- Introduction
This story will again be a little different from my previous stories as I plan to introduce some social engineering techniques. I'm not sure how long this story will run for as yet. This is just a fictitious story and no Windows boxes were harmed during the making of these posts.
As always I welcome any feedback and these posts are just a bit of fun and anyone using techniques described here to access systems should get permission first.
Setting The Scene
It started out with an ad I heard on an underground podcast.
"Were sponsored by Hackers On Site, their specialty is hacking people and their technologies. Now, in the past you’ve thought, oh, I would like to hire a hacker, somebody to help me hack a system or root a box. But you’ve wondered, how can I know whether they’re any good or not? And that’s a real problem. That’s why you’re going to love Hackers On Site. All Hackers on Hackers On Site are independent Hackers, but they’re certified, and they have a University of Hackerology. There not hacking for themselves but they are by themselves.
And in fact they’re looking for new Hackers. So if you want to be a Hacker, you can. Hackers On Site is in Canada, U.S., Mexico, England, Australia, South Africa, and Beyond"
I can't believe it, all I do is run a little security website and I get an email asking if I want to join Hackers On Site. I guess I am pretty active in a few forums and on IRC but this is great, it's like my dream come true. The email said I can work as much or as little as I want, they will offer me hacking assignments and if I am available I can do them. What a gig! All I have to do is prove myself on this first job and then pick up further instructions. And the best part is and I get paid for doing what I enjoy most. Okay so there's a risk, but lets face it, theres a risk that i'll get hit by a bus but I still cross the road!
"Were sponsored by Hackers On Site, their specialty is hacking people and their technologies. Now, in the past you’ve thought, oh, I would like to hire a hacker, somebody to help me hack a system or root a box. But you’ve wondered, how can I know whether they’re any good or not? And that’s a real problem. That’s why you’re going to love Hackers On Site. All Hackers on Hackers On Site are independent Hackers, but they’re certified, and they have a University of Hackerology. There not hacking for themselves but they are by themselves.
And in fact they’re looking for new Hackers. So if you want to be a Hacker, you can. Hackers On Site is in Canada, U.S., Mexico, England, Australia, South Africa, and Beyond"
I can't believe it, all I do is run a little security website and I get an email asking if I want to join Hackers On Site. I guess I am pretty active in a few forums and on IRC but this is great, it's like my dream come true. The email said I can work as much or as little as I want, they will offer me hacking assignments and if I am available I can do them. What a gig! All I have to do is prove myself on this first job and then pick up further instructions. And the best part is and I get paid for doing what I enjoy most. Okay so there's a risk, but lets face it, theres a risk that i'll get hit by a bus but I still cross the road!
The target in question is Scanned4U. A company that specializes scanning paper archives and archiving them in digital format.
Part 1 - It's Good to Talk!!!
If you haven't read the intro you can find it here.
Monday
I start off with some online research. It turns out that ScannedU have recently been awarded some pretty big contracts with the local authorities and a couple of small banks, no wonder people are interested in it. Scanned4U has sister companies called Shredded4U and Safe4U that specialise in shredding and off-site backups. While I'm on the site I have a good poke around but I gotta admit, web hacking isn't my strong point. I harvest as much data on the target as possible and spend a while pouring through it, trying to really understand the company.
I perform WHOIS lookups and get an idea of how the network is laid out by checking the MX records of the target and the sister companies. As I thought, they have the same MX record and it routes through a email filtering company. The website is hosted at the same IP as the sister companies too and I really struggle to find the public IP Range that the network must be on. Oh well, there is more than one way to skin a cat.
Using a little Google-Foo to filter out the crap I see that there's quite a few pdf's on the site.
i then use wget to grab the pdf's so i can run them through strings to grab any useful metadata.
wget -r -l1 -nd -np -A.pdf -robots=off http://www.scanned4u.co.uk
I spend the next couple of hours scraping the metadata from published pdf's and the result is I have myself a nice list of names, usernames, email addresses and contact details.
Now I have a few valid email addresses I create an email with an account I happen to know, with a link to a picture on a rather obscure mail server I happen to "0wn", as soon as the picture gets either viewed in a email client which renders HTML or clicked on I should have one of the addresses from the public range.
Now I use Google Maps to check the site layout and I'm happy to see it's not like Fort Knox. I can see several places where staff can go outdoors that are publicly accessible. I bet there will be some sort of door entry system, oh well, theres always ways around that.
This is all very good for a days work but tomorrow I think that I try the more direct approach, like a good old fashioned telephone.
Tuesday
Call 1
"Hello Scanned4U, how can i help?"
"Hi, I'm trying to get to your website and I think there is a problem. Do you know if there is anything wrong it?"
"Oh, I'm not quite sure I'm quite new here. Hold on a second please.........I have a number for IT do you have a pen?".
"Sure, hang on a second...isn't IT support at your site?"
"No they are not based at this office"
"Oh right. OK I have a pen"
"The number is 01344 666777"
"That's great. Who am I speaking to?".
"I'm Karen"
"Thanks for your help Karen, Bye".
With that I hang up. So I now know that the new receptionist Karen is very helpful, aren't they all! I also know that IT Support isn't based at the targets site which is useful to know. Maybe I'll give them a ring. See if they can help me.
Call 2
"Hi, IT Support"
"Hi it's David from Weatherby, I rang about a printer problem last week"
"Hi David it's James, Do you have ticket reference?"
"Oh, I'm not at my desk at the moment"
"Okay, do you know who took your call?"
"I'm not sure, who have you got there?"
"it would have been Martin, Paul, Ian or myself as Geoff was on holiday"
"I think it was Ian, but to tell the truth I'm not to sure. Anyway I was just ringing to let you know it's fine now."
"That's great, thanks for letting us know"
"OK cheers James. Oh one last thing, when is one of your guys down here next? I have a bunch of cables that are no good to us and you guys might know what they are for"
"Next Monday morning as usual, I'll get Ian to pick them up from reception".
"Thats great. Bye"
Okay, now I'm getting somewhere. I have the names of the IT Support guys and the schedule for the site visits.
Wednesday
After having time to think about what I need to achieve I figure out that I need to get more of a feel for the place. I take a trip to town and get some printer brochures from a few local print shops, get a couple of business cards made on the card kiosk machine then I call back Scanned4U.
Call 3
"Hello Scanned4u, how can I help?"
"Hi it's Paul at PrintLine, I have someone making some drop offs in your area tomorrow would you mind if we dropped the new brochures in for Clare?"
"Clare in Marketing?"
"That's right"
"I'm sure that'll be fine"
"Great, thanks. Bye"
"Bye"
Brilliant, now I'll get to see the targets site first hand.
Thursday
So I'm dressed pretty casual like any normal delivery driver, with a good few days stubble and a baseball cap. I drive over to the target's office and looking like I'm lost I park as far away from the reception as possible. This gives me the chance to have a decent look around whilst just looking like someone who is lost. All the time I'm driving around I'm scanning for wireless network with my trusty iPhone. Unfortunately I see none.
I see a few smokers hanging around by a back entrance and I nip over to have a cigarette with them, just to be polite. After making brief polite conversation I ask where reception is and one of the girls swipes in through the entrance and takes me through the building to reception. I notice that there are only swipe card points on the outside doors, internally there don't seem to be any. Obviously once your in your classed as a good guy.
Whilst I'm moving throughout the building I'm making mental notes of the security of the place. I also pay close attention to the equipment in use, I see a xerox copier with a NTDS Ltd sticker on the side, the swipe card system has the same company name as on the alarms on outside of the building, ATT Ltd. When I get to reception I say hi and straight away start to sign into the visitor book as I ask reception to let Clare know Robert is here from ScanLine. I take every opportunity to discreetly look at any PC screens for operating system details and antivirus software in use. Thank god for system tray icons, that's all I can say. And I see that they are using XP, MS Office, VNC and AVG. All useful info and totally free.
By the time a confused Clare gets to reception I have myself a nice new visitor badge. I say hi to Clare and explain that I've been asked to drop the brochures off by my manager. As Clare thanks me and I start to sign out I ask if I could use the toilet. After I'm shown to the visitor toilet I take photo's of my visitor badge and make notes on my iPhone of all the details from the copier, alarms and also the toilet hygiene equipment too. Well you never know.
Before leaving the toilet I put the visitor badge in my pocket in the hope that out of site really does mean out of mind, which luckily it does, the receptionist forgets to ask me for it back.
Friday
So I have now got enough information about the target to feel comfortable enough to go in. After spending most of the day planning my next move, I have decided I am going to get a rouge access point/PC into the building and connect to it from outside the perimeter. Once I have my rogue AP in I'll attempt to connect out to a host via the Internet so I can perform the remainder of my assignment from the comfort of a nice warm house.
Part 2 - Creating My Evil AP
I'm banking on finding a live ethernet socket when I get in, so that I can connect to it and get an internal IP on the LAN. As IT Support do not work from this site I'm hoping that they have flood patched a few ports to reduce site visits.
First thing first, shopping!
I get down to the local superstore and pick up a nice shiny Hacktop (Acer Aspire One) for £250 and I set about prepping it to be my Evil AP.
First I wipe it clean with DBAN and load up a fresh copy of Linux. I get all my favorite tools loaded up, Nmap, Hping, Screen, John, Ettercap, TCPDump, Netcat etc.... oh and a few extras too, but I'll come back to those later.
Next I set about a little hardening. I password protect the BIOS and disable USB bootup. I then set a GRUB bootloader password and remove the rescue mode. I also disable any services that are not required such as Cups, Pulse and the Accessibility services.
I configure my SSH server on the AP to listen on a non-standard port, and only accept connection on the wireless interface. This will go some way to protecting the box from curious wardrivers. I also block any root logins and enter a line in the config file to allow only users of a specific group access to SSH, and that group only contains one very restricted account (bob). This way if someone was to bypass all the other measures they would have to guess the password to a single account which has access to nothing at all and then they would have to bruteforce another more privileged account such as root.
Maybe my paranoia is getting the better of me!
To cover as many eventualities as possible I also want to make sure I can get access to the GUI remotely so I enable shared desktop, which is a front end to VNC, this is moved to a non-standard port (5678) and locked down with ipfilter rules. i'll only be connecting through a SSH tunnel.
Next I configure the wireless network:
ifconfig wlan0 down iwconfig wlan0 mode ad-hoc essid "hpsetup" channel 2 enc on key 123123123
ifconfig wlan0 192.168.99.1 netmask 255.255.255.252 broadcast 192.168.99.3 up
I have configured the SSID to be the same as those annoying printer SSID's that you see in most offices, and even though I'll be using SSH to control the AP I've applied encryption (if you really want to call WEP encryption that is). I have also configured the network card with a 30 bit network mask, this will allow just the AP and the controller on the network which again raises the bar for anyone with ideas of owning my rogue AP!!!
Now I lock down all ports other than SSH on 7890 with a few Iptable rules, allowing just the controllers IP access.
iptables -I INPUT 1 -i wlan0 -p tcp --dport 7890 -s 192.168.99.2 -j ACCEPT
iptables -I INPUT 2 -i wlan0 -j DROP
iptables -I INPUT 3 -i eth0 -j DROP
iptables -L
I now set about configuring my controller laptop.
ifconfig wlan0 down iwconfig wlan0 mode ad-hoc essid "hpsetup" channel 2 enc on key 123123123
ifconfig wlan0 192.168.99.2 netmask 255.255.255.252 broadcast 192.168.99.3 up
route add -host 192.168.99.1 0.0.0.0 wlan0
Brilliant. I have the WiFi working, now I test SSH and the VNC SSH tunnel.
ssh -L 5678:localhost:5678 -p 7890 b0b@192.168.99.1
Then I point my remote desktop to localhost:5678
and bingo! I have my remote desktop working over a secure SSH tunnel.
Great, everything seems to be working well. Once I get my hacktop into the targets premises I'll issue the following command to get the wired interface a DHCP address.
dhclient eth0
Now I just have to work on the camouflage and concealment. Back in my army days I would have smothered it in cam cream and taped a bush to the screen, in an office environment I think a standard nondescript box will have to do!
Coming up .............A little grunt work does hurt anyone.
Part 3
Monday
Right, so same score as before but this time I'm going to give myself a bit of a backup plan, I'll ring first and tell them I'm coming (well sort of.) I'll also look different, glasses, smarter clothes, fake nose (just kidding!). Of course there is a risk that they'll recognise me but hopefully I'll be fine, last time I was about I kept a low profile, and most of the time people are not on the lookout for this sort of thing.
Now, i know from a previous call that Ian will be on-site today, my plan is to arrive after he has left. Before I arrive I'll call and lay the groundwork for a site visit. This will put the receptionist at ease and make her comfortable with me turning up. First I check when Ian is due back by calling his office.
Call 1
"Hello IT Support"
"Hi is Ian about?"
"Sorry he's on site all day but he'll be back first thing. Can I take a message?"
"Oh don't worry I'll give him a call tomorrow. Thanks"
And with that I hang up. Right, so I'll wait until the morning before going to site but I'll get there nice and early whilst people are coming and going. It's a bit easier to move around a building you don't know when there are plenty of people coming and going. Shoulder surfing's also allot easier at those times but I'm hoping not to need to do that as I should be able to get a pass. Any spare time i get I am brushing up on the target organisation. I'm still trawling the website, getting information on business relationships between Scanned4U and it's sister companies. I found out that my target is the smallest and newest company within a group of companies called IT4U. One of the other companies (BackUp4U) has been awarded some pretty high profile contracts backing up data for some large banks. Pretty interesting!
Tuesday
And it's D-Day, I get the show on the road with a few calls.
Call 2
"Good morning, Scanned4U, how can I help"
"Hi, it's James, is that Karen?"
"Yes it is"
"It's James from IT"
"Oh hi James"
"I have a guy stopping by to drop some stuff of for an upgrade that we have coming up, he's a new guy would you ask him to ring ,me when he gets there he's forgotten his phone and I need some info for the audit we have to do?"
"Sure, what's his name?"
"It's Brad Carter"
"No problem I'll let him know. is there anything else?"
Now here I have have her asking me if there is anything I want, how could I possibly pass this up?
"Oh there was one thing. Can I quickly get your PC detail for the audit to save Brad from interrupting you when he arrives?
Now it seems as though I'm doing her the favour, so of course she'll let me.
"Oh that would be great, what do you need to know?"
"It will only take a second, If I can I just check which PC you have, If you click on the Start Button, and then click Run. In the box type "cmd" and click OK"
"Right. I know have a black screen."
"That's fine. Just type "ipconfig /all"
"Oh, I have loads of gobbledygook"
"That's fine, what does it say next to IP Address?"
"192.168.1.61"
"and next to default gateway?"
"192.168.1.1"
"and next to DNS server"
"192.168.1.80"
"No that's not it. Whats the very top line? "
"Host Name. That says Reception"
"That's the one, great. can you press the up arrow key and put a greater than sign and C:\ip.txt on the end and press enter"
"nothing happened"
"OK, that's fine. Thanks for your help. you can close that screen now. Speak later."
"OK, bye"
We'll that was a 3 minutes well spent. aren't receptionists just so helpful, she has no idea how valuable the information she just gave me is. Now I have some great information about the network and I'm expected on site. I also know that the receptionist can write to the C:\ drive so she is probably a local admin on her PC. It looks as though I wont need the visitor pass that I previously acquired after all.
As I arrive at the targets site about 30 minutes later, a very helpful receptionist issues me with another visitor pass and tells me to call James. I call a friend who is expecting my call and the thread of the conversation goes along the line of me dropping the box off and checking a few serial numbers on printers. Karen points me in the right direction for the copier room and I waste no time in finding somewhere to plant my Evil AP.
Ideally I want a messy corner near the south side of the building so I can get to the AP from the car park. After a few minutes I find the perfect place, the obligatory dumping ground that most offices have. As long as I can find a live network point then I'll be a happy little hacker. An extra box wont draw any attention I'm sure.
I find a live point amongst the mess and I get wired up and I check my network settings.
dhclient eth0
ifconfig
I get an IP Address on the internal network straight away. I conceal the hacktop inside a plain box and shove it to the back of a few other boxes so it's well out of site. Ideally I want to compromise another host on the network and get a connection out as I may lose this AP if there is a powercut, or if someone discovers it or just moves it and I lose the network connection. I have a few ideas how to go about it but I need to tread carefully.
As I'm still in the office and no one is around I take a look about. Although I see no PC's at desks to play with I do have a scout around looking for notes stuck to desks and I do manage to find some scribbled stuff on a desk jot pad. I guess It's just some user that has made notes whilst they have been on the phone or something. I find a few letters laying around and I see they are all addressed to the same person, Tom Fitzy, so I'm guessing it's Tom who has been doing the scribbling. It's pretty amazing the things that people will write down on those big desktop blotter jot pads. I take a photo of the pad and move on.
Just before I leave I print off a few test pages and config pages from a couple of printers that I pass and fold them up and pocket them. After all, having a little more detail on the network devices doesn't hurt does it.
I decide I don't want to push my luck and leave. At the car park I check that I can see my Evil AP before I go get some well earned lunch.
Perfect.
I grab some lunch and get home. I'm keen to let Hackers On Site know that I have achieved my objective of getting a foothold on the LAN of Scanned4U.
Source : synjunkie.blogspot.com
