Social Engineering

Social engineering is a technique used by attackers to take advantage of the natural trusting nature of most human beings. Criminals often pose as an insider or other trusted person to gain information they otherwise wouldn’t be able to access. Hackers then use the information gained to further penetrate the wireless and quite possibly the wired network and do whatever they please. 

Social engineering shouldn’t be taken lightly. It can allow confidential or sensitive information to be leaked and cause irreparable harm to jobs and reputations. 

Proceed with caution and think before you act.

Social engineering is more common and easier to carry out in larger organizations, but it can happen to anyone. Testing for social-engineering exploits usually requires assuming the role of a social engineer and seeking vulnerabilities by approaching people and subtly probing them for information. If your organization is large enough that most people won’t readily recognize you, carrying out the tests yourself should be pretty easy. You can claim to be one of the following:
  • Customer
  • Business partner
  • Outside consultant or auditor
  • Service technician
  • Student at a university

If there’s any chance of being noticed, or if you simply don’t feel comfortable doing this type of testing, you can always hire a third party to perform the tests. Just make sure you hire a trusted third party, preferably someone you’ve worked with before. Be sure to check references, perform criminal background checks, and have the testing approved by management up front.

Passive tests

The easiest way to start gathering information you can use during your social engineering tests is to simply search the Internet. You can use your favorite search engine to look up public information such as phone lists, organizational charts, network diagrams, and more. You can then see, from an outsider’s perspective, what public information is available that can be used as an inroad for social engineering and ultimate penetration into your network.

One of the best tools for performing this initial reconnaissance is Google.

You can also perform some more advanced Google queries that are specific to your network and hosts. Simply enter the following directly into Google’s search field to look for information that could be used against you:

  • site:your~public~host~name/IP keywords to search for
    Look for keywords such as wireless, address, SSID, password, .xls (Excel spreadsheets), .doc (Word documents), .ppt (PowerPoint slides), .ns1 (Network Stumbler files), .vsd (Visio drawings), .pkt (sniffer packet captures), and so on.
  • site:your~public~host~name/IP filetype:ns1 ns1
    This searches for Network Stumbler files that contain wireless network configuration information. You can perform this query on any type of file, such as .vsd, .doc, and so on.
  • site:your~public~host~name/IP inurl:"h_wireless_11g.html" or inurl:"ShowEvents.shm"
    This searches publicly accessible APs (yikes!) such as D-Link and Cisco Aironet for wireless setup pages and event logs, respectively. You may not think your systems have such a vulnerability, but do this test — you may be surprised.

These are just a few potential Google queries you can perform manually, just to get you started. Be sure to perform these queries against all of your publicly accessible hosts. 

If you’re not sure which of your servers are publicly accessible, you can perform a ping sweep or port scan from outside your firewall to see which systems respond. (This is not foolproof because some systems don’t respond to these queries, but it’s a good place to start.)

For in-depth details on using Google as an ethical-hacking tool, check out Johnny Long’s Web site, http://johnny.ihackstuff.com.

This site has a wealth of information on using Google for advanced queries. It also includes a query database, called the Google Hacking Database (GHDB), where you can run various queries directly from the site. 

You can also use SiteDigger 3.0.

Active tests

You can use various methods to go about gathering information from insiders. Two simple and less in-your-face methods are e-mail and the telephone. Simply pick up the phone, make a call to the help desk or to a random user, and start asking questions. Use a phone on which your caller ID won’t give away your identity, such as a phone in the reception area or break room, a pay phone, or perhaps a colleague’s office. You can even use your own phone if you think your users are gullible enough or won’t recognize your name or number. You can do the same with e-mail. Change your e-mail address in your e-mail client (if possible) or use an obscure Webmail account and pose as an outsider.

A common method of social engineering is to gain direct physical access to wireless clients and APs. However, the good thing (or bad thing, depending on how you look at it) about wireless networks is that physical access is not necessary.

You can also just show up in person, acting as an outsider. Whichever method you choose, your goal is to glean information from employees and other users on your network that would essentially give you the “keys” you need for gaining external access to the wireless network. This includes:

  • SSIDs
  • WEP key(s)
  • Computer and network login passwords
  • Preshared secret passphrases used by authentication systems such as WPA
  • Legitimate MAC or IP addresses used to get onto the network

You could call up your help desk or any random user, pose as a legitimate employee or business partner, and ask for wireless configuration information such as the SSID or WEP key(s). You can ask practically anyone for this information. They may

  • Know it off the top of their head
  • Have it written down and readily available
  • Let you walk them through looking the information up on their computer
  • Refer to someone else who can help

After you gather as much information as you feel comfortable gathering, you should check to see just how far you can penetrate the network as an outsider.

Unauthorized Equipment

A very common problem network administrators and security managers face is the introduction of unauthorized wireless systems onto the network. Some users — especially those who are technically savvy — don’t like to be told they can’t use wireless network technology in their workspace, so they may take the initiative to do it themselves, often in direct defiance of organizational policy.

You can even have a malicious insider or, worse, an outsider on an adjacent floor, who has set up a rogue AP for your users to connect to. This is a very simple setup for the hacker. All he has to do is set up an AP using your SSID and wait for your wireless systems to associate with it. There are also programs that automate the process of creating “fake” APs. If this occurs, hackers can capture virtually all traffic flowing to and from your wireless clients.

A more common problem is the naïve introduction of wireless systems by users who either don’t understand the security issues associated with their actions or aren’t aware of company policies. Either way, you’ve got a potential mess on your hands.

Let’s take a look at an unauthorized AP scenario. When it comes to users installing unauthorized wireless systems, here’s how it usually happens:

1. An employee, Lars, wants to be able to work on his laptop in an adjacent, more plush, cubicle. However, that cubicle doesn’t have an Ethernet network drop.

2. Lars thinks of a solution: ‘Instead of dealing with IT to get a new drop installed or asking them to come up with another solution, I can just install a wireless AP in my main work area and communicate wirelessly from my laptop to the network!’

3. Lars strolls merrily down to the local consumer electronics store during his lunch break and buys a “wireless-network-in-a-box” solution. What a deal — he can get an AP, a wireless PC Card for his laptop, and 5,000 free hours on AOL for the low price of $59.95. Subtracting the $50 in mail-in rebates, Lars has a newfound freedom from network cabling for only $9.95!

4. Lars returns to the office, unpacks his treasure, plugs the AP into the network jack in his original cubicle, and installs the wireless NIC in his laptop.

5. Lars powers up the AP, which, in typical fashion, has a valid IP address for your network preprogrammed into it. Remember, to make things convenient for the end users, no security settings are enabled on the AP — no WEP, broadcasting of the default SSID, blank admin password — nothing. He thinks to himself, ‘Wow, who would’ve thought it’d be this easy!?’

6. Lars boots his laptop, which grabs an IP address from the AP that is running its own DHCP server, and he’s off! He’s now able to log on to your network and browse the Internet. Again, Lars can’t believe how easy this was to set up and thinks that maybe IT is his calling.

Total elapsed time: 45 minutes. Consequences of Lars’s actions: Complete and unlimited exposure of your network to the outside world.

This is a typical scenario, and it didn’t require a whole lot of know-how on Lars’s part. But some people are savvier. They know that they don’t need an AP to communicate with other wireless users directly. These peer-to-peer or ad hoc systems can be even trickier to track down because no AP is involved. 

We often hear “my users wouldn’t do that” or “I know my network,” but believe it or not, regardless of the size of the organization, this scenario happens very easily and very often.

If you’re on a limited budget and want to get a general view of wireless APs in your building, you can use a wireless laptop running Windows XP. Here’s a quick test you can run to look for unauthorized APs and wireless clients before they get the best of your network:

1. On the Windows XP desktop, right-click My Network Places and select Properties.

     The Network Connections window opens.

2. Double-click your wireless network card.

     The Status window opens.

3. Select View Wireless Networks.

     You can walk around your building to see what comes up. Unfortunately, in order for new APs to show up, you have to click Refresh Network List in the upper-left corner of the window, or simply press F5 on your keyboard.

Notice how one AP shows up with the Lock icon labeled Security-enabled wireless network, and the other two (including Lars’) don’t. The one that has security enabled is using WEP encryption. The other two (including Lars’) are, well, wide open. Shame on Lars!
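One way to make the walk-around survey repeatable, as an added example that is not part of the original text: compare every observed network against an inventory of authorized APs and flag unknown BSSIDs using your SSID, ad hoc networks, and open APs. The record format, the SSID "CorpNet", and all BSSIDs and scan rows below are constructed assumptions.

```python
import csv, io

# Authorized APs: BSSID -> (SSID, expected encryption). Constructed sample values.
AUTHORIZED = {
    "00:11:22:aa:bb:01": ("CorpNet", "WPA"),
    "00:11:22:aa:bb:02": ("CorpNet", "WPA"),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

# Constructed survey records: bssid,ssid,mode,encryption,signal_dbm
SCAN = """\
00:11:22:AA:BB:01,CorpNet,infrastructure,WPA,-48
00:11:22:aa:bb:02,CorpNet,infrastructure,none,-60
66:77:88:cc:dd:03,CorpNet,infrastructure,none,-55
66:77:88:cc:dd:04,default,infrastructure,none,-40
02:99:aa:ee:ff:05,lars-laptop,adhoc,none,-52
"""

def parse_scan(text):
    """Yield one dict per survey row; BSSIDs are lowercased for comparison."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed rows
        bssid, ssid, mode, enc, signal = (f.strip() for f in row)
        yield {"bssid": bssid.lower(), "ssid": ssid, "mode": mode.lower(),
               "enc": enc.lower(), "signal": int(signal)}

def classify(net):
    """Return the findings for one observed network; an empty list means expected."""
    findings = []
    known = AUTHORIZED.get(net["bssid"])
    if known:
        if (net["ssid"], net["enc"]) != (known[0], known[1].lower()):
            findings.append("authorized AP deviates from its inventory record")
        return findings
    if net["mode"] == "adhoc":
        findings.append("ad hoc (peer-to-peer) network")
    elif net["ssid"] in CORP_SSIDS:
        findings.append("unknown BSSID advertising your SSID")
    else:
        findings.append("AP not in inventory")
    if net["enc"] == "none":
        findings.append("no encryption")
    return findings

def survey(text):
    """Return (signal, bssid, ssid, findings) for flagged networks, strongest first."""
    rows = ((n["signal"], n["bssid"], n["ssid"], classify(n)) for n in parse_scan(text))
    return sorted((r for r in rows if r[3]), reverse=True)
```

Sorting by signal strength puts the networks most likely to be inside your building at the top of the list. A fake AP can also copy an authorized BSSID, so treat inventory matching as a first pass rather than proof that an AP is legitimate.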

Default Settings

An unbelievable number of APs are deployed with the default settings still intact, including, for example:

  • IP addresses
  • SSIDs
  • Broadcasting of SSIDs
  • Admin passwords
  • Remote management enabled
  • Full power settings
  • Use of omnidirectional antennas that come standard on most APs
  • No MAC-address filtering
  • WEP turned off

Hackers know they can download the documentation for practically any 802.11-based wireless network right off the Internet. This documentation often reveals many of the default settings in use. In addition, several independent Internet sites list default settings, including:

  • www.cirt.net/cgi-bin/passwd.pl
  • www.phenoelit.de/dpl/dpl.html
  • http://new.remote-exploit.org/index.php/Wlan_defaults
  • www.thetechfirm.com/wireless/ssids.htm

If you want to see if your users or any of the systems you’ve set up are using vulnerable default settings, you can perform some basic tests with the information you’ve gathered, including

  • Connecting to APs by using their default SSIDs
  • Remotely connecting to the default admin port
  • Spoofing MAC addresses
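
A defensive counterpart to these tests, as an added example that is not part of the original text: audit an inventory of AP settings for the defaults named in this section. The INI layout, key names and both sample APs are assumptions made for illustration, and the factory SSIDs are a short sample rather than a complete list.

```python
import configparser

# A few well-known factory SSIDs (illustrative sample, not exhaustive).
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "netgear"}

# Constructed inventory: one section per AP, keys are assumed names.
INVENTORY = """
[ap-lobby]
ssid = CorpNet
ssid_broadcast = off
admin_password_changed = yes
remote_management = off
tx_power_percent = 50
mac_filtering = on
encryption = WPA

[ap-cube-lars]
ssid = default
ssid_broadcast = on
admin_password_changed = no
remote_management = on
tx_power_percent = 100
mac_filtering = off
encryption = none
"""

# (finding, predicate) pairs; a missing key is treated as the insecure default.
CHECKS = [
    ("factory SSID", lambda s: s.get("ssid", "").lower() in DEFAULT_SSIDS),
    ("SSID broadcast on", lambda s: s.getboolean("ssid_broadcast", fallback=True)),
    ("admin password unchanged",
     lambda s: not s.getboolean("admin_password_changed", fallback=False)),
    ("remote management on", lambda s: s.getboolean("remote_management", fallback=True)),
    ("full transmit power", lambda s: s.getint("tx_power_percent", fallback=100) >= 100),
    ("no MAC filtering", lambda s: not s.getboolean("mac_filtering", fallback=False)),
    ("encryption off", lambda s: s.get("encryption", "none").lower() in {"none", "off"}),
]

def audit(text):
    """Return {ap_name: [findings]} for every AP section in the inventory text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return {name: [label for label, failed in CHECKS if failed(cfg[name])]
            for name in cfg.sections()}
```

An AP record that omits a setting is reported as if the default were still in place, so gaps in the inventory surface as findings instead of passing silently.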

