Third-Party Impersonation


One of the drawbacks to help desk impersonation is that it is almost too common. Companies know about this technique and make it clear in their policies that staff are not to give out passwords to anybody. Another technique, which is much more successful in gaining internal information, is third-party impersonation.

Through third-party impersonation, you can gather information on the types of equipment and software used in an organization. Discovering this information using software tools can sometimes be the longest part of any penetration test. It is a lot easier just to come right out and ask their network administrators and IT managers. You can do this by calling and pretending to be a salesperson with a network integrator:

PenTester: Hi. I am with You Can Trust Us Consulting and I would like to tell you about our new firewall product.

VictimUser: That is all right. We are already quite happy with what we have.

PenTester: Really? What type of firewall are you running?

VictimUser: We are using PIX and NetScreen firewalls.

PenTester: Well, I am sure those are both excellent products, but are you aware of the dangers of denial-of-service attacks like smurf and ping-of-death attacks? Are your firewalls protecting against these types of attacks?

VictimUser: Of course.

PenTester: Well, I can tell you know what you are doing. Now, our product can also do special filtering to protect your e-mail server. Are your products protecting your e-mail server?

VictimUser: That is not a concern for us because we do not allow incoming e-mail from the Internet. It all comes from our corporate headquarters.

PenTester: Well, it sounds like you are happy with your current product. I do not want to waste any more of your time. Let me leave my phone number and name in case you ever do decide to call us. (Proceed to leave a fake name and phone number, because the target will probably never call it anyway.)

You can see from this short example that you can discover the type of firewall and some of its configuration. You know that this company is probably blocking or limiting ICMP, the protocol used in smurf and ping-of-death attacks. You also know that TCP port 25, the port used by SMTP for e-mail delivery, is inaccessible from the Internet. This has saved you a lot of time that would otherwise be spent scanning for these protocols, and it has reduced the risk of being detected.

Using the phone is not the only way to do third-party impersonation, though. You can also perform it in person. I once entered a credit union posing as a computer technician. I informed the teller that I had been called in because the company server was having problems and I was there to fix it. The teller walked me over to the elevator and swiped her access card to let me in. I went up to the restricted second floor, where the data center was located. I then approached the receptionist on the second floor.

This test was already prearranged with the IT manager, who had purposely left the building on this day to see how her staff responded to social engineering. When I informed the receptionist that I was there to work on the server, she told me that the IT manager was out and that she was not told about a technician coming. She asked if I could come back the next day. After I told her that I charged per hour and that I drove from two hours away and it would be a significant charge if I had to drive back and return the next day, she decided to let me in. She walked me back toward the data center.

The data center was protected well. It had two doors secured with a card swipe device and a sign-in sheet for all visitors. For some reason, though, the receptionist did not have me sign in. I was also surprised to discover that she had access to get into the data center. She opened the doors, and I walked directly into the data center; at no point did she check my identification or validate my purpose for being there. The only thing she did tell me was that she did not have the passwords to the servers. I told her that would not be a problem. (A simple password-cracking tool would take care of that.)

Within minutes of running a security scanner, I discovered all the devices in both the data center and in remote locations, in addition to all devices with either default or no passwords. After I was able to log on to one server with a simple password, I could connect to all other servers. You can imagine the shock of the IT manager when she discovered my ability to access the company information with such ease.

Another example of third-party impersonation is to act as if you are with a trade magazine that is doing a review on the company product. Most employees are eager to learn that they might be quoted in a magazine. Often, in their eagerness, they give away free products and reveal inside information that should not otherwise be shared. This is why the public relations staff should always be present during an interview and sample products should be given only after the identity of the interviewer has been verified.

You might be surprised to discover just how much information an IT administrator is willing to give when he thinks he is being interviewed about his data security:

PenTester: So far I am impressed with the steps you have taken to secure your infrastructure. (Flattery is the first step to opening the door for more information.)

VictimUser: Thank you. Here at XYZ Company, we take security seriously.

PenTester: I can tell. Now, does your company enforce any type of security policies?

VictimUser: Oh, of course. We have an acceptable use Internet policy and a password policy for all users to sign when they first get employed with us.

PenTester: Tell me more; this is interesting.

VictimUser: Well, our password policy, for example, requires all users to create passwords that are at least eight characters long and contain both letters and numbers. They are required to change it every three months.

PenTester: Fascinating. Now, I have heard stories that when companies enforce these types of policies, users might write their passwords on notes and place them under their keyboards. Do you have any problem with that in your company?

VictimUser: (laughing) Oh, yes, all the time. We wish we could stop it, but I bet 50 percent of our users have their passwords written down somewhere on their desk.

This short interview revealed that the easiest way to gain access to the company network would be to look for passwords around the desk of a user. You could enter the building late in the day and ask to use the restroom. After closing time (and before the cleaning crew arrives), you could exit the restroom and walk around the office, looking at desks for written-down passwords that would grant access.

Note

A few years ago, I was asked to assess the security of a real-estate company while the network administrator was away. After going up to the administrator's desk, I looked around and saw pictures of horses. I figured she must own some horses and casually remarked to the employee in the next cubicle, "Wow, these horses are gorgeous! Are they hers?" After the employee responded affirmatively, I asked, "What are their names?" Sure enough, the password used by the network administrator was the name of one of her horses.


Penetration Testing and Network Defense
ISBN: 1587052083
Year: 2005
Pages: 209