Note: I haven't made 15 posts yet so the pictures can be found in the distorted URLs.
There is no such thing as irrelevant information ~ Muts
During the information gathering stage (if possible) I visit the target for some reconnaissance work in a process that involves exploration and inference. In this case I examined a telecommunications centre which houses a base transceiver station(cell site) and a virtual switchboard. All of this was done with permission. This is a simple overview of my methodology and the purpose of it is to demonstrate how trifles can turn out to be useful pieces of information.
1) Gloves: I don't need to explain this one?
2) Knife: For cutting bags
3) Torch: A portable light with a magnifying glass(good for poorly written scribbles)
4) Folder, backpack or plastic bag(I prefer the latter)
5) Digital camera: Indispensable.
I usually put on clothes which give me the air of a vagrant but I don't exaggerate it. I'll wear a cheap rain jacket, torn jeans, a hood and I'll remove my glasses and mess up my goatee beard. This will avail against prying eyes since I'll just look like a bum rummaging the garbage for recyclable materials and/or food. Why is this important? because I don't want to produce the impression of an document/identity thief.
Even in the days of the paper shredder it's very likely you'll find whole documents, letters and all sorts of memorandums. From this we can collect names of employees and customers, phone numbers, email addresses, material on office routines, schedules and so on and so forth. I addition to useful info I can also deduce recent activities. Let's take a look.
Note the abundance of twisted pair cabling that is on top; could this be just old wires? or perhaps a change in equipment?
Lying below the bag of wiring on the left side I found a box--- on it is an address of a seller and manufacturer of computer equipment and in addition on the post label there is a content description stating "modular connectors". From this I can deduce that they have indeed been improving their network and this could be fodder for a social engineering attack.
And finally paper, white gold. I always stress my search for crumpled and/or torn notes.
From all this I found the following:
9 Employee names
More assorted names and phone numbers to count. Customers perhaps?
3 work schedules
A paper with the IPs of local hosts scribbled on them, as well as other connection config info.
A document with electronic consumption measurements.
An employment application.
A crumpled post-it-note with a username and password from a web-app of their site.
An internal "staff only" URL
I have an eye open for aberrations, I view this as fodder for social engineering attacks. I also peek inside for anything that could be of use.
Trouble with your antenna? Here I'm allowed to draw the conclusion that their TV reception is poor. This could be useful fodder for an SE attack; I could ascertain who's behind their TV service and impersonate a service rep stating that he detects that their television converter box or set-top box is receiving a sub-par signal and thus send them an email containing guidelines on improving their signal. This email could be a vehicle for a backdoor payload or contain links to sham sites on improving the signal or maybe even a manual of whatever set-top unit they are using. Remember, being elaborate is a key element.
May not be clear on photo but they are all running Win XP Pro. Earlier that evening I saw that the monitor at the anterior was displaying the latest version of Internet Explorer and MSN messenger.
Now I know who is providing security.
Hmm... vandalism? maybe they are not doing such a good job. Here I can make a telephone call or send a sham email from a competing security guard services provider or maybe even send an email from Securitas themselves and use the vandalism examples as a basis for a proposition for increased patrolling and in the process implement an attack similar to the one with the antenna problem.
The lights are turned on at 3:00 in the morning?
Nice, a whiteboard. Here I learnt important topics which are evidently under discussion at this business. In this case they were looking for buyers for a telephone directory service. This is something which I could avail myself of, such as shammed interest in this product as a pretext to gain more info or maybe even access(which I eventually did).
In just 30 minutes I acquired a good chunk of information without any key strokes, which aided me very well latter on in the attack. I am happy to announce that I successfully penetrated several computers at this company using mostly what I observed on the physical site. I did proposed to them the following solutions:
1. Use paper shredders
2. Turn your damn lights off.
3. Be more circumspect with phonecalls and emails pertaining to problems visible from the outside.
If you live in the same or an adjacent city you could give this a try. It's quite a thrill.