Leveraging Social Engineering in Physical Security Assessments Stephanie “Snow” Carruthers October 26, 2017


Page 1: Leveraging Social Engineering in Physical Security Assessments...Stephanie “Snow” Carruthers October 26, 2017. About Me Professional Social Engineer ... • Huntsman (Based off

Leveraging Social Engineering in Physical Security Assessments

Stephanie “Snow” Carruthers

October 26, 2017

Page 2

About Me

▪ Professional Social Engineer

▪ DEF CON 22 SECTF Black Badge (2014)

▪ SAINTCON Vault Physical Security Challenge Black Badge (2017)

▪ Tabletop Games

▪ Salt Lake City, Utah

Twitter: @_sn0ww

Stephanie

Page 3

Proactive Security Services

MindPoint Group’s Proactive Security services allow organizations to become aware of their vulnerabilities and understand what steps to take to secure their information. MPG’s services include:

• Technical Security Assessments

• Application Security

• Penetration Testing

• Social Engineering

Page 4

Agenda

• OSINT

• Pretext Development

• Recon

• On-Site Goals

• Training

Page 5

OSINT

Employees

• Trappings
• Badges
• Jobs
• Out-of-office

Company Location

• Access Control Systems
• Guards
• Cameras
• Nearby Restaurants
• Maps/Floor Plans
• Event Calendar

Vendors

• Names
• Badges
• Business Cards
• Uniform

Page 6

OSINT

Social Media

Page 7

TRAPPINGS

• Business Casual Dress
• Some with badges, some without

FLOOR PLAN

• Employee Turnstile
• Stairs on the left
• Glass elevator

RFID SYSTEM

• HID Clamshell Badge

BADGES

• Layout
• Design
• Color Codes

Page 8

OSINT

Problems with policies…

Page 9

OSINT

Page 10

OSINT

Page 11

OSINT

Security Through Obscurity

Page 12

OSINT

Floor plans, building information, and company calendars… oh my!

Page 13

OSINT

Places to check

• http://www.loopnet.com

• Real Estate Companies

• Google Maps

• Company website for the building management company

• Company website for calendars

Page 14

OSINT

Page 15

OSINT

Page 16

OSINT

Watering Holes

Page 17

OSINT

Recon via YouTube

New company buildings, internships, and jobs are all common reasons why companies make videos to promote themselves. These videos typically contain a lot of useful information for us.

Pages 18-23

OSINT

Vendors

Page 25

Pretext Creation

Do NOT impersonate:

• Law Enforcement

• Doctors

• Lawyers

• Maybe others, depending on state law

Pretext Laws

Page 26

Pretext Creation

Scope Limitations

Appearance

• Clothing
• Transportation
• Badges
• Business Cards
• Clipboards/Documents

Documentation of Pretext

• Internal
• External

Pretext Reuse

Page 27

Pretext Creation

Why pretext reuse isn’t always a good idea…

Image Source: https://spellboundbookshop.com/wp-content/uploads/2016/08/storytime-gold.jpg

Page 28

Pretext Creation

Always have a plan B, and C…

Image Source: https://spellboundbookshop.com/wp-content/uploads/2016/08/storytime-gold.jpg

Page 29

Recon

Reconnaissance

Page 30

Recon

Perimeter

• Entrances
  • Public
  • Employee Only
• Operating Hours
• Access Control Systems
• Loading Docks/Service Bays
• Dumpsters

Interior

• Physical Security Controls
  • Locks
  • Turnstiles
  • RFID
• Guards
• Cameras

Nearby

• Coffee Shops
• Restaurants

Page 31

Risk Chart (Low / Medium / High)

Page 32

On-Site Goals

Tailgating & Piggybacking

Tailgating

Tailgating means that others follow through the door without the knowledge of the person who opened it.

Piggybacking

Piggybacking implies that the person who opened the door with their credentials knows that others are following them into a secure area.

Page 33

On-Site Goals

Tailgating & Piggybacking

My favorite piggybacking story…

Image Source: https://spellboundbookshop.com/wp-content/uploads/2016/08/storytime-gold.jpg

Page 34

On-Site Goals

Document Management

Where to look:

• Trash Cans

• Dumpsters

• Shred Bins

• Breakrooms

• Mailrooms

• Bathrooms

• Employee Desks

• Conference Rooms

• Print Rooms

Image Source: http://www.shrednorth.com/wp-content/uploads/2013/10/shred-north-shredding-containers.jpg

Page 35

On-Site Goals

Elicitation

What I Do:

• Ask an employee to perform a task:
  • Print a file from a USB drive
  • Let me in without a badge

• Ask an employee to provide information:
  • I’m with IT, what's your password?
  • How do you lock the building?
  • Where are the patient records?
  • How do VIPs check in?
  • Are cameras being actively monitored?

Page 36

On-Site Goals

Elicitation

One of my favorite pretexts for elicitation…

Image Source: https://spellboundbookshop.com/wp-content/uploads/2016/08/storytime-gold.jpg

Page 37

On-Site Goals

RFID Cloning

What to use:

• Proxmark

• RFIDler

• Homebrew Solution

• Huntsman (based off BishopFox’s Tastic)

Tips:

1. Clone as many as you can during recon

2. Don’t keep RFID cards on you while trying to capture – oops…
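Added defender-side example, not from the talk or any tool it names: an anti-passback check over constructed badge-reader events, which is how an access-control team would surface both findings these slides describe, a cloned or shared credential (slide 37) and a tailgater who later badges out of a zone they never badged into (slide 32). The log format, the single tracked zone and the badge ids are assumptions.

```python
"""Anti-passback check over constructed access-control events (added example,
not from the original talk). Flags a badge that enters twice with no exit in
between (consistent with a cloned or shared credential) and a badge that exits
a zone it never entered (consistent with tailgating in). Event format, single
zone and badge ids are assumptions; real ACS exports differ."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    badge: str
    door: str
    direction: str  # "in" or "out"


# Constructed sample log: timestamp, badge id, door, direction.
# B1001 badges in twice without leaving; B1003 leaves without ever badging in.
SAMPLE_LOG = """\
2017-10-26T08:01:10 B1001 lobby-turnstile in
2017-10-26T08:03:45 B1002 lobby-turnstile in
2017-10-26T08:09:30 B1001 lobby-turnstile in
2017-10-26T12:15:00 B1003 lobby-turnstile out
2017-10-26T17:30:05 B1002 lobby-turnstile out
2017-10-26T17:31:20 B1001 lobby-turnstile out
"""


def parse_log(text):
    """Parse the constructed format into Events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, direction = line.split()
        events.append(Event(datetime.fromisoformat(ts), badge, door, direction))
    return sorted(events, key=lambda e: e.ts)


def anti_passback_violations(events):
    """Return (badge, iso_timestamp, kind) tuples for every violation.

    kind is "double-entry" (credential already inside: cloned or shared badge,
    or someone who was piggybacked out without badging) or "exit-without-entry"
    (the holder got in without presenting the badge: tailgating or a held door).
    Each finding is a lead for camera review, not proof on its own.
    """
    inside = defaultdict(bool)
    findings = []
    for e in events:
        if e.direction == "in":
            if inside[e.badge]:
                findings.append((e.badge, e.ts.isoformat(), "double-entry"))
            inside[e.badge] = True
        elif e.direction == "out":
            if not inside[e.badge]:
                findings.append((e.badge, e.ts.isoformat(), "exit-without-entry"))
            inside[e.badge] = False
    return findings


if __name__ == "__main__":
    for badge, ts, kind in anti_passback_violations(parse_log(SAMPLE_LOG)):
        print(f"{ts} {badge} {kind}")
```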

Page 38

On-Site Goals

Non-Destructive Entry

What I Use:

• Simple Lockpick set (thx @Serepick)

• Bogotas

• Shims

• Airbag (thx China)

• Thumb Latch Tool (thx @deviantollam)

• Crash bar tool (thx Sparrows)

• Under the door tool (thx @RiftRecon)

Page 39

On-Site Goals

Picking locks…

The risk has to be worth the reward…

Image Source: https://spellboundbookshop.com/wp-content/uploads/2016/08/storytime-gold.jpg

Page 40

On-Site Goals

USB Drops

Where you do not put them:

• A Parking Lot (Thx Lawyer)

Where do I put them:

• Employee Desks

• Mail rooms, in mailboxes

• Interoffice Mail

• In a white envelope with someone’s name on it (Thx Jayson Street)

Image Source: http://image.made-in-china.com/43f34j00GnYabfVsOPcI/Slid-Design-USB-Flash-Drive-Memory-Stick-ET012-.jpg

Page 41

On-Site Goals

USB Drops

Image Source: http://assets.eflorist.com/assets/products/PHR_/T50-3A.jpg

We’ve added them onto floral and cookie deliveries.

Page 42

On-Site Goals

USB Drops

What do I name them:

• Q4 Company X Employee Terminations

• 2017 Payroll

• Q4 Bonuses

• 2017 Payroll Decreases

• Company XYZ Merger 2018

Page 43

On-Site Goals

USB Drops

Statistics for 2017

Just USB left in the open: Opened 20%, Not Opened 80%

USB in envelope with employee name: Opened 60%, Not Opened 40%

Page 44

On-Site Goals

USB Drops

Page 45

On-Site Goals

Network Port Security

This is done as a minor subcomponent. It is not the holy grail of the test.

What I do:

• Plug a laptop in and run a simple ping scan

Where I do it:

• Conference Rooms

• Unattended Lobbies

• Cubicle Areas

• The Data Center

• Really, wherever I see a jack and an opportunity

Page 46

On-Site Goals

Theft

Stuff I jack:

• Laptops

• Phones

• Files

• Building Keys

• Badges

Where I put it:

A designated office which I predetermine with the point of contact.

Page 47

On-Site Goals

After-Hours Access

Why come back at night:

• Different staff are working

• No staff is present

• Building usually has more security features to test

What do I do:

• Rinse and repeat!

Page 48

Risk Chart (Low / Medium / High)

• After Hours Access
• NDE
• Theft

• Network Port Security
• Elicitation
• Badge Replication

• Tailgating/Piggybacking
• Document Management
• USB Drops
• RFID Cloning

Page 49

Tips & Tricks

Image Source: http://trikkeacademy.com/wordpress/wp-content/uploads/2016/02/tips-tricks.jpg

Page 50

Tips & Tricks

Bathrooms are your friend

Bathrooms are generally a great place to hide if you need to duck away or you think someone is getting suspicious.

Sneak into a bathroom right before closing time and wait for everyone to leave.

Page 51

Tips & Tricks

Get out of jail free card…

Fake copies don’t make you friends. I typically bring the entire statement of work with me.

Image Source: http://www.thepostturtle.com/wp-content/uploads/2015/02/Get-Out-of-Jail-Free.jpg

Page 52

Tips & Tricks

“Out of Order”

Place an out of order sign over a shredder and place an empty bin next to it. Return later in the day to collect your documents.

Image Source: https://cdn2.bigcommerce.com/server4600/10c6f/products/1525/images/2790/WS26007_Red_Out_Of_Order_sign__53859.1397133707.450.450.png?c=2

Page 53

Tips & Tricks

Spilled coffee

Spill some coffee on a fake resume.

Ask the front desk employee to help you out of a jam and print off a fresh copy from your convenient USB drive.

Image Source: https://static1.squarespace.com/static/54adb763e4b0faae8683e555/t/54b539e5e4b09f5e2402e436/1421680203051/

Page 54

Training

“Tell me and I forget. Teach me and I remember. Involve me and I learn.” – Benjamin Franklin

• “Teachable moments” can be conducted on the spot or the next day after the assessment.

• Hold on-site security awareness training using the results from the assessment.

Page 55

Recap

• OSINT

• Pretext Development

• Recon

• On-Site Goals

• Training

Page 56

Q&A

Questions?

Page 57

Contact Us

Stephanie Carruthers

Twitter: @_sn0ww

Social Engineer Team Lead

[email protected]

www.mindpointgroup.com

Follow Us on Social Media