Online Book Reader


Social Engineering - Christopher Hadnagy [174]

next. The next morning, armed with the contract for the IT services in hand and knowing the type of work that was to be performed, he placed a call to the contract point of contact during the lunch hour and prayed the contact was out to lunch.

“Hello, is Sebastian available?”

“No, he is out to lunch. Can I help you?”

“This is Paul from XYZ Tech. I wanted to confirm that our team will be coming to start the project tomorrow evening.”

“Yes, just remember we can’t have any interruption of service so please do not get here any earlier than 5:30 p.m.”

“Yes sir, you got it. See you tomorrow.”

The next day Tim knew that he couldn’t arrive with the rest of the “team.” But if he timed it right he would not be caught by the IT company or the target. Sitting across the dark parking lot he watched the IT contract company arrive. After a good 30 minutes he approached the front door and explained how he just ran out to get some paperwork from his car. He got buzzed in and now had free rein of the office.

He needed to do some reconnaissance, and he figured the best way was to approach the IT company as one of the internal employees. He walked around until he heard some talking and found one of the guys in a shirt identifying him as one of the IT team.

Armed with the names of the upper-level management from the USB key files and from the points of contact from the contract, he began, “Hi there, I’m Paul and I work Mr. Shivaz [the CFO]—did someone explain to you about the prod23 production server?” Tim had the server name from his information gathering; Tim knew that was the server he was attacking.

“Yes, we know that server is off-limits in this work. The CFO explained to us the encryption and how we are not to mess with that server. No worries.”

After a few more minutes of conversing, Tim had discovered some valuable pieces of information:

The IT team is not to touch the server.

The server has full disk encryption.

The techs were “bragged” to by the in-house IT guy about how the target company uses a keyfile on a USB key that only the admins carry.

Tim knew this last point would make his task harder, and because the admins were not in, he would not be able to access the server now. In addition, the physical security around this server was very intense and may have been too hardened to take the risk. He did know that the admins would have access to this server so he thought maybe he would try that avenue.

He visited the first office of the admin, but it was locked. He checked the second office, then the third. The third one was shut but had not been closed all the way and it merely opened when he pushed a little. He was in.

By shutting the blinds and leaving the lights off, he felt he would be protected a bit from the potential of being caught. In his social engineer kit he carried a wide variety of tools and clothing. One of the tools he always had with him on these types of gigs was a USB key that was loaded with a bootable Linux distribution such as BackTrack. In the BackTrack install is a preloaded version of VirtualBox, a free open source virtual machine tool.

He loaded the admin’s computer, using a rear USB port, into BackTrack. After he was in BackTrack, he connected to his own servers via SSH, set up a listener, then connected back to it using a reverse shell he initiated from the admin machine. Then he started a keysniffer (to log all keystrokes typed on the computer) in BackTrack and set up the log file to be dumped through the SSH connection to his computer.

Then he did something truly pernicious. He opened VirtualBox and created a Windows virtual machine (VM), using the local hard drive as the physical media to boot from, and loaded the VM. Automatically, it loaded the admin’s user profile and OS. At the login screen he loaded the VM to be in full screen mode, hid all bars, and made the existing hot key to exit VirtualBox some ridiculously long combo. This protects the user from mistakenly hitting that combo and revealing they are hacked.

A risk still existed that he could be caught at any moment using
