There are a variety of physical methods for information gathering. Some require very little equipment and others require high-tech gear. The one thing these methods have in common is that they cannot be done from a remote location: you have to be on-site and in person. This means that pretexting, the principles of influence, and other psychological factors are typically necessary to use these methods successfully. No single source of information is the leading method, nor is any one method alone likely to give you enough data to secure your best chance of success. Your best bet is to use multiple methods of gathering information and then synthesize the proper attack vector for the job from that data.
We always recommend that any of the activities described be explicitly approved by the target(s) within the scope of a sanctioned penetration test and that you carry a copy of a letter of authorization with you at all times.
Dumpster Diving
Dumpster diving is simply the process of going through trash to find something of value, such as medical records, resumes, personal photos and emails, bank statements, financial account details, information about software, and tech support logs. This information can then be used to leverage an attack against a target. As with most forms of social engineering, “Working smarter, not harder” is a good slogan. Doing hours of work brute-forcing a password or account number may be unnecessary when you can simply obtain the same information from a discarded, unshredded Post-it note.
An older television series called Tiger Team demonstrated how a bag of trash was used to find valuable details about their target. Using the name of the company’s tech support vendor, they were able to send in a team member to act as a support employee, who was then given full access to the company’s servers.
One of the best resources on dumpster diving in relation to the field of security is still Johnny Long’s book “No Tech Hacking.” This book is full of excellent information regarding social engineering, and it includes many pictures of the kinds of information that can be obtained from the trash without even having to crawl inside a dumpster. For more information, see our framework page Dumpster Diving.
In the United States, it is legal to take items that have been discarded in the trash or a dumpster. The caveat is that if the dumpster is on private property (not on a street corner or in a public alleyway), then going onto the property and entering the dumpster is likely considered trespassing. For more information regarding the legality of dumpster diving, see the article on California v. Greenwood.
We recommend that you confirm the local laws of the area in which you will be conducting a penetration test, and always keep your authorization letter with you during physical social engineering testing.
Intrusion
Intrusion is when the social engineer actually enters the building or property of the target in order to obtain information, or as a direct form of compromise as covered under Impersonation. Posing as an employee, an outside contractor, or even an IT administrator, the social engineer can ask questions or offer to fix issues, either in person or over the phone (see Pretexting and Elicitation).
Just like the phrase “When in Rome, do as the Romans do,” intrusion calls for the social engineer to blend into the environment in the way they dress and behave. Engaging in activities or frequenting places that bring the social engineer into contact with target employees is an excellent opportunity to elicit information. Proximity to the employees can provide opportunities for conversation, eavesdropping, or possibly even covert cloning of RFID cards/badges.
Dark Reading highlighted a malicious social engineering attack in which an unknown male used nothing but his wit and ability to build rapport to learn which safe deposit boxes held over 20 million dollars’ worth of diamonds.
Tailgating
Tailgating, also referred to as piggybacking, is one way for a person to gain access to a secured building even if it has smart-card passes or biometrics. Normally those security measures prevent unauthorized personnel from entering buildings, systems, or networks. Unfortunately, people can be too helpful and will let individuals through a secured door by holding it open for them because the individual appears to still be searching for their pass (which wasn’t there to begin with). An ‘employee’ or ‘technician’ running to catch the door before it shuts works just as well and allows a social engineer to access an otherwise inaccessible place. The following is a video by CLA showing how easy it can be to piggyback/tailgate into a building.
Original source: YouTube.
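Tailgating leaves no badge swipe of its own, so the defender's trace of it is indirect: a badge that exits without ever having entered, a badge that enters twice without an exit (a cloned card, or a holder who earlier tailgated out), or a door-held-open alarm right after a legitimate grant. The following is an added example, not code from the Social Engineering Framework, that runs those anti-passback and held-door checks over a constructed badge-reader export; the CSV layout (timestamp, badge id, door, event), the event names, and the 30-second attribution window are assumptions for the example, and a real access-control system's export will need its own parser.

```python
"""Anti-passback and held-door checks over a constructed badge-reader log.

Added example; the log format and event names below are invented for
illustration and are not a real vendor's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp, badge id (empty for door alarms), door, event.
SAMPLE_LOG = """\
2024-03-04T08:01:10,B1001,lobby,GRANTED_IN
2024-03-04T08:01:14,B1002,lobby,GRANTED_IN
2024-03-04T08:01:15,,lobby,DOOR_HELD
2024-03-04T08:03:40,B1003,lobby,GRANTED_IN
2024-03-04T09:15:00,B1003,lobby,GRANTED_IN
2024-03-04T12:00:05,B1004,lobby,GRANTED_OUT
2024-03-04T12:30:00,B1001,lobby,GRANTED_OUT
"""

# A held-door alarm this soon after a grant is attributed to that badge holder.
HELD_DOOR_ATTRIBUTION_WINDOW = timedelta(seconds=30)


def parse_log(text):
    """Turn the constructed CSV export into (time, badge, door, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, event = line.split(",")
        events.append((datetime.fromisoformat(ts), badge or None, door, event))
    return events


def analyze(text):
    """Replay the log and collect tailgating indicators.

    Returns a dict with:
      double_entry       - badge granted entry while already recorded inside
      exit_without_entry - badge granted exit with no prior entry (likely tailgated in)
      door_alarm         - DOOR_HELD / DOOR_FORCED events with the attributed holder
      still_inside       - badges with an entry but no exit at end of log
    """
    inside = set()          # badges currently recorded as inside
    last_grant = {}         # door -> (time, badge) of the most recent granted entry
    findings = defaultdict(list)

    for ts, badge, door, event in parse_log(text):
        if event == "GRANTED_IN":
            if badge in inside:
                findings["double_entry"].append((ts.isoformat(), badge, door))
            inside.add(badge)
            last_grant[door] = (ts, badge)
        elif event == "GRANTED_OUT":
            if badge not in inside:
                findings["exit_without_entry"].append((ts.isoformat(), badge, door))
            inside.discard(badge)
        elif event in ("DOOR_HELD", "DOOR_FORCED"):
            holder = None
            if door in last_grant and ts - last_grant[door][0] <= HELD_DOOR_ATTRIBUTION_WINDOW:
                holder = last_grant[door][1]
            findings["door_alarm"].append((ts.isoformat(), door, event, holder))

    findings["still_inside"] = sorted(inside)
    return dict(findings)


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Each finding is only an indicator: an exit without entry is also what a forgotten badge-in looks like, so the value is in correlating it with the door's camera and with the held-door alarm that names the person who was holding the door. An anti-passback rule enforced live at the reader (refusing a second entry until an exit is logged) turns the same logic from after-the-fact detection into prevention.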
Reverse Social Engineering
Reverse social engineering is the practice of having already accessed the target machine or network and having rendered it unusable; the social engineer can then offer to “fix it.” An excellent remote device is something like this one, which sends audio or lets you listen in through a standard GSM card. A social engineer can also plant a rogue access point or attempt to access authorized areas with information obtained earlier from telephone calls, emails, or websites.
Shoulder Surfing
One easy method of information gathering is to simply look over the target’s shoulder to view a plethora of information, commonly called shoulder surfing. Information obtained can range from user IDs, to passwords, to confidential data seen in plain text. Shoulder surfing doesn’t have to mean intrusion into the target location. It can also be done anywhere people open their computers to do work, such as coffee shops, airports, a hotel restaurant or bar, or even an outdoor seating area just outside the office on a nice day.
The following is a video by the European Network and Information Security Agency (ENISA) which shows how easy it is to shoulder surf:
Original source: YouTube.