Last week, I shared a story about how we took down a network using a sticky note. You can read more about that in “Social Engineering Stories #1 | Advanced Email Protections Prevent Social Engineering! Or Does It?” This week, I want to share a little story about persistence.
“It’s not that I’m so smart, it’s just that I stay with problems longer.” - Albert Einstein
There’s a lot that can be said about persistence being the key to success and how those who succeed are just the ones that didn’t give up. Honestly, it’s become so cliché that I think most of us just tune out when the topic is brought up, but I wanted to share a story about a recent engagement that would have failed if we had just taken “no” for an answer.
Note: Any names, titles, or companies mentioned in this post have been sanitized to protect the identity of our client.
Table of Contents:
- Who are these guys?
- Everybody loves lunch breaks
- Getting inside, but how far?
- Man, can somebody please fix this printer already?
- Wearing many hats
Who are these guys?
This test was completely black-box. This meant that we didn’t know anything about the company, who worked there, what their phone numbers were, or even how many employees they had. We were given two addresses and were tasked with getting inside by social engineering their employees. Sounds simple enough, right?
We pulled up to the address and quickly realized we were in for a challenge. At first, there appeared to be only a single way in or out, which was through a security gate manned by a guard 24/7. We figured we’d first try pulling up to the gate, pretend to be a customer, and ask to go inside. However, we were quickly turned away when we tried this, as customers were only allowed on weekends. This was rejection #1.
Everybody loves lunch breaks.
Great, so now the guard knows what we look like and the make/model/color of our vehicle. Because of this, we knew we would need to find another way in, at least until a shift change occurred and a new guard was posted. We drove around a bit until we found something we didn’t expect in a Taco Bell parking lot. Apparently our client has employees that love Chalupa Supremes, because there was a staircase that leads directly down into their own parking lot! There’s a gate at the top of the staircase left wide open with a sign that states “COMPANY EMPLOYEES ONLY”. Damn. If only there was a way to ignore a sign.
While we could have impersonated an employee, we still didn’t know the names of management personnel, nor what an employee badge would look like. Instead of taking the risk of being stopped and questioned as fake employees, we decided to stick to our favorite go-to: Construction Workers. One Google search on “Site Survey Checklist” and two satellite image printouts later, we were ready to go as hired personnel to, uh.. survey the site?
We throw our paperwork onto a clipboard, dress up with our hardhats, put on our “badges” that we printed from Staples and head towards the stairs from the Taco Bell. As we approach the staircase, we realize we may have made a mistake. Two guards are posted at the bottom of the staircase looking up at us wondering why we’re there. We couldn’t turn around now; the only choice was to keep pressing forward.
Talking amongst ourselves: “According to this printout, the line seems to run underground over to the Northeast side of the building.. Is that this side?”
*Guards continuing to look up at us suspiciously.*
“Hmm, I’m not sure, let’s ask these guys. Do you guys know if this is the Northeast corner?” We say to the guards as we point to our satellite image printout on the clipboard. “We’re supposed to be doing an inspection, but this place is huge and we think we might have gotten turned around.”
Any suspicion they had is immediately gone as we continue to engage in conversation. “Actually I think you guys are looking for the other side of the building, but you’ll want to drive over there, it’s quite a long walk” says one of the guards.
We reply back with “That’s okay, we’ve got to inspect the whole place so we’ll just start over here”, as we try and walk away towards the target building.
“No really, you’ll need to go get your car and go through the security gate. As long as you check in, we won’t follow you around.” Well that’s helpful information, isn’t it? Before leaving, we ask the security guard for his name. “I’m Chewy”.
While we were technically turned away, we did at least gain some helpful information. We know the name of a security guard that we may be able to name drop later, as well as an understanding that making it through the security gate should give you unattended access to the building. This was rejection #2.
Getting inside, but how far?
We gave it some time before heading towards the security gate again since the guard there would likely remember us as the “lost customers”. After a couple hours, we decided to take a gamble that the guard from the morning has left and we’d be greeted by somebody new. Our bet paid off.
As we drive up to the security booth, we flash our badges and say “Hey, we’re here with <Fake Company Name> to do a quick site survey.” Seconds later the gate was opening and we were allowed inside without a single question or note taken about who we were and why we were there. This was a huge downfall for them, as returning with a different identity down the road would be much harder if our license plate was already associated with this fake company.
Normally, vendors would need to check in through the main entrance so that they can be escorted around while onsite. Yeah, forget that, let’s just drive around the building until we find an open door. Given that this was a very large warehouse, it didn’t take very long.
We walk in through a door that is propped open and are immediately questioned by a nicely dressed man who is clearly some member of management (we later find out that he’s the director of corporate security.. oops). “Hey! Can I help you?” he shouts to us as we attempt to walk in.
“Yeah actually, is this the Northeast corner?” we say, again pointing down to the image on our clipboard.
A moment of silence passes as the man looks at the clipboard. You can see his brain working as he tries to decide how to respond before replying with “Oh okay, I see. You’ll want to head down this way, take a right, and keep on walking until you see blah blah blah”.
Well that was easy! We thank the man and we head on our way, completely unattended throughout the warehouse. Next, we approach a door, secured with an RFID reader, that appears to lead inside the corporate office area. We wait around for somebody to exit the door, slip in, and realize we’re right in the middle of what seems to be their IT Department as there are server health monitors, ticket dashboards, and all other metrics on display from TVs mounted around the room. Knowing these guys would be the most likely to call BS on us taking pictures of computer screens and claiming it’s “for a site survey”, we quickly get ourselves out of this area and continue to walk around.
Construction dudes walking in a warehouse, no big deal. Construction dudes walking around a bunch of cubicles while people are working raises a few red flags. Knowing we were drawing a lot of attention, we decide to make our visit quick. A quick tour of the office area allowed us to make mental notes of areas of interest: Payroll Office, Mailroom, Server Room, etc. Before anybody started questioning us too heavily, we decide to leave.
Man, can somebody please fix this printer already?
While our first trip inside was very insightful, we knew we were not going to be able to gain access to the sensitive areas of the building without a better ruse. While we were inside however, we noticed that a large Konica printer they used had a sticker on it showing that it was a managed printer from a company named “Elite Printers”. Armed with this information, we ran back to Staples and created ourselves some more badges! Man, getting hired as a printer technician sure is easy.
Since our printouts worked so well last time, we went ahead and printed out a fictional work-order for “Preventative Maintenance” and “Documentation Updates” that must occur on the printers after-hours. You know, because printers are critical infrastructure and we can’t do this work if the office is full of people. Obviously.
From some vishing we did earlier in the assessment, we learned that most folks seem to head home around 5 PM. So we wait a bit after 5 PM and head onsite closer to 7 PM. As we approach the security gate a third time, we let the guard know why we’re there, and he again lets us through without taking any information down about us.
We take a quick drive around the building, looking for a way in, but find that all of the doors seem to be tightly locked this time around. Eventually, we find a small parking lot that is nearly full of cars, so we decide to park here and attempt to tail-gate our way inside the building. Twenty minutes go by before we see anybody come out, so we jump on the first opportunity we see.
As a woman walks out the door towards the parking lot, we spark up a conversation with her. “Hey there, would you mind holding the door for us? We’re here to do some work on the printers, but our badges aren’t letting us in.”
“I’m going to have to get a supervisor for this, hold on” she says as she heads back inside. While it was frustrating for us, she actually did a great job on making this decision! A few minutes later, she comes back outside with another woman who introduces herself as the manager of this department. She asks us who we are and why we’re there.
“Sorry to bother you. Our manager forgot to sort out the details of how we’re supposed to get inside, but we have a work order here to take a look at a few printers. Could you let us in so we can be on our way?”
She wasn’t buying it, and replies with “Nobody told me you were supposed to be here, I’m going to have to check on a few things.” Again, we’re left outside waiting. A few minutes later all of the employees of this department start flooding out the door. This is why doing your homework is so beneficial — if we knew that they all got off work at this time, we could have just waited a bit longer and probably snuck in through the crowd.
It isn’t long until we’re joined by security. And guess who it is? Our good friend Chewy from the previous day. At this point I start to worry that we’re busted. I mean the guy just saw us yesterday as construction workers and now here we are as printer technicians, surely he’d recognize us?
He walks up to us and starts asking us the same typical questions “Who are you?” and “Why are you here?”. We repeat the spiel and, to my surprise, he doesn’t connect the dots that we were here yesterday!
“I’m trying to get our boss on the phone..” we say as we pretend to be on a phone call, “but he isn’t answering. I’m hoping we can get this sorted out so we can just do our job and head home, it’s been a long day.”
Chewy agrees and tries to call his boss. “I can’t get my boss to answer either!” he says. We all laugh together about the situation, which completely defuses any tension there may have been.
The manager returns to the door and apologetically states “Sorry guys, I checked with help desk, the only guys still here, and they aren’t expecting you either. Who is it that set this up?”
“I’m not sure, our boss just sent us here to perform the work and now we can’t get him on the phone.” We say, showing frustration on our faces.
“Well you’ll need to come back during regular business hours from 8 AM – 5 PM, after scheduling something with our director. Her name is <name>. As long as you schedule things with her, she should be able to let us know to expect you.”
As a last ditch effort, we say “but we’re already here and are on a very tight schedule. I’m happy to show you the work order”, as we point to our clipboard, “if you can just let us in we should be in and out in no time.”
“I can’t do that, we have protocols we have to follow, and nobody knows why you’re here. I’m sure you’re legit, I can see your badges and I know we do business with your company, but I can’t let you in.” This was rejection #3.
Boom! Yes, we were rejected, but she just confirmed that simply knowing a vendor’s name and creating fake badges will lend credibility in our favor. Knowing we’re not going to get inside through her, we reply with “We understand. We’ll get something scheduled and try to come back later.”
As we walk away, Chewy starts asking for our information. “Hey, let me grab your name and vehicle information. What company is it you’re here with again?” At this point, his phone starts to ring. It’s his boss, Shane, calling him back. He takes down our information and then hands over the phone to us.
Shane: “Sorry that we can’t let you in, we just have no idea why you’re here and who authorized you.”
Us: “We understand, we’re sorry for any confusion. If only we could just get our boss on the phone to sort all of this out.”
Shane: “Well how about you have your boss call me tomorrow? As long as I speak with him ahead of time, I’ll make sure my guys know to let you in.”
And just like that, we have a plan for tomorrow.
Wearing many hats.
The next day comes, and we wait until 5 PM before calling Shane. We know that we need his approval to let us in, but we don’t want to call while people are still there for him to verify with. As the evening approaches, I spin up my phone spoofing software and give him a call from the Elite Printers “office” number.
No answer. A few more attempts. No answer. Finally, I decide to leave a voicemail.
“Hey Shane, this is Rick over at Elite Printers. I sent a couple guys out last night, but they had trouble getting inside and were told to have me give you a call? Look, we’re running late on this project so I’m going to send them back over tonight at 8 PM. Please make sure to have your guys know to let them in.”
Although we didn’t make it through to the head of security as we planned, we decided to continue with the plan anyway. We wait for 8 PM to roll around, and then we head back onsite and approach the security gate.
“Hey it’s us again with Elite. Chewy should be expecting us, is he around?” This simple sentence is all it took to get through the gate, yet again.
We’re allowed in, and we park our car as we wait for Chewy to approach. Before long, he rolls up and asks “Hey guys, you got everything sorted out?”
Us: “Yeah, our boss talked with Shane earlier and said we should be all good”, we say, knowing damn well that we never made it through to Shane.
Chewy: “Ugh, Shane didn’t tell me anything. Let me get him on the phone.”
He calls his boss yet again, who insists that he never received a call from us and denies us entry. This was rejection #4.
This time we decide to be more persistent now that we have Chewy on our side. “Chewy, is there anybody else here we can talk with?” we ask. He replies with “Well I guess I could check with the folks upstairs. Let’s drive around to the back-side of the building, follow me.” We get in our car and drive to the other side (we weren’t kidding when we said this place was huge).
“Wait here” he says as he gets out of his cart and walks in through a backdoor. As he goes inside, I notice that the door doesn’t appear locked and doesn’t close all of the way. I make a note of this and mention it to my partner as a potential way in should we need to come back. A few minutes later, Chewy returns.
Chewy: “I’m sorry guys, nobody knows why you’re here and they won’t come down to talk with you.” This was rejection #5.
Us: “Let us get our manager on the phone and we’ll get this all sorted out. If we don’t get this job done today, we won’t get paid. We’re already short staffed due to the Covid situation.”
Chewy: “If it were up to me, I’d say just forget it and let you in, but I’ll get fired if I do that. Let’s head back to the front, I’ve got rounds to do as I’m the only other one here.”
Us: “No worries man, we don’t want you to get in trouble. Go ahead and do your rounds and we’ll just stay here and make a phone call real quick.”
He leaves us unattended, so we try and call Shane one last time while sitting in our car. Still no answer. Guess that only leaves us one other choice! We hop out of the car and walk in through the unlocked door. This gets us inside the warehouse, but we still need to slip into the corporate office area, and we need to do it quickly.
We find a door that leads to the offices, but it’s locked and secured with another RFID reader. Luckily for us, there was a janitor still around who happily badged us through, thank you janitor man.
At this point we feel a brief sense of relief, as we’re finally in the corporate offices, unattended, with nearly nobody here. This didn’t last long though, as Chewy quickly found his way to us and wasn’t too happy. “What are you guys doing in here? Shane never called me to allow you in!”
Us: “Really?? Our boss just told us he got off the phone with him. What’s going on?”
Chewy replies with “I’m not sure, but I can’t have you in here unless Shane says it’s okay.” At this point he’s eagerly rushing to get us out the door while he tries to get Shane on the phone yet again. This was rejection #6.
We follow Chewy outside, and this time he makes sure to lock the door behind us. There’s definitely no way we’re getting in now without direct authorization, so we decide to text a member of our pentesting team back home. We fill him in on the situation and ask him to call Shane directly, pretending to be our supervisor. A few minutes later, Chewy gets a call from Shane.
Chewy: “Alright! Shane just got off the phone with your boss and you’re clear to go. Let’s get you inside.”
Finally, our persistence paid off! There’s a tiny bit more to this story, but it ends with us gaining access (along with an escort) to all sensitive areas of the building, including the server room and CEO’s office.
Whether you’re a pentester who can relate, a business owner looking for tips on how they can better train their employees, or just some dude who likes to hear about people getting tricked, I think we all can find value in this story. We would have never been successful had we given up when we were told “no” the first, second, third — hell, even the sixth time! We didn’t need to use aggressive force. We didn’t need to use evil manipulation. We simply just needed to act like we belong, have a solid pretext, and stick with it.