Tales From the Road: How Social Engineering Penetration Testing Proved to be A Fruitful Method of Attack

Tales From the Road: How Social Engineering Penetration Testing Proved to be A Fruitful Method of Attack

During an engagement with a financial services client, DirectDefense relied upon social engineering (and other tactics) to penetrate their physical offices and wireless networks.

Performing a combination of physical and wireless penetration testing is always a unique experience for DirectDefense consultants. From location to business type, our team has experienced and learned a lot over the years of attempting to break into businesses such as educational establishments, water treatment facilities, and communication companies. One consultant learned from these experiences that social engineering penetration testing tactics are particularly useful in these endeavors, especially when combined with just a sprinkle of spoofing. Easy as one, two, three, this consultant has the practice down backward and forwards, which should be taken as a warning that malicious attackers could do the same.

In a recent physical and wireless penetration testing engagement, this consultant employed social engineering penetration methods throughout the half-day-long assessment, during which time he successfully gained access to both the client’s physical offices and their wireless networks. Demonstrating the power of acting as you belong and just how far it can get someone with malicious intent, the consultant identified the client’s security threat vectors and made recommendations for adequate remediation.

A Plan of Attack

In this engagement, our consultant set out to test the security of our client’s physical facility using strategic social engineering techniques with the primary goal being to assess vulnerabilities and enhance overall security measures. If successful, the consultant would progress to attempting to access the client’s internal and wireless networks.

The entire process was carefully orchestrated, drawing on insights from both the client’s input and the consultant’s reconnaissance efforts before and during the journey. To breach the physical premises, the consultant leveraged a tried-and-true tactic honed through multiple physical penetration tests in the past year: phone number spoofing coupled with infiltration of the client’s Microsoft Teams platform.

By exploiting vulnerabilities within the client’s Microsoft Teams account, the consultant identified an out-of-office employee. Capitalizing on this, they reinstated the employee’s status to “in-office” and access their personal information, including their phone number. Using SpoofCard, a readily available application, they called the client’s building security desk. Posing as the employee whose Teams account he had accessed, the consultant instructed the security guard to issue a visitor’s badge to an unregistered guest expected shortly. Not long after, the consultant entered the building, strolled right up to the desk, and was given the visitor’s badge without being asked for identification.

And just like that, our consultant had gained access to the client’s physical facility with little effort. Making his way through the badge-activated turnstiles in the lobby, he was soon on his way to the client’s floor of the building via elevator without anyone noticing an imposter was amongst them.

Accessing the Wireless Networks

To the client’s credit, there were yet more physical barriers in our consultant’s way when he stepped off the elevator. Yet the power of social engineering penetration testing tactics prevailed when our consultant simply employed a tailgating technique to finish making his way through these physical barriers and into the client’s offices. Finding an unoccupied one, he set to work on the wireless penetration testing aspect of this engagement.

Quickly finding a network port with an ethernet cable, the consultant pulled out a Raspberry Pi device from his pocket and connected it. At this point, however, an employee had finally noticed that an unknown person was up to something in an empty office and came over to see what was going on. Yet again, our consultant was able to escape suspicion simply by acting like he belonged and impersonating an IT professional. The suspecting employee quickly accepted this cover and left the consultant alone in the empty office once again.

After determining that the Raspberry Pi had successfully established a connection and made a callback to the DirectDefense team, the consultant took a look around for other opportunities to penetrate the client’s networks.

Discovering an unattended and unlocked computer, the consultant seized the opportunity to utilize a USB Rubber Ducky device in an attempt to access its contents. However, the employee returned to their desk mid-process. Swiftly adapting, the consultant employed additional social engineering tactics, persuading the employee that he was an IT professional addressing a keyboard malfunction on the device (an issue that he made up on the spot with his fingers metaphorically tightly crossed).

By some stroke of penetration testing luck, the employee was actually having keyboard troubles and thus bought into the consultant’s narrative, leaving him uninterrupted for several minutes. Within this window, the consultant effectively installed a back door on the computer, and the power of social engineering penetration testing tactics was proven yet again.

Recommending Remediations

From start to finish, this engagement only took the better part of one afternoon, during which time our consultant was able to break through both physical and wireless network security measures with relative ease. Despite the protocols in place, which normally call for no unregistered visitor passes being given and unknown persons to be reported by employees, our consultant gained access to the building, offices, and wireless networks without so much more than a questioning glance from the client’s personnel. Everything our consultant uncovered drives home the importance of conducting regular security assessments and continuous security training for all personnel.

To remediate the security threat vectors discovered during this engagement, our consultant and the DirectDefense team specifically recommended the following:

1. Visitor Verification Procedures – Implement a strict visitor verification process with pre-registration, digital verification, and real-time notifications. Visitors must show ID, wear time-sensitive badges, and be escorted in secure areas. Restrict elevator access to employees with badges for floor security.
2. End-User Security Awareness Training – Enhance security training to cover in-person attacks, unescorted visitors, and phone social engineering like Caller ID spoofing. Teach staff to confront unfamiliar faces and handle tailgating and piggybacking. Utilize results from physical penetration tests for training.
3. Network Segmentation / NAC – Review network segmentation and ACLs to align with least privilege and data classification policies. Implement Network Access Control (NAC) to prevent unauthorized devices from accessing internal network segments.
4. Egress Filtering – Improve egress filtering to prevent unauthorized downloads and data exfiltration. Restrict outbound communication and tighten port and destination controls based on business needs. Strong controls help contain compromises and deter data movement out of the organization.
5. Security Monitoring and Alerting – Enhance internal network monitoring for security events, including unauthorized device connections, data egress, and vulnerability scanning. Consider implementing or enhancing User Behavior Analytics (UBA) and Security Information and Event Management (SIEM) correlation features to detect suspicious user activity. Enable real-time response to high-priority alerts 24/7.
6. Fortify Microsoft Teams External Domains Communication – By default, all external domains are permitted. You can allow or block specific domains to define trusted organizations for external meetings and chats. If you block domains, all others are allowed; if you allow domains, all others are blocked. There are four scenarios for configuring trusted organizations.
7. Fortify Wireless Networks With Pre-Shared Key – Consider upgrading wireless networks from Pre-Shared Keys (PSKs) to a more robust form of authentication like WPA2-Enterprise/802.1x. If not possible due to compatibility or business concerns, ensure that the PSKs used are lengthy, random, and complex.

Key Takeaways

The key takeaway from our physical and wireless social engineering penetration testing engagement was the remarkable ease with which our consultant gained access to the client’s facility while successfully impersonating either an IT professional or a last-minute important visitor. Many companies unfamiliar with physical penetration tests often overestimate the effectiveness of their security measures. Visible security badges, restricted turnstiles, and other apparent security protocols can create a false sense of security. However, our engagement demonstrated that the reality can be quite different.

The sensitivity of the information held by our client, a prominent financial institution, became apparent during our testing. Despite using relatively simplistic methods, our consultant accessed various layers of the client’s networks and could have delved even deeper. This exposed the client to significant security risks, particularly from financially motivated malicious actors. Irrespective of industry, physical and wireless penetration testing stand as crucial tools in fortifying a business’s security posture. At DirectDefense, we guide our clients through every stage of the process, extending beyond vulnerability identification to comprehensive remediation efforts.

Contact Us Today!

Take stock of how secure your physical facilities and wireless networks are from malicious attackers. Contact us online or call 1 888 720 4633.

   By: Bethany Kozal   03.28.24