2007
A HACKING ODYSSEY PART I: RECONNAISSANCE CONT...
Humans are very easily programmed and become stuck when something
happens out of the ordinary.
Think of a normal handshake: if someone walks up to you and extends
their hand in a motion that signals they are about to shake yours, you
are programmed to lift your hand in response. In certain scenarios,
such as when meeting someone, this is expected. But what if it happens
in a situation where you don’t expect it, e.g. when you are walking
down the street and a perfect stranger walks up to you with an
outstretched hand signifying that he wants to shake hands with you?
You still lift your hand to respond to that person, maybe not very far,
but you will still do it.
Now what if, when meeting someone and you expect a handshake, the
person stops halfway through extending their hand and puts it in their
pocket? You still extend yours, and when something happens that you
don’t expect, such as someone putting their hand in their pocket, your
programming breaks down and for a second or two you go into limbo, as
you have no idea what to do. Why? Because, as like as not, this will
never have happened to you before, so you have no programmed response
to it.
Consider this – whilst you are in limbo during this hand shake, if
the other person was to ask you what your phone number is, what would
you do? You are programmed to respond to a question, so whilst your
mind is in limbo wondering what the hell to do, the programmed part of
it will respond to the question that has just been directed towards you
and unless you manage to stop yourself in time you will answer the
question.
When I was learning about Social Engineering the course was taught
by a Psychologist and not an IT security professional. Halfway through
one talk the speaker invited a hypnotist into the seminar. The first
thing this hypnotist did was to walk up to someone near the front of
the audience and introduce himself – just as they were about to shake
hands he put his in his pocket and said something to him. In a few
seconds this guy was hypnotised and answered any question the
hypnotist asked him. He very effectively utilized the moment when the
man’s mind was wondering what it should do to hypnotise him.
I’m not suggesting you need to walk around shaking hands with
people and hypnotising them to socially engineer them, but am trying to
demonstrate that when something happens out of the ordinary, people let
their guard drop very temporarily and the mind is very open to external
influences.
To apply this psychology to a ‘real life’ social engineering attack,
imagine you phone up the web hosting company that Shed Store use (we
know this from the DNS records and the WHOIS record) and go through
the normal process everyone goes through when initiating a phone call:
the other person says hello, you say hello and state the reason why
you are phoning, and the other person goes through the process they
have probably gone through thousands of times and asks you for your
credentials to authenticate yourself... Oops, we hang up as we can’t
do that.
To apply the methodology of breaking someone’s programming you need
to do something unexpected that may have never happened to the other
person before.
The list of ways to do this is endless – but you have just found out
your name server allows anonymous Zone Transfers, right? So you’re
going to be a tad angry. What are the odds that if you phone up and,
instead of saying ‘hello’ as the poor help desk dude will be expecting,
you start yelling down the phone straight away asking why their DNS
server is misconfigured? What you are doing is putting them in a
situation they may not have been in before and do not know how to
handle properly (chances are that at help desk level they will not
even know what a DNS Zone Transfer is). So whilst they are fumbling
around trying to make sense of what you are angry about, mention (in a
very pissed off voice) that you can’t log on to your web server and
need to know your details – this is something the person will be
programmed to do and will understand, so whilst they are still trying
to figure out what the hell a DNS Zone Transfer is and who they can
escalate it to, they will be only too happy to do something they are
familiar with (and which gives them a bit of breathing space) and look
up the details for you.
Of course you don’t have to rant and rave at someone to throw them
off their guard. Try phoning an up-market hotel that does not normally
give out the details of who is staying in a certain room. When they
answer, just simply ask if they have the time (be very polite); I can
pretty much guarantee the receptionist will never have had this happen
to her before. So whilst she is in the state of registering what you
have just asked and what she should do in response, ask her who is
staying in room 101 – her programming will kick in and she may very
well divulge the information to you. The trick is to be nice and extra
polite to her.
After you have tried this method a few times you will develop a few
methods that usually work most of the time and stick to them.
Being extra nice to someone and making that person like you and want
to help you does pay off sometimes
This one kind of speaks for itself and is not something I need to
cover in great detail. Use your charm to try and make someone like you
enough to want to help you. This usually works best when talking to
someone of the opposite sex (unless you swing the other way). The best
way to do it is not to try and solicit any information during your
first conversation. Phone up initially, explain who you are (or who you
are pretending to be) and ask an innocent question that will not
require her to ask you questions to authenticate yourself, such as:
“Hi, I’m Keith Taylor the Managing Director of Shed Store, well
Guardian Buildings but you have us down as Shed Store. You host one of
our web sites called shedstore.co.uk and I was wondering if you are
experiencing any technical difficulties again, as at the moment we
can’t reach it.”
If we examine that seemingly harmless and everyday initial introduction
more closely, you can see what we have just done:
“Hi, I’m Keith Taylor the Managing Director of Shed Store” = Using
the name we got from the WHOIS record we have introduced ourselves to
her – putting a name to a voice on the telephone forces her to
automatically construct a mental picture of you, which will aid us in
getting her on our side. We have told her we are very high up in the
company, the MD no less. How many MDs does she speak to on a daily
basis? Not many I bet, so we will now stick in her mind and she will
remember us next time we call. By identifying the company we are from,
we allow her to learn a little more about us by offering her extra
information, which goes in our favour but more importantly we let her
know what company we are from so when we try to extract some
information from her later on she may not feel the need to authenticate
us.
“well Guardian Buildings but you have us down as Shed Store” – This
again offers her a little more information to add to her mental picture
of us. The second part of this sentence implies we have contacted them
before and have regular dealings with them – again adding to our
authenticity.
“You host one of our web sites called shedstore.co.uk” – Here we
have told her what our web site is and that we are indeed one of their
customers. This is important later on when we ask her for our login
details, as she will not need to ask us what our domain name is which
is usually the prelude to asking us to authenticate ourselves – we will
be breaking her programming.
“I was wondering if you are experiencing any technical difficulties
again, as at the moment we can’t reach it” – This reinforces the fact
that we have spoken to them before, as we used the word ‘again’. More
importantly, it is a question that does not require her to
authenticate us and is something she will have to go and search for,
which gives you that ‘moment of silence’ to make idle chat with her,
get to know her, and make her like and trust you.
She now has a mental image of you; knows who you work for; knows a
little more about your organisation than she may normally find out
about most customers (which could make you stand out amongst the
others); knows you are a Managing Director, which again makes you more
likely to be remembered by her (and all women like important men,
don’t they?); knows that we have phoned up before; knows your domain
name, which means she won’t have to ask for it; and knows you are
having technical difficulties but are still being nice to her. Not
many other customers would be as nice when experiencing technical
difficulties, so again you will stick out in her mind because of this.
After this all you can do is use your charm during the ‘moment of
silence’ to get to know her.
Give it a few hours and phone back up, you may have to do this a few
times until the same person answers the phone.
The second conversation could go something like this:
“Hi <insert her name!> it’s Keith again the MD from
shedstore.co.uk. I phoned you earlier to ask about some technical
difficulties, I’m just wondering if you are having some issues now as
we can’t access our site again and are really starting to lose business
over this.”
“Hi <insert her name!>” – You must use her name here as it
tells her we have remembered her, and everyone likes to be remembered,
right? Especially by an MD…
“it’s Keith again the MD from shedstore.co.uk” – This time we just
use the first name, to make the conversation more friendly and social,
we reinforce the fact we are an MD and again we tell her our domain
name.
“I phoned you earlier to ask about some technical difficulties, I’m
just wondering if you are having some issues now as we can’t access our
site again and are really starting to lose business over this.” – This
last part is designed to make her go off and search for something again,
which will give us another moment of silence to make idle chit chat.
Most importantly, we have now emphasised that this is a serious matter
for our business and needs to be resolved, but we are still being very
civil and chatty to her. This will be out of the norm for most cases she
has experienced when something is going wrong, and it stresses the fact
that we must be an exceptionally nice person if we are still being nice
to her... hell, I would want to marry me!
The knack here is to make idle chat but around a subject that you can
refer to later on.
The third time you phone up, don’t mention anything work related.
Start the conversation off about the subject you made idle chat about.
When you feel the time is right, say something along the lines of “Oh,
I’ve forgotten what it is I’m phoning for now... Oh that’s right, I
can’t remember my logon for the shedstore account, can you help us
out?” – or words to that effect.
If you have done your part right she will know your domain name, be
under the impression you work for Shed Store and may just go right
ahead and give you the credentials you need.
I have provided a theoretical example that only uses three phone
calls. In reality it could take weeks or even months to gain the trust
of someone, and it is not always done over the phone; it can quite
easily be done in person. You only get one shot: if you try it too soon
and she asks for credentials, obviously you can’t supply them and have
to hang up, wasting what could be weeks of effort in trying to gain her
trust.
People generally do not say no to an authoritative figure or to
someone who is placed higher than them in the organisational structure
It is usually easier to coerce someone into doing something they don’t
normally do than to coerce them into doing something they do every day
You should have grasped the basics by now. If you can convince them you
are important enough, they may be willing to skip procedure to
accommodate your request. Or, if you can put them under enough direct
‘managerial’ pressure, they may rush the job and again not authenticate
you.
The last one relates to things like the job advert I mentioned
further up the page: it will be easier to get the person filling in for
the missing firewall admin to make a change than it will be to get the
regular firewall admin to make the change.
‘Accidentally’ phoning the wrong person, when you know the real
person is away (perhaps from an out-of-office reply to a newsgroup), can
be a lot more rewarding than phoning the correct person.
Likewise, instead of phoning a hosting company, who are trained to
authenticate people before dealing with them, try phoning the target
company direct and claiming to be from the hosting centre. It may be
easier to coerce an untrained company employee who has never had to
ask anyone for credentials in their life to part with some logon
details.
Prior Information
Whatever tactic you decide to use, you are always going to need one
thing – prior information about the person/organisation you are trying
to imitate. You can’t pretend to be someone else if you know nothing
about them.
What information have we managed to get from all of the above steps?
Company name – An obvious one that we need.
Domain name – Handy for guessing email addresses; needed for WHOIS
lookups and for social engineering attempts.
Office Opening hours – What better time to attack their network than
when they are not there? Or, if you want to phone someone claiming to
be an employee, it is best to do so when they are not in the office.
Telephone number range – People still do use modems. With the phone
range we can wardial the company looking for them.
Company Address – A post code is often used in authentication steps.
We also now know where to go to look through their rubbish, if you are
that way inclined.
Senior Person from the company – From the WHOIS record we know the
name of a person who is likely to be high up in the company. Also good
as a search string in newsgroups.
Name Servers – You have seen why these are important.
Mail Servers – In this case the email is outsourced: another avenue
for a social engineering attack, either against the target claiming to
be from the email company, or vice versa. They may also have a second
email service for another domain.
Web site hosting company – As above; ideal for social engineering
attempts. We also know they host a web mail solution for the company
too – more info we can use for our social engineering. If we did want
to social engineer them we also know their address and phone number
from the RIPE record we looked up.
FTP Site – We know they have FTP access to the web site. This can
come in very handy when wanting to try and exploit parts of the web
site, as all we have to do is find an FTP logon; we don’t need to spend
a lot of time looking for web vulnerabilities.
Caller ID spoofing
You could use all of the information we have gathered together so
far, and you could use the very best methods of social engineering, and
it could all still fail. They are not foolproof methods, as they have a
huge human element to them, and humans are very unpredictable.
However, there is one final trick in our arsenal that can sometimes
work when all other attempts fail and that is to spoof our caller ID.
If someone was to ring you up at work and say “Hi, it’s Jim, I am
filling in for the System Administrator today,” you may or may not
believe him. If he called and said the same thing, but on your caller
ID display it came up that he was indeed calling from the Sys Admin’s
desk, then the chances are that you would indeed believe him... unless
his desk is in the same room as you, of course.
Think of Caller ID spoofing as instantaneous credibility.
It is relatively easy to spoof a caller ID; the hard part is finding
out what number to spoof it to.
TeleSpoof (http://www.telespoof.com/) is probably the most popular
service to use since Star38 and Comophone were forced to shut down due
to very negative publicity. Usually Caller ID ‘falsification’ services
do not stay in business very long, but TeleSpoof seem to be doing a
good job of it so far.
You have to pay to use TeleSpoof, but it is relatively cheap and is
worth trying out on your friends a few times to get the hang of it all.
If you have a VoIP setup then you can spoof your own caller ID for
free; notably, the Asterisk PBX is quite good for doing this and is
free.
Once you have learnt of a telephone number, probably via a WHOIS
record or a RIPE / ARIN record, which both usually list the System
Administrators of an organisation (and what better person could you
pick to pretend to be!), you can spoof away and see who reveals
information to you.
If you can’t find the System Administrator’s number, usually phoning
reception and asking for it will work. After all, why would they not
give it to you?
Summary
Reconnaissance is not very glamorous; it is tedious, probably not
much fun to read about and is almost never done by Script Kiddies. It
is largely based on common sense and reading publicly available
information. However, it is a very important part of the bigger
picture. It puts you 'in tune' with the target so you don't go
wandering in blindly, Nmap'ing away. There is not much skill involved in
it - which is why I think it puts the Skiddies off....
I have tried to run through all the steps an attacker may go through
when researching your organisation. I have chosen a real life company
as nothing in this paper is illegal to do. The company I chose looks to
be a largely web based company and I have not revealed anything that
could list their internal network presence, although there are a few
ways of finding it out and the more astute of you may be able to do so
by utilizing most of what I have mentioned.
The next part will cover the prelude to gaining access to a network
– i.e. network discovery, mapping out a network, scanning for services,
looking for weaknesses, WLAN scanning etc and will utilize the
information we have learnt here. I won’t use Shed Store for this as
they are a real organisation trying to run a business over the Internet
and it would not be right to demonstrate methods of accessing their
network, if indeed there are any.
If someone from Shed Store does read this hopefully they will look
at it as a free partial vulnerability assessment and leave it at that.
Remember to write down everything that you learn about a target, no
matter how small and trivial it may be. You never know when that little
bit of information may come in handy. Try out your social engineering
on a few innocent people in a harmless manner; maybe try and find out
who is staying in a particular hotel room, etc. After a while you will
get good at it and be able to use it for more ‘daring’ situations.
Some of you may be wondering why I have not mentioned Google much at
all – that is because I plan on writing another paper in the near
future on how to use Google from a ‘hacking’ perspective.
Please post any questions in this thread or start a new one in the
relevant forum; PMs, emails and MSN messages will not be answered.
Nokia
Original Tutorial
by nokia for TheTAZZone-TAZForum
Originally posted on February 7th, 2007 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.