How I “Pwn” Your Network: A Chat with a Social Engineer and Facility Breach Expert
Kai Axford
<Insert lots of letters and stuff here>
**DISCLAIMER**
All demonstrations are examples of techniques currently used in social engineering and facility breach exercises, with express permission from the client, by trained professionals.
Do not try this at home.
“It’s increasingly harder to break in on the external perimeter, adaptation occurs towards our weakest link, the human element.”
- Dave Kennedy (ReL1K), Developer of the Social Engineering Toolkit (SET)
• Why would I fight your:
– Security Information Event Management (SIEM)
– Anti-Virus
– HIPS/NIPS/IPS/IDS
– Web Application Firewalls
– Secure Coding Practices
– Patch Management
• Why would I fight everything you’ve built into your entire security program… when I can just walk in and take your data?
We exploit the gap between:
– Corporate Security
– Information Security
(diagram labels: Network, Web Applications, Wireless, Facility, Users)
• Google-Fu + Bing-Fu => FTW!
– Facility layout and surroundings
– Job openings
– Telco providers
• Corporate website - Investor relations, corporate officers, contact info, etc.
• Social networking sites (LinkedIn, Facebook, Twitter, etc.)
Social Engineer’s Toolkit (SET)
• Is a toolkit “specifically designed to perform advanced attacks against the human element” that is built on top of the MSF.
– Developed by David Kennedy (ReL1K)
• Will conduct the following attacks:
– Spear-Phishing – Spoof or utilize already established email addresses to do spear-phishing attacks with file format attack vectors.
– Web Attacks – Multiple attack vectors including Java applet, client-side exploits, tabnabbing, man left in the middle, and the credential harvester.
– Infectious Media Generator – Creates a CD/DVD which allows you to deploy MSF payloads in a simple autorun.
– Arduino / Teensy USB HID Attack Vector – Multiple payload selection for the USB keyboard HID attacks.
– And so much more!
DEMO: BackTrack 5
Breaking In: For us, it’s all about style…
• Numerous ways to accomplish my goals:
– Technical and Non-Technical methods
– Point and Area Targets
• Point Targets – Targeting an individual
– This means YOU!
– Phone, email, social networking, face-to-face
• Area Targets – Targeting a site
– Tailgating, baiting, “Red Team” exercise, lockpicking, dumpster diving, etc.
Point Targets
Phone Domination
• Let’s have a listen…
DEMO: Spoof Card
• Social networking is my dream and your nightmare.
• TMI = Too Much Information about you and your company.
• Why do IT guys like to just “tell it all” on these sites?
Face to Face
• Sometimes this is actually easier for a social engineer.
– Easier to gauge reaction.
– Harder to dismiss someone in front of you.
• Relies completely on the skill of the social engineer
– Must react to the situation immediately
– Know when to push and when to retreat
Face to Face
• It’s not as easy as you think to avoid…
• Let’s take a look at what happens when you are successful…
Area Targets
• No lock is perfect
• Various types
– Pin Tumbler locks
– Wafer locks
– Cipher locks
– Code and card operated locks
– Padlocks
• Only a delaying mechanism
DEMO: Lock Picking
Tailgating
• A frequently used attack vector
• Why?
– It works and requires almost no skill
– (I bet you’ve used it before yourself!)
DEMO: The PwnPlug
Programmable HID USB Keystroke Dongle
• USB device that emulates a USB keyboard and drivers and will execute commands (e.g. install malware, reverse shell, shutdown A/V, etc.)
• Why do I use it?
– Types faster than I can, without errors
– Works even if autorun is disabled
– Draws less attention
– Can be set to go off on a timer…e.g. when my target is logged on
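The slide’s own selling point for the dongle, that it “types faster than I can, without errors”, is also the handle a defender has on it. The example below is added here and is not part of the talk or any product it names: a small keystroke-timing heuristic of the kind an endpoint agent can run on key-down events, flagging a burst whose inter-key gaps are far below human speed and almost perfectly regular. The thresholds, the burst-splitting rule and both sample keystroke streams are constructed assumptions for illustration.

```python
from statistics import mean, pstdev
import random

# Assumed thresholds for illustration only, not values from any vendor or paper.
HUMAN_MIN_GAP_MS = 40.0   # fast touch typists rarely sustain gaps under ~40 ms
MAX_JITTER_MS = 5.0       # injected keystrokes arrive with near-constant spacing
MIN_BURST_KEYS = 20       # ignore short bursts such as a pasted shortcut


def split_into_bursts(timestamps_ms, idle_ms=1000.0):
    """Group key-down timestamps into bursts separated by >= idle_ms of silence."""
    bursts, current = [], []
    for t in timestamps_ms:
        if current and t - current[-1] >= idle_ms:
            bursts.append(current)
            current = []
        current.append(t)
    if current:
        bursts.append(current)
    return bursts


def analyze_burst(timestamps_ms):
    """Return (suspicious, summary) for one burst of key-down timestamps.

    A burst is flagged when it is long enough to judge, its average gap is
    below what a human sustains, and the spacing shows almost no jitter.
    """
    if len(timestamps_ms) < MIN_BURST_KEYS:
        return False, {"keys": len(timestamps_ms), "reason": "burst too short"}
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    avg, jitter = mean(gaps), pstdev(gaps)
    suspicious = avg < HUMAN_MIN_GAP_MS and jitter < MAX_JITTER_MS
    return suspicious, {"keys": len(timestamps_ms),
                        "avg_gap_ms": round(avg, 2),
                        "jitter_ms": round(jitter, 2)}


def classify_stream(timestamps_ms):
    """Split a raw key-down stream into bursts and classify each one."""
    return [analyze_burst(b) for b in split_into_bursts(timestamps_ms)]


def constructed_human_typing(n=30, start=0.0):
    # Constructed sample: a person typing at roughly 120 ms per key with
    # natural jitter (every gap lands between 80 ms and 180 ms).
    rng = random.Random(1)
    ts, t = [], start
    for _ in range(n):
        ts.append(t)
        t += 120.0 + rng.uniform(-40.0, 60.0)
    return ts


def constructed_injected_typing(n=30, start=20000.0):
    # Constructed sample: a dongle emitting one key every 8 ms with no jitter.
    return [start + i * 8.0 for i in range(n)]


if __name__ == "__main__":
    stream = constructed_human_typing() + constructed_injected_typing()
    for suspicious, summary in classify_stream(stream):
        print("INJECTION?" if suspicious else "human    ", summary)
```

The heuristic is deliberately conservative: it needs a sustained burst, so a single pasted password or a chorded shortcut does not trip it, and a real agent would pair the timing signal with the device enumeration event (a new keyboard appearing moments before the burst) before taking action.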
**Important Safety Tip**
An individual information gathering technique or attack vector is rarely successful. It is the combination of these techniques that makes this a credible threat to your infrastructure.
Defeating the Social Engineer
We’ll make this real simple…
1. What I love to see and hear
2. What I hate to see and hear
What I LOVE to see and hear
• “You won’t get in… according to the audit committee… we’re compliant.”
• A contract security guard who is busy with non-security tasks
• “The Beige Plastic Gambit”
• Nice employees
• “The Cameraman of Security Theater”
What I HATE to see and hear
• A nosy workforce with regular security awareness training
• Rapid and effective incident response
• Patch management that patches
• Physical Security Information Management (PSIM)
• Visitor management
• Turnstiles & Anti-Passback devices
• Tech controls that work, but aren’t sexy
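Anti-passback is one of the “tech controls that work, but aren’t sexy” from this list, and it is worth seeing why it bites on tailgating. The example below is added here and is not part of the talk or of any access-control product: a minimal anti-passback state machine over a constructed badge log. Each credential is tracked as inside or outside; a second entry read with no exit in between, or an exit read from a badge that never entered, is refused and logged, because either the credential was shared or somebody passed a door without badging.

```python
from dataclasses import dataclass, field


@dataclass
class BadgeEvent:
    badge_id: str
    reader: str   # "IN" or "OUT" (constructed reader naming)
    ts: int       # seconds, constructed


@dataclass
class AntiPassback:
    inside: set = field(default_factory=set)
    violations: list = field(default_factory=list)

    def process(self, ev):
        """Return True if the read is granted, False if it violates anti-passback."""
        if ev.reader == "IN":
            if ev.badge_id in self.inside:
                # Already inside: the badge was shared, or the holder left
                # behind someone else without badging out.
                self.violations.append((ev.ts, ev.badge_id, "re-entry without exit"))
                return False
            self.inside.add(ev.badge_id)
            return True
        if ev.reader == "OUT":
            if ev.badge_id not in self.inside:
                # Never badged in: the holder entered by tailgating.
                self.violations.append((ev.ts, ev.badge_id, "exit without entry"))
                return False
            self.inside.discard(ev.badge_id)
            return True
        raise ValueError(f"unknown reader type {ev.reader!r}")


def run_log(events):
    """Replay a badge log; return per-event decisions and the violation list."""
    apb = AntiPassback()
    decisions = [apb.process(e) for e in events]
    return decisions, apb.violations


# Constructed sample log, not real reader data.
CONSTRUCTED_LOG = [
    BadgeEvent("B100", "IN", 800),    # normal entry
    BadgeEvent("B100", "OUT", 1200),  # normal exit
    BadgeEvent("B100", "IN", 1500),   # re-entry after a recorded exit: fine
    BadgeEvent("B200", "OUT", 1600),  # B200 never badged in: tailgated in earlier
    BadgeEvent("B100", "IN", 1700),   # B100 still inside: badge shared or tailgated out
]

if __name__ == "__main__":
    decisions, violations = run_log(CONSTRUCTED_LOG)
    for ev, ok in zip(CONSTRUCTED_LOG, decisions):
        print(ev.ts, ev.badge_id, ev.reader, "granted" if ok else "DENIED")
    for v in violations:
        print("violation:", v)
```

Note what this does and does not catch: a tailgater who never touches a reader is invisible to anti-passback on its own, which is why the slide pairs it with turnstiles. What anti-passback adds is that the credential of anyone who skipped a door becomes inconsistent at the next read, so the incident surfaces in the access log instead of never being noticed.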
Questions?
Kai Axford, MBA-IA, CPP, CISM, CISSP, QSA
Director of Strategic Services
FishNet Security
Twitter: @kaiax33
Resources
• Social-Engineer.org (http://www.social-engineer.org/)
• Social Engineering: The Art of Human Hacking. Hadnagy, Christopher. 2011. Wiley Publishing.
• PwnieExpress (http://pwnieexpress.com)
• Deviant Ollam’s Site (http://deviating.net/lockpicking/)
• BackTrack Linux.org (http://www.backtrack-linux.org/)
• Crenshaw, Adrian. “Programmable HID USB Keystroke Dongle: Using the Teensy as a pen testing device” IronGeek.com (http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle)