Social Engineering - Christopher Hadnagy [160]
Now I don’t know about you, but that seems like it would fail. It just about did:
“Who are you?” he was asked.
He had to think quickly and responded, “This is Al. I was calling 503-555-5753.”
All he did was give a random number with the same area code and base number, making up the last four digits. Then he just shut up. The officer made some assumptions:
He was internal and already had the number for a non-public area (Teletype).
He had almost all of the number for the DMV.
With those two facts firmly in the officer’s mind, he assumed that Eric was allowed in and gave him the number. Eric wanted more than one number, though; he wanted as many as he could get his hands on.
Accomplishing this goal would require an even deeper hack—a multi-level, multi-faceted attack with many different avenues. It would be of epic proportion.
Gaining Access to the State’s Phone System
Eric called the number he was given to get into the DMV. He told the DMV representative he was from Nortel and needed to speak to a technician because he worked with the DMS-100, a much-used switch.
When he was on the line with the technician he claimed to be with the Texas Nortel Technical Assistance center and explained he was updating all switches. It would be done remotely and the technician wouldn’t need to do anything except provide the dial-in number to the switch so Eric could perform the updates directly from the Technical Assistance center.
This story sounded completely believable, so the technician complied, giving Eric all the info he requested. Armed with this information he could now dial directly into one of the state’s telephone switches.
Getting a Password
The next hurdle was one that could have stopped this whole hack dead in its tracks—getting passwords. The Nortel switches that the DMV used were password protected. From past experience in using Nortel switches, Eric knew that Nortel uses a default user account, NTAS. Eric then dialed in several times, trying the standard passwords he had encountered:
NTAS—fail
Account name—fail
Helper—fail
Patch—fail
Update—SUCCESS
Wow, really? The password was update. He now had full control over the switch and all lines connected to it. He queried the telephone lines that were his target. He quickly found out that 19 phone lines went to the same department.
After checking some of the internal setup of the switch he found out that the switch was programmed to hunt through the 19 lines until it found one that was not busy. He picked line 18 and entered the standard forwarding code that added a call forwarding command to that phone line.
Eric bought a cheap, pre-paid cell phone that could be disposed of easily. He entered that number as the number to forward to when line 18 was rung. Basically, as soon as the DMV got busy enough to have people on 17 lines, the 18th call would not ring to the DMV, but to Eric’s cell phone.
It wasn’t too long until that started happening. Around 8:00 a.m. the next morning the cell phone started to ring. Each time, it was a police officer looking for information on a person of interest. He would field calls from police at his house, at lunch, in the car—no matter where he was he pretended to be the DMV representative.
What personally gave me a good laugh was how the calls are reported as going:
The cell phone would ring and Eric would say, “DMV, may I help you?”
“This is Detective Andrew Cole.”
“Hi Detective, what can I do for you today?”
“I need a Soundex on driver’s license 005602789.”
“Sure, let me bring up the record.” While he simulated working on a computer he asked a couple questions: “Detective Cole, what is your agency?”
“Jefferson County.”
Eric would then launch into the following questions: “What is your requestor code?” “What is your driver’s license number?” “What is your date of birth?”
As the officer would give all his personal information, Eric would pretend to be verifying it all. Then he would feign confirmation and ask what details he needed on his call. He would pretend to look up the name and other information