criminal is having a moral dilemma about red-team vs SE. If a fence is broken I will exploit that, sneak in and try to take pictures through the windows. If I see a recycling area I’ll also have a look for documents and gems in the bins.
With a lot of security testers glued to Kali these days, the basic stuff is the lost, untapped source of information social engineers need. Sure, it could be 3am and I am on my knees taking a photo of a rat trap outside the building – but when I arrive on Friday and get a badge from reception to go and service these boxes and take over everything, they won’t see me tired and dirty. They will be clueless as to how knowledge of the exact pest control company named on the box will get me access.
Remote Attacks
Call it laziness or experience, but I want every on-site social engineering job to start with me parking up, waltzing into reception and picking up my ID as an expected guest. How we get to that point is the behind-the-scenes bit that makes use of the previously gathered data!
In the lead up to physically gaining access to a site, we will try all kinds of phishing emails, text messages and try to gather credentials and access to the company remotely. The purpose is to obtain more information that we can feed into the worksheet and ongoing campaign.
It seems to be a matter of time and technique, but sooner or later they always give you something: access to their Exchange accounts, access to some third-party app, or their company mobile operator spills too much info.
Remote attacks provide data, and this prevents me from going in cold and messy, making a scene and an idiot of myself. Nothing gets you acquainted better with the company than going through the new starter induction checklist on your mark’s SharePoint account.
Once I have the global address book and have compromised a few more accounts and services I will plan the email to reception… something boring enough to slip under the radar yet get me a key and a coffee later on when I am on site.
On Site Visit
I can only explain the thrill of social engineering like riding a broken roller coaster. You know it’s broken and you’ve taken the choice to ride it so when it leaves that station you are a complete passenger. Your opinions are irrelevant and you can take a backseat to the events that follow.
I used to ride that rollercoaster every week, and it caused me a lot of fear and worry. That was until I just decided to put all my effort and hard work in beforehand. I prepare religiously, and when I walk in that front door I am relaxed and excited. Learning to enjoy physical social engineering was very much my dancing in the rain moment.
Everything on a job is turned up to 11. You greet the receptionist with smiles and reassuring body language. My vocal tone begins to resemble people that like other people. I am chatty, witty. We engage in conversation about my made-up visit to the Cotswolds last week with my made-up charity fundraising team, doing everything in my power to cover the distraction theft of a secondary badge and the audio bug that has just been planted near reception. I move on. One thing that nobody tells you on a social engineering job: you need to know where you are going, and look natural. This is hard, because you can’t ask people.
You quickly get a feel for the place, and there are common similarities between offices that offer reassurance. Multi-floor buildings have execs and the C-suite residing on the highest floor… Finance normally has a locked office or space. Smoking shelters are commonplace now, which means the nearest door is open and closed all day.
Dropboxes and Deception
One common goal we have is to plant a networking device on the internal LAN that will allow us persistent access after we have left the site. For this we use small computers that can be run headless. This means it’s normally a case of plug in and walk away. The computer will boot up and try to connect to a control server. Not all dropboxes make use of the LAN though; a WiFi Pineapple style device can also be impactful in the right offices.
When we get into a client’s offices, the bag of tools gets tipped upside down: mini IP cameras, UHF and GSM bugs, 4G MiFis, batteries. The more gadgets, the more you can see and hear and touch after you leave.
The physical presence in the building is like god mode for a pentester compared to hacking remotely. No longer do you have to research exploits for days – you just pick up electronics and connect away. You can plant key-loggers then feign a problem and someone will come over and log in for you. You can use the internal phone system to ring the helpdesk and get a password reset. All options, glorious options as you pretend to hot-desk in yet another trendy wealth management company.
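The same behaviour that makes a dropbox convenient for the tester, plugging in, taking a DHCP lease and calling out, is what a defender can key on. As an added example (not from the original post, and not The AntiSocial Engineer’s tooling), here is a small Python check that reads dnsmasq-style DHCP lease lines and flags any device that is not in an approved asset inventory, sits on a watched OUI, offers no hostname, or uses a locally administered (software-set) MAC. The lease lines, the inventory and the watchlist are constructed sample values; the only real identifier is the b8:27:eb OUI, which is registered to the Raspberry Pi Foundation.

```python
"""Flag DHCP leases that do not match an approved asset inventory.

Added example for this article, not the author's tooling.  Lease lines follow
the dnsmasq.leases layout (expiry, MAC, IP, hostname, client-id).  The sample
leases, the inventory and the watchlist below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed lease lines in dnsmasq.leases format ("*" means no hostname).
SAMPLE_LEASES = """\
1700000100 a4:5e:60:11:22:33 10.0.5.12 FIN-LAPTOP-07 01:a4:5e:60:11:22:33
1700000160 3c:22:fb:44:55:66 10.0.5.13 RECEPTION-PC 01:3c:22:fb:44:55:66
1700000220 b8:27:eb:aa:bb:cc 10.0.5.41 raspberrypi 01:b8:27:eb:aa:bb:cc
1700000280 02:11:22:33:44:55 10.0.5.42 * *
"""

# Constructed approved inventory: MAC -> asset description.
APPROVED_ASSETS = {
    "a4:5e:60:11:22:33": "Finance laptop 07",
    "3c:22:fb:44:55:66": "Reception desktop",
}

# OUI prefixes the defender has chosen to watch.  b8:27:eb is the real OUI
# registered to the Raspberry Pi Foundation; add others as you see fit.
WATCHED_OUIS = {
    "b8:27:eb": "Raspberry Pi Foundation",
}


@dataclass(frozen=True)
class Lease:
    expiry: int
    mac: str
    ip: str
    hostname: str  # empty string when the client sent none


@dataclass(frozen=True)
class Finding:
    lease: Lease
    reasons: tuple


def parse_leases(text):
    """Parse dnsmasq-style lease lines; blank or short lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        expiry, mac, ip, hostname = parts[0], parts[1].lower(), parts[2], parts[3]
        leases.append(Lease(int(expiry), mac, ip, "" if hostname == "*" else hostname))
    return leases


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the MAC was set in software."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def review_leases(leases, approved, watched_ouis):
    """Return a Finding for every lease that trips at least one signal."""
    findings = []
    for lease in leases:
        reasons = []
        if lease.mac not in approved:
            reasons.append("MAC not in approved asset inventory")
        oui = lease.mac[:8]
        if oui in watched_ouis:
            reasons.append(f"OUI on watchlist: {watched_ouis[oui]}")
        if not lease.hostname:
            reasons.append("no hostname supplied in DHCP request")
        if is_locally_administered(lease.mac):
            reasons.append("locally administered MAC (software-set address)")
        if reasons:
            findings.append(Finding(lease, tuple(reasons)))
    return findings


def review_sample():
    """Run the check over the constructed sample data."""
    return review_leases(parse_leases(SAMPLE_LEASES), APPROVED_ASSETS, WATCHED_OUIS)


if __name__ == "__main__":
    for finding in review_sample():
        print(f"{finding.lease.ip} {finding.lease.mac} host={finding.lease.hostname or '-'}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

On the sample data the two inventoried office machines pass, the raspberrypi lease is flagged for not being inventoried and for its OUI, and the hostname-less lease is flagged on three counts. A MAC is trivially changeable, so treat this as a cheap early signal to pair with switch-port security or 802.1X and an alert on unknown outbound connections, rather than as a control on its own.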
You have to be on your toes because for the commissioned time of a social engineering engagement, these smiley happy people you find yourself amongst are the enemy. They might lean over and appear to be friendly but subconsciously they don’t like something. They want to probe and unravel your lies.
Employee – “So you are from the Manchester Office?”
Me – “Yes Sharon, I’m also new so I don’t know any of your estranged work mates.”
Like a bad game of ping pong, the conversations go back and forth, but are all steered towards me being a really nice person who is doing something very trivial because of some unforeseen drama. With a big pinch of everything is completely OK thrown in.
Client Contact
I like to keep communication throughout a job with the clients we work with if possible. It makes it easy to quickly get an answer to simple questions. “We planted a bug in the boardroom, do you want us to continue, go harder or fall back?” We design and plan the job, but still, this chat often allows me to fine-tune the assessment.
This is also good for receiving feedback on events; don’t forget that this is a simulation and risks should be minimised. My favourite example of this was gaining access to a building and then hiding under a desk in an unused office area. Because I had time and was quite well concealed under the desk, I decided to pull out a laptop and start on the network. This triggered a Darktrace alert. Because of good communication, a very scared IT tech and I were sharing a coffee in record time, with no escalation or police incident.
Reporting and Debrief
Reporting is very much unique to the client and their needs. If they require statistics and numbers solely, the screenshots from the drone might be a little out of kilter. Tailoring this so everyone is happy and gets the maximum amount of learning is the challenge. Presenting findings directly to a board is also a really efficient way of transferring first-hand accounts of what happened. As a minimum, all of the important stages of the assessment will be reported on. I am very visual in reporting and like photos from the jobs and screenshots to walk through the stages.
Remediation
Improving security after a social engineering exercise should be the focus. What areas could be adapted in the target company to make it harder for people like me to gain access?
When we work with clients over years, improvements can start with simple nudges like implementing two-factor authentication or improving sign-in procedures. As time goes by, improvements get more advanced and tailored.
When you come back for the next engagement and the fence has been fixed, the CCTV is better, the receptionist is a stone-cold dragon, the RFID system has been upgraded and I am having to work harder, it really does make me smile.
This is why I wake up and go to work.