<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:series="http://organizeseries.com/"
	>

<channel>
	<title>ITS Tactical &#187; Security</title>
	<atom:link href="http://www.itstactical.com/topics/digicom/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.itstactical.com</link>
	<description>Imminent Threat Solutions</description>
	<lastBuildDate>Wed, 22 May 2013 17:37:38 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5</generator>
		<item>
		<title>Burner Phones and the Art of Remaining Anonymous</title>
		<link>http://www.itstactical.com/digicom/security/burner-phones-and-the-art-of-remaining-anonymous/</link>
		<comments>http://www.itstactical.com/digicom/security/burner-phones-and-the-art-of-remaining-anonymous/#comments</comments>
		<pubDate>Tue, 30 Apr 2013 18:23:14 +0000</pubDate>
		<dc:creator>U. Fridman</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[burner phone]]></category>
		<category><![CDATA[Cell Phone]]></category>
		<category><![CDATA[hidden]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[Infosec]]></category>
		<category><![CDATA[Intel]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[it]]></category>
		<category><![CDATA[phone]]></category>
		<category><![CDATA[Red Teams]]></category>
		<category><![CDATA[secret]]></category>
		<category><![CDATA[Spy]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[trick]]></category>

		<guid isPermaLink="false">http://www.itstactical.com/?p=13598</guid>
		<description><![CDATA[Sometimes red teams (the bad guys) are hired to test the capabilities of blue teams (the good guys). Some examples of this would be how Quick Reaction Forces (QRF) are pushed into real-life scenarios to see how they&#8217;ll react, Infosec/IT teams are tested under pressure and Intel guys get a dose of deception. One [...]]]></description>
				<content:encoded><![CDATA[<p>Sometimes red teams (the bad guys) are hired to test the capabilities of blue teams (the good guys). Some examples of this would be how Quick Reaction Forces (QRF) are pushed into real-life scenarios to see how they&#8217;ll react, Infosec/IT teams are tested under pressure and Intel guys get a dose of deception.</p>
<p style="text-align: center;"><img class="aligncenter  wp-image-13649" alt="BurnerPhones" src="http://www.itstactical.com/wp-content/uploads/2013/04/BurnerPhones.jpg" width="630" height="432" /></p>
<p>One scenario we often play is the &#8220;rogue agent&#8221; or &#8220;underground criminal,&#8221; where part of the plan is to disrupt their listening capabilities.</p>
<p>In this situation, we communicate with someone inside the company or organization being tested and provide a way for their intel and QRF guys to test their skills. Of course we don&#8217;t make it easy for them.<span id="more-13598"></span></p>
<h2>Burner Phones</h2>
<p>One tool we often use in red team operations is the burner phone: by definition, a prepaid cell phone purchased specifically to be used briefly and then replaced.</p>
<p>To make it more interesting, I&#8217;ve made a point to collect prepaid phones from different parts of the world. The simpler the phone, the better. In the picture below, you&#8217;ll see a phone from the Netherlands, one from South Africa and another from India.</p>
<p style="text-align: center;"><a href="http://www.itstactical.com/wp-content/uploads/2013/04/burner-phones.jpg"><img class="aligncenter  wp-image-13599" alt="Burner phones from different countries" src="http://www.itstactical.com/wp-content/uploads/2013/04/burner-phones.jpg" width="640" height="480" /></a></p>
<p style="text-align: right;"><em>Burner phones from different countries</em></p>
<p>All of these phones were purchased with cash and not only have plenty of minutes loaded onto them, but are GSM phones that can work anywhere in the world. Let them try to figure these out!</p>
<p>The idea is to use a burner once, make contact and disable it by removing the battery before moving on to use the next one. Then, all of a sudden, a different member of the team would use the first one to make a completely innocuous call, like ordering pizza. Only this call would have false information: &#8220;Excuse me sir, I&#8217;d like to order pizza for 8 people, how many do you think I would need?&#8221;</p>
<p>This usually confuses the heck out of the first timers and it&#8217;s good to see what they try to do with this information.</p>
<p>Burner phones allow the team to remain fully anonymous by switching between different phones. It also helps test the analysts&#8217; attention to detail and teaches them to start separating solid intel from noise. Like I said, it&#8217;s fun to see them scratch their heads over these.</p>
<h2>Civilian Applications</h2>
<p>While some people might consider burner phones something only criminals use, you now know they&#8217;re utilized by red teams too. Law-abiding citizens can benefit from these phones too. Often we don&#8217;t want to leave our personal phone numbers when calling companies, since they sell that information to telemarketers, or we want to set up a separate line to be used when purchasing online.</p>
<p>In some other cases it&#8217;s a matter of survival. If you have a burner phone from another network, it may be the only one that works during an emergency. Redundancy is a great thing to have when it comes to cellular networks and the point here is to show that they&#8217;re a useful tool to have at your disposal.</p>
<p><em><strong>Editor-in-Chief’s Note</strong>: U. Fridman is a <a href="http://redteams.net/" target="_blank">senior information security consultant</a> that specializes in detection of information security threats and response to security incidents. His background includes extensive experience in red team activities and management, information warfare, counter cyber-terrorism, industrial espionage, forensics analysis and other security services.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itstactical.com/digicom/security/burner-phones-and-the-art-of-remaining-anonymous/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>Inside Red Team Operations, Part 3: Execute, Execute, Execute!</title>
		<link>http://www.itstactical.com/digicom/security/inside-red-team-operations-part-3-execute-execute-execute/</link>
		<comments>http://www.itstactical.com/digicom/security/inside-red-team-operations-part-3-execute-execute-execute/#comments</comments>
		<pubDate>Fri, 05 Apr 2013 16:19:41 +0000</pubDate>
		<dc:creator>U. Fridman</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Code]]></category>
		<category><![CDATA[digital]]></category>
		<category><![CDATA[digital penetration]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Pen Test]]></category>
		<category><![CDATA[Penetration Test]]></category>
		<category><![CDATA[pentest]]></category>
		<category><![CDATA[Physical Penetration]]></category>
		<category><![CDATA[Red Teams]]></category>
		<category><![CDATA[Spy]]></category>
		<category><![CDATA[Tradecraft]]></category>

		<guid isPermaLink="false">http://www.itstactical.com/?p=13457</guid>
		<description><![CDATA[This is the final article of the Inside Red Team Operations series, which is a walk through the Red Team process of planning, preparing and executing a security vulnerability assessment and penetration test; bad-guys style. Part 1 examined the elements and techniques necessary for planning the operation while Part 2 showed how information gathered during recon [...]]]></description>
				<content:encoded><![CDATA[<p><a class="post_image_link" href="http://www.itstactical.com/digicom/security/inside-red-team-operations-part-3-execute-execute-execute/" title="Permanent link to Inside Red Team Operations, Part 3: Execute, Execute, Execute!"><img class="post_image alignright" src="http://www.itstactical.com/wp-content/uploads/2013/04/inside-red-team-3-main.jpg" width="300" height="203" alt="Post image for Inside Red Team Operations, Part 3: Execute, Execute, Execute!" /></a>
</p><p>This is the final article of the <a href="http://www.itstactical.com/series/inside-red-team-operations/" target="_blank">Inside Red Team Operations</a> series, which is a walk through the Red Team process of planning, preparing and executing a security vulnerability assessment and penetration test; bad-guys style.</p>
<p><a href="http://www.itstactical.com/digicom/security/inside-red-team-operations-part-1-planning-recon-and-equipment/" target="_blank">Part 1</a> examined the elements and techniques necessary for planning the operation while <a href="http://www.itstactical.com/digicom/security/inside-red-team-operations-part-2-analyzing-recon-data-and-the-dry-run/" target="_blank">Part 2</a> showed how information gathered during recon is used to implement the plan. This article uses the previous elements to show how the plan comes together.</p>
<p><span id="more-13457"></span></p>
<p>Alright, we are ready. If you remember from the previous post, we were setting up a fake bird watching conference and expo. We bought the domain and built a basic website that provides information about the &#8220;expo.&#8221; We also have a C2 (command and control) server ready to receive any transmissions that our backdoors might send if we can install them on the target&#8217;s network. Now we just need a viable exploit.</p>
<p>Digging through all of the data we collected during our recon was a slow process, but it enabled us to discover several instances where IT personnel asked about specific versions of Windows, IIS and other applications. It&#8217;s a good start, but not enough. It&#8217;s time to start putting our social engineering skills to the test. We need to know what kind of operating system (OS) the Vice President or at least the majority of the users run so we can choose the perfect exploit.</p>
<p>I prefer redundancy so I&#8217;ll try an email approach and a direct approach via the phone.</p>
<p>First we craft our initial email to the VP of Marketing describing the conference and why we would like him to attend as a keynote speaker. We need to make this as convincing and official sounding as possible. Since we bought the domain for the conference we can create a convincing email address with a @conferencename.com in it. In the email we also point to &#8220;more information&#8221; on our website and we add snippets of comments from other &#8220;famous&#8221; bird watchers stating why the conference would be a success.</p>
<p><img class="wp-image-13513 alignleft" title="Not actual secret code. Not even Java Script but you get the idea." alt="Not actual secret code. Not even Java Script but you get the idea." src="http://www.itstactical.com/wp-content/uploads/2013/04/code-red-teams.jpg" width="265" height="186" /></p>
<p>Before sending off this initial email, we need to write a little bit of &#8220;code magic&#8221; into our website. It&#8217;s possible to retrieve the OS information through code running in JavaScript. This code will be executed on the client side: the web browser running on the VP of Marketing&#8217;s computer, or at least his assistant&#8217;s. The code will then pass the information to another piece of code that is hidden from the user.</p>
<p>Now, the page we point to on the link is just a white page. There&#8217;s nothing on it other than a hidden use of the JavaScript code. Why? We are making sure that when we call and ask if they checked the website for more info, they would answer that the page was blank. We can then sound confused and ask what browser and OS they are running so we can &#8220;fix the page&#8221;… It&#8217;s all intentional.</p>
<p>Once all of this is ready, we can then send the email and one of two things will happen next:</p>
<p>1.) The VP or his assistant will open the email and go to the website. In this case we should have the OS and the browser information they used logged on our data dump.</p>
<p><strong><em>or</em></strong></p>
<p>2.) They don&#8217;t care and they will simply delete the email.</p>
<p>If the first scenario happens, we are good to go and we can choose to verify by calling them as a &#8220;follow up&#8221; to the email. This is optional, but I like to do it. Like I said, redundancy. If the second scenario happens, then we have no choice but to call them. In this case we need to be very careful as to not spook them. We want to sound friendly and convince them that this conference is going to be great and that it would be a privilege to have the VP as a keynote speaker.</p>
<p>So, the assistant opened the email and browsed to our website. We discover that she is running an old version of Windows XP without the latest service packs. It doesn&#8217;t surprise me. Now we can call and introduce ourselves. Another team member in the meantime is preparing the backdoor we want to install and the &#8220;weaponized&#8221; PDF that will make this happen. We call and of course she mentions that the webpage is blank. We can ask her what OS she is running and what browser she is using and tell her right there to try again. Of course we uploaded the actual page now so she can see it.</p>
<p>If we are lucky and she is friendly (shows interest) we can point her to the PDF we want the VP to read. This PDF &#8220;has useful information for the keynote speakers&#8221;. The PDF is a specially crafted document that will attempt to exploit one of two vulnerabilities found in the version of Internet Explorer that the assistant is running. Once this is exploited, the code will attempt to download the actual backdoor from our C2 server.</p>
<p>We can learn two things here: if the backdoor is downloaded successfully we then know that we can connect to the C2 server without any problems and that the security software on that computer didn&#8217;t detect us.</p>
<p>Of course, if the backdoor wasn&#8217;t successfully downloaded, it could be due to several reasons. The main two being that the exploit didn&#8217;t work or we were blocked and couldn&#8217;t connect to the C2 server.</p>
<p>Up to this point we were not sure whether we would need a physical penetration of the target. So, I&#8217;m going to divide the post in two now: what would happen if the backdoor was installed and what would happen if a physical entry is needed.</p>
<h2>Digital Penetration</h2>
<p><img class=" wp-image-13514 alignright" alt="Desktop" src="http://www.itstactical.com/wp-content/uploads/2013/04/desktop.jpg" width="400" height="276" /></p>
<p>The weaponized PDF worked and now we have an initial entry into the target. We are now sitting inside the assistant&#8217;s computer. It&#8217;s tempting to start scanning for other computers connected to the same network, but we need to remember we wish to remain hidden and not be discovered. Our target is the VP of Marketing. Our focus should be him.</p>
<p>The backdoor we installed allows us to send other binaries that can help us recon the computer and eventually jump into the VP&#8217;s machine.</p>
<p>The first thing we do is install another, different, backdoor. This is done for redundancy and persistence. If the first one is discovered, we want to have another way in already in place. The second thing we do is to check the assistant&#8217;s email files. If she answered the VP&#8217;s email, she has access to his account. Maybe we don&#8217;t even need to access his computer to collect sensitive corporate information.</p>
<p>If we do need to jump on the VP&#8217;s computer, there are several things we can test. We can scan the network for the system names and see if we can spot this particular computer. This approach is usually noisy and can set off various alarms so it should be the last resort. If you do decide to go this way, create a very noisy piece of malware that will give IT and security something to chase after. While they are on the false trail, I&#8217;ll do a more silent scan of the actual network. Deception is key.</p>
<p>What I would start with is listing the shares on the Assistant&#8217;s computer. Maybe she is copying files to and from the VP&#8217;s computer. I would also check the list of past connections and the user names on her computer to see if maybe they are sharing the same computer. I could also send an email from her account to the VP&#8217;s and see if we can get the IP address from the email.</p>
<p>Moving inside the network is a delicate task. In our case we have a target, but what if we didn&#8217;t and we just want to find a possible target?</p>
<p><img class="alignleft  wp-image-13515" alt="Red Teams on the move" src="http://www.itstactical.com/wp-content/uploads/2013/04/ruck-laptop.jpeg" width="300" height="225" /></p>
<p>We are a red team, we need to think like an attacker. What are you after? Data? A specific computer or server? A specific person? Total disruption of the network? Once you know your target or what you want to achieve, make a plan. Create a diagram of what you know and what your next 4-5 moves will be. Create contingency moves for each one; you never know. It’s a useful thing to have when a good sysadmin or security guy on the other side discovers you and is trying to block you.</p>
<p>Modern networks, even in small to medium organizations, can have a lot of complexity and security features built in. Plan a stealthy recon and send a noisier bot somewhere else. Depending on how much time you have, try to move slowly. Do not set off any alarms. Add each potentially good system you find to an overall map of the network as you know it. Record their names, IP addresses, OS, apps running, etc. The idea is to have as much information in front of you on the whiteboard as possible, then plan the next phase: where to go and what to extract. Plan the egress routes and the protocols you’ll use to extract the information. In our case, we can set up a good backdoor with a connection to the C2 server, but sometimes extracting the information is not as easy. You should get different servers ready to receive the data (encrypted of course, since it’s the property of your customer). Have fallback servers as well; Mr. Murphy is always present.</p>
<p>Once you are done with the planning, execute. Again, stealth is key here. Unless you were specifically hired to test the reaction of the organization’s quick reaction teams, you should try to be as quiet as sign language. Move slowly and copy information in small bits. If you have a 2GB file you need to extract, partition it into smaller chunks and extract them using different protocols.</p>
<p>When you are done with the execution, vanish. Clean any backdoors and other tools you might have left on the network. This is done not only to avoid being detected, but if there is an actual bad guy in the network you don’t want to aid them with tools or backdoors. Do not erase logs. These are great educational tools for the security guys at the organization and they can learn forensics through them.</p>
<p>So, back to our target, the VP. Searching for a share or a connection didn&#8217;t return any leads. We can however send an email to the VP with the link to our website where the JavaScript code can grab his IP and other information. Using the Assistant&#8217;s email address we send him an email saying that she thinks the keynote invitation is a great opportunity and he should check out the website. This works. We now have the IP address for the VP&#8217;s computer.</p>
<p>By using a small port scanner (a custom low-signature port scanner we wrote and uploaded via the backdoor) we discover that the standard Windows administrative shares are enabled. These are the classic C$, D$, ADMIN$, etc. These shares will allow you to browse the computer&#8217;s files remotely by doing a simple \\IP_ADDRESS\C$ (it&#8217;ll display the contents of the C:\ drive). In some cases these shares require login credentials, which are relatively easy to get by &#8220;sniffing&#8221; the network or grabbing them out of the domain controller (this is a subject for a whole different post…). So, we move into our target and after a quick search we find his documents. We compress them, partition the file into smaller chunks and begin the slow and methodical process of data egress.</p>
<p>An offline analysis of the documents reveals that we now have a copy of the corporate marketing plan for the next 5 years.</p>
<p>Mission successful.</p>
<h2>Physical Penetration</h2>
<p>Sometimes a digital-only penetration is not possible. Ultimately we would still like to get those valuable documents but we can&#8217;t find a way in through the exploitation of digital vulnerabilities. This is when the physical recon we did in the early stages of the project comes in handy.</p>
<p><img class="alignright  wp-image-13516" alt="Recon Notes" src="http://www.itstactical.com/wp-content/uploads/2013/04/recon-notes.jpg" width="180" height="254" /></p>
<p>There are two types of physical penetrations: covert and overt. In a covert infil you find a way to breach the physical security of the perimeter and enter the premises without anyone knowing you were there. An overt infil, on the other hand, is one where you enter the building in plain sight, go through security and pretend to have a reason to be there. I&#8217;ll focus on the overt case because usually these are the most fun.</p>
<p>We first need to come up with a plausible backstory. Just as before, believability is paramount.</p>
<p>The company uses Software X to run its servers. X is a very expensive piece of software that requires a very specific license. It is known that big companies try to save money by acquiring one license and reusing it on more than one server (illegal). One scenario I found that often works is the guise that I am there to check their licenses. How can we do this?</p>
<p>Based on experience, security guards and receptionists at the main entrance of the company are often bored and tired, so a well-placed call a day or two ahead of the operation will give us a good way to get in. We call and we can say something like: &#8220;Hi, my name is John Doe, I&#8217;m with Software X. We are currently performing our quarterly license test and we&#8217;ll be sending Mr. Some Name tomorrow to check yours.&#8221; Now, in some cases the security guards will transfer this call to an IT engineer or manager in charge of the servers. These people can challenge this by saying that they would talk to their Software X account representative, and that&#8217;ll be the end of it. If you really did your homework you would have called Software X and asked to talk to the person in charge of this account, so you would know his name. You can tell the IT person that &#8220;Mr Account Manager Name&#8221; is up to speed and he would be calling him soon to let him know about the license check.</p>
<p>Most times, the security guards will eventually let the IT person know, but in a way so out there that the IT person would go something like: &#8220;OK, let me know when he is here.&#8221;</p>
<p>Now, I usually use a name I can back up with an ID. Either my real name so I can show them my drivers license, or one for which I can have a fake license made. I also like to have an ID card with the logo of the company I&#8217;m supposedly working for, together with my name, picture and other little pieces of false info. You can find pictures of badges by searching for them online. It doesn&#8217;t have to be perfect, but it has to be good enough to make the guard believe you indeed are an employee of Software X.</p>
<p>This way, when we arrive in the building the next day, they are expecting us. We need to be dressed properly, suit and tie, etc. Go to the guard, give them your name and the drivers license and fake Software X ID card. Tell them you are here to check the license. Chances are you will be told to wait for the IT person to show you in. When that person arrives, introduce yourself, show them your ID card or give him a fake business card. You can mention &#8220;Mr Account Manager Name&#8221; and share that he sends his regards. Make it sound official.</p>
<p>If you are lucky you will be let into one of the server rooms. If you get to this point you are done. It would take little work to get to the good stuff from there.</p>
<p style="text-align: center;"><img class="aligncenter size-full wp-image-13517" alt="Servers" src="http://www.itstactical.com/wp-content/uploads/2013/04/servers-edit.jpg" width="640" height="120" /></p>
<p>If this first deception didn&#8217;t pan out as planned, there are other methods of overt infil you can attempt. Again, dressing up and playing the part is key. You need to arrive first thing in the morning, when everyone gets in. Try to find the smaller entrances, one that would get less attention by the security guard and just walk right in pretending to be on the phone. Hang a fake ID card on your pocket with the rear of the ID facing outwards. If someone is looking at you, they will see a badge and most likely won&#8217;t bother you (since you are also &#8220;on the phone&#8221;).</p>
<p>Once inside, you need to do a little recon and find those servers. Depending on what intel you gathered from your initial recon, you may actually have a pretty good idea of the servers&#8217; location.</p>
<p>At this point I like to talk to the cleaning people if I can find them. I become very friendly with them, speaking in their own language if I can, talking about sports or other things you might notice on their cleaning carts, clothing (logo hat, uniform or t-shirt, etc) and other stuff. Once you have that conversation going, you could steer it towards something you want to know, like: &#8220;Wow, this is a huge building. How do you manage to take care of it by yourself?&#8221; He would reply: &#8220;Oh there&#8217;s a whole group of us that clean here.&#8221; Then you can go: &#8220;I bet they have the biggest computer rooms!&#8221; He at this point is your friend and chances are he would answer something like: &#8220;Yeah, the room on the 3rd floor has 200 computers! It takes the whole floor.&#8221; Bingo, you have the info you were looking for.</p>
<p>It&#8217;s not always that easy, but you get the idea.</p>
<p>Physical penetration can be dangerous, especially at companies where the guards are authorized to use lethal force to stop an intruder. I&#8217;ve been there and have almost gotten shot a few times.</p>
<p>Anyway, this is in my opinion the most fun part of the project, however it should be your last resort. Training often and hard is the key. Go out and play safely.</p>
<p><em><strong>Editor-in-Chief’s Note:</strong> U. Fridman is a <a href="http://redteams.net/" target="_blank">senior information security consultant</a> that specializes in detection of information security threats and response to security incidents. His background includes extensive experience in red team activities and management, information warfare, counter cyber-terrorism, industrial espionage, forensics analysis and other security services.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itstactical.com/digicom/security/inside-red-team-operations-part-3-execute-execute-execute/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
	
		<series:name><![CDATA[Inside Red Team Operations]]></series:name>
	</item>
		<item>
		<title>Your Hotel Room May Not Be As Secure As You Think</title>
		<link>http://www.itstactical.com/digicom/security/your-hotel-room-may-not-be-as-secure-as-you-think/</link>
		<comments>http://www.itstactical.com/digicom/security/your-hotel-room-may-not-be-as-secure-as-you-think/#comments</comments>
		<pubDate>Thu, 13 Dec 2012 22:24:56 +0000</pubDate>
		<dc:creator>The ITS Crew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[door lock]]></category>
		<category><![CDATA[DoubleTree]]></category>
		<category><![CDATA[electronic]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[Hilton]]></category>
		<category><![CDATA[hotel]]></category>
		<category><![CDATA[hotel door lock]]></category>
		<category><![CDATA[Hyatt]]></category>
		<category><![CDATA[motel]]></category>
		<category><![CDATA[Onity]]></category>
		<category><![CDATA[picking]]></category>
		<category><![CDATA[Ramada]]></category>
		<category><![CDATA[safety]]></category>
		<category><![CDATA[thieves]]></category>
		<category><![CDATA[vacation]]></category>

		<guid isPermaLink="false">http://www.itstactical.com/?p=12984</guid>
		<description><![CDATA[Staying safe and protecting your valuables when away from home should always be a priority. Like most people, you might think that your electronically locked hotel door is secure enough to keep out the unwanted. There&#8217;s no physical lock to pick and you need a key card to get in, that&#8217;s good, right? Unfortunately, it&#8217;s [...]]]></description>
				<content:encoded><![CDATA[<p><a class="post_image_link" href="http://www.itstactical.com/digicom/security/your-hotel-room-may-not-be-as-secure-as-you-think/" title="Permanent link to Your Hotel Room May Not Be As Secure As You Think"><img class="post_image alignright" src="http://www.itstactical.com/wp-content/uploads/2012/12/onity-ht-lock-main.jpg" width="300" height="200" alt="Post image for Your Hotel Room May Not Be As Secure As You Think" /></a>
</p><p>Staying safe and protecting your valuables when away from home should always be a priority. Like most people, you might think that your electronically locked hotel door is secure enough to keep out the unwanted. There&#8217;s no physical lock to pick and you need a key card to get in, that&#8217;s good, right?</p>
<p>Unfortunately, it&#8217;s not. There&#8217;s a tiny device out there that can open approximately one third of all hotel doors in seconds.</p>
<p><span id="more-12984"></span></p>
<p>Using an Arduino microcontroller and a few other components, almost anyone can build a device small enough to fit inside of a dry erase marker. This can then be used to unlock most hotel doors, including the dead bolt, in no time at all.</p>
<p>Watch the <a href="http://video.today.msnbc.msn.com/today/50100430#50100430" target="_blank">NBC News Report</a> below and see what you think. What unnerves me the most about this situation is that the President of the American Hotel and Lodging Association doesn&#8217;t feel that guests are vulnerable. His statement? They have &#8220;extra security in a lot of the hotels.&#8221; It does look as if Onity is finally starting to fix this issue though. <a href="http://www.forbes.com/sites/andygreenberg/2012/12/06/lock-firm-onity-starts-to-shell-out-for-security-fixes-to-hotels-hackable-locks/" target="_blank">Forbes</a> recently shared news of their progress a few days ago but with this being one of the most popular locks for hotel room doors, it may take a while to secure all of them.</p>
<p><em><strong>Note: The purpose of showing this is to inform the public of this issue. Don&#8217;t be lulled into a false sense of security in anything you do. We&#8217;ve always advocated sharing information like this, because it educates people about the illusion of security.</strong></em></p>
<p>This hack was discovered by <a href="http://demoseen.com/bhpaper.html" target="_blank">Cody Brocious</a>, who posted an excellent writeup on how and why it works to open these types of locks.</p>
<p><a href="http://blog.spiderlabs.com/2012/10/pentesting-hotels-with-pens.html" target="_blank">Matt Jakubowski</a>, a pentester for Trustwave SpiderLabs, did a test at home with an Onity door lock and a device he built himself.</p>
<p><a href="http://www.itstactical.com/wp-content/uploads/2012/12/spider-labs-test-device.png"><img class=" wp-image-12986" title="SpiderLabs Test Device" src="http://www.itstactical.com/wp-content/uploads/2012/12/spider-labs-test-device.png" alt="" width="640" height="240" /></a> Image by Matt Jakubowski</p>
<p><iframe src="http://www.youtube.com/embed/QyN-8CeNSZg?rel=0" frameborder="0" width="640" height="480"></iframe></p>
<h2>What You Can Do</h2>
<p>So now that you know how it all works, how can you secure yourself and your belongings? It&#8217;s probably a good idea to call the hotel ahead of time and find out if they use Onity locks on the doors and if they do, ask if the locks have been upgraded. Ultimately, no lock is truly safe, but staying at a hotel with a massive security breach is obviously not a good idea.</p>
<p>If you are already in the hotel and in the room, use the chain on the inside of the door. If someone manages to open your deadbolt from the outside (as this device can), they would only be able to open the door a couple of inches which would provide you time to call for help. Just don&#8217;t think that the chain is the be-all end-all answer, but it is an added safety measure. This obviously only works if you&#8217;re in the room.</p>
<p>When you leave the hotel, use the safe in the room or one at the front desk if they have them. The easiest solution is to simply bring your valuables with you. If you do have to leave items in the room, it may be a good idea to hide them in plain sight. Here are some interesting ways to store your stuff when you leave your hotel room.</p>
<p><a href="http://www.itstactical.com/wp-content/uploads/2012/12/hidden-safe-examples.jpg"><img class="aligncenter size-full wp-image-12985" title="Hidden Safe Examples" src="http://www.itstactical.com/wp-content/uploads/2012/12/hidden-safe-examples.jpg" alt="" width="640" height="136" /></a></p>
<ul>
<li><a href="http://www.amazon.com/gp/product/B0076TEFU4/ref=as_li_ss_tl?ie=UTF8&amp;camp=1789&amp;creative=390957&amp;creativeASIN=B0076TEFU4&amp;linkCode=as2&amp;tag=itta-20" target="_blank">Rubik&#8217;s Cube Safe</a></li>
<li><a href="http://www.amazon.com/gp/product/B0009ZEXJU/ref=as_li_ss_tl?ie=UTF8&amp;camp=1789&amp;creative=390957&amp;creativeASIN=B0009ZEXJU&amp;linkCode=as2&amp;tag=itta-20" target="_blank">Dr Pepper Can Safe</a></li>
<li><a href="http://www.amazon.com/gp/product/B000MIKHEE/ref=as_li_ss_tl?ie=UTF8&amp;camp=1789&amp;creative=390957&amp;creativeASIN=B000MIKHEE&amp;linkCode=as2&amp;tag=itta-20" target="_blank">Hidden Book Safe</a></li>
<li><a href="http://www.amazon.com/gp/product/B004MFDLYG/ref=as_li_ss_tl?ie=UTF8&amp;camp=1789&amp;creative=390957&amp;creativeASIN=B004MFDLYG&amp;linkCode=as2&amp;tag=itta-20" target="_blank">Coffee Mug Hidden Safe</a></li>
<li><a href="http://www.amazon.com/gp/product/B000HZ8RN0/ref=as_li_ss_tl?ie=UTF8&amp;camp=1789&amp;creative=390957&amp;creativeASIN=B000HZ8RN0&amp;linkCode=as2&amp;tag=itta-20" target="_blank">Barbasol Shaving Cream Safe</a></li>
</ul>
<p>Do note that these aren&#8217;t truly &#8220;safes&#8221; as they don&#8217;t lock. They do however allow you to keep small items relatively secure. If you want to save money, get creative and try to make some of these yourself.</p>
<p><a href="http://www.itstactical.com/wp-content/uploads/2012/12/Pacsafe.jpg"><img class="alignright  wp-image-12998" title="Pacsafe" src="http://www.itstactical.com/wp-content/uploads/2012/12/Pacsafe.jpg" alt="" width="270" height="270" /></a>Another option is something like the <a href="http://www.amazon.com/gp/product/B000FGVFP8/ref=as_li_ss_tl?ie=UTF8&amp;camp=1789&amp;creative=390957&amp;creativeASIN=B000FGVFP8&amp;linkCode=as2&amp;tag=itta-20" target="_blank">Pacsafe steel mesh cabling</a>, which covers your entire bag or pack and could deter a thief. What&#8217;s nice about Pacsafe devices like the one in the image on the right is that it completely covers your luggage; it&#8217;s not just a cable lock that leaves the majority of your bag still exposed.</p>
<p>Face it though, all security is ultimately defeatable by someone or something. Take the approach that we like to mention, all security is just simply buying time&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itstactical.com/digicom/security/your-hotel-room-may-not-be-as-secure-as-you-think/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>Using Red Teams Techniques and a Little Common Sense to Defeat Advanced Security Systems</title>
		<link>http://www.itstactical.com/digicom/security/using-red-teams-techniques-and-a-little-common-sense-to-defeat-advanced-security-systems/</link>
		<comments>http://www.itstactical.com/digicom/security/using-red-teams-techniques-and-a-little-common-sense-to-defeat-advanced-security-systems/#comments</comments>
		<pubDate>Mon, 22 Oct 2012 14:18:39 +0000</pubDate>
		<dc:creator>U. Fridman</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[covert]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Pen Test]]></category>
		<category><![CDATA[Red Team]]></category>
		<category><![CDATA[Red Teams]]></category>
		<category><![CDATA[Spy]]></category>

		<guid isPermaLink="false">http://www.itstactical.com/?p=12720</guid>
		<description><![CDATA[Editor-in-Chief’s note: This post was written by security expert U. Fridman and originally ran on his company blog, Red Teams. A few years back, a customer asked us to test their newly installed (and very expensive) surveillance and security system. The product promised them an automated system that was so secure they wouldn’t have to place [...]]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.itstactical.com/wp-content/uploads/2012/10/red-team-lock-main.jpg"><img class="aligncenter size-full wp-image-12723" title="red-team-lock-main" src="http://www.itstactical.com/wp-content/uploads/2012/10/red-team-lock-main.jpg" alt="" width="640" height="426" /></a></p>
<p><em>Editor-in-Chief’s note: This post was written by security expert U. Fridman and originally ran on his company blog, <a href="http://redteams.net/post/31622699243/a-few-years-back-a-customer-asked-us-to-test" target="_blank">Red Teams</a>.</em></p>
<p>A few years back, a customer asked us to test their newly installed (and very expensive) surveillance and security system. The product promised them an automated system that was so secure they wouldn’t have to place a security guard there.</p>
<p>After some recon we discovered that while the entrance was guarded by a very secure keypad + access card combination lock, the inside had an automated “unlock” sensor so if anyone wanted to come out, the door would unlock from the inside.</p>
<p>Using a high resolution night capable camera, we took photos of the door and lock. After careful review of the pictures we found out that the top and bottom of the door were not sealed tight, as we could see a tiny bit of light from there. A plan was set in motion.</p>
<p>Later when we arrived, we approached the door carefully and removed a piece of gear from our kit that would, hopefully, allow us to bypass the &#8220;very secure&#8221; lock: an old credit card.</p>
<p>We slid the old credit card under the door and… nothing.</p>
<p>After a few seconds we agreed that the sensor wasn’t picking up the movement, maybe because we were too close to the door and sensors usually “look” a bit farther out.</p>
<p>We retrieved another credit card and we tied it up to a piece of metal string (essentially several springs from a pen’s click mechanism tied together). We pushed the card under the door again, then carefully we pushed it farther with the metal string. And farther, and farther and… voila! The motion sensor detected movement “from the inside” and unlocked the door.</p>
<p>We were in.</p>
<p>Big, expensive, digital lock defeated by an old credit card and a spring.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itstactical.com/digicom/security/using-red-teams-techniques-and-a-little-common-sense-to-defeat-advanced-security-systems/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Inside Red Team Operations, Part 2: Analyzing Recon Data and The Dry Run</title>
		<link>http://www.itstactical.com/digicom/security/inside-red-team-operations-part-2-analyzing-recon-data-and-the-dry-run/</link>
		<comments>http://www.itstactical.com/digicom/security/inside-red-team-operations-part-2-analyzing-recon-data-and-the-dry-run/#comments</comments>
		<pubDate>Fri, 05 Oct 2012 17:11:37 +0000</pubDate>
		<dc:creator>U. Fridman</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Tradecraft]]></category>
		<category><![CDATA[Contingency Plan]]></category>
		<category><![CDATA[Digital Recon]]></category>
		<category><![CDATA[Digital Vulnerability Assessment]]></category>
		<category><![CDATA[Exploits]]></category>
		<category><![CDATA[Maltego Radium]]></category>
		<category><![CDATA[OSINT]]></category>
		<category><![CDATA[Physical Recon]]></category>
		<category><![CDATA[Physical Vulnerability Assessment]]></category>
		<category><![CDATA[Red Team]]></category>
		<category><![CDATA[Red Team Operations]]></category>
		<category><![CDATA[Security Assessment]]></category>
		<category><![CDATA[Social Engineering]]></category>

		<guid isPermaLink="false">http://www.itstactical.com/?p=12661</guid>
		<description><![CDATA[Today we&#8217;ll be looking at the 2nd part of our Inside Red Team Operations series, which takes us through the process of planning, preparing and executing a security vulnerability assessment and penetration test; bad-guys style. In Part 1, we looked at some of the elements and techniques for planning the operation and the recon. In [...]]]></description>
				<content:encoded><![CDATA[<p><a class="post_image_link" href="http://www.itstactical.com/digicom/security/inside-red-team-operations-part-2-analyzing-recon-data-and-the-dry-run/" title="Permanent link to Inside Red Team Operations, Part 2: Analyzing Recon Data and The Dry Run"><img class="post_image alignright" src="http://www.itstactical.com/wp-content/uploads/2012/10/RedTeams2Main.jpg" width="300" height="206" alt="Post image for Inside Red Team Operations, Part 2: Analyzing Recon Data and The Dry Run" /></a>
</p><p>Today we&#8217;ll be looking at the 2nd part of our <a href="http://www.itstactical.com/digicom/security/inside-red-team-operations-part-1-planning-recon-and-equipment/">Inside Red Team Operations series</a>, which takes us through the process of planning, preparing and executing a security vulnerability assessment and penetration test; bad-guys style.</p>
<p>In <a href="http://www.itstactical.com/digicom/security/inside-red-team-operations-part-1-planning-recon-and-equipment/">Part 1</a>, we looked at some of the elements and techniques for planning the operation and the recon. In this part, we&#8217;ll see how the information gathered during the 1st phase can be used to plan the operation.<span id="more-12661"></span></p>
<h2>Sorting Through Recon Data</h2>
<p>Through OSINT, social engineering, phone probes and physical recon, we collected a large amount of data about our target. Some of that information is useless and some is the key to the success of the operation. Going through the information is tedious work but it can be rewarding.</p>
<h3>Focusing on People</h3>
<p>The first focus is on people. We collected email addresses and information about their employees. This should give us a clear picture of the who&#8217;s who in the company, or at least one or two names we can use to mount a social engineering attack. I usually focus on the people that hold mid-level positions. They tend to be well informed about what&#8217;s going on and are usually very helpful on the phone or over email. That willingness to help usually comes from a person wanting to climb into a better position and wanting that extra &#8220;you see? I am very helpful and people rely on me&#8221; message to be spread.</p>
<p>Once we have a name, we can search all the information we have about that person. If needed we can perform a deeper recon on him/her. There are several websites that provide information about a particular person, however social media sites like Facebook, Twitter and especially LinkedIn provide all the information we may need.</p>
<p><a href="http://www.itstactical.com/wp-content/uploads/2012/10/radium-ex1.jpg"><img class="aligncenter size-full wp-image-12666" title="radium-ex1" alt="" src="http://www.itstactical.com/wp-content/uploads/2012/10/radium-ex1.jpg" width="649" height="583" /></a></p>
<h3>Products and Technologies</h3>
<p>The second thing we focus on is products and technologies. A huge part of a successful social engineering attack is having your facts straight. If the target is a company manufacturing/developing products, they usually have them listed on their Website. Focus on those and try to get the product owners, managers, developers, spokesmen, etc.</p>
<p>If the target is an organization (either private or government) then the focus should be on the service these organizations provide and the points of contact.</p>
<p style="text-align: center;"><a href="http://www.itstactical.com/wp-content/uploads/2012/10/Maltego3-AllTransforms.jpg"><img class="aligncenter  wp-image-12664" title="Maltego3-AllTransforms" alt="" src="http://www.itstactical.com/wp-content/uploads/2012/10/Maltego3-AllTransforms.jpg" width="557" height="328" /></a></p>
<h3>Infrastructure</h3>
<p>Finally we focus on the technology, or more specifically what powers their networks, web servers and IT infrastructure. This includes informational scans for things such as specific product names and versions, problems with them as reported by their own IT people, and the backend and frontend technologies in use: databases, CRM or other data management systems, web service technologies and code.</p>
<p>This information will allow us to start planning any possible penetration via the exploitation of a technical vulnerability. For example, if I know their main web page is hosted on a Windows 2003 Service Pack X, with IIS X.x and MS SQL Database X, then I&#8217;ll be able to pinpoint a possible vulnerability that might not be patched in this system and either find an exploit for it or write my own.</p>
<p style="text-align: center;"><a href="http://www.itstactical.com/wp-content/uploads/2012/10/nmap5-samplescan-706x964.png"><img class="aligncenter  wp-image-12665" title="nmap5-samplescan-706x964" alt="" src="http://www.itstactical.com/wp-content/uploads/2012/10/nmap5-samplescan-706x964.png" width="635" height="868" /></a></p>
<p>In our project, we want to be able to penetrate the company&#8217;s network and if that fails, penetrate the company&#8217;s premises. Sorting through the data, we found that the VP of marketing&#8217;s email address is listed as a point of contact on a bird watcher&#8217;s forum.</p>
<p>How is this relevant? Well, we now have &#8220;something in common with the VP.&#8221; We&#8217;re going to become not only an expert bird watcher, but &#8220;all of a sudden&#8221; there is a new bird watching expo being planned in a few months. Since this VP is such a successful business person, we&#8217;d like him to be one of the keynote speakers at this expo. How&#8217;s that?</p>
<h2>Preparing The Bait</h2>
<p><a href="http://www.itstactical.com/wp-content/uploads/2012/10/800px-Observación_de_aves_en_Nador.jpg"><img class="alignright size-medium wp-image-12670" title="800px-Observación_de_aves_en_Nador" alt="" src="http://www.itstactical.com/wp-content/uploads/2012/10/800px-Observación_de_aves_en_Nador-300x225.jpg" width="300" height="225" /></a>The first thing we need to do is get our facts straight. We don&#8217;t need to learn everything there is to bird watching, but take 24 hours to read about it, familiarize yourself with the jargon, the hot spots in the country and local area. You want to sound credible.</p>
<p>Second, buy a domain that reflects the &#8220;bird watching expo&#8221; that is coming up soon. For example, birdwatchexpovegas.com, or something similar. This will be our bait. We&#8217;ll use this Website to try and exploit the vulnerabilities we may find in their system, or if this fails, as a supporting site for our cover story.</p>
<p>It would be a good idea at this point to try to figure out what kind of laptops/workstations the employees use. Knowing the OS (version, patch level, etc.) will help us narrow down the vulnerabilities we can exploit.<br />
One way to do this is by calling and using social engineering to get any number of employees to disclose that information. Another is to directly approach our target with an email.</p>
<p>His company email is the point of contact for the bird watchers forum, so he is expecting to see bird watching related stuff in that inbox. Using the Website we just created, we add a little piece of code to the page that can extract some of the information we need. We then craft a very convincing email directing the target to our site.</p>
<p>If this works, then we&#8217;ll have a file sitting on our server with enough information about his browser and system for us to be able to pinpoint a vulnerability that can be exploited. On top of this, it&#8217;s often safe to assume that large corporations and organizations don&#8217;t have the latest patches, so exploits for recently patched vulnerabilities are worth trying alongside any 0day we may have.</p>
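<p><em>Added example, not code from the original post:</em> the &#8220;file sitting on our server&#8221; is only useful once it is turned into an OS, browser and plugin version list that can be matched against known vulnerabilities. The Python below does that server-side step. It assumes (this is not something the post specifies) that the collector script on the bait page posts one JSON object per visitor with <code>ua</code> (navigator.userAgent), <code>plugins</code> (the names from navigator.plugins) and <code>screen</code>; the three sample records are constructed, and the collector script itself is not shown.</p>

```python
import json
import re

# Constructed sample: three records as the bait page's collector script
# (assumed here, not shown) might POST them to our server, one JSON
# object per line. The ua/plugins/screen field names are an assumption.
SAMPLE_LOG = """\
{"ua": "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", "plugins": ["Shockwave Flash 10.3 r183", "Adobe PDF Plug-In For Firefox and Netscape 9.5.2"], "screen": "1280x1024"}
{"ua": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0", "plugins": ["Shockwave Flash 11.4 r402", "Java(TM) Platform SE 6 U31"], "screen": "1920x1080"}
{"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4", "plugins": [], "screen": "1440x900"}
"""

# Windows NT kernel version -> marketed product name.
WINDOWS_NT = {
    "5.1": "Windows XP",
    "5.2": "Windows Server 2003 / XP x64",
    "6.0": "Windows Vista / Server 2008",
    "6.1": "Windows 7 / Server 2008 R2",
    "6.2": "Windows 8 / Server 2012",
    "6.3": "Windows 8.1 / Server 2012 R2",
    "10.0": "Windows 10",
}

# Order matters: Chrome UAs also contain "Safari", and IE11 drops "MSIE".
BROWSER_PATTERNS = [
    ("Internet Explorer", re.compile(r"MSIE (\d+\.\d+)")),
    ("Internet Explorer", re.compile(r"Trident/.*rv:(\d+\.\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+\.\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+\.\d+)")),
    ("Safari", re.compile(r"Version/(\d+\.\d+).*Safari/")),
]

# navigator.plugins names as the browsers of that era reported them.
PLUGIN_PATTERNS = {
    "Flash": re.compile(r"Shockwave Flash (\d+\.\d+)"),
    "Adobe Reader": re.compile(r"Adobe (?:PDF|Acrobat|Reader).*?(\d+\.\d+(?:\.\d+)?)"),
    "Java": re.compile(r"Java\(TM\) Platform SE (\d+)(?: U(\d+))?"),
}


def parse_os(ua):
    """Map the platform token of a User-Agent string to an OS name."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        name = WINDOWS_NT.get(m.group(1), "Windows NT " + m.group(1))
        if "WOW64" in ua or "Win64" in ua:
            name += " (x64)"
        return name
    m = re.search(r"Mac OS X (\d+[._]\d+(?:[._]\d+)?)", ua)
    if m:
        return "Mac OS X " + m.group(1).replace("_", ".")
    if "Linux" in ua:
        return "Linux"
    return "unknown"


def parse_browser(ua):
    """Return (browser name, major.minor version) or ("unknown", None)."""
    for name, pattern in BROWSER_PATTERNS:
        m = pattern.search(ua)
        if m:
            return name, m.group(1)
    return "unknown", None


def parse_plugins(plugin_names):
    """Pull the versions of exploit-relevant plugins out of navigator.plugins."""
    found = {}
    for raw in plugin_names:
        for product, pattern in PLUGIN_PATTERNS.items():
            m = pattern.search(raw)
            if m and product == "Java" and m.group(2):
                found[product] = f"{m.group(1)}u{m.group(2)}"   # e.g. 6u31
            elif m:
                found[product] = m.group(1)
    return found


def parse_record(line):
    """One JSON line from the collector -> a flat profile of the visitor."""
    rec = json.loads(line)
    ua = rec.get("ua", "")
    return {
        "os": parse_os(ua),
        "browser": parse_browser(ua),
        "plugins": parse_plugins(rec.get("plugins", [])),
        "screen": rec.get("screen"),
    }


def parse_log(text):
    """Parse every non-empty line of the collector log."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for profile in parse_log(SAMPLE_LOG):
        browser, version = profile["browser"]
        print(f'{profile["os"]:<38} {browser} {version or "?":<6} {profile["plugins"]}')
```

<p>The output of <code>parse_log</code> is what gets checked against the vulnerability lists: an XP box running IE 8 with Flash 10.3 and Reader 9.5.2 narrows the exploit choice a great deal more than the User-Agent string alone.</p>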
<p>A good thing to have at this point is a good attack that can be spread via a PDF or a Word document. Those two file types have a lot of potential for hiding exploit code that targets Adobe Reader and Microsoft Office, two products with a long history of vulnerabilities. Another good technology to exploit is Flash. You&#8217;d be surprised at the things you can do with Flash. We could use the PDF or Word Doc in an email and the Flash on our Website.</p>
<h2>Dry Run</h2>
<p>Before we can try all of this on our target we need to perform a dry run. This will be used not only to test our code (Website, exploits, etc.) and our script (the social engineering script, the cover story), but also to polish the whole plan and have contingencies for every part of it. What if the exploit doesn&#8217;t work? What if the target is not interested in the expo? What if he is using a web browser that has been patched? What if his secretary is the one answering the phone? A lot of things wind up not working out.</p>
<p>We need to go through the whole attack and figure out the weak points. If you can, bring in someone who wasn&#8217;t involved in the planning and have him/her poke holes in the plan. You&#8217;ll be surprised at the things you miss when you&#8217;re extremely focused.</p>
<p style="text-align: center;"><a href="http://www.itstactical.com/wp-content/uploads/2012/10/killthenoob_ftp_traversal_upload.png"><img class="aligncenter  wp-image-12663" title="killthenoob_ftp_traversal_upload" alt="" src="http://www.itstactical.com/wp-content/uploads/2012/10/killthenoob_ftp_traversal_upload.png" width="589" height="308" /></a></p>
<p>Now comes the tricky part. We need to replicate the target environment as closely as we can. That&#8217;s when the initial digital recon comes into play. We performed informational scans using one of many tools. We should have enough information about their internet facing network and some of the employee&#8217;s workstations in order to prepare our own copy of those systems. Grab a good server, install a virtual machine manager and start cracking.</p>
<p>Do they use Linux for their mail server? Do they use Windows with IIS for their website? Do they have Firewalls? Routers? Any other security device that can be detected? It&#8217;s important to note that in most cases, an informational scan will return minimal information, so it&#8217;s necessary to go head first into gathering more. This can be done by either calling or visiting the target.</p>
<p style="text-align: center;"><a href="http://www.itstactical.com/wp-content/uploads/2012/10/20101222-p6576ceq3akki5r1u7qj9j9sq6.png"><img class="aligncenter  wp-image-12662" title="20101222-p6576ceq3akki5r1u7qj9j9sq6" alt="" src="http://www.itstactical.com/wp-content/uploads/2012/10/20101222-p6576ceq3akki5r1u7qj9j9sq6.png" width="598" height="473" /></a></p>
<p>Once we have our servers and workstations ready, have your team play the parts and have a person not involved in the planning play the target. Follow the flow and see where it fails.</p>
<p><em>Stay tuned for Part 3, where we&#8217;ll execute the operation and see how to react when things don’t go as planned!</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itstactical.com/digicom/security/inside-red-team-operations-part-2-analyzing-recon-data-and-the-dry-run/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<series:name><![CDATA[Inside Red Team Operations]]></series:name>
	</item>
		<item>
		<title>Inside Red Team Operations, Part 1: Planning, Recon and Equipment</title>
		<link>http://www.itstactical.com/digicom/security/inside-red-team-operations-part-1-planning-recon-and-equipment/</link>
		<comments>http://www.itstactical.com/digicom/security/inside-red-team-operations-part-1-planning-recon-and-equipment/#comments</comments>
		<pubDate>Mon, 30 Jul 2012 22:08:18 +0000</pubDate>
		<dc:creator>U. Fridman</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Tradecraft]]></category>
		<category><![CDATA[Bogota Entry Toolset]]></category>
		<category><![CDATA[Contingency Plan]]></category>
		<category><![CDATA[Digital Recon]]></category>
		<category><![CDATA[Digital Vulnerability Assessment]]></category>
		<category><![CDATA[Physical Recon]]></category>
		<category><![CDATA[Physical Vulnerability Assessment]]></category>
		<category><![CDATA[Red Team]]></category>
		<category><![CDATA[Red Team Operations]]></category>
		<category><![CDATA[Security Assessment]]></category>
		<category><![CDATA[Social Engineering]]></category>

		<guid isPermaLink="false">http://www.itstactical.com/?p=12413</guid>
		<description><![CDATA[In this three part series we&#8217;re going to go through what it takes to perform a security vulnerability assessment that would ultimately end in the penetration of the target. In part 1 we&#8217;ll talk about planning the operation, digital &#38; physical recon and some of the kit we might need. In part 2, we&#8217;ll analyze [...]]]></description>
				<content:encoded><![CDATA[<p><a class="post_image_link" href="http://www.itstactical.com/digicom/security/inside-red-team-operations-part-1-planning-recon-and-equipment/" title="Permanent link to Inside Red Team Operations, Part 1: Planning, Recon and Equipment"><img class="post_image alignright" src="http://www.itstactical.com/wp-content/uploads/2012/07/RedTeamsMain.jpg" width="300" height="224" alt="Post image for Inside Red Team Operations, Part 1: Planning, Recon and Equipment" /></a>
</p><p>In this three part series we&#8217;re going to go through what it takes to perform a security vulnerability assessment that would ultimately end in the penetration of the target.</p>
<p>In part 1 we&#8217;ll talk about planning the operation, digital &amp; physical recon and some of the kit we might need. In part 2, we&#8217;ll analyze the information gathered during the recon, plan and rehearse the operation and perform a dry run. This will test what we&#8217;ve learned and polish our plan. In part 3 we&#8217;ll execute the operation and plan for contingencies when things don&#8217;t go as planned.<span id="more-12413"></span></p>
<h2>What is a Red Team?</h2>
<p>In the world of computer and information security, a red team is a group of highly skilled experts hired to provide adversarial services, i.e. to act like attackers. The goal of red team operations is to continuously challenge the plans, defensive measures and concepts of the organization.</p>
<p>These exercises result in a better understanding of possible adversaries and help to improve counter measures against future threats. Red teams are also tasked with probing physical security measures, sometimes as part of an overall digital/physical assessment and sometimes as a project of its own.</p>
<p>This series will focus on a combination of both physical and digital vulnerability assessments, as well as penetration of the target. This way you can see the techniques needed for both.</p>
<p>It is important to mention that each project/operation is different and the techniques described here will have to be adapted, changed or completely dropped based on the target. It is also important to mention that I will keep the technical details to a minimum. I&#8217;m doing this for two reasons; one, because not everyone reading this has a background in computers and two, because I don&#8217;t want to show the bad guys any technique they can use.</p>
<p>With all this in mind, let&#8217;s begin.</p>
<h2>The Project</h2>
<p>We&#8217;re tasked with penetrating the internal network of a Fortune 100 company. If successful, we are also tasked with acquiring highly sensitive marketing documents.</p>
<p>There are many ways to try to penetrate their network and systems but we are going to focus on two. We will try a purely digital approach first, if it fails, we&#8217;ll try a physical approach that might give us a way into their network.</p>
<p>The digital approach usually entails scanning their public facing systems in search of a vulnerability to exploit, or a more direct approach that includes social engineering (hacking people into providing information) and a well placed weaponized document or attack code. A physical approach is just that: physically penetrating the premises and trying to either get to a computer inside or connect your laptop to their network and find the documents. More often, the goal of the physical entry is to plant a backdoor so the network can be accessed remotely from the convenience of your office/TOC.</p>
<h2>Planning and Initial Recon</h2>
<p>The initial recon and planning phase is critical. Some operations fail because of lack of information about the target, others are highly successful because the recon was carefully performed and all the possible weak points were identified.</p>
<h3>Digital Recon</h3>
<p>Let&#8217;s start with information in the public domain. Open source intelligence (OSINT) gathering is our first priority. You&#8217;d be surprised how much information about companies, their employees and the technology they use in their networks is really out there.</p>
<p>We can start by using Google, Yahoo, DuckDuckGo and other search engines; however, it would be good to use a search engine aggregator that can search across all of them at once. It&#8217;s also useful sometimes to use local search engines if we&#8217;re targeting a company or organization in another country.</p>
<p>There are <a href="http://www.searchenginecolossus.com/" target="_blank">services</a> that provide a list of local search engines, or you can try local Google or Yahoo versions. For example, for Russia try google.ru and ru.yahoo.com, for Argentina google.com.ar or for France google.fr. You get the picture.</p>
<p>We begin by searching for the company&#8217;s web sites, domains, press releases that might indicate the use of a certain technology, names of employees, high level executives, etc.</p>
<p>Press releases are a great resource, for example, they usually detail new products with names of technology, executives and other snippets of information that we can use for a social engineering approach.</p>
<p>Next we search for emails. Searching for &#8220;@companydomain&#8221; will usually return a list of sites where people used their company email address for various tasks. This is a great source of information about employees (possible targets for social engineering), but more importantly, IT people often go to technical forums to request help with the technology they are using. It&#8217;s a great way to start mapping their operating systems, web servers, databases, firewalls, routers, etc. before the active mapping part of the recon has even started.</p>
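<p><em>Added example, not code from the original post:</em> the search-result snippets from an &#8220;@companydomain&#8221; search are worth processing rather than reading, because two things fall out of them at once: the company&#8217;s address naming convention (which lets us guess the address of anyone whose name we find on LinkedIn or in a press release) and, for the IT staff posting on forums, the products they run. The Python below does both over a constructed set of hits for a hypothetical <code>example-corp.com</code>; the sites, names and addresses are all made up, and the assumption that a plain all-letters local part such as <code>rlee</code> is first-initial-plus-surname is flagged in the code.</p>

```python
import re
from collections import Counter, defaultdict

TARGET_DOMAIN = "example-corp.com"  # hypothetical target domain

# Constructed sample: (site, snippet) pairs as a search for "@example-corp.com"
# might return. None of these are real addresses, people or posts.
SAMPLE_HITS = [
    ("forum.dbadmins.net", "Posted by john.smith@example-corp.com: our MS SQL 2005 cluster keeps failing over after SP3, any ideas?"),
    ("birdwatchers-forum.org", "Contact the group organizer at Mary.Jones@Example-Corp.com for meetup details."),
    ("forum.dbadmins.net", "Re: cluster failover - john.smith@example-corp.com wrote: we are on Windows 2003 SP2"),
    ("linkedin.com", "Peter Brown - VP Marketing at Example Corp"),
    ("pastebin.example", "support@example-corp.com, rlee@example-corp.com, webmaster@other-domain.com"),
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Role accounts tell us nothing about how personal addresses are formed.
GENERIC_LOCAL = {"support", "info", "sales", "admin", "webmaster", "postmaster", "noreply", "hr", "jobs"}

# Product strings worth noticing in a forum post by the target's IT staff.
TECH_KEYWORDS = ("Windows 2003", "Windows 2008", "MS SQL", "SQL Server", "IIS", "Exchange", "Oracle", "Apache", "Cisco")

# Address conventions we know how to generate, keyed by name.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first": lambda f, l: f,
}


def harvest(hits, domain):
    """Return {address: {sites it appeared on}} for addresses at `domain`."""
    found = defaultdict(set)
    for site, text in hits:
        for addr in EMAIL_RE.findall(text):
            addr = addr.lower()
            if addr.rsplit("@", 1)[1] == domain.lower():
                found[addr].add(site)
    return dict(found)


def classify_local(local):
    """Guess which convention a local part follows. Assumption: a plain run
    of letters that is not a role account is first-initial + surname."""
    if local in GENERIC_LOCAL:
        return "generic"
    if re.fullmatch(r"[a-z]+\.[a-z]+", local):
        return "first.last"
    if re.fullmatch(r"[a-z]+_[a-z]+", local):
        return "first_last"
    if re.fullmatch(r"[a-z]+", local):
        return "flast"
    return "other"


def infer_convention(addresses):
    """Most common convention among the harvested addresses, or None."""
    counts = Counter(classify_local(a.split("@", 1)[0]) for a in addresses)
    for skip in ("generic", "other"):
        counts.pop(skip, None)
    return counts.most_common(1)[0][0] if counts else None


def candidates(first, last, convention, domain):
    """Likely addresses for a person found elsewhere (e.g. on LinkedIn):
    the inferred convention first, the other conventions as fallbacks."""
    first, last = first.lower(), last.lower()
    order = [convention] + [p for p in PATTERNS if p != convention]
    return [f"{PATTERNS[p](first, last)}@{domain}" for p in order if p in PATTERNS]


def tech_mentions(hits, domain):
    """Map each harvested address to the product names mentioned alongside it."""
    mentions = defaultdict(set)
    for site, text in hits:
        for addr in EMAIL_RE.findall(text):
            addr = addr.lower()
            if addr.rsplit("@", 1)[1] != domain.lower():
                continue
            for kw in TECH_KEYWORDS:
                if kw in text:
                    mentions[addr].add(kw)
    return dict(mentions)


if __name__ == "__main__":
    found = harvest(SAMPLE_HITS, TARGET_DOMAIN)
    convention = infer_convention(found)
    for addr, sites in sorted(found.items()):
        print(f"{addr:<32} seen on {', '.join(sorted(sites))}")
    print("naming convention:", convention)
    print("Peter Brown ->", candidates("Peter", "Brown", convention, TARGET_DOMAIN)[:2])
    print("tech mentions:", tech_mentions(SAMPLE_HITS, TARGET_DOMAIN))
```

<p>Run as-is it reports <code>first.last</code> as the convention, proposes <code>peter.brown@example-corp.com</code> for the VP found on LinkedIn, and ties the DBA&#8217;s forum posts to MS SQL and Windows 2003, which is exactly the starting point for the mapping phase described next.</p>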
<p>OSINT will usually take a few weeks. We want to gather as much information as we can and build a logical map of what we now know: people, systems, products and the connections between all these.</p>
<p>Another great way to gather information is to call the company phone numbers off hours and, if you get a voicemail system, probe for default passwords. Chances are you&#8217;ll get several hits. You can get a lot of good intel via this method. Getting the company&#8217;s different phone numbers is relatively easy.</p>
<p><a href="http://www.itstactical.com/wp-content/uploads/2012/07/RedTeams01.jpg"><img class="aligncenter size-large wp-image-12414" title="RedTeams01" alt="" src="http://www.itstactical.com/wp-content/uploads/2012/07/RedTeams01-510x318.jpg" width="510" height="318" /></a></p>
<p>The next phase of the digital recon is mapping the public facing digital assets. We want to know their digital footprint: IP address ranges, domains, websites and security devices if possible. This should be done very carefully; we don&#8217;t want to tip off their security devices (or the people watching them) that we are mapping them.</p>
<p>We start by searching the different &#8220;whois&#8221; databases for their IP ranges. Since our target is a Fortune 100 organization, chances are they have acquired a set of IP addresses that is assigned directly to the company. Knowing the IP ranges will allow us to also map those servers that might be connected to the internet but do not necessarily provide services (like a company website or e-commerce site do). You would be amazed at what you can find sometimes. In one project I found a server that had a Telnet service up and running; needless to say, it was my way in. A developer enabled this for a project and forgot to disable it later. Humans… They are always the weakest link.</p>
<p>We want to map the ports open, the services behind those ports, operating systems, web server software, database software, versions of the software, email servers, file transfer services, etc. Once we have this information we can perform a very simple and fast vulnerability assessment and see what is exploitable right then and there. Sometimes this is all it takes, but most of the time it&#8217;s more complicated than this.</p>
<p>There are countless tools to do this, some open source, some commercial. Check online for more information.</p>
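<p><em>Added example, not code from the original post:</em> the port/service/version mapping described here (and the &#8220;Infrastructure&#8221; focus in Part 2, where a Windows 2003 / IIS / MS SQL stack is turned into a list of candidate vulnerabilities) produces a lot of output, and the &#8220;very simple and fast vulnerability assessment&#8221; is easier if the scan is parsed rather than read. The Python below reads the XML that <code>nmap -sV -O -oX</code> writes, keeps only hosts that are up and ports that are open, flags services that should never face the internet (the forgotten Telnet daemon from the story above is exactly this case), and produces a de-duplicated product/version list to look up. The scan file is constructed for the example, using documentation addresses and a hypothetical <code>www.example-corp.com</code>; the set of services flagged as risky is my own choice, not nmap&#8217;s.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -O -oX scan.xml <range>` output, trimmed to
# the elements this parser reads. Addresses are from the documentation range.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 198.51.100.0/28">
  <host>
    <status state="up"/>
    <address addr="198.51.100.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example-corp.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="6.0"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="Microsoft IIS httpd" version="6.0" tunnel="ssl"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server 2005" version="9.00.3042"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2003 SP1 or SP2" accuracy="96"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="198.51.100.23" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.0.5"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="Linux telnetd"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="198.51.100.24" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Services that should not face the internet, or that send credentials in the
# clear; my own list, the first things to look at after a scan.
RISKY_SERVICES = {
    "telnet": "cleartext remote login",
    "ftp": "cleartext credentials",
    "rlogin": "cleartext remote login",
    "ms-sql-s": "database listener exposed",
    "mysql": "database listener exposed",
    "microsoft-ds": "SMB exposed",
    "vnc": "remote desktop exposed",
}


def parse_nmap(xml_text):
    """Turn nmap XML into a list of hosts that are up, with open ports only."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        address = host.find("address[@addrtype='ipv4']")
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            attrs = service.attrib if service is not None else {}
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": attrs.get("name", ""),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
            })
        hosts.append({
            "addr": address.get("addr") if address is not None else None,
            "hostname": hostname.get("name") if hostname is not None else None,
            "os": osmatch.get("name") if osmatch is not None else None,
            "ports": ports,
        })
    return hosts


def flag_findings(hosts):
    """(addr, port, service, reason) for every open port running a risky service."""
    findings = []
    for h in hosts:
        for p in h["ports"]:
            reason = RISKY_SERVICES.get(p["service"])
            if reason:
                findings.append((h["addr"], p["port"], p["service"], reason))
    return findings


def inventory(hosts):
    """Sorted, de-duplicated product/version strings to check against
    vulnerability databases: the 'fast vulnerability assessment' step."""
    seen = set()
    for h in hosts:
        for p in h["ports"]:
            if p["product"]:
                seen.add(f'{p["product"]} {p["version"]}'.strip())
    return sorted(seen)


if __name__ == "__main__":
    hosts = parse_nmap(SAMPLE_NMAP_XML)
    for h in hosts:
        print(f'{h["addr"]} ({h["hostname"] or "no PTR"}) os={h["os"]}')
        for p in h["ports"]:
            print(f'  {p["port"]}/{p["proto"]} {p["service"]} {p["product"]} {p["version"]}'.rstrip())
    for addr, port, svc, reason in flag_findings(hosts):
        print(f"FLAG {addr}:{port} {svc}: {reason}")
    print("look up:", inventory(hosts))
```

<p>Feed it a real <code>-oX</code> file in place of the sample and the flagged list is where to start; the inventory list is what gets searched for public exploits (an IIS 6.0 on Windows 2003 with SQL Server 2005 is the kind of stack Part 2 talks about pinpointing).</p>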
<h3>Physical Recon</h3>
<p>Now for the physical part. If we&#8217;re considering the possibility of a physical penetration we need to recon the target.</p>
<p>I usually divide the recon into two different methods: covert and overt. In a covert recon you&#8217;re usually either away from the target, using binos or scopes to surveil the target, or you are performing recon at night completely hidden. An overt recon usually means walking into the target&#8217;s premises and pretending to be someone you&#8217;re not, while trying to collect as much information as you can by either observing or talking to people (social engineering).</p>
<p>During a physical recon I would also perform a scan of the premises for any wireless, bluetooth or other RF that I can find. Many times during projects I found open wireless access points and routers. I logged right into them and used them as a channel in. As part of the kit, it&#8217;s useful to not only have a lightweight laptop during a physical recon, but also a wireless signal finder/scanner, wifi antenna booster, a good set of stumblers and other software to map all the signals you might find.</p>
<p>I found it very useful to perform a physical recon with a team of 2 or 3 members. You can send one around the premises to check any possible ways in (in case we need a covert entry), while the others maintain a tight surveillance. Key items to map are dress code of employees, badges or IDs they have, working hours, guards and their schedule, different access points to the building, daily activities (day &amp; night) and also paying attention to trash collection, product delivery, etc.</p>
<h3>Equipment</h3>
<p>A good camera, scopes and other observation gear is needed here. Usually hunting stores have great gear you can get. All this will provide a clear picture of what&#8217;s going on around the building, but not inside. Like I mentioned, sometimes you have to perform an overt recon.</p>
<p>For these, I find it very useful to have a small voice recorder and have it on as soon as you walk in. It will record any information people might give you, while also recording atmospherics: a loudspeaker announcing company news or the name of an employee, normal working noise, etc.</p>
<p><a href="http://www.itstactical.com/wp-content/uploads/2012/07/RedTeams03.jpg"><img class="aligncenter size-large wp-image-12416" title="RedTeams03" alt="" src="http://www.itstactical.com/wp-content/uploads/2012/07/RedTeams03-510x381.jpg" width="510" height="381" /></a></p>
<p>Also carry a USB or a small wireless card with you; sometimes during the recon you&#8217;ll find yourself in the position of having brief access to a computer inside the company. Plug in that wireless router/card (pre-configured to a certain name/password) and try connecting to it later when you leave. Carry a set of lock picking tools; I like the <a href="http://www.itstactical.com/store/bogota-entry-toolset/">Bogota Entry Toolset</a>. It&#8217;s small, easy to conceal and in most cases works like a charm.</p>
<p>Also, I like to carry a small LED light, which is useful to check inside server racks and other tight spots, a small knife, a pen and a notepad.</p>
<p><a href="http://www.itstactical.com/wp-content/uploads/2012/07/RedTeams041.jpg"><img class="aligncenter size-large wp-image-12419" title="RedTeams04" alt="" src="http://www.itstactical.com/wp-content/uploads/2012/07/RedTeams041-510x380.jpg" width="510" height="380" /></a></p>
<p>Pen and paper might seem a bit outdated, but it&#8217;s a great way to create a sketch of the site: doors, elevators, access points, guard and camera locations, etc. It&#8217;s an invaluable tool for a physical recon.</p>
<h2>Summary</h2>
<p>We&#8217;ve just gone through the initial information gathering and recon phase. This is a critical phase and can make or break our operation.</p>
<p>You need knowledge to perform the technical part, but overall you have to be creative. Think outside the box, think like an attacker, try to figure out what they would do to gather information. For example, large corporations usually have a cafeteria or restaurant inside their building. This is a weak spot during lunch time, with a lot of activity. You could sneak in dressed as a cook, or even a server and you&#8217;re inside.</p>
<p>Bend the rules.</p>
<p><em>Stay tuned for part 2 where we&#8217;ll talk about analyzing the data gathered during our recon, as well as the planning and execution of a dry run!</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itstactical.com/digicom/security/inside-red-team-operations-part-1-planning-recon-and-equipment/feed/</wfw:commentRss>
		<slash:comments>20</slash:comments>
	
		<series:name><![CDATA[Inside Red Team Operations]]></series:name>
	</item>
	</channel>
</rss>
