My name is Steven and I have been working at tSF for 4 years now. TSF regularly gets asked to perform social engineering assignments for customers. Often I am the person assigned to execute these assignments.
I would like to provide you with the story of one of my black box social engineering assignments. In order not to give away any information about our client, I will use the fictitious company name ‘Funda’ with John as its CEO throughout this post.
It all started with an introductory meeting with John, the CEO at Funda. The assignment was very clear: perform a full social engineering exercise on our sites and see how much damage you could do without actually exploiting it. The only person who knew about this was John himself and no hints or additional information was shared with us. Furthermore, all physical social engineering practices were in scope (evidentially, we coordinated all our scenarios and plans with John anyway before the execution phase).
From the moment I started the assignment, it was very important to get as much information of Funda as possible. This brought us at our first major phase, the digital enumeration phase: The information gathering began with collecting company and employee information. This included collecting lists of employees, the geographic locations of each office, and creating detailed profiles of each employee.
Now that I had formed a geographic picture of all of the company’s locations, and thus had already created a picture of possible entrances to the sites, it was time to turn assumptions into facts. This ensured that we arrived at the physical on-site reconnaissance phase.
Initially, I made sure that I had classified all the collected data neatly and had it with me when going to the premises of Funda.
I left very early in the morning to visit all the sites and to get a clear picture of how much movement there was in and around the building. It was also important to map out all possible entrances and exits in order to move on to the next step. To limit this blog post, I’m only going to map out the physical scenario from the main site of Funda.
Upon arriving at Funda’s main site, it quickly became clear that there were not many options. The entire building was protected by a 3rd party security company. In total, there were three options. The main entrance, the vendor entrance and the secure underground parking lot.
During the physical reconnaissance exercise, we took numerous photos showing all the cameras in place.
Since there was occasional movement at the supplier’s entrance by some workers and a supplier who all had badges, I decided to use this as the first option in our next phase, physically entering the building.
When I got back to the tSF offices, I went through all the photos and created a scenario that would be as believable as possible.
The plan was to present myself as an employee of a fictious company named “Elektro Bavari”. A credible website was created in advance together with a sweater on which ‘Elektro Bavari’ was printed. I also made a work order that was signed (obviously not a real signature) by John, the CEO of Funda. If people were to ask questions, I prepared a story in which I indicated that I had to make some adjustments to the electricity throughout the building and then carry out an electrical re-inspection of the electrical installation. This in itself should give us some extra leeway if people see us entering electrical installation rooms or data rooms.
Should I not get in through the vendor entrance, I still had a backup plan to tailgate with people through the garages or if that didn’t work, I would try to get in through the front. The third option, however, our goal was to piggyback through the side door used by vendors, I made sure I was definitely on time to increase our chances of success. At 06:10 I arrived at the main Funda building. Since there were no lights switched on in the building, it appeared that we were well on time. After waiting in the car for a while, I saw the same vendor arriving at 8AM who I already noticed during the physical reconnaissance exercise.
We got out, unloaded equipment, and piggybacked the supplier. While piggybacking, I pretended that I was on the phone with my (fictional) colleague who was already in the building. This would ensure increased credibility that we were effectively allowed to be in the building .
The vendor in question asked no questions and simply let me in. To use the elevator in the building, it was necessary to use a badge. However, we could use the stairwell which gave us access to each floor. In subsequent actions, I walked down each floor looking for sensitive data like post-it’s with passwords for example.
In the end I got out through the same door with a lot of evidence. I had access to certain servers, unlocked computers, post-its with passwords, documents, printed mails with passwords and much more.
Conclusion: Operation Funda was a successful exercise for us.
Steven Verscheure – Social Engineer/Ethical Hacker @ tSF
Want to get acquainted with ethical hacking or social engineering, learn more about how Steven and the tSF team can help you?
