Physical Methods of Information Gathering

Physical Methods of Information Gathering

There are a variety of physical methods for information gathering. Some require very little equipment and others require high-tech gear.  The one thing these methods have in common is that they can not be done from a remote location. You have to be on-site and in-person. This means that pretexting, the principles of influence, and other psychological factors are typically necessary to successfully use these methods. It’s important to note that no one source of information is the leading method to use. And there is not one method likely to give you enough data to secure your best chances for success. Your best bet is to use multiple methods of gathering information. And then synthesize the proper attack vector for the job from that data.

We always recommend that any of the activities described be explicitly approved by the target(s) within the scope of a sanctioned penetration test and that you carry a copy of a letter of authorization with you at all times.

Shoulder Surfing

One easy method of information gathering is to simply look over the targets’ shoulder, known as shoulder surfing. Information obtained can range from user IDs, to passwords, to confidential data seen in plain text. Shoulder surfing doesn’t have to mean intrusion into the target location. You can shoulder surf anywhere people open their computer to do work. It could be such places as coffee shops, airports, public transportation, hotel restaurant/bar, or an outdoor seating area just outside the office.

The following is a video by European Network and Information Security Agency which shows how easy it is to shoulder surf:

Original source: YouTube.

Intrusion/Roleplay

Intrusion is when the social engineer actually enters the building or property of the target in order to obtain information or as a direct form of compromise as covered under Impersonation. Posing as an employee, an outside contractor, or even an IT administrator, the social engineer can ask questions or offer to fix issues either in-person or over the phone (see Pretexting and Elicitation).

Intrusion calls for the social engineer to blend into the environment with the way they dress and behave. Activities or places that bring the social engineer into contact with target employees is an excellent opportunity to elicit information. Proximity to the employees can provide opportunities for conversation, eavesdropping, or possibly even covert cloning of RFID cards/badges.

Dark Reading highlighted a malicious social engineering attack where an unknown male used nothing but his wit and ability to build rapport to learn in which safety deposit boxes over 20 million dollars worth of diamonds were kept.

Tailgating

Also referred to as Piggybacking, is one way for a person to actually gain access to a secured building even if it has smart-card passes or biometrics. Normally those security measures can prevent unauthorized personnel from entering buildings, systems, or networks. Unfortunately, people can be too helpful and allow individuals into a secured door by holding it open for them. Because the individual appears to still be searching for their pass (that wasn’t there to begin with). An ‘employee’ or ‘technician’ running to catch the door before it shuts works just as well and allows a social engineer to access an otherwise inaccessible place. The following is a video by CLA showing how easy it can be to piggyback/tailgate into a building.

Original source: YouTube.

Reverse Social Engineering

Reverse social engineering is the practice of having already accessed the goal machine or network and having rendered it unusable; then the social engineer can offer to “fix it.” A social engineer can also plant a rogue access point or attempt to access authorized areas with information received earlier from the telephone, emails or websites.

Dumpster Diving

Dumpster diving is simply the process of going through trash to find something of value. It could be things such as, medical records, resumes, photos and emails, bank statements, financial account details, information about software, and tech support logs. This information can then be used to leverage an attack against a target.  As with most forms of social engineering, “Working smarter, not harder” is a good slogan. Doing hours of work brute-forcing a password or account number may be unnecessary. Especially when you can just obtain the same information from a discarded unshredded post-it note.

Legality

In the United States, it is legal take items that people discard in the trash/dumpster. However, if the dumpster is on private property, it is likely considered trespassing to enter the dumpster. For more information regarding the legality of dumpster diving see this article, California vs Greenwood.

We recommend you confirm the local laws of the area in which you will be conducting a penetration test. And always keep your authorization letter with you during a physical social engineering testing.

This video clip from Tiger Team demonstrates how a bag of trash can provide valuable information.  The team found valuable information about their target, such as the name of the company’s tech support. Using the information, they sent in a team member to act as a support employee. The rouse was successful. The team member receives full access to the company’s servers.

One of the best resources on dumpster diving in relation to the field of security is Johnny Long’s book No Tech Hacking. It’s full of amazing information regarding social engineering. It also contains pictures showing how you can get information without having to crawl inside a dumpster. For more information see our framework page Dumpster Diving.