Note: Multiple edits for typos (the ghost of a learning disability mostly overcome) and additional image upload occurred between 21:10 EST, 9/30/18 & 22:23 EST 9/30/18
Last year I released the essay Shared thoughts after 6+ years in pentesting: (Shared thoughts after 6+ years in Pentesting).
I decided that every year I would release another essay, thereby allowing me to chronicle my growth in these arts, compare/contrast/re-orientate/better articulate my perceptions of years past and/or share some of the methodologies/techniques I have been using.
This essay includes images from engagements I have participated in (with all due redactions, permissions, etc.) so that I may better illustrate my thoughts.
We all work from atop the shoulders of titans; this allows me to give back to the community like so many before me.
Weld Pond tweeted my last essay in 2017; I am a son of Massachusetts, and it was a cable news story about The L0pht that stirred the embers in my mind that this was happening nearby.
I could become a hackerā¦
More than that: along with martial arts, hacking has saved my lifeā¦
I grew up in a bad way in a bad place with every excuse to fail.
Hacking gave me the means to build something that is mineā¦so many of you have given your hard work to the world, providing me with the raw materials I forged into a vocation, purpose and place in a world I did not believe I belonged in.
If the kid I was could see the man I have become, I know heād be psyched; I wish I could go back in time and tell him that everything would be alright (though he likely wouldnāt believe me that everything would turn out this awesome).
Better than alrightā¦amazing.
So here goes nothing.
Letās get weird. Letās get dangerous.
maderas
Perception
More then ever, I believe that penetrating and exploiting systems/networks has become a matter of perception.
The data an attacker perceives and the manner in which they act upon that data governs the probability of their success during any stage of an engagement; the same holds true for the amount/degree of advantage that an attacker can perceive in and/or leverage from the data they enumerate.
Where defending against an attack is concerned, many times a defenderās best defense is their perception of the ways in which a vulnerability could be leveraged relative to the resources that are native to the digital spaces they are employed in defending.
Many times, some manner of business need could impede a defenderās capacity to fix vulnerabilities* *or mount the best defense possible.
In these instances, the defender must perceive the ultimate cost their organization may pay for the presence of a given vulnerability.
The defender must also perceive the manner in which they may best relay/explain the possible/potential cost(s) to an organization.
The topography/composition of an engagement environment is almost always shaped by human perception; for example, perhaps a target organizationās cost-benefit analysis leads it to ignore patching vulnerabilities within its IP space that they perceive to be "minorā.
I believe that the degree of perception that matters most where the security posture of an organization is concerned are blind spots in that perception.
An organization that chooses to ignore a vulnerability yet recognizes that the vulnerability is present at least perceives some potential detriment that the vulnerability could pose to the resources making up the organizationās information infrastructure.
Hopefully the client/organization documents these vulnerabilities and develops contingencies to deal with the vulnerabilities in case they are further compounded by an incident such as a breach.
Real World Example: Looking around corners
The diagrams above are āa real-world example of a large refineryā from the Industrial Ethernet Book illustrating the topography of the ādefense in depthā strategies, structures,technologies and resources that in many ways define ISA-99/IEC-62443 standard IEC-62443-3-2 ("Standard addresses security risk assessment and system design for IACS"):
ā A large refinery example shows how ISA-99 zones and conduits design techniques were used to create a security architecture and protect operations. The refinery company follows the concepts of ANSI/ISA-95.00.01- 2000 and ANSI/ISA-99.01.01-2007, dividing its process operations into Levels 0 ā 4." (http://www.iebmedia.com/index.phpid=8460&parentid=74&themeid=255&hpid=2&showdetail=true&bb=1&appsw=1)
I have engaged networks/targets in the Industrial/Energy sectors configured by ISA-99/ ISA/IEC-62443 zones/conduits, defense in depth design specifications; in a huge majority of cases, these were challenging solo engagements (especially facilities in the EU where government/governing body regulations, specifications and/or certification enforced/demanded strict specifications) where the scope/parameters afforded me a wide operational latitude in which to operate (the engagement methodologies landed somewhere between Red Team/external Black-box testing).
A gross over simplification of the defense in depth strategy as a topography: each network segment (āzoneā) is isolated from the others via technologies such as firewalls/VPNā¦each zone maintains one (or two at maximum, illustrated by the red dots in the diagram above) network connections (āconduitsā) to some zones while excluding connection(s) to others (thereby shielding the zones with the most critical infrastructure behind other zones they are isolated from).
Each zone/conduit is normally protected by some type of security/secured network appliance.
As an attacker, I do not like to play to the strengths of a targetā¦
It is a situation not unlike a magician using their patter and physicality to distract you as they perform their trick: if you want to try and figure out the trick, donāt look at the magicianā¦look at what is happening around the magician.
The strengths of ISA-99/ ISA/IEC-62443 is that it creates a crucible of InfoSec best practices: isolation of critical systems,network segmentation,encrypted/secure channelsā¦attacking each zone individually risks detection, as each zone necessitates new periods of prolonged enumeration and can consumes a great deal of timeā¦
During an engagement, the more actions an attacker is forced to take and the more time they are forced to spend in attaining their goal increases the probability they will be detected.
Also, from a professional perspective, it is unlikely that a real world/malicious actor is going to smash themselves up against the strong points of a clientās securityā¦attacks normally follow the paths of least resistance (unfortunately, defensive quantities also follow this dynamic way too often).
Real world attackers are going to hit the soft spots (though ultimately, the client may want their infrastructure targeted zone by zone).
ISA-99/ ISA/IEC-62443 attempts to limit my reach to something like the image below, forcing me to take ground a zone at a time at great risk:
However, on more than one occasion, I have engaged targets where variables inherent to the environment (blind spots in the operational perception of an organization/client) allowed me to bypass the strengths of the zone and conduit, defense in depth configuration of ISA-99/ISA/IEC-62443, thereby allowing my reach to extend to targets throughout the engagement environment.
Digital Pickpocketing
The age of transferable, mobile digital media has led to widespread implementation of UPnP/UPnP-like programs and services for easy, quick movement of media between devices.\
Most users do not understand these technologies fullyā¦this leads to them leaving ports open and media available; sometimes the user does not shutdown a program correctly (leaving UPnP/UPnP-like services up and the port/media available) or the program is poorly designed (which can also leave UPnP/UPnP-like services up and the port/media open).
Many times, these protocols are allowed through firewalls/network appliances (thus they are utilized by malware, especially RATs pretty often) as many Network/System Administrators do not fully perceive the InfoSec implications of protocols like UPnP (along with similar protocols like DLNA and SSDP that are often incorporated into its stack) or perceive these protocols/services as a possible threat, thereby creating an exploitable blind spot.
During an internal engagement against a facility in the Industrial/Energy sector, I was allowed a restricted workstation (laptop) and low privilege user credentials.
I immediately ignored the Ethernet connected laptop and used the provided credentials to connect to the corporate/facility WiFi with a customized Nexus 7 2013 (all of this was within scope of the engagement) and immediately utilized an application called ControlDLNAā¦below is an example of what I found:
Browsing the Administratorās folders (from image above, images below), I discovered itself a huge amount of actionable dataā¦
These findings provided confirmation that an Administrator account of at least one network segment connected to the corporate/facility WiFi network.
Most of the users/accounts with the highest levels/degrees of user/account privilege connected to the corporate/facility WiFi connection during the engagement.
This led me to utilize ControlDLNA and other UPnP/IoT applications (examples: applications that allowed me to detect and/or interact with Bluetooth and HID appliances) regularly.
Link Below:The link below is video displaying the contents of an Administratorās folder that contained photos, located on their company Iphone during the engagementā¦
Eventually, the Administrator connected to the facility WiFi with their compay Iphone when they were in a section of the facility that received a poor mobile signal.
I had access to media on this Administratorās workstation and their company Iphone due to blind spots in how the organization perceived the threat posed by file sharing/IoT protocols.
This was not shadow IT as the application in question was loaded on every company Iphone after the organization/facility had chosen to phase out company Windows/Android phones/tablets due to security concerns.
If I was a real world, malicious actor who had downloaded the gigabytes of material available to me on the Administratorās workstation/lphone, that material could have (at the very least) directly led to successful social engineering against the Administrator and any number of employees.
Below: This engagement allowed me to attack from any area that I could access via my temporary keycard with access similar to that conferred upon a visitor or new employee.
Thus I deployed this and similar attacks throughout the facility, which allowed me to access corporate media shares (below) that were full of materials that could have been used in social engineering attacks, as a source of recon or as a direct attack vector (example: encoding payloads into files downloaded from the accessed media shares and somehow presenting them to the owner or placing/leaving the encoded materials in any SMB based shares exploited/accessed later).
Image above: Another facility media share and the laptop of a management employee accessible from an area any guest could attack from: a bathroom stall.
All of these attacks were accomplished with a Nexus 7 2013 with a bluetooth keyboard case and NO USB ATTACHMENT as to better resemble an attacker who did not want to draw attention to themselves; had I used an Alfa or TP-Link USB/wireless attachment, the potential damage/reach of these attacks may have been much greater.
Also of note: some targets used IM or other messaging services that used UPnP/UPnP like protocols that stored the discussions as media files on their company devices; I was able to access those files as well.
This Metadata taken from those materials also could have provided a real world malicious actor with other avenues for penetrating areas of the network:
Metadata could be stripped from these materials (via tools such like Exiftool or FOCA) thereby allowing a real world actor to gain personal/private data on the target(s)ā¦for example: by stripping GPS/other geolocation data/tags from photos accessed, the attacker could find or narrow down the physical location of a targetās home address.
Locating a targetās home address via this metadata , a malicious actor could crack the employees WiFi or access their residence physically to exploit machines in their home that could be connected to systems/machines/networks within the facility.
Also, what if a real world attacker using this attack had found material on the Administratorās/an employeeās device(s) that were sensitive, illegal, deeply personal, embarrassing or could cause their terminationā¦what if an attacker used these materials to successfully blackmail the Administrator/employee into carrying out attacks via a USB or some other physical media at inaccessible areas within the facility?
Remember, the facility was within the Industrial/Energy sector; historically, these facilities have a high probability of gaining the attention of state actors with sufficient financial means, logistical resources and motivation to accomplish/attempt the aforementioned attacks.
By leveraging an attack vector that the Industrial/Energy sector facility was not able to contest, a real world malicious actor could have leveraged blind spots in the facilities perception of vulnerabilities/risk, thereby broadening their reach to extend throughout the entire engagement environment while ignoring the InfoSec architecture designed to defend it.
Real World Example: Attacking the blindspot(s) of a targetās perception(s) on multiple levels
The link above is an example of my capitalizing on a blind spot in a targetās perception during a past solo engagement.
Conducting an external engagement against a now defunct facility conducting activities governed by PCI/HIPAA, I gained access to the internal network of the target from outside the building, thereby circumventing the expensive physical/digital security implementations the organizationās clients demanded through/via contractual obligations (example: to enter the targetās lobby a person had to enter a code in multiple numeric keypads and scan themselves in with a keycard).
Sitting in a parked car in the massive parking lot the target shared with dozens of other unrelated businesses, the video above shows how I accessed the internal network of the facility via my customized Nexus 7 2013 using a wireless adapter and a common application that comes installed with Nethunter (which anyone could also download from FDroid or the Play Store).
IT at the facility had used a residential Belkin wireless gateway as a temporary fix that remained in place for at least 6 months within the target facility/network and they had left WPS engaged.
The Belkin Gateway was attached to a host with time clock software installed (relevant image below) in the employee loungeā¦employees would sign into their shifts or on/off breaks from this machine; management was under scrutiny from corporate due to the facility being off its āadherenceā metricā¦corporate expected employees to wait until they got to/back to their desk workstation to sign in/out of the timeclock software installed there.
Corporate did not approve, nor did they know about this host.
Thus a proper gateway had never been bought/requested to serve this taskā¦worse, the Belkin gateway had all of its default credentials still in play, the time clock host was an older machine that was rarely patched with AV/AM with a long out of date .DAT fileā¦this host machine also had Belarc Advisor installed (a wonderful tool if you want to commit the sin of dropping a binary to disk as it renders a TON of data about the connected hosts/network).
This Belking gateway was connected to the main network by an Ethernet connection; this was necessary so the management could more easily export the data from the time clock software.
Images below: some examples of data gained from a native Belarc Advisor well into the engagement. Data in Red Squares represent Administrator user I created as an extra means of persistence and at organizationās/clientās request to test if IT would notice.
Below, Belarc reveals other blind spots: in the red square, notice all of the accounts native to the host I had gained access toā¦accounts that functioned on one machine could log into any machine in the facility outside of those in the server room.
Most of the accounts native to this host belonged to employees who were no longer with the organization/client, yet none of their accounts had been closed yet as IT waited until a certain number needed to be suspended and then did so.
Also, IT wasnāt assuring that employees werenāt reusing credentials for the time clock software, their workstations, VPN access, etcā¦thus, attacking the time clock host with Metasploit from my Nexus 7 allowed me to gain credentials that worked though out the wider network.
All of the workstations had access to a panel that would allow Remote Desktop access to any other host on any segment except the server room; all that was needed was the credentials necessary to access the host in question (all DCs were directly reachable from any host as they were located in a seperate closet on the top floor).
IT had implemented the Remote Desktop panel with a star network topography so that they and management could access/remote into āany workstation from any workstationā to ensure maximum uptime of/for each employee (business driving IT and creating blind spots).
Since the facility was also a sprawling multi-floor affair, management/IT grew tired of having to travel all over the building to help employees with tech issues ).
All of these aforementioned blind spots (which also include the use of some questionable software to run business dependent programs, top most red square above) maimed the vendor solutions the organization/client had invested in (also highlighted within lower red square in image above) which included a remediation layer that isolated hosts when malware/dangerous configurations were detected.
Worse of all: after gaining access to a managerās desktop, I found an Excel sheet (image below) with every credential for every employee in the company (including international employees) that listed every current/past set of credentials for all of the different billing systems utilized for PCI/HIPAA governed activities.
The Excel sheet was labled āPasswordsDoNotDeleteā; you can see the condition of the passwordsā¦the employees would be assigned something like TShirt10, and they would usually make small changes to the password every 90 days (TShirt11, TShirt12, etc.)ā¦other data on the sheet also included IT tickets.
Speed of the leader, speed of the crew: the account highlighted in Red belonged to the Supervisor of IT who had the equivalent of Domain Administrator access/statusā¦they had only one password for all of their accounts: Autumn04 and it had not been modified (changed) since they had assigned it to their self (finding this sheet allowed me to establish multiple methods of persistence within every network made available by the scopes/parameters of the engagement).
Engagements causing me to ponder/perceive deeper realities
Attrition.org has always had a huge place in my heart, right alongside The L0pht, CDC, 2600, Phrack, CCC, Defcon, Computer H.O.P.E, netbooks, Thinkpads == to or > then the x230 , Macbooks from before 2012, Neuromancer, Blade Runnerā¦
These are all technology based things that shaped my sensibilities and who I amā¦
I get Attrition.org because I hate seeing the advantaged take from the disadvantaged forciblyā¦as someone who has engaged in professional prizefights to shed some of their aggression, I better understand Attrition.orgās approach: sometimes you need to do more than just talk to a complete asshole.
Attrition.org represents an institution whose approach has instilled a type of moral fear in meā¦I think sometimes you need that to be a good manā¦for some it is religion, for some others it is the lawā¦I am not really an authority loving kind of guy generally, but our community polices its own pretty well I think, so I submit part of my psyche to itās authority.
During the engagement detailed above, I realized that if I were an identity thief or if I had no moral/professional center (especially with it being a solo engagement), that this breach could have produced a good chunk of changeā¦this engagement taught me the high financial stakes this game can have, which opened my eyes to the motivation this game has for someone in some economically depressed part of the world living on less than $5 USD a dayā¦
Right now the First World keeps shipping its electronic waste to Third World countries where young people sacrifice their health and their environment to turn these electronics into scrapā¦
With the rapid advances/increased availability of computer technology and the inevitabilities that Mooreās Law dictates, how long before these Third World countries realize that they are receiving more and more powerful machines better capable of simple attacks like password crackingā¦
How long before they start searching those computers for identity data, forgotten/lost/accidentally discarded crypto currencyā¦I can see a shack full of discarded machines being turned on another scrapped machine to crack some passwordā¦
How long before they stop breaking these machines for scrap and start using them to break passwords or teach themselves to mount all other types of attacksā¦passwords may lose some importance in InfoSec in the future, but they are likely to be a gap somewhere in the world for a long while yetā¦
I find the self righteous whitehat āgood guy/bad guyā shit childish, but this engagement reaffirmed my belief that you do not get, nor deserve a cookie for doing the right thing, but not being an asshole is a reward in itself.
A solid reputation is also a reward; it represents the trust others have in you amidst a world where it is tough to trust things.
As Roland says, I remember the face of my fatherā¦but I also remember Attrition.org.
Perception is often about Presentation
Hopefully, if/when a breach occurs, the victim has sharp employees, solid documentation detailing any vulnerabilities they have decided to except and an action plan in place.
Tightening the attack surfaces around/eliminating these vulnerabilities (especially where vulns like priv escalations are concerned) as early as possible following a breach can go a long way toward ensuring that persistence is truly abated.
In this vocation, the specifics concerning solutions are generally more important to an organization/client than the specifics concerning a problem (risk, exploited vulnerabilities, etc.); I want to lead them to the best solution possible, and showing them the blood/guts surrounding an issue is almost always the best way toward persuading an organization/client to make improvements.
On the OffSec side of things, I find that an organization/client better understands the benefits of patching a vulnerability after I show them video from the engagement. This video usually begins at an exploited vulnerability and carries on to the most final conclusion (post-exploitation, lateral movement, persistence, etc) that may be represented in the time/ situation available.
Ultimately, the video represents what the organization/client stands to lose/the potential damages the they could incur.
If you can exploit vulnerabilities through very mundane means (like a Nexus 7 and some stock applications), it can help drive the point home even more.
An organization invests in InfoSec to help ensure profitability/prosperity; to remedy an issue, you often have to present a vulnerability in a manner that allows the powers that be to easily perceive the potential cost(s)/potential value.
Sometimes a demo video must take the place of actual engagement footageā¦the demo environment where the demo takes place should match the organizationās/clientās environment with all possible exactness, with security turned up to 11 whenever possible.
Environment exactness/added security helps address excuses/justifications for poor security practices in the real environment pre-emptivelyā¦you do not want to hear āwell we have a firewall hereā or āwe have AV/AM thereāā¦the path of attackers and defenders often follow the path of least resistance where InfoSec is concerned, and excuses for weak InfoSec practices (even if the excuses have no merit) can harm the maximum effectiveness of the help you try to render unless you are prepared.
Perception is often defined by presentationā¦I like to show an organization/client how they can help themselves rather than just telling them how.
How do I become a hacker/penetration tester, learn to hack/learn penetration testing skills, (etc.)
This is likely the question I see posted/asked the most online concerning my vocation.
When I first started out, there was a strong stance against āspoon feedingā knowledge; meaning that if you asked a question of a hacking/InfoSec community, youād better of damn well exhausted every possible resource in finding an answer prior to asking (or scorn given an edge by some strong wit was forthcoming).
My reaction is somewhere in the middle concerning newbie questions; my gut tells me that if you are asking how to become a hacker, than you may lack many of the requisite traits necessary to walk your version of this pathā¦
This path is about finding and questioning knowledge through action.
Myself, I have a compulsive need to find the answers to the questions myself; I love research. I love how research snowballs, how one question/answer leads to another question/answer, leading to a slow amassing of knowledge until that never ends.
That feeling when youāve followed a question from night into day, when the search for an answer evaporates hours as if they were minutesā¦
Those times when life finally demands that you turn your attention elsewhere, but you spend one more moment to marvel at how a single question at point A can end up mutated into something unrecognizable at point Z due to the blur of questions and answers that made up point B through X.
Often, knowledge is amassed in new and unusual waysā¦during research, a wrong turn there leads to a new revelation hereā¦sometimes you realize you are asking yourself the wrong questions and thereby find your way far closer to an answer.
Today, knowledge or the path to an knowledge are almost always within your reach; knowledge or the path to knowledge has never been closer or more accessible than they are now.
I believe that the compulsive search for your own answers is what develops the faculties/capacities needed to be truly useful in this work.
This is a discipline based upon high level problem solving; how will you become good at solving problems unless you are solving problems?
Finally, I will tell you what helped me the most starting out (and I started out when there were far less sources available to a newbie):
Early in your development in these arts, I believe that asking your peers to part with knowledge that they worked and sacrificed so much for is disrespectful to them unless you have exhausted every other option at your disposal or you are constantly putting in more than you take out knowledge wise.
Information exchange through communication is not what I am talking about; equivalent exchange of knowledge in this manner, such as that which can occur with follow employees over coffee whil e you talking shop has been fundamental to my growth.
I believe that being lazy and just asking for answers is also disrespectful to those who have been kind enough to share that knowledge elsewhere; in this present age, it is very unlikely that the knowledge you seek isnāt online or on a printed page.
I have not asked a single question in a forum or community concerning a technical question unless that question was a means of clarifying anotherās comments, questions or an issue they raised concerning my own work/research.
There has yet to be a problem I have faced that I could not answer myself with some work; I believe this not only allowed me to build knowledge, but also build my own confidence in my faculties for solving a problem.
For about all of my career I have sought out the hidden places where blackhats operate (and I do not mean super secret darknet forums) to examine their work; this meant finding their infrastructure to examine their work without the luxury of asking questions (amongst blackhats, operational knowledge is a commodity as is a paranoia).
This means a willingness to go out into the jungle rather than just learning from what others have written about the jungle.
This doesnāt mean joining the natives and it doesnāt mean lying to the natives and/or trying to burn their hut down while they sleepā¦this is a good way for you machine to catch malaria, or worseā¦
I believe that this is the reason why my career has consisted of positions far closer to the Red Teaming spectrum; I let my interests dictate an eventual career pathā¦thus, my my vocation has been 99.8% manual engagement of targets (the stuff I love) .2% running Nessus/Qualys or some other automated vulnerability scanner (this stuff I donāt love).
You must except that if you want this, than you are responsible for getting it for yourselfā¦I have been willing to search for the knowledge I wanted and was willing to absorb it from any source I thought passed the sniff test.
The Burning House Principle
I strongly believe in the value of Passive Reconnaissanceā¦Passive reconnaissance equates to asymmetrical intelligence gathering in a manner that does not directly interact with target resources (my next project will cover my methods for this is detail)*
Given the rapid application of AI/Machine Learning toward defensive solutions (AV, AM, etc.) targeted to the IT Security, the decreasing expense of running systems with advanced processors that are dedicated toward threat intelligence, increased sharing of threat intelligence throughout the IT Security Sectors and societyās ever growing reliance on digital networks to sustain its infrastructures, it is my belief that Passive Recon and obfuscation will gain greater and greater importance for most actors (minus those with a specific socio-political background/advantage such as actors in China).
I perceive the value of Passive Reconnaissance through a principle I call the Burning Building Principle.
Basically, you are only likely to enter a burning building if there is something of immense value inside (for this metaphor, the valuables are the objectives of an engagement with the burning building being the engagement environment itself).
The further away from the burning building you are, the further away from harm (detection, failing to meet engagement objectives) you are, but also the further away you are from the valuables that you can only retrieve through entering the unpredictable inferno inside (establishing some manner of session within an engagement/target environment).
The closer you are/further inside the burning building you are, the greater the chance of catastrophic failure
For instance, you donāt enter the burning building (the engagement environment), but the fire hits a gas line and it explodes (metaphorically, so let us say you were detected by the target after visiting a webpage per your IP which had not yet been obfuscated) harming you, though the probability of this happening at a distance was far less than if you had entered the buildng.
And once inside, the longer you are in there without meeting the objectives that compelled you to enter and the more actions you are forced to take once inside, the higher the probability of catastrophic failureā¦and eventually the building is going to collapse (engagement duration ends, persistence is detected, general detection before persistence, target leaves the environment or loses value, etc.).
If you have not entered the building and met your objectives or you are trapped inside during the collapse without meeting these directives, you have suffered catastrophic failure (though it could be a win for the organization you engaged, which is a win for you in many circumstances, but still).
Before you enter the building, you want to gain as much as possible with the minimal chance of incurring harm (hurting your chances of meeting the objectives of the engagement)ā¦until you engage the targetās IP space in some way, the probability of being burned is zeroā¦ideally, you want to enter the burning with as much data as possibleā¦you want to have a plan, utilizing an economy action balanced by decisive, effective action (running up and down multiple floors, in and out of the burning building to meet every objective may not be the best plan).
Why scout the burning building from no cover on the law when you could scout it from a safer distance or from behind cover (i.e., using traffic obfuscation methods. using 2nd party data sources from sites like Shodan, or Hurricane Electricās BGP Kit, google dorking with Pagoda through HTTP randiomization//Agent spoofing libraries, etc.).
Once you gain ingress or directly touch a targetās IP space, the probability of detection never falls to zeroā¦why not lower that probability as much as possible?
Social Engineering tactics taken from telemarketing/customer service
Before I became a penetration tester/Red Teamer, I worked for years as a Closer in a telemarketing and customer service call room; my job was to feed lines to reps or get on the phone myself (getting on the line and taking over a repās phone) in order to convince a prospective customer to open their home/schedule to meet with a sales representative.
I also needed to ensure that the environment the sales rep would enter was as conducive to a possible sale (then or in the future) as our statistics defined possible; the company I worked for sold high end home improvement products with a minimum sale of $6k and average sale of $30k.
This meant ensuring all homeowners/decision makers were home for the duration of the sales repās demo, ensuring that the homeowners/decision makers had an open ended amount of time (at least 3 to 4 hours) in which to meet with the sales rep, inquiring about specifics concerning the construction of the home, etc.
Ultimately, my capacity to perform well in my position came down to four distinct skills that were interlinked: active listening, relief of obligation, empathy and anticipating/pre-emptive dealing with objections to what I had to offer.
Active listening (say, āthe enumeration phaseā of each phone call to or from a prospective customer) allowed me the mental material to reflect an objection back to the potential customer, thereby showing them that I was listening to their concerns.
Really listening to the person on the other end of the line (careful analysis of the data gained in the āenumeration phasesā of each call, with the speed/understanding of potential applications of data coming by practice/experience ) allowed me to anticipate what objections would/could follow be forthcoming early in the call and allowed me to offer rebuttals that showed them the value in what I had to offer while I alleviated their concerns about having a sales person out to their home (thereby relieveing their obligations while creating greater value in what I had to offer).
Most importantly, listening closely and getting a feel for each person on the phone allowed me to identify an āinā, a way of offering the person on the phone a concept in a manner that overcame their reluctance while enriching the value of the offer itself.
Customer: ā I am not planning on doing any work to the home nowā¦.maybe in the Springā¦ā
Me: āWell it is winter time, I think itād be crazy to punch holes in your home during a New England Winterā¦and the holidays are around the cornerā¦I bet that with two kids you have better things to spend your money on in the next few monthsā¦ā
āThere arenāt many people looking to do work on their homes now; youāve made it abundantly clear that includes you and Mrs. Smithā¦We have employees that need to be paid anywayā¦we as a company know that if we show enough people what we have and leave them with an exact price guaranteed for a year, that folks are going to call us back eventuallyā¦we guarantee to beat our competitions price on a comparable product with this price we are providing nowā¦ā
āYou stated you are thinking about doing the work in Spring anyway, so why not find out what you will be looking at and getting a price you can hold against the competition for the next 12 months even if you donāt decide to go with usā¦.if you are both home Saturday anyway, and my guy is in your town seeing some other folks, than what could spending a bit of time with them hurt?.ā
By anticipating the customerās objections and dealing with them in a preemptive manner, the call became a conversation rather than an annoyance; it basically came down to making sense to the customer without insulting their intelligence and putting down what I had to offer at their feet while instilling what the value would be to them if they decided to pick the offer up themselves.
There is little success in trying to stuff concepts/social engineering attacks down the customerās/targetās throat; if they do not decide themselves, they will spit out what you offer/not trip the trap or contact IT concerning your attack.
The dialogue I provided above (between an imagined customer and myself) is the ghost of a marketing approach that I designed myself in 2007 when I was promoted to Marketing Manager by the company I worked for (a move that was mostly a nothing to lose, desperate last gasp by the ownership).
This approach/these communication dynamics allowed the company I worked for to survive the 2008 financial collapse without a incurring a single lay off while also allowing the company to take over the entirety of the Northeast territory through acquiring our closed/floundering competition.
Social engineering is not very different in execution at the emotional/intellectual level where a target is concerned; both demand that the target perceive authenticity in your approach, both demand that you provide an abundance of data that overwhelms the target;s inclinations toward suspiscion, both demand that you motivate a target to act in manner that is not detrimental to, or directly aligned against, your own motivationsā¦
In my mind, the best social engineering campaign identifies a method that is going to cause the target to ignore that corporate training they undertookā¦.it creates an instinctive/reactive action within them that moves them toward executing the trap (akin to the customer above dropping their objectives to consider what I have offered).
For me, the best social engineering attacks creates a sort of violent, instinctive reaction within a target that creates a gap in, or clouds the targetās logic for maybe a few seconds. āActive listeningā in the context of a social engineering attack is the capacity to perceive the data that may be used to effectively and/or perceive the manner in which enumerated data may be used to effectively, bait and hook the target(s).
This burst of curiosity (or whatever the emotional/intellectual trigger may be) is compounded through the creation of a temporary, situational reality that is conducive to the reaction(s) necessary for the target to click that link or open that PDF attached to the e-mail (such as an attacker using the account of a trusted confidant to execute attacks against other targets).
From there, it is about making the target except the decision they have made, thereby making them an unwitting accomplice; āactive listeningā in this case is the creative use of the data an attacker has enumerated, the attackerās capacity to perceive enumerated data that can be leveraged to move the target through the necessary actions, the attackerās ability to enumerate/make actionable the data that best serves as bait the target will not spit out on a hook so sharp they barely notice it set.
This piece could be the attackerās technical capacity that makes the target feel comfortable/safe with their decision; the attacker fashions an attack that does not trip AV/AM or create a buggy reaction that jars the targetās immersion in the ruse, causing a target to have second thoughts and contact IT.
This piece could be the promise of a tantalizing payoff or the lead up/build up to the payoff could appear so authentic that should a technical glitch occur (such as a popup that implores the target to change the security configuration of their OS or take any further steps necessary to execute a macro based drive by exploit) the target ignores, does not think about or forgets the potential harm their actions could cause.
This piece could be a situational/logistical reality that an attacker creates which forces the target into culpability, whether overtly or unknowingly.
For instance, one of the most successful social engineering attacks that I have executed was against an organization that was being examined for a buyout by a much larger corporation.
It is a game of motivation vs inhibition; in the age of social media/business organizations humanizing themselves within the digital spaces, deducing motivation is easier in individual cases rather than blanket cases.
This is why I prefer spearphishing/focused social engineering attacks if a client requests social engineering during a prolonged engagement (especially those demanding some period of persistence); otherwise, even if social engineering is on the table per the scope, I tend to avoid it until the latter stages of an engagement (depending on what the preliminary enumeration of the target tells me/us about their security posture of an organization and what I/we deduce to be of the most value to them).
I will enumerate these concepts further in a future project.
The enumeration/reconnaissance phase
I believe that during an engagement, an attacker should always be in a state of enumeration/reconnaissance as to constantly establish, re-establish, examine and re-examine* the *state of their situational awareness.
I believe that due to the way the human mind works (we may only pay real attention to one thing at a time, though we may shift that attention between multiple priorities) that certain points of an engagement may be more heavily invested in a certain type of action (enumeration/recon, overt offensive action, obfuscation of* current position, misdirecting the blue team/purple team,etc.); however, I believe that an attacker should always be in a state of enumerating the environments,situations and circumstances in which they find themselves.
Especially now, where target organizations seem to invest much more heavily in an ever growing boutique of vendor solutions rather then a greater degree of secure configuration/adherence to basic InfoSec best practices such as privilege siloing (which I believe will always be folly), an attacker is well served by striking a balance between definitive, direct action(s) and re-evaluating their position.
Enumeration itself can be a method of offensive action; for instance, during most phases on an engagement (unless I detect/sense that running such a tool could mean my detection), I like to run some manner of traffic analysis to help maintain an awareness of what fish are swimming about in the digital in which I am immersed.
Much like a shark is said to be capable of sensing electrical anomalies in the environments in which they are immersed, I like to have multiple methods deployed that may make me aware of any changes occurring in the nature/condition of the engagement environment (especially those changes I may create, as I prefer to have the traffic I create blend in with the natural biorhythms of the environment I am engaging).
I sense that a balanced attack posture is something like what I see when watching footage of small/medium size sharks hunting; they are always on the hunt for a meal, but they are also always adjusting between levels of aggression/awareness to ensure another shark/sea creature doesnāt make a meal of them.
Exploitation is about detecting and acting upon actionable data (as well as perceiving what data is actionable, how it is actionable or how it can be made actionable); actionable data can be uncovered at any time during an engagement and/or can undergo changes/be effected by changes to the surrounding environment that effects the nature in which it may become/can become/is actionable.
My definition of hacking vs. penetration testing/Red Teaming in this post
I use the word hacking to describe an art composed of many disciplines that I may utilize in my vocation as a Red Teamer/Penetration Tester.
I apply tools/techniques/methodologies during work, play and practice that mirror the same tools/techniques/methodologies I apply in my vocation as a Red Team operator and/or penetration tester.
However: personally, my application of these tools/techniques/methodologies and the reactions others have to the manner in which I apply my art have become a means of expression that aid me in developing a deeper understanding of myself and the world around me.
The importance of what a tool can or cannot do is much lessened; now, they (and code in general) are a means of expressing myself within the framework of a scope/parameters that are much less restrictions or rules, but are more the realities governing the medium on which I display my art.
Recognizing this. I see this art as ultimately an art of strategy, creativity and perception where almost anything can be leveraged toward meeting the objectives of an engagement.
In fact, I know hacking to be a martial art
Last year when Shared thoughts after 6+ years in Pentesting was released, there was a comment on HackerNews to the effect that the poster could not stand fellow InfoSec employees who looked at their vocation as if they were some manner of Zen monk/cyber warrior.
I can agree that someone who constantly espouses any personal philosophy and tries to push that on others can be insufferable; myself, I am an exceptionally quiet, introverted person who would never deign to tell others how they should think.
When I express myself in this way, I do so in order to give back to a community that I feel I owe a great debt too; I offer ideas in the hope that someone may find something useful amongst the experiences/ideas I relay.
And my own experiences paint my conception of thingsā¦I have been a martial artist since at least the age of five; I began fighting professionally in my mid 20s (muay thai. MMA, K-1 rules kickboxing and kyokushin); thus, I see everything through the eyes of a martial artist.
I see hacking as a martial art and I believe it is the most potent martial art to ever exist.
The martial arts comprise disciplines where the knowledge acquired by a practitioner allows them to better utilize their mental faculties toward an expression of physicality that creates change in the physical realities of an opponent.
Through the use of knowledge acquired through regular practice, a hackerās mind manipulates some implement with their physical body (their fingers striking a keyboard perhaps) that changes some physical reality of an opponent (such as embedding foreign code within the network infrastructure of a target).
Except hacking now has the potential to do some anime/manga levels of damage (look at the damage the Triton malware could have wrought) to people via attacks against critical infrastructure across great distances.
Though I wish to examine my views concerning the relationship between martial arts and hacking in a separate project, I can say that engagements have guided my hacking as fighting has guided my martial arts trainingā¦
They both show me where my strengths/weaknesses really lay by allowing me to test/push my limitations, creating a cycle of training/testing that gives me purpose through building skills I can use to help make the world a better place.
Like sparring/fighting an opponent eventually became, I have come to see an engagement as less about challenging a targetās defense with my own offense and more about challenging myself.
It is more a contest that allows me to learn the truth about myself; to find, establish, define and overcome my own limitations so that I can make myself a better, more useful piece of this world.
And finallyā¦
In Buddhism (especially Japanese Buddhism in particular) the beings who are charged with protecting the Buddha ( NiÅ (ä»ē) or KongÅrikishi (éåå士)) resemble devils, not angels.
āWithin the generally pacifist tradition of Buddhism, stories of dharmapalas justified the use of physical force to protect cherished values and beliefs against evil.ā https://en.wikipedia.org/wiki/Nio
I maintain that the baud is Buddha; both can convey messages that open our eyes to both wisdom and absurdity concerning our existence.
We may choose to learn what we will from that which they convey, or we may only have it show us what we wish to see.
Like the philosophical/theological concept of the Buddha, the baud represents many manifestations of a largely invisible world that human civilization now depends upon.
But we all must protect itā¦especially those of us that may resemble devils (yet are not) and have the skills necessary to protect the worldās digital spaces against all manners of threat. (political, financial, InfoSec and otherwise).
