CompTIA Pentest+ PT0-002 – Section 8: Social Engineering and Physical Attacks Part 3

January 24, 2023

67. Baiting Victims (OBJ 3.6)

There are a lot of different ways to get a victim to infect their computer with malware for you or to give you access. All of these involve some kind of social engineering, but on a more technical level. For example, you might use a USB drop key, a watering hole attack, or typosquatting to be able to get somebody to infect their own machine or let you into the company network. Let’s take a look at each of these. First, we have a USB drop key. Now, a USB drop key is a more modern way of doing something that we’ve done all the time in the penetration testing world and on the attacker side. Now, although I’m talking about USB drop keys, you really could be talking about any kind of media. In the old days, we used to use CDs and DVDs. Before that, it was tape backups, and even old school floppy disks. These days, it’s most commonly going to be USB thumb drives or external hard drives. Now, I know what you’re thinking. “Jason, I am smart enough not to pick up some random USB drive off the ground and stick it into my computer at work.” Yeah, you are. But a lot of people are not.

And so this stuff happens every single day because human nature is to be nice or to be curious. And either of these can be used against you. For example, on the curiosity side, you might think, “What’s on this disk? Let me plug it into the computer and find out.” That now infects the computer, because there’s an autorun installed on that drive that will run in the background before you ever see anything happen, and therefore, you’ve now infected the computer. On the nice side of the equation, you might want to be helping somebody. For instance, I can use a sense of urgency to say I have this presentation in five minutes, I need you to print out this thing, and hand you my drive. And hopefully, you’re going to plug it in and print it out for me. Now, what you don’t know is that while you’re loading up that file, in the background, my device is already installing malware or a back door or a bind shell or a reverse shell, and now I’ve got access to your systems. All of this can happen in under a couple of seconds. So you really have to worry as a defender about these USB drop keys. But as a penetration tester, we use them all the time. One of the most common terms for this is called a rubber ducky.

A rubber ducky is a specialized device with its own firmware that is built into one of these USB drives. Now, these USB drives look like any other USB drive. Once somebody plugs it into the computer, the rubber ducky firmware allows it to run lots of different commands. Instantly, in less than a second or two, it’ll actually be able to get you root shells. It’ll be able to do keylogging. It’ll be able to dump data and all sorts of stuff right to that USB drive. Now, the second thing we want to talk about is a watering hole attack. And before we do that and talk about it in terms of cybersecurity and penetration tests, let’s talk about what a watering hole is in the real world. If you go to Africa, there’s a lot of desert there. And the animals, they need water. So they’re going to find a lake or an oasis, and all the animals will gather there and drink the water. And then they go off and do what they’re going to do all day. And at some point, they’re going to come back to the watering hole again because they need water. They need to drink. And they do this time and time again. So watering holes are simply a place that people, or in this case, animals, have to return to over and over again. Now, what does this have to do with businesses and computers? Well, it’s the exact same concept.
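The defender’s side of the rubber ducky problem is spotting it: a device that enumerates as a keyboard and types hundreds of keys in well under a second is not a person. The example below is added here and is not code from the course; the HID event-log shape, the device names and the rate threshold are assumptions, and the events themselves are constructed.

```python
"""Spot keystroke-injection devices ("rubber ducky" style) from HID event timing.

Added example for the USB drop key discussion above; this is not code from the
course. The event-log shape, device names and rate threshold are assumptions:
the idea is that a device typing hundreds of keys per second is not a person.
"""
from collections import defaultdict

# Constructed HID keystroke events: (device_id, timestamp_seconds, key).
# "kbd-A" is a person typing at roughly 6-7 keys per second.
HUMAN_EVENTS = [("kbd-A", i * 0.15, "a") for i in range(40)]
# "usb-B" enumerates as a keyboard and types 120 keys in about 0.6 seconds.
INJECTED_EVENTS = [("usb-B", 5.0 + i * 0.005, "x") for i in range(120)]
EVENTS = sorted(HUMAN_EVENTS + INJECTED_EVENTS, key=lambda e: e[1])


def peak_keys_per_window(timestamps, window=1.0):
    """Largest number of keystrokes that fall inside any span of `window` seconds."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        # Slide the window start forward until it spans at most `window` seconds.
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_injection(events, window=1.0, max_keys=40):
    """Return {device_id: peak_rate} for every device whose burst exceeds max_keys.

    Forty keys in one second is well above sustained human typing (assumed
    threshold), so anything over it is treated as scripted keystroke injection.
    """
    by_device = defaultdict(list)
    for device, ts, _key in events:
        by_device[device].append(ts)
    flagged = {}
    for device, stamps in by_device.items():
        peak = peak_keys_per_window(stamps, window)
        if peak > max_keys:
            flagged[device] = peak
    return flagged


if __name__ == "__main__":
    for device, peak in flag_injection(EVENTS).items():
        print(f"ALERT: {device} injected {peak} keystrokes within 1 second")
```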

There are a lot of routine habits that our employees have day in and day out. And as we’re looking at the target organization, we want to think about what the watering holes are that they use in their daily business. For example, every morning my wife gets up, she gets her cup of coffee, and she logs into Facebook and starts scrolling her feed. For her, that would be a watering hole. It’s something she goes to every single day, almost like clockwork. So if I was targeting Dion Training, I might want to create a watering hole that looked like Facebook to be able to trick Tamera into going there, because that would be a way into the company. Now, are there things like that inside your target organization or business? There probably are. Maybe there’s a supplier that that organization goes to every single day to check their invoices. If you think about this like an attacker, you can start to think about where those employees have to go every single day. In my company, there are several places that my employees go every single day. We go onto our learning platform every single day to see if students have questions. We go into our email programs. We go into Slack because we communicate with each other. We go into Asana because that’s where we do our project management.

And figuring these things out and tricking our users into going to something that looks like Slack or looks like Asana would be a form of a watering hole attack. Now, technically, when we talk about a watering hole attack, you actually would be attacking that website. So in the example of my company, if you wanted to attack Asana, you’d have to go and break into Asana’s website and put some malware there. That way, when we go to check our latest status and tasks inside of Asana, we would actually download the malware as well, because you have gotten yourself into that site. Now, for a penetration test, you’re not going to be allowed to do that, at least if it’s something outside of the company. But maybe that company has their own website that is part of the attack. And so if you can get access to the web server and put malware there on the internal web server that people are going to be accessing, you can then expand your access by being able to get the other employees to go to that site, get that malware, and let you into their systems, too. Now, in the real world, these watering hole attacks do happen all the time. And often, they’re part of a supply chain attack. As I said, if you can figure out what companies are being used by your target organization and it’s within the scope to attack their third-party vendors, you could use them as part of your watering hole attack. Now, the third thing we’re going to talk about is typosquatting, also known as URL hijacking. Now, when it comes to URL hijacking and typosquatting, often we’ll use this in combination with the concept of a watering hole attack. For example, if you know that a company goes to Dion Training every day to get their training needs met, well, you can do typosquatting to trick them into going to your site that you control instead of diontraining.com.

My website is diontraining.com. Now, you could also buy a website that is similar to it like diontrainings, with an S, .com. Now, notice I have one with a happy face and one with a sad face. Why is that? Well, the happy face is my official website, diontraining.com. There’s nothing wrong there. There’s no malware. It’s a good site. Everyone should be able to go there and get their training needs met. But the one on the bottom diontrainings, with an S, .com is one that I don’t own. That one could be bought by somebody doing a penetration test or an attack against my customers. And in that case, they would own that domain and that’s called typosquatting.

That’s because you might be able to get people to type in the extra S by accident, or if you’re doing something like email campaigns through phishing, spear phishing, whaling, and others, and you put something like diontrainings.com, it looks close enough that most people aren’t going to notice the difference. And so when they click on that link, they think they’re going to Dion Training, but they’re actually going to your site, which is now a watering hole that actually contains malware or other things, and they can go after our students that way. That’s just an example of how watering holes work. And they’re very effective around businesses. So maybe you don’t own facebook.com, but you might own facebooks.com, or you have something that’s spelled just a little bit off, like Yahooo with three O’s instead of two O’s. That’s the idea of typosquatting or URL hijacking.
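From the defender’s side, the look-alikes described above (an extra letter, a repeated letter, or the real name buried inside a longer host) can be caught before anyone clicks. The example below is added here and is not code from the course or from Dion Training; the trusted-domain list, the sample message and the edit-distance threshold are constructed for illustration, and the two-label domain shortcut stands in for a proper public-suffix lookup.

```python
"""Flag look-alike (typosquatted) domains in links before anyone clicks them.

Added example for the typosquatting discussion above; not code from the course
or from Dion Training. The trusted-domain list, sample e-mail and thresholds are
constructed for illustration; a real deployment would use the organisation's own
allow-list and a public-suffix library instead of the two-label shortcut below.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list of domains employees visit every day (the "watering holes").
TRUSTED_DOMAINS = ["diontraining.com", "facebook.com", "yahoo.com"]


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute or swap adjacent letters.

    One extra letter (diontrainings), a repeated letter (yahooo) or two swapped
    letters all score 1, which is exactly what a typosquat looks like.
    """
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev1 = prev1, cur
    return prev1[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: no multi-label suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_domain) for a URL.

    verdict is "trusted" (exact allow-listed domain), "lookalike" (a trusted
    name used as a subdomain, or within max_distance edits of one) or "unknown".
    """
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted", domain
    # diontraining.com.evil-example.test: the trusted name buried as a subdomain.
    for t in trusted:
        if t in host:
            return "lookalike", t
    name = domain.rsplit(".", 1)[0]
    best = None
    for t in trusted:
        d = edit_distance(name, t.rsplit(".", 1)[0])
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, t)
    if best:
        return "lookalike", best[1]
    return "unknown", domain


def suspicious_links(text: str):
    """Every URL in the text whose domain mimics a trusted one, paired with that domain."""
    urls = re.findall(r"https?://[^\s<>\"']+", text)
    return [(u, m) for u in urls for v, m in [classify_link(u)] if v == "lookalike"]


# Constructed phishing-style message with one legitimate link and two look-alikes.
SAMPLE_EMAIL = """Your course access expires today.
Renew at https://diontrainings.com/renew or log in via https://www.diontraining.com/login
Questions? See https://diontraining.com.evil-example.test/help
"""

if __name__ == "__main__":
    for url, mimics in suspicious_links(SAMPLE_EMAIL):
        print(f"look-alike link {url} (mimics {mimics})")
```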

68. Impersonation (OBJ 3.6)

Impersonation is another type of social engineering technique. And it’s one that’s really effective most of the time. Now, impersonation is the actor pretending to be someone or something else. If you’re conducting a physical penetration test, for example, you may try to pretend to be someone who you aren’t in order to gain access to a facility. If you’re conducting phishing, you may use pretexting to first get a general idea of the situation and then use impersonation to try and influence the person on the other end of the phone to take some kind of action that you want performed. If you’re sending a business email compromise based message to another employee, you are definitely conducting impersonation by pretending to be that executive whose email account you’ve broken into and taken over, and sent that message from. Now, as you see, there are lots of different ways to use impersonation during your engagements. One of my favorite methods, though, is to pretend to be a delivery person or a support technician when trying to gain access to an organization’s facilities during a penetration test. For example, if you have a UPS shirt on and are carrying a package or two in your hands, you would be amazed at how many people will simply open the door and let you walk right in. Or maybe you have a polo shirt with the local internet service provider’s logo on it and you’re carrying a tool bag with you. Again, people are going to open up the door for you, walk you right over to the telecommunications closet where the company’s main distribution frame is located, and then leave you there to do your work in peace.

By conducting impersonation in this manner, you could pretend to be somebody who has a reason to be let into that building or into a restricted area like a communications closet. Now, you might ask, where do you get shirts and uniforms like these? Well, it’s really not that difficult. Want to dress up and pretend like you work for Xfinity and you’re there to fix their internet? Or you want to walk in like you’re the friendly delivery man from UPS? Either way, you can, for the low price of 3,299, just head on over to eBay and search for UPS polo shirts, and it’s yours. Now, I wonder here, will the seller actually use UPS to ship it to you? I know inquiring minds want to know, but either way, you’re going to get your shirt. Seriously, eBay is now your best friend when it comes to getting uniforms from trusted companies that you can then use to conduct your impersonation during your engagements. As my guidance counselor once told me many years ago back in high school, dress for the job you want.

Well, if you’re dressed up as a delivery person, people are going to believe and assume that you’re a delivery person. And now you can walk right through the front door holding a box that needs to be delivered to Greg in accounting, and they might even walk you all the way over to the elevator and tell you how to get to Greg’s office. Personally, I love using the impersonation attack that involves a delivery person because it lets me carry an entire box with me inside without being questioned. Now, inside that box I can have all the hacking supplies I might need once I get inside. Things like my lock pick set, my wireless network sniffer, some rubber duckies, and a laptop or notebook with Kali Linux installed. Now, as a penetration tester, your goal is to use people’s inherent trust of a person in authority or people in uniform against them. And much of the time it’s going to work when you’re doing these impersonation attacks. Now, once you’re in the building, what else might you be able to do using your impersonation skills? Well, you could work on elicitation to gather more information or get people on the staff to take actions for you. So what is elicitation? Well, elicitation is the ability to draw out, bring forth, evoke, or induce information from a victim. Basically, this is a fancy way of saying you’re going to ask them a lot of questions and try to get them to give you some information or take some kind of action. Elicitation can occur face to face, such as during your physical assessments, or it can occur over chat, email, or phone calls if you’re conducting a remote assessment.

Most people, by their very nature, want to be helpful, and they’ll continue to answer questions without thinking about the information they may be handing over to an attacker. For example, if I ask one of the employees to show me where the copy machine is because I need to make a copy of the invoice before I leave, they’re likely not going to think twice about it. But while I’m at that copy machine, I can get them to enter their access code so they can make that copy for me. Or maybe I can print off a test page or enter the configuration menu to see the IP address of that machine. All of this gives me valuable information that I can use to determine the subnet being used by the printer or the internal IP address scheme used by that company. So remember, as part of your social engineering attacks, you can use impersonation and elicitation in combination with each other, as well as in combination with an in-person or remote attack, to get additional information or access during your engagements.

69. Physical Security (OBJ 3.6)

Physical security is really important to an organization’s network security. After all, if an attacker or a penetration tester can touch the organization’s networks, servers, or workstations, they can take control over those devices and do whatever they want with them. As penetration testers, we often think about all the different technical controls that are put in place to keep us out of the target network. Things like firewalls, intrusion detection systems, router ACLs, multi-factor authentication and passwords, encryption, and all sorts of other technical controls. But the truth is, the physical security of an organization is just as important in keeping attackers out of a given network. Now, physical security is usually broken down into three main areas: the perimeter, the building, and the room or data center itself. When I start thinking about the perimeter as a penetration tester, I’m considering what is in my way as I start approaching the building. Are there fences? Are there guards? Are there dogs? Are there cameras? Are there other sorts of vehicle access control points? All those things help keep the perimeter secure and can be used to detect our approach as we try to make our way to the building. Next, we have to consider the security of the building itself.

Are the front doors unlocked? Can I walk right in, or is it heavily controlled? For example, if I’m doing an assessment of a retail store that allows customers in and out all day long, it’s going to be pretty easy for me to walk right in and go undetected. But if I’m trying to go into an office building that has guards in the lobby, access control vestibules to control access to the hallways and elevators, and checks everybody’s ID badges before letting them through that lobby, then I’m going to have a much harder time getting in. Then we have to think about the security of the room where the equipment is located, whether that’s a communications closet, a data center, or another secure location. But even if I can’t get into the data center itself, that building probably has some offices. And that means there are places that people go to work on a daily basis on a given workstation. And those workstations can communicate over the local area network to the servers in the data center, avoiding a lot of the firewalls. Now, how is the organization keeping unauthorized people out of those offices and keeping them off of those workstations? When it comes to the server room, data center, or communications closet, what type of locks are going to be used to keep an attacker out? Are there any glass break sensors? How about a biometric or RFID-enabled lock on the door?

When everybody goes home at night, what kind of methods do they use to lock up the building or the offices? Is it a standard door lock, an electronic lock, or some other mechanism? These are all the kinds of things that we need to think about when it comes to conducting physical attacks against an organization’s physical security. Now, the first part of securing the organization is maintaining a good perimeter defense around the building. Now, based on the organization, they’re going to have different requirements based on what kind of work they do. For example, if you’re doing an assessment of a government or military facility, you might be dealing with an organization that has classified information. And if that’s the case, you’re going to see a big eight-foot tall chain-link fence with barbed wire at the top surrounding the building. You’ll also see that they have access control points that are guarded by soldiers with guns. There might be vehicle barricades, and there might be other things like that to keep people away from the building unless they’re actually authorized to be there.

Now this makes sense for the military or governmental organizations though, because they’re dealing with secret and top secret information, and they want to make sure nobody gets access to it that shouldn’t. Now most companies you’re going to conduct a penetration test against aren’t going to have that level of security. Instead they’re going to rely on surveillance cameras and closed-circuit TV. Now when I talk about closed-circuit TV, or CCTV as it’s called, these systems come in a lot of different types. This includes wired and wireless systems. Now a wired solution means the security camera is placed around the building and it’s going to be physically cabled from that camera all the way back to a central monitoring station. Wired cameras are considered to be more secure. So to defeat them, an attacker is usually going to have to do something to cover up the camera’s lens or simply cut the cable between the camera and the monitoring station. Alternatively, many companies use a wireless solution, because it’s going to be a lot easier to install, and avoids these wire cutting concerns.

But because they’re wireless, they’re now going to be subject to interference from other wireless systems and frequencies. So as a penetration tester or attacker, you can intentionally jam that signal by broadcasting a stronger signal on the same frequency, as long as the frequency being used is not one controlled by the FCC. Now, many of these wireless security systems operate in an unregulated zone called the 2.4 gigahertz wireless spectrum. And just like older 802.11 Wi-Fi, you can actually jam those signals pretty easily during an engagement. Now, these camera systems are also designed for either indoor or outdoor use. If the organization is using outdoor cameras to monitor their parking lot, for example, those are going to be designed to stand up to the elements like rain and snow and things like that. If the organization is using indoor cameras, though, those lenses aren’t designed to withstand large temperature fluctuations like an outdoor camera can. In this case, you can actually chill the lens and cause it to fog up by applying cold to the camera’s housing or lens, making it colder than the ambient environment. Another common feature of these cameras is known as PTZ, which is pan-tilt-zoom. As a penetration tester, you need to be able to tell if the camera is stationary or a PTZ camera as you’re planning your attack, because PTZ cameras can be moved by an operator, and this can greatly reduce the number of blind spots for you to hide in as you’re doing a physical penetration test. Now, you’ve probably seen these PTZ cameras in some action movies where there’s a security guard who’s able to control the camera by moving a joystick. They can look in different directions.

They can tilt the camera up or down, pan it left or right, or zoom in and out. That is a PTZ system. Now, more expensive systems can also support infrared scanning. This can produce an image based on relative heat levels in view of the camera. If you’re trying to break into a building or hiding in a dark room, an infrared camera can still detect you because of your body heat. And that body heat is going to be higher than the ambient temperature of the room. The final type of security system you may encounter is known as an ultrasonic system. Now, an ultrasonic system is going to use sound for detecting an attacker. If you ever watched the Mission: Impossible movies, there’s an ultrasonic system that was used there that would sit and listen to the room. If it heard a pin drop on the floor, for example, it could set off the alarm and alert the guards to arrest the attacker. Now, when it comes to security cameras, the most important thing to note is the placement being used. Most organizations do a pretty good job of placing cameras near the entrances and exits.

But once you get inside the building, there’s often a lot of spaces without any cameras at all. These are all areas that a penetration tester may hide during an engagement if they need to in order to avoid detection. For example, bathrooms are a very common area that never have any cameras installed in them for obvious reasons. Now as a physical penetration tester, it is your job to get past the perimeter defenses and get into the building. So if you’ve been successful in sneaking past the cameras in the parking lot, the guards in the lobby, and past the access control vestibules, you can now freely roam the halls and get into different areas that may contain valuable and confidential information. But the organization should also have another set of defenses to help slow you down or stop you depending on your skill level. Now what is that? Well, it’s locks of course. Locks are used on doors, cabinets and drawers to protect data and information that the employees don’t want you to access. You’re going to find that there are different kinds of locks used on different areas and different types of things that you’re securing, including the external doors, the internal doors, doors to the data center, doors to the communication closet, server racks and cabinets, filing cabinets, and even desk drawers. Now not all locks are created equal though. I’ve seen many people who try to use padlocks to keep a communications closet secure, because they know that the standard office door handle with the integrated lock is not secure enough. The sad thing is though that a padlock doesn’t really offer much protection either, because you can learn how to pick a basic padlock in under 60 seconds. So they’re not really that good in terms of security.

Now, many other door locks are pretty easy to break too, such as the ones that are installed by default in commercially-leased office buildings. These are often the same type of door handles and locks that you see between your garage and the interior of your home. Most trained penetration testers learn how to use lock-picking tools so that these doors become a minor inconvenience to them and they can get right through ’em pretty quickly. Door locks can use many different types of locking mechanisms, including physical keys, a PIN, a wireless signal like a Bluetooth or NFC signal, biometrics like a thumbprint, and other things to lock and unlock the door. As the organization increases the security of the lock, the cost for that also increases too. For this reason, you’re often going to see an inexpensive pin-and-tumbler-based system used with physical keys in most office door locks, while higher-end cipher locks are going to be reserved for offices that contain sensitive or classified information. A cipher lock is a type of lock that provides excellent protection using a mechanical locking mechanism with a series of numbered push buttons that require the person to enter them in the correct combination and sequence for that door to open. Often I see these used on server rooms, network closets, and other high security locations.

These locks are pretty difficult to pick, so the easiest method is to try and use social engineering to get another employee to unlock the door for you or to jam the locking mechanism whenever you see that door open and that way it won’t properly shut and latch when somebody leaves the room. These days electronic access systems are becoming more and more popular as well. These electronic access control systems can use an RFID reader to scan an employee’s badge and grant them access based on those credentials.

Some of these will actually be combined with a badge and a PIN to create multi-factor authentication as well. And this can also do logging and auditing of people entering or leaving a room. These are used on the main entrance to the building or going through the lobby by adding an access control vestibule in most large organizations. This requires all visitors and employees to pass through that access control vestibule in order to gain access to the offices in a building.

An access control vestibule is simply an area created between two doorways that holds people until they’re identified and authenticated. Sometimes these can be automated, like using an electronic badge and PIN system that I mentioned just a minute ago. But other times they’re simply going to be manned by a security guard who actually looks at the person’s ID badge to verify they are who they claim to be. The most common placement for these access control vestibules is actually at the entrance to the building. So as you enter into an office building, there may be an open lobby that anybody can access. Then there’s a set of turnstiles. Then you’ll have to scan your badge and input your PIN to be able to go past those turnstiles. That area between the front door and the turnstiles, that’s considered our access control vestibule in this scenario. Now, once you get past that turnstile, you’re in a secure area, because you’ve been authenticated and you can roam freely. To bypass an access control vestibule, you’re going to have to rely on tailgating, piggybacking, or badge cloning. This will allow you to gain access to the protected area on the other side of that access control vestibule. Now, the last type of lock you may encounter is one protected by biometrics.

Biometrics rely on physical characteristics to identify a person properly. This is most commonly done using their fingerprints, by scanning the retina inside their eye, or by measuring the distance between different parts of their face. If you think back to your Security+ days, you’re going to remember that there are five factors of authentication: something you know, something you have, something you are, something you do, and somewhere you are. When we talk about biometrics, we’re really focused on that third factor. Something you are, because this is something that is a part of the authenticated user, like their eye, their fingerprint, their voice, or their facial structure.

Whatever it is, that something is innately part of their body, and they always have it with them. For a long time, fingerprints were the de facto standard for most biometrically controlled access systems. Most smartphones and tablets, as well as many laptops, started to include fingerprint readers that could be used to authenticate a user for access to a given terminal. For example, if you ever had an iPhone in the 5s to 8 model range, that actually had a fingerprint login feature called Touch ID. Whenever the user pressed their index finger or thumb to the scanner, it would log them into their smartphone.

Now, modern iPhones have actually done away with Touch ID in favor of Face ID. So if you have an iPhone X or newer, then you’re going to have a front-facing camera that scans your face and measures the distance between different areas of your face to uniquely identify you. This allows the user to simply hold up their phone in front of their face and get automatically identified and logged in. These types of devices are now being integrated into door locks and physical access control systems too, like access control vestibules. For example, I once worked at a high security facility where I had to use a retina scanner to access my workspace every day. I’ve also worked in other places that used a fingerprint and a PIN that allowed you to get through the access control vestibule. Now, if you come across a biometric system, you can bypass it by focusing on the system’s ability to properly identify a user.

This comes down to the acceptance and rejection rates of that system. Now, the false acceptance rate, or FAR, is the rate at which the system authenticates a user as valid even though that person should not have been granted access to the system. For example, if you walked up to the fingerprint reader, placed your finger on it, and it accepted you because the system thought you were me, that would be considered a false acceptance. As a penetration tester, we love a high false acceptance rate, because it means their biometric scanners are not well tuned and we may be able to get past them pretty easily. The organization, though, ideally wants to get that false acceptance rate down to zero by increasing the sensitivity of those scanners and preventing an attacker from getting authenticated when they shouldn’t be. Now, on the other side of the spectrum, we have the false rejection rate, or FRR. Now, many organizations don’t think that a false rejection rate is really a problem, but it actually is just as big of a problem as a false acceptance rate being high. Let’s go back to our last example talking about the fingerprint scanner. If the organization increases the sensitivity of that fingerprint scanner to try and eliminate all of those false acceptances, that system can inadvertently increase its false rejection rate too.

Now, a false rejection occurs anytime the biometric system denies a user who should have been allowed access to the system. So let’s pretend you wanted to log in as me using a fingerprint scanner. Let’s assume during your first attempt, you were able to log in as me using your fingerprint. So that means we had a false acceptance. Now I increase the sensitivity up to its highest level. Now there are no more false acceptances occurring, but about half the time when I use my finger and try to log in, I’m being rejected, even though I’m an authorized user. This is the problem we have with false rejections. And it creates other problems for the organization too, because now if the system is failing to allow me to authenticate half of the time, that means half the time I can’t get on my computer and do my job.

Eventually the organization is going to become frustrated with that, and they’re going to decrease the sensitivity. And again, this makes it more vulnerable to attack. So what we have to do as a defender is try and find that sweet spot, trying to figure out where we can have not too many false acceptances and not too many false rejections. Now, as a system administrator, our job is to try to find the point where those two things are equal. This is known as the equal error rate, or EER. More commonly, though, you’ll hear this referred to as the CER, or crossover error rate. Now, if I graphed the acceptance and rejection rates, you’re going to see that the two lines cross. And at that point, that is the crossover error rate.

The crossover error rate is used as a measure of the effectiveness of a given biometric system. And so as you figure out what kind of system they’re using as part of your reconnaissance, you can then investigate what its crossover error rate is. Organizations don’t want to buy a system that has a huge error rate that goes high to one side or high to the other. Instead, they’re trying to find one that has a good crossover error rate to make sure that their people are getting authenticated when they should be and others who shouldn’t be are getting rejected. As a penetration tester, you should understand the concept of a crossover error rate if you have to make recommendations on how an organization can improve their biometric security systems after your engagement.
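To make the FAR, FRR and crossover error rate discussion concrete, the example below is added here and is not code from the course; it sweeps a matching threshold over constructed similarity scores for genuine and impostor attempts. The scores and the accept-above-threshold model are assumptions for illustration, chosen so that turning the sensitivity all the way up reproduces the “rejected about half the time” situation described above.

```python
"""Compute FAR, FRR and the crossover (equal) error rate of a biometric matcher.

Added example for the FAR/FRR/CER discussion above; not code from the course.
The match scores are constructed: a matcher compares a presented fingerprint to
the enrolled template and returns a similarity score, and the administrator
picks the threshold at or above which the user is accepted.
"""

# Constructed similarity scores (0..1) for 10 genuine attempts by the enrolled
# user and 10 impostor attempts by someone else placing their finger on the reader.
GENUINE = [0.95, 0.92, 0.90, 0.88, 0.85, 0.80, 0.75, 0.70, 0.64, 0.60]
IMPOSTOR = [0.70, 0.65, 0.60, 0.55, 0.50, 0.45, 0.40, 0.35, 0.30, 0.20]


def far_frr(genuine, impostor, threshold):
    """FAR = impostors accepted / impostor attempts; FRR = genuine users rejected / genuine attempts."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold; return (threshold, CER).

    The CER is where the FAR and FRR curves meet. When no threshold makes them
    exactly equal, the closest point is taken and the two rates are averaged.
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _gap, threshold, cer = best
    return threshold, cer


if __name__ == "__main__":
    # Low sensitivity lets impostors in; maximum sensitivity locks the real user out half the time.
    for t in (0.50, 0.65, 0.85):
        far, frr = far_frr(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    threshold, cer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {threshold:.2f}, CER {cer:.0%}")
```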
