Jayson E. Street’s subject in this part is the different tricks to apply during penetration engagements, and the rules he sticks to in his work.
Now I’m not talking about the social engineering part so much, as this is all the damage I’m going to do after your security guy lets me through the front door. Because the number 1 fact is, I’m getting in. I took this picture, I kid you not, when I was going to meet the guy for the first part of our meeting, and as soon as I got into the concourse and saw the employee door for the security area (I was like “Oh, you’ve got to be joking me”), I walked right over, pushed 135 – guess what, I got in! I would have tried 531 or 315. You should have seen the guy’s face when I showed up 10 minutes before our meeting and no one knew I was there. So, that was fun.
Here’s the other one. I went to apply for another “job”, and when I’m on these engagements I like to be bad, so when I signed in with the receptionist, I stole the pen. I’m a bad guy, that’s what we do. So as soon as I finished getting the pen and signing in, I asked the girl where the bathroom was. It’s not because I drink so much frickin’ Diet Pepsi, it’s just because I get lost very easily, and I will wander buildings looking for that darn bathroom for hours. You can’t believe the things I can get into. Well, I’m going through and actually happened to stumble into the secured area, or part of the employee area. I was looking for the bathroom and I found the employee entrance… This is a facility actually equipped with a million-dollar security system. And I looked at the door and saw this little rod thing they were latching the door with. And then I remembered – oh, wait, I’ve got a pen! So I took the pen that I stole, put the cap on the rod, the door shut perfectly, and it didn’t latch! So I leave, then come back in about 20 minutes or so – it’s still there, I’m now in a secured facility, and no one knows.
I’m not a master locksmith; I tell people I don’t have to be a master locksmith if your people will let me through the front door. I don’t have to be a massive ninja coder, which I’m not, if I can just steal your hard drive with all your data.
Here’s another key: I love forging emails and putting them on an iPad (see image). The key is to put them on an iPad. If you forge an email and print it out, they’re gonna think it’s fake: “Oh, you just typed this up”. You put it on an iPad – the blue hyperlinks stay hyperlinked, and also it’s like: it’s on an iPad, it’s magical, you must be telling the truth. So I was up in that secured facility in New York, and the network guy noticed an unusual amount of traffic coming from the computer of the CFO’s assistant going to their main server, and he was worried about what was going on. It was me. And so he comes over and asks: “What’s going on? What are you doing?” And I start telling him exactly why I’m there. I spent 2 hours on Google creating this email, making it sound like the new owner of this company was upset and had sent an email to the other company that he owns to send one of his guys out (me) to go look at the network. And I made it sound very political, and that it was supposed to be a surprise so that no one knew I was supposed to be there.
So I showed this to the networking guy. Well, he sent me to his office; we went to his office and talked to the CIO for about 10 minutes, and the employee then started to escort me around to all the other computer desks and stuff, you know, so I could plug in my malware… And I had an employee escort, so I had to be okay. So I actually could finish the rest of the engagement, having someone help me and make sure that people knew I was okay to be there, plugging in my USB devices and doing whatever else. I really loved that email.
I’ve got 2 rules, but guess what – looking for PCI is not one of them. I don’t really care, I just wanna eff you up, I just wanna mess you up in the worst possible way, I wanna be the worst thing to ever happen to you at the worst possible time (remember the kittens). So this is why I’ve got my 2 rules; I got them from “Serenity”, which was based on the series “Firefly”. And these 2 quotes are very simple: “I aim to misbehave” and “Let’s go be bad guys”. That’s it, I’m just trying to do bad. To team it up, it’s like “red team” – don’t act surprised when we try to kick you below the belt. It’s like bank managers are still being kidnapped today, taken to their home, their family held hostage overnight until they go open up the bank for the bank robbers. That’s not funny, that’s real. This stuff still happens.
Another thing is – what we’re doing is not a new concept. This is from 1992, the movie “Sneakers”:
– So, people hire you to break into their places…to make sure no one can break into their places?
– It’s a living.
– Not a very good one.
But this is indeed an old one. Better people than me talk about it a little more technically – like I said, I’m the comedy relief on this, but let’s keep going.
Another thing that we have to understand is that management is not proactive, it’s reactive. Dan Erwin said in 2008: “The best way to get management excited about a disaster plan is to burn down the building across the street”. Hello everyone, let me introduce myself – I’m the fire… So what we’re gonna get to now is the fun part, and the fun part is talking about all the different ways that we can start those fires.