There are a variety of physical methods for information gathering; some require very little equipment and others need high-tech gear to pull off properly. The one thing these methods have in common is that they cannot be done from a remote location: you have to be on-site and in person. This means that pretexting, the principles of influence, and other psychological factors are usually necessary to use these methods successfully. No single source of information is the leading method, nor is any one method alone likely to give you enough data to secure your best chance of success. Your best bet, and the route many criminals take, is to use several methods of gathering information and then synthesize the right attack vector for the job from the combined data.
We always recommend that any of the activities described be explicitly approved by the target(s) within the scope of a sanctioned penetration test, and that you carry a copy of a letter of authorization with you at all times.
Dumpster diving is simply the process of going through the items a person or organization has thrown away to find something of value to you. The items and information found can be devastating: medical records, resumes, personal photos and emails, bank statements, financial account details, information about installed software, tech support logs, and much more. All of it can be used to leverage an attack against a target. As with most forms of social engineering, “Work smarter, not harder” is a good slogan. Spending hours brute-forcing a password or account number is silly when you can simply obtain it from an unshredded sticky note that was tossed in a trash bag.
An older television series called Tiger Team has an example of how valuable this form of information gathering can be. In one episode, a team of social engineers demonstrated how they used a bag of trash to find valuable details about their target. Once they had located the name of the tech support team, they were able to send in a team member posing as a support employee, who was given full access to the target's servers.
One of the best resources on dumpster diving in relation to the field of security is still Johnny Long’s book “No Tech Hacking”. This book is full of amazing information regarding social engineering, and it has great pictures of the kind of information that can be obtained from the trash without even having to crawl inside a dumpster.
One example occurred in Albuquerque, New Mexico, when a stack of documents containing people’s personal information, including Social Security numbers, was seen in a dumpster outside an Albuquerque tax preparation business, carelessly tossed there for anyone walking by to see or take. In the United States, trash left out for collection in a public place is generally treated as abandoned and may be searched or taken; the caveat is that if the dumpster sits on private property (not on the street corner or in a public alleyway), entering the property to get at it is likely trespassing. Here is a small collection of legal cases won by companies who caught people sifting through and taking their trash. We recommend you confirm the local laws of the area in which you will be pentesting and always keep that letter of authorization on you during physical social engineering testing.
Intrusion is when the social engineer physically enters the building or property of the target, either to obtain information or as a direct form of compromise (as covered under Impersonation). Posing as an employee, an outside contractor, or even an IT administrator, the social engineer can ask questions or offer to fix issues, either in person or over the phone (see Pretexting and Elicitation).
Dark Reading highlighted a social engineering attack in which an unknown man used nothing but his wit and ability to build rapport not only to gain access to the necessary key but also to learn which safe deposit boxes held over 20 million dollars’ worth of diamonds. Apparently all he gained during the intrusion itself was information, but that information was enough for him to walk away with the diamonds.
Just as the phrase “When in Rome, do as the Romans do” suggests, intrusion calls for the social engineer to blend into the environment in the way they dress and behave. Engaging in activities or frequenting places that bring the social engineer into contact with target employees is an excellent opportunity to elicit information. Proximity to employees provides opportunities for conversation, eavesdropping, or even covert cloning of RFID cards/badges. Low-frequency (125 kHz) proximity badges that broadcast a static ID can be read and replayed with inexpensive hardware from a short distance, while badges using mutually authenticated high-frequency credentials are considerably harder to clone, so identify the badge technology in use during reconnaissance.
Also referred to as piggybacking, tailgating is one way for a person to gain access to a secured building even when it uses smart-card passes or biometrics. Normally those controls prevent unauthorized personnel from entering buildings, systems, or networks. Unfortunately, people can be too helpful and will let someone through a secured door by holding it open while the person appears to search for a pass (that was never there to begin with). An ‘employee’ running to catch the door before it shuts works just as well and gives a social engineer access to an otherwise inaccessible place. Here is a nice video (albeit a little goofy) showing how easy it is to piggyback/tailgate into a building.
Original source: YouTube.
Reverse Social Engineering
Once inside the target, a social engineer can also plant a rogue access point or attempt to reach restricted areas using information gathered earlier by telephone, by email, or from websites. Reverse social engineering turns the usual approach around: the attacker first causes a problem (for example, by rendering a machine or network segment they have already reached unusable) and then positions themselves as the person who can “fix it,” so the target voluntarily hands over access and credentials. A useful remote device for this kind of work is a small GSM listening bug: a device fitted with a standard SIM card that transmits audio or lets you dial in and listen.
One easy method of information gathering is to simply look over the target’s shoulder, commonly called shoulder surfing, to view a plethora of information. Information obtained can range from user IDs, to passwords, to confidential data seen in plain text. Shoulder surfing doesn’t require intrusion into the target location. It can be done anywhere people open their laptops to work: coffee shops, airports, hotel restaurants and bars, or even an outdoor seating area just outside the office on a nice day.
The following is a video by the European Network and Information Security Agency (ENISA) which shows how easy it is to shoulder surf:
Original source: YouTube.