
Real-life social engineering. Two days in tweets

Chris Pritchard 16 Sep 2019

This is the write-up of my live tweets while on a recent social engineering engagement. It’s all available on my feed @ghostie_

I did this because I wanted to share what it’s like to prep for, and work through a job, warts and all. If you can take anything away, to enhance your technique, or defend against it then it’s been worthwhile :)

Remember, I tweeted this on the fly, whilst conducting a real life, real time engagement. Because of that I’ve edited it a little for context, minor details and typos.

DAY ONE – Reconnaissance

10:12 AM · Sep 2, 2019 Going to (semi) live tweet physical recon that I’m doing today for an entry tomorrow.

I’ll reference some points from my DEF CON 27 talk.

I’ve already done some OSINT so I know the building and its layout. (PS this building is not my target)

The lie of the land

10:14 AM · Sep 2, 2019 I’m at the target site. First thing I notice, several other companies on different floors.

I’m going for a basic tailgate and will try to match dress style etc.

Several other companies in the same building makes matching dress style hard.

10:16 AM · Sep 2, 2019 Are the people I’m seeing from my target or a different company?

From what I’ve seen so far, there are two dress styles, very casual (jeans, t-shirt kinda casual) and very smart (full suits, ties etc).

Scoping out entry options

10:19 AM · Sep 2, 2019 I’ve made a note of the other company names [in the same building] and I’ll research that later.

Next challenge, there’s nowhere to hide. I’m across the street from the front entrance, pretending to be on my phone but there’s only so long I can get away with that.

10:23 AM · Sep 2, 2019 I’m seeing folks come out and heading to the same place outside to smoke.

That’s useful. I have my no nicotine vape with me. (BTW tailgating from the smoking spot is useful for a later in the morning/day entry. Probably won’t be an early morning rush)

Other things observed from the front:

  • Reception is dead centre in a large open space.
  • Employees are walking to the left to a set of doors, completely bypassing the person on reception.
  • And I’m not seeing any visible ID badges.

10:28 AM · Sep 2, 2019 Does look like there is access control on the doors though, just not a visible picture/company name ID badge. That’s pretty common in shared office blocks.

10:31 AM · Sep 2, 2019 Quick tip: Check the weather!
It’s [pouring] down with rain, but have my trusty North Face waterproof with me. Also, standing outside for long periods is cold! I’d checked temps before I left and have warm stuff on.

10:32 AM · Sep 2, 2019 I think the front entrance has given up most of the info for now, time for a full building walk around.
brb…

Weighing up those options

10:52 AM · Sep 2, 2019 OK, [target site] walk around complete.
Some observations: there was no one at them but two more smoking places around the back, noted because of discarded cig butts and chewing gum on the floor.

10:54 AM · Sep 2, 2019 Also, not appropriate for this engagement, but good to practice being observant.
Only 2 CCTV cameras, one at the car park entrance and one at the fire door entrance. Suggests there’s no dedicated physical security team, at least not on site at a guess.

10:59 AM · Sep 2, 2019 Another interesting challenge, the signage by reception doesn’t list my target company.
I’ve confirmed with the client contact that it is the right building. So I need a way to find the right floor without giving the game away or blowing my pretext.

11:01 AM · Sep 2, 2019 I’m going to take a risk and hope Reception is manned by someone different this afternoon than tomorrow morning, and go in and ask.

Risky but I’ll be in a different “outfit” tomorrow than I’m in today.

11:22 AM · Sep 2, 2019 Hold on folks, quick coffee break and warm up…

Nerves

11:59 AM · Sep 2, 2019 So a little bit of “the fear” is kicking in.

It’s self-doubt and questioning whether my approach will work.

I just have to remind myself that I’ve done this 100s of times, and nothing bad is going to happen.

12:03 PM · Sep 2, 2019 A big rush of folks coming out for lunch.

Still no visible badges.

Still no idea [which] company the smart vs the casual dressers work at.

Such a massive difference between dress styles, it’ll be difficult to do something in the middle without standing out.

Simplicity is the key (for me)

12:08 PM · Sep 2, 2019 I like to keep things (pretext, approach, challenge replies etc) really simple.
Simple is easy. Easy to remember, esp when under pressure. Easy to believe, both to me and anyone asking questions. And easy to understand why I might be somewhere I shouldn’t be.

12:11 PM · Sep 2, 2019 For me, complex is to be avoided. It’s so easy to trip yourself up trying to remember something complex. But also if it’s too complex for the target listener, then either you buffer overflow them and get zero useful info back or they go away and check.

Outfit choice

12:14 PM · Sep 2, 2019 I’ll double check this later but from memory, my social media OSINT showed very casual so I’ll take that risk.

Sheer luck sometimes helps

12:18 PM · Sep 2, 2019 Interesting, there are two doors into reception. Some staff are using the right hand door which has a swipe card reader.

Some are using the left hand door, which has no swipe card reader.

Both doors go into the same place in reception. Odd.

Use the lunch rush

12:32 PM · Sep 2, 2019 Another quick tip: when everyone comes out for lunch, try to time it so that you are walking against the flow i.e. walking into them.

This gives you a chance to spot badges (if any) and if I was doing badge cloning, perfect chance to capture some.

Plain and comfortable clothes

12:52 PM · Sep 2, 2019 Similar to the good coat, wear comfy shoes. I’ve walked miles so far and the recon day isn’t over. Lots more walking to do.

I’m also trying to be as plain as possible, no bright coloured clothing etc. I don’t want to stick out. I don’t want to be memorable.

Technical issues

1:44 PM · Sep 2, 2019 Sorry, another break. Need to make some changes to my dropbox. Mobile signal on my usual SIM is terrible.

Expect weird stuff like this and be prepared to be flexible and adapt.

Trialling the entry method

4:56 PM · Sep 2, 2019 My gamble paid off, went straight to the main/shared reception and asked what floor my target is on. Got nice clear directions and useful info about what I should expect once I get to that floor.

4:58 PM · Sep 2, 2019 The main reception had no interest in me once I said I was an employee of the target from another office.

Which is common.

And I know I can bypass that reception tomorrow without being challenged.

5:04 PM · Sep 2, 2019 Ok folks, that’s enough recon for today. Tomorrow is attempted entry. In summary, casual wear, no visible ID badge, no need to interact with reception and know what floor the target occupies.

I’ll be back tomorrow with a new thread but expect bigger gaps between posts….

DAY TWO – Entry

7:49 AM · Sep 3, 2019 Morning folks! Following on from yesterday’s thread of physical recon, today is entry day.

I’m going to (semi) live tweet trying to social engineer entry into the client’s offices. There will be delays depending on the situation so please bear with me……….

Here we go:

Practice your pretext

7:52 AM · Sep 3, 2019 I spent a good portion of last night practicing my pretext in the bathroom mirror (the room next to me must think I’m crazy)

I also carefully packed my laptop bag with the tools I might need (I’ll try to list those later)

And I tried my outfits to make sure I’m comfortable

Nerves, again

8:38 AM · Sep 3, 2019 Whilst I wait for an opportunity, let’s talk about nerves.

Nerves are natural. It’s what makes you a real, alive human being.

Right now I’m nervous. Like I want to be sick, sweaty arm pits nervous.

8:41 AM · Sep 3, 2019 My arm pits feel like a constant stream of water

8:42 AM · Sep 3, 2019 And my stomach is saying: don’t eat anything or I’ll make you puke

8:46 AM · Sep 3, 2019 But I’ve prepared for this. A coffee and a croissant are my comfort foods and I’ve planned my walk route to get one close to my target.

Also carrying a coffee cup on the way in makes it look like I belong there.

Building entry, with the help of props

9:04 AM · Sep 3, 2019 I’m in

9:12 AM · Sep 3, 2019 A coffee cup, that’s what got me in.

I’m at a hot desk with my laptop.

I’m going to sit here for a while, mostly to let the adrenaline rush die down.

But also to normalise my presence to those around me.

9:18 AM · Sep 3, 2019 I’m starting to calm down, arm pits are still waterfalls. Stupid deodorants, 48hr protection with active dry they promised

Technical issues, again

9:21 AM · Sep 3, 2019 First challenge, a technical problem with my laptop. VMware not playing ball with my usb devices.

No worries, let’s see if a reboot fixes it……

9:29 AM · Sep 3, 2019 Nope that didn’t fix it. Bugger.

I’ve planned for this too. I have the installer handy just for exactly this kind of issue.

9:46 AM · Sep 3, 2019 That didn’t fix it either. No worries, I’ll leave that till lunchtime.

So some things that were right from yesterday’s recon: very casual dress, some people are in shorts (must be local, it’s cold up north). No ID badge but there is a fob to open certain doors.

Environment summary

10:02 AM · Sep 3, 2019 Some other things of note, this appears to be very coder heavy. Most folks are headphones on and deep in writing code. Not quite what I expected but not a problem. Some “management” looking types about but not many.

10:22 AM · Sep 3, 2019 Someone is checking me out (not in that way). I think they are curious as to who I am.

They keep walking past, looking at me and checking what’s on my laptop screen.

I’m expecting a challenge soon.

Being challenged would be good right now

11:59 AM · Sep 3, 2019 Interesting, no challenge! I actually wanted it, they seemed important but curious so I was going to use it as an opportunity to human privilege escalate and get a new friend with power. But nothing.

Another floor to explore

12:02 PM · Sep 3, 2019 I have found another floor that belongs to the client though.

And what’s beautiful, there’s two swipe doors.

The right hand side is swiping really really slowly.

The left hand side is not working at all, like purposefully unlocked to stop folks getting annoyed.

12:03 PM · Sep 3, 2019 And the floor is a U shape.

So I can walk in the unlocked door, walk around and find myself at the locked door! (Which is push to exit, not that it matters).

12:46 PM · Sep 3, 2019 Lunch break! Important to take a break, both food and toilet breaks.

The game is up!

1:55 PM · Sep 3, 2019 Yes! Caught!

Will explain more in a mo…

3:31 PM · Sep 3, 2019 Ok so I moved areas. In the new area, found a free desk and confirmed with the person opposite that it was free.

Convo started well, had a little chat, nothing too heavy, just light chit chat.

Then the bombshell challenge came.

3:35 PM · Sep 3, 2019 It was just a subtle question.

One that I’d thought I’d answered well, based on their satisfied nod.

Until 3 other people came over 2 minutes later to question me further!

Proper busted.

3:37 PM · Sep 3, 2019 Credit where it’s due, the challenge was great, subtle, not aggressive and no clue that the game was up.

I made sure the questioner and his manager knew that they’d done a great job and that the challenge was spot on.

3:40 PM · Sep 3, 2019 There’s other stuff going on, and being tested, but from the physical entry side of things, this chapter is done.

Recommendations

As an industry we tend to use the word “challenge” when advising on how to deal with potential intruders. It’s the right word, but it implies conflict, and the idea of conflict can discourage your staff from acting.

Maybe “question” would be better. I suggest that if staff are unsure about a person they should simply ask them questions. They shouldn’t be confrontational, and the replies should be treated as correct, which makes it easier to ask more questions.

It’s best done in a friendly and assertive way. What tends to happen is that the potential intruder will feel comfortable and so will be less likely to move on or respond with a challenge. Obviously the answers will need verifying.

The more questions asked, the more likely it is that the intruder will make a mistake. If they do slip up, you don’t necessarily need to let on, but you do need to notify the right people in your organisation ASAP.