Social Engineering - Christopher Hadnagy [168]
“If you can, open your PDF reader, click the Help menu and About, and tell me the version number please.”
“One minute; it is 8.04.”
“Excellent; I don’t want to send you a version that you can’t use. Just one second while we are on the phone I am going to send this to you—okay, it’s sent.”
“Great, thanks. I hope I win; I really love that place.”
“I know; the food is good. Before I let you go, could you just check to see whether you got the e-mail and let me know if it is working?”
“Sure, I am logging out in about five minutes, but I can check. Yep, it is here.” When I heard the sound of double-clicking, I looked over on my BackTrack computer and saw my malicious payload collector, Meterpreter (see Chapter 7), reacting. I was holding my breath (because this part never gets boring) and bam, the shell appeared. My Meterpreter scripts changed the ownership to something like Explorer.exe.
Chuck then said, “Hmm, all I got is a blank screen. It’s not doing anything.”
“Really? That’s odd. Let me check here.” What I was really checking was that I had access to his drive and the ability to upload a reverse shell that would run on reboot in case he shut down. I said, “I am sorry, I don’t know what happened. Can you give me a minute or do you need to go?”
“Well I need to go empty this coffee mug, so I will put the phone down and be back in a minute.”
“Excellent, thanks.” That minute was all I needed to make sure I had unlimited and returning access to his computer. He came back.
“Back.”
“Well, Chuck, I’m really embarrassed but I don’t know what happened. I don’t want to hold you up, so why don’t you go and I will e-mail this to you when I make you another PDF. We can touch base Monday.”
“Okay, no problem. Have a great weekend.”
“You, too, Chuck.”
We parted ways and to my surprise and extreme joy his computer remained on and active. Yes, he kept everything in a secure drive that only he had access to, but in Word documents. I promptly downloaded those Word documents and within a few hours I had access to the servers and printed out all the internal processes he wanted to protect.
We did touch base on Monday morning, not as Tony the fund-raiser, but as his security consultants with printouts of his “secrets,” his passwords, and recordings of the phone calls that were made to him and his staff.
This first meeting after a successful attack is always filled with the client’s initial shock and claims that we used unfair tactics and personal weaknesses to gain access. When we explain that the bad guys will use the exact same tactics, the look of anger turns to fear, and that fear turns to understanding.
Applying the SE Framework to the Overconfident CEO Hack
As in the previous examples, applying the case to the social engineering framework and seeing what was good and what could have been improved upon can be beneficial.
As always, information gathering is the key to any social engineering effort, and this particular story shows it. Information gathering from many sources—the Web, Maltego, the phone, and more—is what made this attack successful. Insufficient information would have led to a miserable failure.
Proper and plentiful information makes all the difference, even information I never needed, like his church, and his parents’ and siblings’ names. These things were useful to have in case I needed them, but what proved to be invaluable was the information found about the e-mail naming convention and the files on the servers using Maltego. This was the pathway to getting my foot in the door of this company.
Keeping the information you find cataloged into BasKet or Dradis, as discussed in Chapter 2, and ready to use is also important; otherwise, you just have a text file with a jumble of information you can’t make use of. Organizing the information is just as important as gathering and using it.
Thinking like a bad guy—that is, looking for ways to exploit the weaknesses and desires of the target—isn’t a great part of the job, but if a professional auditor wants to protect clients, he will show them how vulnerable they are.