Thread: Social Engineering to gain VPN and domain admin

  1. #1
    williamc (Good friend of the forums)
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285

    Social Engineering to gain VPN and domain admin

    I recently completed an engagement for my company where the objective was to see whether a social engineering attack would be successful against the client. There were few restrictions, only that we keep the contact informed of our "nefarious plans".

    Recon
    To start, I searched LinkedIn for any email addresses of company personnel. I found about 40 people and put each email address into a text file. Next, I ran the Harvester tool to extract email accounts from Google and PGP (http://www.edge-security.com/theHarvester.php).

    Parsing through the results, I realized I had my contact's information in the results. This made the attack fit into a real-world scenario. (I don't like performing social engineering with company-provided information; it makes it seem like cheating.)

    The attack
    I informed our contact that I would be using his information and calling the help desk to gain access. He didn't think this would work, but gave me the go-ahead to "do whatever you want". Not a good thing to tell someone they can do anything, but we will get to the reason later.

    I went to the company website and looked for the Help Desk phone number. It wasn't present, but they did provide a 1-800 number. I called it and asked for my contact's direct number (like I said above, no provided information, do it all yourself). They wouldn't provide it, as it was against company policy. Fine, I said, please connect me. I hung up. I called back: "They aren't answering and I really need to talk to someone, can you transfer me to someone in their department?" I was transferred to someone and asked them for my contact's direct number. They were happy to oblige.

    Now the fun part. I have the contact's email and phone number. I call back to the 1-800 number and ask for the help desk. Once connected, I get their direct number and ask for someone to connect me to remote access assistance. They say "that would be the Security Group" and transfer me.

    The Attack
    The Security Group asks me how they can assist. I say that I'm looking to create a VPN account for a contractor. What steps are necessary? They say to provide the request via company email and they would send a verification email that would need to be responded to. That would be a problem I tell them, as I'm working remotely and only have my blackberry. They can't help me.

    Call #2. I call the help desk as my contact and ask them to create a ticket for my email. I tell them that it's not working. They ask me for my SSN and I tell them I'm boarding a plane and I'm in a public location and I don't feel comfortable giving it out. They proceed with creating a ticket for my email. I ask for the ticket number and give them my cell phone number, since I'm traveling. Then I hang up.

    Call #3. I call the help desk as my contact and ask for the status of the ticket. They respond it is with the email group. I get transferred. I once again tell them "I'm at an airport... blah blah" so I don't verify my identity. I tell them I can't access my email to verify a new account request that I needed for a new contractor. They say the ticket needs to be escalated. I tell them I'm traveling, they respond "we have your cell number in the ticket". Sweet!

    Call #4. I receive a call from Security (the same guy I spoke to in call #1) saying we will have to reset the Lotus Notes ID file on my computer. I tell him that I'm traveling and he would have to send it to my Gmail account. At this point, he asked to verify my identity. I once again pull the airport excuse. They proceed to email the Notes ID and new password to my Gmail account. Now my contact cannot access his mail (at least until he calls to reset legitimately).

    Call #5. Now I must hurry. I can create tickets and requests without an email being read by the contact. I call in to the help desk as the contact and ask them to create a VPN account as my contact. They say the same thing: "we have to email the request to you to sign". Fine, do it, I'm in a hurry.

    Call #6. I call back as my contact, pissed off. "Where the hell is the request? I have to fly out and nothing has arrived. Does this have something to do with my email problems from earlier?" (giving them the case number). Yes, they say, that would be the reason, and they can't approve it without the email verification. I ask that they complete the verification verbally with me and they refuse. I ask to escalate to their supervisor. I explain the problem to them and they said they would personally take care of the problem. I tell them I'm leaving on a plane in a few minutes to see the contractor (that would be me) and it needs to be done by the time I arrive.

    Call #7. My cell gets a call from Security asking if I requested a VPN account. I tell them my email is down and I need access for my contractor. They once again say that it needs to be done via email.

    Call #8. I call in as myself and reference the five case numbers to the help desk person. I beg them to help me out, as I'm on the clock and haven't been able to get any work done. They see all the requests and transfer me to Security (crap). I get a different person who listens to my story. They feel bad and give me a temporary username and password to the VPN. Thanks!

    I connect and use the Notes ID to open my contact's email. I approve the request submitted and complain about poor customer service. At this time the contact calls me asking if I did something to his email. Hmm, yes I did. Here is your new password (hahaha).

    With the VPN access, I can view all of their domains. There is no restriction. I run mbenum to find "SQL Server" and then SQLPing to search for sa/blank. I find 18 servers with misconfigured SQL. I use OSQL to create my own account and GSecdump to dump the hashes. After all is done I find a hash for a domain administrator. I put this hash through Plain-text.info rainbow tables and have the DA password. I log in to the DC and dump the hashes for the entire user base.

    By this time, the client calls me back, just having fixed his email. He asks "were you successful with your calls?". I tell him the story and there is dead silence. He doesn't believe me. I connect to his PC with VNC (I did a limited port scan earlier that revealed ports 5800/5900). I used the cqure VNC password decrypter to get the universal password for VNC and used the DA account for authentication. I connect and take control of his desktop. I open notepad and type "Believe me now?".

    The End.
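    As an added defensive check (not part of williamc's post), the following T-SQL audits a single SQL Server instance for the weakness the SQLPing step above turned up, SQL logins with a blank password, plus the related sa settings a defender would want to confirm. It assumes SQL Server 2005 or later and sysadmin rights on the instance; the remediation password is a placeholder.

```sql
-- Added example (not from the original post): audit one SQL Server instance
-- for the misconfiguration exploited above (sa / blank password) and the
-- related settings that make it dangerous. Assumes SQL Server 2005+ and
-- sysadmin (or CONTROL SERVER) so that password_hash is readable.

-- 1. SQL logins whose password is empty. PWDCOMPARE returns 1 when the
--    clear-text value matches the stored hash, so '' flags blank passwords.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 2. SQL logins whose password equals the login name (the other trivial
--    guess a scanner tries first).
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE(name, password_hash) = 1;

-- 3. State of the built-in sa account (principal_id 1). Enabled and still
--    named 'sa' means one well-known target on every instance found by mbenum.
SELECT name, is_disabled, is_policy_checked
FROM sys.sql_logins
WHERE principal_id = 1;

-- 4. Authentication mode: 1 = Windows authentication only (SQL logins such
--    as sa cannot be used over the network), 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 5. Remediation on a flagged instance: set a strong password with policy
--    enforcement, then disable sa entirely where nothing depends on it.
--    '<placeholder>' must be replaced; it is not a real password.
ALTER LOGIN sa WITH PASSWORD = '<placeholder>', CHECK_POLICY = ON;
ALTER LOGIN sa DISABLE;
```

Run the four SELECTs against every instance mbenum-style discovery finds; any row from query 1 or 2 is the same finding the post reports on 18 servers.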

  2. #2
    fastboi
    Guest


    and then your mother wakes you up and says "time to go to school my little boy"... :P

  3. #3
    Junior Member
    Join Date
    May 2008
    Posts
    56


    Wow! That was awesome, "Believe me now?". I think we should have a sub-forum on here where members can write out an outline of their testing, so newbies like myself can see how everything is done. I enjoyed this.
    A+
    Network +
    Security +
    Linux +

    Work in progress: Saving for OSCP

    Currently reading:Hacking-The Art Of Exploitation.

  4. #4
    Virchanza (Very good friend of the forum)
    Join Date
    Jan 2010
    Posts
    863


    This is the first time I've heard the term "social engineering"; I did a quick Wikipedia search of it just there. I'm a little puzzled because it has nothing to do with engineering. I use the term "conning" to describe your actions. It's definitely a skill and some people are brilliant at it, but I don't see how it can be referred to as a form of engineering. Here's one well-accepted definition of "engineering":

    The creative application of scientific principles to design or develop structures, machines, apparatus, or manufacturing processes, or works utilizing them singly or in combination; or to construct or operate the same with full cognizance of their design; or to forecast their behavior under specific operating conditions; all as respects an intended function, economics of operation and safety to life and property.
    Anyway, in response to the original poster: Good work! Quite the con!
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  5. #5
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008


    Social engineering at its best and a very entertaining read. Would have loved to be able to see the poor guy's face when the words popped up in notepad.
    Quote Originally Posted by Virchanza View Post
    This is the first time I've heard the term "social engineering"; I did a quick Wikipedia search of it just there. I'm a little puzzled because it has nothing to do with engineering. I use the term "conning" to describe your actions. It's definitely a skill and some people are brilliant at it, but I don't see how it can be referred to as a form of engineering. Here's one well-accepted definition of "engineering":
    Actually I find the term social engineering to be rather fitting and self-explanatory. Here is a broader definition of engineering which at least fits together with the word social:
    Quote Originally Posted by http://wordnet.princeton.edu/perl/webwn?s=engineering
    Engineering is the discipline dealing with the art or science of applying scientific knowledge to practical problems
    But personally I do not even find the definition you quote to be too unfitting.
    -Monkeys are like nature's humans.

  6. #6
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425


    You still trying social engineering, williamc? Nice post.

  7. #7
    Member
    Join Date
    Nov 2007
    Posts
    220


    Fantastic post!!!
    wtf?

  8. #8
    Amlord1 (Junior Member)
    Join Date
    Nov 2008
    Posts
    78


    Quote Originally Posted by Virchanza View Post
    This is the first time I've heard the term "social engineering"; I did a quick Wikipedia search of it just there. I'm a little puzzled because it has nothing to do with engineering. I use the term "conning" to describe your actions. It's definitely a skill and some people are brilliant at it, but I don't see how it can be referred to as a form of engineering. Here's one well-accepted definition of "engineering":
    Anyway, in response to the original poster: Good work! Quite the con!
    It is social engineering. It has a lot to do with psychology. First, you need to know what the person you're trying to get information from is going to ask you. This comes with experience, BUT.. a lot of it is pretty obvious. Look up Tiger Team on YouTube. They are the 1337... But then again, this was a really good job as well. "Hacking" is only part of most operations. If you can get the information you need just by asking, then why not?
    Originally Posted by pureh@te
    You may think its stupid but when you are posting online sometimes spelling, grammar and thought put into the content of your posts is the only thing people have to measure you by and to determine the level of seriousness they should give you. So with that in mind I'd say "Yes" its pretty important.

  9. #9
    Virchanza (Very good friend of the forum)
    Join Date
    Jan 2010
    Posts
    863


    Quote Originally Posted by Amlord1 View Post
    It is social engineering. It has a lot to do with psychology.
    Psychology is Engineering?

    I think the term "Social Engineering" was born because people wanted to put a more sophisticated and less seedy slant on "Conning". When I think of engineering, funnily enough I think of people producing an engine. It's about designing, testing, making a prototype, producing the finished product.

    I've never been a fan of calling a spade an ice cream scoop, but if you want a more pleasant term for "Conning" then maybe "Confidence Psychology" or something like that would work.

    The following is an interesting read: http://en.wikipedia.org/wiki/Confidence_trick
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  10. #10
    NoobBiscUiT (Junior Member)
    Join Date
    Jun 2007
    Posts
    58


    Wow, awesome post, thank you. Very enjoyable read.

    I also think another section that tells success stories like this would be great.
    Become the change you seek in the world. - Gandhi
    The important thing is not to stop questioning. - Albert Einstein
    Don't judge the unknown - Grindordie
