Metasploit-like framework to lessen the learning curve
Connecting the dots….
Footprints in the ether, and other
Sean Satterlee – Principal Security Engineer
THIS IS PURELY FOR EDUCATIONAL PURPOSE.
Myself, any identities that I may use, Net Source,
Inc., NetSourceLabs, NetSourceSecure and any
other organizations that I am affiliated with
cannot be held liable for any negligence or
illegal activity that may result in the disclosure
of the information included in this briefing.
A “howto” or “readme.txt”
A quick guide to a talk by me.
Topics will be all over the place
I will chase rabbits
I use profanity to make my point
I am passionate about my work
If you get up during this talk, be prepared to be heckled.
Did I mention that I will jump around on topics?
I will bring in points that I find interesting, while they might not be germane to the exact topic, you may find them useful.
If I switch languages for a certain word or concept, do not get angry. Write it down, Google it; you can figure it out for yourself.
I may repeat things every now and again.
I will chase rabbits
I need to make a “logic-chart” for following my talks
I should also remember to start using the “notes” feature for PowerPoint.
I like it when people clap immediately after pseudo-profound statements.
I do not like the obligatory applause at the end of my talks
My talks are interactive.
Several of my friends are in the crowd
Sometimes I will just skip slides because I don’t feel like talking about them. It’s alright though, you can download this slide deck.
The detailed sections are out of order. Sorry, I don’t want to fix it.
They are not “plants”, but I will sometimes call on them to help me remember anecdotes.
• A nice name for Corporate Espionage
• Knowing the business model for a given target
(read: client), and you will further understand
the areas of their infrastructure that may be
• Knowing more about your target will lead you
to appropriate attack vectors
• Is it necessary to publish this information?
• In short, the answer is no.
• Having information is one thing.
• Displaying that you have this information is
• An entire generation raised with the notion
that “knowledge is power” has caused this.
• Displaying this information as a means to
show power and to hinder someone else’s
operations is something completely different.
Forms of Reconnaissance and Intel
Subsets of Physical
– Done at multiple times throughout the day/night.
– Establish key employees and work shifts
– Use a rental car with a contour cam (HD), just leave it.
– Don’t get too close
– Use everything you can in BT5, or Kali
• Dumpster Dive
– Do this at night
– Avoid the critters
• Get a tour, make note of how physical security
– Electronic Keypads
– “Secure” keylocks
• Make note of the badges, if you are conducting
a social, you may need to create one.
• It doesn’t need to “work”, Just pass a glance.
#,0 (same time) followed by 0000
“Program” button, followed by 7777
#,9,# 123456 add your code by:
1234 (no lockout, just keep pecking)
Keys to a successful “Social”
• Accurate data
• Susceptible targets
• Curiosity killed the cat
• Think of this as a ‘reverse dead drop’.
Pseudo public place, and you WANT it to
– You may ask yourself, “who would actually
plug this in?”
– Now tell yourself, “too many people that
probably work with me.”
• The USB drop isn’t always needed
– If you can gain physical access:
• a rubber-ducky can be used to drop a payload and
a reverse, persistent shell
– If you can’t gain physical access:
• You can squeeze a rubber-ducky into anything that
uses a USB connection. Ship it to someone in the
target company. Human stupidity will take over,
and SOMEONE will plug it in.
Just how easy is that?
• Not calling anyone out, but certain people in
this industry are literally, batting 1000 using
– But seriously, how easy is it?
I was going to make a political joke
here, but… well, let’s just skip that
part as I don’t really have any
Quality of Sources
• None of these tools are worth the processing
power of launching them if you don’t know
where to look.
Sources, you say?
Public Records for target area
ESRI – GIS data
County Assessors office
• Go into the Kinko’s
closest to your target.
• Say you “forgot your
• They show you a box,
you say “that’s it!”
A quick note about ‘excessed
• Please wipe configs on hardware and
• 4th Saturday sales have yielded quite a
few Cis** devices with current configs for
an organization STILL ON THEM.
Create your own transforms
• There is a wealth of information in public
– Property taxes
– Marriages, divorces, VPO’s, traffic citations, etc
– Birth records, death certificates
Quality of Product
• Your information is only as good as your
– Use CORRECT and ACCURATE information. Do not
• The signal-to-noise ratio is horrendous
This entire section is total
• I will not pretend that neuro-linguistics has gotten me past some
serious security measures.
– However, a fake accent did get ri0t and me quite a few drinks in Vegas.
• How does it work?
– You appeal to a person’s sensibility and logic.
Seriously though, what does SE get us?
• It gets us physical access to a location to actually
DO the CD/USB drop
• If the target is in a shared office location, hang out
in the smoker’s area.
Pay attention to visual layout of ID badges in case you
need to fabricate one
– Possibly tailgate a person into a secure area
• Become a customer/client of the target.
• Remember, people are inherently stupid
and willing to trust. Exploit this.
– “Give them an ounce of quality lies, and you
will get a pound of truth in return.” - me
Qualify your statements and questions
• Don’t ask stupid questions that are DIRECT.
• You will always need to fill some gaps, it’s
important to do this without inferring a
• Be knowledgeable of the subject matter at
– This means taking an interest in whatever widget
you are trying to gather information about
• So what options do I have to exploit a location
using the information I have gathered?
Intranet access portals with weak user/pass combos
Sub-domains for test/development environments to
attack via web applications to extract data
– Complete Breach of network via wireless to create a
Wait, I just said wireless
“techie LUsers” – let me tell you why they are
your biggest problem.
“Why?” you ask?
• Because they are the ones that take it upon
themselves to create and fix things with only
half of the ‘larger picture’
• Which, in turn, just ends up causing more
How this can cause issues
• Vast majority of ‘labs’ are default passwords
• Rogue APs lack strong encryption or any at all
• A shared password used over an open wifi
• Unused accounts with the “default
How is this remedied?
Strengthen your policies
Educate users (yes, that’s twice on purpose)
– Old machine accounts in AD
– Maintenance (service) accounts
– Accounts that have never been used
• Try harder
• Enable yourself and your staff
– Come to local hacker meetings
– We will gladly show you stuff
• No such thing as a stupid question.
– Just stupid people, that don’t ask questions.
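The account cleanup items in the remediation list above (old machine accounts, maintenance/service accounts, accounts that have never been used) can be checked against a directory export. This is an added example, not part of the original slides; the field names, the sample rows and the 90-day and 14-day thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Assumed thresholds; the talk gives none. Tune to your own policy.
STALE_AFTER = timedelta(days=90)
NEW_ACCOUNT_GRACE = timedelta(days=14)

# Constructed sample rows, shaped like a directory export. Field names are
# hypothetical; map them from whatever your export tool produces.
ACCOUNTS = [
    {"name": "LAB-PC07$", "kind": "computer", "created": "2019-03-01",
     "last_logon": "2021-06-11", "enabled": True},
    {"name": "WS-1142$", "kind": "computer", "created": "2023-01-09",
     "last_logon": "2024-05-28", "enabled": True},
    {"name": "svc_backup", "kind": "service", "created": "2017-08-20",
     "last_logon": "2022-11-02", "enabled": True},
    {"name": "svc_sql", "kind": "service", "created": "2020-02-14",
     "last_logon": "2024-05-30", "enabled": True},
    {"name": "jdoe_test", "kind": "user", "created": "2022-10-03",
     "last_logon": None, "enabled": True},
    {"name": "newhire", "kind": "user", "created": "2024-05-27",
     "last_logon": None, "enabled": True},
    {"name": "oldtemp", "kind": "user", "created": "2018-01-01",
     "last_logon": None, "enabled": False},
]

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d") if s else None

def audit(accounts, now):
    """Return {account name: finding} for enabled accounts on the cleanup list."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing left to log in with
        created, last = _day(acct["created"]), _day(acct["last_logon"])
        if last is None:
            # Never used; skip accounts still inside the onboarding window.
            if now - created > NEW_ACCOUNT_GRACE:
                findings[acct["name"]] = "never used"
        elif now - last > STALE_AFTER:
            label = {"computer": "old machine account",
                     "service": "idle service account"}
            findings[acct["name"]] = label.get(acct["kind"], "stale user account")
    return findings

if __name__ == "__main__":
    for name, why in audit(ACCOUNTS, datetime(2024, 6, 1)).items():
        print(f"{name:12} {why}")
```

Review each finding with the account owner before disabling it; a service account that only runs quarterly will look idle at a 90-day cutoff.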
Any questions that relate to the actual
• I like to eat steak cooked medium rare
• I have two cats, a dog, a planted aquarium
and an entire school of carnivorous fish
• My favorite color is clear