
Page 1

How I “Pwn” Your Network: A Chat with a Social Engineer and Facility Breach Expert

Kai Axford

<Insert lots of letters and stuff here>

Page 2

**DISCLAIMER**

All demonstrations are examples of techniques currently used in social engineering and facility breach exercises, with express permission from the client, by trained professionals.

Do not try this at home.

Page 3

“It’s increasingly harder to break in on the external perimeter; adaptation occurs towards our weakest link, the human element.”

- Dave Kennedy (ReL1K), Developer of the Social Engineering Toolkit (SET)

Page 4

• Why would I fight your:
  – Security Information Event Management (SIEM)
  – Anti-Virus
  – HIPS/NIPS/IPS/IDS
  – Web Application Firewalls
  – Secure Coding Practices
  – Patch Management

• Why would I fight everything you’ve built into your entire security program… when I can just walk in and take your data?

Page 5

We exploit the gap between:

Page 6

Corporate Security

Information Security

Page 7

(Diagram slide; only its labels survived extraction:)

• Network
• Web Applications
• Wireless
• Facility
• Users

Page 8

• Google-Fu + Bing-Fu => FTW!
  – Facility layout and surroundings
  – Job openings
  – Telco providers
• Corporate website - Investor relations, corporate officers, contact info, etc.
• Social networking sites (LinkedIn, Facebook, Twitter, etc.)

Page 9

Social Engineer’s Toolkit (SET)

• Is a toolkit “specifically designed to perform advanced attacks against the human element” that is built on top of the MSF.
  – Developed by David Kennedy (ReL1K)
• Will conduct the following attacks:
  – Spear-Phishing – Spoof or utilize already established email addresses to do spear-phishing attacks with file format attack vectors.
  – Web Attacks – Multiple attack vectors including Java applet, client-side exploits, tabnabbing, man left in the middle, and the credential harvester.
  – Infectious Media Generator – Creates a CD/DVD which allows you to deploy MSF payloads in a simple autorun.
  – Arduino / Teensy USB HID Attack Vector – Multiple payload selection for the USB keyboard HID attacks.
  – And so much more!

Page 10

DEMO: BackTrack 5

Page 11

Breaking In: For us, it’s all about style…

• Numerous ways to accomplish my goals:
  – Technical and Non-Technical methods
  – Point and Area Targets
• Point Targets – Targeting an individual
  – This means YOU!
  – Phone, email, social networking, face-to-face
• Area Targets – Targeting a site
  – Tailgating, baiting, “Red Team” exercise, lockpicking, dumpster diving, etc.

Page 12

Point Targets

Page 13

Phone Domination

• Let’s have a listen…

Page 14

DEMO: Spoof Card

Page 15

• Social networking is my dream and your nightmare.
• TMI = Too Much Information about you and your company.
• Why do IT guys like to just “tell it all” on these sites?

Page 16

Page 17

Face to Face

• Sometimes this is actually easier for a social engineer.
  – Easier to gauge reaction.
  – Harder to dismiss someone in front of you.
• Relies completely on the skill of the social engineer
  – Must react to the situation immediately
  – Know when to push and when to retreat

Page 18

Face to Face

• It’s not as easy as you think to avoid…
• Let’s take a look at what happens when you are successful…

Page 19

Area Targets

Page 20

• No lock is perfect
• Various types
  – Pin Tumbler locks
  – Wafer locks
  – Cipher locks
  – Code and card operated locks
  – Padlocks
• Only a delaying mechanism

Page 21

DEMO: Lock Picking

Page 22

Tailgating

• A frequently used attack vector
• Why?
  – It works and requires almost no skill
  – (I bet you’ve used it before yourself!)

Page 23

Page 24

DEMO: The PwnPlug

Page 25

Page 26

Page 27
Page 28

Programmable HID USB Keystroke Dongle

• USB device that emulates a USB keyboard (so the host binds its standard keyboard drivers to it) and will execute commands (i.e. install malware, reverse shell, shut down A/V, etc.)
• Why do I use it?
  – Types faster than I can, without errors
  – Works even if autorun is disabled
  – Draws less attention
  – Can be set to go off on a timer… e.g. when my target is logged on
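The defender's counterpart to this slide is noticing when a "keyboard" that nobody issued shows up. The script below is an added example, not code from the deck or from any project it names: it reads Linux kernel (dmesg-style) log lines, correlates the enumeration message for a USB device with the line in which the hid-generic driver binds a keyboard-class interface, and raises an alert for any keyboard whose vendor/product ID is not on an allow list. Every ID, product string and log line is constructed for the example; only the message shapes follow what the Linux usb and hid-generic drivers print.

```python
"""Added example (not from the slides): flag a keyboard-class USB HID device that is
not on an allow list, by parsing Linux kernel (dmesg-style) log lines.

All vendor/product IDs, product strings and log lines are constructed; the message
shapes follow what the Linux usb core and hid-generic driver print."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: two devices plug in. The first calls itself "USB Serial" yet
# enumerates a keyboard interface, which is the keystroke-dongle pattern on the slide.
SAMPLE_DMESG = """\
[  101.211] usb 1-1: new full-speed USB device number 4 using xhci_hcd
[  101.360] usb 1-1: New USB device found, idVendor=16c0, idProduct=0483, bcdDevice= 1.00
[  101.361] usb 1-1: Product: USB Serial
[  101.370] hid-generic 0003:16C0:0483.0005: input,hidraw1: USB HID v1.11 Keyboard [USB Serial] on usb-0000:00:14.0-1/input0
[  102.001] usb 1-2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice=64.00
[  102.002] usb 1-2: Product: Approved Keyboard
[  102.004] hid-generic 0003:1234:ABCD.0006: input,hidraw2: USB HID v1.10 Keyboard [Approved Keyboard] on usb-0000:00:14.0-2/input0
"""

# Constructed allow list: (vid, pid) of keyboards the desktop team actually deployed.
ALLOWED_KEYBOARDS = {("1234", "abcd")}

NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
HID_KEYBOARD = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.[0-9A-Fa-f]+: .*\bKeyboard\b")


@dataclass(frozen=True)
class HidAlert:
    port: str
    vid: str
    pid: str
    product: str
    reason: str


def find_unexpected_keyboards(log_text: str, allowed=ALLOWED_KEYBOARDS) -> list[HidAlert]:
    """Correlate enumeration lines with hid-generic binding lines and return one
    alert per keyboard-class device whose (vid, pid) is not on the allow list."""
    port_by_id: dict[tuple[str, str], str] = {}   # (vid, pid) -> bus port, e.g. "1-1"
    product_by_port: dict[str, str] = {}          # bus port -> product string
    alerts: list[HidAlert] = []
    for line in log_text.splitlines():
        if m := NEW_DEVICE.search(line):
            port_by_id[(m["vid"].lower(), m["pid"].lower())] = m["port"]
        elif m := PRODUCT.search(line):
            product_by_port[m["port"]] = m["name"].strip()
        elif m := HID_KEYBOARD.search(line):
            key = (m["vid"].lower(), m["pid"].lower())
            if key in allowed:
                continue
            port = port_by_id.get(key, "?")
            alerts.append(HidAlert(port, key[0], key[1], product_by_port.get(port, "?"),
                                   "keyboard-class HID device not on allow list"))
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_keyboards(SAMPLE_DMESG):
        print(f"ALERT usb {a.port}: {a.vid}:{a.pid} '{a.product}' - {a.reason}")
```

The product string is carried into the alert on purpose: a device that announces itself as a serial adapter or storage key and then binds a keyboard interface is exactly the composite-device trick the slide relies on, and that mismatch is what an analyst wants to see first. In production the same logic would read the journal or a udev hook rather than a pasted dmesg, and the allow list would come from the asset inventory.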

Page 29

**Important Safety Tip**

An individual information gathering technique or attack vector is rarely successful. It is the combination of these techniques that makes this a credible threat to your infrastructure.

Page 30

Defeating the Social Engineer

Page 31

We’ll make this real simple…

1. What I love to see and hear
2. What I hate to see and hear

Page 32

What I LOVE to see and hear

• “You won’t get in… according to the audit committee… we’re compliant.”
• A contract security guard who is busy with non-security tasks
• “The Beige Plastic Gambit”
• Nice employees
• “The Cameraman of Security Theater”

Page 33

What I HATE to see and hear

• A nosy workforce with regular security awareness training
• Rapid and effective incident response
• Patch management that patches
• Physical Security Information Management (PSIM)
• Visitor management
• Turnstiles & Anti-Passback devices
• Tech controls that work, but aren’t sexy
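Why anti-passback belongs on the "hate" list, and how it answers the tailgating slide earlier in the deck, is easiest to see in code. The following is an added example, not from the slides or any access-control vendor: it applies the usual hard anti-passback rule (a badge read at an IN reader must be read at an OUT reader before it is accepted at an IN reader again) to a constructed stream of badge events, denies the re-entry that a passed-back badge produces, and flags an exit by someone who never badged in, which is what a tailgater leaves behind. Badge numbers, timestamps and door names are all constructed.

```python
"""Added example (not from the slides): hard anti-passback over a constructed stream
of badge-reader events, producing access decisions plus the anomalies a security
desk or PSIM feed would want to see."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BadgeEvent:
    ts: int        # seconds since midnight (constructed)
    badge: str
    reader: str    # "IN" or "OUT"
    door: str


# Constructed day of events at one turnstile.
SAMPLE_EVENTS = [
    BadgeEvent(28800, "B1001", "IN",  "lobby"),  # 08:00 B1001 enters
    BadgeEvent(28860, "B1001", "IN",  "lobby"),  # 08:01 same badge at IN again: passed back to a second person
    BadgeEvent(29400, "B2002", "OUT", "lobby"),  # 08:10 B2002 leaves but never badged in: tailgated in
    BadgeEvent(43200, "B1001", "OUT", "lobby"),  # 12:00 B1001 leaves
    BadgeEvent(45000, "B1001", "IN",  "lobby"),  # 12:30 B1001 returns: allowed, the exit was recorded
]


def anti_passback(events):
    """Return (decisions, violations).

    decisions:  list of (ts, badge, granted) in time order.
    violations: list of (ts, badge, reason) for the security desk."""
    inside = set()                 # badges currently credited as being inside
    decisions, violations = [], []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.reader == "IN":
            if e.badge in inside:
                # Hard anti-passback: no second entry until an exit is recorded.
                violations.append((e.ts, e.badge, "re-entry without recorded exit (badge passed back?)"))
                decisions.append((e.ts, e.badge, False))
            else:
                inside.add(e.badge)
                decisions.append((e.ts, e.badge, True))
        elif e.reader == "OUT":
            if e.badge not in inside:
                violations.append((e.ts, e.badge, "exit without recorded entry (tailgated in?)"))
            # Exits are never denied here (free egress); the anomaly is logged instead.
            inside.discard(e.badge)
            decisions.append((e.ts, e.badge, True))
        else:
            raise ValueError(f"unknown reader type {e.reader!r}")
    return decisions, violations


if __name__ == "__main__":
    decisions, violations = anti_passback(SAMPLE_EVENTS)
    for ts, badge, reason in violations:
        print(f"{ts:>6} {badge} {reason}")
```

The point for the defender is the second violation: a turnstile with anti-passback does not merely block the badge that was handed back through the glass, it also turns every tailgater into a recorded anomaly the moment they try to leave, which is why a nosy workforce plus this control is so much harder to work around than a propped door.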

Page 34

Questions?

Kai Axford, MBA-IA, CPP, CISM, CISSP, QSA
Director of Strategic Services
FishNet Security
[email protected]
Twitter: @kaiax33

Page 35

Resources

• Social-Engineer.org (http://www.social-engineer.org/)
• Hadnagy, Christopher. Social Engineering: The Art of Human Hacking. Wiley Publishing, 2011.
• PwnieExpress (http://pwnieexpress.com)
• Deviant Ollam’s Site (http://deviating.net/lockpicking/)
• BackTrack Linux.org (http://www.backtrack-linux.org/)
• Crenshaw, Adrian. “Programmable HID USB Keystroke Dongle: Using the Teensy as a pen testing device.” IronGeek.com (http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle)