
Seven Deadliest USB Attacks, part 9


DOCUMENT INFORMATION

Basic information

Format
Pages: 23
Size: 315.26 KB

Content

Chapter 6: Pod Slurping

Mitigating Measures

Drive Mapping

Environments with this ability enabled allow users to transfer any data from client to server or vice versa. This opens the door for leakage scenarios and also provides the ability to upload malicious code unknowingly or intentionally. Windows Terminal Service is able to prevent local drive mapping on the target sessions. These settings can be adjusted by toggling the following GPO item.

• Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection

Citrix, BlueCoat RA, and Sun SGD are all able to modify this behavior. Due to resource testing limitations and version variance, we will only include Windows-related corrective actions where applicable.

Disabling Clipboard Pasting

The copy and paste feature within Windows can be very useful, but it is also another vulnerable area. Administrators rely heavily on this feature to perform basic daily functions, so its removal will not come without a cost. Disabling it has the potential to decrease administrative efficiency, increase outage times, and limit troubleshooting, which could be financially devastating depending on the circumstances involved. Administrators often make use of this feature to copy database query results, logs for vendor troubleshooting, or any number of normal tasks often considered mundane. A Windows Group Policy option is available for disabling clipboard redirection in Terminal Services. The location is provided below should you feel the need to exercise this option.

• Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection\Do not allow clipboard redirection

Disabling this entirely on the host system can be more difficult. There are a few third-party resources that provide free utilities that can govern this function. Prevent is a freeware application that will allow you to selectively customize the clipboard features.[X] Citrix, BlueCoat RA, and Sun SGD can also restrict this behavior.

Disabling Screen Printing

This vulnerability stems from the host operating system’s ability to take screenshots of the session information on the desktop. This approach to data theft is cumbersome and labor-intensive, but it does pose a potential liability. This issue is difficult to address because it is also beneficial, especially when troubleshooting systemic issues. Windows, Citrix, and Sun SGD do not provide mechanisms to prevent this, although BlueCoat RA does.[Y]

A workaround is available to disable the screen-print function entirely on Windows systems, but the risk still persists. Phones and other hand-held devices now include onboard cameras that can be used to capture static or motion shots from any screen in range. This factor should be considered when deciding the necessary restrictions to impose on an environment. If you decide that disabling the screen-print feature is required, the option below is available on Windows 2000 and XP systems.

1. Open the Registry Editor by going to Start, Run, then type regedit in the Run box.
2. Locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout
3. Create a new binary value named ScanCode Map.
4. Set the ScanCode Map to the following value: 0000000000000000040000002AE037E0000037E00000540000000000
5. Reset your computer, and the screen-print function should be disabled.

X www.softpedia.com/get/System/System-Miscellaneous/Prevent.shtml
Y www.bluecoat.com/doc/529

EPIC FAIL
Reliance on file-, folder-, and partition-level encryption will not prevent these attacks from occurring. Encryption and decryption functions are often transparent to an authenticated user and applications, depending on the particular configuration.
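Step 4 above has you paste a raw hex string into the ScanCode Map value without any way to see what it does. The Python below is an added example for this page, not code from the book: it decodes the chapter's value into its individual remappings, validates the header, entry count and terminator, and rebuilds the value from a list of (original, replacement) scan codes so a different key set can be produced the same way. The only page-derived datum is the hex string itself; the scan code names in the lookup table come from the standard PS/2 Set-1 tables and are an assumption of this example.

```python
"""Decode and rebuild a Windows 'Scancode Map' registry value.

Added example for this page; not code from the book. PAGE_VALUE_HEX is the
value quoted in the chapter; the scan code names are assumptions taken from
the PS/2 Set-1 tables.
"""
import struct

# The value the chapter tells you to create under
# HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout\ScanCode Map.
PAGE_VALUE_HEX = "0000000000000000040000002AE037E0000037E00000540000000000"

# Human names for the scan codes that appear in that value.
SCANCODE_NAMES = {
    0xE037: "Print Screen",
    0xE02A: "Print Screen fake-shift prefix",
    0x0054: "SysRq (Alt+Print Screen)",
    0x0000: "none (key disabled)",
}


def decode_scancode_map(blob: bytes) -> list:
    """Return [(original_scancode, new_scancode), ...] or raise ValueError.

    Layout (all little-endian DWORDs): version, flags, entry count, entries,
    with the last entry a zero terminator that is included in the count.
    Each entry packs the replacement code in the low word and the original
    code in the high word; a replacement of 0x0000 disables the key.
    """
    if len(blob) < 16 or len(blob) % 4:
        raise ValueError("value must be at least 16 bytes and a multiple of 4")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version or flags:
        raise ValueError("header version and flags must be zero")
    if count < 1 or len(blob) != 12 + 4 * count:
        raise ValueError(f"count {count} does not match {len(blob)} bytes")
    entries = struct.unpack_from(f"<{count}I", blob, 12)
    if entries[-1] != 0:
        raise ValueError("map must end with a zero terminator entry")
    return [(dword >> 16, dword & 0xFFFF) for dword in entries[:-1]]


def encode_scancode_map(mappings) -> bytes:
    """Inverse of decode_scancode_map: build the value from (original, new) pairs."""
    out = struct.pack("<III", 0, 0, len(mappings) + 1)
    for original, new in mappings:
        out += struct.pack("<I", ((original & 0xFFFF) << 16) | (new & 0xFFFF))
    return out + struct.pack("<I", 0)


def describe(blob: bytes) -> list:
    """One readable line per remapping, for review before the value is deployed."""
    lines = []
    for original, new in decode_scancode_map(blob):
        lines.append(f"0x{original:04X} {SCANCODE_NAMES.get(original, '?')} -> "
                     f"0x{new:04X} {SCANCODE_NAMES.get(new, '?')}")
    return lines


if __name__ == "__main__":
    blob = bytes.fromhex(PAGE_VALUE_HEX)
    print("\n".join(describe(blob)))
    # Round trip: re-encoding the decoded mappings must give back the page's value.
    assert encode_scancode_map(decode_scancode_map(blob)).hex().upper() == PAGE_VALUE_HEX
```

Run as a script it lists the three entries carried by the chapter's value (Print Screen to the E0 2A prefix, Print Screen to nothing, and SysRq to nothing) and confirms the round trip. Because the strict checks reject a truncated or miscounted blob, the same decoder can be pointed at a value exported from a machine to confirm that only the intended keys are touched, which is the review a practitioner wants before pushing a keyboard remap by policy.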
Encrypted packages can be copied in their current state, allowing for offline deciphering.

TIP
These instructions apply to U.S. keyboard mappings only; be sure to validate values for non-U.S. keyboards where applicable. The scancode values are used to map keyboard buttons. By remapping the Print Screen and Alt-Print Screen values to null, these functions are essentially disabled.

NOTE
If the users are administrators of their own computers, they will have the ability to revert to the original scancode settings. This change will prevent a user from taking screenshots on the local computer, which also removes the possibility of capturing thin client sessions. It will not remove the ability of applications designed to render screen images. You must also rid your environment of these applications to close this gap.

Hijacking an iPhone

While jailbreaking your iPhone can provide you with enhanced features and applications, it can also open up additional vulnerabilities. A recent example of this comes from a Dutch cracker who took the freed phones hostage, demanding ransom for release.[Z] He deployed a port-scanning technique to identify those who had broken out of jail and then sent them the SMS message depicted in Figure 6.15. Users were directed to a Web site and forced to pay for the corrective actions. The Dutch cracker converted to a hacker with a sudden change of heart and decided to release the mitigating procedures on the Web site for free.[AA] This attack exploited the default passwords in the OpenSSH client that is commonly installed after breaking from jail. Both the mobile and the root accounts are set with the default password of alpine. Disabling or uninstalling the client is the easiest prevention technique that can be implemented. If OpenSSH is needed, these passwords can be changed to prevent this type of incident from occurring. The following procedures outline the necessary steps to accomplish this.
These steps assume you have a jailbroken iPhone with Cydia and OpenSSH installed.

FIGURE 6.15 Jailbroken iPhone Extortion Message

Z www.wired.com/gadgetlab/2009/11/iphone-hacker/
AA http://mr09.fileave.com/

1. In your iPhone, locate the Cydia application and use the search feature to find MobileTerminal, as seen in Figure 6.16.
2. Once found, install MobileTerminal on the iPhone and then reboot your iPhone.
3. After the iPhone initializes from reset, locate and open the MobileTerminal application.
4. Type the command passwd, as shown in Figure 6.17.
5. Enter the existing password, which should still be set to the default of alpine, then press Return.
6. Enter the new password when prompted and then press Return. Enter the password again for confirmation, and then press Return again. Your mobile account password has just been changed.
7. Now type login at the prompt and press Return. Type root at the prompt and press Return again.
8. Repeat the procedures outlined in steps 4 through 6, and your OpenSSH root account password will also be changed.

FIGURE 6.16 Cydia Search Results for MobileTerminal

You have now changed the root and mobile default account passwords for OpenSSH. Take heed when installing programs and perform due diligence when electing to download any other applications onto your iPhone, jailbroken or not.

SUMMARY

From a corporate standpoint, expulsion of these devices entirely could contradict the outcome it is intended to provide. Mobile phones and other memory-based gadgets are entrenched as an essential part of the enterprise and our daily lives. A sudden policy change enforcing their banishment could decrease morale, spike interest, or even lead to disgruntled behaviors. The lines between what can be beneficial or detrimental are twisting together more than ever. It is becoming increasingly difficult to determine which of the latest improvised illusions actually pose a true hazard.
Adaptations of these attacks are evolving with increasing velocity, and the best thing we can do is constantly strive for enhanced awareness.

FIGURE 6.17 Cydia Search Results for MobileTerminal

CHAPTER 7
Social Engineering and USB Come Together for a Brutal Attack

INFORMATION IN THIS CHAPTER
• Brain Games
• Hacking the Wetware
• Elevated Hazards
• Generations of Influences
• Thwarting These Behaviors

The art form known as social engineering is often used to manipulate individuals or social groups through the use of conversation, digital coercion, or other deceptive techniques. These tactics are commonly employed to persuade people to perform actions or divulge information they would not under normal circumstances. Some define this as a pure intelligence-gathering mechanism, although the meaning is vast and has minimal boundaries. Just as governments use social engineering to shape and manage fundamental aspects of our society, criminals and security professionals employ a similar strategy. In this chapter, we will explore the body of knowledge commonly known as social engineering twisted into a penetration-testing perspective. We will gaze into these evolving fields, provide practical examples, build a portable penetration platform, and discuss how to combat these clever confrontations.
While social engineering and penetration philosophies have been around for several millennia, each is continually evolving and adapting to the information technology scene. Social engineering can generally be considered a subject under the broader spectrum of social sciences. While the social sciences definition typically refers to large-scale applications, the concept of influencing attitudes, popular beliefs, behaviors, and resources ports quite nicely into the technological sector.

BRAIN GAMES

An examination of your own actions in everyday situations will present a number of social engineering circumstances. Everyone engages in these activities during daily interactions both at work and in our personal lives. These can range from the temper tantrums toddlers deploy for that needless toy to spousal affirmations commonly used to keep oneself free from an undesirable dilemma. Job interviews, promotional boards, and even common customer interactions can all be viewed as forms of social engineering.

Large-scale executions of social engineering endeavors can be found around the world. The city of Las Vegas is a prime example of an entire location teeming with these tantalizing tactics. Everything from the glamorous performances, delectable foods, and complimentary beverages to each building’s architectural design and decor is meant to influence or manipulate men, women, and children. While these are a far cry from the common Jedi mind tricks, they still speak to the broader definition of the term and illustrate the exploitation of our psychological nakedness.

Perhaps the most infamous social engineer known among the hacking and law-enforcement communities is Kevin Mitnick. Considered a master of phone phreaking, Kevin thrived in an underground culture and got his start by exploiting bus punch-card systems for free rides. Phone phreakers are regarded as technology enthusiasts who dedicate an enormous amount of time to learning, testing, and exploiting telephone networks. While much of their work involved technical expertise, a large majority of what they did included manipulating phone company employees, support personnel, and end users to achieve a desired outcome. This gravitated toward more lucrative tricks that ultimately resulted in incarceration and stiff penalties.

If you have an e-mail account, then you are likely eligible to receive millions of dollars from an overpaid procurement contract involving the Nigerian government.[A] Or maybe you have been contacted regarding qualification for lottery tickets or unpaid winnings in a foreign country. If you have not received an e-mail from them yet, then your antispam product is likely doing its job. Scam artists have used these and other ploys for years by way of telephone, physical mail, and e-mail, and have even evolved to SMS texting on mobile phones. All of these are forms of social manipulation called phishing, which have plagued the corresponding technological communication mechanisms as they are embraced by our societies.

A report issued by Kelly Higgins of Dark Reading in 2006 discussed a security engagement conducted by Joshua Perrymon that involved USB drives.[1] A Credit Union client hired their firm and specifically requested a strong focus on social engineering aspects. The client was also concerned with USB flash drives from both a data theft and a malicious code injection perspective. Taking these requirements into consideration, they devised a USB drive with a specially crafted Trojan. The Trojan was designed to grab sensitive information from a target system and send it to a remote location. The drives were then scattered around the parking lot and break areas before the employees arrived for work. Success was obtained almost instantly, and a few days later, 15 of the 20 drives had been inserted into Credit Union systems. The data gathered aided additional testing efforts and proved to provide an enormous amount of valuable data.

In 2009, a Siemens security consultant was hired by a financial services company to employ a social engineering exercise at one of their locations. The consultant was able to effortlessly obtain access to the facilities several times unchallenged by the security staff, with whom he eventually established communication on a first-name basis. Once this level of presence was established, he was also able to escort additional consultants into the building to aid in gathering information about the client. He was not only able to access desk-side material, cabinets, and other general items but also able to acquire access to the data center floor. Using a phone from a meeting room, he called various employees claiming to be IT support and was able to attain usernames and passwords from a majority of the individuals. Employees are much more trusting when a call is received from an internal location. In the article, published by SC Magazine in the United Kingdom,[B] the consultant, Collin Greenlees, made the following statement:

The scary thing is that it’s all simple stuff. It’s just confidence, looking the part and basic trickery such as ‘tailgating’ people through swipe card operated doors or, if you’re really going for it, carrying two cups of coffee and waiting for people to hold doors open for you.[2]

A www.scamdex.com/419-index.php
B www.scmagazineuk.com/

HACKING THE WETWARE

All of the attacks in this book can be applied in a social engineering fashion. In fact, USB Hacksaw, USB Switchblade, USB-Based Virus/Malicious Code Launch, and Pod Slurping will work much more effectively by including an enticing icon or suggestive content. Placement of alluring labels like staff reductions, employee salaries, or even personal items such as Vegas photos will provide temptations many will find irresistible. If autorun is disabled, this may be the only means by which a payload can be distributed. USB Device Overflow, RAM dump, and the attack outlined in this chapter can all be deployed using a socially engineered diversion to remove the individual from the location. Our minds work in very predictable and trusting patterns, and this is precisely what criminals intend to use for an advantage.

Reverse Social Engineering

Reverse social engineering is another technique used to mislead people. In these types of attacks, the perpetrator causes a problem on the objective’s system or environment. The attacker will then impersonate a technical staff member and rush to the aid of the victim. Individuals in desperate need are less likely to interrogate a helping hand. Once the mission is accomplished, the attacker would return the systems to working order. In these scenarios, the supposed support person gains the confidence and trust of those they allegedly helped.

Penetration of a Vulnerable Kind

Penetration testing is a growing trend in the technology industry and has seen a rapid evolution over the last decade. Social engineering is gradually becoming a necessary evil in these testing processes. Some debate whether social engineering should be a part of penetration testing or if the results of the testing should be used to feed separate efforts.[C] Others indicate it should be excluded altogether because it will succeed. The level of success is high, and this is precisely why the social aspect needs constant attention. While penetration testing is a measurable activity, social engineering remains an art form and can significantly differ from subject to tester.

Penetration testing is a method of evaluating and analyzing the security of a system, network, and related dependencies. Vulnerabilities, technical flaws, and innate weaknesses are the primary objectives of this process. If properly planned and accurately executed, this can be a tremendously beneficial tool in ascertaining the security posture of an environment and organization. Penetration testing can be broken down into two distinct types: internal and external. These two types have three different variations commonly referred to as black-, white-, and gray-box testing. In black-box testing, the penetrator is not provided with any information related to the organization or environment, similar to how a real attacker might approach the situation. Information is provided in white-box testing scenarios, and they usually specify areas of interest that can be in desperate need of an audit. With the gray-box types, the testers are given some knowledge of the environment to speed up the process. There can be a number of reasons for this application, although cost is usually a driving factor.

Penetration testing can be isolated into three separate phases consisting of preattack, attack, and postattack activities. In the preattack phase, testers usually perform their initial information gathering in a passive manner. This involves techniques such as dumpster diving, Internet queries (EDGAR,[D] user/news groups, social networking, and so forth), and even social engineering to some degree. Active reconnaissance is also used, which involves mapping of relative online targets, Internet profiling, fingerprinting, port scans, and receptionist cold calls for respective discoveries. Valuable information can be obtained by parsing additional Web resources like dnsreports.com, whois.domaintools.com, netcraft.com, my.ip-plus.net/tools/index.en.mpl, and many others.
The attack phase can vary depending on the customer requirements, service level agreements, and scope of work defined. From an external perspective, these activities [...]

C http://www.darknet.org.uk/2006/03/should-social-engineering-a-part-of-penetration-testing/
D www.sec.gov/edgar.shtml

[...] the premier penetration-testing package used for these engagements. It is one of the more potent platforms that combine a majority of the necessary tools to perform this job. Mati Aharoni and Max Moser initiated the development of this project,[E] which has evolved into a collaborative community effort. The initial version was designed to run from CD/DVD media for portable use on multiple platforms. It is now available for USB, VMware, dual-boot, and other options, although the persistent USB version will be covered here. The current release is version 4, which just made the final stage at the time of this writing. This release has a number of changes, the [...]

E www.csrc.nist.gov/nissc/1999/proceeding/papers/p28.pdf

[...] much to be gained and gathered from a number of other sources. When a well-planned attack includes predistribution of Switchblade/Hacksaw payloads, a wealth of information can be obtained before making an entry. Taking along a preconfigured RAM dump, specially crafted USB-Based Virus/Malicious Code Launch, Device Overflow, Pod Slurper, and data siphon (tethering [...]

[...] video) are supported as well (http://sipp.sourceforge.net/).

Backtrack Attack via USB

The picture we can paint for this attack can come in many flavors. In the “Brain Games” section of this chapter, two scenarios were described using social engineering methods to disseminate USB devices and gain access into a building. Targeted attacks, such as those directed toward administrators of systems for relevant [...]

[...] particular device, software, or other components to perform a thorough analysis of the underlying structure, operation, and functionality. The process usually involves a detailed breakdown of both hardware and software elements but can be isolated to one or the other. Table 7.8 provides a listing of the tools included and short descriptions of a few commands [...]

[...] to combine all of your favorite operating environments on a single USB drive. The following instructions will walk you through building a persistent version of Backtrack 4 on a single USB drive.

1. Insert the 2 GB flash drive and launch UNetbootin.
2. Select DiskImage and browse to the folder where you saved the bt4-final.iso file.
3. Select USB for Type and ensure the correct drive letter is associated with [...]

[...] unavailable due to Layer 2 switching. sshmitm and webmitm facilitate active man-in-the-middle attacks for redirected HTTPS and SSH traffic using weak bindings in certain PKI implementations (http://monkey.org/~dugsong/dsniff/). This brute-force tool lives up to its name by providing fast, modular, and parallel login attacks for network services. Modules included here are CVS, File Transfer Protocol (FTP), [...]

[...] Windows XP, Vista, 7, 2003, or 2008. In this example, the raw hash output from the USB Switchblade will be used to authenticate to the target system. Using the hash can be beneficial for situations where cracking may have failed (long passwords). If you did not save these logs, you will need to perform a hash extraction again with USB Switchblade, fgdump, or one of the many other tools you now have in your [...]

[...] some of its vulnerabilities. The digital file containing the conversation or voice message can be intercepted or misused in a number of ways. Table 7.9 provides a listing of the tools included and short descriptions of these commands.

Table 7.9 VoIP utilities (Backtrack VoIP tools): PcapToSip_RTP, PcapSipDump, SIPcrack, Smap, SIPp. This is a program that contains full C-source code that gives [...]

[...] Boot into Backtrack 4. Select Start Persistent Live CD when prompted.
7. Insert the 4 GB drive into the Backtrack system.
8. Type fdisk -l | grep '^Disk' to view all disks.
9. Find the 4 GB flash drive by checking the size. It should read 4009 MB or whatever size drive you are using. In this example, the drive is /dev/sdc, but yours could be different. The drive will be called out as /dev/sd* and /mnt/sd* from [...]
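Steps 8 and 9 of the persistent-USB build have you read `fdisk -l` output by eye and pick the 4 GB stick, and every later step partitions whatever /dev/sd* you chose. The Python below is an added example for this page, not the book's own code: it parses the `Disk /dev/...` lines into a device-to-size table and returns the one device whose size is within a tolerance of the target, refusing (rather than guessing) when zero or several disks match. The `fdisk` lines are constructed to resemble the format the chapter quotes and are not real output.

```python
"""Select the target flash drive from `fdisk -l` output by size.

Added example for this page, not the book's own code. SAMPLE_FDISK is a
constructed sample in the format the chapter quotes ("4009 MB").
"""
import re

# Constructed sample of what `fdisk -l | grep '^Disk'` might print on the
# Backtrack system: the internal disk, a 2 GB stick, and the 4 GB target.
SAMPLE_FDISK = """\
Disk /dev/sda: 160.0 GB, 160041885696 bytes
Disk /dev/sdb: 2055 MB, 2055208960 bytes
Disk /dev/sdc: 4009 MB, 4009754624 bytes
"""

DISK_LINE = re.compile(r"^Disk (/dev/\S+): [\d.]+ [KMGT]B, (\d+) bytes")


def parse_disks(fdisk_output: str) -> dict:
    """Map each 'Disk /dev/...' line to its size in bytes (the exact figure, not the rounded one)."""
    disks = {}
    for line in fdisk_output.splitlines():
        m = DISK_LINE.match(line)
        if m:
            disks[m.group(1)] = int(m.group(2))
    return disks


def find_disk_by_size(fdisk_output: str, target_mb: float, tolerance_pct: float = 15) -> str:
    """Return the single device within tolerance of target_mb (decimal MB, as fdisk prints).

    Raises LookupError when no disk or more than one disk matches, so a script
    built on this never silently partitions the wrong /dev/sd*.
    """
    low = target_mb * (1 - tolerance_pct / 100)
    high = target_mb * (1 + tolerance_pct / 100)
    matches = [dev for dev, size in parse_disks(fdisk_output).items()
               if low <= size / 1_000_000 <= high]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one disk near {target_mb} MB, found {matches}")
    return matches[0]


if __name__ == "__main__":
    # On the constructed sample this prints /dev/sdc, the chapter's example device.
    print(find_disk_by_size(SAMPLE_FDISK, 4009))
```

The tolerance exists because a nominal "4 GB" stick reports about 4009 MB in decimal units, and a second stick of the same size in the same box is exactly the case where a size-only choice becomes ambiguous; the function treats that as an error for the operator to resolve rather than picking the first match.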

Posted: 14/08/2014, 17:21
