Seven Deadliest USB Attacks, part 9

Mitigating Measures 171

Drive Mapping

Environments with this ability enabled allow users to transfer any data from client to server or vice versa. This opens the door for leakage scenarios and also provides the ability to upload malicious code unknowingly or intentionally. Windows Terminal Service is able to prevent local drive mapping on the target sessions. These settings can be adjusted by toggling the following GPO item:

• Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection

Citrix, BlueCoat RA, and Sun SGD are all able to modify this behavior. Due to resource testing limitations and version variance, we will only include Windows-related corrective actions where applicable.

Disabling Clipboard Pasting

The copy and paste feature within Windows can be very useful, but it is also another vulnerable area. Administrators rely heavily on this feature to perform basic daily functions, so its removal will not come without a cost. Disabling this has the potential to decrease administrative efficiency, increase outage times, and limit troubleshooting, which could be financially devastating depending on the circumstances involved. Administrators often make use of this feature to copy database query results, logs for vendor troubleshooting, or any number of normal tasks often considered mundane. A Windows Group Policy option is available for disabling clipboard redirection in Terminal Services. The location is provided below should you feel the need to exercise this option:

• Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection\Do not allow clipboard redirection

Disabling this entirely on the host system can be more difficult. There are a few third-party resources that provide free utilities that can govern this function. Prevent is a freeware application that will allow you to selectively customize the clipboard features.[X] Citrix, BlueCoat RA, and Sun SGD can also restrict this behavior.
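The two GPO items above (drive redirection and clipboard redirection) are stored as DWORD values under the Terminal Services policy key, so their state can be audited without opening the Group Policy editor. The PowerShell script below is an added example, not code from the book: it reports whether each redirection path is blocked and, with -Enforce, sets both. The policy key path and the value names fDisableCdm and fDisableClip are assumptions drawn from how these policies are stored in the registry, not from the page.

```powershell
# Added example: audit (and optionally enforce) the Terminal Services
# redirection policies discussed above. Assumption: "Do not allow drive
# redirection" and "Do not allow Clipboard redirection" are stored as the
# DWORDs fDisableCdm / fDisableClip under the policy key below, where a
# value of 1 means the redirection is blocked. Run from an elevated prompt.
param(
    [switch]$Enforce   # set both values to 1 instead of only reporting
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Checks = @(
    @{ Name = 'fDisableCdm';  Describes = 'client drive mapping (file transfer in/out of session)' },
    @{ Name = 'fDisableClip'; Describes = 'clipboard redirection (copy/paste in/out of session)' }
)

function Get-RedirectionPolicyState {
    # Returns one object per policy value with its current state.
    foreach ($c in $Checks) {
        $value = $null
        if (Test-Path $PolicyKey) {
            $value = (Get-ItemProperty -Path $PolicyKey -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Policy   = $c.Name
            Controls = $c.Describes
            Value    = $value
            Blocked  = ($value -eq 1)
        }
    }
}

function Set-RedirectionBlocked {
    # Creates the policy key if needed and sets every checked value to 1.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($c in $Checks) {
        New-ItemProperty -Path $PolicyKey -Name $c.Name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

if ($Enforce) {
    Set-RedirectionBlocked
}

$state = Get-RedirectionPolicyState
$state | Format-Table -AutoSize

# A non-zero exit code lets the script serve as a compliance check in a
# scheduled task or configuration-management run.
if ($state | Where-Object { -not $_.Blocked }) {
    Write-Warning 'At least one redirection path is still open by policy.'
    exit 1
}
exit 0
```

Values written directly to the policy key apply to new sessions only and are overwritten when domain Group Policy refreshes, so on a domain member the authoritative fix is the GPO item itself; the script is for verifying the result.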

Disabling Screen Printing

This vulnerability stems from the host operating system’s ability to take screenshots of the session information on the desktop. This approach to data theft is cumbersome and labor-intensive, but it does pose a potential liability. This issue is difficult to address because it is also beneficial, especially when troubleshooting systemic issues. Windows, Citrix, and Sun SGD do not provide mechanisms to prevent this, although BlueCoat RA does.[Y]

[X] www.softpedia.com/get/System/System-Miscellaneous/Prevent.shtml

[Y] www.bluecoat.com/doc/529

Chapter 6 Pod Slurping

A workaround is available to disable the screen-print function entirely on Windows systems, but this risk still persists. Phones and other hand-held devices now include onboard cameras that can be used to capture static or motion shots from any screen in range. This factor should be considered when deciding the necessary restrictions to impose on an environment. If you decide disabling of the screen-print feature is required, the below option is available on Windows 2000 and XP systems.

1. Open the Registry Editor by going to Start, Run, then type regedit in the Run box.

2. Locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout

3. Create a new binary value named ScanCode Map.

4. Set the ScanCode Map to the following value:

Hijacking an iPhone

While jailbreaking your iPhone can provide you with enhanced features and applications, it can also open up additional vulnerabilities. A recent example of this comes from a Dutch cracker who took the freed phones hostage, demanding ransom for release.[Z] He deployed a port-scanning technique to identify those who had broken out of jail and then sent them the SMS message depicted in Figure 6.15. Users were directed to a Web site and forced to pay for the corrective actions.

The Dutch cracker converted to a hacker with a sudden change of heart and decided to release the mitigating procedures on the Web site for free.[AA] This attack exploited the default passwords in the OpenSSH client that is commonly installed after breaking from jail. Both the mobile and the root accounts are set with the default password of alpine. Disabling or uninstalling the client is the easiest prevention technique that can be implemented. If OpenSSH is needed, these passwords can be changed to prevent this type of incident from occurring. The following procedures outline the necessary steps to accomplish this. These steps assume you have a jailbroken iPhone with Cydia and OpenSSH installed.

Figure 6.15 Jailbroken iPhone Extortion Message

[Z] www.wired.com/gadgetlab/2009/11/iphone-hacker/

[AA] http://mr09.fileave.com/

1. In your iPhone, locate the Cydia application and use the search feature to find MobileTerminal, as seen in Figure 6.16.

2. Once found, install the MobileTerminal on the iPhone and then reboot your iPhone.

3. After the iPhone initializes from reset, locate and open the MobileTerminal application.

4. Type the command passwd, as shown in Figure 6.17.

5. Enter the existing password, which should still be set to the default of alpine, then press Return.

6. Enter the new password when prompted and then press Return. Enter the word again for confirmation, and then press Return again. Your mobile account password has just been changed.

7. Now type login at the prompt and press Return. Type root at the prompt and press Return again.

8. Repeat the procedures outlined in steps 4 through 6, and your OpenSSH root account password will also be changed.

Figure 6.16 Cydia Search Results for MobileTerminal

You have now changed the root and mobile default account passwords for OpenSSH. Take heed when installing programs and perform due diligence when electing to download any other applications onto your iPhone, jailbroken or not.

Summary

From a corporate standpoint, expulsion of these devices entirely could contradict the outcome it is intended to provide. Mobile phones and other memory-based gadgets are entrenched as an essential part of the enterprise and our daily lives. A sudden policy change enforcing their banishment could decrease morale, spike interest, or even lead to disgruntled behaviors.

The lines between what can be beneficial or detrimental are twisting together more than ever. It is becoming increasingly difficult to determine which of the latest improvised illusions actually pose a true hazard. Adaptations of these attacks are evolving with increasing velocity, and the best thing we can do is constantly strive for enhanced awareness.

Figure 6.17 Cydia Search Results for MobileTerminal

Social Engineering and USB Come together for a

The art form known as social engineering is often used to manipulate individuals or social groups through the use of conversation, digital coercion, or other deceptive techniques. These tactics are commonly employed to persuade people to perform actions or divulge information they would not under normal circumstances. Some define this as a pure intelligence-gathering mechanism, although the meaning is vast and has minimal boundaries. Just as governments use social engineering to shape and manage fundamental aspects of our society, criminals and security professionals employ a similar strategy.

In this chapter, we will explore the body of knowledge commonly known as social engineering twisted into a penetration-testing perspective. We will gaze into these evolving fields, provide practical examples, build a portable penetration platform, and discuss how to combat these clever confrontations. While social engineering and penetration philosophies have been around for several millennia, each is continually evolving and adapting to the information technology scene.

Social engineering can generally be considered a subject under the broader spectrum of social sciences. While the social sciences definition typically refers to large-scale applications, the concept of influencing attitudes, popular beliefs, behaviors, and resources ports quite nicely into the technological sector.

Brain Games

An examination of your own actions in everyday situations will present a number of social engineering circumstances. Everyone engages in these activities during daily interactions both at work and in our personal lives. These can range from the temper tantrums toddlers deploy for that needless toy to spousal affirmations commonly used to keep oneself free from an undesirable dilemma. Job interviews, promotional boards, and even common customer interactions can all be viewed as forms of social engineering.

Large-scale executions of social engineering endeavors can be found around the world. The city of Las Vegas is a prime example of an entire location teeming with these tantalizing tactics. Everything from the glamorous performances, delectable foods, and complimentary beverages to each building’s architectural design and decor are all meant to influence or manipulate men, women, and children. While these are a far cry from the common Jedi mind tricks, they still speak to the broader definition of the term and illustrate the exploitation of our psychological nakedness.

Perhaps the most infamous social engineer known among the hacking and law-enforcement communities is Kevin Mitnick. Considered a master of phone phreaking, Kevin thrived in an underground culture and got his start by exploiting bus punch-card systems for free rides. Phone phreakers are regarded as technology enthusiasts who dedicate an enormous amount of time to learning, testing, and exploiting telephone networks. While much of their work involved technical expertise, a large majority of what they did included manipulating phone company employees, support personnel, and end users to achieve a desired outcome. This gravitated toward more lucrative tricks that ultimately resulted in incarceration and stiff penalties.

If you have an e-mail account, then you are likely eligible to receive millions of dollars from an overpaid procurement contract involving the Nigerian government.[A] Or maybe you have been contacted regarding qualification for lottery tickets or unpaid winnings in a foreign country. If you have not received an e-mail from them yet, then your antispam product is likely doing its job. Scam artists have used these and other ploys for years by way of telephone, physical mail, and e-mail, and have even evolved to SMS texting on mobile phones. All of these are forms of social manipulation called phishing, which have plagued corresponding technological communication mechanisms as they are embraced by our societies.

A report issued by Kelly Higgins of Dark Reading in 2006 discussed a security engagement conducted by Joshua Perrymon that involved USB drives.[1] A Credit Union client hired their firm and specifically requested strong focus on social engineering aspects. The client was also concerned with USB flash drives both from a data theft and malicious code injection perspective. Taking these requirements into consideration, they devised a USB drive with a specially crafted Trojan. The Trojan was designed to grab sensitive information from a target system and send it to a remote location. The drives were then scattered around the parking lot and break areas before the employees arrived for work. Success was obtained almost instantly, and a few days later, 15 of the 20 drives had been inserted into Credit Union systems. The data gathered aided additional testing efforts and proved to provide an enormous amount of valuable data.

[A] www.scamdex.com/419-index.php

In 2009, a Siemens security consultant was hired by a financial services company to employ a social engineering exercise at one of their locations. The consultant was able to effortlessly obtain access to the facilities several times unchallenged by the security staff, with whom he eventually established communication on a first-name basis. Once this level of presence was established, he was also able to escort additional consultants into the building to aid in gathering information about the client. He was not only able to access desk-side material, cabinets, and other general items but also able to acquire access to the data center floor. Using a phone from a meeting room, he called various employees claiming to be IT support and was able to attain usernames and passwords from a majority of the individuals. Employees are much more trusting when a call is received from an internal location. In the article, published by SC Magazine in the United Kingdom,[B] the consultant, Collin Greenlees, made the following statement:

The scary thing is that it’s all simple stuff. It’s just confidence, looking the part and basic trickery such as ‘tailgating’ people through swipe card operated doors or, if you’re really going for it, carrying two cups of coffee and waiting for people to hold doors open for you.[2]

Hacking the Wetware

All of the attacks in this book can be applied in a social engineering fashion. In fact, USB Hacksaw, USB Switchblade, USB-Based Virus/Malicious Code Launch, and Pod Slurping will work much more effectively by including an enticing icon or suggestive content. Placement of alluring labels like staff reductions, employee salaries, or even personal items such as Vegas photos will provide temptations many will find irresistible. If autorun is disabled, this may be the only means by which a payload can be distributed. USB Device Overflow, RAM dump, and the attack outlined in this chapter can all be deployed using a socially engineered diversion to remove the individual from the location. Our minds work in very predictable and trusting patterns, and this is precisely what criminals intend to use for an advantage.

Reverse Social Engineering

Reverse social engineering is another technique used to mislead people. In these types of attacks, the perpetrator causes a problem on the objective’s system or environment. The attacker will then impersonate a technical staff member and rush to the aid of the victim. Individuals in desperate need are less likely to interrogate a helping hand. Once the mission is accomplished, the attacker would return the systems to working order. In these scenarios, the supposed support person gains the confidence and trust of those they allegedly helped.

[B] www.scmagazineuk.com/

Penetration of a Vulnerable Kind

Penetration testing is a growing trend in the technology industry and has seen a rapid evolution over the last decade. Social engineering is gradually becoming a necessary evil in these testing processes. Some debate whether social engineering should be a part of penetration testing or if the results of the testing should be used to feed separate efforts.[C] Others indicate it should be excluded altogether because it will succeed. The level of success is high, and this is precisely why the social aspect needs constant attention. While penetration testing is a measurable activity, social engineering remains an art form and can significantly differ from subject to tester.

Penetration testing is a method of evaluating and analyzing the security of a system, network, and related dependencies. Vulnerabilities, technical flaws, and innate weaknesses are the primary objectives of this process. If properly planned and accurately executed, this can be a tremendously beneficial tool in ascertaining the security posture of an environment and organization. Penetration testing can be broken down into two distinct types: internal and external. These two types have three different variations commonly referred to as black-, white-, and gray-box testing.

In black-box testing, the penetrator is not provided with any information related to the organization or environment, similar to how a real attacker might approach the situation. Information is provided in white-box testing scenarios, and they usually specify areas of interest that can be in desperate need of an audit. With the gray-box types, the testers are given some knowledge of the environment to speed up the process. There can be a number of reasons for this application, although cost is usually a driving factor.

Penetration testing can be isolated into three separate phases consisting of preattack, attack, and postattack activities. In the preattack phase, testers usually perform their initial information gathering in a passive manner. This involves techniques such as dumpster diving, Internet queries (Edgars,[D] user/news groups, social networking, and so forth), and even social engineering to some degree. Active reconnaissance is also used, which involves mapping of relative online targets, Internet profiling, fingerprinting, port scans, and receptionist cold calls for respective discoveries. Valuable information can be obtained by parsing additional Web resources like dnsreports.com, whois.domaintools.com, netcraft.com, my.ip-plus.net/tools/index en.mpl, and many others.

The attack phase can vary depending on the customer requirements, service level agreements, and scope of work defined. From an external perspective, these activities include but are not limited to error checking, packet crafting, filter validation, scanning techniques, and network/account DoS testing. Target acquisition, privilege escalation, access proliferation, and privilege preservation are common concepts employed at this level. In the next section, we will dive deeper into these tools and techniques.

[C] http://www.darknet.org.uk/2006/03/should-social-engineering-a-part-of-penetration-testing/

[D] www.sec.gov/edgar.shtml

After the attack is complete, thorough descriptions of actions, observations, and vulnerabilities must be built in both a technical and a nontechnical style. During this postattack stage, it is crucial that restoration of the exploitations be returned to a preattack state. The documentation must also include corrective actions but should not exceed the boundaries defined in the rules set forth prior to the engagement. Regulatory definitions and their relations to the relevant elements of the testing results should also be included.

Penetration testing is laced with risks that need to be understood by an engaging organization and the employees. Severe damage can be incurred when any type of testing is performed on production systems, especially of the penetration kind. Companies seeking qualified third-party penetration testing should ensure these providers are properly accredited and insured. Some of the relative industry certifications include Open-Source Security Testing Methodology (OSSTMM), OSSTMM Professional Security Tester (OPST), Certified Ethical Hacker (CEH), and Global Information Assurance Certification (GIAC) Certified Incident Handler (GCIH). Additional risks and mitigation considerations will be outlined in the “Elevated Hazards” section later in the chapter.

There is considerable confusion and controversy surrounding this sector, and much of this can be attributed to the rapid evolution and large corporations seeking to avoid regulatory penalties. One company’s vulnerability audit might be another’s penetration test, while others may combine both approaches into a complete security assessment. Clear differences can be seen in penetration testing, as this involves more intrusive actions to actively perform a series of exploitations. Penetration testing does not usually evaluate policies or roles or provide a comprehensive view encompassing all aspects of an environment’s security.

Threats and vulnerabilities can be functionally defined by risk; considering this factor, an effective risk analysis will uncover a majority of these aspects.[E] As described in Chapter 5, “RAM dump,” management and assessment of risk is an ongoing process that must be constantly maintained. From an attacker’s perspective, when social engineering is combined with penetration techniques, it can involve many forms of exploitation not often covered by these assessment and auditing processes. This overview of penetration-testing philosophies was provided to prepare you for the next section.

Posted: 14/08/2014, 17:21