CompTIA Pentest+ PT0-002 – Section 8: Social Engineering and Physical Attacks Part 4

70. Lock Picking (OBJ 3.6)

Lock picking, in this demonstration I want to show you how easy it is to bypass a security that a standard padlock tries to afford you. You can do this by using an inexpensive lock picking set you can find on eBay or Amazon for about $25. This same basic technique works for a standard door lock as well, like the one you’d find on your office or your home and the reason is they both rely on a pin and tumbler system. Now, hopefully this shows you how important it is to pick a high quality, pick resistant lock to protect your networks servers and your organizational facilities. So to do this demonstration, we’re going to use four things. I have a standard padlock. I have the keys for that padlock. I have a lock pick, in this case it is a single lock pick that will have one single tooth that will try to move the pins up and down and I have a tension wrench.

So first I’ll show you that the standard padlock, You can see this is see through, so you can actually see inside of it. We’re going to put the key in just like we normally would. We will open it and you can see it’s just a standard lock. It opens to the right. And if we take the key out, we can lock it again. So now what we’re going to do is we’re going to take the tension wrench and we’re going to place it into the keyhole at the bottom. Now, when we go to open the lock we want to be able to turn it to the right. So I’m going to constantly apply just a little bit of pressure with my pinky to hold that in place. And I’m going to use the lock pick and I’m going to pick each of those six pins to find the right place for them. And once we get them right, the lock will open. You can see just how quickly and easily it is to be able to pick a lock in this manner.

71. Physical Attacks (OBJ 3.6)

When it comes to physical attacks, there are really six key types of attacks that you need to know about. These include tailgating, piggybacking, shoulder surfing, eavesdropping, dumpster diving, and badge cloning. The first type of physical attack is known as tailgating. Tailgating occurs when an attacker attempts to enter a secure portion of an organization’s building by following an authorized person into that area without their knowledge or consent. Now, for example, if I just went up to the server room door and I swipe my access badge and enter my pin number, the door would beep and unlock. And now I can walk in, because I’m part of the authorized personnel list. Now, as I open the door and walk through, but before that door shuts behind me, somebody else could sneak in, and enter the room without my knowledge. That would be considered tailgating. As a penetration tester, you can try to identify the habits of employees as they’re using those doors and the way the doors themselves function, in order to take advantage of them during tailgating. For example, if you notice that employees often let the door close by itself using the force of gravity to shut it, this can be something you could take advantage of, because there’s going to be time between when the employee walks through that door and the time the door is actually shut and locked again. By observing the door, you can also see just how long it takes for gravity to actually shut that door.

For example, I’ve been in some secure buildings where the door will shut itself in under two seconds, which doesn’t leave a lot of time to grab the door and sneak in. But I also saw other doors in that same high security building that took 30 to 60 seconds to fully shut by itself, because somebody misconfigured the tension rod that actually pulled the door shut. Other organizations I’ve been at, have trained their employees to be aware of people who are trying to tailgate into secure areas. So those employees are now in the habit of actually pulling the door shut behind them instead of simply walking away and hoping the force of gravity is going to shut the door for them. The second type of physical attack you can conduct is known as piggybacking. Now, many people get tailgating and piggybacking confused, because they are very similar. Piggybacking occurs when an attacker attempts to enter a restricted area or get past an access control vestibule by following an authorized employee with their knowledge or consent. Now notice, that is the key difference.

With tailgating, the employee didn’t know you’re sneaking in behind them, but with piggybacking, they’re aware of it and they’re allowing it. Now, why would somebody allow it? Well, this comes back to your ability to conduct effective social engineering and using the six different methods of influence, your impersonation skills, and your ability to elicit their assistance. For example, if I walked up to the access control vestibule with my hands full of boxes, and I started fumbling around with something that looks like my access badge, an authorized employee might be nice enough to scan their own badge and hold the door open for me. If the employee trying to be nice, actually opens that door and then lets me walk through it, this is known as piggybacking. Because two people are entering on one swipe of the employees access card. In general, piggybacking works really well in large organizations, where all the employees don’t know each other. If you try to conduct piggybacking at a smaller company like mine, it’s not going to be very effective because everybody in our company knows everybody else. And so we would have to question, who are you, and why are you trying to get in this building?

Because we have less than 20 people on our team, so we know everybody who works for us. Now, the next type of physical attack is known as shoulder surfing. Shoulder surfing occurs when an attacker attempts to observe a target’s behavior without them noticing it. Most commonly, shoulder surfing is conducted very close to the target in an effort to use direct observation to obtain authentication details or other sensitive information. For example, if you’re sitting at your desk and you’re about to log into your computer in the morning, I could walk over near you, look over your shoulder as you’re typing your password. I might see your fingers start moving across the keyboard. P-A-S-S-W-O-R-D enter. Got it. Now I know your password. Your password is password. That’s the idea of shoulder surfing because I’m looking directly at your hands as you’re entering the password on the keyboard. Usually it’s not going to be as obvious as me standing right behind you and looking over your shoulder, but instead, shoulder surfing can take a lot of different forms. For example, let’s say I’m working at the desk next to yours, I could glance over at your computer screen and see sensitive information there, like your bank balance or your credit card number or something like that. Any kind of information that somebody can see when they’re not really authorized because they’re looking over your shoulder or looking at your screen, that’s going to be considered shoulder surfing. In the modern era though, shoulder surfing can also occur with the help of technology.

For example, I have a friend who has a very long telescopic lens that he uses on his camera during engagements. From across the street, he can look through an office window and take pictures of sensitive information on the victim’s computer screens. This although enabled by technology is still considered shoulder surfing. Similarly, with a smaller size of wireless cameras these days, it’s possible for a penetration tester to lead behind a small camera, pointing directly at assistant administrator screen or keyboard without it being easily detected. And this would also be another technology enabled form of shoulder surfing. The next type of physical attack we have, is known as eavesdropping. Just like we can use our eyes to conduct shoulder surfing, we can use our ears to conduct eavesdropping. Now, if you’ve been able to get into the office or you’re hanging out at a coffee shop right next to your target organization, you’re likely to overhear some information that could be useful during your attacks and exploits phase of the engagement.

Or maybe you’re going to conduct a second round of information gathering. Either way, using your ears and listening, can be very valuable. Now, for example, let’s say I’m standing behind you and your boss as you’re a conversation about the projections for next quarter’s profits. By listening to your conversation and performing that direct observation with my ears. I can now listen in on that conversation and get sensitive financial details that I shouldn’t be authorized to hear. A technology enabled form of eavesdropping, occurs when a penetration tester leaves behind a wireless microphone or a digital recorder inside of a work area to capture any ongoing conversations. These days, you might also be able to hack into a smart device like a Google Home or Alexa and turn its embedded microphone into an eavesdropping device for your use. This is because many offices have these devices installed in their conference rooms or the executive’s offices. The next type of physical attack, is known as dumpster diving. Now, dumpster diving occurs when an attacker searches inside a trash or recycling container for personal, sensitive or confidential information or other items of value. Now, I know this sounds dirty, but guess what? It works. And it works really well.

And so penetration testers and attackers are willing to do it, because they find some really good information inside those dumpsters during their information gathering phase of the engagement. For example, if I perform dumpster diving against a target organization I might be able to find official documents, contact lists and other employee details. Now I have people’s names, positions, phone numbers and emails, and I could create a spear fishing or vision campaign based on the official documents I found. All of this can be great information for me to use during my engagement. Additionally, I could find things like calendars or physical printouts of some of the executive’s agendas, or upcoming meetings. Most employees, for example, throw away their calendars at the end of the year. And if you collect them, you’re going to find all sorts of notes, contacts and even sometimes passwords that are written down on the pages of those old calendars. In previous engagements, I’ve even found external hard drives, USB drives and old tape backups sitting in the dumpster.

You’re going to be surprised what you can find in that dumpster or the recycling bins behind your target organization. So it’s definitely something you should consider, based on the scope of your engagement. The final type of attack we have is called badge cloning. Now badge cloning is the act of copying authentication data from an authorized user’s badge. Depending on the authentication system being used by the organization. Their employee badges may rely on magnetic strips, an embedded microchip and a smart card or an RFID or NFC tag, embedded into the badge, that holds the authentication data. If the badges rely on a magnetic strip or an embedded microchip, that badge is going to have to physically be in your possession in order for you to clone it, because that authentication data is only transferred through physical contact methods. For example, I used to have a skimmer that could be installed on an access control vestibule’s badge reader. That way it could collect the authentication data from the employee badge when they tried to swipe their badge and gain access. Later in the day, I could go back and retrieve the skimmer and all the authentication data it collected.

Now a smart card base system with an embedded microchip is going to be harder to clone because it requires both the chip and the badge and the user’s pin to unlock that chip and read the certificates from it. To clone this type of a badge, you’re going to also need to conduct some form of shoulder surfing in order to identify the user’s pin and then borrow their badge to make a copy of it without their knowledge. By far though, the easiest badges to clone, are the badges with RFID and NFC tags embedded in them. Since these badges are considered contactless you really only need to get within the range of the badge, in order to read it’s authentication information. For example, if an employee has their badge on a lanyard around their neck you could accidentally bump into them and a reader in your backpack could pick up the RFID’s tag information during that accidental bump. With that RFID reader, you can usually read the badge up to a couple of feet away. This is actually a common technique for older RFID badges that relied on the 125 Khz EM4100 technology, because those badges didn’t support encryption and they transmitted any time a reader was nearby.

Unfortunately for penetration testers and attackers though, the newer RFID badges in use in modern authentication systems use higher frequencies that provide more bandwidth and higher data rates. And these do support encryption. Many of these systems also don’t send the entire authentication data, from the badge during their transmission. And instead they only transmit some key identifying attributes to identify the users. All these security features combined, do make it harder to conduct effective badge cloning on newer RFID base badges. Now for NFC based badges, a penetration tester needs to be extremely close to the badge they want to clone. Usually within just a few inches. Luckily many Android smartphones have embedded NFC readers. So you can actually install a badge cloning app on a rooted Android device and then use that to clone NFC badges, even those with encryption. Many badges are encrypted using the default keys that are issued by a manufacturer because the organization forgets to change them after the initial installation. This can make it really easy for a penetration tester to find success cloning these newer NFC style badges if they can get close enough to their target. As you can see, there are lots of different physical attacks that you can use, to gain access to a facility, obtain sensitive information and gain the freedom to move about the facility, once you clone a badge, to use during your physical penetration test.

72. Social Engineering Tools (OBJ 3.6)

In this lesson, we’re going to do a quick review of a couple of social engineering tools you should know about for the exam. This includes the Social Engineering Toolkit, the Browser Exploitation Framework, and some call spoofing tools. Now, the first one we’re going to cover is the Social Engineering Toolkit, also known as SET. Now, SET is a Python-based collection of tools and scripts that are used to conduct social engineering during a penetration test. The Social Engineering Toolkit comes installed by default in Kali Linux, and you can launch it by typing setoolkit at the command prompt. When you launch the Social Engineering Toolkit, you’ll be greeted by a menu with several options. This includes Social-Engineering Attacks, Penetration Testing, Third Party Modules, updating the Social-Engineer Toolkit, updating the SET configuration, Help, Credits and About. Now, once you go into the Social-Engineering Attacks, you’ll be greeted with a long list of things that you can do, including Spear-Phishing attacks, website attacks, Infectious Media Generation, creating a Payload and Listener, Mass Mailer attacks, Arduino-Based attacks, Wireless Access Point attacks, QR Generation Code attacks, Powershell attacks, and third party modules.

Using the Social Engineering Toolkit is fairly easy because it does use this menu based system. As you go through and enter the different options in the menu, it will walk you through all of the options to configure and launch attacks, including phishing, pharming and other attack vectors. The next one we’re going to talk about is BeEF, which stands for the Browser Exploitation Framework. Now, we’re going to dig more into BeEF as we get into our network attacks and web application attacks, because BeEF is heavily used for both of those areas. But the exam objectives do include BeEF under the social engineering section, which is why I’m introducing it here. Now, BeEF is used to allow a penetration tester to actually assess the security posture of a target environment by using cross-site attack vectors, including things like cross-site scripting. BeEF can also be set up as an interception proxy between your system and the remote web server you’re connecting to. So you can actually stop, inspect and change packets as are being transmitted from your client to the browser. This allows you to change things in the DOM, which is the Document Object Model, or inside of the scripts themself using cross-site scripting attacks. The Browser Exploitation Framework is a great tool for testing browsers and associated web servers and applications. The third social engineering tool we’re going to talk about is call spoofing tools. Now, call spoofing tools aren’t covered by name in the exam objectives the way that SET and BeEF are, but the idea of a call spoofing tool is important to understand for the exam, because the concept is covered.

Now, when we talk about spoofing a call, most phone calls these days are made by voiceover IP phones. Now, this is in contrast to what we used to use, which was called the POT system, the Plain Old Telephone system. Now, on the old POT system, it was very difficult to do call spoofing and route your calls across a different network to show that your source of the call was coming from a different phone number. But with IP and VoIP, it is very easy to do. These days, you can spoof a VoIP call very easily by using dedicated apps for it, or even using tools like Asterisk, which is a free and open source tool you can install inside a Kali Linux. Using Asterisk, you’re able to make your own private branch exchange or PBX, and therefore, you can control the number that’s being reported as part of the caller ID.

Now, why would a social engineer want to spoof their calls? Well, there’s several reasons for this. One is to hide their true identity, and that way people can’t trace it back to them. The second is because you might be trying to conduct an impersonation attack. For example, if I’m trying to call up and pretend to be Bob from IT, it should probably say that I’m calling from a number inside your organization that you recognize, like, the IT help desk. That is the idea of doing call spoofing. And it’s a very useful tool for a social engineer to use during their assessments. If you need to conduct call spoofing as part of your engagement, I recommend that you look at what is considered a modern and up-to-date version of a call spoofing program at that time, because this is one area where the tools are changing rapidly, and there is no single tool that is considered the best by all penetration testers.

• Category: Uncategorized